Creating a low-power, secure torrent box based on a Raspberry Pi 3 Model A+, Samba, Deluge and PIA OpenVPN

Install Raspberry Pi OS Lite 64-bit (2022-04-04) on a SanDisk Ultra 200 GB micro SD card.

Create a new file called wpa_supplicant.conf in the root of the first partition of the micro SD card and add the text shown below. Adjust the ssid and psk as needed.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=SE
network={
    ssid="NAME"
    psk="PASSWORD"
}

In the same directory, create a new file called userconf and add the text shown below.
pi:$6$oLZglrx6toCFaoR/$06EmZ9/BN2tAjU5kbuxUxU6W.se66etapF0b9bftdw/LDd1yncSDhWPM2eZCOIEgH1iAn4ygozxNPbHc3Easg1

Still in the same directory, create an empty file called ssh.

In the second partition, open the files hostname and hosts in the directory /etc/ and replace raspberrypi with micro (the new hostname). Comment out all the lines related to IPv6.

In the same directory, add the line net.ipv6.conf.all.disable_ipv6 = 1 at the end of the file sysctl.conf.

Still in the same directory, add the line noipv6 at the end of the file dhcpcd.conf.

In the directory /etc/profile.d/, rename the file sshpwd.sh to sshpwd.sh.disabled.

In the directory /home/pi/, create an empty file called .hushlogin.

Copy the OpenVPN files ca.rsa.2048.crt and crl.rsa.2048.pem provided by PIA to the directory /home/pi/.

Insert the micro SD card into the Raspberry Pi 3 Model A+ and power on the system using the official Raspberry Pi power supply.

Access the Raspberry Pi remotely using SSH (username: pi, password: raspberry) and make sure that the operating system is up to date by executing 2 commands: sudo apt-get update followed by sudo apt-get upgrade.

Install Deluge (including the Web UI), OpenVPN and Samba using the command sudo apt-get install deluged deluge-web openvpn samba.

Create the deluge user using the command sudo adduser --system --group --disabled-password --home /var/lib/deluge deluge.

Remove the init.d scripts related to Deluge by executing 3 commands: sudo /etc/init.d/deluged stop, followed by sudo rm /etc/init.d/deluged, followed by sudo update-rc.d deluged remove.

Create a new file called deluged.service in the directory /etc/systemd/system/ and add the text shown below.
[Unit]
Description=Deluge BitTorrent Client Daemon
Documentation=man:deluged
#After=network-online.target
#BindsTo=firewall.service
StartLimitIntervalSec=0
[Service]
Type=simple
User=deluge
Group=deluge
UMask=0000
ExecStart=/usr/bin/deluged -d
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target

In the same directory, create another new file called deluge-web.service and add the text shown below.
[Unit]
Description=Deluge BitTorrent Client Web Interface
Documentation=man:deluge-web
After=deluged.service
StartLimitIntervalSec=0
[Service]
Type=simple
User=deluge
Group=deluge
UMask=0000
ExecStart=/usr/bin/deluge-web -d
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target

Start these 2 services using the command sudo systemctl start deluged.service deluge-web.service.

Once the directory /var/lib/deluge/.config/deluge/ is populated (after a few seconds), stop the services using the command sudo systemctl stop deluged.service deluge-web.service.

In the directory /var/lib/deluge/.config/deluge/, open the file core.conf and edit as shown below.
"add_paused": true
"download_location": "/mnt/d/download"
"max_active_downloading": 4
"max_active_limit": 12
"max_active_seeding": 12
"max_download_speed": 300.0
"max_upload_speed": 80.0
"move_completed_path": ""
"torrentfiles_location": ""

In the same directory, open the file web.conf and edit as shown below. Set the value of default_daemon to the first entry found in the file hostlist.conf.
"default_daemon": "DAEMON"
"port": 8000
"session_timeout": 86400

Back up these 2 files using the command for f in /var/lib/deluge/.config/deluge/{core,web}.conf; do sudo cp $f{,.backup}; done.

Enable the 2 commented lines in the previously created file deluged.service using the command sudo sed -i 's/^#//' /etc/systemd/system/deluged.service.

Create a new file called pia.conf in the directory /etc/openvpn/client/ and add the text shown below.
client
dev tun0
remote swiss.privacy.network 1198
proto udp4
resolv-retry 60
nobind
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass pia.password
compress
verb 4
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
tls-exit
ping-restart 120
auth-retry none
pull-filter ignore "route-ipv6"
allow-recursive-routing

In the same directory, create another new file called pia.password with the username of the PIA VPN in the first line and the corresponding password in the second line.

Change the permissions of this file to 0600 using the command sudo chmod 0600 /etc/openvpn/client/pia.password.

Create a new file called resolv.conf.head in the directory /etc/ and add the text shown below.
nameserver 209.222.18.222
nameserver 209.222.18.218

Create a new directory called openvpn-client@pia.service.d inside the directory /etc/systemd/system/.

Create a new file called override.conf inside this new directory and add the text shown below.
[Unit]
StartLimitIntervalSec=0
[Service]
RestartSec=10
Restart=always
TimeoutSec=3600

Move the files ca.rsa.2048.crt and crl.rsa.2048.pem from the directory /home/pi/ to the directory /etc/openvpn/client/.

In the directory /etc/samba/, copy the file smb.conf to a new file called smb.conf.backup.

Replace the text in the file smb.conf with the text shown below.
[global]
disable netbios = yes
disable spoolss = yes
dns proxy = no
guest account = nobody
load printers = no
log file = /var/log/samba/samba.log
log level = 0
map to guest = Bad User
max log size = 5000
printcap name = /dev/null
security = user
server string = SMB
workgroup = GROUP
[download]
browseable = no
guest ok = yes
inherit permissions = yes
max connections = 5
guest only = yes
path = /mnt/d/download
writeable = yes
[cloud]
browseable = no
guest ok = yes
inherit permissions = yes
max connections = 5
guest only = yes
path = /mnt/c/cloud
writeable = yes

Create a new sparse disk image called disk.download using 2 commands: sudo dd if=/dev/zero of=/mnt/disk.download bs=1 count=0 seek=107G followed by sudo mkfs.ext4 /mnt/disk.download.

Create a new directory called d inside the directory /mnt/.

Mount the disk in this new directory using the command sudo mount -o loop /mnt/disk.download /mnt/d.

Create a new directory called download inside the directory /mnt/d/ and change the permissions of this new directory to 0777 using the command sudo chmod 0777 /mnt/d/download.

Unmount the disk using the command sudo umount /mnt/d.

Create another new sparse disk image called disk.cloud using 2 commands: sudo dd if=/dev/zero of=/mnt/disk.cloud bs=1 count=0 seek=59G followed by sudo mkfs.ext4 /mnt/disk.cloud.

Create a new directory called c inside the directory /mnt/.

Mount the disk in this new directory using the command sudo mount -o loop /mnt/disk.cloud /mnt/c.

Create a new directory called cloud inside the directory /mnt/c/ and change the permissions of this new directory to 0777 using the command sudo chmod 0777 /mnt/c/cloud.

Unmount the disk using the command sudo umount /mnt/c.

Add the 2 lines shown below at the end of the file fstab in the directory /etc/.
/mnt/disk.download /mnt/d ext4 defaults,noatime,loop 0 2
/mnt/disk.cloud /mnt/c ext4 defaults,noatime,loop 0 2

Create a new file called firewall.service in the directory /etc/systemd/system/ and add the text shown below. Adjust 192.168.0.0/24 to match the subnet of your local network if needed.
[Unit]
Description=Firewall rules for VPN
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft add table ip ipv4
ExecStart=/usr/sbin/nft add chain ip ipv4 _forward_ { type filter hook forward priority 0 \; policy drop \; }
ExecStart=/usr/sbin/nft add chain ip ipv4 _input_ { type filter hook input priority 0 \; }
ExecStart=/usr/sbin/nft add rule ip ipv4 _input_ meta iifname "lo" accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _input_ ip saddr 192.168.0.0/24 accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _input_ meta iifname "tun0" accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _input_ ct state { established, related } accept
ExecStart=/usr/sbin/nft add chain ip ipv4 _output_ { type filter hook output priority 0 \; }
ExecStart=/usr/sbin/nft add rule ip ipv4 _output_ meta oifname "lo" accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _output_ ip daddr 192.168.0.0/24 accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _output_ meta oifname "tun0" accept
ExecStart=/usr/sbin/nft add rule ip ipv4 _output_ udp dport 1198 accept
ExecStart=/usr/sbin/nft chain ip ipv4 _input_ { policy drop \; }
ExecStart=/usr/sbin/nft chain ip ipv4 _output_ { policy drop \; }
[Install]
WantedBy=multi-user.target

In the same directory, create another new file called power.service and add the text shown below.
[Unit]
Description=Power management for wlan0
Before=network.target
Wants=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iw dev wlan0 set power_save off
[Install]
WantedBy=multi-user.target

Execute the command sudo dpkg-reconfigure tzdata and change the local time from Europe/London to Europe/Stockholm.

Execute the command sudo dpkg-reconfigure locales, remove en_GB.UTF-8 UTF-8 from the list, add en_US.UTF-8 UTF-8, and then select en_US.UTF-8 as the default locale.

Configure the relevant services to start automatically using the command sudo systemctl enable firewall.service power.service openvpn-client@pia.service deluged.service deluge-web.service.

Reboot using the command sudo reboot. After this reboot, the Raspberry Pi will be ready.
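
To confirm after the reboot that the kill switch from firewall.service is in place, the check below parses the output of nft list ruleset and verifies that all three chains have policy drop, that _output_ accepts nothing beyond lo, the LAN, tun0 and UDP port 1198, and that IPv6 is disabled (the table is family ip only, so the sysctl.conf and dhcpcd.conf settings are what keep IPv6 from going around it). This is an added example, not part of the original guide; the function names and the sample ruleset are constructed, and the listing format is assumed to match a recent nft release.

```shell
# Added example, not from the original guide. SAMPLE_RULESET is a constructed
# "nft list ruleset" listing of the table that firewall.service builds.
SAMPLE_RULESET='table ip ipv4 {
    chain _forward_ {
        type filter hook forward priority filter; policy drop;
    }
    chain _input_ {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state { established, related } accept
    }
    chain _output_ {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        ip daddr 192.168.0.0/24 accept
        oifname "tun0" accept
        udp dport 1198 accept
    }
}'

# Print the policy of chain $2 in ruleset text $1 (empty if the chain is missing).
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "chain" && $2 == c { inside = 1; next }
        inside && $1 == "}"      { exit }
        inside { for (i = 1; i < NF; i++) if ($i == "policy") {
                     gsub(/;/, "", $(i + 1)); print $(i + 1); exit } }'
}

# Print accept rules in _output_ other than the four the guide installs ($2 = LAN).
unexpected_output_rules() {
    printf '%s\n' "$1" | awk -v lan="$2" '
        $1 == "chain" && $2 == "_output_" { inside = 1; next }
        inside && $1 == "}"               { exit }
        inside && $NF == "accept" {
            sub(/^[ \t]*(meta )?/, "")
            if ($0 != "oifname \"lo\" accept" && $0 != "oifname \"tun0\" accept" &&
                $0 != ("ip daddr " lan " accept") && $0 != "udp dport 1198 accept") print }'
}
# $1 = ruleset, $2 = LAN CIDR, $3 = value of /proc/sys/net/ipv6/conf/all/disable_ipv6
killswitch_ok() {
    for c in _forward_ _input_ _output_; do
        [ "$(chain_policy "$1" "$c")" = drop ] || { echo "$c policy is not drop"; return 1; }
    done
    [ -z "$(unexpected_output_rules "$1" "$2")" ] || { echo "extra accept in _output_"; return 1; }
    [ "$3" = 1 ] || { echo "IPv6 is enabled and the ip-only table does not filter it"; return 1; }
    echo ok
}
killswitch_ok "$SAMPLE_RULESET" 192.168.0.0/24 1
```

On the Pi, pass the live values instead of the sample: killswitch_ok "$(sudo nft list ruleset)" 192.168.0.0/24 "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6)".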