A friend of mine recently got two emails from her ISP in rapid succession. Despite using BTGuard as they recommended, her first letter identified a single thingover the BitTorrent protocol. She tightened the encryption she used (set all to "Forced") and made sure everything in her client, Deluge, was set to use a proxy for everything.

Just a little under two days later, a second notice for the same thing appeared in her inbox. She was extremely confused about why.

tl;dr: What settings are best for torrenting safely?


My findings:

The EFF says:


If a client sees a uDP peer and realizes a proxy cannot connect to it (it's a TCP-only proxy), they may ignore proxy settings!
libTorrent and uTorrent (likely Deluge and BitTorrent too) can leak your IP address. Granted, they will pass your IP address to other peers anonymously, but you probably didn't want to send it!
"If the Bittorrent peer communications aren't encrypted, the Tor exit relay you pick can also watch the traffic and do the attack.


What BTGuard says:


Keep encryption disabled (https://btguard.com/support/index.php?/Knowledgebase/Article/View/32/3/should-i-enable-the-proxy-encryption-myentunnel)(!) If you don't, uDP connections won't load (uh-oh, this sounds bad).
DHT, uDP, Peer Exchange... all of the things are safe to keep enabled (https://wiki.btguard.com/index.php/Bittorrent).
The warning is even harsher here (https://wiki.btguard.com/index.php/MyEnTunnel):
We DO NOT recommend encryption on the proxy.
It only works with TCP, which means many torrents will not work because they require UDP. Your IP is still safely hidden without the encryption.

I would suggest swapping BTGuard's proxy for a good log-free OpenVPN with port forwarding, plus an updated IP blacklist for added security.

To minimize leaks, she can set a static LAN IP on her "real" connection with no default gateway or DNS servers, then manually add routes for the VPN server(s).

That's what I'd do, although it may not be for everyone as a VPN is for the entire OS (unless you force programs to bind to the physical adapter, etc.).

I would suggest swapping BTGuard's proxy for a good log-free OpenVPN with port forwarding, plus an updated IP blacklist for added security.
I suggested both. Right now she's running a VPN service on OpenVPN with BTGuard still enabled (but with its settings relaxed). Both BTGuard and the VPN have been paid up at least a few months in advance.

[QUOTE=anon;3756627]To minimize leaks, she can set a static LAN IP on her "real" connection with no default gateway or DNS servers, then manually add routes for the VPN server(s).
She's got a static IP address as far as her LAN goes... Windows makes sure of that. As to removing the default gateway and DNS servers, I'm a little lost there. Any links with an explanation, perhaps? It sounds like you've written about this before.

Right now she's running a VPN service on OpenVPN with BTGuard still enabled (but with its settings relaxed).

That's overkill :P But hey, safety first.


As to removing the default gateway and DNS servers, I'm a little lost there. Any links with an explanation, perhaps? It sounds like you've written about this before.

Assuming she's on Windows, the procedure is: open the connection's properties, then go to the TCP/IPv4 settings and wipe the content of the "Default gateway", "Preferred DNS server" and "Alternate DNS server" fields.

Now you have to manually add the route as we spoke before. Open a command prompt as administrator and run NSLOOKUP to find out the server's IP(s):


C:\Users\Username>nslookup vpn.example.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: vpn.example.com
Addresses: 234.55.66.77

Then run ROUTE PRINT and you may see something like this (followed by a long route table, scroll up if necessary):


C:\Users\Username>route print
===========================================================================
Interface List
10...00 17 63 ed b2 e9 ......Brand Name Ethernet Adapter
1...........................Software Loopback Interface 1
===========================================================================

Note the number immediately at the beginning of the last two lines. That's the interface ID.

Now you can finally add the route. This example assumes there's only one VPN server whose address is 234.55.66.77, while the LAN gateway of her router is 192.168.1.1 and the interface ID is 10 - change accordingly, add lines if there's more than one server.


C:\Users\Username>route add 234.55.66.77 MASK 255.255.255.255 192.168.1.1 IF 10
OK!

Then connect to the VPN as usual. (If it doesn't work, you may have to rewrite the .ovpn file to use the server's IP instead of its hostname, since local DNS can no longer be used to resolve the name.)

Anyway, to use BTGuard through a VPN as you tell me she is doing, you'd have to do this twice - first to create a route from the "real" connection to the VPN, then from the there to BTGuard. The first step we've already discussed; the second is slightly more difficult since you probably can't set a fixed IP in the virtual adapter. Assuming its interface ID is 11 and its name on Network Connections is VPN Service, she'll have to run the following commands as administrator once everything is online:


route delete 0.0.0.0 if 11
netsh interface ip set dnsservers name="VPN Service" static 0.0.0.0 primary

All of this may be a little mind-boggling at first, but once you've got all the server IPs and interface IDs, you can just write a script that does all the work automatically. NetRouteView (http://www.nirsoft.net/utils/network_route_view.html) provides a friendlier way of seeing and controlling routing tables, too.

tl;dr: What settings are best for torrenting safely?

Use a cheap seedbox and ftp stuffz instead?

Why no VPN ?

The best way to protect yourself is by investing a little money into your security. First thing is stop using public trackers. Use only priavte trackers. Then, get a seedbox and make sure the FTP transfers allow explicit FTP over TLS. That way your data is encrypted when transferring to your computer. Essentially that is all that's needed. Good luck.

Where's a good place to get an updated ip blocklist/blacklist?

Where's a good place to get an updated ip blocklist/blacklist?

https://www.iblocklist.com/list.php?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz

Only the .p2p format is free, but you can use Blocklist Manager to convert it to .dat.

There aren't many good sources these days as far as I have seen, and most require you to pay. If you want to do a search, make sure what you find is 1. updated, 2. not for eMule (those block seedboxes and other dedicated servers).

Same happened to me...I thought I'd be safe using torrent with Vyprvpn... and giganews wasted no time in throwing me under the bus...

VPN has worked well in the past

FWIW I've been using Private Internet Access without any ISP issues so far, but I'm a noob, so maybe I'm just getting lucky.

Either get a VPN or switch to Usenet.

To my knowledge a seedbox is a good way to protect yourself. Use a secure ftp program to get your items off your seedbox.

Seedbox with a good secure ftp program to transfer stuff off of it.

I primarily use that and a correctly configured filezilla and have never had any problems in going on 5 years now...

Alternatively for the stretch of time my seedbox was having issues I set up a virtual machine to use private internet access vpn and it did the job pretty well...

BTgarued Peerblock Freenet TOR & a VPN service.

A good seedbox that has an encrypted connection will work great. Never had an issue. Some will also give you a vpn through your seedbox to use as well for your home connection. Keep in mind some ISPs will still throttle FTP bandwidth, so if your downloads to your computer slow down you can usually request a SOCKS proxy to connect through via your seedbox provider.

BTgarued Peerblock Freenet TOR & a VPN service.

BTGuard is only moderately usable, and it is greatly frowned upon to use TOR for filesharing media.

Bottom line: pay for a VPN service if you want VPN-level security.

I live with another friend who has been sailing across the cyber sea in search of a good VPN for a long time & every single one he tries out including the free ones end up sucking i saw him one day try out a VPN called Tunnel Bear & he only had it for a short period of time cause he hated it also i know TOR when it comes to torrenting on it with anonymity & all that is not all that good & popular but hey not everything is going to work for everyone i guess.

Tin foil hat your computer

Stopped using BT a while ago. Sick of the Comcast letters. Usenet is still my way to go. (I might have to read up on this seedbox thing)