Author Topic: Odd Behavior with VPN Portforwarding?  (Read 6158 times)

A06

Odd Behavior with VPN Portforwarding?
« on: June 01, 2019, 09:03:55 pm »
Hi there.  I am new to torrenting and just installed qBittorrent. I have noticed something odd.  Whenever I open the program, the connection symbol is yellow.  However, when I run a portcheck (on the forwarded port), it instantly changes to a green plug/symbol.

Shouldn’t it always be green from the get-go if I have done everything correctly?

Details:

My OS is Windows 10.  I’m running qBittorrent, ESET (antivirus + firewall), and Mullvad (VPN).  I did NOT want to portforward anything on my router so I decided to portforward via my VPN.  Here is what I did:

I enabled port-forwarding on Mullvad’s web interface.  They gave me the port 30018 to use. 

I then took that port number and put it into qBittorrent’s Connection page for “Port used for incoming connections.”  I disabled “Use different port in each startup” in qBittorrent and also disabled “Use UPnP / NAT-PMP settings from router.”

Next, I went into qBittorrent’s Advanced page and set “Network Interface (requires restart)” to Mullvad.  From what I have read, this only allows qBittorrent to use my VPN’s adapter - keeping my IP hidden in case my VPN crashes.

Lastly, I went into ESET’s software firewall and input the port 30018 (the same port provided by my VPN).  I set “Direction” to Both. I set “Action” to Allow.  I set “Protocol” to TCP & UDP.

That’s it.  This caused the “red plug” icon in qBittorrent to turn to a yellow symbol.  When I ran an online portcheck on port 30018 while qBittorrent was running, it said “Port is reachable” and the yellow symbol became a green plug in qBittorrent.

After a computer restart, qBittorrent defaults back to a yellow symbol.  As soon as I run another portcheck (port 30018, of course) - it becomes a green plug again until the next restart.

Other information:
Router is completely untouched. No forwarded ports.  UPnP is completely disabled on it.  Also, qBittorrent added an exception in the Windows Firewall during installation - however, since ESET manages my firewall, I don’t believe this matters.

Questions:

1. First of all - did I even do all of this correctly?  Any missing steps/settings?

2. Aside from some undiscovered exploit in Windows 10, Mullvad VPN, or qBittorrent, am I safe from any nefarious internet traffic trying to log into my computer or remotely gain access to my network due to portforwarding?  (i.e., hackers using port-scanners to find open ports)

3. Do the above settings open me up to security issues on my local network?  For example, if another computer is hacked, will it be easier for my computer to be accessed as well?  I have set my Network Preferences to Public in Windows 10 so I shouldn’t be sharing anything with other local devices.

4. Will the above setup work for both private and public trackers?  By “work” I am referring to hiding my IP, giving me solid speeds for leeching + seeding, and reporting the correct ratio data (on private trackers).  Especially when it comes to seeding (gotta give back what you take!)

5. Any idea why qBittorrent shows a yellow symbol whenever I first start it up, but when I run a portcheck via canyouseeme.org or other sites, it changes to a green plug and stays green until I quit the program manually?

6. Any other issues, concerns, or words of advice?  I would appreciate anything you have to say.

Thank you in advance for all the help!

Switeck

Re: Odd Behavior with VPN Portforwarding?
« Reply #1 on: June 03, 2019, 10:03:01 pm »
I can't answer all these questions fully...
but based on what I know...

1. Yes, everything looks set up correctly.

2. With the method done, there is no open incoming listening port on your computer (at least due to all you're doing) EXCEPT the one that routes through the Mullvad VPN -- and that one is likely only open from Mullvad's VPN servers not directly to your computer from any IP address.

3. Probably far fewer security issues/risks than running without a VPN and with open ports on the router straight into the computer.

4. That depends entirely on whether Mullvad VPN really allows incoming unsolicited network traffic correctly.

5. qBittorrent shows a yellow symbol whenever you first start it up possibly because Mullvad VPN doesn't start routing incoming unsolicited network traffic until it sees a "standard" web connection demanding that access. You may need to visit canyouseeme.org every time you start qBT as a workaround. :(

6. Software firewalls often claim "full internet access" to programs once allowed but still block almost everything incoming that's meant for the programs to use, so you may need to test with less strict rules on ESET (antivirus + firewall) if nothing else works.
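
Added example, not part of the posts above: one way to check the claim in answer 2 on the machine itself is to parse `netstat -ano` output and see which local address the listener on port 30018 is bound to. The netstat text, the 10.8.0.14 tunnel address and the PIDs are constructed sample values, and `listeners` and `exposure` are hypothetical helper names.

```python
# Constructed sample of Windows `netstat -ano` output; addresses and PIDs are
# made up. 10.8.0.14 stands in for the VPN adapter's address (an assumption).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    10.8.0.14:30018        0.0.0.0:0              LISTENING       7312
  TCP    10.8.0.14:51544        203.0.113.7:6881       ESTABLISHED     7312
  UDP    10.8.0.14:30018        *:*                                    7312
  UDP    0.0.0.0:5353           *:*                                    2208
"""

# Local addresses that mean "bound on every interface".
WILDCARDS = {"0.0.0.0", "[::]", "*"}


def listeners(netstat_text, port):
    """Return (proto, local_ip, pid) for every socket listening on `port`."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local = fields[0], fields[1]
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        ip, _, local_port = local.rpartition(":")
        if local_port != str(port):
            continue
        # TCP rows have a state column; UDP rows have none and are just bound.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        found.append((proto, ip, int(fields[-1])))
    return found


def exposure(netstat_text, port, vpn_ip):
    """Classify where `port` is reachable from, judged by its bind address."""
    rows = listeners(netstat_text, port)
    if not rows:
        return "not-listening"
    ips = {ip for _, ip, _ in rows}
    if ips & WILDCARDS:
        return "all-interfaces"  # LAN side only protected by the firewall rule
    if ips == {vpn_ip}:
        return "vpn-only"        # only traffic arriving over the tunnel can connect
    return "other-interface"
```

A result of `all-interfaces` means the firewall rule for the port is the only thing keeping other devices on the local network from reaching the client.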

A06

Re: Odd Behavior with VPN Portforwarding?
« Reply #2 on: June 04, 2019, 07:26:40 am »
Thank you for the reply Switeck!  I was hoping it would be you; from a quick look around the forum, you’re one of the most knowledgeable and helpful people here.

I have a few more questions/confirmations:

1. Great, thanks!

2. Do you mean that my computer should be safe when not connected to Mullvad simply because no ports have been forwarded locally (on either my router or software firewall)?

3. So this set-up, on paper, is seemingly “safer” than the traditional portforwarding (or goodness forbid - usage of UPnP)?  I value security (against malicious traffic) over speed, getting more peers, etc.  If I have to seed longer, so be it.  But I want to minimize as many attack vectors on my local set-up as possible from malicious internet traffic.  Scary place out there.

4. Agreed.  This remains to be seen as I have yet to attempt to download my first ever torrent.  Hoping Mullvad’s portforwarding works as expected.

5.  Ah!  I never thought of that and yet it makes the most sense now that I think about it.  I have been port-checking via canyouseeme.org and Mullvad’s own website port-checking tool.  Do you think once I click on a torrent from a public/private tracker (i.e., to download it), Mullvad will consider that a request for access and cause the symbol to turn green in qBittorrent?  Just like it does when a port-check is run via canyouseeme.org?  Visiting that site and running port-checks every time I want to download something would be mildly infuriating.

6. Right now ESET allows both TCP & UDP traffic in both directions on Mullvad’s port (30018) - the same port that is in qBittorrent.  Imagine it did still end up blocking the port/qBittorrent’s traffic, or at least partially - how would I know?  canyouseeme.org gives me the OK sign so what should I look out for to figure out if ESET is secretly being funky?  Slower speeds?  Or a complete inability to download torrents? (then I’d know pretty quickly, haha).

Thanks again Switeck!  Even if you’re not 100% sure on any part of my numerous questions above, gimme whatever ya got.  I truly appreciate you and the guidance - I’ve attempted to look for the answers myself but nobody really seems to care about security as much as I do.  At least, I haven’t been able to find answers to detailed questions like the ones above.

I’ll be checking this thread periodically so whenever you have time, answer away.  Thanks in advance!  ;D
« Last Edit: June 04, 2019, 07:33:28 am by A06 »

Switeck

Re: Odd Behavior with VPN Portforwarding?
« Reply #3 on: June 08, 2019, 09:57:49 am »
2. No, it should be as safe as a similar computer with no ports forwarded locally. But that doesn't mean it's actually secure, due to issues in other software.

3. Yes, in theory safer... so long as the VPN service isn't its own special malware vector. (Extremely unlikely, I bet. But privacy-wise, they could monitor all your traffic through them if they wanted to.) If you want to minimize risks, you want to use the computer for as little as possible, with no internet access, preferably never turning it on at all. The same stuff that provides 2-way communication is often made by companies that aren't serious about security. Terrible security on the majority of Internet-of-Things (IoT) is the end result.
Most people think bad security is simply the result of complexity and lazy programmers. No, too many people benefit from bad security. I'll be ranting obscenities if I go much further into that.

5. I don't know if Mullvad will open the incoming port in response to torrent traffic, only that if the port-check at canyouseeme.org seemed to work then it's at least a workaround.

6. Scientific method -- you test using knowns vs unknowns.
Someone you know+trust starts a new torrent nobody else has and gives you the .torrent file. DHT+PEX+LPD all disabled and no tracker on the torrent. So no way to find each other automatically. Then have them manually add a peer -- using your IP:port numbers. If they successfully connect, then it's pretty likely ESET isn't blocking incoming. That test can only be done ONCE per new torrent unless you delete and re-add the torrent each time because qBittorrent remembers peers+seeds and may retry them on restart.
Also best done on a LAN or even using other BitTorrent software on the same computer to rule out internet problems vs local firewall problems.
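
Added example, not part of the thread: a TCP-level variant of the known-vs-unknown test in point 6, using a plain connection attempt in place of a torrent peer. `probe_tcp` and `diagnose` are hypothetical names; the idea is to run one probe on the same computer (the known) and one from a trusted outside machine against your own forwarded IP:port (the unknown), then compare the two results.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt to host:port.

    open     - handshake completed: something is listening and reachable
    refused  - the host answered with a reset: packets arrive, nothing listens
    filtered - no answer before the timeout: traffic is dropped on the way
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # No route / network unreachable also means the port was never reached.
        unreachable = (errno.EHOSTUNREACH, errno.ENETUNREACH)
        return "filtered" if exc.errno in unreachable else "error"
    finally:
        sock.close()


def diagnose(local_result, remote_result):
    """Combine the same-machine probe (known) with the outside probe (unknown)."""
    if local_result != "open":
        return "client is not listening on that address and port"
    if remote_result == "open":
        return "reachable end to end"
    if remote_result == "refused":
        return "outside traffic is actively rejected before it reaches the client"
    return "client listens but outside traffic is dropped: VPN forward or local firewall"
```

A silent timeout from outside while the same-machine probe succeeds is the pattern to look for when a software firewall is dropping incoming traffic despite an allow rule.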