Raspberry PI Secure VPN Torrentbox
Setup
Install Arch Linux Arm
Install base-devel
I used the AUR manager aurutils (AUR) to download and set up any AUR packages.
If used, set up a repo for aurutils.
OpenVPN
IPv6 should be disabled since PIA doesn't support it. Add ipv6.disable=1 to /boot/cmdline.txt and reboot. To check that it's disabled, see whether you get an IPv6 address with ip addr; if it is disabled, no inet6 line will be present.
Install openvpn.
In order to configure OpenVPN for PIA, the required files need to be downloaded with curl and renamed. The curl options used are:
-L, --location: follow the redirect if the server reports that the requested page has moved to a different location.
-O, --remote-name: write output to a local file named like the remote file we get.
-J, --remote-header-name: tells the -O, --remote-name option to use the server-specified filename.
Replace all .ovpn extensions on the downloaded files with .conf and remove spaces in the names. To view the renames first, do a dry run; if you're happy, do the rename.
Move the files to /etc/openvpn/client, which is where OpenVPN expects them to be, and make sure they're owned by root.
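As an added example (not the guide's own command), the following POSIX shell script does that rename with a dry run first. It assumes the PIA files were downloaded into the directory given as its first argument; the function names are not from the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: rename PIA "*.ovpn" files to
# "*.conf" with spaces replaced by underscores, which is the naming the
# openvpn-client@ unit expects. Dry-run first, then apply.

# Compute the target name for one .ovpn file: strip ".ovpn", replace spaces, add ".conf".
conf_name() {
    base=$(basename "$1" .ovpn)
    echo "$(echo "$base" | tr ' ' '_').conf"
}

# rename_ovpn DIR [apply]
# Without the second argument it only prints "old -> new"; with "apply" it renames.
# Refuses to overwrite an existing .conf so two sources can't silently collide.
rename_ovpn() {
    dir=$1
    mode=${2:-dry-run}
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        new="$dir/$(conf_name "$f")"
        if [ -e "$new" ]; then
            echo "skip: $new already exists" >&2
            continue
        fi
        echo "$f -> $new"
        if [ "$mode" = apply ]; then
            mv -- "$f" "$new"
        fi
    done
}

# Usage: sh rename_ovpn.sh DIR        (preview)
#        sh rename_ovpn.sh DIR apply  (rename)
if [ -n "${1:-}" ]; then
    rename_ovpn "$1" "${2:-}"
fi
```

Run it once without `apply` to see every planned rename, then again with `apply`; files whose target name already exists are reported and left alone.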
Configuration
The above configs can be used as is, or a custom one can be used. They contain the following; for /etc/openvpn/client/Netherlands.conf:
Copy the config to a new file.
Edit the file and replace the server line remote nl.privateinternetaccess.com 1197 with the PIA servers you want to use. The servers are in the OpenVPN files; they can all be listed with a grep for privateinternetaccess.com.
To use a random server from a list, remote-random can be used. Replace the single server in /etc/openvpn/client/custompivpn.conf with the list of servers you would like to use, and add remote-random after the list.
To auto-login to the VPN with your PIA credentials, add your username and password to a file, with the username on line one and the password on line two, and add the file path to the config after auth-user-pass.
I created /etc/openvpn/pia_auth.
So as of now my config consists of the following:
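The author's own config file is not reproduced on this page. As an added example (not the author's file), the following shell functions carry out the steps above: listing the remote servers found in the downloaded configs, writing custompivpn.conf from a template with a server list plus remote-random and auth-user-pass, and creating the credentials file with owner-only permissions. The paths /etc/openvpn/client, Netherlands.conf, custompivpn.conf and /etc/openvpn/pia_auth come from the guide; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the guide's own config: build a custom PIA client config
# from the downloaded per-country .conf files. Assumed paths (from the guide):
# /etc/openvpn/client, Netherlands.conf as template, custompivpn.conf as output,
# /etc/openvpn/pia_auth as the credentials file.

# List every "remote host port" line found in the PIA configs in DIR, deduplicated.
list_pia_servers() {
    grep -h '^remote .*privateinternetaccess\.com' "$1"/*.conf | sort -u
}

# build_custom_conf TEMPLATE OUTPUT AUTHFILE "host port"...
# Copies TEMPLATE to OUTPUT, replaces its single "remote" line with the given
# servers followed by remote-random, and points auth-user-pass at AUTHFILE.
build_custom_conf() {
    template=$1; out=$2; auth=$3; shift 3
    {
        # keep every line except the remote/auth-user-pass lines we replace
        # ('^remote ' with a trailing space leaves remote-cert-tls etc. alone)
        grep -v -e '^remote ' -e '^auth-user-pass' "$template" || true
        for s in "$@"; do echo "remote $s"; done
        echo "remote-random"
        echo "auth-user-pass $auth"
    } > "$out"
}

# write_auth_file PATH USER PASS: username on line one, password on line two.
# The subshell keeps the restrictive umask from leaking into the caller.
write_auth_file() {
    ( umask 077; printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Usage (as root): list the servers, then build the config and credentials file.
#   list_pia_servers /etc/openvpn/client
#   build_custom_conf /etc/openvpn/client/Netherlands.conf \
#       /etc/openvpn/client/custompivpn.conf /etc/openvpn/pia_auth \
#       "nl.privateinternetaccess.com 1197" "sweden.privateinternetaccess.com 1197"
#   write_auth_file /etc/openvpn/pia_auth 'p1234567' 'your-password'
```

The credentials file holds a cleartext password, so it is created mode 600; as with the configs, it should be owned by root since the client unit runs as root.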
If you're connected over SSH to your Pi, the connection will drop when OpenVPN is started, because the default gateway changes. To make local connections continue to be routed over the interface SSH came in on, add a new routing table using the ip command.
For me this looked like the following, since the IP address of my Pi was 172.20.30.4 and my interface was eth0.
I added these as an ExecStartPre to systemd-networkd.
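The guide's own ip commands are not reproduced on this page. As an added example (not the author's commands), the script below prints the policy-routing commands for that setup and can write them as a systemd drop-in. The Pi address 172.20.30.4 and interface eth0 come from the guide; the LAN gateway 172.20.30.1, the subnet 172.20.30.0/24 and the table number 128 are assumptions, and the drop-in is attached to the openvpn-client unit rather than to systemd-networkd as the author did.

```shell
#!/bin/sh
# Added example, not the guide's own commands: keep SSH sessions that arrived
# on the LAN interface routed back out that interface after OpenVPN replaces
# the default route. Assumed values: Pi address 172.20.30.4 on eth0 (from the
# guide); LAN gateway 172.20.30.1, subnet 172.20.30.0/24 and table 128 (assumptions).
PI_ADDR=${PI_ADDR:-172.20.30.4}
LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-172.20.30.1}
LAN_NET=${LAN_NET:-172.20.30.0/24}
TABLE=${TABLE:-128}

# Print the ip(8) commands: a policy rule sends packets sourced from PI_ADDR to
# a dedicated table whose default route is the LAN gateway on LAN_IF, so replies
# to LAN-side SSH clients never get pulled into the tunnel.
ssh_route_cmds() {
    cat <<EOF
ip rule add from $PI_ADDR table $TABLE
ip route add $LAN_NET dev $LAN_IF table $TABLE
ip route add default via $LAN_GW dev $LAN_IF table $TABLE
EOF
}

# write_dropin SYSTEMD_DIR: install the commands as ExecStartPre= lines on the
# client unit so they run before every start. The leading "-" tells systemd to
# ignore a non-zero exit (for example "RTNETLINK answers: File exists" on restart).
write_dropin() {
    dir=$1/openvpn-client@custompivpn.service.d
    mkdir -p "$dir"
    {
        echo "[Service]"
        ssh_route_cmds | sed 's|^|ExecStartPre=-/usr/bin/|'
    } > "$dir/ssh-route.conf"
}

# Usage: sh ssh-route.sh         (print the commands)
#        sh ssh-route.sh apply   (run them now, as root)
#        sh ssh-route.sh dropin  (write /etc/systemd/system/...ssh-route.conf)
case "${1:-}" in
    apply)  ssh_route_cmds | sh -e ;;
    dropin) write_dropin /etc/systemd/system ;;
    *)      ssh_route_cmds ;;
esac
```

After writing the drop-in, run `systemctl daemon-reload`. Because `ip rule add` does not de-duplicate, repeated starts accumulate identical rules; they are harmless, but `ip rule del from 172.20.30.4 table 128` cleans them up.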
Now OpenVPN can be started. A systemd unit exists that lets any client configuration be started from the directory where we put our configuration, so long as it ends in .conf. If everything is set up correctly we should be able to start our VPN connection with systemctl start openvpn-client@custompivpn.
I was concerned about losing connection and not being able to get back into my Pi, so the first time I started the service in tmux with a five-minute kill timer, so that if I wasn't able to reconnect I knew that after 5 minutes the service would be stopped and I would be able to get back in.
Fortunately everything was set up correctly so my connection wasn't dropped.
To make sure that the VPN is working correctly, and that your IP is changing, check your IP address before and after the VPN is started with curl -s checkip.dyndns.org. After starting the VPN I got a Swedish IP address, meaning the VPN was working.
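As an added example (not the guide's own check), the following shell functions automate that before-and-after comparison: they extract the address from the checkip.dyndns.org response, start the client unit named in the guide, and fail if the public address did not change. The wait time and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: confirm the public IP changes
# once the VPN is up, using the checkip.dyndns.org response the guide checks
# by hand. Assumes curl and the guide's unit name openvpn-client@custompivpn.

# Pull the dotted quad out of the "Current IP Address: x.x.x.x" page body.
extract_ip() {
    sed -n 's/.*Current IP Address: \([0-9.]*\).*/\1/p'
}

# Fetch the current public address; empty on network failure.
public_ip() {
    curl -s --max-time 10 checkip.dyndns.org | extract_ip
}

# vpn_ip_changed BEFORE AFTER -> 0 if both were obtained and differ, 1 otherwise.
# An empty value means the lookup failed, which must not count as "changed".
vpn_ip_changed() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Record the address, start the tunnel, wait for it, and compare.
check_vpn() {
    before=$(public_ip)
    systemctl start openvpn-client@custompivpn
    sleep 10                      # assumption: enough time for the tunnel to come up
    after=$(public_ip)
    if vpn_ip_changed "$before" "$after"; then
        echo "VPN up: $before -> $after"
    else
        echo "public IP did not change ($before); check the tunnel" >&2
        return 1
    fi
}

# Usage (as root, with the VPN stopped): sh check-vpn.sh run
[ "${1:-}" = run ] && check_vpn
```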
Create User
I'll be using the media user and group for everything torrent related. Create it.
Network Shares
If mounting NFS shares, install the nfs-utils package.
NFS Configuration
Enable NFSv4 idmapping. Set it permanently in /etc/modprobe.d/nfsd.conf.
Optionally start nfs-client.target.
Mount Shares
Add mounts to /etc/fstab.
Generate fstab entries and copy-paste the NFS mounts into fstab.
DNS
Using systemd-resolved, DNS can be dynamically updated when OpenVPN starts using the update-systemd-resolved script. Install it from GitHub or install the openvpn-update-systemd-resolved (AUR) package.
You can then add the following into your OpenVPN configuration file:
It will then follow dhcp-option commands set by OpenVPN.
We can use PIA's DNS servers this way:
Now, after starting OpenVPN, you should see the following new lines in /etc/resolv.conf.
Start and enable OpenVPN.
My final config was the following.
iptables killswitch
Enable IP forwarding by adding the net.ipv4.ip_forward=1 sysctl, then reload the sysctls.
Create an iptables rules file in /etc/iptables/iptables.rules.
Start with a filter table in the iptables-restore syntax, and drop all traffic by default.
Start with the input rules. Only allow established connections and SSH from the LAN (use your LAN subnet). Open the ports deluge needs. For remote access:
Now the output rules. Allow the loopback interface and ping. Allow LAN traffic (use your LAN subnet). Allow the PIA DNS servers, and optionally your own DNS server. Allow the VPN port and the VPN interface.
Finally, commit the table.
My final rules look like the following:
Save the file.
Test starting the VPN and the firewall, and check that they started successfully. Try to ping google. Then stop OpenVPN and try again: your connection should be blocked.
Start and enable the iptables service.
You may also want to set up a regular firewall to block unwanted incoming traffic. The Arch Wiki has a good reference for a simple stateful firewall.
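The author's final rules file is not reproduced on this page. As an added example (not the author's rules), the script below generates an iptables-restore file implementing the killswitch described above: default DROP everywhere, SSH and the Deluge ports from the LAN on input, and on output only loopback, ping, the LAN, DNS, the OpenVPN handshake and traffic that goes through the tunnel. The ports 22, 58846, 56881-56889 and 1197 come from the guide; the subnet 172.20.30.0/24, the interfaces eth0 and tun0, and the PIA DNS placeholders are assumptions you must adjust.

```shell
#!/bin/sh
# Added example, not the guide's final rules: generate the iptables-restore
# file for the VPN killswitch. From the guide: SSH port 22, Deluge daemon port
# 58846, incoming torrent range 56881-56889, VPN port 1197 (UDP).
# Assumptions: LAN 172.20.30.0/24 on eth0, tunnel interface tun0, and
# placeholder PIA DNS addresses that must be replaced with the real ones.
LAN_NET=${LAN_NET:-172.20.30.0/24}
LAN_IF=${LAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_PORT=${VPN_PORT:-1197}
PIA_DNS=${PIA_DNS:-"PIA_DNS_1 PIA_DNS_2"}   # placeholders: fill in PIA's resolver IPs
OWN_DNS=${OWN_DNS:-}                        # optional: your own resolver IP

# Emit the complete filter table in iptables-restore syntax.
killswitch_rules() {
    cat <<EOF
*filter
# Default deny in every direction; everything below is an explicit exception.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# INPUT: loopback, replies to our own connections, SSH and the Deluge daemon
# from the LAN only, and the incoming torrent range on the tunnel only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 58846 -j ACCEPT
-A INPUT -i $VPN_IF -p tcp --dport 56881:56889 -j ACCEPT
-A INPUT -i $VPN_IF -p udp --dport 56881:56889 -j ACCEPT

# OUTPUT: loopback, ping, the LAN, DNS to the listed resolvers, the OpenVPN
# handshake on the LAN interface, and anything that leaves through the tunnel.
# With the tunnel down, only the LAN and the handshake itself can get out.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -j ACCEPT
EOF
    for dns in $PIA_DNS $OWN_DNS; do
        echo "-A OUTPUT -d $dns -p udp --dport 53 -j ACCEPT"
        echo "-A OUTPUT -d $dns -p tcp --dport 53 -j ACCEPT"
    done
    cat <<EOF
-A OUTPUT -o $LAN_IF -p udp --dport $VPN_PORT -j ACCEPT
-A OUTPUT -o $VPN_IF -j ACCEPT
COMMIT
EOF
}

# Syntax-check the generated file without loading it. iptables-restore --test
# needs root, so the check is skipped (and passes) when not running as root.
check_rules() {
    tmp=$(mktemp)
    killswitch_rules > "$tmp"
    status=0
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$tmp" || status=$?
    fi
    rm -f "$tmp"
    return $status
}

# Usage (as root): PIA_DNS="x.x.x.x y.y.y.y" sh killswitch.sh > /etc/iptables/iptables.rules
[ "${1:-}" = check ] && check_rules
```

Until the DNS placeholders are replaced with real addresses, `check_rules` fails as root, which is the intended reminder. The `-o tun0 -j ACCEPT` line is what makes this a killswitch: when OpenVPN is down there is no tun0, so torrent traffic has no permitted path out.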
Deluge
Now to set up the deluge service.
Install deluge.
Start and enable the system service, which runs as the deluge user.
To connect remotely, create a user in ~deluge/.config/deluge/auth with USER:PASSWORD:PERMISSIONS (10 is admin). For example:
Stop deluge and set "allow_remote": true in ~deluge/.config/deluge/core.conf. If core.conf doesn't exist, connect to the console.
Now you should be able to connect to deluge at <ip address>:<port>, likely port 58846, while the VPN is off.
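As an added example (not the guide's own commands), the following shell functions perform those two edits: appending a user to the auth file while keeping it owner-readable only, and switching allow_remote on in core.conf without replacing the file (so it stays owned by the deluge user). The paths are the guide's; the auth line format USER:PASSWORD:LEVEL and the default level 10 are from the guide, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: add a remote-access user to
# Deluge's auth file and enable allow_remote in core.conf. Paths from the
# guide: ~deluge/.config/deluge/auth and ~deluge/.config/deluge/core.conf.

# add_deluge_user AUTHFILE USER PASSWORD [LEVEL]; LEVEL defaults to 10 (admin).
# Refuses a duplicate user or a ':' in the fields (it is the separator), and
# keeps the file mode 600 because it holds a cleartext password.
add_deluge_user() {
    file=$1; user=$2; pass=$3; level=${4:-10}
    case "$user$pass" in
        *:*) echo "user and password must not contain ':'" >&2; return 1 ;;
    esac
    if [ -f "$file" ] && grep -q "^$user:" "$file"; then
        echo "user $user already exists in $file" >&2
        return 1
    fi
    ( umask 077; printf '%s:%s:%s\n' "$user" "$pass" "$level" >> "$file" )
    chmod 600 "$file"
}

# enable_remote CORECONF: set "allow_remote": true, rewriting the file in place
# through a temp copy so ownership and mode of the original are preserved.
enable_remote() {
    tmp=$(mktemp)
    sed 's/"allow_remote": false/"allow_remote": true/' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# remote_enabled CORECONF -> 0 if allow_remote is already true.
remote_enabled() {
    grep -q '"allow_remote": true' "$1"
}

# Usage (with deluged stopped), paths and values as in the guide:
#   add_deluge_user ~deluge/.config/deluge/auth alice 'a-strong-password' 10
#   enable_remote ~deluge/.config/deluge/core.conf
#   remote_enabled ~deluge/.config/deluge/core.conf && echo "remote access on"
```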
Settings:
  Network
    Incoming Ports: From 56881, To 56889
    Outgoing Ports: Use random ports: yes
    Network Extras: Peer Exchange: yes; DHT: yes
  Encryption
    Inbound: Forced
    Outbound: Forced
    Level: Full Stream
    Encrypt entire stream: yes
  Proxy
    Peer
      Type: Socksv5 W/ Auth
      Username:
      Password:
      Host: I use proxy-nl.privateinternetaccess.com
      Port: 1080
Add the deluge user to the media group:
Using the proxy, check that your IP is masked using an IP checker torrent. More info here (you may need to restart deluge).