Home Blog DIY Raspberry Pi Torrent & Media Server with VPN DIY Raspberry Pi Torrent & Media Server with VPN Required Hardware For optimal performance, you'll need: - Raspberry Pi 4 Model B (8GB RAM recommended) - 32GB+ microSD card (Samsung EVO/PRO or SanDisk Extreme) - External HDD/SSD for media storage (4TB+ recommended) - Official Raspberry Pi power sup...
October 13, 2025 • 5 min read
Required Hardware
For optimal performance, you'll need:
- Raspberry Pi 4 Model B (8GB RAM recommended)
- 32GB+ microSD card (Samsung EVO/PRO or SanDisk Extreme)
- External HDD/SSD for media storage (4TB+ recommended)
- Official Raspberry Pi power supply (3.0A)
- ICE Tower CPU Cooler or FLIRC case for cooling
- Ethernet cable for reliable network connection
Total cost: $150-200 depending on storage capacity
Initial Setup & OS Installation
Installing Raspberry Pi OS
1. Download the Raspberry Pi Imager from https://www.raspberrypi.org/software/
2. Insert microSD card and launch Imager
3. Choose "Raspberry Pi OS Lite (64-bit)" for headless server setup
4. Click Advanced Options (gear icon) and:
- Set hostname (e.g., mediaserver)
- Enable SSH
- Configure WiFi (if needed)
- Set username/password
- Set locale settings
First Boot & Basic Configuration
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y \
git curl wget htop \
unzip unrar-free \
python3-pip \
ufw fail2ban \
ntfs-3g exfat-fuse
sudo timedatectl set-timezone YOUR_TIMEZONE
sudo apt install -y lm-sensors
sudo sensors-detect --auto
```
Storage Setup
External Drive Configuration
```bash
lsblk
sudo mkdir /mnt/media
sudo blkid
sudo nano /etc/fstab
UUID=YOUR-UUID-HERE /mnt/media ext4 defaults,auto,nofail 0 0
sudo mount -a
sudo chown -R pi:pi /mnt/media
sudo chmod -R 775 /mnt/media
```
VPN Setup & Kill Switch
We'll use WireGuard for its performance and simplicity.
```bash
sudo apt install -y wireguard
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = YOUR_VPN_IP/32
DNS = 1.1.1.1
[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
sudo nano /etc/iptables-rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i wg0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 51820 -j ACCEPT
COMMIT
sudo nano /etc/systemd/system/iptables-restore.service
[Unit]
Description=Restore iptables rules
After=network.target
[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables-rules
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
sudo systemctl enable iptables-restore
```
Transmission Setup
```bash
sudo apt install -y transmission-daemon
sudo systemctl stop transmission-daemon
sudo nano /etc/transmission-daemon/settings.json
{
"download-dir": "/mnt/media/downloads",
"incomplete-dir": "/mnt/media/downloads/incomplete",
"incomplete-dir-enabled": true,
"rpc-username": "YOUR_USERNAME",
"rpc-password": "YOUR_PASSWORD",
"rpc-whitelist": "127.0.0.1,192.168.1.*",
"rpc-whitelist-enabled": true,
"bind-address-ipv4": "0.0.0.0",
"peer-port": 51413,
"encryption": 2,
"umask": 2,
"download-queue-enabled": true,
"download-queue-size": 5,
"ratio-limit": 2,
"ratio-limit-enabled": true
}
sudo mkdir -p /mnt/media/downloads/incomplete
sudo chown -R debian-transmission:debian-transmission /mnt/media/downloads
sudo nano /etc/systemd/system/transmission-daemon.service.d/override.conf
[Service]
Environment="BIND_ADDRESS_IPV4=YOUR_VPN_IP"
sudo systemctl daemon-reload
sudo systemctl start transmission-daemon
```
Plex Media Server Installation
```bash
echo deb https://downloads.plex.tv/repo/deb public main | sudo tee /etc/apt/sources.list.d/plexmediaserver.list
curl https://downloads.plex.tv/plex-keys/PlexSign.key | sudo apt-key add -
sudo apt update
sudo apt install plexmediaserver
sudo usermod -aG pi plex
sudo chown -R plex:plex /mnt/media
sudo nano /etc/ufw/applications.d/plexmediaserver
[plexmediaserver]
title=Plex Media Server
description=Plex Media Server
ports=32400/tcp|3005/tcp|5353/udp|8324/tcp|32410:32414/udp
sudo ufw allow plexmediaserver
```
Jellyfin Alternative
```bash
curl https://repo.jellyfin.org/debian/jellyfin_team.gpg.key | sudo apt-key add -
echo "deb [arch=$( dpkg --print-architecture )] https://repo.jellyfin.org/debian $( lsb_release -c -s ) main" | sudo tee /etc/apt/sources.list.d/jellyfin.list
sudo apt update
sudo apt install jellyfin
sudo systemctl enable jellyfin
sudo systemctl start jellyfin
sudo usermod -aG pi jellyfin
sudo chown -R jellyfin:jellyfin /mnt/media
```
Automated Torrent Management
We'll use Flexget for RSS automation:
```bash
pip3 install flexget
mkdir -p ~/.config/flexget
nano ~/.config/flexget/config.yml
tasks:
tv-shows:
rss: https://example.com/tv-shows.rss
accept_all: yes
transmission:
host: localhost
port: 9091
username: YOUR_USERNAME
password: YOUR_PASSWORD
path: /mnt/media/downloads/tv
sudo nano /etc/systemd/system/flexget.service
[Unit]
Description=Flexget Daemon
After=network.target
[Service]
Type=simple
User=pi
Group=pi
ExecStart=/usr/local/bin/flexget daemon start
ExecStop=/usr/local/bin/flexget daemon stop
ExecReload=/usr/local/bin/flexget daemon reload
[Install]
WantedBy=multi-user.target
sudo systemctl enable flexget
sudo systemctl start flexget
```
Monitoring & Maintenance
```bash
sudo apt install -y prometheus node-exporter grafana
nano ~/monitor.sh
#!/bin/bash
cpu_temp=$(vcgencmd measure_temp | cut -d= -f2 | cut -d"'" -f1)
load_avg=$(uptime | awk -F'load average:' '{ print $2 }')
disk_usage=$(df -h /mnt/media | tail -1 | awk '{print $5}')
echo "CPU Temperature: ${cpu_temp}°C"
echo "Load Average: ${load_avg}"
echo "Disk Usage: ${disk_usage}"
chmod +x ~/monitor.sh
crontab -e
*/5 * * * * ~/monitor.sh >> /var/log/system-stats.log
```
Security Hardening
```bash
sudo nano /etc/ssh/sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
LoginGraceTime 60
ssh-keygen -t ed25519 -C "mediaserver"
ssh-copy-id -i ~/.ssh/id_ed25519.pub pi@mediaserver
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw enable
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 3
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
Remote Access Setup
For secure remote access, we'll use Nginx as a reverse proxy:
```bash
sudo apt install -y nginx certbot python3-certbot-nginx
sudo nano /etc/nginx/sites-available/mediaserver
server {
listen 443 ssl;
server_name mediaserver.example.com;
ssl_certificate /etc/letsencrypt/live/mediaserver.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mediaserver.example.com/privkey.pem;
location /transmission/ {
proxy_pass http://127.0.0.1:9091/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /plex/ {
proxy_pass http://127.0.0.1:32400/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
sudo ln -s /etc/nginx/sites-available/mediaserver /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
sudo certbot --nginx -d mediaserver.example.com
```
Troubleshooting Common Issues
1. VPN Connection Drops
```bash
sudo wg show
sudo systemctl status wg-quick@wg0
sudo systemctl restart wg-quick@wg0
```
2. Transmission Not Starting
```bash
sudo journalctl -u transmission-daemon -n 50
sudo chown -R debian-transmission:debian-transmission /mnt/media/downloads
```
3. Plex Media Not Scanning
```bash
sudo journalctl -u plexmediaserver -n 100
sudo chown -R plex:plex /mnt/media
sudo systemctl restart plexmediaserver
```
4. High CPU Temperature
```bash
vcgencmd measure_temp
echo "conservative" | sudo tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
```
This guide provides a solid foundation for a Raspberry Pi media server. Remember to:
- Regularly backup configuration files
- Monitor system resources and temperatures
- Keep software updated
- Check logs for potential issues
- Test VPN kill switch periodically
The setup can be further customized with additional services like Sonarr, Radarr, or Jackett for enhanced media management.🎯 REAL VPN RANKINGS - NO BS ⚡ ONLY community-driven rating system on internet
⚡ 100% factual reviews - No paid placements
⚡ ZERO bias - Community votes decide rankings
⚡ EXCLUSIVE discounts negotiated for our audience!
SEE COMMUNITY RANKINGS → Join 50,000+ users who found their perfect VPN through real reviews
