Torrenting (seeding) with VPN that doesn't forward a port - misconceptions

Many VPN providers that don’t provide “port forwarding” say it’s not necessary for torrenting/seeding. They cite security issues. So what do users who torrent do in these cases, since my experience has been that I can’t seed at all without a port forwarded by the VPN provider?

I was under the impression that I could bind my torrent client to the VPN tunnel interface (utun on mac) and Local VPN IP address, but also open a port on my router and add that port in the torrent client to enable seeding. I guess that was a misconception, because when I do so - even though the torrent client says connections are possible - the speed is very slow.

I have been told that setup is not doing what I think it is. That the open port is not on the VPN network, it’s on my non-VPN WAN! Which means any traffic going through that port would be visible.

When using the forwarded port in qBT settings, qBT achieves up to 20MiB/s down speed.

When using an open port on my router in qBT settings (while bound to the VPN interface and IP) it achieves up to 2MiB/s down speed.

This is with all traffic going over PIA VPN tunnel and using PIA DNS servers. So there shouldn’t be any ISP traffic shaping going on.

Also, when using the open port in my router, qBT is slow to pick up DHT nodes (less than 100 nodes). Whereas with the forwarded port DHT nodes populate (over 360 nodes) within a minute.

I am on Comcast, I know they are blocking torrent traffic. When not using a VPN I can’t even seed a Linux Distro.

I did cross-post this in the PIA and qBittorrent forums.

  • Enabling port-forwarding on a VPN has nothing to do with router.

  • While torrenting you can either be an “active” or “passive” node (being able to initialize connections). Without VPN you’re an active node if UPnP / NAT-PMP is enabled which usually is by default. When you connect to a VPN you become passive, unless you’re port-forwarded (again - nothing to do with router).

  • It’s possible to download / upload as passive node (without port-forwarding), you just connect to fewer peers. Fewer peers means slower speeds/performance. This is especially noticeable while seeding or downloading from public trackers, and especially negligible while downloading from private trackers with plenty of seedboxes.

There you go, a summary.

I appreciate the clarification.

To test different configurations and see results using a linux distro, I disconnected from the VPN.

Using these settings I had non-intuitive results. It downloaded just fine but it would not seed.

In the qBittorrent client:

  1. I set the “Network Interface” to “en0” (my wired connection)
  2. I tried to set the IP address to my external IP but the menu only showed my local IP so I set it to “All IPV4 Addresses”
  3. I opened a port in my router and added that port to “listening port”
  4. I checked “use UPnP / NAT-PMP port forwarding from my router”
    1. after that failed to produce connections I unchecked it

I kept seeing attempts to connect but all Peers that connected were dropped. I saw this while running lsof too.

Then I tried to determine what settings might be causing this.

  1. I checked my firewall, turned it off.
  2. I double checked the port that I opened in the router.
  3. I turned off DHT, PeX, Encryption, Anonymous mode. I tried TCP only Peer Connection protocol.

Occasionally one peer would connect but then it would drop out. I suppose there could be other reasons aside from my client settings. I noticed that I was seeding while I was downloading but as soon as the file completed my seeding speed dropped to nothing.

Then I just gave up.

[screenshot of speed graph]

Mullvad doesn’t have split tunneling for Mac unless we use OpenVPN and Tunnelblick. OpenVPN is significantly slower than WireGuard. It’s also twice as expensive.

I’ve been thinking I should buy a mac mini and install Linux/Ubuntu on it and set that up to torrent instead of using my main computer. But that would take up far more time than I have… too steep a learning curve.

I think I just miscommunicated the setup. The client is bound to the VPN. I have confirmed this.

I run this to see what is running on my WAN. If qbittorrent does not appear, that’s good.

    # Addresses of the physical interfaces; nothing should be using them while the tunnel is up
    ETH_IP=$(networksetup -getinfo Ethernet | awk -F ': ' '/^IP address/{print $2}')
    WIFI_IP=$(networksetup -getinfo Wi-Fi | awk -F ': ' '/^IP address/{print $2}')

    # List LISTEN/ESTABLISHED TCP sockets bound to the given address.
    # lsof writes spaces in command names as \x20; strip them so column -t lines up.
    report_bypass() {
      [ -n "$1" ] || return 0   # interface has no address (e.g. Wi-Fi off): nothing to check
      LSOFR=$(/usr/sbin/lsof -lP -Tqs -i @"$1" -sTCP:ESTABLISHED,LISTEN +c0 | \
        /usr/bin/sed 's/\\x20//g' | \
        /usr/bin/awk '{print $1,$2,$3,$5,$8,$9,$10,$11,$12}' | \
        /usr/bin/column -t)

      /usr/bin/printf '%b\n' \
        "$(/bin/date "+%X") - APPS BYPASSING VPN TUNNEL ON $1" \
        "\n$LSOFR" \
        "fin"
    }

    report_bypass "$ETH_IP"
    report_bypass "$WIFI_IP"

I run this to confirm qBittorrent is connecting to the VPN IP address:

    MYTIME=$(date "+[%X]")

    # Header line plus every listening socket of qbittorrent; the NAME column shows
    # which address it is bound to (should be the 10.x VPN address, not the LAN one)
    {
      printf '%b\n' "\n$MYTIME - QBiT CONNECTION STATUS" \
        "$(lsof -lP -S2 -i TCP -s TCP:LISTEN +c 12 | grep -E '^COMMAND|qbittorrent' | awk '{print $1,$2,$3,$5,$8,$9}' | column -t)" \
        "fin"
    }

I run this to confirm the utun interface:

    {
      echo "$(date "+%X") UTUN INTERFACE $(netstat -tunl inet | grep "tun" | awk '{print $9}')"
    }

I run this to see details of the PIA connection:

    # piactl is the PIA command-line client; each "get" prints one value
    CONSTATE=$(/usr/local/bin/piactl get connectionstate)
    REGION=$(/usr/bin/printf '%s%s' ": " "$(/usr/local/bin/piactl get region | tr 'a-z' 'A-Z')")
    PFOR=$(/usr/local/bin/piactl get portforward)
    PUBIP=$(/usr/local/bin/piactl get pubip)
    VPNIP=$(/usr/local/bin/piactl get vpnip)
    # PROXYIP=$(ping -c 1 proxy-nl.privateinternetaccess.com | awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/); print substr($0,RSTART,RLENGTH); exit}')

    # WireGuard control socket and the utun device it belongs to
    SOCK=$(netstat -tunl inet | grep "wireguard" | awk '{print $9}')
    UTUN_ID=$(netstat -tunl inet | grep -E -o "utun[0-9]+")

    {
      /usr/bin/printf '%b' "$(date "+[%X]") - VPN HUD\n" \
        "STATE:\t$CONSTATE$REGION\n" \
        "PUB IP:\t$PUBIP\n" \
        "VPN IP:\t$VPNIP\n" \
        "PROXY IP:\t$PROXYIP\n" \
        "FWD PORT:\t$PFOR\n" \
        "---\n" \
        "SOCKET:\t$SOCK\n" \
        "$(netstat -i | grep -E -e "($UTUN_ID.*[0-9]{1,4}.*10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" -e "Name" -e "Mtu" -e "Network" -e "Address" | awk '{print($1,$2,$3,$4)}' | column -t | tr 'A-Z' 'a-z')"
    }

This is all on the desktop using GeekTool and refreshed every few seconds. It’s my connection HUD.
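A portable version of the "is anything bypassing the tunnel" check, as an added example that is not the poster's script: it reads lsof-style output on stdin and flags every socket of the torrent client whose local address is not the VPN IP, treating a wildcard bind (what the "All IPv4 Addresses" setting mentioned earlier produces) as a leak too. The lsof lines, PIDs and addresses below are constructed samples.

```sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN,ESTABLISHED` output (not a real capture):
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE='COMMAND     PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
qbittorrent 4242 501  25u IPv4 0xaaaa 0t0      TCP  10.4.0.2:51413 (LISTEN)
qbittorrent 4242 501  26u IPv4 0xbbbb 0t0      TCP  *:51413 (LISTEN)
qbittorrent 4242 501  30u IPv4 0xcccc 0t0      TCP  192.168.1.23:51413->203.0.113.7:6881 (ESTABLISHED)
qbittorrent 4242 501  31u IPv4 0xdddd 0t0      TCP  10.4.0.2:51413->198.51.100.9:6881 (ESTABLISHED)
Safari      900  501  12u IPv4 0xeeee 0t0      TCP  192.168.1.23:50012->93.184.216.34:443 (ESTABLISHED)'

# flag_leaks VPN_IP [COMMAND]: one line per socket of COMMAND (default qbittorrent),
# prefixed LEAK when its local end is not the tunnel address.
flag_leaks() {
    vpn_ip=$1
    client=${2:-qbittorrent}
    awk -v vpn="$vpn_ip" -v client="$client" '
        $1 != client { next }                 # skip the header and other programs
        {
            # NAME ($9) is "local:port", "local:port->peer:port" or "*:port"
            split($9, ends, "->")
            local = ends[1]
            sub(/:[0-9]+$/, "", local)        # drop the port, keep the address
            if (local == "*")                 # bound on every interface, WAN included
                print "LEAK wildcard   " $9
            else if (local != vpn)            # bound on LAN/WAN address, not the tunnel
                print "LEAK non-tunnel " $9
            else
                print "ok   tunnel     " $9
        }'
}

# count_leaks VPN_IP [COMMAND]: number of leaking sockets, handy for a HUD or cron alert
count_leaks() {
    flag_leaks "$@" | awk '/^LEAK/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample (real use: lsof -nP -iTCP ... | flag_leaks 10.4.0.2)
printf '%s\n' "$SAMPLE" | flag_leaks 10.4.0.2
```

Two of the four qbittorrent sockets in the sample are flagged: the wildcard listener and the ESTABLISHED connection that left via the LAN address.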