Implementing a low-power, secure torrent box based on a Raspberry Pi Zero W, Deluge and OpenVPN

01〉 Copy the operating system to a Micro SD Card using

dd if=2017-08-16-raspbian-stretch-lite.img of=/dev/mmcblk0 bs=4M

02〉 Create an empty file named ssh at /boot

03〉 In /boot/config.txt, add

# Enable the activity LED when the micro SD card is accessed
dtparam=act_led_activelow=on

04〉 Copy the files ca.rsa.2048.crt and crl.rsa.2048.pem (provided by the PIA VPN service) to /home/pi

05〉 In /etc/hostname and /etc/hosts, replace raspberrypi by micro

06〉 In /etc/wpa_supplicant/wpa_supplicant.conf, change the country code to PT and add

network={
ssid="<WiFi network SSID>"
psk="<password>"
}

07〉 Power ON

08〉 Access the Raspberry Pi through SSH (user: pi, password: raspberry)

09〉 Update old packages, if any, using

sudo apt-get update

followed by

sudo apt-get upgrade

10〉 Install Deluge (including the Web UI), OpenVPN and Samba using

sudo apt-get install deluged deluge-web openvpn samba

11〉 Create the deluge user using

sudo adduser --system --group --disabled-password --home /var/lib/deluge deluge

12〉 Remove the init.d scripts related to Deluge using

sudo /etc/init.d/deluged stop

followed by

sudo rm /etc/init.d/deluged

and

sudo update-rc.d deluged remove

13〉 In /etc/systemd/system, create an empty file named deluge-web.service and add

[Unit]
Description=Deluge BitTorrent client web interface
#After=deluged.service
#Requisite=deluged.service
StartLimitIntervalSec=0
[Service]
Type=simple
User=deluge
Group=deluge
UMask=0022
ExecStart=/usr/bin/deluge-web
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target

14〉 In the same directory, create an empty file named deluged.service and add

[Unit]
Description=Deluge BitTorrent client daemon
After=network-online.target
#BindsTo=firewall.service
StartLimitIntervalSec=0
[Service]
Type=simple
User=deluge
Group=deluge
UMask=0022
ExecStart=/usr/bin/deluged -d
RestartSec=10
Restart=always
[Install]
WantedBy=multi-user.target

15〉 Start these services using

sudo systemctl start deluged.service deluge-web.service

16〉 Once the folder /var/lib/deluge/.config/deluge is populated, stop these services using

sudo systemctl stop deluged.service deluge-web.service

17〉 Uncomment the commented lines (#) in deluged.service and deluge-web.service

18〉 In /var/lib/deluge/.config/deluge, edit the file core.conf and change

"max_active_limit": 10
"max_active_downloading": 10
"max_active_seeding": 10

19〉 Similarly, edit the file web.conf and change

"sidebar_show_zero": true
"session_timeout": 43200
"default_daemon": "127.0.0.1:58846"
"port": 8000

20〉 Back up these files using

for f in /var/lib/deluge/.config/deluge/{core,web}.conf; do sudo cp "$f"{,.backup}; done

21〉 In /etc/openvpn, create an empty file named pia.conf and add

client
dev tun
remote nl.privateinternetaccess.com 1198
proto udp
resolv-retry infinite
nobind
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass credentials.txt
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
tls-exit
ping-exit 600
auth-retry none

22〉 In the same directory, create an empty file named credentials.txt with permissions 0600 and add

<PIA VPN username>
<PIA VPN password>

23〉 In /etc/systemd/system, create the directory openvpn@pia.service.d

24〉 Inside this new directory, create an empty file named override.conf and add

[Unit]
After=firewall.service
BindsTo=firewall.service
StartLimitIntervalSec=0
[Service]
RestartSec=10
Restart=always

25〉 Move the files ca.rsa.2048.crt and crl.rsa.2048.pem from /home/pi to /etc/openvpn

26〉 In /etc/samba, clear the file smb.conf and add

[global]
create mask = 0744
directory mask = 0755
disable netbios = yes
disable spoolss = yes
dns proxy = no
force create mode = 0600
force directory mode = 0755
guest account = deluge
load printers = no
log file = /var/log/samba/samba.log
log level = 0
map to guest = Bad User
max log size = 5000
printcap name = /dev/null
printing = bsd
security = user
server string = SMB
workgroup = GROUP
[shared]
browseable = no
guest ok = yes
max connections = 5
only guest = yes
path = /var/lib/deluge/Downloads
writable = no

27〉 In /etc, create an empty file named resolv.conf.head and add

nameserver 84.200.69.80
nameserver 84.200.70.40

28〉 In /etc/systemd/system, create an empty file named firewall.service and add

[Unit]
Description=Firewall rules for VPN
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables -t nat -I POSTROUTING -o tun+ -j MASQUERADE
ExecStart=/sbin/iptables -A OUTPUT -o tun+ -j ACCEPT
ExecStart=/sbin/iptables -A OUTPUT -o lo -j ACCEPT
ExecStart=/sbin/iptables -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
ExecStart=/sbin/iptables -A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT
ExecStart=/sbin/iptables -A OUTPUT -j DROP
[Install]
WantedBy=multi-user.target

29〉 Enable the relevant services to automatically start at boot time using

sudo systemctl enable firewall.service openvpn@pia.service deluged.service deluge-web.service

30〉 Power off the Raspberry Pi using

sudo poweroff

Installation concluded, the Raspberry Pi is ready to roll.
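
A check for the kill switch created in step 28, added here as an example and not part of the original procedure: it reads the text printed by iptables -S OUTPUT and reports any rule that lets traffic leave outside the VPN tunnel, loopback, the LAN or the OpenVPN port. The function and sample names are assumptions, and the sample rule listings are constructed.

```shell
#!/bin/sh
# Added example: audit `iptables -S OUTPUT` text (stdin) against step 28.
LAN_NET="192.168.1.0/24"   # LAN range from step 28
VPN_PORT="1198"            # OpenVPN UDP port from steps 21 and 28

# Returns 0 only if every rule is one of the expected ones and the chain
# ends in the catch-all DROP; prints each deviation otherwise.
audit_killswitch() {
    rc=0
    last=""
    while IFS= read -r rule; do
        case "$rule" in
            ""|"-P OUTPUT "*) continue ;;   # blank line or chain policy
        esac
        last="$rule"
        case "$rule" in
            "-A OUTPUT -o tun+ -j ACCEPT") ;;
            "-A OUTPUT -o lo -j ACCEPT") ;;
            "-A OUTPUT -d $LAN_NET -j ACCEPT") ;;
            "-A OUTPUT -p udp -m udp --dport $VPN_PORT -j ACCEPT") ;;
            "-A OUTPUT -j DROP") ;;
            *) echo "UNEXPECTED: $rule"; rc=1 ;;
        esac
    done
    if [ "$last" != "-A OUTPUT -j DROP" ]; then
        echo "MISSING: catch-all DROP as the last rule"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the chain as step 28 leaves it.
sample_ok() {
    printf '%s\n' "-P OUTPUT ACCEPT" \
        "-A OUTPUT -o tun+ -j ACCEPT" \
        "-A OUTPUT -o lo -j ACCEPT" \
        "-A OUTPUT -d 192.168.1.0/24 -j ACCEPT" \
        "-A OUTPUT -p udp -m udp --dport 1198 -j ACCEPT" \
        "-A OUTPUT -j DROP"
}
# Constructed sample: an extra ACCEPT and no final DROP (traffic bypasses the VPN).
sample_leaky() {
    printf '%s\n' "-P OUTPUT ACCEPT" \
        "-A OUTPUT -o tun+ -j ACCEPT" \
        "-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT"
}

sample_ok | audit_killswitch && echo "sample_ok: kill switch intact"
sample_leaky | audit_killswitch || echo "sample_leaky: kill switch broken"
```

On the Raspberry Pi, run sudo iptables -S OUTPUT | audit_killswitch after boot. The rules in step 28 are IPv4 only; sudo ip6tables -S OUTPUT lists what applies to IPv6.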