few VPN queries
Ok so I currently use Mullvad and have had no issues with connectivity, speed etc. However, they do not have the ability to tunnel specific applications through the VPN, and their split-tunnel feature is exclude-only. This is an issue for me as there are certain games that I play which won't allow me to connect to servers etc. while connected to the VPN (Minecraft and a few others). PIA (Private Internet Access) does have this option in their split-tunneling feature; however, I have had a lot of connectivity issues with a bunch of their server locations. This can range from losing connection at random times, which can only be fixed by me manually switching to another location that works. I say "another location that works" because some servers don't let me connect at all, which can be quite annoying.
This leads me to the reason I am posting here. I am wondering if there is a self-hosted solution that I can run on a low-cost server, with some software to accompany it that has similar split-tunnelling functionality to PIA's? I don't need to have multiple locations as I am mainly using it to hide my IP for torrenting purposes. The only apps I will be running through the VPN are Deluge (was qBittorrent prior, however that was having connectivity issues) and my browser (since my ISP blocks certain websites that I use). I only need this for my PC, which is running Windows 11; however, having the option to run it on Linux and iOS would also be nice (though not required for my use case).
Any info is greatly appreciated. Thanks in advance.
Comments
For Deluge and the browser I use an SSH socks proxy instead of a VPN. qBittorrent never worked properly through a proxy.
Is this as secure as a VPN in terms of hiding your IP and encrypting the traffic? I don't know much about proxies but I am open to learning more about them if that would work better for what I need. I appreciate your response.
You could also run socks over wireguard which works for us and our clients.
Or you can use the WireSock client instead (if using the regular wireguard client) to specify which apps can use the vpn tunnel or not.
Is this something that is fairly easy to setup? I am pretty comfortable with Linux however I don't know much about networking (other than simple firewall stuff) so what would you recommend? I will do my own research too but I thought I would ask and see if you have any suggestions on where I should start. Thanks for the info!
If you are using Linux you can achieve split tunneling using network namespaces, regardless of provider.
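One way to do the namespace-based split tunnel suggested above, as an added example that is not from this thread or from the WireGuard project: a script that puts only a WireGuard interface into a network namespace and launches the chosen program there, so that program can reach the internet through the tunnel or not at all. It assumes root, wireguard-tools, a wg-quick style config at the assumed path /etc/wireguard/wg0.conf whose peer has AllowedIPs = 0.0.0.0/0, ::/0, the placeholder resolver 10.64.0.1, and a hypothetical RUN_AS account that the app runs as.

```shell
#!/bin/sh
# Added example (not from the thread): run one program inside a network
# namespace whose only way out is a WireGuard interface. Everything that
# program sends, DNS included, goes through the tunnel or nowhere.
# Assumptions: root, wireguard-tools installed, a wg-quick style config at
# $WG_CONF (assumed path) whose peer has AllowedIPs = 0.0.0.0/0, ::/0,
# and $VPN_DNS set to a resolver reachable through the tunnel (placeholder).
set -eu

NS="${NS:-vpn}"
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
VPN_DNS="${VPN_DNS:-10.64.0.1}"   # placeholder, not a real resolver

# wg(8) setconf rejects the wg-quick-only keys (Address, DNS, MTU, Table,
# Pre*/Post*), so strip them before handing the file to wg. Pure filter.
strip_wgquick_keys() {
    grep -Ev '^[[:space:]]*(Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig)[[:space:]]*='
}

# The Address values are still needed, one per line, for `ip addr add`.
wg_addresses() {
    sed -n 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' | tr ',' '\n' | tr -d ' '
}

ns_up() {
    ip netns add "$NS"
    ip -n "$NS" link set lo up
    # Create wg0 in the init namespace so its UDP socket keeps using the
    # physical uplink, then move the interface itself into $NS.
    ip link add wg0 type wireguard
    ip link set wg0 netns "$NS"
    strip_wgquick_keys < "$WG_CONF" | ip netns exec "$NS" wg setconf wg0 /dev/stdin
    wg_addresses < "$WG_CONF" | while read -r a; do ip -n "$NS" addr add "$a" dev wg0; done
    ip -n "$NS" link set wg0 up
    ip -n "$NS" route add default dev wg0
    ip -n "$NS" -6 route add default dev wg0 2>/dev/null || true
    # Programs in $NS read /etc/netns/$NS/resolv.conf instead of the host's,
    # so their lookups cannot fall back to the ISP resolver.
    mkdir -p "/etc/netns/$NS"
    printf 'nameserver %s\n' "$VPN_DNS" > "/etc/netns/$NS/resolv.conf"
}

# Usage (as root): ./wg-netns.sh up; RUN_AS=alice ./wg-netns.sh run deluge-gtk
case "${1:-}" in
    up)   ns_up ;;
    run)  shift; exec ip netns exec "$NS" sudo -u "${RUN_AS:?unprivileged user}" -- "$@" ;;
    down) ip netns del "$NS" ;;
esac
```

If wg0 goes down, programs in the namespace simply lose connectivity instead of falling back to the ISP uplink, which is the kill-switch behaviour the exclude-only clients in the thread lack.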
With SSH the traffic is encrypted; whether the app exposes the source's IP address depends on the app. SSH can also spoof traffic shaping by enabling data compression:
ssh -C -f -N -D 1080 example.com
Spoofing works well for me, as the ISP blocks bittorrent. No idea if Putty can do this on Windows.
The machine I am trying to split-tunnel on is running Windows 11, but I will be running the VPN/proxy software on a Linux machine. I may also look into using an already existing service if that is cheaper than running it myself, but from what I understand it shouldn't be too hard or costly to run.
The wiresock client runs on Windows, but you could probably set up WINE to run the windows exe file for wiresock on your linux boxes too. Never done that before on linux so not sure if it works 100%. It's really easy to configure once set up though. You just add a couple of lines to your existing wireguard config file. Documentation is on their website if needed.
Ah I see, so I would need a Windows server to run that if I didn't want to emulate using WINE. I would preferably like to run something on Linux to keep resource usage low. I will do some research to see what other options are out there but I appreciate your suggestion.
This may be the solution that I go with since it sounds pretty straightforward but I will do some research to be sure that it is in fact what I am looking for. I appreciate the suggestion.
what about a few dockers on a little vps?
I have ~2TB of torrents seeding on my PC that I leave running in the background and then I have an old PC that I turned into a media server that has a 12TB NAS drive in it that has Jellyfin installed on it. I appreciate the thought however it makes more sense to run a VPN/proxy since it would be a lot more cost-effective.
Well, you don't even really need to self-host (as long as your OS of choice is Linux or some other unixoid system). All you need to do is read up on iptables (especially the packet marking action) and source-based routing. When you've mastered this you can push different traffic (by whatever characteristics iptables is able to recognize: by destination, service, user, application, ... practically probably more than you'll ever need) through different tunnels. This obviously assumes that you manage the VPN connections yourself and don't rely on some kind of application.
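The marking plus source-based routing approach described in that comment, worked out for one Unix user as an added example that is not from this thread: the user's packets get a firewall mark, marked packets use a routing table whose default route is wg0, and a final REJECT rule keeps that traffic from leaving by the ISP uplink if the tunnel is down. It assumes root, an already-running wg0 with the placeholder tunnel address 10.64.0.2, and that Deluge and the browser run as a hypothetical dedicated account named deluge.

```shell
#!/bin/sh
# Added example (not from the thread): iptables packet marking plus a
# source-based routing table for one Unix user. Everything that user
# sends is marked, marked packets are routed via wg0, and a final REJECT
# stops the same traffic from ever leaving by the ISP uplink.
# Assumptions: root, wg0 already up with tunnel address $WG_ADDR
# (placeholder) and a peer with AllowedIPs = 0.0.0.0/0; the tunnelled
# apps run as the hypothetical dedicated account $VPN_USER.
set -eu

VPN_USER="${VPN_USER:-deluge}"
WG_ADDR="${WG_ADDR:-10.64.0.2}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"

# Pure function: print the rule set so it can be reviewed (or tested)
# before it is applied. Notes on the non-obvious lines:
#  - rp_filter=2: replies arrive on wg0 although the main table would
#    route their source via eth0; strict mode (1) would drop them.
#  - SNAT on wg0: the source address is chosen from the main table before
#    the mark reroutes the packet, and the peer drops sources outside its
#    AllowedIPs, so rewrite it to the tunnel address.
#  - DNS: a local stub resolver (e.g. systemd-resolved) runs as another
#    user, so its upstream queries are unmarked and leave via the ISP, a
#    classic DNS leak; give $VPN_USER a resolver reachable via the tunnel.
render_rules() {
    cat <<EOF
sysctl -qw net.ipv4.conf.all.rp_filter=2
ip rule add fwmark $MARK table $TABLE priority 100
ip route add default dev wg0 table $TABLE
iptables -t mangle -A OUTPUT -m owner --uid-owner $VPN_USER -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o wg0 -j SNAT --to-source $WG_ADDR
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -o wg0 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -j REJECT
EOF
}

# Leak guard check: the last rule must be the catch-all REJECT.
leak_guard_last() {
    [ "$(render_rules | tail -n 1)" = "iptables -A OUTPUT -m owner --uid-owner $VPN_USER -j REJECT" ]
}

# Usage (as root): ./uid-split.sh show | apply
case "${1:-}" in
    show)  render_rules ;;
    apply) leak_guard_last && render_rules | sh -e ;;
esac
```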
Windscribe's VPN App (for Android) allows inclusive and exclusive split tunneling and also allows custom configs. So you can use custom ovpn/wg configs from your current provider and just use Windscribe's client to get split tunneling. No need to subscribe to Windscribe (although they are great).
Ok so I have set up a VPS as a proxy using
ssh -i C:/Users/%username%/.ssh/priv.key -D 1080 -f -C -q -N username@ip_address
and I have it working on Chrome; however, the speeds are 1/10 of what is supplied by the VPS. I am getting ~100Mbps up and down on Chrome, but the VPS has 1Gbps up and down. I have also been unable to get the proxy to work on Deluge, which is weird since it works on Chrome.
This route seems like it would be perfect, however these 2 issues are proving otherwise, so I may have to go with another approach.
Edit: Turns out it is working on Deluge however there is some kind of issue occurring which is stopping peers from connecting to me.
I use PrivadoVPN for this; they are really cheap and their app allows split tunneling. I also got Windscribe, but the speeds there are horrific. I tried a lot of VPNs, but PrivadoVPN stays the best for me; the only downside is no port forwarding.
Because I used to be behind traffic shaping with bittorrent I had some experimentation on the subject... what worked was to launch Deluge and let it connect to peers without the proxy for a few seconds only, or the ISP would retaliate, then enable the proxy from Deluge's settings.
It's a bitch but works. I didn't find any bittorrent client that properly works with a proxy.
From what I remember, SSH port forwarding (which the socks proxy function very much is at the core, even if it's dynamic) at least used to be single-threaded, making use as a web proxy pretty ineffective (I'm not 100% sure if that memory isn't coming from static forwarding though, so take it with a grain of salt).
In regards to torrents you probably won't be able to get an ideal experience this way either, since A] to my best knowledge torrent usually prefers UDP, which SSH's socks proxy won't do, and B] you will practically be firewalled off from the outside, since I'm also pretty sure that the emulated socks proxy won't support reverse forwarding (as far as that would be helpful while only supporting TCP to begin with), so you can't take incoming connections, which is usually quite bad for P2P. I don't have much torrent experience at all though, so maybe I'm somewhat off here.
In my opinion SSH's socks proxy isn't that great beyond mostly one-off ad hoc usage, but given you seem to be on Windows your alternate options are rather limited and I can't really recommend anything more optimal, I fear. Networking functionality on Windows is sadly pretty crippled (at least I've never heard of a way to set up any kind of fancy routing there).
What you could do, I guess, would be to build some kind of smallish router, but given the routing wouldn't happen on the machine itself you'd lose the possibility to route by process or user, as the router obviously has no clue where the packets it sees are coming from, and I'm not really sure if you'd manage to securely match and route all traffic just by protocol characteristics. At least DNS would be pretty much impossible to accurately discern, making the chances for leakage in this regard practically 100%.
Ok so I have Chrome and Deluge running with the proxy and everything works fine but the speeds aren't ideal. The cause isn't Deluge itself since I tested the speed on speedtest in Chrome which is where I got the 100Mbps result from. I have checked the resource usage on HTOP and the CPU sits at around 50% which seems fine so I am not sure what could be the issue. I think it may be a setting that needs changing but I don't know much about this sort of stuff so it could be anything.
Here is the speedtest directly from the vps via the cli - https://www.speedtest.net/result/c/d99fbf01-6632-4319-b650-682d80b352cd
and this is the result from Chrome on my PC - https://www.speedtest.net/result/16003047654
The upload speed seems fine since I get around 100 up on my home connection however my download should be ~700Mbps (though I know there is overhead for encryption etc). If there are any other ways of getting this to work instead of using socks5 over ssh that would be ideal but if not I may just have to look into getting another VPN with my desired features.
What'd you see if you switched to single connection mode on speedtest.net and retried?
Basically the same result - https://www.speedtest.net/result/16003098704
For me, Deluge over an SSH socks5 saturates my meager 8mbps. I have no comprehension of what 700mbps are.
I was getting basically full speed when I used Mullvad however it causes issues when playing games that can't be excluded from the VPN tunnel.
Wouldn't plain Wireguard VPN work for you? wg-quick with some AllowedIPs configs will autoconfig some of the iptables for you to support split tunneling.
Rather unlikely, as to my best knowledge there really isn't anything to configure in regards to how SSH handles socks. It's actually more of a gimmick. The usual performance tweak would be to switch to some less CPU-intensive encryption, but that's not really making a lot of sense here, as probably both the VPS and your local PC have hardware-accelerated AES, making a switch to chacha or similar probably more of a downgrade than anything else.
I'd try what @0xbkt suggested. If you don't see a noticeable difference in single connection mode, chances are SSH's proxy is actually really single-threaded or at least drastically limits the amount of concurrent connections. A possible workaround would be to set up Wireguard/OpenVPN between your PC and the VPS and run an actual real socks server (dante or whatever) there.
I have no idea. I assume if I am going to run a VPN, I would need some kind of client software that supports program-specific tunnelling (like PIA has) where I can just select the exe of the programs that I want to go through the VPN tunnel. I am willing to try if there are solutions for that out there.
I guess it is limited then which is unfortunate. I think it might be best to look into some self-hosted VPN solutions though trying to find one with the ability to split tunnel is going to be challenging.
Well, as I said before, you could actually run a basic VPN (as in no routing of internet traffic, just a virtual network) between your PC and the VPS and install a real socks server there. It's not overly elegant, but if socks would work for you in general I guess it would do. I'm not sure if there's a Wireguard client for Windows (if there is, that would probably be the go-to solution these days) but OpenVPN would definitely work.
Disclaimer: 700Mbit is quite a strain on a tunnel and there's no 100% guarantee that something like this will work at all either because of some bottleneck in the setup or because of some suboptimal routing between you and the VPS. At such speeds latency becomes quite a factor with anything going over TCP.
Yup, there are Wireguard clients for every platform imaginable nowadays because of the official Go userland implementation.
My suggestion would be to first set up microsocks on the vps, which is just a socks server. Should be as easy as installing it via apt or whatever and running it. Note that this proxy won't add additional encryption. Just to test, configure it in your browser, run a speedtest and report your results.
If speeds are better, set up a WireGuard tunnel to the vps for encryption.
Sounds pretty good. Just one tiny addition: I have the vague memory of microsocks actually being written in perl, which wouldn't necessarily be that performant. I'd probably rather go for dante, which might be a bit more complicated but not that much. It's also available via apt as dante-server. OP would just have to consult the man page/google in regards to configuring it.