I have recently acquired a BeagleBone Black, onto which I've installed Ubuntu using this method. It has all worked so far.
I want to use my BeagleBone as a torrent box, but I don't want to do it directly over my Internet connection (I don't think my ISP will like it) – so I've purchased a VPN subscription from a European server. I've manually connected my laptop to this VPN before and then run Transmission. I know that the VPN connection works in Ubuntu, and the host provides setup information for OpenVPN. Annoyingly, the dynamic nature of the assigned IP address means it would change frequently, so when I used my laptop with the VPN I would manually set the listening address in Transmission to the required value.
Ideally I'd like the following setup:
- Transmission runs only over the VPN, and is prohibited from running torrents over the normal WAN connection
- Only traffic directed to Transmission will be accepted or sent through the VPN, all other unsolicited traffic will be dropped
- Transmission uses the appropriate port to listen on, based on the assigned IP address
- OpenVPN starts automatically on boot, which then subsequently starts Transmission
- Transmission's web GUI can be accessed over the LAN, and possibly over the Internet from my WAN connection (i.e. not back through the VPN)
Best Answer
Note: (2016-02-22) I've realised this config leaks DNS queries to the torrent trackers through the normal WAN, instead of sending it through the VPN. I'm investigating how to fix this. I'm going to keep running my config though, since the connection itself does use the VPN properly.
Update: I've noticed that when I set Transmission to download overnight on the Beaglebone, CPU usage goes to 100% after a while. It doesn't seem to happen after the same amount of time, sometimes it's fine all night, other times it struggles after 10 minutes. It can also recover by pausing all torrents and waiting for CPU load to return to normal, then starting again. I'm still investigating. A workaround might be to pause and resume torrents periodically, although it's not a very good workaround. Note this issue only applies to the Beaglebone, and probably other ARM devices. I've never had this issue on an x86 CPU.
Introduction
I've developed and tested this solution for Ubuntu 14.04, running on a BeagleBone Black. The VPN provider I am using is called ibVPN. It should work with any supported hardware though (i.e. on a "normal" x86 computer), with any OpenVPN compatible VPN provider - and should probably work for 14.10 or later. At some point I believe Ubuntu will use SystemD for boot, which will mean the Upstart scripts used here will need to be migrated. Update: Jonas Kalderstam has an answer below for using SystemD. I'm also assuming that ufw is being used as the firewall, if you are using something different then the ufw commands here will need to be changed.
I assume that all work is done over an SSH connection to the system, although it would work just as well if typed out into a physical terminal.
This is quite a long tutorial, please read all of it first and make sure you are comfortable with what you will be doing.
I've also noticed that Transmission does not properly bind to an IP address for sending UPnP/NAT-PMP data - i.e. torrent data correctly goes through the VPN, but if UPnP port forwarding is enabled Transmission will request the port forward from the local router, not through the VPN from the VPN server. Hence I've made the Upstart script disable port forwarding, since it might appear as though it has worked, but it has not. It should be possible to use iptables and iproute to force all traffic from the debian-transmission user through the VPN, but I am still looking into this. It should also work if the default route was changed to send all Internet data through the VPN, but I didn't want to do that because I use this server for other things too, and this would also cause all system updates to come through the VPN. The effect of this is that Transmission will probably download torrents slower than it could if port forwarding worked - but I've found that reasonable speeds can be achieved for most torrents without port forwarding. This question has further information if you really want to get UPnP working over the VPN. Update: falk0069 has a fantastic tip below for helping to encourage UPnP over the VPN.
Installing and configuring OpenVPN
I'd recommend that you try getting your VPN connection to work using Ubuntu before trying to get it to work here - i.e. from a desktop. This will confirm that you have the correct configuration and reduce time spent debugging.
First, install the required packages
Next, make a directory to store the configuration files in. I'm using /opt/ibVPN, since that's the provider I'm using. Change it to whatever you like.
The first thing to do in this new directory is to create the config file for running the VPN client. ibVPN provides a basic config file for Linux users, which I've mostly just copied and pasted.
Copy and paste your edited version into vim, using the settings for your VPN provider. (FYI, paste in the Ubuntu terminal is Ctrl+Shift+V.) You should be able to get this from your VPN provider.
For those unfamiliar with vim, press Insert to type or paste text, then press Escape and type :wq to save and quit. Of course, you don't have to use vim - any text editor will work.
I'll quickly explain this config file: The first 18 lines specify the specific settings to use with the server, these came from ibVPN - yours will probably be slightly different if you have a different provider. The next lines are modified options I've specified.
- If your settings file had any lines with auth-user*, comment these out. For this setup to work automatically, we need to have a file with the username and password in it - so make sure the password you chose for the VPN provider is strong, random, and unique.
- The auth-user-pass pass tells OpenVPN to look for a file called pass to read the user and password from.
- auth-nocache removes the password from memory, which might slightly increase security if you are worried about it.
- persist-tun will try to keep the same IP address from the server if your connection drops out, which should hopefully mean less starting and stopping of Transmission-daemon.
- route-noexec tells the OpenVPN client not to automatically use the routes provided by the server - which would pull all network traffic over the VPN. We just want to send torrent traffic, so we will need to use different routing settings.
- lport 1195 tells the OpenVPN client to use port 1195 instead of 1194 - in my case I also want to run an OpenVPN server on the same device, and the server will need to use port 1194. Even if you aren't running an OpenVPN server, it doesn't hurt to make this change.
- I changed the line dev tap to dev tap1, to force the virtual device to be tap1 instead of being assigned by OpenVPN, again because of running a separate OpenVPN server. Even if you're not running a VPN server, this change shouldn't matter. The firewall scripts have been written to use tap1, so if you would rather use another device then remember to change those scripts where appropriate.
- lladdr 00:FF:11:AA:BB:CC tells OpenVPN to assign the tap interface to have this MAC address, which can be useful for iptables firewall rules.
- route-up and down run scripts to start and stop Transmission-daemon as required - these are needed here because they run with environment variables containing information about the connection, which is needed to correctly bind Transmission to the right IP address and port.
In my case, I had a server certificate from the VPN provider - which also has to be in the same directory as the config file.
Copy and paste this, or move it via SCP or SSHFS.
Obviously if you aren't using an ibVPN account, your certificate will be different.
Let's now make the password file:
The first line must be the full username, then the second line must be the password. This must be the only contents of this file.
We also have to secure the permissions on this file, or OpenVPN won't start.
This will make the file read-only, and only for the owner (i.e. no other user can read it at all)
These commands will create the files to run at startup, and set them to be executable only by root.
At this point, it is probably a good idea to test if the VPN connection actually works. Start the connection with:
You will see warnings that the up and down external commands could not be run, but don't worry about that. If it works, you will see Initialization Sequence Completed on the terminal. Press Control+C to end the connection. If it doesn't work, you will have to investigate why not and fix it before continuing. I found that sometimes it took a few goes to start working. Make sure your password file is correct. There are lots of great resources on the Internet about OpenVPN, so have a look around.
At this point, it's probably easiest to move on to getting Transmission up and running. Once you are sure that both the VPN and Transmission can run separately, they can be combined.
Installing and configuring Transmission
Install the required packages:
By default, Transmission will run automatically on boot. Since we will eventually be using OpenVPN to start Transmission, we want to disable this. To do so, edit the config file for Transmission-daemon
And change the following line to read:
Now Transmission will not start on boot.
Let's now create a directory for the Transmission settings to reside in, and for the downloaded torrents to go into. This assumes you've already set up a disk of some sort, and it's mounted at /media/arm-disk/. For security purposes, the daemon will be run by its own user rather than as root or as "ubuntu". A new user is created by the installer for transmission-daemon, "debian-transmission". This user needs to own the folder that we create, and have read and write access to the storage location for the torrents being downloaded.
Now we need to start transmission, just briefly, so that it creates the settings file we need:
This command starts transmission-daemon as the debian-transmission user, tells it to use the /opt/transmission directory for the settings files, and tells it to keep running in the foreground. Once it has run for a few seconds, press Control+C to end it. We can now edit the settings file.
We now need to change the following lines from their defaults to read:
Save and exit (Escape, type :wq and press Enter)
The middle two edits will enable the use of the "incomplete" directory, separating your finished torrents from the unfinished ones. This isn't completely necessary, but I personally find it extremely useful. The last edit enables the web GUI to be accessed by any computer on the LAN (assuming your LAN subnet is 192.168.1.0, modify this if it is different).
It's now a good idea to run Transmission again, to see if it works and can actually download a torrent. We will use a web browser window to access the GUI and to add a torrent. First, let's allow access to the web GUI through the firewall from the LAN, then run transmission-daemon again.
Visit this URL in Firefox (or whichever browser you prefer): http://XXX.XXX.XXX.XXX:9091 , where XXX is replaced by the address of your server on the LAN (i.e. 192.168.1.10). Find a torrent to download, for example Big Buck Bunny in 1080p60hz. This is a free short film, legally available for free download. In the Transmission GUI, click the "Open Torrent" button, and paste this link (or any other torrent you like) into the first box. Then press "Upload". If Transmission is working correctly, the torrent will begin to download. If it does not, then you will need to work out why before continuing. There are lots of resources available on the Internet for using transmission-daemon. It could also be the torrent you chose isn't working, try a few others first.
Once the download is finished, press Control+C in the terminal window to stop transmission-daemon.
Configure binding Transmission to the VPN interface
Now let's make an Upstart script, which will be used to start Transmission when the VPN is ready.
Don't worry if this complains, it's just to make a backup of the Upstart file, if one existed - it might not have. Let's open vim to edit the new one:
Paste this into the editor:
Save and close vim (Escape, then type :wq). Again, open vim:
And paste this:
Again, save and close vim (Escape, then type :wq). Finally:
Paste this:
These scripts tell Upstart to listen for the "transmission-vpn-up" signal. The "transmission-up.conf" script then sets up the required routing rules to send traffic from the local VPN address via the VPN interface, and sets the firewall to allow in traffic from the VPN to the listening port for Transmission. Traffic directed to Transmission's listening port from the normal LAN interface is blocked. The "transmission-daemon.conf" script then starts transmission-daemon with the required settings to bind it to the VPN IP address. Note that this command will also ensure UPnP/NAT-PMP is disabled - see my note at the top about port forwarding. The "nice -15" sets Transmission to have a lower priority, which I found useful when using the lower spec'd BeagleBone - sometimes Transmission can hog resources, which slows the system down. At least with a low priority, more important system tasks can still run. The "transmission-down.conf" script will remove the firewall rules when the VPN is stopped. Three different scripts are used so that transmission-daemon can be run as an unprivileged user, but the firewall rules can be run as root.
Now let's go back to the OpenVPN settings, and edit the "route-up" and "down" scripts to trigger starting and stopping our Transmission script.
Paste this into vim:
All this script does is say to Upstart that transmission-daemon should start, and gives it the information it needs to attach to the VPN connection.
Again, more pasting:
This script is even more simple - it signals for transmission-daemon to stop.
At this point, it is probably a good idea to make sure that the owner of the entire VPN config folder is the root user - since these scripts run as root, anyone who could change them could run anything they wanted to as the root user.
This now means that only the root user can modify or view the VPN connection settings.
OK, we're nearly done! Let's test if our setup is working so far:
Connect again to the Transmission web GUI, and resume the existing torrent or add a new one. It should be able to download, maybe after a few minutes of waiting for peers. A nifty way I found of testing whether or not it is working is to look at iftop. Install iftop, and run:
This screen will be showing all connections running through the VPN. If your torrent is downloading and is correctly using the VPN, there will be lots of IP addresses and host names here. Also look at iftop for the LAN connection:
Here you should see a large amount of traffic to a single IP address, being the VPN server, and then only minimal traffic to other LAN devices - assuming that you aren't running other services on your BeagleBone.
You can confirm that the VPN is working by following these instructions.
This site lets you download a torrent to see the IP address other peers use to connect to you - if everything is working this will be the VPN IP address and not your own WAN IP address.
If you are experiencing issues, you can see the Upstart error log by doing:
In a separate terminal/SSH window, try running the tail command while starting the VPN connection as above and look for any error messages. Hopefully you can resolve the issue from seeing the error messages, if not have a dig around on the Internet, or post a comment.
Configure it all to start automatically
If you are happy with manually issuing the command to start the OpenVPN tunnel, or you want to do it with your own script, then you are done. But I wanted it to start on boot, so I made another Upstart script to launch OpenVPN.
This is the last thing we have to paste!
All this does is wait for the system to signal that the network is ready, and then it will start the OpenVPN tunnel - which will in turn start Transmission. When the system is turned off, or if networking is shut down for some reason, Upstart will remove the firewall rules and close transmission-daemon. Simple! This will continue to work after a reboot too, so now you're all set.
To interact with Transmission, use the web GUI as we did during the setup phase. It is also possible to make the GUI accessible over the Internet, by setting up port forwarding. There are lots of tutorials on how to do this, so I won't repeat it here.
As for getting the completed downloads off the BeagleBone, I'm using NFS. I can get speeds of about 8 MB/s copying over the LAN from the BeagleBone to my desktop computer - which is pretty good for such a low-powered device. Ubuntu provides some handy information for setting this up.
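An added example, not part of the original answer: a shell check that the VPN directory matches the permissions the answer calls for (credentials file read-only for its owner, everything owned by root and not writable by anyone else, since the route-up and down scripts run as root). audit_vpn_dir is a hypothetical helper; it assumes GNU stat and a credentials file named pass, as in the config described above.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client directory such as /opt/ibVPN.
# Assumptions: GNU stat (Linux), credentials file named "pass",
# expected owner "root" unless a second argument is given.

audit_vpn_dir() {
    dir=$1
    owner=${2:-root}
    rc=0

    # The route-up and down hooks run as root, so nothing under the
    # directory may belong to another user or be group/world writable.
    loose=$(find "$dir" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        printf 'not owned by %s, or writable by group/other:\n%s\n' \
            "$owner" "$loose" >&2
        rc=1
    fi

    pass="$dir/pass"
    if [ ! -f "$pass" ]; then
        echo "missing credentials file: $pass" >&2
        return 1
    fi

    # Read-only for the owner, no access for anyone else.
    mode=$(stat -c %a "$pass")
    if [ "$mode" != 400 ]; then
        echo "$pass has mode $mode, expected 400" >&2
        rc=1
    fi

    # Exactly two non-empty lines: username first, then password.
    if ! awk 'NF == 0 { bad = 1 } END { exit !(NR == 2 && !bad) }' "$pass"; then
        echo "$pass must contain exactly two non-empty lines" >&2
        rc=1
    fi

    return $rc
}

# Stand-alone use: sh audit.sh /opt/ibVPN [owner]
if [ $# -gt 0 ]; then
    audit_vpn_dir "$@"
fi
```

Run it as root after any change to the directory; a non-zero exit status means at least one of the checks failed, with the offending paths listed on stderr.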