r/VPNTorrents Aug 18 '21

Answered: Why you do need port-forwarding for Bittorrent

Many people look for a VPN with the primary goal of running Bittorrent. Sadly nearly equally many people have no idea what's important there and recommend a random popular VPN without port-forwarding. They know no better. These misguided 'recommendations' are all over this sub and r/piracy too.

Explanation

> But it has been running fine without any port-forwarding for me!

If you are OK with your downloads failing in 10% of cases then continue as usual. If you don't want to miss a chance, here's a short explanation:

Bittorrent relies on your connection working both ways: to accept incoming and outgoing connections. Without port-forwarding you may see slower speeds, slower speed ramp-up, and if a torrent has very few online seeders you may run into a situation where you cannot connect to anybody at all - no download! Seeding is very hard without port-forwarding.

Normally home users cannot accept incoming connections due to NAT. This is always the case for proxies and VPNs, but some VPNs allow the assignment of a port that will always lead to your connected device (and to your client). Making outgoing connections is always technically possible but then you rely on the seed/peer to have their ports open! At least one side must be open. There's no way around it.

A detailed explanation would be too long but you can ask in comments.

Is it safe (privacy-wise)? Decide for yourself, discussions also in comments

Opinion & TLDR: If a VPN tracked/logged you, they don't need port-forwarding to find you. On the other hand, it is possible that the no-log VPN is forced to disclose which account currently (at the time of request) has the port in question configured. So far without known precedents. I believe it's worth it, without seeding torrents would die.

How to

  1. Pick a VPN provider that supports port-forwarding. Here's a list I compiled last month.
  2. Pick a client and force it to only ever use the VPN connection in settings (see screenshots). This is called IP/interface binding
  3. In client settings set the "incoming port" to match the forwarded port from your VPN provider (also referred to as "local port")
    1. Disable UPnP and other automatic configuration unless your VPN provider explicitly only works with UPnP.
  4. You are set. Bon voyage on the calm seas!

Sometimes you also need to allow incoming connections to the client application in your firewall.

EDIT: Examples

Explicit examples where port-forwarding will help establish a connection:

  • Downloader, closed port <--- ---> Seeder, closed port: Tough luck!

  • Downloader, closed port ---> Seeder, open port: Instant!

  • Downloader, open port ---> Seeder, closed port: Bummer. Need to wait until Seed sees and connects back to you. Usually up to 30min (or tracker refresh time)

  • Downloader, open port <---> Seeder, open port: Instant! in either direction

I am writing these posts to form a complete guide for people to follow and set up everything. Next time I see someone recommending a trashy VPN, I'll send them here.

CC BY-SA 4.0

u/Lordb14me Aug 18 '21 edited Aug 18 '21

With port forwarding, apparently the VPN can no longer maintain that they can't forward DMCA notices. What's the truth about this? Usually VPNs share 1 IP with hundreds of connected customers at that location. I have heard from fellow seeders that somehow port forwarding might give you more exposure to copyright trolls.

u/no_step Aug 18 '21

If your VPN provider doesn't log, then port forwarding or not they can't forward DMCA notices

u/[deleted] Aug 19 '21

Yeah, but what if the DMCA rights holder asks the VPN company to tell them what IP a port forwards to at this given instant?

Log or not, that is information that a company possesses at this very moment.

Moreover, this is tough activity for a torrenter to mask. Especially for when you're seeding stuff long-term.

u/no_step Aug 19 '21

DMCA notices don't happen in real time so your argument doesn't make any sense.

u/iqBuster Aug 19 '21

Yes they (can) do. There's an entire kind of business sector dedicated to just that, but their processing must not be done by a conscious VPN provider. Also see my full comment below.

u/Low_Director3495 Dec 20 '21

How safe is port forwarding in torrent? Mullvad makes it safe?

u/iqBuster Jan 04 '22

Read other comments.

u/iqBuster Aug 19 '21

See my full answer below. They could dump all connection states even without you having ports forwarded, and later process the notice manually.

u/[deleted] Aug 19 '21

Manual/requested port forwards could be dumped a lot more easily, no?

Because you've inputted them into their WebUI directly, that should be easy for them to comply with?

u/iqBuster Aug 19 '21

Easy to get them: yes. Legal to return to the requester? Questionable. Even if they did, your plausible objection is: "I had changed the port to the port in question after the point in time when XYZ was committed", playing around the time difference when their notice was answered.

If your VPN provider goes out of their way to f you, an unfortunate choice it was. Imho it's a different threat model for the time being (all of the above unlikely & we're small fish) and imho it will change until the end of the decade. VPNs either legally forced to comply or outlawed. The DNS blocks at ISP level have already begun.

On the other hand there's Mullvad's stance in that they do not allow monthly recurring payment customers to port-forward. The only question there is, how hypothetical or real is the scenario today that they're cautiously defending against?

u/[deleted] Aug 19 '21

The DNS blocks at ISP level have already begun.

They're sinkholeing the domain names of torrent trackers and torrent sites like rarbg, pirate bay, etc.?

u/iqBuster Aug 19 '21

Yes there's a lot of evidence over at Torrentfreak. If you ever wondered why politicians/media practically never discuss China/Iran/Russia in terms of internet censorship, the likely reason is that they have it on the horizon themselves.

Many European countries but now also Australia and USA have fallen. Though in the US that's only per 'personal' court orders against a particular ISP iirc (or they're still trying? "Pirate Site Blocking Requests Sneak into U.S. Courts")

u/[deleted] Aug 19 '21

I'm assuming that they're just blocking DNS requests for these sites rather than IP access?

Most browsers have moved to DNS-over-HTTPS -- and, I only use AdGuard DNS or Quad9, and occasionally Cloudflare for DNS.

Unless they can compel VPNs to keep logs torrenting will stay alive, and finding magnet links and torrent files for movies and shows released in the past 5 years is a piece-of-cake. Worst-case-scenario, tor would host these links.

u/iqBuster Aug 20 '21

DNS blocks at ISP level is just the beginning. They've already forced Quad9 to comply with their crazy wishes.

u/[deleted] Oct 06 '21

[deleted]

u/dave_a7x Feb 10 '22

Are you saying OVPN forwards DMCA notices and it's not safe to torrent with them?

u/iqBuster Aug 19 '21 edited Aug 19 '21

This is technically correct, but at the same time a dubious edge-case like what has happened before due to DHCP and dynamic IPs (people wrongly accused due to IP changing and timing differences).

Note: Differentiate between UPnP (dynamic port-forwarding) and static. Further: non-logging vs logging VPN.

Actually I'm going to explain all 4 scenarios at the time of processing a notice:

  • No logs+UPnP: There are not even database entries to attribute a port to a user at that point in time. Unless they already have instruments to poll each server's UPnP mappings, they've absolutely nothing to report back. (They're sloppy if they do and violate your privacy; see next point)

  • No logs+static: There's a database entry but there's no proof/validation/verification that the current user held that port at the time something happened. In other words, there's no proof it was you. Maybe you've just got the previously released port and claimed for yourself. (This is pretty much the same as above. If the notices aren't granted data automatically on request, there's a time delay hence requires additional proof and logs that the user is indeed the suspect)

  • Logs+UPnP: Well they can just log UPnP events and connections

  • Logs+static: They've proof of you being there at the time of bad event and the logs of your port-forwarding configuration changes.


  • The 'logs everything': The VPN can log just every connection ever made (with a threshold filter to discard short-lived connections). GAME OVER.

  • The VPN does manual live traffic monitoring (IA mirror). See above

  • The VPN provider created tooling to automatically dump all servers' connection states at the time of notice (given how notices are automatic, there's no time delay and you're still connected and there's no way* it's not you): See above. *statistically highly improbable


My conclusions above are based on the current understanding of legislation. The other party would need to prove that you didn't just happen to change to an accused port after the deed. Unless your VPN provider... does you a disservice. Lastly, by using servers in the neighboring country you will evade most trolls who are just after easy money (except if you've angered someone for real, but you'll know better and the topic of the subreddit really ain't it).

If you believe a VPN at the current point in time is no longer sufficient for this threat model, you should either connect through Tor and pay with crypto (still shifting the burden onto someone else) or use i2p exclusively.

I think before long the trolls and other parties will push for a change in legislation to tackle VPNs at scale, for now it isn't the case. Though mark my words: they'll claim it's to hunt after 'hollywood s3xuals'.

PS: Personally, I'd still prefer UPnP (if available) / automatically open&close port for usage via scripts / periodically change the port. All of this is mostly placebo, what you really want is i2p or a dedicated service to track the trolls and apply updated ban lists to greatly reduce exposure.

u/Lordb14me Aug 19 '21

This is a great post and we really appreciate the time you took to expand on these various scenarios. I am a bit unclear about a couple of things and it would be great if you could clear some of my confusion. In uTorrent, each session I get a random port, say port number 54,345. I get all the peering traffic through that port, which is exposed out from the VPN address assigned to me on that server. On the client machine, the VPN chooses a random unique unassigned port for me to connect to the OpenVPN server, usually 1194 or 8080 or anything else. My question is, can DMCA entities log the port number 54,345 that I'm using via the VPN server exit, to the random port to send the traffic back to me? The tunnel from client to server is encrypted, so any MITM shouldn't see what my p2p port is, inside the tunnel, right? And this is why the trolls need the VPN's help to bridge that gap back to me? This example I outlined is without port-forwarding, but of course for torrents it still works. Your post is of course about making it faster at downloads. But I think port forwarding helps out seeding more... Which is a good thing.

u/iqBuster Aug 19 '21

At a network level the trolls only see the <VPN IP:port>, not whatever you've configured locally. In many cases however your local port will match the public port (the one in <VPN IP:public port>). You have the option to define a different local port on the VPN website (or wherever you set it up) or reroute the traffic locally to 'originate' from a different port number. But there's really no point.

Yes they need to bridge the gap, because if you've bound the client correctly to the VPN network, it will never contact the Internet with the real IP. Hence the VPN is the only lead they have and for a good while VPNs will be successful in shielding their users.

Right the tunnel is encrypted etc etc. and it's irrelevant what port you used to connect to the tunneling VPN server.

At the protocol level (BT), I'm not sure whether anything is 'leaked' per se at all. I don't think so. However your client (clientID), unique ID in peerID (usually changes automatically) and DHT node ID are public. Though I'm not aware of these being used at all by them. They just go after real IP and letter scare/irl scare from there. Easy money. Usually server IPs are left untouched (unnotified) because no easy money.
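To make concrete what the comment above calls "public at the protocol level", here is an added example (not code from the thread or from any client) that builds and parses the 68-byte BitTorrent peer-wire handshake: the first thing two peers exchange on every connection. Everything in it is visible to the remote peer: the info_hash of the torrent, the peer_id (client code, version and random tail in the Azureus convention), and the reserved bits advertising DHT, the extension protocol and the fast extension. What it does not carry is your local listening port or real IP; those the remote side only sees as the VPN's public IP:port on the TCP/IP layer. The sample handshake and the info_hash in it are constructed placeholders, and CLIENT_CODES is a small subset of the published client-code list.

```python
"""Build and parse a BitTorrent peer-wire handshake and decode an Azureus-style peer_id.
Added example, not from the thread; the sample handshake below is constructed, not
captured, and CLIENT_CODES is only a subset of the published client-code list."""
import os

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # 68 bytes: pstrlen, pstr, reserved, info_hash, peer_id

# Azureus-style client codes: b"-" + 2-char code + 4 version chars + b"-" + 12 random bytes
CLIENT_CODES = {
    "qB": "qBittorrent", "TR": "Transmission", "UT": "uTorrent",
    "LT": "libtorrent (rasterbar)", "DE": "Deluge", "AZ": "Vuze",
}


def build_handshake(info_hash: bytes, peer_id: bytes,
                    dht: bool = True, ltep: bool = True, fast: bool = True) -> bytes:
    """Build the handshake a client sends first on every peer connection."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be 20 bytes")
    reserved = bytearray(8)
    if ltep:
        reserved[5] |= 0x10   # extension protocol (BEP 10)
    if fast:
        reserved[7] |= 0x04   # fast extension (BEP 6)
    if dht:
        reserved[7] |= 0x01   # DHT support (BEP 5): the peer will send its DHT port afterwards
    return bytes([len(PSTR)]) + PSTR + bytes(reserved) + info_hash + peer_id


def decode_peer_id(peer_id: bytes) -> dict:
    """Azureus style is '-' + 2-letter client code + 4 version chars + '-' + random.
    The version digits are client-specific (qB4350 is qBittorrent 4.3.5.0), so they
    are returned raw rather than interpreted."""
    if len(peer_id) == 20 and peer_id[:1] == b"-" and peer_id[7:8] == b"-":
        code = peer_id[1:3].decode("ascii", "replace")
        return {
            "style": "azureus",
            "code": code,
            "client": CLIENT_CODES.get(code, "unknown"),
            "version": peer_id[3:7].decode("ascii", "replace"),
            "random": peer_id[8:].hex(),
        }
    return {"style": "unknown", "raw": peer_id.hex()}


def parse_handshake(data: bytes) -> dict:
    """Return what the remote peer (and anyone watching that hop) learns from the handshake."""
    if len(data) < HANDSHAKE_LEN:
        raise ValueError("short handshake")
    pstrlen = data[0]
    if pstrlen != len(PSTR) or data[1:1 + pstrlen] != PSTR:
        raise ValueError("not a BitTorrent handshake")
    off = 1 + pstrlen
    reserved = data[off:off + 8]
    info_hash = data[off + 8:off + 28]
    peer_id = data[off + 28:off + 48]
    return {
        "info_hash": info_hash.hex(),
        "peer_id": decode_peer_id(peer_id),
        "dht": bool(reserved[7] & 0x01),
        "extension_protocol": bool(reserved[5] & 0x10),
        "fast_extension": bool(reserved[7] & 0x04),
    }


# Constructed sample: a qBittorrent-4.3.5-style id; the info_hash is a placeholder, not a real torrent.
SAMPLE_INFO_HASH = bytes(range(20))
SAMPLE_PEER_ID = b"-qB4350-" + os.urandom(12)
SAMPLE_HANDSHAKE = build_handshake(SAMPLE_INFO_HASH, SAMPLE_PEER_ID)

if __name__ == "__main__":
    print(parse_handshake(SAMPLE_HANDSHAKE))
```

The random tail of the peer_id is regenerated by most clients per session (or per torrent), which is why the comment calls it "usually changes automatically"; the client code and version are the stable part a troll could correlate across sessions if they wanted to, though the comment notes they go after IPs instead.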

u/[deleted] Sep 05 '21

Damn found my aesthetic

u/[deleted] Aug 19 '21

If you believe a VPN at the current point in time is no longer sufficient for this threat model, you should either connect through Tor and pay with crypto (still shifting the burden onto someone else) or use i2p exclusively.

I suspect that paying with crypto itself doesn't help as much because things still get connected back to your home IP.

So, I'd add an additional layer of defense: make sure you get your own router and not your ISP's provided router. If push comes to shove, you can claim the "I have an open guest WiFi network" defense.

My friend uses ProtonVPN (free) or Cloudflare WARP (free) to route to his paid SOCKS5 proxy with TorGuard. But, I wonder how this works with dual-stack (4+6) IP configurations.

u/iqBuster Aug 19 '21

You can connect to VPN via Tor (OpenVPN TCP) so in the event of VPN disclosing info, they'd get only the Tor entry node.

For this to work well, your VPN should provide ports 80 or 443 to connect to (these are allowed through all Tor exit nodes).

I have no idea on the inner workings of SOCKS. Does it support dual-stack? I guess it doesn't and he only can access IPv4 (or 6 if he chose to).

u/[deleted] Aug 18 '21

If 2 parties are behind VPNs without port-forwarding, is there any way that the protocol allows them to download and upload between each other?

u/CluelessButTrying Aug 18 '21

Ah, the things I wish I had known before getting a 2 year Nord subscription... it's great for everything else but I always see it getting recommended for torrenting and I'm like wait, no! It honestly hasn't affected my torrenting in a big way but it would certainly be preferable to have port forwarding.

u/Actual-Maize Aug 24 '21

What about remote port on private internet access? Would that be fine to use ?

u/iqBuster Aug 25 '21

I suppose that's exactly what the forwarded port is called in that case.

u/[deleted] Aug 18 '21

How does it connect to peers if you don't have port forwarding turned ON?

I only download and then seed popular torrents -- this may be why I don't notice a major speed decrease of any kind.

The things I torrent reach my max internet speed in both download and upload for the right popular torrents.

Why is this still working?

u/iqBuster Aug 19 '21

Yes, I said:

Making outgoing connections is always technically possible but then you rely on the seed/peer to have their ports open! At least one side must be. There's no way around.

There are only few possible scenarios:

  • you have open ports

  • other peer has open ports

  • your/their NAT does not fall into the category of 'strict' NATs and sort of 'soft-reserves' the port you're using. I.e. without explicit configuration, the port always leads back to you for the duration of your active communication.

NAT hole punching relies on that last point, the ability to send out some packets to a destination, then the port is temporarily 'yours' and connectable from the outside world.

Bittorrent as a protocol has an extension that uses a 3rd peer to facilitate a rendezvous between two NAT'ed peers. I've done some searching last time around and both this feature support as well as NAT UDP hole punching are either not implemented at all or not properly advertised. This is the territory where only direct questions to developers can shed light on.

Usually if you see a non-zero number of peers reported by the tracker but nobody's connected to you and you're the only seed (unless someone's tricking the tracker), you've hit the 10% and the unlikely NAT situation I talked about. Totally depends on the kind of torrents you're going for.

Wikipedia lists the typical 4 types of NAT in the article on it, but it's a bit hard to understand just going by the descriptions there. I tried to explain but a textual explanation is destined to failure.
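The comment above says a textual explanation of NAT types is destined to fail, so here is an executable one instead: an added toy model (not code from the thread, no real NAT or client) of NAT mapping and filtering behaviour in the RFC 4787 terms that correspond to the four "cone/symmetric" types on Wikipedia. It reproduces the three scenarios the comment lists (you have an open port, the other peer has one, or neither does and the two NATs are loose enough for a rendezvous-assisted hole punch) and the OP's four downloader/seeder cases. Semantics are UDP-like: a packet either creates or reuses a mapping, and an inbound packet is delivered only if a mapping for that external port exists and the filtering rule admits the source. All IPs are constructed documentation addresses, and the rendezvous host stands in for a tracker or third peer that both sides already talk to.

```python
"""Toy model of NAT mapping/filtering behaviour (RFC 4787 terms) showing when two
NATed BitTorrent peers can reach each other. Added example, not from the thread;
all addresses are constructed documentation addresses."""


class Nat:
    """One NAT. mapping: how external ports are allocated (EI = same port for every
    destination, APD = a fresh port per destination, the 'symmetric' NAT). filtering:
    which sources an existing mapping admits (EI = anyone, AD = any port of an address
    the inner host has contacted, APD = only address:port pairs it has contacted)."""
    EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"

    def __init__(self, public_ip, mapping=EI, filtering=EI, first_port=40000):
        self.ip = public_ip
        self.mapping = mapping
        self.filtering = filtering
        self._next_port = first_port
        self._table = {}      # ext_port -> {"key", "inner", "dsts"}
        self._forwards = {}   # ext_port -> inner endpoint (static port-forward)

    def forward_port(self, ext_port, inner):
        """The 'open port' case: a static forward that ignores connection state."""
        self._forwards[ext_port] = inner

    def outbound(self, inner, dst):
        """Inner host sends to dst=(ip, port); returns the public (ip, port) the packet carries."""
        key = inner if self.mapping == self.EI else (inner, dst)
        for port, e in self._table.items():
            if e["key"] == key:
                e["dsts"].add(dst)
                return (self.ip, port)
        port = self._next_port
        self._next_port += 1
        self._table[port] = {"key": key, "inner": inner, "dsts": {dst}}
        return (self.ip, port)

    def inbound(self, src, ext_port):
        """Packet from src=(ip, port) arrives at ext_port; returns the inner endpoint it is
        delivered to, or None if the NAT drops it."""
        if ext_port in self._forwards:
            return self._forwards[ext_port]
        e = self._table.get(ext_port)
        if e is None:
            return None                       # no mapping: the 'closed port' case
        if self.filtering == self.EI:
            return e["inner"]
        if self.filtering == self.AD:
            return e["inner"] if any(d[0] == src[0] for d in e["dsts"]) else None
        return e["inner"] if src in e["dsts"] else None


RENDEZVOUS = ("203.0.113.9", 6881)   # constructed: tracker / third peer both sides talk to
A_INNER = ("192.168.1.10", 51413)    # constructed: downloader's LAN endpoint
B_INNER = ("10.0.0.5", 51413)        # constructed: seeder's LAN endpoint


def direct_connect(nat_a, nat_b, b_public_port):
    """Downloader A dials seeder B's public port. True if B's NAT delivers it."""
    ext_a = nat_a.outbound(A_INNER, (nat_b.ip, b_public_port))
    return nat_b.inbound(ext_a, b_public_port) == B_INNER


def hole_punch(nat_a, nat_b):
    """Neither side has a forward. Both learn each other's external endpoint via
    RENDEZVOUS and send at the same time; success means one packet is delivered
    and the reply to it makes it back, so a two-way flow exists."""
    ext_a = nat_a.outbound(A_INNER, RENDEZVOUS)   # what RENDEZVOUS sees from A
    ext_b = nat_b.outbound(B_INNER, RENDEZVOUS)   # what RENDEZVOUS sees from B
    src_a = nat_a.outbound(A_INNER, ext_b)        # A -> B's observed endpoint
    src_b = nat_b.outbound(B_INNER, ext_a)        # B -> A's observed endpoint
    if nat_b.inbound(src_a, ext_b[1]) == B_INNER:
        reply = nat_b.outbound(B_INNER, src_a)
        if nat_a.inbound(reply, src_a[1]) == A_INNER:
            return True
    if nat_a.inbound(src_b, ext_a[1]) == A_INNER:
        reply = nat_a.outbound(A_INNER, src_b)
        if nat_b.inbound(reply, src_b[1]) == B_INNER:
            return True
    return False


if __name__ == "__main__":
    strict = lambda ip: Nat(ip, Nat.APD, Nat.APD)   # symmetric NAT, both ways strict
    print("both strict, no forward:", hole_punch(strict("198.51.100.1"), strict("198.51.100.2")))
    b = strict("198.51.100.2")
    b.forward_port(6881, B_INNER)
    print("seeder forwarded:", direct_connect(strict("198.51.100.1"), b, 6881))
```

The model is deliberately UDP-shaped; TCP hole punching is harder still (it needs simultaneous SYNs and cooperative stacks), which fits the comment's observation that clients largely do not implement it. A forwarded port is the one case that short-circuits the whole table: `direct_connect` succeeds against any NAT type on the other side.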

u/TheTurkishWarlord Aug 18 '21

Other people with port forwarding on can still connect to you.

u/[deleted] Aug 18 '21

So, if 2 people don't have port-forwarding turned ON, they'll never be able to transfer files over bittorrent to each other?

u/TheTurkishWarlord Aug 18 '21

Yes, that is the case.

u/TheTurkishWarlord Aug 19 '21

I don't know that much about it. But usually when there's no peer at my local private tracker with forwarded ports, we have to request someone with port forwarding on to help us be able to download that torrent.

u/[deleted] Aug 19 '21

And, then it works for everyone else somehow?

u/Adamblastia Aug 18 '21

How do you know when it's working? When I use the process you describe with Mullvad port forwarding, this site shows my success. I can't get similar results with TorGuard under any circumstances yet. I'm left unsure whether I've accomplished anything. Do you have a process you use for verification?

u/iqBuster Aug 18 '21

Usually a fair way to tell is when you see people in the peer list with an incoming arrow, the clients like qBittorrent then tell you the connection is fine.

Unfortunately I do not have an easy way or tool to recommend. Sometimes some of these websites don't work, sometimes the VPN (needs like a reconnect or something). Generally you want the client running on that port before checking on the website, otherwise it'll not open a connection (no application to connect to) and tell you it's "closed".

The first time went smooth, yet last time I did it, I nearly went insane. This doesn't sound motivational for this post, but after half an hour of logging my attempts (write everything down when troubleshooting!) it just started working after repeating steps I had done before. In reality you need to check all of the following:

The (Website) Checker works? -> got correct VPN's public IP? -> got correct VPN public(remote)/local port? -> firewall on computer blocking? -> client listening on correct port?

Keep in mind most of these websites only check for TCP, not UDP. For Bittorrent you ideally want both (TCP-only works fine with trackers with impaired DHT, UDP is used for DHT+transfers and sometimes trackers). Usually though an open TCP port = open UDP port.

For your sanity: just tested and the website reports correctly but only when the client is running on that port.
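The OP's how-to (bind the client to the VPN interface, set the incoming port, allow it in the firewall) and the checklist in the comment above (checker works, correct VPN IP, correct port, firewall, client listening) can be partly automated on the local side. Below is an added example, not code from the post or any client, that covers the three steps you can verify from inside the tunnel: whether the tunnel address is actually present on this machine (a bind to it fails when the VPN is down, which is what interface binding relies on), whether something is listening on the forwarded port on that address only, and how a TCP probe to it is answered. It also distinguishes the two ways a checker reports "not open": a refusal (RST, nothing listening, the case the comment describes) from a timeout (a firewall dropping the packet, the case the OP's firewall note describes). The public half, VPN IP plus remote port from outside, still needs a checker website or a second machine. TUN_IP and PORT are placeholders, and BoundListener is a stand-in for the torrent client's listening socket.

```python
"""Local half of the "is my forwarded port working" check. Added example, not
from the post or the comment; TUN_IP and PORT are placeholders and
BoundListener stands in for the torrent client's listening socket."""
import errno
import socket
import threading

TUN_IP = "10.8.0.2"   # placeholder: the address your VPN tunnel interface was given
PORT = 54345          # placeholder: the port the VPN provider forwarded to you


def address_is_local(ip: str) -> bool:
    """True if ip is configured on a local interface, i.e. bind() accepts it.
    When the VPN is down this fails, so a client bound to the tunnel address
    cannot silently fall back to the real NIC."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((ip, 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def check_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way checker websites do: open / closed / filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # SYN-ACK: something accepted the connection
    except socket.timeout:
        return "filtered"          # no SYN-ACK and no RST: a firewall is dropping it
    except OSError as e:
        if e.errno in (errno.ECONNREFUSED, errno.ECONNRESET):
            return "closed"        # RST: host reachable, nothing listening on that port
        return "filtered"          # unreachable etc.: treat like a drop
    finally:
        s.close()


class BoundListener:
    """Stand-in for the torrent client's listening socket, bound to one address
    only (interface binding). port=0 lets the OS pick a free port."""

    def __init__(self, bind_ip: str, port: int):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_ip, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
                conn.close()       # a real client would run the handshake here
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self.sock.close()


def self_check(bind_ip: str, port: int) -> dict:
    """Run the checks in the comment's order; a later step only means something
    once the earlier one passed."""
    result = {"tunnel_address_present": address_is_local(bind_ip)}
    result["port_state"] = check_tcp_port(bind_ip, port) if result["tunnel_address_present"] else "n/a"
    result["ok"] = result["port_state"] == "open"
    return result


if __name__ == "__main__":
    print(self_check(TUN_IP, PORT))
```

Run it with the client already listening, as the comment advises; a "closed" result with the client running means it is listening on a different address or port, a "filtered" result points at the host firewall, and "n/a" means the tunnel is not up at all.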

u/[deleted] Aug 18 '21

Usually a fair way to tell is when you see people in the peer list with an incoming arrow, the clients like qBittorrent then tell you the connection is fine.

Where do I find this arrow?

u/Adamblastia Aug 18 '21 edited Aug 18 '21

I see the tiny flags along with the swarm IPs, but don't see any arrows, if that's where I'm supposed to see them.

Update on TorGuard port forwarding - YouGetSignal now shows it working. Yay! (I need a few more testing websites so I'm not entirely dependent on the one.)

Edit:

Port Checker and CanYouSeeMe do just the same thing, so one isn't over-relying on a single site.

u/sgben52 Aug 20 '21

Hey. I use TorGuard too, but am a bit confused as to all the settings for setting up port forwarding. Could you send me a censored version of your settings?

u/Wide-Monk6722 Dec 09 '21

Same here i am really confused with this setup

u/Heisenbergxyz Aug 18 '21

3 guides you made is awesome, should post on r/piracy

u/jdk309 Aug 18 '21

Ivacy is easy to get the paid option as a free option. Some of the sales included LIFETIME membership ($34 at the time iirc) and all paid features were even included. Best buy ever.

u/[deleted] Aug 18 '21

How does IPv6 factor into all of this?

u/iqBuster Aug 19 '21

Theoretically IPv6 has enough address space such that each VPN user on a server could get his own for the duration of the connection. Therefore the need for port-forwarding/mapping is eliminated. The problem with IPv4 is that all users share the same 65535 ports.

Residential users of ISPs that offer Dual-stack Lite do not need to worry about IPv6-to-IPv6 connections, they already have a unique IPv6. But they do not have a dedicated IPv4 and due to the nature of it are behind CGNAT for IPv4 connections without the ability to manually port forward. Enter all the NAT hole punching techniques...

If your VPN has both IPv4+6 and your client seeks simultaneous connection, there's an interesting (rare) phenomenon to be observed. Peers behind NAT can accept (from their PoV) incoming IPv6 connections, but not for IPv4. Also their port numbers will differ (although it's the same computer): because IPv6 shows the real port number and IPv4 shows an ephemeral port number used by a NAT server inbetween.

IPv6 is a special case with VPNs. Sure they must first implement it, such that each user gets a unique IPv6. But do they now forward ALL incoming traffic to the user? That's not desirable. It will either still be manual (but instead of 'port-forwarding' it would technically be 'lifting a restriction' in the firewall) or be connection-tracking, i.e. functioning like the not restrictive NAT I talked about in another comment.

u/[deleted] Aug 19 '21

My VPN uses Wireguard.

My ISP is still working on moving to dual-stack, so I'm still using IPv4.

More importantly, my VPN offers IPv6 and IPv4 through an IPv4 endpoint that I connect to.

I notice that many IPv6 peers that I connect to are all not in the US or Canada -- most are from developing countries like India, Indonesia, etc.

That makes sense because they didn't get dibs on IPv4 spaces like the developed world did.

And, they, thank the lord, don't have strong internet piracy laws like we in the developed world do.

u/iqBuster Aug 19 '21

And, they, thank the lord, don't have strong internet piracy laws like we in the developed world do.

Amen. Though not for long: https://torrentfreak.com/president-sends-south-africas-new-copyright-bill-back-to-parliament-after-us-and-eu-pressure-200624/

All WTO member countries are bound by the Berne convention and its later amendments. On paper they ought to... in practice there's no money to be had so the trolls don't bother yet imo.

u/[deleted] Aug 19 '21

Don't mean to sound offensive, but, I guess they're too broke to sue for any worthwhile amount of money.

Though, I guess that it's the richer people in the developing world that are engaging in torrenting -- long live these folks!

u/iqBuster Aug 19 '21

Too broke for the first world? Yes. But not in relation to their own countrymen imho.

I think the main reason is the lack of easy laws. The IP industry had spent billions to push their laws in the west. A well oiled legal machine makes it easy for them to the point of it being a tangible source of income: if the IP holder doesn't legally distribute their trash video or whatever, they'd just sell exclusive rights (time-limited and geo-restricted) to local troll lawyers and these wreak havoc in their hunt for easy money. So yeah, I think it's for the lack of laws.

<3

u/[deleted] Aug 19 '21

That's not desirable.

What does the standard/average residential router do with IPv6 in this case?

Will we have to rely on OS firewalls alone?

How will that work? Set anything coming to your WAN IPv6 into a "public" firewall profile and everything coming to your Link-Local or Unique-Local addresses into a "private" firewall profile?

Then, you'd open a port on your WAN IPv6 "public" firewall for all your torrenting needs?

u/iqBuster Aug 19 '21

I think technically the consideration was to have firewalls, but ain't no one wishing early 2000s Windows worms back. All good questions I can't answer :) But I think that all routers default to the old port/address restricted NAT: let traffic through if your computer (IPv6) has previously contacted that other address. Aka stateful firewall/connection tracking etc.

Then, you'd open a port on your WAN IPv6 "public" firewall for all your torrenting needs?

I think yes, if you give out the complete 2001:db8:0:3::4567 address, there's nothing to reroute and it points to your device. It's just a matter of not discarding the traffic.

u/[deleted] Aug 18 '21

Is downloads failing in 10% of cases worth the loss in privacy?

u/iqBuster Aug 19 '21

I will answer that under the top comment.

u/blondbeaast Jan 16 '22

Hi! Thank you for your explanation. I am a bit of a noob and I wondered if it is also necessary to set up port forwarding in the router with the private PC IP address? If yes, should I then use the same port as used in the torrent client and VPN?

Also, can I use proxy, via the VPN provider, in the torrent client while port forwarding?

I am a little late to the party, but hope you can help. :)

u/iqBuster Jan 21 '22

The point of using VPN/proxy is to not let any traffic go raw through your real router connection. This is the reason you must not port-forward on your router, it's the VPN server's job now and that's where it must be configured.

If you use the proxy you'll lose port-forwarding.

You -> router -> VPN -> proxy:proxyPort and that's different from

You -> router -> VPN:port (port-forwarded)