
This recipe is for Debian 7 (Wheezy). All of this needs to be performed as root. Install OpenVPN and Transmission with

apt-get install openvpn transmission-daemon

Replace the string {connection name} throughout this recipe with whatever name you choose to give this VPN connection. Other strings wrapped in {braces} should also be replaced with suitable values.

Obtain an OpenVPN configuration file (.ovpn) and save it to /etc/openvpn/{connection name}.conf. The VPN provider that I chose had a configuration generator that made this really easy.

Create /etc/openvpn/ with contents

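#!/usr/bin/env bash

# OpenVPN passes the tunnel device as $1 and the local VPN address as $4
export VPN_IP=$4

# Record the address in a state file named after the tunnel device
echo "${VPN_IP}" > "/var/run/openvpn.${1}"

# VPN_IP is exported so /etc/default/transmission-daemon can expand it in OPTIONS
/etc/init.d/transmission-daemon start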

Create /etc/openvpn/ with contents

#!/usr/bin/env bash

# Stop Transmission before the tunnel goes away, then remove the state file
/etc/init.d/transmission-daemon stop

rm -f "/var/run/openvpn.${1}"

Mark these as executable with

chmod 750 /etc/openvpn/*.sh

In /etc/default/openvpn set the following

AUTOSTART={connection name}
OPTARGS="--script-security 2 --up /etc/openvpn/ --down /etc/openvpn/"

In /etc/default/transmission-daemon

OPTIONS="--config-dir ${CONFIG_DIR} --bind-address-ipv4 ${VPN_IP}"

Since Transmission flushes its configuration file when it exits, you must stop it if it's running with

service transmission-daemon stop

Edit /etc/transmission-daemon/settings.json. The bind address setting defaults to something safe but will be overridden from the command line. Generate a random token for the password. When Transmission is restarted it will replace the plaintext value in the configuration file with a hashed representation. The peer port setting is the port that you are forwarding from your VPN provider's IP address to your Transmission host. The VPN provider that I chose made this easy for me by randomly selecting an unused port and setting up the forwarding via their website. The RPC settings restrict access for the web interface to the local host.

"bind-address-ipv4": "",
"peer-port": {VPN forwarded port},
"rpc-bind-address": "",
"rpc-password": "{remote password}",
"rpc-port": 9091,
"rpc-username": "transmission",
"rpc-whitelist": "",
"rpc-whitelist-enabled": true,

Use an SSH pipe from your client

/usr/bin/ssh -f -N -i ~/.ssh/{private key} -L 9091:localhost:9091 {transmission host}

and then point your web browser at localhost:9091 to access Transmission's web interface once it has been restarted

Create this script, remote_magnet, make it executable and configure your browser to call it when you click on a magnet link. It will load the link in a paused state into the remote Transmission client

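#!/usr/bin/env bash

# Magnet link handed over by the browser as the first argument
link=${1}; [ -n "${link}" ] || exit 1

# ssh passes the command to the remote shell as one string, so quote the link
# with printf %q to keep that shell from expanding anything inside it
ssh {remote user}@{transmission host} /usr/bin/transmission-remote --start-paused \
   --auth "transmission:{remote password}" --add "$(printf '%q' "${link}")"

exit ${?}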

Restart OpenVPN. Starting the VPN service will also start Transmission listening on the VPN's local address

service openvpn start

To prevent Transmission from using the network directly add the following packet filter rule

iptables -A OUTPUT -m owner --gid-owner debian-transmission -o eth0 -j REJECT

To make this permanent install iptables-persistent with

apt-get install iptables-persistent
iptables-save > /etc/iptables/rules.v4
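
A check of the two leak controls set up above (the owner-match REJECT rule and the VPN-only bind address), added here as an example and not part of the original recipe. The function names, group id 107, port 51413, address 10.8.0.6, device tun0 and the sample text are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example: check the recipe's two leak controls against command output.

# has_killswitch RULES GID IFACE
# Succeeds if the iptables-save text holds an OUTPUT rule that REJECTs the
# group on the interface. iptables-save prints the group id as a number.
has_killswitch() {
    printf '%s\n' "$1" | awk -v gid="$2" -v ifc="$3" '
        $1 == "-A" && $2 == "OUTPUT" {
            o = g = j = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && $(i + 1) == ifc) o = 1
                if ($i == "--gid-owner" && $(i + 1) == gid) g = 1
                if ($i == "-j" && $(i + 1) == "REJECT") j = 1
            }
            if (o && g && j) found = 1
        }
        END { exit !found }'
}

# peer_port_on_vpn LISTENERS PORT VPN_IP
# Succeeds only if something listens on PORT over IPv4 and every such listener
# is bound to VPN_IP; a 0.0.0.0 listener means the bind option was not applied.
peer_port_on_vpn() {
    printf '%s\n' "$1" | awk -v port="$2" -v ip="$3" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] != port) next
            seen = 1
            if ($4 != (ip ":" port)) bad = 1
        }
        END { exit !(seen && !bad) }'
}

# Constructed samples. On a live host use instead:
#   rules=$(iptables-save)  listeners=$(netstat -tln)
#   gid=$(getent group debian-transmission | cut -d: -f3)
#   vpn_ip=$(cat /var/run/openvpn.tun0)    # tun0 is an assumed device name
sample_rules='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o eth0 -m owner --gid-owner 107 -j REJECT --reject-with icmp-port-unreachable
COMMIT'
sample_listeners='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.8.0.6:51413 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9091 0.0.0.0:* LISTEN'

has_killswitch "${sample_rules}" 107 eth0 && echo "REJECT rule present"
peer_port_on_vpn "${sample_listeners}" 51413 10.8.0.6 && echo "peer port bound to VPN only"
```

The rule check does not evaluate rule order, so an earlier ACCEPT in the OUTPUT chain still needs a manual look.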