Transmission Private Internet Access

Sometimes I want to work on client assignments (penetration tests) from home. When I do, I use my company VPN so that all traffic is routed through its public IP address (which is whitelisted by the client). I never want traffic to leave that VPN, as it would then look as if I were performing cyber attacks from my private home IP address. The same requirements arise for other use cases, e.g., when downloading BitTorrent files or forcing traffic through the Tor network when whistle-blowing.

To achieve a secure setup I want to combine the following:

  • a Private Internet Access VPN tunnel – this hides (or should hide) my identity. You can replace that with your company or tor proxy for the other use cases.
  • the software that should run through/behind the VPN. To improve reusability I will use docker images for those.

This setup should be fail-secure: if the VPN tunnel gets disconnected, the BitTorrent download container will lose network connectivity. This is good. What you wouldn’t want is for the container to automatically fall back to my “normal” network connection, as this would use my public IP address and might leak my identity through it.

I did some searching around and found dperson’s docker images, which nicely provide all the needed functionality. Sadly, the initial setup did not work as smoothly as I assumed, so I wrote up my setup procedure.

Setup OpenVPN image

The openvpn-client docker image supports a user-supplied configuration file, so I went with that. For testing purposes I’ve created /tmp/vpn and adapted a PIA OpenVPN config file to use file-based authentication (change auth-user-pass to auth-user-pass login.conf in the PIA configuration file). This file must be named vpn.conf and be placed within the /tmp/vpn directory (on the host):

The username and password are stored in /tmp/vpn/login.conf. The file has a very simplistic format: the first line contains the username, the second line contains the corresponding password:

There is another important hint: on Fedora, SELinux is in use and prevents host files from being used as docker volumes. To fix this, we need to apply the right label to the VPN directory:

Now we can start up the OpenVPN-client container:

We pass in the VPN directory and use a container option (-f) to configure its firewall to block all traffic if the VPN is not up (to prevent stray communications from happening).
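The file layout described in this section can be checked before the container is started. The following pre-flight script is an added example, not part of the original post or of the docker image; preflight_vpn_dir is a hypothetical helper name, the sample files are constructed, and the permission check is an extra hardening assumption.

```shell
#!/bin/sh
# Added example: pre-flight check for the VPN directory described above.
# preflight_vpn_dir is a hypothetical helper, not part of the docker image.

preflight_vpn_dir() {
    dir=$1; rc=0
    conf="$dir/vpn.conf"; login="$dir/login.conf"

    for f in "$conf" "$login"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done

    # A bare "auth-user-pass" makes OpenVPN prompt for credentials, which
    # cannot work in a detached container; it must name login.conf.
    if ! grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+login\.conf[[:space:]]*$' "$conf"; then
        echo "vpn.conf: auth-user-pass does not reference login.conf" >&2; rc=1
    fi

    # login.conf: username on line 1, password on line 2, no further entries.
    n=$(grep -c . "$login" || true)
    if [ "$n" -ne 2 ]; then
        echo "login.conf: expected 2 non-empty lines, found $n" >&2; rc=1
    fi

    # Assumption (extra hardening, not from the post): the credentials file
    # should not be readable by group or others, especially under /tmp.
    mode=$(stat -c '%a' "$login" 2>/dev/null || stat -f '%Lp' "$login")
    case $mode in
        *00) ;;
        *) echo "login.conf: mode $mode, expected 600" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Demo on constructed files (placeholder credentials, not real ones).
demo_dir=$(mktemp -d)
printf 'client\nauth-user-pass login.conf\n' > "$demo_dir/vpn.conf"
printf 'p0000000\nconstructed-password\n' > "$demo_dir/login.conf"
chmod 600 "$demo_dir/login.conf"
preflight_vpn_dir "$demo_dir" && echo "pre-flight OK"
rm -rf "$demo_dir"
```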

Test the VPN tunnel through a minimal image

You should never trust your configuration without testing it. So let’s fire up an Alpine Linux container, connect it to the internet through the VPN and retrieve our external IP address (which should be different from our host computer’s external IP address):

Use transmission-web images (and an nginx to allow for web access to the container)

Now we can start up additional images for transmission and a web server for controlling it. We will use the VPN network configured through the openvpn-client image:

Now you should be able to access the transmission web interface through http://localhost/transmission or https://localhost/transmission. It is protected by HTTP Basic authentication; use admin as username and admin as password.

And that’s it. Steps for the future include moving this setup onto my Raspberry Pi and/or migrating it to Docker-Compose.

A few years ago, a close friend of mine was hit with a subpoena claiming that his unsecured WiFi network was used to illegally pirate movies. Though they may have never been able to prove who exactly was pirating the movies, the legal fees would have cost thousands just to prove their innocence.

Ever since then, I’ve been an advocate for using VPNs to protect your privacy when browsing the web.

When I upgraded my storage solution to a NAS, one of the first settings I changed was to route my NAS internet through a VPN.

Unfortunately, this meant all my local browsing was also going through the VPN making everything slow to a crawl.

After many hours of studying different forums, Reddit, and YouTube, I think I have found the best solution to keep only your torrent traffic running through a VPN while all other network activities are kept local.

What you'll need

Here is the setup I used to get this project up and running.

I've been using Private Internet Access for many years and they work perfectly with this guide.

If you decide to use a different VPN, this guide should still get you at least 95% of the way there. Check out their respective communities on Reddit or reach out to your VPN's customer support for any additional steps.

  • NAS: Synology DS918+
  • DSM Version: 6.2.2 and newer
  • VPN: Private Internet Access

Installation Steps

Install Docker

1. Find and install Docker in the Package Center.

2. Search the registry for haugene
3. Download the latest image for haugene/transmission-openvpn

While the image is downloading, we'll complete the next steps.

Create Transmission Directory

Next, we'll create a couple of folders. One for your Transmission configuration files and another for your downloads.

  1. Inside the docker folder, create a folder named transmission-openvpn
  2. In your root directory, create a folder named Downloads

Create Adapter and Configuration File

To create your own files, copy the scripts below into a plain text editor and save the files as the following:

Optional: Since these are Google's public DNS nameservers, this may result in your container leaking website requests. To fix this, change the nameservers to your VPN's public DNS servers.

For PIA users, your resolv.conf should look like this:

Move these files over to your transmission-openvpn folder.

Schedule Adapter to Run on Boot

1. Open Control Panel
2. Open Task Scheduler
3. Create a Task to run the TUN.sh script on boot-up.

4. In the Task Settings, point to the location of the script.

5. Run the script for the first time.

Launch the Docker Image

Back in Docker, the image should be done downloading now. Launch the image with the following settings:

1. Execute container using high privilege

2. Select Advanced Settings
3. Enable auto-restart

4. Add the resolv.conf file and the Downloads folder.
5. Point the File/Folder to the following mount paths.

5.5 Change the Local Ports from Auto to some unused port numbers.

If you leave this on auto, you will have to constantly look up what port your container has changed to.

6. Add your VPN details into the OpenVPN Environment variables:

  • OPENVPN_USERNAME: p00*****
  • OPENVPN_PASSWORD: **password**
  • OPENVPN_PROVIDER: PIA

You can experiment with the remaining default variables after you have the container up and running.

PIA NextGen Updates

PIA has updated their VPN network to NextGen, which has broken previous containers.

If you're having trouble launching your old containers, delete all of your old images and containers.

Redownload the latest image and add the additional environment variables:

  • OPENVPN_CONFIG: ca_montreal
  • PIA_OPENVPN_CONFIG_BUNDLE: openvpn

All OPENVPN_CONFIG values are now lowercase and have underscores instead of spaces.

Additionally, this value can accept a list of servers to randomly connect to. e.g. ca_montreal,ca_toronto,ca_vancouver

Run Container

1. Apply the settings and launch the container.
2. Click on the container details to find the local port number.
3. Open a browser and go to your local IP and the container's port number, e.g. 192.168.1.100:30000 or 10.0.0.1:30000.

4. You should now be connected to your transmission docker container:

Verify VPN is Working

1. To verify Transmission is working as intended, visit http://checkmyip.torrentprivacy.com/ and download the test torrent file.

2. If everything worked properly, your browsing IP should be different than your Torrent IP.

For Seeding/Uploading:

To upload/seed files, you need to select a VPN gateway that has Port Forwarding enabled.

If you are using PIA, you can find more information here: https://www.privateinternetaccess.com/helpdesk/kb/articles/how-do-i-enable-port-forwarding-on-my-vpn

Currently, the gateway values that support port forwarding are:

  • ca_montreal
  • ca_toronto
  • ca_vancouver
  • czech_republic
  • france
  • de_berlin
  • de_frankfurt
  • israel
  • romania
  • spain
  • sweden
  • switzerland

1. To force the container to use a specific server, add the following Environment Variable to point it to an enabled gateway.

  • OPENVPN_CONFIG: ca_montreal

2. To verify this is working, open the Transmission Settings and go to the Network Tab. The Peer Listening port should say Open.
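The checks below tie together three settings from this guide: the resolv.conf nameservers, the NextGen OPENVPN_CONFIG format, and the port-forwarding gateway list. This is an added example, not part of the original guide or of the haugene image; the function names are hypothetical and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks for the container
# settings described above. All function names are hypothetical.

# Gateways the guide lists as supporting port forwarding.
PF_GATEWAYS="ca_montreal ca_toronto ca_vancouver czech_republic france \
de_berlin de_frankfurt israel romania spain sweden switzerland"

# Print nameserver lines in a resolv.conf that point at Google Public DNS
# (8.8.8.8 / 8.8.4.4), the DNS leak the guide warns about. Exit 1 if none.
google_dns_lines() {
    grep -E '^[[:space:]]*nameserver[[:space:]]+(8\.8\.8\.8|8\.8\.4\.4)[[:space:]]*$' "$1"
}

# Convert an old-style list ("CA Montreal, CA Toronto") to the NextGen form:
# lowercase, underscores instead of spaces, comma-separated.
normalize_openvpn_config() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]\{1,\}/_/g'
}

# Print every entry of a normalized list that is NOT in PF_GATEWAYS.
# The container connects to one entry at random, so a single such entry
# means the peer port will not be open on some connections.
# Returns 0 only when every entry supports port forwarding.
non_forwarding_entries() {
    bad=""
    old_ifs=$IFS; IFS=,
    for entry in $1; do
        case " $PF_GATEWAYS " in
            *" $entry "*) ;;
            *) bad="${bad:+$bad }$entry" ;;
        esac
    done
    IFS=$old_ifs
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Demo on a constructed old-style value with one gateway outside the list.
cfg=$(normalize_openvpn_config "CA Montreal, US East")
non_forwarding_entries "$cfg" || echo "^ no port forwarding; list was: $cfg"
```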

Congrats!

You now have a Docker container of Transmission connected through a VPN provider.

Simply add torrents to Transmission and your downloads will appear in your Downloads folder when they are completed.

Other Tidbits

The Chrome extension Remote Transmission ++ is a great tool that allows you to open magnet links without having to open the full-blown Transmission web interface. Thanks to bricked3ds for sharing this on Reddit.
