Transmission exclusively using VPN

Written by pmd - - no comments

I would like to have my transmission client to exchange data only through a VPN.

Firewall

First of all, it is necessary to set some rules so the 'debian-transmission' user (running transmission) can only route through the VPN:

# 'debian-transmission' user only accepted through 'tun0'
# after these 3 first rules, transmission cannot access internet
sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -o tun0 -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -o lo -j ACCEPT
sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -j REJECT
# marking all packets used by users different than 'debian-transmission' with '42'
sudo iptables -t mangle -A OUTPUT -m owner ! --uid-owner 'debian-transmission' -j MARK --set-mark 42
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
net.ipv4.conf.wlan0.rp_filter = 2 # reverse path filtering

FYI: these rules will be set only until next reboot.

If you are sure that these iptables rules we set are OK, you can make them permanent (resistant to reboot):

sudo apt-get install iptables-persistent
sudo dpkg-reconfigure iptables-persistent # if already installed

Tap yes to both prompts. Done, these rules are persistent: transmission cannot communicate without an active tun0 interface (VPN).

Routes

The strategy I used is this one:

  • all packets not marked '42' following main route table
  • all packets marked '42' following route table named '42'

Create a systemd .service to create and populate route table '42' when Pi3 starts:

sudo nano /etc/systemd/system/copy_route_pmd.service

We will wait to find an IP address containing "192", then we will create the new table "42" and copy all rules from main table to "42" table.

#/etc/systemd/system/copy_route_pmd.service
[Unit]
Description=Copy the route of main table to table 42 at system startup
After = network-online.target
Wants = network-online.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c "while ! [[ -n $(ifconfig | grep 192) ]]; do sleep 1; done; ip rule add fwmark 42 table 42; ip route show table main | while read LINE; do ip route add $LINE table 42; done"

[Install]
WantedBy=multi-user.target

We reload systemd to update with the new service we made and make the service execute at system startup.

# Reloading
systemctl daemon-reload # Run if *.service file has changed
# Try the new service 
sudo systemctl start copy_route_pmd.service
# If OK (check tables main and 42), set service to execute at startup
sudo systemctl enable copy_route_pmd.service

Now, debian-transmission will use main table to route packets, and users different than debian-transmission will use the table 42.

Link to article to check routes

 

openvpn

Configure openvpn

Make sure that you let openvpn push new rules in main route table in order to use the VPN.

Now that openvpn made up tun0 interface, check that the routes are respected:

wget -qO- ifconfig.co
sudo -u debian-transmission wget -qO- ifconfig.co

These two commands will return different IP address!

transmission

Install transmission

Verify that transmission-daemon is run by correct user:

top -u debian-transmission

Check your visible torrent IP with this: https://torguard.net/checkmytorrentipaddress.php

Access to transmission web interface will require nginx

nginx

Install nginx:

sudo apt-get install nginx

Edit the default configuration:

sudo nano /etc/nginx/sites-available/default

Replace section locotion by this :

location /transmission {
    proxy_pass http://127.0.0.1:9091;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

Access your interface worldwide using: http://yourIPadress/transmission/web/

DNS leak

To prevent DNS leak and/or not to rely on the router you are connected to the internet, modify the file:

sudo nano /etc/resolv.conf.head
#OpenDns Servers
nameserver 208.67.222.222
nameserver 208.67.220.220
#Google Servers
nameserver 8.8.8.8

In fact I want to set the DNS servers directly in the Raspberry Pi, because it allows me to remove the default route to the router in table 42 and keep it as tidy as possible.

Then reboot the Pi 3:

sudo reboot

You can now check that these are the first DNS server is use:

pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
#OpenDns Servers
nameserver 208.67.222.222
nameserver 208.67.220.220
#Google Servers
nameserver 8.8.8.8
domain home
nameserver 192.168.1.1

From your Pi3, check the DNS leakage from this website: https://dnsleaktest.com/

Create a torrent on WNR3500L with Transmission

Written by pmd - - no comments

Here is the command line to use if you wanna create a torrent:

transmission-create -o /tmp/mnt/PMD/your_futur.torrent -c "your comments here" -t udp://tracker.openbittorrent.com:80 -t udp://open.demonii.com:1337 /tmp/mnt/PMD/your_file_you_wanna_share.zip

Then you need to:

  1. move your your_file_you_wanna_share.zip in your transmission download folder
  2. add the created torrent your_futur.torrent in your transmission using the web interface by example.
  3. in transmission web interface, right click on the torrent, and choose "verify local data".

You are set to share your file(s) !

Send email from WNR3500L

Written by pmd - - no comments

Router is running Tomato by Shibby.

First install Optware (see how to install here steps 1 to 6).

Then install msmtp:

ipkg install msmtp

Edit the configuration file (you may have to install nano "ipkg install nano"):

nano /opt/etc/msmtprc
account default
host smtp.gmail.com
port 587
auth on
user account@gmail.com
password password
auto_from on
from account@gmail.com
tls on
tls_starttls on
#tls_trust_file /opt/etc/ca-certificates.crt
# Use "tls_certcheck off" if you don't have ca-certificates.crt file.
tls_certcheck off
# Log to a separate file; use with no options to disable this feature
# logfile /opt/logs/msmtp
# Uncomment if you want to log to syslog facility, which is disabled by default
syslog LOG_MAIL

Test it:

echo -e "Subject: subject \n\nThis is the body" | msmtp anotheraccount@gmail.com

Done :)

If you use Gmail you might need to allow less secure apps: https://myaccount.google.com/lesssecureapps

Send email from your Raspberry Pi 3

Written by pmd - - no comments

Simple SMTP is a simple MTA (Mail Transport Agent) to deliver mail from a computer to a mail hub (SMTP server). It can be usefull to send result of your Cron jobs.

Install ssmtp:

sudo apt-get install ssmtp

Configure it:

sudo nano /etc/ssmtp/ssmtp.conf

#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids < 1000
# Make this empty to disable rewriting.
root=username@gmail.com

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=raspberrypi
UseSTARTTLS=YES
AuthUser=username
AuthPass=password


# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES

Configure the account sending the email:

sudo nano /etc/ssmtp/revaliases

# sSMTP aliases
#
# Format:       local_account:outgoing_address:mailhub
#
# Example: root:your_login@your.domain:mailhub.your.domain[:port]
# where [:port] is an optional port number that defaults to 25.

root:username@gmail.com:smtp.gmail.com:587
pi:username@gmail.com:smtp.gmail.com:587

Try to send an email:

echo "email for test" | ssmtp -vvv email@domaine.com

If you use Gmail you might need to allow less secure apps: https://myaccount.google.com/lesssecureapps

Timer to restart Raspberry Pi 3

Written by pmd - - no comments

A timer just in case shit happens whaile playing through ssh:

sudo nano /home/pi/sshcheck.sh
#!/bin/bash
for (( c=$1; c>1; c-- ))
do
   echo -n "Reboot in $c minute(s)...  "
   date +%H:%M
   sleep 1m
done
echo "Reboot in 1 minute(s)..."
sleep 1s
for (( c=59; c>0; c-- ))
do
   echo -e "\e[101mReboot in $c second(s)... (CTRL+C to cancel rebooting)\e[49m"
   sleep 1s
done
echo -e "\e[101mReboot in $c second(s)...\e[49m"
echo -e "\e[101mREBOOT!!!\e[49m"
sudo reboot

Then need to start it in a screen:

screen bash /home/pi/sshcheck.sh number_of_minutes

Subsonic on Raspberry Pi 3

Written by pmd - - no comments

Install java:

sudo apt-get install openjdk-8-jre

Download the Subsonic .deb package and install it:

sudo dpkg -i subsonic-x.x.deb

Change user (i have set pi instead of root) :

sudo nano /etc/default/subsonic

For troubleshooting interesting files are here: /var/subsonic

It was interesting because it allowed me to understand why Subsonic web interface was OK but impossible to play a file :

cat /var/subsonic/subsonic.log
[2018-01-14 10:59:44,539] INFO TranscodeInputStream - Starting transcoder: /var/subsonic/transcode/ffmpeg -i /home/pi/Music/Paul Kalkbrenner - Berlin Calling/07_Paul_Kalkbrenner_-_Torted_Original Mix.mp3 -map 0:0 -b:a 128k -v 0 -f mp3 -
[2018-01-14 10:59:44,551] INFO InputStreamReaderThread - (/var/subsonic/transcode/ffmpeg) /var/subsonic/transcode/ffmpeg: 1: /var/subsonic/transcode/ffmpeg: Syntax error: "(" unexpected

It was a problem linked with ffmpeg. I think the problem comes from the fact that ffmpeg given in deb is made for ubuntu/debian but probably not ARM processor. THis is why I install ffmpeg from repository and then linked Subsonic folder to this ffmpeg freshly installed:

sudo apt-get install ffmpeg
sudo rm /var/subsonic/transcode/ffmpeg
sudo ln -s /usr/bin/ffmpeg /var/subsonic/transcode/ffmpeg

Restart Subsonic:

sudo service subsonic restart

Configure Subsonic using web interface and admin account.

It worked! I could play my music from Astana, Kazakhstan while it was actually stocked in my Raspberry in Paris!

In my opinion it works quiet nice! Not laggy I mean.

Samba on Raspberry Pi 3

Written by pmd - - no comments

Install samba:

sudo apt-get install samba

Edit configuration file:

sudo nano /etc/samba/smb.conf
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
interfaces = 127.0.0.0/8 wlan0
bind interfaces only = yes
[Downloads]
comment = Samba sharing on Raspberry Pi
path = /home/pi/Downloads
writable = yes
guest ok = yes
guest only = yes
create mode = 0777
directory mode = 0777
share modes = yes

Let everyone read and write on /home/pi/Downloads:

sudo chmod -R 777 /home/pi/Downloads

Restart samba:

sudo /etc/init.d/samba restart

It should be visible in windows Networks.

ddclient on Raspberry Pi 3

Written by pmd - - no comments

Install:

sudo apt-get install ddclient

Configure for for two different service with two different website to check IP adress:

sudo nano /etc/ddclient.conf

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
##
## NOIP.COM
##
protocol=dyndns2
use=web, web=checkip.dyndns.com/, web-skip='Current IP Address: '
server=dynupdate.no-ip.com
login=username@gmail.com
password=password
domain.ddns.net

##
## DtDNS (www.dtdns.com)
##
protocol=dtdns,
use=web, web=ifconfig.co/ip,
#use=web, web=checkip.dyndns.com/, web-skip='Current IP Address: '
server=www.dtdns.com,
client=username,
password=password
domain.dtdns.net

 

To run ddclient as a daemon, set run_daemon to 'true' in /etc/default/ddclient.

Once it is configured as daemon, restart it:

sudo /etc/init.d/ddclient restart

To debug :

sudo ddclient -daemon=0 -debug -verbose -noquiet (-force)

Route with raspian (debian)

Written by pmd - - no comments

I only want to have some process owned by specific users to use the VPN. This means two route table, or more.

Routes

Create a new table "42" for marked packet:

sudo ip rule add fwmark 42 table 42

List all route table:

ip rule list
0:      from all lookup local
32765:  from all fwmark 0x2a lookup 42
32766:  from all lookup main
32767:  from all lookup default

Delete table 42:

sudo ip rule del fwmark 42 table 42

Show "main" table route:

ip route show table main
default via 192.168.1.1 dev wlan0 src 192.168.1.200 metric 303
10.13.0.81 dev tun0 proto kernel scope link src 10.13.0.82
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.200 metric 303

Add a default route in table 42:

sudo ip route add 0.0.0.0/1 via 10.13.0.29 dev tun0 table 42

Delete the default route in table 42:

sudo ip route del 0.0.0.0/1 via 10.13.0.29 dev tun0 table 42

You can delete all routes of a specific table:

sudo ip route flush table 42

Copy all route from table main to table 42:

ip route show table main | while read LINE; do sudo ip route add $LINE table 42; done

Firewall

 

 

 

 

 

Transmission on Raspberry Pi 3

Written by pmd - - no comments

Install transmission:

sudo apt-get install transmission-daemon

Start and stop transmission daemon:

sudo /etc/init.d/transmission-daemon start
sudo /etc/init.d/transmission-daemon stop

Edit configuration of transmission (stop transmission first):

sudo nano /etc/transmission-daemon/settings.json
"incomplete-dir": "/home/pi/Downloads/torrents/.incomplete",
"incomplete-dir-enabled": true,
"rpc-password": "write_it_here",
"rpc-whitelist": "127.0.0.1,192.168.1.*",
"umask": 2,

Check your transmission's IP:

To avoid permission issues:

sudo adduser pi debian-transmission
sudo adduser debian-transmission pi
sudo chmod -R 777 /home/pi/Downloads/torrents
sudo chmod -R 777 /home/pi/Downloads/torrents/.incomplete
Rss feed of the articles