VPN Kill Switch Reliability

Post by j2f »

Although I realize this question has probably been asked more than enough times, it is very difficult to find a reasonable (and understandable) explanation, so I apologize for opening yet another thread...

I am trying to troubleshoot a VPN kill switch issue(?) when running qBittorrent-nox version 4.3.2 on Ubuntu 18.04 in various configurations such as bare metal, VM, LXC container, etc. The VPN clients (via GUI and command-line) used in this test are PIA (using "VPN Killswitch: Always") and Mullvad (using "Always require VPN"). Note that qBittorrent is configured to use network interface tun0.

I connected to the VPN and started an Ubuntu 20.10 server torrent. Since the file is around 1 gb, for testing I decided to limit the download speed to 50 kb. Once I connected to enough peers, at around 10-20 seconds, I enabled the kill switch (disconnected but did not quit the VPN). Downloading continued for another 1 to 3 minutes before finally winding down. Peer download speeds fluctuated up (surprisingly so) and down multiple times, but eventually did average down as expected. Interestingly, though, the number of completed 256 kb pieces did increase by 1 or 2 before finally stopping. So parts did continue to download.

Then I tested with a download speed limit of 1 kb. In most cases, the torrent finally stopped after approximately 8 to 10 minutes. That's certainly not a trivial time difference from the previous test.

When the kill switch was enabled, I could not issue a ping, traceroute, etc. from the command-line, so it appears something was definitely working. The tun0 interface disappeared from ifconfig, and it no longer showed as an available interface in qBittorrent, as expected. Plus the routing table dropped the tun0 entries. The thing that, for the life of me, I cannot understand is how a download could possibly continue. Even though tun0 does not show up via ifconfig, is it still there? And does it have a buffer that takes some time to clear, especially when the lower download speed limit affords more connected peers a longer time to finally wind down? Maybe qBittorrent uses buffers?

Now here's the kicker. I ran another qBittorrent test (PIA/Mullvad) on a Windows 7 VM and the peers disappeared/wound down within just a couple of seconds. Looks like this could be a Linux issue but not Windows.

So the question is, is this an actual bug or issue, perhaps only with Linux? Or is it something that needs to be tweaked via advanced settings or what-not?

I think the kill switch is working, at least as advertised. In one test I was downloading the same Ubuntu torrent via 2 separate containers, each connected via its own VPN client. I saw each VPN IP connected on the opposing torrent client, invoked the kill switch on one container, and watched the same IPs continue without changing. At no time did my IP change, nor did my real non-VPN IP ever appear in the connected peer lists.

I realize the suggestions are going to be to use OpenVPN or Wireshark with ufw rules, but that is not my intention. Since I will be switching from PIA to Mullvad and paying for it, I would like to think I can at least somewhat rely on Mullvad to have a stable enough kill switch. Maybe I could supplement the client with a couple of ufw rules, but I'm not looking to completely replace it.

Thanks!