
After many searches I have been able to restrict deluge network traffic to only the VPN interface tun0 using the following command:

sudo iptables -A OUTPUT -m owner --uid-owner deluge \! -o tun0 -j REJECT

But now I am unable to access the WebUI via eth0 on port 8112 (i.e. 192.168.0.23:8112).

Can I use another iptables rule to provide access to the WebUI on the local network?

3 Answers


Using containers (LXC/LXD/Docker):

If you start a WireGuard interface on the host, then add that interface to a container running deluge as its only interface, access is restricted solely to the WireGuard interface.

You can add a proxy device that binds to the webui port on localhost inside the container and listens to any address on the host.

No iptables needed.


This will force deluge to only use the VPN tunnel, with the exception of your local subnet.

iptables -A OUTPUT -m owner --uid-owner deluge ! -d 192.168.1.0/24 ! -o tun0 -j REJECT

The logic is that it blocks all OUTPUT that isn't going through the VPN tunnel, with the exception of the local subnet.

Make sure you verify which user your deluge runs as, and adjust the subnet to match yours. Also verify with ifconfig your tunnel name (in my example, tun0).
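The owner-match approach from the answer above, as an added example that is not from any answer on this page: the WebUI broke in the question because the replies sent by the deluge-web process (assumed here to run as the deluge user) to a LAN client leave via eth0 and are rejected, so the LAN subnet and loopback are explicitly accepted before the catch-all REJECT. The user, tunnel and subnet are parameters; the defaults (deluge, tun0, 192.168.1.0/24) are assumptions, and the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not the original poster's or deluge's own code.

# Validate the parameters before touching the firewall.
check_params() {
    user="$1"; iface="$2"; subnet="$3"
    id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
    case "$subnet" in
        */*) ;;
        *) echo "subnet must be CIDR, e.g. 192.168.1.0/24" >&2; return 1 ;;
    esac
}

# Print the rule set (one rule per line, without the iptables prefix).
deluge_rules() {
    user="$1"; iface="$2"; subnet="$3"
    # Keep loopback open: deluge-web talks to deluged on localhost.
    echo "OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT"
    # Keep the LAN reachable so WebUI replies to local clients get out.
    echo "OUTPUT -m owner --uid-owner $user -d $subnet -j ACCEPT"
    # Everything else from the deluge user must leave via the tunnel.
    echo "OUTPUT -m owner --uid-owner $user ! -o $iface -j REJECT"
}

# Append each rule only if an identical one is not already present (-C checks).
apply_rules() {
    deluge_rules "$@" | while read -r rule; do
        # shellcheck disable=SC2086
        iptables -C $rule 2>/dev/null || iptables -A $rule
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    check_params "$@" && apply_rules "$@"
else
    deluge_rules "${1:-deluge}" "${2:-tun0}" "${3:-192.168.1.0/24}"
fi
```

Rule order matters: the ACCEPT rules must sit before the REJECT, which is why they are emitted first.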


Another way is to only allow the VPN connection and the web interface to go over eth0, and block everything else:

# Inbound: loopback, the VPN server's UDP traffic, and WebUI connections (TCP 8112) from the LAN client.
-A INPUT -i lo -j ACCEPT
-A INPUT -s my.vpn.net -i eth0 -p udp -m udp --sport 1194 -j ACCEPT
-A INPUT -s my.local.ip -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A INPUT ! -i tun0 -j DROP
# Outbound: loopback, traffic to the VPN server, and WebUI replies to the LAN client (OUTPUT matches -o, not -i).
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d my.vpn.net -o eth0 -p udp -m udp --dport 1194 -j ACCEPT
-A OUTPUT -d my.local.ip -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A OUTPUT ! -o tun0 -j DROP