@AndersonIncorp
Created December 30, 2023 14:25
Proxy torrent traffic via a home router: hides the dedicated server's IP from peers and trackers, and encrypts the torrent traffic between the home router and the dedicated server running the torrent client.

Overview

  • Home MikroTik router
    • Static IP: 203.0.113.2
  • Dedicated server
    • Static IP: 203.0.113.1

Port 51413 on the home router is forwarded to/from the dedicated server over the WireGuard interface. This lets the server download torrents without exposing its own IP: peers and trackers only ever see 203.0.113.2, and the hosting provider only sees encrypted WireGuard traffic to that address. (203.0.113.x are placeholder addresses from the documentation range; substitute your real ones.)

MikroTik                                  Dedicated server
203.0.113.2:51413 (dst-nat tcp+udp) <---> 10.100.1.1:51413  (transmission-daemon)
203.0.113.2:13232 (wireguard)       <---> 203.0.113.1:51830 (wireguard)

Setup

Server (Arch Linux)

WireGuard

$ pacman -S wireguard-tools
$ mkdir ~/wireguard-keys && cd ~/wireguard-keys
# private keys and the PSK are written with mode 0600; only the .pub files need to be shared
$ wg genkey | (umask 0077 && tee TORRENT-PROXY-SRV.key) | wg pubkey > TORRENT-PROXY-SRV.pub
$ wg genkey | (umask 0077 && tee TORRENT-PROXY-MTIK.key) | wg pubkey > TORRENT-PROXY-MTIK.pub
$ (umask 0077 && wg genpsk > TORRENT-PROXY-SRV-MTIK.psk)
# TORRENT-PROXY-MTIK.key and the .psk get pasted into the router below; remove them from the server afterwards

The config assumes your iptables INPUT chain dispatches new connections to custom TCP and UDP chains (the Arch wiki "simple stateful firewall" layout). It opens UDP 51830 (WireGuard) on every interface and TCP/UDP 51413 (transmission) only on the tunnel interface, and adds a policy route so that everything sourced from 10.100.1.1 leaves through the tunnel instead of the server's normal default route. Table = off stops wg-quick from installing its own route for AllowedIPs = 0.0.0.0/0, which would otherwise pull all of the server's traffic into the tunnel.

/etc/wireguard/torrent-proxy.conf
-
[Interface]
PrivateKey = # content of TORRENT-PROXY-SRV.key #
Address = 10.100.1.1/24
ListenPort = 51830
# WireGuard itself must be reachable on the public interface
PostUp = iptables -A UDP -p udp -m udp --dport 51830 -j ACCEPT
# transmission is only reachable through the tunnel (%i = this interface)
PostUp = iptables -A UDP -i %i -p udp --dport 51413 -j ACCEPT
PostUp = iptables -A TCP -i %i -p tcp --dport 51413 -j ACCEPT
# policy routing: packets sourced from the tunnel address use table 100,
# whose only route is a default route over the tunnel
PostUp = ip rule add from 10.100.1.1/32 table 100
PostUp = ip route add default dev %i table 100
# routing cleanup runs in PreDown because wg-quick deletes the interface
# before PostDown; the rule would otherwise be left behind
PreDown = ip route del default dev %i table 100
PreDown = ip rule del from 10.100.1.1/32 table 100
PostDown = iptables -D UDP -p udp -m udp --dport 51830 -j ACCEPT
PostDown = iptables -D UDP -i %i -p udp --dport 51413 -j ACCEPT
PostDown = iptables -D TCP -i %i -p tcp --dport 51413 -j ACCEPT
# don't let wg-quick add routes for AllowedIPs into the main table
Table = off

[Peer]
PublicKey = # content of TORRENT-PROXY-MTIK.pub #
PresharedKey = # content of TORRENT-PROXY-SRV-MTIK.psk #
Endpoint = 203.0.113.2:13232
# accept any source address from the router: replies arrive from arbitrary torrent peers
AllowedIPs = 0.0.0.0/0
$ systemctl --now enable wg-quick@torrent-proxy

Transmission

$ pacman -S transmission-cli
# start once so the daemon writes its default settings.json, then stop it:
# transmission rewrites settings.json on shutdown, so it has to be edited while stopped
$ systemctl enable --now transmission
$ systemctl stop transmission
$ cp /var/lib/transmission/.config/transmission-daemon/settings.json /var/lib/transmission/.config/transmission-daemon/settings.json.bak

Bind transmission-daemon to 10.100.1.1 (the peer port is already 51413 by default), disable local peer discovery (multicast on the server's own LAN), and disable UPnP/NAT-PMP port forwarding, which would otherwise try to open the port on the hosting network instead of the home router.

/var/lib/transmission/.config/transmission-daemon/settings.json
—
- "bind-address-ipv4": "0.0.0.0",
- "bind-address-ipv6": "::",
+ "bind-address-ipv4": "10.100.1.1",
+ "bind-address-ipv6": "fe80::",
- "lpd-enabled": true,
+ "lpd-enabled": false,
- "port-forwarding-enabled": true,
+ "port-forwarding-enabled": false,

Optional changes (custom download folders, larger cache, RPC bound to loopback); not needed for the IP bindings above, but binding the RPC to 127.0.0.1 is recommended anyway so the web UI is never reachable on the public IP.

/var/lib/transmission/.config/transmission-daemon/settings.json
—
- "rpc-bind-address": "0.0.0.0",
+ "rpc-bind-address": "127.0.0.1",
- "cache-size-mb": 4,
+ "cache-size-mb": 64,
- "download-dir": "/var/lib/transmission/Downloads",
+ "download-dir": "/mnt/vault/transmission/downloads",
- "incomplete-dir": "/var/lib/transmission/Downloads",
+ "incomplete-dir": "/mnt/vault/transmission/incomplete",
- "incomplete-dir-enabled": false,
+ "incomplete-dir-enabled": true,
$ mkdir -p /mnt/vault/transmission/downloads
$ mkdir -p /mnt/vault/transmission/incomplete
$ chown transmission:transmission /mnt/vault/transmission/downloads
$ chown transmission:transmission /mnt/vault/transmission/incomplete
$ chmod 750 /mnt/vault/transmission/downloads
$ chmod 750 /mnt/vault/transmission/incomplete
$ systemctl start transmission
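A leak check for the server side, added here as an example and not part of the gist: it verifies the three properties the WireGuard config (policy rule and route over the tunnel) and the transmission bindings above are meant to establish. The check_* functions parse command output passed as a string, so they can be exercised against captured output; run_checks feeds them live output from ip rule, ip route get and ss. The interface name torrent-proxy, the tunnel address, port and table number are taken from this page; 9.9.9.9 as the route-lookup destination is an arbitrary choice.

```shell
#!/bin/bash
# Leak check for the torrent-proxy server side (added example, not from the gist).
# Assumptions: interface name torrent-proxy (from the .conf filename), tunnel
# address 10.100.1.1, torrent port 51413, routing table 100, all as on this page.

WG_IF="${WG_IF:-torrent-proxy}"
TUN_ADDR="${TUN_ADDR:-10.100.1.1}"
TORRENT_PORT="${TORRENT_PORT:-51413}"
RT_TABLE="${RT_TABLE:-100}"

# 1. The policy rule exists. Input: output of `ip rule`
#    (iproute2 prints a /32 source without the prefix length).
check_rule() {
    printf '%s\n' "$1" | grep -Eq "from ${TUN_ADDR}(/32)? lookup ${RT_TABLE}( |$)"
}

# 2. Packets sourced from the tunnel address leave via the WireGuard device.
#    Input: output of `ip route get <dst> from $TUN_ADDR`
check_route() {
    printf '%s\n' "$1" | grep -Eq " dev ${WG_IF}( |$)"
}

# 3. Every listener on the torrent port is bound to the tunnel address; a
#    0.0.0.0 / [::] / * bind would make the client reachable on the public IP.
#    Input: output of `ss -H -tuln`; column 5 is the local address:port.
#    Also fails when nothing listens on the port at all (daemon not running).
check_listeners() {
    local netid state rq sq local_addr rest seen=0
    while read -r netid state rq sq local_addr rest; do
        [ -n "$local_addr" ] || continue
        case "$local_addr" in
            *:"$TORRENT_PORT")
                seen=1
                [ "${local_addr%:*}" = "$TUN_ADDR" ] || return 1
                ;;
        esac
    done <<EOF
$1
EOF
    [ "$seen" -eq 1 ]
}

# Feed the checks live output; exit status is non-zero if any check fails.
run_checks() {
    local fail=0
    check_rule "$(ip rule)" \
        || { echo "FAIL: no 'from $TUN_ADDR lookup $RT_TABLE' rule"; fail=1; }
    # 9.9.9.9 is just an arbitrary external destination for the route lookup
    check_route "$(ip route get 9.9.9.9 from "$TUN_ADDR" 2>/dev/null)" \
        || { echo "FAIL: traffic from $TUN_ADDR does not route via $WG_IF"; fail=1; }
    check_listeners "$(ss -H -tuln)" \
        || { echo "FAIL: port $TORRENT_PORT is not bound exclusively to $TUN_ADDR"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK: policy route and bindings look leak-free"
    return "$fail"
}

# Run the live checks with `./leakcheck.sh live`; sourcing the file without
# the argument only defines the functions.
if [ "${1:-}" = "live" ]; then
    run_checks
fi
```

Run it as root on the server after both wg-quick@torrent-proxy and transmission are up; a FAIL on the route check means the ip rule / table 100 route from PostUp is missing and transmission's traffic would go out the server's own public IP.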

MikroTik

> WireGuard
    > [Add New]
        Name: TORRENT-PROXY-MTIK
        Listen Port: 13232
        Private Key: # content of TORRENT-PROXY-MTIK.key #
        > [OK]
> WireGuard > Peers
    > [Add New]
        Interface: TORRENT-PROXY-MTIK
        Public Key: # content of TORRENT-PROXY-SRV.pub #
        Endpoint: 203.0.113.1
        Endpoint Port: 51830
        Allowed Address: 0.0.0.0/0
        Preshared Key: # content of TORRENT-PROXY-SRV-MTIK.psk #
        > [OK]
> IP > Addresses
    > [Add New]
        Address: 10.100.1.2/24
        Network: 10.100.1.0
        Interface: TORRENT-PROXY-MTIK
        > [OK]
> IP > Firewall > NAT
    > [Add New]
        Chain: dstnat
        Protocol: tcp
        Dst. Port: 51413
        In. Interface List: WAN
        Action: dst-nat
        To Addresses: 10.100.1.1
        Comment: admin: accept torrent on 51413 and forward it to 10.100.1.1 via wireguard TORRENT-PROXY-MTIK
        > [OK]
> IP > Firewall > NAT
    > [Add New]
        Chain: dstnat
        Protocol: udp
        Dst. Port: 51413
        In. Interface List: WAN
        Action: dst-nat
        To Addresses: 10.100.1.1
        > [OK]
> IP > Firewall > Filter Rules
    > [Add New]
        Chain: input
        Protocol: udp
        Dst. Port: 13232
        Action: accept
        Comment: admin: accept wireguard TORRENT-PROXY-MTIK
        > [OK]
> Drag the new rule above 'defconf: drop all not coming from LAN' (e.g. directly below 'defconf: accept ICMP'): the default input chain ends with that drop, so the WireGuard port has to be accepted before it. Outbound and return traffic from 10.100.1.1 leaves the WAN through the default 'defconf: masquerade' srcnat rule, so no extra NAT rule is needed with the default firewall configuration.