Torrenting Virtual Machine with Debian and OpenVPN

I take no responsibility for how this information is used.

Requirements

  • Debian 8.0+ Virtual Machine
  • OpenVPN server

Static IP Address

  1. Set a static IP address so it doesn’t change DNS servers to your ISPs or uses your local router’s DNS server.

    /etc/network/interfaces

    1
    2
    3
    4
    5
    6
    7
    auto eth0
    iface eth0 inet static
    address ADDRESS
    netmask NET_MASK
    broadcast BROADCAST
    gateway GATEWAY_IP
    dns-nameservers 8.8.8.8 8.8.4.4
  2. Edit /etc/resolv.conf

    1
    2
    nameserver 8.8.8.8
    nameserver 8.8.4.4
  3. Reboot.

Transmission

Transmission is a fantastic BitTorrent client for Linux that also has a web interface.

  1. Install transmission.
    apt-get install transmission-daemon

  2. Stop the service.
    systemctl stop transmission-daemon.service

  3. Edit the config /etc/transmission-daemon/settings.json
    These two must be changed so that you may login to the web interface:

    1
    2
    "rpc-authentication-required": false
    "rpc-bind-address": "LOCAL LAN IP"

    Three more that you might want to change:

    1
    2
    3
    "blocklist-enabled": true,
    "blocklist-url": "http://john.bitsurge.net/public/biglist.p2p.gz",
    "encryption": 2
  4. Start.
    systemctl start transmission-daemon.service

OpenVPN

  1. Install OpenVPN.
    apt-get install openvpn

  2. Copy your OpenVPN client configs to /etc/openvpn. The file extension must be .conf for the config file.

  3. Start OpenVPN.
    systemctl enable [email protected]_NAME.service
    systemctl start [email protected]_NAME.service

  4. Verify that you are now utilizing the VPN.
    ip a
    curl icanhazip.com

IPTables

This final part will be to configure iptables to only allow inbound/outbound connections to the VPN tunnel interface based on the transmission user group. This will prevent transmission from communicating before the VPN starts.

Some VPN providers allow you to use an API to open up a port for your current tunnel IP. This is very handy if you wish to also seed torrents more effectively. PrivateInternetAccess allows this in certain regions. For PIA, the port will always be different so you will need to implement it into your firewall script.

Be sure to edit the INBOUND_PORT text, otherwise remove it if you are not planning to open a port.

1
2
3
4
5
6
7
8
9
10
# Transmission web UI
iptables -A INPUT -p tcp --dport 9091 -m state --state NEW -i eth0 -j ACCEPT
# Allow inbound connections through the tunnel interface (change the port)
iptables -A INPUT -p tcp --dport INBOUND_PORT -m state --state NEW -i tun0 -j ACCEPT
iptables -A INPUT -p udp --dport INBOUND_PORT -m state --state NEW -i tun0 -j ACCEPT
# Prevent transmission from communicating on anything but the VPN tunnel interface
iptables -A OUTPUT -p tcp -m owner --gid-owner debian-transmission --sport 9091 ! -o tun0 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner debian-transmission ! -o tun0 -j REJECT

DNS Leak Test

If you installed a GUI on your VM you can check to make sure you are not leaking any DNS requests. Assuming you’ve changed your DNS servers and do not see your own IP you should not need to worry about leaking DNS queries.