How To Turn Your Raspberry Pi Into An Always-On Downloading Megalith

James Bruce 28-05-2014

Do your part for the global “Linux distribution network” by building a dedicated, secure, torrent-downloading megalith that barely uses 10W of power. It is possible, and it will, of course, be based on a Raspberry Pi.


Downloading and seeding (you do seed, right? Good people seed to at least a 2.0 ratio) is an arduous task for any regular computer, and means you’re sucking down far more electricity than you ought to be by having to leave it on overnight. What if you could offload that task to a low-powered Raspberry Pi, small enough to stuff under a floorboard and barely breaking 10W of power to do it all. That’s exactly what I’ll show you how to do today.

Here’s the plan:

  • Set up a Raspberry Pi with some USB storage, and move the system drive over to USB to extend the life of our SD card.
  • Share that over the network.
  • Configure a VPN so that all traffic is routed over the VPN, securely – and everything stops if that connection fails. We don’t want out ISP knowing which Linux distro we favour.
  • Install a remotely-manageable torrent client, Transmission.

Sounds complicated, doesn’t it? No more than a few hundred Terminal commands, I assure you. A lot of this overlaps with our Raspberry Pi NAS Turn Your Raspberry Pi Into An NAS Box Do you have a couple of external hard drives lying around and a Raspberry Pi? Make a cheap, low powered networked attached storage device out of them. While the end result certainly won't be as... Read More tutorial, so if you’re not so interested in the torrenting and VPN side of things, you might want to check that out instead.

USB Storage

Begin with a fresh Raspian install and connect the Ethernet interface, and plug in your USB storage (through a powered USB hub, or it’s likely you’ll face errors later as I did) – it needn’t be formatted yet. Log in remotely with the default pi /raspberry username and password combination, then run:

sudo raspi-config

Change the amount of memory given over graphics to 16 megabytes – we’ll be running this completely headless, so you don’t need graphic memory. Exit, and let’s setup some partitions on the USB. We’re going to setup at least two – one to use for the system so as to preserve the life of our SD card, and the other one for downloads to be stored. Figure out first which drive is your USB.

tail /var/log/messages

In my case, it was easy to identify as “sda”. With that in mind, adjust the following command to enter the fdisk utility on the appropriate device.

sudo fdisk /dev/sda

Press p to list current partitions. To delete any existing ones, press d. Create a new primary partition, with n, then p. When it asks you for size, enter +8G. Now go ahead and create another partition for your torrent data (again, primary), or more partitions too if you wish. W will write the new partition map to the drive when you’re done.

Once the new table has been written, use the following commands to format the drives as linux ext4. Use additional commands if you partitioned your drive with more than two partitions.

sudo mkfs.ext4 /dev/sda1
sudo mkfs.ext4 /dev/sda2
sudo mkdir /mnt/systemdrive
sudo mkdir /mnt/torrents
sudo mount /dev/sda1 /mnt/systemdrive
sudo mount /dev/sda2 /mnt/torrents
df -h

The last command will confirm that you’ve got the partitions mounted correctly. Next, we want to copy the SD card data to the drive – this will extend its life by avoiding constant read/write operations to caches etc. Install rsync to do this:

sudo apt-get install rsync
sudo rsync -axv / /mnt/systemdrive

This will initiate a long series of file copying, so twiddle your fingers for a bit.

sudo cp /boot/cmdline.txt /boot/cmdline.orig
sudo nano /boot/cmdline.txt

Adjust this to read:

dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 root=/dev/sda1 rootfstype=ext4 elevator=deadline rootwait rootdelay=5

Next, modify fstab to mount them on start up.

sudo nano /etc/fstab

Add the following lines:

/dev/sda1 / ext4 defaults,noatime 0 1
/dev/sda2 /mnt/torrents ext4 defaults 0 2

Comment out the following line which refers to the SD card:

#/dev/mmcblk0p2 / ext4 defaults,noatime 0 1

Reboot the Pi with

sudo reboot

Sorted! Your Pi will now mount a both a root data partition and your torrents partition

Share The Drive: Samba

Make sure we’re updated first, remove Wolfram Mathematica packages which have always caused me trouble when doing absolutely anything on the Pi (something to do with math-kernel), then install the required packages

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get remove wolfram-engine
sudo apt-get install samba samba-common-bin
sudo nano /etc/samba/smb.conf

Hit CTRL-W and type “security” to find the following line, and uncomment it.

security = user

Add the following to define our torrents shared folder:

comment = torrents
path = /mnt/torrents
valid users = @users
force group = users
create mask = 0775
force create mode = 0775
security mask = 0775
force security mode = 0775
directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
browseable = yes
writeable = yes
guest ok = no
read only = no

Restart the Samba service:

sudo service samba restart

Next we need to add a user to the system. Replace “jamie” with your desired username which you’ll be logging in with to access the shared folder. The following commands then ask you to create your passwords, the first at a system level and the next for Samba. Modify the last commands if you called your data drive something else (and here’s a primer on file ownership in linux).

sudo useradd jamie -m -G users
sudo passwd jamie
sudo smbpasswd -a jamie
sudo chown pi:users /mnt/torrents
chmod g+w /mnt/torrents

Test – you should be able to connect from another machine on your network, and read/write files to the new share. Check they appear on the Pi too with ls from within the /mnt/torrents folder.

VPN Setup

Install the required packages

sudo apt-get install openvpn resolvconf

Download the OpenVPN config files from your provider. You can check out a list of the best VPNs The Best VPN Services We've compiled a list of what we consider to be the best Virtual Private Network (VPN) service providers, grouped by premium, free, and torrent-friendly. Read More here, but be sure to find one that’s torrent-friendly. I use myself, but Private Internet Access is another popular option within torrent communities. Either way, you should be able to grab a ZIP file of configurations and a certificate. Put these into your torrents folder, within a directory called openvpn. Modify the following command so it points to your config file, which will almost certainly differ from privacyIO.ovpn

sudo openvpn --client --config /mnt/torrents/openvpn/privacyIO.ovpn --ca /mnt/torrents/openvpn/ --script-security 2


If you get an output like this, you’re good. Hit CTRL-C to terminate it. It’s annoying having to type the password in though, and we need a few modifications to add start and stop scripts. Edit the config file (again, replace privacyIO.ovpn with the .ovpn file your provider gave you)

nano /mnt/torrents/openvpn/privacyIO.ovpn

Modify the following line first. Basically we’re saying we’ll store the username and password in a file called pass.txt

auth-user-pass /mnt/torrents/openvpn/pass.txt

Save, and type:

nano /mnt/torrents/pass.txt

Enter your username on the first line, and password on the next. Save, and try connecting again:

sudo openvpn --client --config /mnt/torrents/openvpn/privacyIO.ovpn --ca /mnt/torrents/openvpn/ --script-security 2

You shouldn’t be bugged to log in this time. Yay! Next, open up the config file again, and add the following lines:

route-up /mnt/torrents/openvpn/
down /mnt/torrents/openvpn/

This specifies some scripts we’re going to create later to perform tasks when the connection either comes up successfully, or goes down. Make sure you’re in the mnt/torrents/openvpn directory, then run the following:


Add the following which ensures traffic is sent out over the VPN:

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

Next, create the script



iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE

Finally, we want a script to open the connection, instead of starting it from the command line as we just did.


Paste in the VPN launch command from before. In case you’ve forgotten:

sudo openvpn --client --config /mnt/torrents/openvpn/privacyIO.ovpn --ca /mnt/torrents/openvpn/ --script-security 2

Now, make all those scripts executable, and launch the VPN script at startup.

chmod +x
chmod +x
chmod +x
sudo nano /etc/rc.local

Add the following line before the exit 0 line. We’re just telling it to start this script at startup.


Finally, reboot your system again.


Log in again, and run ifconfig. You’ll know it’s working if you see an entry for tap0 (or tun0), and are able to successful curl a webpage:

curl //

The Torrent Client

Nearly there now. Finally, we’re going to install Transmission, which is lightweight and has a nice web GUI. The following commands install, then stops the daemon – since we need to configure it first – then opens up the settings file for editing.

sudo apt-get install transmission-daemon
sudo /etc/init.d/transmission-daemon stop
sudo nano /etc/transmission-daemon/settings.json

Change “rpc-authentication-required” to false; change “rpc-whitelist” to include your local subnet – for example:

"rpc-whitelist": ",10.0.1.*",

Add or adjust the following if already present:

"download-dir": "/mnt/torrents",
"watch-dir": "\/mnt\/torrents\/",
"watch-dir-enabled": true,
"umask": 2,

Next, edit the daemon startup file itself to deal with some permission problems.

sudo nano /etc/init.d/transmission-daemon

Change the USER=transmission-daemon to USER=root. Reload the daemon.

sudo service transmission-daemon reload

Finally, we’ll install avahi-daemon to setup bonjour/zeroconf networking, which means we won’t need to use the IP address of the Pi to access it from a browser – instead we’ll be able to use the raspberrypi.local address.

sudo apt-get install avahi-daemon

Assuming your hostname is the default (raspberrypi, but can be changed using raspi-config), navigate to:


First, check your torrent IP is being correctly disguised through the VPN. Download the test torrent file from TorGuard – the download graphic looks like an advertisement, but it isn’t – and drop it in the torrents shared folder.


We’ve already configured Transmission to watch this folder for new torrents, so it should be added immediately. Go ahead and drop some legal Linux distro torrents in there as well.


The IP checking torrent should return an error, along with the IP address it detected. Make sure that isn’t your home IP – if it is, the VPN hasn’t been set up right. By default, any torrents you drop in the folder will be renamed to .added, and a .part file should be created until the transfer is finished. Verify this is the case in your shared folder.


That’s it! You now have a super low-powered, secure, torrent-downloading Pi – leaving your workstation available for better things. You might now want to look at adding a UPnP server to for streaming media around the network, or using BitTorrent Sync to create your own cloud storage Build Your Own Cloud Storage with Raspberry Pi and BitTorrent Sync Don't believe the hype: the Cloud is far from secure. But have no fear - now you can roll out your own private, unlimited, and secure cloud storage platform. Read More . What features will you be adding in?

Related topics: BitTorrent, Raspberry Pi.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. RC
    May 3, 2017 at 4:27 pm


  2. Billy
    March 24, 2017 at 12:41 pm

    I only followed the VPN section on this article. The VPN starts up fine but the terminal hangs at " Initialization Sequence Completed" and I never get my prompt back. I tried adding "&" to the end of rc.local like another another person commented example: "/mnt/torrents/openvpn/ &". But this did not work for me. Running Raspbian Jessie Lite

    Has anyone found a fix for this?

  3. tedthabug
    November 5, 2016 at 2:50 am

    Quick tip for people that got hung up like me. This is for Private Internet Access.
    I got to the point where you are supposed to reboot and see the tunnel interface in ifconfig but it never would work. I tried everything from creating a service with to adding the script to cron @reboot.

    What finally worked was adding the full path of the .pem file to the .conf file. I also stuck the .pem file and the .crt file in /etc/openvpn. In my .conf:
    crl-verify /etc/openvpn/crl.rsa.2048.pem
    Hope this helps someone!

    • sajtalma
      October 29, 2017 at 1:36 pm

      Thanks, this was of great help! One more thing though...
      My file looks like this now:
      sudo openvpn --client --config /root/config/openvpn/Switzerland.ovpn --ca /root/config/openvpn/ca.rsa.2048.crt --crl-verify /root/config/openvpn/crl.rsa.2048.pem --script-security 2
      route-up /root/config/openvpn/
      down /root/config/openvpn/
      Are you supposed to put the route-up, down-pre and down parameters in this config file or another? Also i was not able to test a fallback, when i killed openvpn via pid transmission just switched over to the regular internet.

  4. Phil
    November 1, 2016 at 11:32 pm

    I had tons of issues with Transmission and switched to Deluge and it worked well.
    Only question I have is how do I test the route-up,down pre,down functions of OpenVPN to make sure they work (simulate a failure to connect, and disconnect)?
    I had a few odd times it failed to connect on boot and it went on downloading with Non-VPN IP how can we ensure that doesn't happen?


  5. Mega Therion
    October 29, 2016 at 8:52 pm

    This guide has worked perfectly till the moment you have to add a VPN server. Since is no longer online, and PIA is a bit too expensive for me atm, how could I possibly circumvent this problem?? Any tips?

  6. Dan
    October 28, 2016 at 9:56 pm

    When I plug in my external hard drive raspberry pi automatically recognizes and mounts it. Quick and easy. The problem comes when trying to get a windows machine to access it. The folder permissions for where it has been mounted are root so no matter what I do to grant access in samba to pi user no number of correct password entries work. I can force user = root and bam I have access but this is not what I'm looking for - ultimately I want guest read to some folders and pi user write access to all folders of the external hard drive. Any idea how to mount a drive to the pi user's folder where I'll probably have better luck or perhaps make a setting change in samba or the file permissions to allow this? I've read a ton of samba walk throughs and nobody seems to touch on this as something to look out for. I know this is slightly off topic but this article is so well written I'm hoping perhaps someone might be willing to throw a few suggestions my way if they have a few moments. Many thanks if you do.

    • Zac
      July 3, 2017 at 5:18 am

      I found the drive was mounted in the wrong place as well, and also found very little talk about it. My problem was solved by unmounting the drive (umount sda1) and mounting it in the correct slot, most of the instruction pages should tell you where the correct slot is, sorry it's not much information but i'll help where i can with what little i have :)

  7. uno
    September 25, 2016 at 6:50 pm

    this guide has an incredible amount of problems, from the samba share to the transmission permissions. you should revise it.

  8. Kunou
    September 11, 2016 at 12:33 am

    Is it all right to skip this step?:

    Hit CTRL-W and type “security” to find the following line, and uncomment it.
    security = user

    I couldn't find it in the file. I'm on RPi3, maybe that's why? I've no idea. I'm new to Raspberry and I'm hardly familiar with Linux coding and whatnot.

    • uno
      September 25, 2016 at 6:06 pm

      you have to add that line after [global]

  9. Dan3008
    August 27, 2016 at 6:17 pm

    Thanks for this :)

    I've followed these instructions both on my pi, and my home media server (for different locations) and its worked both on raspian (jessy) and unbuntu server :)

  10. sp
    August 7, 2016 at 4:31 am

    Hi James, great post! Worked really well for me. However I am having trouble getting transmission to seed behind the PIA VPN. Seems to have something to do with the listening port, which is listed as closed. I can download just fine but seeding won't work. Any ideas on what to do? Googling doesn't give a conclusive answer, and it's complicated by all the people trying to get remote access do their Transmission through the VPN, which is not what I want to do. I just want to be able to seed.

  11. Bradley4681
    July 31, 2016 at 3:11 pm

    When ever I have the "iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE" in I can not browse the internet or download torrents. If I remove the iptables entry it works fine.

    Does anyone know what this issue is?

  12. Philipp
    June 28, 2016 at 9:35 pm

    i'm trying this on OSMC, but even after changing the file permissions i'm getting this error: Options error: --route-up script fails with '/media/ext/torrents/openvpn/': Permission denied
    can anyone explain this to me?

  13. amk
    May 31, 2016 at 2:48 am

    can we use a pi zero as a torrentbox

    • James Bruce
      May 31, 2016 at 6:30 am

      Sure, but given the lack of USB ports or networking, you'd be spending as much as a proper Rpasberry Pi just on expansions. Could you? Yes. Should you? No.

  14. Anonymous
    January 18, 2016 at 9:24 pm

    So I've tried reinstalling using this guide a few times now and I keep ending up with the same problem. Transmission daemon won't start. Doesn't matter if where or when I start it but when I run "sudo service /etc/init.d/transmission-daemon start" I get the output:

    [FAILED] Failed to start Transmission BitTottent Daemon.
    See 'systemctl status transmission-daemon.service' for details.

    Running "systemctl status transmission-daemon.service" gives me the output:

    transmission-daemon.service - Transmission BitTorrent Daemon
    Loaded: loaded (/lib/systemd/system/transmission-daemon.service; enabled)
    Active: failed (result: exit-code) since Mon 2016-01-18 21:12:02 UT; 7in ago
    Process: 592 ExecStart=/usr/bin/transmission-daemon -f --lo-error (code=exited, status=255)
    Main PID: 592 (code=exited, status=255)

    This is no copy-paste, so there might be a few typing errors..


  15. WFM
    January 5, 2016 at 7:34 am

    Hey James is there a way to get port forwarding to the pi working with a vpn setup? Seems to tell me the port is closed whatever I try.

  16. Scaw
    January 5, 2016 at 7:03 am

    Hi! I have followed all the instructions very carefully, and I am having a couple of issues. First is that, like many commenters, I am not able to use the pi manually since starting the VPN at launch seems to prevent further input, including ^c. I can, however, ssh into the pi which is what I will be doing anyway so that is minor.

    More important is that when I add files to the torrents folder, they successfully show up in transmission's web UI but the moment they start downloading they fail with an "error: Permission denied (/mnt/torrents/name-of-file.filetype)" I double checked "/etc/init.d/transmission-daemon" and the USER=root line is correct, as I thought that might cause the issue. Does anyone know what else might cause this to happen, and how I might correct it? I am new to linux so still learning about permissions and stuff. I assume I need to give transmission-daemon permission to modify the folder? If anyone can help, let me know!

    • Scaw
      January 5, 2016 at 7:22 am

      And now in trying to fix this issue I seem to have somehow broken transmission watching for new torrents in the /mnt/torrents folder. Damn.

    • Sam
      March 20, 2016 at 2:30 am

      Add an "&" to the end of the line you added in the rc.local to call the script in background.


  17. Alex
    January 4, 2016 at 8:30 pm

    I receive the following error when trying to execute sudo fdisk /dev/sda

    fdisk: unable to open /dev/sda: No medium found

    What's the problem here? I couldn't find any solution for this particular scenario anywhere.

    • WFM
      January 6, 2016 at 3:28 am

      Are you sure it's /dev/sda? If you had multiple disks plugged in it could be /dev/sdb sdc etc.

      • Alex
        January 6, 2016 at 7:27 am

        I'm positive. I only have the SD card and the one and only external HDD. The problem persists and I have no clue what to do.

  18. radwan
    December 31, 2015 at 10:21 pm

    Hello . Is there any chance to get to know how to make the same things on OSMC?
    I have tried to use instucions above but not all commnads are working.

  19. Johannes
    December 22, 2015 at 11:38 am

    First of all, thanks for your tutorial. I set up my Raspberry Pi like you described. But the iptables configuration could be improved, I think. When I kill the openvpn process while downloading torrents, transmission continues but using my real ip address. Unfortunately I have never used iptables before. Do you have an idea how to configure iptables in a way that network traffic just stopps if there is no vpn interface?

    • James Bruce
      December 23, 2015 at 7:30 am

      I think you've missed a step, because that's exactly what the confiugration will do - kill the internet when the VPN goes down, as in the script.

    • flash
      January 30, 2018 at 12:16 am

      I know both the guide and the comment I'm replying to are pretty old already but for completeness sake I thought it best to mention this: what James Bruce described in this guide is the creation of shell scripts that are executed whenever OpenVPN experiences a connection/disconnection event. This isn't a very secure method to implement a killswitch/"firewall" because the control lies solely with the application that manages the VPN tunnel.

      If you simply kill the process or if it crashes then all network traffic will continue to flow after the VPN tunnel goes down. The never has a chance to be executed in this case. Using this method means that you put all your trust into the OpenVPN client never crashing and working perfectly in general. Maybe it will, maybe it won't, but you certainly gamble with the ultimate privacy you are trying to achieve.

      The solution is to create a method that works independently of OpenVPN or any other method of connecting to an encrypted tunnel such as Libreswan (an IPsec implementation that can be used to connect via the generally more performant IKEv2 if the VPN provider supports it). The safest way of doing this is by creating a set of iptables rules that limit connections to only the IP address(es) of the VPN server. For maximum safety these rules should only be removed/changed if you desire to connect to a different VPN server. If an application supports the binding to an interface, then that should be used. Another way is to use netns to associate the VPN tunnel interface to a namespace and then launch an application by binding it to the namespace.

      One last piece of advice: If you've been searching for other methods of binding to a certain IP or interface, you shouldn't ever use LD_PRELOAD, Bindhack, liboverride et al in this situation as all these methods which dynamically link code only rebind TCP connections and not UDP which is frequently used in torrent clients. This applies to any such method that I'm familiar with, but I don't claim to know them all.

  20. Anonymous
    December 7, 2015 at 5:07 pm

    hi, James Great thanks for the nice instructions. I have learned a lot from it. I just would like to know what these two following commands do. "iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE and iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE" does it block all the internet access after vpn server is done?

    • James Bruce
      December 7, 2015 at 5:20 pm

      Hi Chris. iptables is a routing configuration, in this case it lets machines on one side go through the VPN tunnel, using the dynamic VPN IP address, and still get routed back to where they should be on your side of the network. Essentially it does the "hiding" part of your local IP.

      • Anonymous
        December 7, 2015 at 6:24 pm

        so, when the vpn server is down, what's going to happen to transmission , as indicated in script?

        • James Bruce
          December 8, 2015 at 3:51 pm

          the -D parameter deletes the route, so it no longer works (ie, stops all traffic).

  21. Andy Tuson
    November 22, 2015 at 10:55 pm

    I have tried to follow the tutorial with a newly installed Raspbian Jessie and get as far as installing Samba. When I search smb.conf it cannot find security = user.

    If I enter all of [torrents] testparm advises that security mask, force security mode, directory security mask and force directory security mode are unknown parameters and ignored.

    When I try to restart samba I get the error message "Failed to restart samba.service: Unit samba.service is masked.

    This is with Samba version 4.1.17-Debian.

    Do you have any idea what my problem is?

    • steve
      November 25, 2015 at 9:49 pm

      I noticed the same problem; I left out the "security=user" and just rebooted the pi and samba works fine!

      • Andy Tuson
        November 29, 2015 at 1:52 pm

        I downloaded Raspbian Wheezy and it looks like that what the instructions were written with as it worked fine.


  22. tyler
    November 12, 2015 at 7:54 pm

    I used a much shorter tut I found and decided to just manually activate the vpn each time

    One issue Im having though is connecting to the webUI from outside my LAN
    Even this guide seems to only get you lan and not wan access.

    Is WAN possible?
    thanks nice guide either way

  23. Anonymous
    September 4, 2015 at 1:29 am

    This is one of the better guides I've seen for this, thanks.

    A wrinkle that I'm using is binding deluge to the tunnel IP, so there's no leaks and no awkward worries about traffic going outside if the tunnel is down. But in this case, I'm deleting the default route to the tunnel, because I don't want my web browsing traffic being VPN'd. I'm doing that with a script command in the config which is kind of inelegant. I couldn't figure out the official openvpn way to do it. I wonder if you might know?

    I'm also trying to get a script running to automatically fill in the tunnel IP in the deluge config, but the examples I've found are not for raspbian and need some work.

    Love to hear your thoughts on this.

    • James Bruce
      September 4, 2015 at 7:06 am

      Sounds ingenius, but beyond me, Cory, sorry!

  24. Anonymous
    August 31, 2015 at 3:23 am

    Hey, I have a problem with avahi, he stop working after a short time. Can you help-me? I have a Raspberry Pi 2.

  25. Anonymous
    August 19, 2015 at 2:58 am

    Hey, im going through this and everything is working good up untill the rc.local part.

    I actually got it to automatically start the command at startup and it connects, but i am unable to do anything after. It just hangs at Initialization Sequence Completed, and I am unable to cancel it.

    I checked through and I don't think i missed anything about that, but can you help me figure out what I am doing wrong?

  26. rpg
    March 4, 2015 at 4:34 am

    Hi – The tutorial is fantastic from what I can see – Thanks.
    I have one issue though.
    My VPN seams to be working perfectly and I can curl/ping pages all day.
    I cannot however access the transmission webui. Any ideas anyone?
    I have tried using the local name and the ip address.
    Many thanks

    ^ Was this ever solved? I'm having the same issue. Everything works dandy, everything copied properly. I still cannot access this however...

    • Hyperderpz
      March 7, 2015 at 5:02 pm

      I've got the exact same problem :/

      Any ideas how to resolve it?

    • Anonymous
      July 26, 2015 at 3:24 pm

      Hi, Yep. I had a problem too. I added the entries into the Transmission config file after all other entries. It looks like the final entry must NOT have a trailing comma (note the final entry in the default file reads: "utp-enabled": true
      (No comma!)

      hope that helps.

    • Anonymous
      July 29, 2015 at 1:38 pm

      Sounds like you may have white listed the wrong subnet, the default is only local host ( and the author added a common subnet issued by Apple Routers (10.0.1.*). If you have a different router manufacturer you may have a different subnet (usually 192.168.1.*). Alternatively the host name isn't broadcasting correctly, have you tried connecting via the direct ip?

  27. Lid
    February 25, 2015 at 8:00 am

    Interesting project. How about the average transfer rate for the Raspberry NAS? And would this work on the Raspberry Pi B+?

  28. Keith
    February 11, 2015 at 6:23 pm

    Terrific explanation and instructions for a moderately complicated process. I struggled with a few odd issues (such as Samba apparently not liking my use of an underscore in the new username), but got through in the end. Shoutout to commenter "Steve" on September 1st, 2014 who noted the very necessary --crl-verify option when using PIA proxy. Otherwise, rc.local won't setup the tun0 and gives no indication as to why.

    One question I have for the author is: Why put all the OpenVPN configs and various scripts in the /mnt/torrents folder? Since this is shared and writeable, aren't they unnecessarily exposed to tampering (intentional or not)?

    I may move that stuff to the /mnt/systemdrive, if there isn't a reason against it.

    Thanks for the article!

    • James Bruce
      February 12, 2015 at 8:58 am

      That's an excellent suggestion Keith, thanks. I can't see any reason not to do that, I just don't think about security much ;)

  29. bozo
    February 5, 2015 at 12:14 pm

    Yeah, slow as shit though.

  30. Jack
    January 19, 2015 at 12:41 am

    Hi - The tutorial is fantastic from what I can see - Thanks.
    I have one issue though.

    My VPN seams to be working perfectly and I can curl/ping pages all day.

    I cannot however access the transmission webui. Any ideas anyone?

    I have tried using the local name and the ip address.

    Many thanks

    • Anonymous
      July 26, 2015 at 3:25 pm

      Hi, Yep. I had a problem too. I added the entries into the Transmission config file after all other entries. It looks like the final entry must NOT have a trailing comma (note the final entry in the default file reads: "utp-enabled": true
      (No comma!)

      hope that helps.

  31. Zachary
    January 10, 2015 at 9:00 pm

    Hi, thanks so much for the tutorial. I followed all of your instructions to the letter, but for some reason my vpn is not booting at startup. I made the edit/addition to the rc.local, but still nothing. Am I missing something?

  32. james
    September 20, 2014 at 2:25 am

    I have a question regarding access to the Pi once it is connected to the VPN. Currently everything is working on my Pi and I can SSH to it and use the Transmission WebUI while I am on my local network of 10.10.1.*, Now the issue I have been struggling to figure out is how to remotely access the Pi properly so I can use the WebUI. I have a Asus RT-AC68U as my main router and have a OpenVPN server running on it. This allows me to VPN into my house and access all my local devices. It is using tun as I need the Android support. This issue with tun is that it assigns a different IP to my clients - 10.8.0.* so when I try to SSH to the Pi or use the WebUI the VPN client on the Pi is redirecting this traffic over the Pi VPN and I never get back a response. I switched my VPN server to use TAP and DHCP of my local LAN and the issue was solved as in that configuration my client has a local LAN IP. I imagine I should be able to change the IPtables on the Pi so my 10.8.0.* traffic is not routed over the Pi VPN client but I cannot for the life of me figure it out. If anyone has any suggestions please point me in the right direction I have been reading for hours and hours with no luck.

    • James B
      September 20, 2014 at 9:52 am

      Sorry James - that's completely beyond my abilities, hopefully some other readers can help out here. Sounds more like a problem for StackOverflow though...

    • Johnny R
      October 10, 2014 at 9:44 pm

      I add the following lines in before the iptables command:

      ip rule add from x.x.x.x table 10
      ip route add default via y.y.y.y table 10

      (where x.x.x.x is the ip of my network interface wlan0 in my case)
      (where y.y.y.y is the ip of my lan gateway)

      This allows the ssh connection to be made and packets to route properly back out on the wlan0 interface through the gateway, not the tunnel.

      comment on

  33. steve
    August 27, 2014 at 4:43 pm

    On second thought... I'm ssh-ed into my Pi from my mac via, could it be that, since the VPN kicks in the ssh-connection is lost because the VPN changes the ip, and on my mc it seems like the Pi is dead?

    • James B
      August 31, 2014 at 5:22 pm

      No, I did it all over the local network, should be fine like that. The only thing that seems odd from you've said is powering both the Pi itself and the USB hard drive from the same powered USB port - which is then also plugged BACK into the Pi as the host controller. I'm wondering if there's some weird power loop messing around with things, as that might also manifest itself like a hardware error.

      But, you could also rule out the SSH thing by hooking a keyboard and monitor up, best to try both.

    • steve
      September 1, 2014 at 6:36 am

      Thanks again :-) So I did go out and got myself a Keyboard and got it all working (after a complete new install, just to make sure).

      One (similar to before) thing is still strange: when I boot everything boots well right up to "Initialization Sequence complete". Then I get a blinking cursor on my attached TV/monitor and nothing more. No prompt. On my attached USB keyboard I can type, sure, but to no avail. alt, command, control-C are all nicely printed on the screen, but that's it. I CAN, though, at the same time ssh in from my mac, get a prompt, everything works. I can also rdp in and get the GUI. Everything runs fine. Only on my TV/monitor the cursor keeps blinking away with so far nothing I can do about it...

      And if anyone should ask: if you use PrivateInternetAccess, download the default and add --crl-verify /mnt/torrents/openvpn/crl.pem to the vpn launch command :-)

  34. steve
    August 27, 2014 at 4:17 pm

    Hi :-)

    Great tutorial so far, thank you very much!

    I'm stuck. I'm using PrivateInternetAccess, did everything you said. When I initiate the VPN, the Pi runs through to the point where it says "Initializationtion Sequence Complete" - which isn't too bad - then I get a blinking cursor and that is that. A blinking Cursor. Then the Pi shuts down. The end. I repeated that circle 5 times, now I give up. For now. Maybe you have an idea?

    • James B
      August 28, 2014 at 10:40 am

      That is very messed up - usually indicates either a power supply issue (not strong enough to initiate the wifi perhaps?) or some kind of hardware corruption (SD card, I mean, they do tend to corrupt rather easily). I would try using a powered USB hub for anything you've got plugged directly into the board right now, and if that doesn't help give it a try with a fresh SD card.

    • steve
      August 28, 2014 at 11:53 am

      Hi James, thank you for your response. I wrote a second post shortly after my first, that seemingly didn't come through.

      I'm always SSH-ed into my Pi from my Mac. No USB keyboard yet. So maybe the VPN connection screws up the SSH-connection? (I'm no expert, in case this sounds like a dumb thought...) Thought I try the same procedure with a real keyboard attached, which I'll get Friday night.

      Maybe it's PrivateInternetAccess and their configs that screws up things? Their online-chat briefly told me Pi is not supported... Tried to get a one-day-pass from, but they're having payment problems currently. So I'll wait for that to resolve.

      And, sure, my SSD might be corrupted, though it's only a week old. Your setup is my first project with my new Pi since it's one thing that actually makes sense :-)

    • steve
      August 28, 2014 at 11:55 am

      oh, and yes, Pi and external HD both are powered by the same 4-port-USB hub...

  35. Jon
    August 25, 2014 at 2:00 am

    when i run the script it shows that the script is not working, is anyone else experiencing this issue

    • James Bruce
      August 25, 2014 at 4:09 pm

      The only thing in that script is the iptables command. Perhaps checks you're using the correct tun or tap connection?

    • Jon B
      August 26, 2014 at 9:58 pm

      Below is the log from running the vpn script. notice the error with route-up. not really sure what the problem is.. i have the exact script copied in. after running i am also unable to curl a webpage and am confused why the hardware address is all 0s
      any help is greatly appreciated

      ]0;pi@raspberrypi: /mnt/torrents/openvpnpi@raspberrypi /mnt/torrents/openvpn $ Tue Aug 26 21:55:17 2014 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 12 2013
      Tue Aug 26 21:55:17 2014 WARNING: file '/mnt/torrents/pass.txt' is group or others accessible
      Tue Aug 26 21:55:17 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Tue Aug 26 21:55:17 2014 LZO compression initialized
      Tue Aug 26 21:55:17 2014 RESOLVE: NOTE: resolves to 4 addresses
      Tue Aug 26 21:55:17 2014 UDPv4 link local: [undef]
      Tue Aug 26 21:55:17 2014 UDPv4 link remote: [AF_INET]
      Tue Aug 26 21:55:18 2014 WARNING: this configuration may cache passwoirds in memory -- use the auth-nocache option to prevent this
      Tue Aug 26 21:55:19 2014 [Private_Internet_Access] Peer Connection Initiated with [AF_INET]
      Tue Aug 26 21:55:22 2014 TUN/TAP device tun0 opened
      Tue Aug 26 21:55:22 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Tue Aug 26 21:55:22 2014 /sbin/ifconfig tun0 pointopoint mtu 1500
      Tue Aug 26 21:55:22 2014 WARNING: Failed running command (--route-up): could not execute external program
      Tue Aug 26 21:55:22 2014 Initialization Sequence Completed

      ]0;pi@raspberrypi: /mnt/torrents/openvpnpi@raspberrypi /mnt/torrents/openvpn $ ifconfig
      eth0 Link encap:Ethernet HWaddr b8:27:eb:33:80:42
      inet addr: Bcast: Mask:
      RX packets:438 errors:0 dropped:0 overruns:0 frame:0
      TX packets:439 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:43815 (42.7 KiB) TX bytes:59737 (58.3 KiB)

      lo Link encap:Local Loopback
      inet addr: Mask:
      UP LOOPBACK RUNNING MTU:65536 Metric:1
      RX packets:2 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:100 (100.0 B) TX bytes:100 (100.0 B)

      tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
      inet Mask:
      RX packets:4 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:304 (304.0 B) TX bytes:780 (780.0 B)

    • James B
      August 27, 2014 at 3:59 pm

      "could not execute" - did you make the route-up script executable?

    • Jon
      August 30, 2014 at 1:04 pm

      I am pretty sure I did, i will try again today

    • Jon
      August 30, 2014 at 1:52 pm

      Well evidently i didn't because i am no longer getting that error but now i am still unable to connect to anything or curl a webpage below is the output of the VPN script, i dont really see any errors so i am not sure what could be wrong

      pi@raspberrypi /mnt/torrents/openvpn $ ./
      Sat Aug 30 13:54:10 2014 OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 12 2013
      Sat Aug 30 13:54:10 2014 WARNING: file '/mnt/torrents/openvpn/pass.txt' is group or others accessible
      Sat Aug 30 13:54:10 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Sat Aug 30 13:54:10 2014 LZO compression initialized
      Sat Aug 30 13:54:10 2014 RESOLVE: NOTE: resolves to 4 addresses
      Sat Aug 30 13:54:10 2014 UDPv4 link local: [undef]
      Sat Aug 30 13:54:10 2014 UDPv4 link remote: [AF_INET]
      Sat Aug 30 13:54:10 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Sat Aug 30 13:54:12 2014 [Private_Internet_Access] Peer Connection Initiated with [AF_INET]
      Sat Aug 30 13:54:14 2014 TUN/TAP device tun0 opened
      Sat Aug 30 13:54:14 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Sat Aug 30 13:54:14 2014 /sbin/ifconfig tun0 pointopoint mtu 1500
      Sat Aug 30 13:54:15 2014 Initialization Sequence Completed

    • James B
      August 31, 2014 at 5:24 pm

      Everything looks like it should have worked. What do you get when you do an "ifconfig" - is there a tun or tap0 listed?

      • Anonymous
        August 28, 2015 at 1:52 pm

        I have a very similiar ifconfig output. It lists tun0 but still doesn't work.
        It looks like this.

        tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
        inet addr: P-t-P: Mask:
        RX packets:0 errors:0 dropped:0 overruns:0 frame:0
        TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:100
        RX bytes:0 (0.0 B) TX bytes:304 (304.0 B)

        My script output seem OK. I did everything as said in the tutorial, except I moved my openvpn directory from /mnt/torrents/ to /etc/. However I did update all scripts and configs with the right location. My VPN (NordVpn) works fine on my Windows PC though.
        I realise this article is pretty old but I hope to find some help here. Thanks.

  36. Johan
    August 20, 2014 at 9:30 pm

    Hi James,

    thanks for the guide, it helped me a lot. Unfortunately I have a little problem. ifconfig shows that there is neither a tap0 nor a tun0. Curling a webpage results in: Couldn't resolve host xyz. Do you have any idea how to fix this?

    • James B
      August 21, 2014 at 9:02 am

      Your VPN isn't working right, so check the output when your run the "sudo openvpn --client ..." bit. Should be something in there to indicate the error.

    • Johan
      August 21, 2014 at 2:53 pm

      Thanks for your reply. The vpn wasn't working due to a DNS problem, which I fixed. Now the Pi is working as intended. Thanks for the guide.

  37. Dave
    July 8, 2014 at 2:36 pm

    I know this is an old article, but do you know of a way to also port forward the Raspberry Pi using Private Internet Access?

    • James Bruce
      July 8, 2014 at 2:58 pm

      I can't confirm, but this is how they recommend doing it: [Broken Link Removed]

  38. Mat
    June 2, 2014 at 1:12 pm

    James, I have yet to locate an error for the /etc/rc.local issue. It just seems like it isn't be called at all. I'll keep digging.

  39. Mat
    May 31, 2014 at 3:30 am

    Thanks for the guide! I am experiencing an issue. It doesn't seem like any of my changes are surviving a reboot. The VPN doesn't auto connect and the mounts don't seem to be correct. The VPN connects fine if I launch the script. My rc.local edits survive a reboot as well as changes to fstab. Also, a mount -a seems to mount fstab entries that exist but aren't mounting at system start.

    Any ideas what I might be experiencing? Thanks.

    • James Bruce
      June 1, 2014 at 9:38 am

      Hi Mat. The mounts might be incorrect because after the initial SD card boot, everythign is handed over to USB, and the fstab is different at that point - if you see what I mean?

      As for the VPN - can you verify you have a, which is exectuable by all, and does work to connect the VPN? And it's been added to /etc/rc.local? Have you checked the sysem log for errors?

    • Aigars
      June 3, 2014 at 6:24 am

      fstab should always end up with blank line.