- Home MikroTik router
- Static IP: 203.0.113.2
- Dedicated server
- Static IP: 203.0.113.1
Port 51413 on the home router is forwarded to and from the dedicated server over the WireGuard interface. This lets the server download torrents without exposing its own IP or the hosting provider knowing about it.
MikroTik                                  Dedicated server
203.0.113.2:51413 (dst-nat tcp+udp) <---> 10.100.1.1:51413 (transmission-daemon)
203.0.113.2:13232 (wireguard)       <---> 203.0.113.1:51830 (wireguard)
Wireguard
$ pacman -S wireguard-tools
$ mkdir ~/wireguard-keys && cd ~/wireguard-keys
$ wg genkey | (umask 0077 && tee TORRENT-PROXY-SRV.key) | wg pubkey > TORRENT-PROXY-SRV.pub
$ wg genkey | (umask 0077 && tee TORRENT-PROXY-MTIK.key) | wg pubkey > TORRENT-PROXY-MTIK.pub
$ wg genpsk > TORRENT-PROXY-SRV-MTIK.psk
The config assumes you have custom TCP and UDP chains in iptables.
It opens ports 51413 and 51830 and adds a policy route (table 100) so that traffic from 10.100.1.1 leaves via the WireGuard interface.
/etc/wireguard/torrent-proxy.conf
—
[Interface]
PrivateKey = # content of TORRENT-PROXY-SRV.key #
Address = 10.100.1.1/24
ListenPort = 51830
PostUp = iptables -A UDP -p udp -m udp --dport 51830 -j ACCEPT
PostUp = iptables -A UDP -p udp --dport 51413 -j ACCEPT
PostUp = iptables -A TCP -p tcp --dport 51413 -j ACCEPT
PostUp = ip rule add from 10.100.1.1/32 table 100
PostUp = ip route add default via 10.100.1.1 table 100
PostDown = iptables -D UDP -p udp -m udp --dport 51830 -j ACCEPT
PostDown = iptables -D UDP -p udp --dport 51413 -j ACCEPT
PostDown = iptables -D TCP -p tcp --dport 51413 -j ACCEPT
PostDown = ip route del default via 10.100.1.1 table 100
PostDown = ip rule del from 10.100.1.1/32 table 100
Table = off
[Peer]
PublicKey = # content of TORRENT-PROXY-MTIK.pub #
PresharedKey = # content of TORRENT-PROXY-SRV-MTIK.psk #
Endpoint = 203.0.113.2:13232
AllowedIPs = 0.0.0.0/0
$ systemctl --now enable wg-quick@torrent-proxy
Transmission
$ pacman -S transmission-cli
$ systemctl enable --now transmission
$ systemctl stop transmission
$ cp /var/lib/transmission/.config/transmission-daemon/settings.json /var/lib/transmission/.config/transmission-daemon/settings.json.bak
Bind transmission-daemon to 10.100.1.1; the peer port is already 51413 by default.
/var/lib/transmission/.config/transmission-daemon/settings.json
—
- "bind-address-ipv4": "0.0.0.0",
- "bind-address-ipv6": "::",
+ "bind-address-ipv4": "10.100.1.1",
+ "bind-address-ipv6": "fe80::",
- "lpd-enabled": true,
+ "lpd-enabled": false,
- "port-forwarding-enabled": true,
+ "port-forwarding-enabled": false,
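Review bot: the IPv6 binding deserves a check. The tunnel only carries 10.100.1.1/24 and the policy rule covers only 10.100.1.1/32, so any IPv6 socket listening on 51413 would exchange peer traffic outside the tunnel. `fe80::` is a link-local prefix rather than an address of this host, so after `systemctl start transmission` confirm with `ss -lntup` that the only sockets on 51413 are bound to 10.100.1.1.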
Optional changes (custom folders, cache size, RPC bind address); not related to the required IP bindings.
/var/lib/transmission/.config/transmission-daemon/settings.json
—
- "rpc-bind-address": "0.0.0.0",
+ "rpc-bind-address": "127.0.0.1",
- "cache-size-mb": 4,
+ "cache-size-mb": 64,
- "download-dir": "/var/lib/transmission/Downloads",
+ "download-dir": "/mnt/vault/transmission/downloads",
- "incomplete-dir": "/var/lib/transmission/Downloads",
+ "incomplete-dir": "/mnt/vault/transmission/incomplete",
- "incomplete-dir-enabled": false,
+ "incomplete-dir-enabled": true,
$ mkdir -p /mnt/vault/transmission/downloads
$ mkdir -p /mnt/vault/transmission/incomplete
$ chown transmission:transmission /mnt/vault/transmission/downloads
$ chown transmission:transmission /mnt/vault/transmission/incomplete
$ chmod 750 /mnt/vault/transmission/downloads
$ chmod 750 /mnt/vault/transmission/incomplete
$ systemctl start transmission
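As an added check that is not part of the original notes, the following POSIX shell script verifies the server side of this setup once transmission is running: every socket on 51413 must be bound to 10.100.1.1 (a wildcard bind would let peers reach the server's real address), the `from 10.100.1.1 lookup 100` rule must exist, and table 100 must route out the WireGuard interface. The interface name torrent-proxy is assumed from the config file name (wg-quick derives it from that); the `ss` and `ip` output embedded in the script is constructed sample data.

```shell
#!/bin/sh
# Added verification script (not part of the original notes). Each check
# takes command output as a string, so the logic can be exercised against
# the constructed samples below without root; --live runs it for real.
# Assumed names: WG_IF "torrent-proxy" (from the config file name) and
# routing table 100, as in the wg-quick config above.

TUNNEL_IP="10.100.1.1"
TORRENT_PORT="51413"
WG_IF="torrent-proxy"
RT_TABLE="100"

# check_listeners SS_OUTPUT
# Pass `ss -Hlntu` output. Succeeds only if at least one socket on
# TORRENT_PORT is bound to TUNNEL_IP and none is bound to a wildcard
# (0.0.0.0, * or [::]); a wildcard bind bypasses the tunnel.
check_listeners() {
    printf '%s\n' "$1" | awk -v port="$TORRENT_PORT" -v ip="$TUNNEL_IP" '
        $5 ~ (":" port "$") {                 # column 5 is Local Address:Port
            addr = $5
            sub(/:[0-9]+$/, "", addr)         # strip ":port"
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") bad++
            else if (addr == ip) ok++
        }
        END { if (bad > 0 || ok == 0) exit 1; exit 0 }'
}

# check_policy_rule IP_RULE_OUTPUT
# Pass `ip rule` output; looks for "from 10.100.1.1 lookup 100".
check_policy_rule() {
    printf '%s\n' "$1" |
        grep -Eq "^[0-9]+:[[:space:]]+from ${TUNNEL_IP}(/32)?[[:space:]]+lookup ${RT_TABLE}([[:space:]]|$)"
}

# check_tunnel_route TABLE_OUTPUT
# Pass `ip route show table 100` output; the default route must use WG_IF.
check_tunnel_route() {
    printf '%s\n' "$1" |
        grep -Eq "^default[[:space:]].*[[:space:]]dev[[:space:]]+${WG_IF}([[:space:]]|$)"
}

# Constructed sample output of a correctly configured host.
SAMPLE_SS_GOOD="$(cat <<'EOF'
udp   UNCONN 0 0        10.100.1.1:51413   0.0.0.0:*
tcp   LISTEN 0 128      10.100.1.1:51413   0.0.0.0:*
tcp   LISTEN 0 128       127.0.0.1:9091    0.0.0.0:*
udp   UNCONN 0 0           0.0.0.0:51830   0.0.0.0:*
EOF
)"
# Constructed sample of a misconfigured host: TCP still bound to 0.0.0.0.
SAMPLE_SS_LEAK="$(cat <<'EOF'
udp   UNCONN 0 0        10.100.1.1:51413   0.0.0.0:*
tcp   LISTEN 0 128         0.0.0.0:51413   0.0.0.0:*
EOF
)"
SAMPLE_RULE="$(printf '0:\tfrom all lookup local\n32765:\tfrom 10.100.1.1 lookup 100\n32766:\tfrom all lookup main')"
SAMPLE_ROUTE="default via 10.100.1.1 dev torrent-proxy"

# Live mode (needs iproute2's ip and ss; run after both services are up):
#   sh check-torrent-proxy.sh --live
main_live() {
    rc=0
    check_listeners "$(ss -Hlntu)" ||
        { echo "FAIL: port $TORRENT_PORT is not bound solely to $TUNNEL_IP"; rc=1; }
    check_policy_rule "$(ip rule)" ||
        { echo "FAIL: missing 'from $TUNNEL_IP lookup $RT_TABLE' rule"; rc=1; }
    check_tunnel_route "$(ip route show table "$RT_TABLE")" ||
        { echo "FAIL: table $RT_TABLE has no default route over $WG_IF"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: torrent traffic is confined to $WG_IF"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then main_live; fi
```

The listener check deliberately ignores port 51830, which WireGuard itself must bind on the public address; only the torrent port is required to sit on the tunnel address.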
> WireGuard
> [Add New]
Name: TORRENT-PROXY-MTIK
Listen Port: 13232
Private Key: # content of TORRENT-PROXY-MTIK.key #
> [OK]
> WireGuard > Peers
> [Add New]
Interface: TORRENT-PROXY-MTIK
Public Key: # content of TORRENT-PROXY-SRV.pub #
Endpoint: 203.0.113.1
Endpoint Port: 51830
Allowed Address: 0.0.0.0/0
Preshared Key: # content of TORRENT-PROXY-SRV-MTIK.psk #
> [OK]
> IP > Addresses
> [Add New]
Address: 10.100.1.2/24
Network: 10.100.1.0
Interface: TORRENT-PROXY-MTIK
> [OK]
> IP > Firewall > NAT
> [Add New]
Chain: dstnat
Protocol: tcp
Dst. Port: 51413
In. Interface List: WAN
Action: dst-nat
To Addresses: 10.100.1.1
Comment: admin: accept torrent on 51413 and forward it to 10.100.1.1 via wireguard TORRENT-PROXY-MTIK
> [OK]
> IP > Firewall > NAT
> [Add New]
Chain: dstnat
Protocol: udp
Dst. Port: 51413
In. Interface List: WAN
Action: dst-nat
To Addresses: 10.100.1.1
> [OK]
> IP > Firewall > Filter Rules
> [Add New]
Chain: input
Protocol: udp
Dst. Port: 13232
Action: accept
Comment: admin: accept wireguard TORRENT-PROXY-MTIK
> [OK]
> Drag rule below rule 'defconf: accept ICMP'