Backup ftp server + pluxml on Raspberry

Written by pmd - - no comments

Information from


The following command recursively downloads your site with all its files and folders from FTP server and saves them to the current directory.

wget -r -l 0 -nH -X folder_to_skip


option description
user FTP username
pass FTP password IP address or domain name of an FTP server
-r Recursive retrieving
-l Maximum recursion depth (0 = unlimit) (default = 5)
-nH Disable generation of host-prefixed directories
-X exclude a list of directories


Now you can compress the folder with your site as follows:

tar -czf site-backup-$(date +%Y%m%d-%H%M%S).tar.gz

Install pluxml on raspberry pi

I am using nginx + php7 + pluxml following these 3 links:

$ sudo nano /etc/php/7.3/fpm/pool.d/www.conf
user = www-data
group = www-data
listen = /run/php/php7.3-fpm.sock
listen.owner = www-data = www-data
;listen.mode = 0660
$ sudo nano /etc/nginx/sites-available/default
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm index.nginx-debian.html;

        server_name _;

        location @handler {
                rewrite ^/(.*)$ /index.php? last;

        # pass PHP scripts to FastCGI server
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        location ~ /(data/configuration|version|update|\.ht) {
                deny all;

Then restart both services.


Interesting problem : Nginx sucessfully password protects PHP files, but then prompts you to download them

Answer : The problem is a fundamental misunderstanding as to how nginx processes a request. Basically, nginx chooses one location to process a request.
You want nginx to process URIs that begin with /admin in a location block that requires auth_basic. In addition, URIs that end with .php need to be sent to PHP7.
So you need two fastcgi blocks, one to process normal PHP files and one to process restricted PHP files.



Transmission exclusively using VPN

Written by pmd - - no comments

I would like to have my transmission client to exchange data only through a VPN.


First of all, it is necessary to set some rules so the 'debian-transmission' user (running transmission) can only route through the VPN:

# 'debian-transmission' user only accepted through 'tun0'
# after these 3 first rules, transmission cannot access internet
$ sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -o tun0 -j ACCEPT
$ sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -o lo -j ACCEPT
$ sudo iptables -A OUTPUT -m owner --uid-owner 'debian-transmission' -j REJECT
# marking all packets used by users different than 'debian-transmission' with '42'
$ sudo iptables -t mangle -A OUTPUT -m owner ! --uid-owner 'debian-transmission' -j MARK --set-mark 42
$ sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
$ net.ipv4.conf.wlan0.rp_filter = 2 # reverse path filtering

FYI: these rules will be set only until next reboot.

If you are sure that these iptables rules we set are OK, you can make them permanent (resistant to reboot):

$ sudo apt-get install iptables-persistent
$ sudo dpkg-reconfigure iptables-persistent # if already installed

Tap yes to both prompts. Done, these rules are persistent: transmission cannot communicate without an active tun0 interface (VPN).


The strategy I used is this one:

  • all packets not marked '42' following main route table
  • all packets marked '42' following route table named '42'

Create a systemd .service to create and populate route table '42' when Pi3 starts:

$ sudo nano /etc/systemd/system/copy_route_pmd.service

We will wait to find an IP address containing "192", then we will create the new table "42" and copy all rules from main table to "42" table.

Description=Copy the route of main table to table 42 at system startup
After =
Wants =

#ExecStart=/bin/bash -c "while ! [[ -n $(ifconfig | grep 192) ]]; do sleep 1; done; ip rule add fwmark 42 table 42; ip route show table main | while read LINE; do ip route add $LINE table 42; done"
ExecStart=/bin/bash -c "while ! [[ -n $(ifconfig | grep 192) ]]; do sleep 1; done; ip rule add fwmark 42 table 42; ip route show table main | grep -v tun0 | while read LINE; do ip route add $LINE table 42; done"


We reload systemd to update with the new service we made and make the service execute at system startup.

# Reloading
$ systemctl daemon-reload # Run if *.service file has changed
# Try the new service

$ sudo systemctl start copy_route_pmd.service
# If OK (check tables main and 42), set service to execute at startup
$ sudo systemctl enable copy_route_pmd.service

Now, debian-transmission will use main table to route packets, and users different than debian-transmission will use the table 42.

Link to article to check routes



Configure openvpn

Make sure that you let openvpn push new rules in main route table in order to use the VPN.

Now that openvpn made up tun0 interface, check that the routes are respected:

$ wget -qO-
$ sudo -u debian-transmission wget -qO-

These two commands will return different IP address!


Install transmission

Verify that transmission-daemon is run by correct user:

$ top -u debian-transmission

Check your visible torrent IP with this:

Access to transmission web interface will require nginx


Install nginx:

$ sudo apt-get install nginx

Edit the default configuration:

$ sudo nano /etc/nginx/sites-available/default

Replace section location by this :

location /transmission {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

Restart nginx:

$ sudo service nginx restart

Access your interface worldwide using: http://yourIPadress/transmission/web/

DNS leak

To prevent DNS leak and/or not to rely on the router you are connected to the internet, modify the file:

$ sudo nano /etc/resolv.conf.head
#OpenDns Servers
#Google Servers

In fact I want to set the DNS servers directly in the Raspberry Pi, because it allows me to remove the default route to the router in table 42 and keep it as tidy as possible.

Then reboot the Pi 3:

$ sudo reboot

You can now check that these are the first DNS server is use:

pi@raspberrypi:~ $ cat /etc/resolv.conf
# Generated by resolvconf
#OpenDns Servers
#Google Servers
domain home

From your Pi3, check the DNS leakage from this website:

Rss feed of the tag