portsup DD-WRT User
Joined: 20 Oct 2018 Posts: 210
Posted: Sun Aug 04, 2019 14:39 Post subject: Transmission Crashing, PIA, portforwarding, killswitch,cron
OK, so I have had for a long time a good setup for Transmission using PIA, so OpenVPN with port forwarding and a kill switch. Except I have had some other issues, which I resolved, because of a fragmented SMR drive, aka nightmare drive. Remaining issues were Transmission crashing or just going a bit funny. So I have come to solve it with cron scripts to monitor things and restart periodically. I also came to rework much of the way I was setting up Transmission for the VPN with kill switch etc. I think the code is now much better.
I will now give the code, setup and explanation.
I setup jffs in nvram. I had an issue with mount times and openvpn starting when using another drive. You could restart openvpn to avoid the need for nvram.
You obviously need transmission from entware installed, but I think you also need busybox to run scripts as "#!/bin/sh", which is important.
This is my first script, portforward.sh
Code:
#!/bin/sh
# restore my modified route-up.sh / route-down.sh over the generated ones
cp -a /jffs/openvpncl/* /tmp/openvpncl/
# restore the transmission settings file from my backup copy
cp -a /opt/transmission/config/settingscopyfrom.json /opt/transmission/config/settings.json
I load it in the openvpn config with "up /jffs/portforward.sh". This script overwrites some things. At /jffs/openvpncl/ I have previously saved the route-up.sh and route-down.sh scripts from /tmp/openvpncl/. I have altered them so when copied back they have extra code I want run. The transmission overwrite is to restore the settings file from one I backed up. I have another problem where the settings file gets altered by the various remotes I use to control transmission... this really messed me around before I worked it out. Anyway this solves that.
Next script, route-up.sh
Code:
#!/bin/sh
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -I POSTROUTING -t nat -o tun1 -j MASQUERADE
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D FORWARD -i tun1 -j ACCEPT
iptables -D FORWARD -o tun1 -j ACCEPT
iptables -I INPUT -i tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -j ACCEPT
iptables -I FORWARD -o tun1 -j ACCEPT
for IP in `cat /tmp/openvpncl/policy_ips` ; do
ip rule add from $IP table 10
done
# added: give tun1 the dedicated IP that transmission binds to
ip addr add 192.168.168.168 dev tun1
ip route add default via $route_vpn_gateway table 10
ip route flush cache
echo $ifconfig_remote >>/tmp/gateway.txt
echo $route_vpn_gateway >>/tmp/gateway.txt
echo $ifconfig_local >>/tmp/gateway.txt
stopservice dnsmasq -f
startservice dnsmasq -f
cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
env | grep 'dhcp-option DNS' | awk '{ print "nameserver " $3 }' > /tmp/resolv.dnsmasq
cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
sleep 2
touch /tmp/resolv.dnsmasq
# added: hand off to the script that starts transmission and fetches the port
/jffs/portforward1.sh
Two bits I added to this. One is "ip addr add 192.168.168.168 dev tun1", which gives the VPN device tun1 that IP in addition to others it has. This sets up some of the routing for that IP to work over the VPN. I also added 192.168.168.168 to the pbr, which sets up the rest of the routing; you could add it here with "ip rule add from 192.168.168.168 table 10". I bind transmission to that IP. That IP has no other routing than through the VPN, so it can not leak, VPN up, down or not running. You could use another IP, just make sure it is not in the usual range you use, otherwise it could leak, unless you were to use other methods, iptables or preserving the pbr ip rules etc.
The other code I add is "/jffs/portforward1.sh" to run the next script, which is
Code:
#!/bin/sh
# run the real work in the background so openvpn's script handling does not block it
/jffs/portforward2.sh &
exit 0
Why am I using a script to jump to the next script? Well, openvpn has some restrictions on the way scripts run from it and somehow this gets around it. This is the next script
Code:
#!/bin/sh
# start transmission at reduced priority with my config directory
nice -n 1 /opt/bin/transmission-daemon -g /opt/transmission/config
# give the daemon time to come up before talking to it
sleep 15
# ask PIA for the forwarded port over the tunnel (ONE line, forum may wrap it)
port=$(curl --interface tun1 "http://209.222.18.222:2000/?client_id=##YOUR SHA CALC HERE##" 2>/dev/null | awk -F ':' '{ print $2 }'| awk -F '}' '{ print $1 }')
# debug only
echo "$port" >/tmp/port.txt
# push the port into the running daemon
/opt/bin/transmission-remote 192.168.3.1 -p "$port"
# forward that port to the IP transmission is bound to
iptables -t nat -I PREROUTING -p tcp --dport "$port" -j DNAT --to 192.168.168.168
"nice -n 1 /opt/bin/transmission-daemon -g /opt/transmission/config" this runs transmission with my config stored at that location. I am actually running it on an additional non-SMR hard drive (mounted as /opt/) to also save its parts there and then copy to the SMR drive to avoid "messing it up"... Nice -n 1 reduces the process priority so transmission isn't so much of a hog on the rest of things. AKA makes it play "nice" lol linux and names...
"port=$(curl --interface tun1 "http://209.222.18.222:2000/?client_id=##insert your sha256sum from calc here##" 2>/dev/null | awk -F ':' '{ print $2 }'| awk -F '}' '{ print $1 }')" is actually ONE LINE (forum wraps it) and you will need to enter your sha256sum calc number to make it work. Here https://emn178.github.io/online-tools/sha256.html the first google result for a "sha256sum calculator", just hit some random characters into the top box for your number in the bottom one. This code gets the port from PIA and saves it as $port. The "sleep 15" above it is important to make this work! You can take a look at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313661 for more info. There I posted my original code which worked fine. The next poster obviously didn't read it and went on for another 7 pages....
"echo $port>/tmp/port.txt" is just for debug and unnecessary.
"/opt/bin/transmission-remote 192.168.3.1 -p "$port"" this sends the port to transmission while it is running, hence you need to start it before.
"iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to 192.168.168.168" this forwards the port to that ip I am using for transmission.
Other code is the route-down.sh script
Code:
#!/bin/sh
iptables -D INPUT -i tun1 -j ACCEPT
iptables -D POSTROUTING -t nat -o tun1 -j MASQUERADE
ip route flush table 10
# added: stop transmission so route-up does not start a duplicate
killall transmission-daemon
I only add "killall transmission-daemon", which is sort of an extra or double kill switch but isn't necessary for that as it won't leak without it. It does prevent a duplicate process when the route comes back up and my script launches transmission again. You could set up the launch of transmission outside the VPN process and so not need this. Or do an if statement to check if it is already running. It may be better to get the port entered into the settings file for my next bit. I am not sure if transmission writes to the settings file when crashing, or when it writes to the settings file, maybe only on shutdown. It does lock it or something when running.
So here are the cronjobs
Code:
*/5 * * * * root /jffs/transmissionstayup.sh
0 */5 * * * root /jffs/transmissionrestart.sh
This runs the first script transmissionstayup.sh every 5 minutes. Which is this
Code:
#!/bin/sh
# 1 if the tunnel device exists, 0 if not
vpn=$(ip link show |grep -v grep |grep -c tun1)
# number of transmission-daemon processes
trans=$(ps |grep -v grep |grep -c transmission-daemon)
# tunnel up, transmission crashed: restart transmission
if [ "$vpn" -eq "1" ] && [ "$trans" -eq "0" ]
then
    nice -n 1 /opt/bin/transmission-daemon -g /opt/transmission/config
fi
# tunnel down, transmission still running: stop it and bring openvpn back
if [ "$vpn" -eq "0" ] && [ "$trans" -eq "1" ]
then
    killall transmission-daemon
    sleep 30
    openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon
fi
# both down: bring openvpn back, route-up.sh will start transmission
if [ "$vpn" -eq "0" ] && [ "$trans" -eq "0" ]
then
    openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon
fi
# duplicates: kill them all and start one clean instance
if [ "$trans" -gt "1" ]
then
    killall transmission-daemon
    sleep 30
    nice -n 1 /opt/bin/transmission-daemon -g /opt/transmission/config
fi
This restarts transmission if it crashes, kills duplicates of transmission, restarts openvpn if it crashes.
The second script transmissionrestart.sh runs every 5 hours and is this
Code:
#!/bin/sh
vpn=$(ip link show |grep -v grep |grep -c tun1)
trans=$(ps |grep -v grep |grep -c transmission-daemon)
if [ "$vpn" -eq "1" ] && [ "$trans" -eq "1" ]
then
    killall transmission-daemon
    sleep 30
    nice -n 1 /opt/bin/transmission-daemon -g /opt/transmission/config
fi
Doing this just keeps transmission from going strange. Time from restart is obviously something you would have to play at. Every hour seems silly but 5 is reasonable.
Extra info (may help)
This is my transmission config, with port changed and password for some anonymity here.
Code:
{
"alt-speed-down": 50,
"alt-speed-enabled": false,
"alt-speed-time-begin": 540,
"alt-speed-time-day": 127,
"alt-speed-time-enabled": false,
"alt-speed-time-end": 1020,
"alt-speed-up": 50,
"bind-address-ipv4": "192.168.168.168",
"bind-address-ipv6": "::",
"blocklist-enabled": false,
"blocklist-url": "http://www.example.com/blocklist",
"cache-size-mb": 12,
"dht-enabled": true,
"download-dir": "/tmp/mnt/sda1/torrents",
"download-queue-enabled": true,
"download-queue-size": 20,
"encryption": 0,
"idle-seeding-limit": 30,
"idle-seeding-limit-enabled": false,
"incomplete-dir": "/opt/transmission/parts",
"incomplete-dir-enabled": true,
"lpd-enabled": false,
"message-level": 2,
"peer-congestion-algorithm": "",
"peer-id-ttl-hours": 6,
"peer-limit-global": 1020,
"peer-limit-per-torrent": 200,
"peer-port": 34987,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"peer-socket-tos": "default",
"pex-enabled": true,
"port-forwarding-enabled": true,
"preallocation": 2,
"prefetch-enabled": false,
"queue-stalled-enabled": true,
"queue-stalled-minutes": 30,
"ratio-limit": 2,
"ratio-limit-enabled": false,
"rename-partial-files": true,
"rpc-authentication-required": false,
"rpc-bind-address": "0.0.0.0",
"rpc-enabled": true,
"rpc-host-whitelist": "",
"rpc-host-whitelist-enabled": true,
"rpc-password": "deleted",
"rpc-port": 9091,
"rpc-url": "/transmission/",
"rpc-username": "",
"rpc-whitelist": "127.0.0.1,192.168.3.*",
"rpc-whitelist-enabled": true,
"scrape-paused-torrents-enabled": true,
"script-torrent-added-enabled": false,
"script-torrent-added-filename": "",
"script-torrent-done-enabled": false,
"script-torrent-done-filename": "",
"seed-queue-enabled": false,
"seed-queue-size": 10,
"speed-limit-down": 100,
"speed-limit-down-enabled": false,
"speed-limit-up": 100,
"speed-limit-up-enabled": false,
"start-added-torrents": true,
"trash-original-torrent-files": false,
"umask": 18,
"upload-slots-per-torrent": 100,
"utp-enabled": true
}
These settings are working for me with a R7000. Using parts storage (incomplete-dir) on another drive protects the SMR drive. I use preallocate on that drive to reduce fragmentation but it is not really needed. Preallocate is meant to reduce messing up a SMR drive if you write to it, but I don't see that at all working as torrents get written piece by piece all over the place and even though the space is reserved it will still damage the data next to each piece as it is written and the drive goes on long long i/o waits fixing itself. SMR is fine but you can only use them for write large and seldom, read whenever.
Disabling encryption speeds things up a bit. But an interesting thing I stumbled on was setting the peer-limit-global closer to 1024 restricts the amount of files transmission can keep open and so reduces drive i/o, and so improving drive access for other things like ftp. I have it at 1020 but 1024 before, both seem to work well, transmission, ftp are all more responsive. Side effect is I have occasionally crashed openvpn or the tunnel with that setting so I will have to see how that goes with my new cron scripts. I found a post here https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=311060 about monitoring the tunnel with a ping through it, I may use that if I have more issues with it.
Also using EXT4 on the drives with ddwrt significantly improves performance over NTFS. NTFS is like really bad and the linux drivers still mess things up on it after so many years.
Ext2fsd https://sourceforge.net/projects/ext2fsd/ is a great driver to read write to ext drives on windows. It even includes the linux command mke2fs.exe to format drives to any ext. JUST BE CAREFUL as I learnt the hard way with one drive wiped that using windows device safely remove corrupts ext4 partitions. Would be nice if that bug was "fixed"....
That's all for now, hope I have helped someone.
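Two checks I would put around the scripts above, as an added example that is not the poster's code: the port reply from PIA is validated before it is handed to iptables or transmission-remote, and the bind IP's route is confirmed to leave via tun1 before transmission is started. It assumes the same 192.168.168.168 bind address and tun1 device as the post, and a full iproute2 `ip` for the live check.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the post's bind IP
# 192.168.168.168 and tunnel device tun1.

# Extract the forwarded port from a PIA-style reply such as {"port":34987}.
# Accept it only if it is a sane non-privileged TCP port; anything else
# (error text, empty body, garbage) prints nothing and returns non-zero, so
# nothing unvalidated ends up in an iptables rule or a transmission-remote call.
extract_port() {
    # $1: response body
    port=$(printf '%s\n' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\).*/\1/p')
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# Print the output device named in one `ip route get` result.
# $1: the text printed by ip route get
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Live check for the router (not exercised offline): fail closed unless the
# bind IP's path to the internet goes out of tun1. Run this before starting
# transmission-daemon; a result of br0 or eth0 here would mean a leak path.
check_killswitch() {
    out=$(ip route get 1.1.1.1 from 192.168.168.168 2>/dev/null) || return 1
    [ "$(route_dev "$out")" = "tun1" ]
}

# Example of wiring it into portforward2.sh (constructed reply, no network):
demo() {
    reply='{"port":34987}'
    port=$(extract_port "$reply") || { echo "no usable port, not opening anything" >&2; return 1; }
    echo "would run: iptables -t nat -I PREROUTING -p tcp --dport $port -j DNAT --to 192.168.168.168"
}
```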