GUIDE: Setting up Transmission with OpenVPN and PIA

[UK_Dave]

Hi UK_Dave,

I am having exactly the same issue with FreeBSD ifconfig failed as shown in your post. And I also had tried to install a VPN on my freenas to allow me VPN access from outside. What did you do to solve the issue? I have deleted and recreated a jail multiple times gone through the whole process only to find the identical issue at the end.

Thanks in Advance
Steve

Hi Steve,

I've not been able to get both a VPN client and server running on my NAS box yet but I've not really looked into it after getting my PIA VPN working again - it is on my to do list though so I'll post back if / when I ever work out how to do it. I'm really not familiar with FreeBSD, FreeNAS and OpenVPN so there's a few things stacked against me! I think the problem might be that both the VPN client and server are trying to use the tun0 interface, I had originally assumed that the jail created this but I've read things that suggest it might be the FreeNAS root that handles this but I really don't know enough at the moment to say.

Sorry I can't be more help

 

[tobylh]

Right. After reading Dave's update to his thread, I was also trying to setup an OpenVPN server in it's own jail.
After deleting the whole jail with the OpenVPN server, the service would start correctly, but I couldn't ping, for example, kat.cr which is blocked by my ISP.
I solved this by editing the nameserver in/etc/resolv.conf to 8.8.8.8. That seems to have fixed the problem and has stopped any DNS leak that might have been occurring.
Just need to remember to change it again on reboot...

 

[Wirefree]

Hi, I am sure this is a simple or foolish issue, but when trying to get OpenVPN working through the script everything goes fine until the step it tries to download the openvpn.zip file from PIA. I am a bit stumped. The freenas box clearly is able to download all the other packages so internet connection is fine. Looking at the error message, it appears that wget connects to PIA, but 403 Forbidden says it isn't going to send the file. From my desktop machine the file downloads correctly. Any thoughts?

Code:

root@transmission_1:/media # wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
--2015-09-13 21:53:49--  https://www.privateinternetaccess.com/openvpn/openvpn.zip
Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... ::ffff:146.112.61.106, 146.112.61.106
Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|::ffff:146.112.61.106|:443... failed: Invalid argument.
Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|146.112.61.106|:443... connected.
WARNING: no certificate subject alternative name matches
        requested host name 'www.privateinternetaccess.com'.
HTTP request sent, awaiting response... 403 Forbidden
2015-09-13 21:53:49 ERROR 403: Forbidden.

 

[UK_Dave]

As a workaround why not just copy the files from your desktop over to your jail?

Are you able to ping the pia address from your nas jail or any external addresses?

 

[tobylh]

Looks like there's something weird going on with your DNS.
I get https://www.privateinternetaccess.com/ resolving to an entirely different IP address

Code:

--2015-09-14 14:33:49--  https://www.privateinternetaccess.com/openvpn/openvpn.zip
Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... 69.192.64.38
Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|69.192.64.38|:443... connected.
WARNING: cannot verify www.privateinternetaccess.com's certificate, issued by 'CN=Verizon Akamai SureServer CA G14-SHA2,OU=Cybertrust,O=Verizon Enterprise Solutions,L=Amsterdam,C=NL':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 11425 (11K) [application/zip]
Saving to: 'openvpn.zip'

openvpn.zip         100%[=====================>]  11.16K  --.-KB/s   in 0s  

2015-09-14 14:33:49 (254 MB/s) - 'openvpn.zip' saved [11425/11425]

Yours is trying to resolve to ::ffff:146.112.61.106, which, according to this page, is some sort of OpenDNS block page.
Try changing your DNS to 8.8.8.8 (Google's DNS servers) in /etc/resolv.conf, then run the script again.
That should fix it.

 

[Wirefree]

As a workaround why not just copy the files from your desktop over to your jail?

Are you able to ping the pia address from your nas jail or any external addresses?

Thanks Dave, I gave that a shot.

I did copy over the openvpn.zip file manually, however this still did not result in success. The script finishes, but the openvpn service isn't running and will not start when I try manually to start it. To you other question, yes I could ping PIA from inside the jail. So I am continuing to try and work through this.

Thanks again for your comments, everything helps.

 

[Wirefree]

Looks like there's something weird going on with your DNS.
I get https://www.privateinternetaccess.com/ resolving to an entirely different IP address

Code:

--2015-09-14 14:33:49--  https://www.privateinternetaccess.com/openvpn/openvpn.zip
Resolving www.privateinternetaccess.com (www.privateinternetaccess.com)... 69.192.64.38
Connecting to www.privateinternetaccess.com (www.privateinternetaccess.com)|69.192.64.38|:443... connected.
WARNING: cannot verify www.privateinternetaccess.com's certificate, issued by 'CN=Verizon Akamai SureServer CA G14-SHA2,OU=Cybertrust,O=Verizon Enterprise Solutions,L=Amsterdam,C=NL':
  Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 11425 (11K) [application/zip]
Saving to: 'openvpn.zip'

openvpn.zip         100%[=====================>]  11.16K  --.-KB/s   in 0s 

2015-09-14 14:33:49 (254 MB/s) - 'openvpn.zip' saved [11425/11425]

Yours is trying to resolve to ::ffff:146.112.61.106, which, according to this page, is some sort of OpenDNS block page.
Try changing your DNS to 8.8.8.8 (Google's DNS servers) in /etc/resolv.conf, then run the script again.
That should fix it.

I will look into this. I do have DNS filtering on the router and OpenDNS would normally try and block PIA. However, I did remove the Freenas box from that filter and it should be accessing normally. I will try and reboot everything so that any stored settings get cleared and in a worst case, I might just start with a fresh Transmission jail. I will give an update later what ends up fixing this.

Thanks again.

 

[Wirefree]

Ok, this is probably unrelated, but when trying to SSH back to the Jail I get the following:

Code:

[root@freenas] ~# jls
   JID  IP Address      Hostname                      Path
     2  -               plexmediaserver_1             /mnt/UberServer/jails/plexmediaserver_1
     4  -               transmission_1                /mnt/UberServer/jails/transmission_1
[root@freenas] ~# jexec 4 tsch
jexec: execvp(): tsch: No such file or directory

If not appropriate for this thread, I could start a different one. I hate when you go to fix one problem and you end up with another.

 

[UK_Dave]

Ok, this is probably unrelated, but when trying to SSH back to the Jail I get the following:

Code:

[root@freenas] ~# jls
   JID  IP Address      Hostname                      Path
     2  -               plexmediaserver_1             /mnt/UberServer/jails/plexmediaserver_1
     4  -               transmission_1                /mnt/UberServer/jails/transmission_1
[root@freenas] ~# jexec 4 tsch
jexec: execvp(): tsch: No such file or directory

If not appropriate for this thread, I could start a different one. I hate when you go to fix one problem and you end up with another.

I think that should be 'tcsh'

Also I prefer to install bash and use that

 

[Wirefree]

I think that should be 'tcsh'

Also I prefer to install bash and use that

Sorry, that was truly foolish of me. Working fine of course now.

 

[UK_Dave]

Sorry, that was truly foolish of me. Working fine of course now.

Haha no problem, easily done!

 

[Wirefree]

Finally working. Ended up being an issue with the DNS filtering on the router. Started a new jail, made sure the filtering was off, and the script ran correctly. Thanks for the help.

 

[Michael Sparks]

0) Full script on gist. I made this for myself to automate a boring and long process. If you don't know what you're doing you should probably do it the 'hard' way first so you understand at least what the script is doing. It's also just for Private Internet Access (PIA) because I have PIA.

1) Tested on my: 9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #1 f8ed4e8: Fri Dec 19 20:25:35 PST 2014

2) Not responsible for this losing your data, formatting your drives or your wife leaving you. This is supposed to be run inside the jail. It requires at least curl or wget to be installed. Tested with Transmission plugin jail &

3) Code should work like this:

Code:

jls
jexec [JAILID] tcsh
cd /tmp
wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/jedediahfrey/6d475dcc34c710f62a7c/raw/d9e2c8f26da0da5ba4e347df1c0210fde42884a8/pia.sh
chmod +x pia.sh
./pia.sh

The end of the script should show you this:

Code:

Starting openvpn.
Waiting 10 seconds for OpenVPN to spin up
If these are different, OpenVPN is working
Old IP: 68.[x].[x].[x]
New IP: 179.[x].[x].[x]

Just wanted to say thanks for all the work you and other contributes put into creating this, it makes my life so much easier! Works exactly as stated!

 

[Limitedheadroom]

I am interested in using the port forward feature of PIA. I hacked together this script starting from the PIA script, and it seems to work (forwards port to Transmission). I am still learning FreeNAS and scripting so if anyone has a more elegant solution I would be interested.

(this runs inside the jail with OpenVPN and Transmission)

exit 0

Complete n00b question here. How do I run this script? I have copied it and pasted it into a document with text wrangler, saved it as portforward.sh I have placed this in /tmp in my transmission jail, and that is where I get stuck.

Thanks

 

[Limitedheadroom]

OK so I think I've answered my own question.

./portforward.sh followed by my username and password.

Only thing is I get an error saying invalid user, but I KNOW my username is correct as I'm copying and pasting it, and I've double/tripple checked.

 

[UK_Dave]

Complete n00b question here. How do I run this script? I have copied it and pasted it into a document with text wrangler, saved it as portforward.sh I have placed this in /tmp in my transmission jail, and that is where I get stuck.

Thanks

you don't need to copy and paste anything out of the original post other than the commands shown in the first code section of this reply. It tells you exactly how to run it.

If you've copied those commands into a script then you would run it by typing './portforward.sh' I think

edit: if you're still having trouble please list the exact commands you've entered

 

[Limitedheadroom]

Thnks Dave, I found that reply, can't beieve I missed it before.

Not sure the port forward script is working for me. It gives a different port number each time I run it and when I enter them into Transmission it still says port is blocked.

 

[D G]

I'm having the some problem that was mentioned in post #144...

[root@transmission_1 /]# service openvpn start
openvpn does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)
[root@transmission_1 /]#

I'm at a loss as to how to add the service to that directory...transmission has an entry there, but openvpn doesn't exist in the /usr/local/rc.d directory. What did I do wrong?

 

[D G]

After even more research (I still don't know how you can add it manually), I found out that it is added during the installation process and something must have gone wrong. Sure enough, I ran the installer again and was able to catch some errors due to missing dependencies. Once I installed those packages, and re-installed openvpn, worked like a charm.

 

[Clinderw]

Thanks for the helpful tutorial. I've tried this three times and none of them have been successful. Are there other settings not discretely called out that should be taken into consideration.

Not successful = OpenVPN failed to start

3 attempts:
1. Inside an existing jail the long way
2. Inside an empty jail the long way
3. Inside an empty jail using the 4 line script (awesome by the way)

I'm not sure if there is a log i can pull to see where its failing - if there is one can anyone point me in the right direction?

Thanks