Raspberry Pi Secure VPN Torrentbox

Setup

I used the AUR helper aurutils (AUR) to download and build any AUR packages.

If you use it, set up a local repository for aurutils first.

OpenVPN

IPv6 should be disabled, since PIA doesn't support it and any IPv6 traffic would leave the Pi outside the tunnel. Add ipv6.disable=1 to the kernel command line in /boot/cmdline.txt and reboot. To confirm it is disabled, run ip addr: with IPv6 off there are no inet6 lines.

Install openvpn.

OpenVPN itself comes from the repositories; PIA's OpenVPN configuration files have to be downloaded separately with curl and then renamed. The curl options used are:

  • -L, --location

    • Follow redirects if the server reports that the requested page has moved to a different location.

  • -O, --remote-name

    • Write output to a local file named like the remote file we get.

  • -J, --remote-header-name

    • This option tells the -O, --remote-name option to use the server-specified filename.

Rename the downloaded files from .ovpn to .conf (the openvpn-client@ unit only picks up .conf files) and remove the spaces from their names, since the file name becomes the systemd instance name.

Preview the renames first with a dry run.

If the result looks right, apply the rename.

Move the files to /etc/openvpn/client, where the openvpn-client@ unit looks for them, and make sure they are owned by root and not writable by anyone else.
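The download, preview-then-rename and install steps above as one small POSIX shell script. This is an added example, not the page's own commands; the bundle URL is not hard-coded and must be supplied in PIA_BUNDLE_URL from PIA's support pages, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Stages PIA's OpenVPN configs for
# openvpn-client@.service. Assumption: PIA_BUNDLE_URL points at the .zip bundle
# linked from PIA's support pages (deliberately not hard-coded here).

# Download the bundle with the curl options discussed above (-L follow
# redirects, -O keep the remote name, -J honour the server-supplied name)
# and unpack it into the given directory.
pia_fetch() {
    mkdir -p "$1"
    (
        cd "$1" || exit 1
        curl -sSLOJ "${PIA_BUNDLE_URL:?set PIA_BUNDLE_URL to the PIA bundle link}"
        unzip -qo ./*.zip
    )
}

# Rename "UK London.ovpn" to "UK_London.conf": openvpn-client@<name> only
# picks up *.conf, and spaces make the instance name awkward. A second
# argument of "dry" prints the plan instead of renaming (the preview step).
pia_rename() {
    for f in "$1"/*.ovpn; do
        [ -e "$f" ] || continue
        new="$1/$(basename "$f" .ovpn | tr ' ' '_').conf"
        if [ "${2:-}" = dry ]; then
            printf '%s -> %s\n' "$f" "$new"
        else
            mv -- "$f" "$new"
        fi
    done
}

# Install the renamed files (plus the CA/CRL files shipped in the bundle) into
# /etc/openvpn/client, root-owned and readable only by root: a config can
# carry the path of a credentials file and should not be world-readable.
# Needs root.
pia_install() {
    dest="${2:-/etc/openvpn/client}"
    install -d -m 755 "$dest"
    for f in "$1"/*.conf "$1"/*.crt "$1"/*.pem; do
        [ -e "$f" ] || continue
        install -o root -g root -m 600 "$f" "$dest/"
    done
}

# Typical run, as root:
#   PIA_BUNDLE_URL=...; pia_fetch /tmp/pia && pia_rename /tmp/pia dry
#   pia_rename /tmp/pia && pia_install /tmp/pia
```

The dry run is the cheap check: if the printed plan shows two files collapsing onto the same .conf name, fix the names by hand before running the real rename.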

Configuration

The downloaded configs can be used as they are, or as the base for a custom one. For reference, /etc/openvpn/client/Netherlands.conf contains the following:

Copy the config to a new file.

Edit the copy and replace the server line remote nl.privateinternetaccess.com 1197 with the PIA server(s) you want to use. The available servers are in the downloaded files; list them all with a grep for privateinternetaccess.com.

To pick a random server from a list on each connection, use remote-random: replace the single remote line in /etc/openvpn/client/custompivpn.conf with one remote line per server you want to use, and add remote-random after the list.

To log in automatically with your PIA credentials, put them in a file with the username on line one and the password on line two, and give the file's path as the argument to auth-user-pass in the config. The file holds a cleartext password, so make it root-owned with mode 600.

I created /etc/openvpn/pia_auth.

At this point my config consists of the following:
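The server listing, credentials file and custom config derivation from this section, as an added shell example (not the page's own config). It assumes the template is one of the downloaded PIA .conf files, with a "remote <host> <port>" line and an auth-user-pass line, and the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's own config. Derives a custom PIA client config
# from one of the downloaded .conf files and creates the credentials file.
# Assumptions: the template's server line has the form "remote <host> <port>"
# and the port is carried over unchanged from that line.

# List every PIA hostname referenced by the downloaded configs, deduplicated,
# so you can pick the servers for the custom list (the page's grep, tidied).
pia_list_servers() {
    grep -h '^remote ' "$1"/*.conf | awk '{ print $2 }' | sort -u
}

# Write the credentials file with mode 600: username on line one, password
# on line two, which is what auth-user-pass <file> expects.
pia_write_auth() { # pia_write_auth <file> <username> <password>
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# Copy the template, swap the single remote line for the chosen servers plus
# remote-random, and point auth-user-pass at the credentials file. Every other
# option (certificates, cipher, protocol) is carried over unchanged.
pia_customize() { # pia_customize <template.conf> <out.conf> <auth-file> host...
    tmpl="$1"; out="$2"; auth="$3"; shift 3
    awk -v servers="$*" -v auth="$auth" '
        BEGIN { n = split(servers, s, " ") }
        /^remote / {
            if (!seen) {
                for (i = 1; i <= n; i++) print "remote " s[i] " " $3
                print "remote-random"
                seen = 1
            }
            next
        }
        /^auth-user-pass/ { print "auth-user-pass " auth; seenauth = 1; next }
        { print }
        END { if (!seenauth) print "auth-user-pass " auth }
    ' "$tmpl" > "$out"
}

# Example, as root (uses every server found in the downloaded configs):
#   pia_write_auth /etc/openvpn/pia_auth p1234567 'your-password'
#   pia_customize /etc/openvpn/client/Netherlands.conf \
#       /etc/openvpn/client/custompivpn.conf /etc/openvpn/pia_auth \
#       $(pia_list_servers /etc/openvpn/client)
#   systemctl start openvpn-client@custompivpn
```

Passing the password on the command line puts it in the shell history; read it with `read -r` or from a file if that matters on your Pi.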

If you're connected to the Pi over SSH, the session will drop when OpenVPN starts: the tunnel becomes the default route, so replies to your SSH client are sent into the tunnel instead of back out of the LAN interface. To keep local connections on the interface they arrived on, add a policy-routing rule and a dedicated routing table with the ip command: traffic sourced from the Pi's LAN address is looked up in that table, whose default route stays the LAN gateway.

For me this looked like the following, since the IP address of my Pi was 172.20.30.4 and my interface was eth0.

I added these as an ExecStartPre to systemd-networkd.

Now OpenVPN can be started. The openvpn-client@.service template unit starts any client configuration from the directory where we put ours, as long as its name ends in .conf. If everything is set up correctly, systemctl start openvpn-client@custompivpn brings up the VPN connection.

I was concerned about losing the connection and not being able to get back into my Pi, so the first time I started the service in tmux with a five-minute kill timer, so that if I wasn't able to reconnect I knew the service would be stopped after 5 minutes and I would be able to get back in.

Fortunately everything was set up correctly, so my connection wasn't dropped.
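The policy routing for the SSH session and the dead-man timer from the two passages above, as an added shell example rather than the author's exact commands. It assumes routing table 100 is unused, that 172.20.30.1 is the LAN gateway (the page only gives the Pi's address 172.20.30.4 on eth0), and the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's own commands. Keeps the SSH session alive when
# the tunnel takes over the default route: packets sourced from the Pi's LAN
# address are looked up in a side routing table whose default route is the
# LAN gateway. Assumptions: table 100 is unused and the gateway address given
# in the usage comment (172.20.30.1) is your router.

# Compute the network for an IPv4 address and prefix length, e.g.
# 172.20.30.4 24 -> 172.20.30.0/24, using only POSIX shell arithmetic.
ip4_network() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
    mask=$(( (0xffffffff << (32 - $2)) & 0xffffffff ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$2"
}

# Print the ip(8) commands: the connected LAN route and a default route in the
# side table, then a rule that sends traffic from the LAN address to it. The
# main table is untouched, so OpenVPN can still replace its default route.
lan_route_commands() { # <addr> <prefix> <gateway> <iface> [table]
    addr="$1"; prefix="$2"; gw="$3"; iface="$4"; tbl="${5:-100}"
    net=$(ip4_network "$addr" "$prefix")
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$tbl"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
    printf 'ip rule add from %s/32 table %s\n' "$addr" "$tbl"
}

# Apply them (needs root, and the interface must already be up). Run this
# before OpenVPN starts, e.g. from a oneshot unit ordered after the network.
lan_route_apply() {
    lan_route_commands "$@" | sh -e
}

# Dead-man start for the first test: if the SSH session is lost, the tunnel
# is torn down after the given number of seconds and the Pi is reachable again.
vpn_trial_start() { # <instance> [seconds]
    tmux new-session -d \
        "systemctl start openvpn-client@$1; sleep ${2:-300}; systemctl stop openvpn-client@$1"
}

# Example, as root:
#   lan_route_apply 172.20.30.4 24 172.20.30.1 eth0
#   vpn_trial_start custompivpn 300
```

Check the result with `ip rule show` and `ip route show table 100`; if the rule is missing after a reboot, the commands ran before the interface had its address, which is the usual reason an ExecStartPre placement fails.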

To make sure the VPN is working and your public IP changes, check it before and after starting the VPN with curl -s checkip.dyndns.org. After starting the VPN I got a Swedish IP address, meaning the VPN was working.

Create User

I'll be using the media user and group for everything torrent-related. Create them.

Network Shares

If mounting NFS shares, install the nfs-utils package.

NFS Configuration

Enable NFSv4 ID mapping.

Make it permanent in /etc/modprobe.d/nfsd.conf.

Optionally start nfs-client.target.

Mount Shares

Add mounts to /etc/fstab.

Generate the fstab entries and copy the NFS mounts into /etc/fstab.
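An added shell example for the mount step (not the page's own fstab): it writes an NFSv4 fstab line with the mount options a torrentbox should carry, and audits an existing fstab for NFS mounts that lack them. The server name nas and the export /srv/media are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's own fstab. Builds an NFSv4 fstab line for the
# media share and audits an existing fstab for NFS mounts that lack nosuid or
# nodev. Assumptions: server "nas" and export "/srv/media" are placeholders.

# nfs_fstab_entry <server> <export> <mountpoint>
# nosuid/nodev: setuid binaries and device nodes on a network share are never
# wanted on a torrentbox; noexec keeps downloaded files from being run in
# place; _netdev and x-systemd.automount mount on first access once the
# network is up instead of stalling boot when the server is away.
nfs_fstab_entry() {
    printf '%s:%s %s nfs4 nosuid,nodev,noexec,_netdev,x-systemd.automount,rw 0 0\n' "$1" "$2" "$3"
}

# nfs_fstab_audit <fstab>
# Prints each NFS mount missing nosuid or nodev; returns 1 if any were found.
nfs_fstab_audit() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }          # comments and blank lines
        $3 != "nfs" && $3 != "nfs4" { next }         # only NFS entries
        {
            missing = ""
            if ($4 !~ /(^|,)nosuid(,|$)/) missing = missing " nosuid"
            if ($4 !~ /(^|,)nodev(,|$)/)  missing = missing " nodev"
            if (missing != "") { print $2 ":" missing; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Example, as root:
#   nfs_fstab_entry nas /srv/media /mnt/media >> /etc/fstab
#   nfs_fstab_audit /etc/fstab && echo "all NFS mounts carry nosuid,nodev"
```

Run the audit after pasting generated entries: tools that emit fstab lines default to plain `defaults`, which is where the missing options come from.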

DNS

With systemd-resolved, DNS can be updated dynamically when OpenVPN starts by using the update-systemd-resolved script. Install it from GitHub, or install the openvpn-update-systemd-resolved (AUR) package.

You can then add the following into your OpenVPN configuration file:

The script then applies the dhcp-option DNS entries, whether pushed by the server or set in the configuration, and reverts them when the tunnel goes down.

We can use PIA's DNS servers this way:

Now, after starting OpenVPN, you should see the following new lines in /etc/resolv.conf.

Start and enable OpenVPN.

My final config was the following.
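For the DNS section, an added shell example (not the author's config): it emits the OpenVPN lines that hand DNS over to update-systemd-resolved, and checks a resolv.conf for resolvers outside the expected set, i.e. a DNS leak. It assumes the helper is installed at /usr/bin/update-systemd-resolved (the path the AUR package uses); the 203.0.113.x addresses in the usage comment are documentation placeholders, to be replaced with the DNS servers from PIA's documentation.

```shell
#!/bin/sh
# Added example, not the page's own config. Assumptions: update-systemd-resolved
# lives at /usr/bin/update-systemd-resolved, and the DNS addresses are passed in
# as arguments (203.0.113.x below are placeholders, not PIA's servers).

# Print the fragment to append to the client .conf: script-security 2 lets
# OpenVPN run an external script, up/down call the helper on tunnel start and
# stop, down-pre runs it before the interface disappears, and each dhcp-option
# DNS line is what the helper hands to systemd-resolved for the tun link.
openvpn_dns_fragment() { # openvpn_dns_fragment <dns-ip>...
    echo 'script-security 2'
    echo 'setenv PATH /usr/bin'
    echo 'up /usr/bin/update-systemd-resolved'
    echo 'down /usr/bin/update-systemd-resolved'
    echo 'down-pre'
    for ip in "$@"; do echo "dhcp-option DNS $ip"; done
}

# Leak check: every nameserver in the file must be one of the expected
# servers. Prints the offending addresses and returns 1 if any are found.
dns_leak_check() { # dns_leak_check <resolv.conf> <expected-ip>...
    file="$1"; shift
    expected=" $* "
    leaked=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$file"); do
        case "$expected" in
            *" $ns "*) ;;
            *) echo "unexpected resolver: $ns"; leaked=1 ;;
        esac
    done
    return $leaked
}

# Example:
#   openvpn_dns_fragment 203.0.113.53 203.0.113.54 >> /etc/openvpn/client/custompivpn.conf
#   dns_leak_check /etc/resolv.conf 203.0.113.53 203.0.113.54
```

If /etc/resolv.conf is systemd-resolved's stub file (a single nameserver 127.0.0.53), point the check at /run/systemd/resolve/resolv.conf instead, which lists the upstream servers the stub forwards to.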

iptables killswitch

Enable IP forwarding by adding the net.ipv4.ip_forward=1 sysctl.

Reload sysctls.

Create an iptables rules file in /etc/iptables/iptables.rules.

Start with the filter table, in iptables-restore syntax.

Drop all traffic by default (policy DROP on INPUT, FORWARD and OUTPUT).

Start with the input rules.

Only allow established connections, and SSH from the LAN (use your LAN subnet).

Open the ports Deluge needs.

For remote access:

Now the output rules.

Allow the loopback interface and ping.

Allow LAN traffic (use your LAN subnet).

Allow PIA's DNS servers.

Optionally allow your own DNS server.

Allow the VPN port (the port in the remote lines) and the tunnel interface.

Finally commit the table.

My final rules look like the following:

Save the file.
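The killswitch from this section as an added shell example that generates the iptables-restore file and sanity-checks it before loading; it is not the author's final rule set. Assumptions: the tunnel interface is tun0, OpenVPN talks UDP to port 1197 (the port in the PIA profile above), Deluge listens on 56881-56889 with its daemon on 58846, the LAN is the 172.20.30.0/24 used on the page, and the 203.0.113.x resolvers in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not the page's final rules. Generates /etc/iptables/iptables.rules
# in iptables-restore syntax. Assumptions: tun0, UDP 1197, Deluge on
# 56881-56889 (daemon 58846), LAN 172.20.30.0/24, placeholder DNS addresses.

# killswitch_rules <lan-cidr> <vpn-iface> <vpn-port> [dns-ip]...
# Default policy is DROP on every chain; only the listed traffic is allowed.
killswitch_rules() {
    lan="$1"; vpn_if="$2"; vpn_port="$3"; shift 3
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # input: loopback, replies to our own connections, SSH from the LAN only
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo "-A INPUT -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # peers reach Deluge only through the tunnel, never via the LAN interface
    echo "-A INPUT -i $vpn_if -p tcp --dport 56881:56889 -j ACCEPT"
    echo "-A INPUT -i $vpn_if -p udp --dport 56881:56889 -j ACCEPT"
    # remote access to the Deluge daemon from the LAN
    echo "-A INPUT -s $lan -p tcp --dport 58846 -j ACCEPT"
    # output: loopback, replies, the LAN, and ping only through the tunnel so
    # that a ping to the internet fails as soon as OpenVPN stops
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A OUTPUT -d $lan -j ACCEPT"
    echo "-A OUTPUT -o $vpn_if -p icmp --icmp-type echo-request -j ACCEPT"
    # DNS only to the listed resolvers (PIA's, optionally your own); the VPN
    # hostname has to resolve before the tunnel exists, so no -o restriction
    for dns in "$@"; do
        echo "-A OUTPUT -d $dns -p udp --dport 53 -j ACCEPT"
        echo "-A OUTPUT -d $dns -p tcp --dport 53 -j ACCEPT"
    done
    # the OpenVPN handshake itself, then everything inside the tunnel
    echo "-A OUTPUT -p udp --dport $vpn_port -j ACCEPT"
    echo "-A OUTPUT -o $vpn_if -j ACCEPT"
    echo 'COMMIT'
}

# killswitch_lint <rules-file>
# Check before loading: all three policies DROP, the table is committed, and
# no OUTPUT rule accepts unrestricted traffic on a physical interface.
killswitch_lint() {
    grep -q '^:INPUT DROP'   "$1" || { echo 'INPUT policy is not DROP'; return 1; }
    grep -q '^:OUTPUT DROP'  "$1" || { echo 'OUTPUT policy is not DROP'; return 1; }
    grep -q '^:FORWARD DROP' "$1" || { echo 'FORWARD policy is not DROP'; return 1; }
    grep -q '^COMMIT$'       "$1" || { echo 'missing COMMIT'; return 1; }
    if grep -E '^-A OUTPUT -o (eth|wlan|en)[^ ]* -j ACCEPT$' "$1"; then
        echo 'OUTPUT accepts everything on a physical interface'; return 1
    fi
    return 0
}

# Example, as root:
#   killswitch_rules 172.20.30.0/24 tun0 1197 203.0.113.53 203.0.113.54 \
#       > /etc/iptables/iptables.rules
#   killswitch_lint /etc/iptables/iptables.rules \
#       && iptables-restore < /etc/iptables/iptables.rules
```

The two hardening choices that differ from a minimal reading of the steps above are deliberate: the Deluge peer ports are opened only on the tunnel interface, so a peer can never reach the daemon over the LAN side, and outbound ping is allowed only via tun0, which is what makes the "stop OpenVPN and ping again" test below meaningful.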

Test starting the VPN and firewall.

Check they started successfully.

Try to ping Google.

Stop OpenVPN and try again.

Your connection should be blocked.

Start and enable the iptables service.

You may also want to set up a regular firewall to block unwanted incoming traffic; the Arch Wiki has a good reference for a simple stateful firewall.

Deluge

Now to set up the Deluge service.

Install deluge.

Start and enable the system service, which runs as the deluge user.

To connect remotely, add a user to ~deluge/.config/deluge/auth as USER:PASSWORD:PERMISSIONS (10 is admin). For example:

Stop Deluge and set "allow_remote": true in ~deluge/.config/deluge/core.conf. If core.conf doesn't exist yet, connect once with the console client so the daemon writes it.

Now you should be able to connect to the daemon at <ip address>:<port>, most likely port 58846, while the VPN is off.
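The auth-file and allow_remote steps above as an added shell example, not the page's own commands: it generates a password safe for the colon-separated auth format, appends the user line, keeps the file private, and flips allow_remote in core.conf. It assumes the daemon is stopped first and that the deluge user's home directory is looked up with getent rather than hard-coded; the function names are mine.

```shell
#!/bin/sh
# Added example, not the page's own steps. Creates a Deluge daemon user and
# turns on remote access in core.conf. Assumption: deluged is stopped before
# core.conf is edited (it rewrites the file on exit).

# 24 characters, letters and digits only: the auth file is colon-separated,
# so the password must not contain ':' or a newline.
deluge_gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
    echo
}

# deluge_add_user <auth-file> <user> <password> [level]
# Appends USER:PASSWORD:LEVEL (10 = admin) and keeps the file private,
# because it holds a cleartext password. Refuses duplicates and colons.
deluge_add_user() {
    case "$3" in *:*) echo 'password must not contain a colon' >&2; return 1 ;; esac
    if grep -q "^$2:" "$1" 2>/dev/null; then
        echo "user $2 already present" >&2; return 1
    fi
    printf '%s:%s:%s\n' "$2" "$3" "${4:-10}" >> "$1"
    chmod 600 "$1"
}

# deluge_set_allow_remote <core.conf> <true|false>
# core.conf is JSON-like; rewrite the boolean through a temp file (portable
# sed, no -i) and confirm the new value is present.
deluge_set_allow_remote() {
    case "$2" in true|false) ;; *) echo 'value must be true or false' >&2; return 1 ;; esac
    sed -e "s/\"allow_remote\": *true/\"allow_remote\": $2/" \
        -e "s/\"allow_remote\": *false/\"allow_remote\": $2/" "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
    grep -q "\"allow_remote\": $2" "$1"
}

# Example, as root, after systemctl stop deluged:
#   cfg=$(getent passwd deluge | cut -d: -f6)/.config/deluge
#   pw=$(deluge_gen_password); echo "$pw"
#   deluge_add_user "$cfg/auth" admin "$pw"
#   chown deluge: "$cfg/auth"
#   deluge_set_allow_remote "$cfg/core.conf" true
#   systemctl start deluged
```

The chown matters: the file is created by root here, and the daemon runs as deluge, so it must end up owned by that user with mode 600.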

Settings:

  • Network

    • Incoming Ports:

      • From: 56881

      • To: 56889

    • Outgoing Ports

      • Use random ports: yes

    • Network Extras

      • Peer Exchange: yes

      • DHT: yes

    • Encryption

      • Inbound: Forced

      • Outbound: Forced

      • Level: Full Stream

      • Encrypt entire stream: yes

  • Proxy

    • Peer

      • Type: Socksv5 W/ Auth

      • Username:

      • Password:

      • Host: I use proxy-nl.privateinternetaccess.com

      • Port: 1080

Add the deluge user to the media group:

With the proxy configured, check that your IP is masked with an IP-checker torrent (you may need to restart Deluge first). More info here.
