Securing Your Indexers

Always-On VPN with Custom systemd Scripts

This post documents how I believe you should be securing your indexers: primarily Prowlarr, Sonarr and Radarr, along with the automation services that depend on them, behind an always-on VPN using custom systemd scripts.

These services do not download torrents themselves, but they make constant outbound requests to indexers and third-party APIs. I don’t want that traffic coming directly from my home IP.

The goal is simple and strict: if the VPN isn’t up, the indexers should not be running.

What This Setup Is Responsible For

This setup covers:

  • Prowlarr (indexer management)
  • Sonarr and Radarr (which depend on indexers)

It explicitly does not cover:

  • Torrent clients
  • Port forwarding
  • Download traffic

Those concerns belong to a separate system and will be covered in a dedicated “Securing the Torrent Box” article.

Why Indexers Need to Be Secured

Indexer traffic may look harmless, but it is:

  • Frequent
  • Automated
  • Highly identifiable over time

Search queries, RSS polling, and metadata lookups all build a profile. Even without torrent traffic, I prefer to isolate that activity behind a VPN endpoint.

Why This Uses Custom systemd Scripts

This guide intentionally uses a native OpenVPN + systemd approach.
The reason is control.

  • I can guarantee startup order
  • I can force hard dependencies
  • I can see exactly what fails and why

For a small, always-on Linux box, this approach is simple, explicit, and predictable.

Using PIA Manual Connections

This setup relies on Private Internet Access’s official manual OpenVPN connection scripts.
These scripts handle authentication, server selection, DNS configuration, and tunnel setup without requiring the PIA desktop client.

If you want to understand how these scripts work, customize regions or protocols, or troubleshoot connection issues, the official documentation lives here:
https://github.com/pia-foss/manual-connections

That repository is maintained by PIA and is the authoritative reference for the workflow used in this guide.

Creating the pia.env File

The manual connection scripts are interactive by default, which will cause systemd services to hang indefinitely.

To avoid that, credentials are provided via an environment file that systemd can load at startup.

sudo nano /etc/pia.env

Add your credentials:

PIA_USER=p1234567
PIA_PASS=your_password_here

Then lock the file down:

sudo chmod 600 /etc/pia.env
sudo chown root:root /etc/pia.env

PIA OpenVPN systemd Service

This custom service (referred to as pia-vpn.service in the overrides later in this guide) ensures the VPN starts on boot and automatically restarts if it fails.

[Unit]
Description=Start PIA VPN on boot
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Environment="VPN_PROTOCOL=openvpn"
Environment="PIA_DNS=true"
Environment="DISABLE_IPV6=yes"
EnvironmentFile=/etc/pia.env
ExecStart=/path/to/manual-connections/run_setup.sh
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

Ensuring Indexers Only Start After the VPN

This is the most important enforcement step.
Indexer-dependent services must not start unless the VPN is already active.

Edit each service override:

sudo systemctl edit prowlarr
sudo systemctl edit sonarr
sudo systemctl edit radarr

Add the following:

[Unit]
After=pia-vpn.service
Requires=pia-vpn.service

This creates a hard dependency. If the VPN fails to start, the indexers stay down. No fallback. No accidental leaks.

Failure Behavior

If the VPN drops:

  • The VPN service restarts automatically
  • Indexer services remain stopped until it recovers
  • No indexer traffic leaves the system unprotected

This behavior is boring — and that’s exactly what you want.
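
A quick way to audit the gating described above, as an added example that is not part of the original post: it reports whether a unit is ordered after and tied to pia-vpn.service, and whether egress traffic leaves through a tunnel device. It distinguishes Requires= from BindsTo= because, per systemd.unit(5), Requires= stops dependents when the required unit is explicitly stopped or restarted, while BindsTo= also stops them when that unit goes inactive on its own. The sample outputs, the tun* interface pattern and the 1.1.1.1 probe address are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit VPN gating of indexer units.
VPN_UNIT="pia-vpn.service"          # unit name used in the post's override
UNITS="prowlarr sonarr radarr"

# lists_vpn "a.service b.service": true if the VPN unit is in the list.
lists_vpn() { case " $1 " in *" $VPN_UNIT "*) return 0 ;; *) return 1 ;; esac; }

# prop NAME TEXT: value of NAME= in `systemctl show` output.
prop() { printf '%s\n' "$2" | sed -n "s/^$1=//p"; }

# gating TEXT: prints bound | required | ungated for one unit's properties.
# A unit without After= on the VPN unit counts as ungated: it can start first.
gating() {
    if ! lists_vpn "$(prop After "$1")"; then echo ungated
    elif lists_vpn "$(prop BindsTo "$1")"; then echo bound
    elif lists_vpn "$(prop Requires "$1")"; then echo required
    else echo ungated; fi
}

# route_dev TEXT: egress interface from `ip route get <addr>` output.
route_dev() { printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1; }

# egress_ok TEXT: true only if traffic leaves through a tun* interface
# (assumption: the OpenVPN tunnel appears as a tun device).
egress_ok() { case "$(route_dev "$1")" in tun*) return 0 ;; *) return 1 ;; esac; }

# Constructed sample outputs so the script runs offline.
SAMPLE_PROPS='Requires=pia-vpn.service system.slice sysinit.target
After=network.target pia-vpn.service basic.target'
SAMPLE_ROUTE='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0'

if [ "${1:-}" = "--live" ]; then
    # Query the running system instead of the constructed samples.
    for u in $UNITS; do
        echo "$u: $(gating "$(systemctl show -p Requires -p BindsTo -p After "$u")")"
    done
    egress_ok "$(ip route get 1.1.1.1)" && echo "egress: tunnel" || echo "egress: NOT via tunnel"
else
    echo "sample unit: $(gating "$SAMPLE_PROPS")"
    egress_ok "$SAMPLE_ROUTE" && echo "sample egress: tunnel"
fi
```

Run it with --live on the indexer box; "required" means the override from this guide is in place, and "ungated" on any unit means it can start or keep running without the VPN unit.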

Final Thoughts

Securing your indexers doesn’t require complex networking or firewall rules. It requires strict ordering and refusing to run when the environment is unsafe. Custom systemd scripts provide that control.

There is a cleaner long-term approach using Docker with a dedicated VPN gateway such as Gluetun. That setup is more flexible and scales better, but it deserves a full article of its own.

If you want a VPN that works well on Linux and supports OpenVPN cleanly, Private Internet Access is what I use.
