It is strongly advised to route your torrent traffic over VPN connection to protect your online privacy. An excellent and advanced way of doing this is to route only selected traffic over the VPN connection called VPN Split Tunneling.
This is Part 2 of the VPN split tunnel guide, Part 1 can be found here where you prepare your server for VPN Split Tunneling. This tutorial shows you how to install Deluge and run it under the vpn user created in Part 1 of the Split Tunnel guide. To access the Deluge Web UI you will use an nginx Reverse Proxy (even on local network).
VPN Service | ||||
---|---|---|---|---|
Private Internet Access | ($3.33 / month) | |||
Pure VPN | ($4.91 / month) | |||
IPVanish | ($6.41 / month) |
Configure Ubuntu Server for VPN Split Tunnel
You must complete Part 1: Force Torrent Traffic through VPN Split Tunnel on Ubuntu 14.x. If you have already configured Split Tunnel, then you can continue with this guide to install Deluge daemon. It is important that you have a working Split Tunnel on your server before you can proceed with installing Deluge for VPN Split Tunneling, otherwise it will not work!
Install Deluge and Web UI on Ubuntu Server 14.04 LTS
As it is very often the case with Ubuntu repositories, Deluge is included in the official Ubuntu repository but is quite outdated. The Deluge Team has its own PPA which provides the current version. I strongly recommend installing Deluge using the official PPA.
Add the required PPA to your system
sudo add-apt-repository ppa:deluge-team/ppa
Update the repository and install the Deluge Daemon (deluged) and the Deluge Web UI (deluge-web)
sudo apt-get update
sudo apt-get install deluged deluge-web -y
Create Upstart Scripts for Deluge Daemon and Web UI
One of the many great things about Deluge is that it allows to run the daemon and the Web UI independently, even as different users. As I have mentioned in the introduction, if you run Deluge Web UI as vpn user, then you need to configure nginx reverse proxy to access the Web UI.
If you want to retain direct access to the Web UI, then you need to run the Web UI service (attention: only the Web UI, not the daemon!) as your regular user. The next step is to configure the Deluge daemon to run as the vpn user. If you need direct access without reverse proxy, stay tuned, we will have a separate guide soon on how to configure direct access to Deluge Web UI with VPN Split Tunnel.
We need to make both Deluge daemon and Web UI to start automatically on system start. The user and group running Deluge is also controlled with the set uid and set gid parameters. This is very important, as for Split Tunnel to work, we must run the Deluge daemon as vpn user!
Create the Upstart Script for Deluge Daemon
The user who will run Deluge daemon is the vpn user. The logs will be located at /var/log/deluge
. We are using umask 007 value, this grants full access to the user and members of the group Deluge daemon is running and prevents access for all other users.
Create the Deluge daemon upstart script
sudo nano /etc/init/deluged.conf
Copy and paste the following
# deluged - Deluge daemon
#
# The daemon component of Deluge BitTorrent client. Deluge UI clients
# connect to this daemon via DelugeRPC protocol.
# Modified version for VPN Split Tunnel by HTPC Guides -- www.htpcguides.com
description "Deluge daemon"
author "Deluge Team"
start on filesystem and static-network-up
stop on runlevel [016]
respawn
respawn limit 5 30
env uid=vpn
env gid=vpn
env umask=007
exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluged -- -d -l /var/log/deluge/daemon.log -L warning
Hit Ctrl + X, Y to save and exit.
Create the Upstart Script for Deluge Web UI
We will create a separate upstart script for Deluge Web UI. By default, when the Deluge daemon is started or stopped, the Web UI is also started or stopped automatically. However, since we want to retain remote access and gain control over which user runs the WebUI we need a separate upstart script.
Create the Deluge web daemon upstart script
sudo nano /etc/init/deluge-web.conf
Copy and paste the following
# deluge-web - Deluge Web UI
#
# The Web UI component of Deluge BitTorrent client, connects to deluged and
# provides a web application interface for users.
# Modified version for VPN Split Tunnel by HTPC Guides -- www.htpcguides.com
description "Deluge Web UI"
author "Deluge Team"
start on started deluged
stop on stopping deluged
respawn
respawn limit 5 30
env uid=vpn
env gid=vpn
env umask=027
exec start-stop-daemon -S -c $uid:$gid -k $umask -x /usr/bin/deluge-web -- -l /var/log/deluge/web.log -L warning
Hit Ctrl + X, Y to Save and Exit.
Configure Deluge Logging
Both Deluge daemon and Deluge Web UI logs will be located at /var/log/deluge
. With the first line we create the required directory, with the second we modify ownership to user and group vpn, and with the third line we set the required permissions.
sudo mkdir -p /var/log/deluge
sudo chown -R vpn:vpn /var/log/deluge
sudo chmod -R 770 /var/log/deluge
Note: the chmod value 770 grants full access to the vpn user and to the members of the vpn group.
Finally, configure log rotation to properly maintain logs
sudo nano /etc/logrotate.d/deluge
Insert the following to rotate the logs
/var/log/deluge/*.log {
rotate 4
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
initctl restart deluged >/dev/null 2>&1 || true
initctl restart deluge-web >/dev/null 2>&1 || true
endscript
}
Hit Ctrl + X, Y to save and exit.
Make Deluge Web UI Auto Connect to Deluge Daemon
When you start the Deluge Web UI, after entering the password (default is deluge) it will always prompt you to select the Deluge daemon you would like to connect to. This is partly because you can have more Deluge daemons running so this is where you can select to which Deluge daemon you would like to connect. I assume that you are running one instance of Deluge daemon on your server, therefore it is preferred to configure auto connect.
Note: Transdrone requires auto connect enabled to work – more on this in a later guide.
Stop Deluge daemon to edit the web.conf file
sudo service deluged stop
Now edit the created web.conf file
sudo nano /home/vpn/.config/deluge/web.conf
Find the line
"default_daemon": "";
and set it to
"default_daemon": "127.0.0.1:58846"
Hit Ctrl + X, Y to save and Exit.
Start Deluge daemon and Web UI
sudo service deluged start
Now when you log into Deluge Web UI, it will automatically connect to the Deluge daemon.
Recommended Deluge Settings for Maximum Security
In order to make sure that none of the services included in Deluge are going to leak your IP address, I recommend to set the following settings. The following recommendations are based on many discussions on different forums.
In Deluge Web UI go to Preferences and Network tab. Disable all the Network Extras: UPnP, NAT-PMP, Peer Exchange, LSD, DHT, as you can see on the screenshot
Next step is to proceed to Encryption tab, and make sure Encrypt entire stream is selected, and set the other settings as you can see on the screenshot below. This level of encryption is enough, especially when used over VPN that is already encrypted.
Configure Deluge Remote Access with nginx Reverse Proxy
At this point you should have a fully working VPN with Split Tunneling and a running Deluge client tunneled over the VPN connection. To access Deluge Web UI you need to create a reverse proxy. The following part will show you how to configure nginx reverse proxy in less then five minutes. A very important note: this configuration uses plain, unencrypted http connection for nginx.
If you plan to access Deluge from outside of your local network you should consider to configure nginx with a secure SSL certificate using our guide Secure nginx Reverse Proxy with Let’s Encrypt, or alternatively you can configure with a self-signed certificate following the guide Enforce SSL for Secure nginx Reverse Proxy Linux (now that Let's Encrypt provides free valid certificates, I strongly recommend to use it). Deluge can be configured to retain direct access to Web UI without reverse proxy, but that will be covered in a separate guide.
Update repository and install nginx
sudo apt-get update
sudo apt-get install nginx -y
Unlink the default nginx virtual host
sudo unlink /etc/nginx/sites-enabled/default
Create the nginx virtual host file
sudo nano /etc/nginx/sites-available/reverse
Paste the nginx Deluge configuration and replace htpcguides.crabdance.com
with your dynamic DNS address and 192.168.40.100
with the device’s local IP.
Usually for reverse proxy support we set a custom web root in the application itself but Deluge support setting a special header for the web root. Here the web root is deluge, it must match for the location and the X-Deluge-Base header.
This assumes Deluge is running on the same device as nginx, if it isn’t then change 127.0.0.1 to match the local IP address of Deluge.
If you already have an nginx reverse proxy virtual host you only need to add the location block marked with blue (do not copy the last } at the bottom)
server {
listen 80;
server_name htpcguides.crabdance.com 192.168.40.100;
location /deluge {
proxy_pass http://127.0.0.1:8112/;
proxy_set_header X-Deluge-Base "/deluge/";
}
}
Ctrl+X, Y and Enter to save the deluge nginx reverse proxy virtual host
Symbolically link the virtual host so nginx will load it when the service is reloaded (if you already created a reverse virtual host, skip this step)
sudo ln -s /etc/nginx/sites-available/reverse /etc/nginx/sites-enabled/reverse
Test the nginx configuration is valid
sudo nginx -t
If you got no errors then restart nginx
sudo service nginx restart
Make sure Deluge is running
sudo service deluged start
Now you can use your local IP address http://ip.address/deluge or dynamic DNS address at http://yourdns.address/deluge to access Deluge outside your home network. The default password for Deluge Web UI is deluge (strongly recommended to change it at first login).
Confirm Deluge Uses VPN
Finally, we want to make sure that Deluge is using the VPN tunnel. A simple and reliable way to check this is to download a torrent file from TorGuard. They have a great service called Check My Torrent IP Address. To download the torrent file click on
Alternatively, you can Save Link Location (Firefox) or Copy link address (Chrome) and copy directly into Deluge's + Add URL field. The important part is the IP address under Tracker Status, marked with red. It should be the VPN server's IP address.
You can copy the IP address and check with IP Tracker. Just paste the IP address and the result should show you the location. Make sure it matches the VPN server's location you use (in our case it is Sweden).
If the IP Lookup matches the VPN server’s location, you successfully configured Deluge for VPN Split Tunneling.
Fix Permission Issues
In the VPN Split Tunnel guide we recommended to add your regular user to the vpn group, and to add vpn user to your regular user’s group. It is important to avoid any permission related issues with the downloaded torrents. We configured Deluge’s permissions for downloaded torrents to be fully accessible (read, write, execute) by vpn user and members of the vpn group.
If you use any automation tool like Sonarr or CouchPotato, the user who is running these services should be added to the vpn group. Make sure you add any users that run automation software to the vpn group like this.
sudo usermod -aG vpn user-running-automation