Route qbittorrent to vpn interface only?

Well, I have been researching how to route torrenting traffic to the VPN interface only.

I am using WireGuard for VPN, and have qBittorrent bound to it. The thing is, if I set

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/1, 8000::/1

Then all my traffic will route through the WireGuard interface, because with longest-match subnet, 0.0.0.0/1 and 128.0.0.1/1 would have priority over the original 0.0.0.0/0.

If I don’t set AllowedIPs, then WireGuard won’t even create a connection to the remote VPN server.

So I tested manually setting 0.0.0.0 mask 0.0.0.0 gateway vpnip with a metric higher than my ISP gateway, to get my normal traffic through the ISP. But then qbit can’t connect through WireGuard even though it is bound to the WireGuard interface.

It’s kinda slow using the VPN for all the traffic, so is there any way I can have my original traffic (e.g. YT, Spotify) go through my ISP and use the VPN for torrenting?

Edit: The metric method works in the end. The problem is you need to use

AllowedIPs = 0.0.0.0/0

But I don’t want to use the kill-switch. After googling, I found this works:
https://asheroto.medium.com/split-tunneling-in-wireguard-on-windows-e2dfd86d5982

So you need to set Table = off to avoid automatically triggering the kill-switch, and my qbit works fine over the VPN and YT over the ISP right now!

It’s built in to qbit…just go to options, advanced, network interface, and pick your VPN adapter…boom, done. Also, use split tunneling in your VPN client. Set qbit to use the VPN and everything else not…but the binding is a MUST to keep from getting nasty letters.

If you are running qBit on Docker and only need VPN for your torrent client, take a look at Hotio’s qBit image that has Wireguard built in. Works great for me.

It’s a steep learning curve but I installed pfsense.

AllowedIPs = 0.0.0.0/0, ::/0

After that’s added to the routing list (cmd: route print), the ISP and VPN connection will have equal priorities for routing traffic. The next step is semi-manual: you need to force all regular traffic through LAN:

route add 0.0.0.0 mask 128.0.0.0 <router IP> if 32
route add 128.0.0.0 mask 128.0.0.0 <router IP> if 32
route add ::/1 <link-local computer ip> if 32
route add 8000::/1 <link-local computer ip> if 32

ipconfig /all shows this:

Link-local IPv6 Address . . . . . : fe80::1234:5678:9abc:def%32(Preferred)

Then your IPv6 lines will be:

route add ::/1 fe80::1234:5678:9abc:def if 32

The same interface number is to be applied to the other lines too (you can see the interfaces at the top of route print).

You can delete 0.0.0.0 BEFORE starting a VPN, for a cleaner routing table.

After all that’s done, you’ve practically an inverted version of how VPN connections add themselves: ISP first, VPN second choice.

From now on you can only force connections to run through VPN with the network binding in client settings.

Thanks! Worked for me!

I have already bound qbit to the WireGuard interface. I am just curious about the Windows route settings.

Also, I have tested on ipleak.net to check if I leak my address; the result is apparently not.

Will the metric way work? I think it should work the same as if you have two default gateways 0.0.0.0/0; then I just need to bind qbit to WireGuard as I have already done.

Something like this:

dest      mask      gateway      interface      metric
0.0.0.0   0.0.0.0   192.168.0.1  192.168.0.100  5
0.0.0.0   0.0.0.0   10.168.0.1   10.168.0.1     100   (wireguard address 10.168.0.1/32)

Also, if you use a Hyper-V switch, what about port-forwarding? Does it bridge interfaces or NAT the interface?

Would this work on macOS if you had different users set up, one user running VPN and qBittorrent, and the other user running everything else (not through VPN)?

I am using Tunnelblick for my VPN connection.

Because in Windows, if you set WireGuard to 0.0.0.0/0, it would trigger the kill-switch. If you untick the kill-switch, then it would become 0.0.0.0/1 and 128.0.0.0/1 and thus route the traffic there according to the longest subnet available.

I don’t know if there is a kill-switch in Linux or Mac. If you set Table = off, then WireGuard would act normally and doesn’t force you to use the kill-switch. Then you could just bind qbit to the adapter, and use the metric policy route method.
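The route selection this thread relies on (longest prefix first, metric only as a tie-break, and an interface-bound client limited to its own interface's routes), modeled as an added example that is not from any poster. The interface labels `isp` and `wg`, the sample destinations and the binding behaviour are assumptions of this sketch; it covers IPv4 only.

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: str   # destination network, e.g. "0.0.0.0/1"
    iface: str    # hypothetical interface label: "isp" or "wg"
    metric: int

def pick_route(routes, dst: str, bound_iface: Optional[str] = None):
    """Longest prefix wins; metric only breaks ties between equal prefixes.
    Assumption: a socket bound to an interface considers that interface's
    routes only (simplified model of the client's interface binding)."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in routes
              if addr in ipaddress.ip_network(r.prefix)
              and bound_iface in (None, r.iface)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def egress(routes, dst: str, bound_iface: Optional[str] = None) -> str:
    route = pick_route(routes, dst, bound_iface)
    return route.iface if route else "no route"

ISP_DEFAULT = Route("0.0.0.0/0", "isp", 5)
# The routing tables described in the thread (metrics follow the 5 / 100 example).
HALVES_VIA_VPN = [ISP_DEFAULT, Route("0.0.0.0/1", "wg", 5), Route("128.0.0.0/1", "wg", 5)]
METRIC_METHOD = [ISP_DEFAULT, Route("0.0.0.0/0", "wg", 100)]
INVERTED = [ISP_DEFAULT, Route("0.0.0.0/0", "wg", 5),
            Route("0.0.0.0/1", "isp", 5), Route("128.0.0.0/1", "isp", 5)]
TUNNEL_DOWN = [ISP_DEFAULT]  # WireGuard routes gone

SAMPLE_DSTS = ["100.64.0.1", "203.0.113.7"]  # constructed, one per /1 half

def report():
    """Map table name -> destination -> (unbound egress, egress when bound to wg)."""
    tables = {"halves via VPN": HALVES_VIA_VPN, "metric method": METRIC_METHOD,
              "inverted": INVERTED, "tunnel down": TUNNEL_DOWN}
    return {name: {dst: (egress(t, dst), egress(t, dst, "wg")) for dst in SAMPLE_DSTS}
            for name, t in tables.items()}

if __name__ == "__main__":
    for name, rows in report().items():
        for dst, (unbound, bound) in rows.items():
            print(f"{name:15} {dst:12} unbound -> {unbound:8} bound to wg -> {bound}")
```

In the metric and inverted tables only the bound client uses the tunnel, while an unbound client goes out via the ISP. When the WireGuard routes disappear, the bound client ends up with no route instead of falling back to the ISP.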

I know way less about the tech aspect of this than I think you do :)

Is there a faq or “vpn for dummies” version of this?