Select Page
VPN Gateway With Dead Man Switch

VPN Gateway With Dead Man Switch

VPN Gateway Server with Dead Man Switch

Overview

Keep machines on your network safe with all internet traffic leaving using end to end encryption via AirVPN. A dead man switch ensures internet traffic can never be broadcast over your clear internet.

  • A VPN gateway that any client on your network can use.
  • Stop prying eyes seeing your internet activity.
  • Protect yourself on public networks.
  • Protect your net neutrality.

This guide is aimed at Raspberry Pis, but will work for any Debian based OS. E.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power client.

Technical Jargon

VPN

VPN stands for virtual private network. VPN secures your computer’s internet connection by ensuring all of the data being sent and recieved is encrypted and secure from prying eyes.

Click here for a full detailed description of VPN.

DNS

Domain Name System (DNS) translates easily rememberable names such as google.com into addresses that a machine understands.

Click here for a full detailed description of DNS.

DNS Server

A DNS server is like a telephone directory, you ask for the address of a computer and it will tell you what the address is.

Click here for a full detailed description of DNS server.

DNS Leak

DNS leaking is when your requests are being sent to DNS servers that are not your designated ones (usually your VPN server). This means that while no one can read your encrypted traffic, they can see which addresses you are requesting. To ensure you stay as safe online as possible making sure your DNS does not leak is critical.

Click here for a full detailed description of DNS leak.

VPN Gateway

A computer that routes internet traffic from other computers via its VPN connection.

IPTables

IPTables is a utility program that allows admins to define rules on how to treat packets of data.

Click here for a full detailed description of IPTables.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server

This guide assumes you have a VPN client installed and configured on your device.

This guide assumes you have set a static IP for your device.

This guide assumes your network connection is called eth0.

Install Software

We only need to install two extra pieces of software (iptables-persistent & dnsmasq) to get the VPN Gateway working.

Type the following into the command line:

sudo apt install iptables-persistent dnsmasq -y

Select “<yes>” for both IPv4 and IPv6 rules and allow it to complete the installation.

Enable Forwarding

The Raspberry Pi is going to be setup to forward incoming requests from other clients to its VPN connection. By default this is not enabled or setup so we’re going to configure it now.

First ssh into your Raspberry Pi with a sudo enabled user.

Now we need to enable forwarding in the sysctl.conf file by removing the # at the start of line 28 “#net.ipv4.ip_forward=1”:

sudo nano /etc/sysctl.conf

Delete “#” infront of “net.ipv4.ip_forward=1” then press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Enable the forwarding service:

sudo sysctl -p

Update IPTables

Inorder to forward the incoming traffic correctly we need to make some changes to the IPTables on our Raspberry Pi. These updates will create a dead man switch so traffic from any client using our VPN Gateway can only exit it via its VPN connection. This means, if the VPN connection is lost, the clients will lose their internet.

Make sure to update the network interface name to match the one being used on the device. My network interface is called “eth0” for this example. If you were using a Raspberry Pi Zero W and using the WiFi connection, the interface name is wlan0. Use the command “ip -c a” to show all network interface information and confirm the name, as described in the guide set a static IP.

Paste the following into the command line to update the IPTables:

sudo iptables --flush
sudo iptables --delete-chain
sudo iptables -t nat -F
sudo iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -A OUTPUT -o lo -m comment --comment "loopback" -j ACCEPT
sudo iptables -I INPUT -i eth0 -m comment --comment "In from LAN" -j ACCEPT
sudo iptables -I OUTPUT -o tun+ -m comment --comment "Out to VPN" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 443 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -p UDP --dport 67:68 -m comment --comment "dhcp" -j ACCEPT
sudo iptables -A OUTPUT -o eth0 -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun+ -m comment --comment "LAN out to VPN" -j ACCEPT
sudo iptables -P FORWARD DROP

The change we’ve made is only temporary. To make it permanent type:

sudo netfilter-persistent save

To ensure these rules are applied every time the device turns on type:

sudo systemctl enable netfilter-persistent

Now that we’ve enabled forwarding, we need to make an edit to the route-up.sh and down.sh files in /etc/openvpn to ensure client traffic is routed correctly.

Navigate to the OpenVPN directory:

cd /etc/openvpn

Open route-up.sh:

sudo nano route-up.sh

At the bottom of the file add:

/etc/openvpn/update-resolv-conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now update down.sh:

sudo nano down.sh

At the bottom of the file add:

/etc/openvpn/update-resolv-conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Finally reboot your Raspberry Pi to ensure the changes have been loaded

Client Configuration

Now the VPN Gateway is setup we need to configure a client to use it and do some final checks that everything is working as expected!

It’s as easy as changing two options to point at your VPN Gateway:

  • Default gateway
  • DNS server

Depending what operating system your client is using there are a number of different ways of achieving this. I’ll try to briefly outline the most common ones. I would recommend setting a static IP address for the clients and the below examples will assume that.

Raspberry Pi

The easiest option is to follow the static IP guide and use the VPN Gateway IP address for the static routes and static domain_name_servers.

Linux – Debian Based

If you are running a Debian based Linux distro, open the command line (or ssh into the client) and we’re going to update the static IP options to make sure it’s using our VPN Gateway.

sudo nano /etc/network/interfaces

Find the line “iface eth0 inet static” and just below that look for:

  • gateway
  • dns-nameservers

Now update both of them to be the VPN Gateway IP address.

Once updated save and exit and to be sure the change has stuck reboot the client.

Windows 10

Go to the search tool on the task bar and type “Network Settings” to open the network settings panel.

Once open find and click “Change Adaptor Options” to show all of your network adaptors. Locate the one you use to connect to the internet, right click it and select properties.

In the properties window double click “Internet Protocol Version 4 (TCP/IPv4)” to set a static IP address.

Fill in the boxes with the appropriate configuration, My VPN Gateway has an IP address of 10.8.60.185.

Click OK to close the panels and Windows will take care of updating your settings.

Final Checks

Now we have updated our client to use the VPN Gateway for all of its internet traffic we need up run some checks and make sure everything is working as expected.

There are 3 checks we’ll be carrying out:

  • Can it see the outside world?
  • Does it have the correct external IP?
  • Is the DNS leaking?

We’ll run through two methods of checking these for if you have a command line only client, or one with a full desktop.

Command line

If like me your client is a headless server and you only have a command line we’ll go about making these checks as follows, in the command line type:

ping google.com -c 4

You should see returns from google.

To check if you have the correct external IP type:

wget -qO- ifconfig.me/ip

The IP address shown should be the same as the VPN Gateway shows when you run the same command there.

Finally to check if the DNS is leaking we’ll use the same script we did when setting up the VPN Gateway.

There is a commandline tool that will check if our DNS is leaking. For more information on the script we’re going to use see the authors GitHub page.

First make sure all dependencies are installed:

sudo apt install curl jq -y

We’re going to download it to the opt folder:

cd /opt

Download using:

sudo wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh

Let’s make it executable:

sudo chmod +x dnsleaktest.sh

To run the script from /opt use:

./dnsleaktest.sh

Or outside this folder use:

/opt/dnsleaktest.sh

If everything is successful you should see something like the image below:

From a Web Browser

If you have a web browser on your client the checks are very quick and easy.

To see if you have access to the outside world let’s open up the browser and try navigating to your favourite site. e.g. https://philldavis.co.uk

If you can see the site, great news! You’re connected to the internet.

Now lets have a look at our IP address, go to https://whatismyipaddress.com/ and you’ll be shown your current external IP address. This should be the same one you see on your VPN Gateway.

To see if our DNS is leaking lets going to https://dnsleaktest.com and click “Standard Test”. Let it run and it should return the same DNS servers that your VPN Gateway returned when running the command line tool.

Check the Dead Man Switch

The final and possibly most immportant check is the dead man switch. Will the internet connection be terminated when the VPN connection drops?

This is easy to test, SSH into your VPN Gateway and stop the VPN client by typing:

sudo systemctl stop openvpn

Now back on your client machine try to access the internet. You shouldn’t be able to get any internet connection at all. If this is the case, hop back into the VPN Gateway and start the VPN client by typing:

sudo systemctl start openvpn

Finished

Congratulations! Assuming all of the checks passed with flying colours you have successfully created a VPN Gateway and are providing secure connection to the world to any clients that use it.

So what do we actually have in this setup?

  • A VPN Client that is not leaking its IP address or DNS.
  • A VPN Client that still has access to the internet when the VPN connection drops so regular maintenance and updates are simple.
  • A VPN Gateway with a dead man switch so no client traffic can accidentally go out via the regular internet connection.

Setup a Secure Torrent Client

Setup a Secure Torrent Client

Setup a Secure Torrent Client with AirVPN

Overview

 Keep yourself safe with all traffic leaving your Raspberry Pi using end to end encryption via AirVPN.

  • Download and upload peer 2 peer files with anonymity.
  • Increase your privacy from your ISP
  • Protect your net neutrality

This guide is aimed at Raspberry Pis, but will work for any Debian based OS. E.g. Ubuntu 18.04 server, so just use what suits you. I’ve chosen a Raspberry Pi as it makes for a great low power, always on torrent client.

There is nothing too complicated, but it is a long guide. Setup time could be a couple of hours.

Disclaimer

This tutorial is provided with the intention of protecting your identity and for use with strictly legal torrent files.

I do not in any way, shape or form condone or support the downloading of illegal or copyrighted material.

Technical Jargon

VPN

VPN stands for virtual private network. VPN secures your computer’s internet connection by ensuring all of the data being sent and recieved is encrypted and secure from prying eyes.

Click here for a full detailed description of VPN.

Port Forwarding

Port forwarding allows remote computers to connect to a specific computer within a LAN. When a router sees an incoming connection on a set port it will forward all that traffic to the computer named in the port forwarding rules.

Click here for a full detailed description of Port Forwarding.

Samba

Samba is a network protocol to allow Windows clients to share files, printers and access other Windows services such as Active Directory.

Click here for a full detailed description of Samba.

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

What you’ll need

  • A Raspberry Pi  4 Model B (for better ethernet).
  • A powered USB hard drive.
  • An active account with AirVPN.

Note Other VPN services will work, but this guide will concentrate on AirVPN. If you chose another provider ensure they are reputable, do not keep logs and are pro net neutrality. Often you get what you pay for.

How to Setup a Secure Torrent Client

We’re going to split this tutorial into 5 parts:

  • Install and configure the OpenVPN client.
  • Install qBittorrent.
  • Configure qBittorrent.
  • Configure port forwarding.
  • Creating a network share to access the downloaded content.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

This guide assumes you have set a static IP address.

This guide assumes you have mounted an external USB hard drive

This guide assumes your Raspberry Pi is able to use any DNS server it choses. If it can’t, you’ll need to make an exception in your firewall.

Install the VPN Client

Before we start we’re going to ensure the Raspberry Pi is up to date. Run the following commands to grab and install the latest packages:

sudo apt-get update
sudo apt-get upgrade -y

Now we’re ready to install our VPN client, which for this guide will be OpenVPN. Install using:

sudo apt-get install openvpn -y

Once OpenVPN has been installed you’ll notice a new folder at /etc/openvpn.

This is where we’re going to do the next few bits so lets cd into it:

cd /etc/openvpn

Before we start thinking about connecting to AirVPN we’re going to create 2 files.

  • route-up.sh – To divert all traffic to AirVPN once a connection is established.
  • down.sh – Remove the divert rule and restore normal routing.

Create the file called route-up.sh that will divert all traffic to AirVPN:

sudo nano route-up.sh

Now add the instruction to route all traffic over the VPN connection:

#!/bin/sh
/etc/openvpn/update-systemd-resolved
# replace /etc/resolv.conf with special version for AirVPN
rm /etc/resolv.conf
cp /etc/resolv.conf.airvpn /etc/resolv.conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Create the file called down.sh that will reverse the actions of route-up.sh:

sudo nano down.sh

Now add the instruction to stop routing traffic over the VPN connection:

#!/bin/sh
/etc/openvpn/update-systemd-resolved
# restore default resolv.conf
rm /etc/resolv.conf
cp /etc/resolv.conf.original /etc/resolv.conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now let’s give them the correct permissions, we want only the owner (root) to be able to read, write and execute the files:

sudo chmod 700 route-up.sh
sudo chmod 700 down.sh

If it’s all gone to plan, our folder should look like this. To check file permissions use:

ls -al

You’ll have noticed that we referenced some files that don’t currently exist:

  • update-systemd-resolved
  • /etc/resolve.conf.original
  • /etc/resolve.confairvpn

These files are used to ensure we don’t get any DNS leakage and this will help keep our connection more secure and private.

Let’s grab a copy of update-systemd-resolved from github:

sudo wget https://raw.githubusercontent.com/jonathanio/update-systemd-resolved/master/update-systemd-resolved -P /etc/openvpn/

Once it’s downloaded we need to give it the correct permissions:

sudo chmod +x /etc/openvpn/update-systemd-resolved

Double check the file permissions and folder contents, it should look like:

ls -al

Finally let’s make sure OpenVPN uses the AirVPN DNS servers for all of its requests so nothing is leaked. This change will mean the Raspberry Pi will use AirVPNs DNS servers while the VPN connection is established and the default DNS servers when the VPN connection drops.

Let’s copy resolve.conf so we have an original to default back to when there is no VPN connection:

sudo cp /etc/resolv.conf /etc/resolv.conf.original

And now let;s create a new resolv.conf file that includes AirVPNs DNS servers. I’ve chosen two of their servers that work well for me, but feel free to check out their website if you want to use different servers:

sudo nano /etc/resolv.conf.airvpn

Inside this file paste the following:

# --- BEGIN PVE ---
search local.lan
nameserver 10.4.0.1
nameserver 10.5.0.1
# --- END PVE --

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

There is a risk here that if the VPN connection drops your traffic will be sent over your clear internet and will be fully visible to your internet provider. To remove this risk, follow the tutorial on setting up a VPN gateway server with dead man switch to ensure traffic is only sent over VPN.

We’re all sorted now and can go on to create the AirVPN config!

Create an AirVPN Config File

To be able to connect to AirVPN we need to generate a config from the Client Area. For a direct link to the generator click here.

  • Login to AirVPN.
  • Click Client Area from the tabs across the top.
  • Click Config Generator from the menu on the left hand side.
  • Select your operating system (RPi).
  • Select UDP protocol.
  • Choose a server – I’m using Europe.
  • Scroll to the bottom.
  • Diligently read the Terms of Service.
  • Accept both terms of services boxes.
  • Select Generate.
  • Download the .ovpn file.

If you open up the .ovpn file in a text editor (I recommend something like Visual Studio Code) you’ll see a comment about the file, some VPN parameters, two certificates, a private key and a static key. The top should look something like:

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Sunday 24th of February 2019 09:50:09 PM
# OpenVPN Client Configuration
# AirVPN_Europe_UDP-443
# --------------------------------------------------------

client
dev tun
remote europe.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
route-delay 5
verb 3
explicit-exit-notify 5
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
key-direction 1

We have chosen the UDP protocol on port 443, if you have issues connecting or have frequent dropouts your Internet Service Provider may be monitoring your connection a little more closely than mine. Some will throttle or not allow VPN traffic and if this is the case you will want to try using TCP instead of UDP. If you’ve had to do this change the line “proto udp” to “proto tcp” in the .ovpn file.

We need to add 7 more lines to the .ovpn file to make sure route-up.sh and down.sh are used when we establish or close the VPN connection. While the .ovpn file is open in your text editor add the following lines below “key-direction 1”:

dhcp-option DOMAIN-ROUTE .
script-security 2
setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
up /etc/openvpn/route-up.sh
up-restart
down /etc/openvpn/down.sh
down-pre

script-security 2 allows the execution of the two scripts and down-pre means that this line is executed before the connection is lost. I.e. no traffic is sent from the device before this line is executed in the event of the connection failing.

Configure AirVPN on the Raspberry Pi

We now have everything we need to connect our Raspberry Pi to AirVPN.

If you’ve left the directory, cd back into /etc/openvpn and create a new file called AirVPN.conf:

cd /etc/openvpn
sudo nano AirVPN.conf

Now paste the content of the .ovpn file you edited in the section above into AirVPN.conf before saving and exiting. Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Now ensure it has the right file permissions with:

sudo chmod 644 AirVPN.conf

If it’s all gone to plan, our folder should look like this:

Before we connect to the VPN lets make sure we know what our clear public IP address is.

wget -qO- ifconfig.me/ip

Make a note of the number returned to be confident your VPN connection works.

Auto Connect to AirVPN on Boot

There is no point having a headless secure torrent client that requires human input each time it reboots to make sure it connects to VPN server. This would make unexpected power outages a security nightmare. Let’s make sure OpenVPN connects using your AirVPN config every time the Raspberry Pi boots up.

Open the file responsible for default actions on OpenVPN:

sudo nano /etc/default/openvpn

Now scroll to the bottom and add:

AUTOSTART="AirVPN"

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

This new line tells OpenVPN to use our AirVPN.conf config file each time it starts. Now go ahead and reboot the Raspberry Pi.

Once the Raspberry Pi has rebooted, check that is is now connected to the VPN:

wget -qO- ifconfig.me/ip

Compare the IP address shown now to the one taken before and if all things have gone to plan they should be different!

Check if DNS is Leaking

There is a commandline tool that will check if our DNS is leaking. For more information on the script we’re going to use see the authors GitHub page.

First make sure all dependencies are installed: 

sudo apt install curl jq -y

We’re going to download it to the opt folder:

cd /opt

Download using:

sudo wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh

Let’s make it executable:

sudo chmod +x dnsleaktest.sh

To run the script from /opt use:

./dnsleaktest.sh

Or outside this folder use:

/opt/dnsleaktest.sh

If everything is successful you should see something like the image below:

Install qBittorrent

qBittorrrent is available from the standard Raspbian packages so installation is a simple case of:

sudo apt-get install qbittorrent-nox -y

Now you may be wondering why we’ve used qbittorrent-nox for the install. The Nox edition is the headless version of qbittorrent so it’s perfect for our needs.

Once the install is complete it’s time to set everything up before we can access the web interface. We’re going to:

  • Create a new use to run qBittorrent.
  • Create a service.
  • Initialise the configuration of qBittorrent.
  • Disable the user from logging in via SSH.
  • Start the service.

User

It is recommended to run qBittorrent as its own user for security purposes. We’re going to create a new user with a password and leave all other options blank by just pressing return to continue:

sudo adduser qbtuser

When prompted with “Is the information correct? [Y/n]” type “y” and hit return to create the user.

Create a Service

 We’re going to create a file under /etc/systemd/system that will tell the Raspberry Pi how to handle qBittorrent and ensure it runs as a service:

sudo nano  /etc/systemd/system/qbittorrent.service

Now that we’ve created the file, paste the following into it:

[Unit]
Description=qBittorrent Daemon Service
After=network.target

[Service]
User=qbtuser
ExecStart=/usr/bin/qbittorrent-nox
ExecStop=/usr/bin/killall -w qbittorrent-nox

[Install]
WantedBy=multi-user.target

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Initialise the Configuration

Before continuing we need to accept the disclaimer from when qBittorrent first runs, and to do this we need to run it manually. As it’s set to be run by qbtuser lets impersonate them:

sudo su qbtuser

Now lets start qBittorrent:

qbittorrent-nox

And accept the legal notice by pressing “y”.

Once done you’ll see an information readout with the default username, password and listening port:

  • User: admin
  • Password: adminadmin
  • Listening Port: 8080

To get back to the command line press Ctrl+C until you see “qbtuser@”.

Stop impersonating qbtuser by typing:

exit

Improve Security

To improve security we’re going to disable qbtuser from logging in via SSH:

sudo usermod -s /usr/sbin/nologin qbtuser

Start the qBittorrent-nox Service

If everything has gone to plan we can start the service.

Start the service for the first time with:

sudo systemctl start qbittorrent

Check it all Works

Now we’ve finished installing qBittorrent and the service is running, lets check it all works by going to http://*Rasbperry Pi Ip Address*:8080 and we should see a login screen.

Login to qBittorrrent using the default username and password shown earlier in the guide, we will be updating these.

  • Username: admin
  • Password: adminadmin

You will see an empty interface that is ready to start downloading torrents. BUT we’re not at that point yet as we’ve got some configuration left and we need to make sure the qBittorrent automatically stops when we lose the VPN connection and starts when the connection returns.

Auto Start qBittorrent

We’re going to go back to the OpenVPN files so cd into /etc/openvpn:

cd /etc/openvpn

To auto start qBittorrent when the VPN connection is established we need to edit route-up.sh.

sudo nano route-up.sh

And paste the following at the bottom of the file:

systemctl start qbittorrent

The file should look like:

#!/bin/sh
/etc/openvpn/update-systemd-resolved
# replace /etc/resolv.conf with special version for AirVPN
rm /etc/resolv.conf
cp /etc/resolv.conf.airvpn /etc/resolv.conf
systemctl start qbittorrent

 Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Auto Stop qBittorrent

To make sure no peer 2 peer traffic is sent over your clear internet connection we’re going to ensure the qBittorrent service is stopped before we lose our VPN connection.

To do this we’re going to add a line to down.sh:

sudo nano down.sh

Paste the following on line 2, above /etc/openvpn/update-systemd-resolved:

systemctl stop qbittorrent

The contents of the file should look like:

#!/bin/sh
systemctl stop qbittorrent
/etc/openvpn/update-systemd-resolved
# replace /etc/resolv.conf with special version for AirVPN
rm /etc/resolv.conf
cp /etc/resolv.conf.airvpn /etc/resolv.conf

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Reboot your Raspberry Pi to ensure all our changes are applied:

sudo reboot

Check Everything is Working

After the reboot lets check everything is working as we expect.

In your web browser navigate to the qBittorrent Web UI as you did earlier and make sure it loads.

Now in the command line of the Raspberry Pi make sure the VPN has started automatically:

wget -qO- ifconfig.me/ip

Confirm the IP address is different from your clear public address.

Now we’re going to stop the OpenVPN service, make sure it stops qBittorrent and that we are now accessing the internet via our clear IP address:

sudo systemctl stop openvpn

Back in your web browser refresh the qBittorrent Web UI page and it should be unavailable.

Now start OpenVPN back up and do one final check to make sure qBittorrent came back to life:

sudo systemctl start openvpn

Once we’ve confirmed everything is working as expected we can pat our selves on the back for a job well done on installing the basics of our secure torrent client.

Configure qBittorrent

We won’t be storing the active or completed torrent files on the Raspberry Pi’s microSD card, we’ll want these stored on the external hard drive so we want to make sure qbtuser has access to this external drive. 

I’m mounting the drive to /mnt/Torrents so let’s update that with the right owner:

sudo chown -R qbtuser:qbtuser /mnt/Torrents

This will now allow qBittorrent to create and delete files from this directory.

We’re going to store the active and completed torrent files in separate folder on our external drive, so let’s create those:

sudo mkdir /mnt/Torrents/Active
sudo mkdir /mnt/Torrents/Finished

Now we have our folders setup, let’s login to the qBittorrent web ui and get configuring some basics.

Once logged in, click the options button from the top bar (crossed spanner and screw driver), or go to Tools then Options to open the options dialog.

Note: Depending on the version installed, the options button may be a cog as seen below.

The Options dialog will open on the Downloads tab. From here we’re going to update where finished and active torrents are stored.

In Save files to location replace the default with:

/mnt/Torrents/Finished

Tick the box to the left of Keep incomplete torrents in, and update the textbox to be:

/mnt/Torrents/Active

With the folder locations sorted now we want to update the port that qBittorrent listens on.

Click on theConnection tab at the top of the open dialog and at the top you will see Listening Port.

Lets update the Port used for incoming connections:

  • 165587

It can be anything (usually higher than 2048), but best to try and find something that is very rarely used as it will improve the odds of it being available when we request port forwarding from AirVPN.

Finally we want to change the default password for the Web UI.

Click on the Web UI tab at the top of the open dialog and scroll to the bottom.

In the Authentication section update the password to something secure that only you know and you’ll remember.

Port Forwarding

To be able to download torrents we need to do some port forwarding on our router and to get the best performance port forwarding for our VPN connection.

Port Forwarding AirVPN

To forward ports in AirVPN we do this from the Forwarded Ports section of the Client Area. For a direct link to Forwarded Ports click here.

    • Login to AirVPN.
    • Click Client Area from the tabs across the top.
    • Click Forwarded Ports from the menu on the left hand side.
    • In the large box at the top: 16587.
    • Protocol: TCP & UDP.
    • Local port: 16587.
    • Leave DDNS (?) blank.
    • Click Add.

If you get a message telling you the port is already reserved by another user, don’t worry, just keep trying others until you find one that works. Make sure to update qBittorrent as well.

Port Forwarding on Your Router

The principle of port forwarding is universal across all routers, but for this guide I’ll be showing how to do it with pfSense.

To add and apply the port forwarding follow the steps below:

  • Login to pfSense.
  • Firewall -> NAT -> Port Forward.
  • Add.
  • Interface – WAN.
  • Protocol – TCP/UDP.
  • Destination – WAN_Address.
  • Destination Port range – Other, 16587, Other, 16587.
  • Redirect target IP – Raspberry Pi IP (10.9.10.115).
  • Redirect target port – Other, 16587.
  • Description – qBittorrent Port Forward.
  • Save.
  • Apply Changes – At the top of the NAT page.

Your new NAT rule should like the one above before clicking save and applying the settings.

Once you’ve added and enabled the rule it should be visible on the page of NAT rules and look similar to the image above.

Firewall Rules

If you’re using pfSense you’ve most likely got everything locked down as much as possible. We’re going to need to open some ports to allow the torrent trackers to work. The trackers run on ports:

  • 1337.
  • 6969.

To enable these, let’s hop onto the firewall rules page, Firewall -> Rules -> LAN (or VLAN that the Raspberry Pi is on).

  • Firewall -> Rules -> LAN (or VLAN that the Raspberry Pi is on).
  • Add.
  • Action – Pass.
  • Interface – LAN (or VLAN that the Raspberry Pi is on).
  • Protocol TCP/UDP.
  • Source – Single host or alias 10.8.10.115 (Raspberry Pi IP Address).
  • Destination *tick Invert match*, LAN Address (I have multiple LAN networks so have an alias setup).
  • Destinate Port Range – Other, 1337, Other, 1337.
  • Description – Torrent tracker port 1337.

Let’s create another rule for port 6969. We could add these to an alias so only one rule is required, but fow now it keeps it simple and clear.

  • Firewall -> Rules -> LAN (or VLAN that the Raspberry Pi is on).
  • Add.
  • Action – Pass.
  • Interface – LAN (or VLAN that the Raspberry Pi is on).
  • Protocol TCP/UDP.
  • Source – Single host or alias 10.8.10.115 (Raspberry Pi IP Address).
  • Destination *tick Invert match*, LAN Address (I have multiple LAN networks so have an alias setup).
  • Destinate Port Range – Other, 6969, Other, 6969.
  • Description – Torrent tracker port 6969.

Once you’ve added and enabled the rules they should be visible on the page of firewall rules and look similar to the image below.

Complete!

The port forwarding is now complete. We can check that everything is working as expected by logging into qBittorrent and at the bottom the connection should now be green instead of yellow.

Download First Torrent

Now that everything is configured and setup let’s download our first torrent.

I use qBittorrent to download all my Linux images, so that’s a good place to start to check everything is working. Head on over to the Raspbian download page again and download the torrent file (ending .torrent).

In qBittorrent click the green Plus icon in the top left to add a new torrent file.

In the dialog that opens click brows to find your torrent file and select it.

Confirm the download location is correct (This was setup earlier and will stay the default).

Click Upload Torrents to start downloading.

Once you’ve added the torrent file you’ll notice it starts downloading. The download speed will depend on a number of factors, total seeds, your connection speed, speed of the VPN connection and on very fast connections, the processing power of the Raspberry Pi may be the limiting factor to maximising connection speeds as it needs to encrypt and de-encrypt all the traffic.

Once the download is complete lets check the finished folder to make sure it’s saved in the right place and with the correct user and group.

ls -al /mnt/Torrents/Finished/

Finished!

That’s it, we’ve finished setting up the secure torrent client. Now all downloads will be done via a VPN connection and it has a kill switch to stop any traffic being leaked if the connection drops.

One problem, how do we get the files off the Raspberry Pi now they’re downloaded? We’ll need to setup a network share!

Create a Network Share

 This guide assumes you’ll be connecting from a Windows computer so we are going to create a Samba share by installing the Samba server package:

sudo apt-get install samba -y

Once the package has installed we can configure the Samba server, this is done by editing the smb.conf file in /etc/samba/smb.conf.

Before we make any edits, lets make a backup of the original so we can always roll back:

sudo cp /etc/samba/smb.conf /etc/samba/smb.bak

Now to update smb.conf:

sudo nano /etc/samba/smb.conf

We’re going to enable WINS (Windows Internet Name Service) support.

Look for the line:

# wins support = no

And replace it with:

wins support = yes

Now to setup the Samba share, go to the end of the file and paste the following:

[FinishedTorrents] #This is the name of the share it will show up as when you browse
comment = Finished Torrents Folder
path = /mnt/Torrents/Finished
create mask = 0775
directory mask = 0775
read only = no
browseable = yes
public = yes
force user = qbtuser
valid users = qbtuser
only guest = no

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

We need to set a samba (memorable and secure) password for qbtuser, this will be used to connect to the share:

sudo smbpasswd -a qbtuser

Now we’ve finished setting it up lets restart the samba service:

sudo service smbd restart

Once the service has restarted let’s try and connect. If this fails, reboot your Raspberry Pi to ensure all settings have been updated.

The Raspberry Pi should be visible on your Network tab, but you can directly navigate to it using either the hostname or IP address of the Raspberry Pi in the address bar of a file explorer window.

\\10.8.10.115\FinishedTorrents

Logging in

On the first time logging in you’ll need to provide the user details

  • username: qbtuser
  • password: *Setup earlier*

Ticking Remember my credentials means you won’t have to go through this process each time you try to access the Raspberry Pi’s file share.

It’s not recommended to remember credentials on a shared computer as anyone will be able to access the share.

With everything going to plan you’ll see all of your finished torrents and be able to copy them out.

Finished! – Fully this time

Congratulations! If you’ve stuck with me until now, you have successfully finished setting up a secure torrent client with Samba server.

Pat yourself on the back and enjoy downloading completely legal torrents over a secure connection.

Further Reading

A lot of people like to manage their torrents using Sonarr, Radarr and Lidar, if this is something that interests you, checkout my guides:

Raspberry Pi Mount USB Drive

Raspberry Pi Mount USB Drive

Raspberry Pi – Set a Static IP Address

Overview

  • Expand the storage space of the Raspberry Pi.
  • Add quicker and more stable storage.
  • Auto mount the external storage.

By default the Raspberry Pi only uses a microSD card for it’s storage. While this is great in terms of power consumption and space used, microSD cards aren’t very fast and the data on them is easily corrupted.

Technical Jargon

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

SSD

SSD stands for Solid State Drive. Unlike traditional spindle hard drives an SSD uses integrated circuits to store data. They are quicker than spindle hard drives and require less power.

Click here for a full detailed description of SSD.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

You have attached a powered external hard drive to the Raspberry Pi. A bus powered hard drive will most likely try to draw more current than the Raspberry Pi can deliver unless you are using an SSD.

Format Hard Drive

When you’ve selected your hard drive and plugged it in, the first thing we’ll want to do is format it to ensure there is no data left on it before continuing. To do this we need to know the name and location of the hard drive, we can do this using:

ls -l /dev/disk/by-uuid/

You should see something like the image below. This shows my two partitions of the microSD card as well as ../../sda1 which is the partition on my external hard drive. Note by default one external hard drive will be assigned to sda.

Now we know the name and unique ID of the drive we can start the format process.

To format the drive we’re going to be using fdisk:

sudo fdisk /dev/sda

We need to make sure there are no partitions so when we create a new one it will use all of the space on the hard drive.

Press “d” and hit return, if there is more than one partition it will ask which to delete. Keep selecting 1 and repeating the process until all are deleted. If there is just a single partition it will automatically delete it.

Now we have deleted all the old partitions it’s time to create a brand new one.

  • Press “n” then return to create a new partition.
  • Press “p” then return to create a new primary partition.
  • Accept all of the defaults by pressing return.

Once you’ve created the partition we need to write these changes to the disk and then exit fdisk.

  • Press “w” to write changes to the disk.
  • Press “q” to quit out of fdisk.

Now we’ve got the new partition we need to format it as ext4:

sudo mkfs.ext4 /dev/sda1

This may give a warning if it used to contain an old ext4 file system. If you see this prompt press Y to continue and allow the drive to be formatted.

The external drive is now formatted and ready to be mounted.

Mount Drive

Before we mount the drive we need to create a folder that it will be mounted to. For the purpose of this guild I’ll be creating the folder /mnt/USBDrive, but feel free to use a folder name and location that suits your purposes:

sudo mkdir /mnt/USBDrive

Once we’ve created the folder we need to assign it a user and group as it will have defaulted to root:root. I’ll be using pi:pi, but feel free to use a user and group that better suits you:

sudo chown -R pi:pi /mnt/USBDrive

We can check this has worked with the following command:

ls -al /mnt

Now we have a folder to mount the drive to we’re ready to setup an auto mount on boot. First things first we need to know the drives new UUID:

ls -l /dev/disk/by-uuid/

Copy the unique Id of your hard drive (sda1), shown in blue in the image below.

To auto mount a drive on boot we’re going to edit the fstab file that’s located at /etc/fstab:

sudo nano /etc/fstab

Add a new line at the bottom of the file, make sure to update the UUID and mount position to match your own:

UUID=e3395033-d124-4b11-8e6e-9ef34967be50 /mnt/USBDrive ext4 rw,relatime 0 2

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

We’re not going to mount the hard drive manually, we’re going to make sure the auto-mount is working. To do this, give the Raspberry Pi a reboot:

sudo reboot

Once it’s rebooted we are going to check the free disk space of all mounted disks:

df -h

You should see your drive listed on the left side as /dev/sda1 along with it’s size, used space, available space and mount point.

Let’s check that the drive has been mounted with the correct permissions. If you have mounted it as user and group “pi” then you can go ahead and try to create a test folder. If you have mounted it as a different user we’ll need to spoof the user.

As user pi:

mkdir /mnt/USBDrive/Test
ls -al /mnt/USBDrive

If you are mounting the hard drive with a different user, let’s spoof the user. For this guide I’ll be using qbtuser:

sudo su qbtuser
mkdir /mnt/USBDrive/Test

Then we want to return to user pi so we’ll exit user qbtuser:

exit

With everything working, lets clean up after ourselves:

rm -R /mnt/USBDrive/Test

Complete!

Congratulations, you’ve added an auto mounting external hard drive to your Raspberry Pi!

Raspberry Pi Static IP

Raspberry Pi Static IP

Raspberry Pi – Set a Static IP Address

Overview

  • Set a static address.
  • Reliably connect to the Raspberry Pi.
  • No more fumbling in DHCP logs to find the current IP.

Setting a static IP allows you to run a web server, file server or any other service that relies on clients knowing where to look.

It will also simplify general maintenance as we will always know where to find our Raspberry Pi.

Technical Jargon

IP Address (IP)

An IP address is a unique (numeral) address that is used to identify a device on the network. Every computer has an IP address and these are used by computers to talk to one another.

Think of it like your postal address or telephone number. If someone wants to contact you they use your unique address, this is the same for a computer and its IP.

Click here for a full detailed description of IP address.

DHCP

DHCP stands for Dynamic Host Configuration Protocol and a DHCP server is the server tasked with giving computers without an IP address their address. It is similar to going to the theater and the box office assigning you a seat. They make a note of your seat row and number so if you’re needed during the performance someone can find you. This is the same job the DHCP server has, it gives computer A an IP address and then gives that address to the DNS server so when other computers want to find computer A they are told where they can find them.

A server usually has a range of IP addresses it is allowed to hand out. E.g. 10.8.110.100 To 10.8.10.199. If you are using a static IP address you’ll want to pick one outside of the range.

Click here for a full detailed description of DHCP.

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

Assumptions

This guide assumes you have a fresh install of Raspbian on a headless server.

Set a Static IP

Most projects we undertake will benefit from a static IP address so it’s worth setting up as a matter of course as it’ll make SSHing into our Raspberry Pi much easier because we already know it’s address.

First we’re going to update dhcpcd.conf to assign a static IP.

SSH into your Raspberry Pi using it’s IP or hostname and open dhcpcd.conf for editing:

sudo nano /etc/dhcpcd.conf

Scroll to the very bottom of the file (or Page Down) and at the very bottom paste the following. If you want to assign a static IP to the WiFi interface, the default name is wlan0:

interface eth0
static ip_address=*Desired IP address*
static routers=*Router IP address*
static domain_name_servers=*DNS server IP address*

In between the asterisks you’ll have put the static IP address of the Raspberry Pi and the IP address of your router. For example, mine are:

interface eth0
static ip_address=10.8.10.115
static routers=10.8.10.1
static domain_name_servers=10.8.10.1

Press Ctrl+x to exit and you’ll be prompted to Save modified. Type Y and then return to save the file.

Reboot the Raspberry Pi to ensure the new IP address is set:

sudo reboot

Once your Raspberry Pi has rebooted SSH back in using it’s new IP address. At any time to check the IP address of your Raspberry Pi use:

ip -c a

Finished

Congratulations you’ve now got a static IP address!

Setup a Headless Raspberry Pi Server

Setup a Headless Raspberry Pi Server

Setup a Headless Raspberry Pi Server

Overview

So you’ve bought a Raspberry Pi and want to start using it for the 101 awesome projects you’ve got lined up, but you don’t have a spare keyboard or monitor. How do you go about setting it up in a totally headless environment?

This is a very quick guide to setting up a headless Raspberry Pi that will automatically join your network and let you SSH in with a fresh install of Raspbian.

A lot of the Raspberry Pi tutorials will use this method as it’s a good starting point for any project.

Software Required

  • Etcher – Disc Imager.
  • Putty – SSH Client.

 

Technical Jargon

IP Address (IP)

An IP address is a unique (numeral) address that is used to identify a device on the network. Every computer has an IP address and these are used by computers to talk to one another.

Think of it like your postal address or telephone number. If someone wants to contact you they use your unique address, this is the same for a computer and its IP.

Click here for a full detailed description of IP address.

Hostname

A computer hostname is similar to you wearing a name badge. Computers can be known by their unique IP address, or a nick name (hostname) can be assigned to them. The hostname is the easy to remember name of a computer and like the IP address must be unique on the network.

Click here for a full detailed description of computer hostnames.

DHCP

DHCP stands for Dynamic Host Configuration Protocol and a DHCP server is the server tasked with giving computers without an IP address their address. It is similar to going to the theater and the box office assigning you a seat. They make a note of your seat row and number so if you’re needed during the performance someone can find you. This is the same job the DHCP server has, it gives computer A an IP address and then gives that address to the DNS server so when other computers want to find computer A they are told where they can find them.

A server usually has a range of IP addresses it is allowed to hand out. E.g. 10.8.110.100 To 10.8.10.199. If you are using a static IP address you’ll want to pick one outside of the range.

Click here for a full detailed description of DHCP.

DNS

DNS  stands for Domain Name System. A DNS server is like an old fashioned address book. It holds all of the hostnames and IP addresses of computers on the network so when we want to talk to Computer A we can ask the DNS server for their address and they will find it for us. Once found we can then go and contact Computer A.

Click here for a full detailed description of DNS.

SSH

SSH stands for secure shell. SSH is an encrypted connection established between two computer programs. On the server side (the computer being connected to) a service is running that listens for another computer trying to contact it via SSH.

Click here for a full detailed description of SSH.

How to Install Raspbian on a Headless Server

Installing Raspbian is easy, you’re going to:

  • Download Raspbian.
  • Write the Raspian image to a microSD.
  • Power on the Raspberry Pi.
  • SSH into the Raspberry Pi.
  • Configure basic settings.

For this process we’re going to need the following hardware:

  • 1 x Raspberry Pi.
  • 1 x microSD card (Recommended at least 8GB, or to suit for the project).
  • 1 x microSD card reader.

And the following software:

Download Raspbian

 Now we’re ready to start, grab the latest version of Raspbian from the Raspberry Pi Foundation’s website.

For most of my work I use Raspbian Stretch Lite as I very rarely have a need for a user interface. Getting the lite version will provide minimal packages and just a command line.

If you chose to “Download Zip”, now might be a good time to grab a cup of tea as the download speeds from The Raspberry Pi Foundation aren’t the best.

Unzip the File

Raspbian is provided as a compassed disk image and will need unzipping before it can be written to the microSD card.

If you’re on Windows 10, right clicking and selecting “Extract All…” should do the trick, but if you run into any problems the following programs are recommended by the Raspberry Pi Foundation:

Write Raspbian to microSD

 Writing the Raspbian image to a microSD card is a straightforward process. In this guide we’ll be using balenaEtcher.

With Etcher you’ll need to select an image and flash the disc. If you have just a single drive connected to your computer it will be automatically selected, otherwise you’ll need an extra step to select the drive. Depending on the speed of the microSD card chosen, it can take a few minutes to write the image to disc.

CAUTION ensure the correct drive is selected. Selecting the wrong drive will result in losing all data on the selected drive.

First off, open balenaEtcher.

Click “Select image” to continue.

In file explorer navigate to your unzipped copy of Raspbian, select it and then click “Open”.

Ensuring the correct removable drive has been selected click “Flash!”.

This window will be displayed and the progress of the flash will be shown.

Enable SSH

By default Rasbian disables SSH access. We will need to enable SSH to do anything as there won’t be a keyboard, mouse or monitor attached to the Raspberry Pi.

To enable SSH open the newly flashed microSD card and create a file called “ssh”.

My drive has been identified as “boot (D:)”. View the contents of the drive then right click and choose “New”, then “Text Document” and finally name it “ssh”.

By default it will have a .txt extension, this needs to be removed and select “Yes” to being sure you want to change the filename extension.

The file named ssh tells Raspbian to enable SSH access when it boots.

Click Yes to accept the change of filename extension and to create the file.

Enable WiFi

If the Raspberry Pi will not be connected to an Ethernet connection and is going to be totally headless you’ll need to configure the WiFi options before removing the microSD card from the computer.

In the same way you created a file called “ssh”, in the root directory of the D: drive create a file called “wpa_supplicant.conf”.

Once created open it in a text editor and paste the below text, modifying as necessary.

Your ISO Country Code should be updated, for example GB for United Kingdom:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=*your_ISO-3166-1_two-letter_country_code*
network={
    ssid="*your_SSID*"
    psk="*your_PSK*"
    key_mgmt=WPA-PSK
}

Save your changes and close the text editor.

Boot up the Raspberry Pi

Now that the disc image has been written and necessary files have been created and edited eject the micorSD card and place it into the Raspberry Pi. Plug in the necessary cables,  Ethernet (if needed) and power and watch the Pi come to life!

The default username is: pi

The default password is: raspberry

By default the Raspberry Pi will be assigned an IP by the DHCP server so it’s IP address can be found by interrogating whichever device provides IPs.

SSH into Your Pi

In this guide I’m using the Putty SSH Client to ssh into my Raspbery Pi. Open putty and ensure it is using port 22. In the Host Name (or IP address) type in the IP address found from the DHCP server. If your DHCP server uses hostnames, typing raspberry.*domain* will work as well. E.g. raspberry.local.lan.

Once the correct hostname or IP address are in the box click “Open” to start a connection to the Raspberry Pi. If successful a black window with login prompt will appear where you’ll want to ender “pi” for the username and “raspberry” for the password. Hit return after each command.

Ater successfully login in you will be greeted with a similar window. I use Ethernet to connect my Raspberry Pis to my network, hence the WiFi disabled message.

Update and Configure

Once logged into the Raspberry Pi you’ll want to ensure it’s using the latest software and is configured to use another password other than the default.

First you’ll want to update the package lists:

sudo apt-get update

Once using the latest packages you’ll want to update your software The “-y” automatically selects “yes” to confirmation messages:

sudo apt-get upgrade -y

Now the system is up to date, let’s change the default password:

sudo raspi-config

raspi-conig allows you to update some basic settings from an easy to understand menu. For this part we are just updating the user password.

Ensure “1 Change User Password” is selected and then hit return. On the next page that explains the process hit return again before being taken to enter your password twice. If the passwords match you’ll be prompted with a success screen. Make sure to chose a passwod that isn’t easily guessed but you can remember!

Next we’re going to set a new hostname, use the arrow keys to select “2 Network Options” and press return. On the next page “N1 Hostname” will be highlighted, hit return again, make sure to read and understand to next page before pressing return for the final time. Once you are prompted with “Please enter a hostname” delete the default “raspberrypi” and replace it with something that will be meaningful to your project. Once you’re happy hit return to accept and go back to the main page.

Finally in the raspi-config page we’re going to expand the file storage to make sure the Raspberry Pi has access to the entire microSD card. Use the arrow keys to select “7 Advanced Options”, press return and then return again on “A1 Expand Filesystem”. This will automatically expand the file system.

To close raspi-config press the right direction arrow to highlight “Select” then press once more to highlight “Finished” and hit return. You should be asked if you want to restart now, you should say “Yes” to this, otherwise you’ll then be taken back to the console.

Finished!

Now you’re finished setting up and configuring the basics of your Raspberry Pi. What are you waiting for? Get on and do something great!