VPN Split Tunnelling Question

Windows specific questions, problems.
thorb

VPN Split Tunnelling Question

Post by thorb »

I recently switched from a SOCK5 proxy to a VPN (PIA). I've got it all set up and working but noticed some unexpected behavior that I was hoping someone might be able to explain.

Background:
The VPN is set up to let all applications bypass VPN but force qBittorrent to use it (split tunneling). I've also enabled an incoming port.

I've tested my torrent IP address and it is indeed that of the VPN. I believe my incoming port is working because some long dead downloads have started working (presumably because communication is now possible with peers that do not allow incoming connections, via them connecting to me).

Unexpected Behavior:
I was expecting to have to find a workaround to access qBittorrent Web UI as I'd assumed I wouldn't be able to connect via my true public IP address anymore (since qBittorrent can only communicate via the VPN now). However, to my surprise, I can still connect to Web UI (via my true public IP address, from outside of my LAN). This is convenient but concerning.

How is this possible? Am I at risk?

My optimistic theory is that all of the connections initiated by qBittorrent (i.e. torrents) go through the VPN tunnel. And since my IP address in the swarm is that of the VPN, any incoming connections also go through the VPN. While the Web UI requests come through my true public IP to the port on which qBittorrent is bound and so it can respond to them.
justaguy

Re: VPN Split Tunnelling Question

Post by justaguy »

To the best of my knowledge - this is owed to the "IP Address" field.

Essentially, this is where you specify what address, or addresses you should be binding your server to -
You have a few options for this.
Imagine your LAN IP is 192.168.0.5
Your public IP is 45.67.89.10

(The following loopback addresses are actually the values for localhost)
Your loopback (localhost) IPv4 (always) 127.0.0.1, and your ipv6 loopback is ::1 or 0:0:0:0:0:0:0:1 .

Imagine you've left the port at 8080 .

If you leave the IP address setting at the default '*', it binds to port 8080 on all available addresses, both ipv4, and ipv6.

If you're on the LAN, you can reach your UI from, say, your phone on the Wifi with 192.168.0.5:8080
From the public, you can reach it from http://45.67.89.10:8080 , or http://example.com:8080
If you had a public ipv6 address, that would work too (example.com would resolve to whatever address it had to)

On your computer, you also have the option to use `http://localhost:8080` (equivalent to 127.0.0.1:8080, or to ::1:8080).

Changing the IP Address setting to `0.0.0.0` binds it to port 8080 on all ipv6 addresses, and :: binds it to 8080 on all ipv6

If you JUST wanted lan access, then you would set it to 192.168.0.5
If you JUST want loopback, you could choose 127.0.0.1 for ipv4, or ::1 for ipv6 (This is likely a common use-case, I personally don't like forwarding ports & love using ssh to access my desktop, so I use ssh LocalForward rules to access VNC and webUIs)

A tangent:

My personal recommendation is NOT to port-forward 8080 unless you really do want public access to your server - In fact, I don't advise you forward any more ports than absolutely necessary.

Instead, configure ssh on your host - Ensure you do this securely (The default settings are good, but there are hardening guides - biggest tips are to disable root login, and if possible only allow pubkey cert, also running on a port besides 22 will reduce the number of spam hacks you see, but doesn't really add security).

You WILL have to set up your firewall & port forwarding rules for ssh

Bind qBittorrent's Web UI to localhost - 127.0.0.1 didn't work for me (Not sure why), but ::1 did.

On your remote client, configure the ssh settings for your host to forward localhost:8080 to localhost:8080


# ~/.ssh/config
# Comments must start at the beginning of a line: ssh_config does not
# accept trailing comments after a directive, so they are on their own lines.
Host torrenthost
   HostName example.com
   # WebUI: local port 8080 -> port 8080 on the remote host's loopback
   LocalForward 8080 localhost:8080
   # VNC server: local port 6969 -> port 6969 on the remote host's loopback
   LocalForward 6969 localhost:6969
Now, when I ssh into torrenthost, on whichever device I'm using, I'm able to treat localhost:8080 and localhost:6969 as if they were a local device, avoiding needing to open up more ports.
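A way to verify which exposure the Web UI actually ended up with, as an added example that is not code from either poster: parse the listener table (Windows `netstat -ano`, the poster's platform, or Linux `ss -tln`) and classify each bound address as wildcard, loopback, private or public. The sample output below is constructed; run the real command and feed its output to `audit()`.

```python
import ipaddress

# Constructed samples, not from the original post: Windows `netstat -ano`
# style first, Linux `ss -tln` style second. Both show a Web UI on 8080
# bound to the wildcard address and a VNC port on loopback only.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1234
  TCP    [::]:8080              [::]:0                 LISTENING       1234
  TCP    127.0.0.1:6969         0.0.0.0:0              LISTENING       1300
  TCP    192.168.0.5:9090       0.0.0.0:0              LISTENING       1400
"""
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     *:8080               *:*
LISTEN  0       128     [::1]:6969           [::]:*
"""

def parse_endpoint(field: str):
    """Turn 'host:port' or '[v6host]:port' into (host, port); None otherwise."""
    host, sep, port = field.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)

def classify(host: str) -> str:
    """Exposure class of a bind address: 'all' (wildcard, every interface),
    'loopback' (this host only), 'private' (LAN/link-local) or 'public'."""
    if host in ("*", "0.0.0.0", "::"):
        return "all"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    return "private" if addr.is_private else "public"

def audit(output: str) -> dict:
    """Map each listening port to the set of exposure classes it is bound with."""
    result = {}
    for line in output.splitlines():
        cols = line.split()
        if not any(c in ("LISTEN", "LISTENING") for c in cols):
            continue  # header or non-listening socket
        endpoint = next(filter(None, map(parse_endpoint, cols)), None)
        if endpoint is not None:
            host, port = endpoint
            result.setdefault(port, set()).add(classify(host))
    return result

def reachable_beyond_loopback(output: str, port: int) -> bool:
    """True if anything on `port` listens on a non-loopback address."""
    return bool(audit(output).get(port, set()) - {"loopback"})
```

A Web UI that shows up as 'all' on a port that is also forwarded by the router is reachable from the Internet regardless of whether the application's outbound traffic goes through the VPN, which is the situation the original question describes.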
thorb

Re: VPN Split Tunnelling Question

Post by thorb »

Thank you for the incredibly thorough response!