Anyone else using a VPN'd Virtual Machine to handle downloads?

Just curious if anyone else settled on this type of setup to manage their server.
 
My conundrum:
How to maintain my download automation securely but not sacrifice my now blazing fast up/down for my Plex users during my last server build (on the cheap <$700) and ISP upgrade. Also I do not want a separate physical box just to handle downloads. Then you have to deal with network mapping while on VPN and it just seemed like a big PITA. I had heard of users directing ‘download’ traffic only through the VPN but I didn’t find a good guide for this, and honestly I didn’t look too hard. I work with Virtual Machines every day at work so it seemed like the natural solution for me.
 
Hardware:

  • Retired Dell Workstation from an eBay refurbisher with good ratings
  • Xeon E5-2660 (Passmark 11144)
  • 24GB RAM
  • 2x WD 6TB, 1x 3TB
  • Windows 10
  • Samsung 840 256GB SSD system drive
  • Of course Plex

ISP:

  • Google Fiber
  • VM limited to 100Mbps bidirectional
  • With VPN about 70 up/down
  • Fastest VPN protocol for me is L2TP/IPsec

Automation:

  • Sonarr
  • CouchPotato
  • Deluge for download client

Virtual Machine:

  • VMware Workstation Pro
  • Windows 7 (soon to be 10)
  • ExpressVPN always on at startup
  • Enabled network kill switch
  • Shared big drives through VMware setup
  • Snapshot after setup, in case I screw it up

Pros:

  • RDP to VM on local network while VPN'd works
  • Users don't get dinged because I'm downloading
  • If VPN drops, network traffic stops
  • Mostly automated, rarely need to intervene

Cons:

  • Haven't figured out port forwarding with the VM yet because IP changes frequently
  • iOS RDP into server works, but iOS keyboard won't work inside VM

Set up Docker and then use Deluge or rtorrent containers with VPN built in.

This is the easiest way and doesn't affect the availability of your Plex server for remote connections.

You have a way more complicated setup than I do but here’s my input anyway.

I used OpenVPN to create a new network interface and locked my download client to that interface. No special routing in the router needed. Private Internet Access seems plenty fast since it will still max out my 100Mb service.

Running a full VM for this seems like overkill. I run VMs as well, but for something like downloading, I just sandbox/containerize it if I feel that’s necessary. I only run an app instance in a sandbox if I think it’s downloading something potentially harmful.

  1. VPN: I use Private Internet Access, which uses OpenVPN (TAP driver), and that creates a new network interface. The way the TAP driver works is that, since it’s emulating a layer 2 device, any traffic designated for a local address will be allowed through, but any traffic heading outside of your local network will be intercepted and routed through the VPN. So if you need to use network drives/RDP/etc, you can. Makes life pretty easy.

  2. External IP: If you use PIA, setting up a static external IP is pretty easy. Using OpenVPN, just type in a single server IP instead of the normal server address. Every time you connect, you'll have the same external IP.

  3. Routing Traffic: VPN kill switches can be a pain, since it usually affects all outbound traffic on the OS. Instead, you can limit certain apps by using your firewall to force traffic to certain network interfaces. I use Comodo Firewall (for its firewall and auto-sandboxing) and I have it set to force certain apps (like utorrent/qbittorrent, Chrome, and a few others) via my VPN. If my VPN connection drops out, then my torrent client loses all network/web access; but I can continue to work just fine on other apps using my home IP while I wait for the VPN to reconnect automatically. Some of my Chrome plugins need access to certain ports or IPs on my local network, so I have it set to allow just those ports or IPs.

And alternatively, as others have suggested, you can run containers for all your apps, with the VPN passed through to those containers.

I imagine that would basically handle everything you need in regard to downloading, automation and using less in the way of resources as well (since using a firewall + sandboxing/containers will be far less resource intensive).

Set a static IP to fix one of your cons.
https://www.howtogeek.com/howto/19249/how-to-assign-a-static-ip-address-in-xp-vista-or-windows-7/

I'm not familiar with Docker, but I do this exact thing using Ubuntu and VirtualBox. Inside I run Transmission, Sonarr and Radarr with a VPN kill switch. Map a drive from the host OS in VirtualBox and point my downloads there and then have them moved to their designated folder in my Plex library. Plex runs on the host OS. Works great. I think I followed a guide initially, I'll try to find it.

I've done this in the past for other things. But I run pfSense and set up a client-side VPN to my VPN service and NAT it through. In my ACLs on the firewall I redirect the gateway of the box out the VPN and then set a deny rule below it. If you're using pfSense as well, it has this cool failsafe feature that will default to your normal gateway unless you route out a gateway group. I have a guide for this in case anyone is interested.

I'll have to check that out. I took a Docker precompiler at KCDC a couple years back but I didn't come up with that as an option when I was trying to figure this out, thanks.

Rather than installing a VPN client in every Docker image you need VPN in, just create a Docker image for the VPN client and point your --network parameter to the VPN container.

Here’s a sample docker file for the vpn client…

FROM alpine:3.6
ENTRYPOINT ["openvpn"]
VOLUME ["/config"]
RUN apk add --no-cache openvpn

You can attach the .ovpn config as a volume by running the container like this…

docker run -d \
    --name ipvanish \
    --cap-add=NET_ADMIN \
    --device /dev/net/tun \
    -v /appdata/ipvanish:/config \
    openvpn --config /config/configs/ipvanish-US-New-York-nyc-a01.ovpn

Then in any container where you need to connect to the vpn, you can run them like this…

docker run -it --rm --network container:ipvanish ubuntu:16.04 /bin/bash

This is exactly what I did. Getting the VPN to work was a major pain in the ass though. Now that it works it’s rock solid. Can’t be happier.

Dammit!!! Thanks, I went with what I knew. These are some solid ideas.

How do you get Deluge to do this on Windows? I've seen a bunch of stuff to do it in Linux but not Windows.

I just downloaded COMODO and it’s also installing “Dragon.” Do you have any tips or a quick guide on how you set your stuff up?

For clarification, external IP from the VPN service. Pretty much assigns a new one every time it connects. This would be for connecting when outside my home network.

Mine disconnects every now and then for some reason and loses the pw even though it's stored in the setup file. I already spent several hours setting it up since I had no idea what I was doing, so troubleshooting it further isn't worth it to me. Plex is just for me and I keep the pw in KeePass.

Just modify the firewall settings?

I use Comodo Firewall to lock certain applications to one network interface or another. If a network interface is unavailable (like when the VPN disconnects), those programs are blocked from any kind of network access at all.

I’m assuming you’re mostly interested in the killswitch part of the post and have an OpenVPN type VPN provider already (Private Internet Access is the VPN provider I use).

Step 1: Get the IP and MAC of your VPN interface:

The first step is to get the IP and the MAC of the virtual network interface that the VPN creates. One way to do this is to use CMD. On Windows 8/10, click Start, type in CMD, and hit Enter when it finds a match. Once the command line window pops up, type in "ipconfig -all" without the quotes and it'll show you all the network devices on your computer. In PIA's case, the adapter will be called 'Ethernet for PIA'. Once you have the IP (IPv4 Address) and MAC (in CMD it's called "Physical Address"), you can go to Comodo to start setting it up.

Step 2: Set up your VPN as a Network Zone in Comodo

In Comodo, go to the Network Zones tab, and create a new Network Zone called "Private Internet Access" (or whatever you want to call it). With that newly created Network Zone selected, go to Add and click on "New Address". In there you'll want to type in the MAC address you found in CMD and then create another one for the IP address. With Private Internet Access, it assigns a different IP each time you connect, but all the addresses are in the 10.xx.xx.xx range. So in the picture, I have it set to cover every IP address in the 10 range, from 10.0.0.0 to 10.255.255.255. If your VPN provider does the same, it might be best to set up a range as well, as long as it doesn't conflict with your other addresses (in my case, my home addresses are all 192.168. addresses, so they're a different range entirely).

Step 3: Create a Ruleset in Comodo

Next step is to set up the Firewall Ruleset (in Firewall → Rulesets). Create a new one and add the same rules you see in my ruleset. The blocked out part is just the name of my home network. Basically, with IP Out, select your network zone as the source address and set any as the destination address. Vice versa, and make sure the two allow rules are at the top. Then set up the block rules at the bottom.

Step 4: Add applications to be blocked by Comodo if your VPN loses connection

Lastly, go to Firewall → Application Rules and add the applications you want to block. Then check/select them and go to Edit, and it will allow you to select the ruleset you just created.

With all of that, you should be done. Any app using that ruleset should only be able to access the internet while your VPN app is connected. If it disconnects, then that application should lose all connectivity. If you're familiar with IPs and all that and know what your local network's IPs should be, then you can double check to make sure your ruleset is working by using the Comodo KillSwitch app. Go to the main Comodo screen, click on "Contained Apps" and then click on "More" and it'll open up, or install the Comodo KillSwitch app. At the top of that app, you can select Network, and then scroll down until you find the application you're trying to block. Once you find it, you can turn off your VPN and see if it's able to make any successful connections outside of your network or not. With my ruleset, it should kill all internet access for that app, and also kill any local network connections that app has.

If your app needs local network access, let me know and I can give you a screenshot of my other ruleset. I have an app that needs to access the computer’s loopback using random ports, so I made a ruleset so it could continue to work, but not access the internet if the VPN is turned off.

Hopefully this works for you. These are the settings that worked for me. If you need any help with any of these steps or have questions, let me know.
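The same per-application kill switch can be built with the built-in Windows Defender Firewall instead of Comodo, which answers the earlier "how do you get Deluge to do this on Windows" question without a third-party firewall. This is an added example, not the poster's setup; it assumes the VPN adapter is named "Ethernet for PIA" and that Deluge is installed at the path shown, so adjust both, and run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): per-app VPN kill switch using Windows
# Defender Firewall. Assumptions: VPN adapter alias and Deluge path below.
$VpnAlias = 'Ethernet for PIA'                        # assumed TAP adapter name
$Program  = 'C:\Program Files\Deluge\deluge.exe'      # assumed install path
$RuleTag  = 'VPN-only: Deluge'

# Step 1 equivalent: read the VPN adapter's MAC and current IPv4 address.
$vpn = Get-NetAdapter -Name $VpnAlias -ErrorAction Stop
$ip  = Get-NetIPAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue
"VPN adapter: $($vpn.Name)  MAC: $($vpn.MacAddress)  IPv4: $($ip.IPAddress)"

# Remove rules from a previous run so the script can be re-applied safely.
Get-NetFirewallRule -DisplayName "$RuleTag*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Step 3 equivalent: allow the program outbound only over the VPN adapter...
New-NetFirewallRule -DisplayName "$RuleTag (allow via VPN)" `
    -Direction Outbound -Action Allow -Program $Program `
    -InterfaceAlias $VpnAlias -Profile Any | Out-Null

# ...and block it on every other adapter that exists right now. Block rules
# take precedence over allow rules, so with the VPN adapter down the program
# has no path out, including to the local network (same effect as the ruleset above).
Get-NetAdapter | Where-Object { $_.Name -ne $VpnAlias } | ForEach-Object {
    New-NetFirewallRule -DisplayName "$RuleTag (block on $($_.Name))" `
        -Direction Outbound -Action Block -Program $Program `
        -InterfaceAlias $_.Name -Profile Any | Out-Null
}

# Step 4 check: show the rules now attached to the program.
Get-NetFirewallRule -DisplayName "$RuleTag*" |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

The block rules are created per adapter present at run time, so re-run the script after adding a new network adapter, and verify the result the same way as above by disconnecting the VPN and confirming the client makes no connections.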

Check out ZeroTier:

Easiest way to access a network remotely, and it’s free.

If I activate the VPN won't everything go through that though? Like I still want my remote access to the server and Sonarr and whatnot. I only want the VPN for Deluge.

It's been a long time! I have finally gotten around to using your tutorial, following it exactly. I really appreciate the detailed guide! I have it all set according to your guidelines but I can't connect to my Plex from outside of my home network. Should I add the Plex services to another network zone?