GUIDE: Setting up Transmission with OpenVPN and PIA

Clinderw

Explorer
Joined
Aug 11, 2013
Messages
96
I must have messed up something - I created another new jail and the automated script worked that time.

One question: I don't see a .conf file in the /usr/local/etc/openvpn/ location. How would I change which server I'm connecting through for PIA?

Thanks
 

D G

Explorer
Joined
May 16, 2014
Messages
60
Look for the step in the guide where you copy the .ovpn file and change it to .conf. Run that command but substitute the first file for the server you are wanting. Be sure to add the pass.txt reference to the new file, though.

It is the last command of Step 21 in the OP.
 

Clinderw

Explorer
Joined
Aug 11, 2013
Messages
96
Sorry I wasn't clear. I used the script by Jafrey and it worked. However, I don't see the .conf file in the openvpn folder. Here is what I'm seeing.

My question is: where is the .conf file, or how do I switch which server I want to use?
[Attached screenshot: upload_2015-10-4_13-4-37.png]

Thanks
 

D G

Explorer
Joined
May 16, 2014
Messages
60
Clinderw said:
Sorry I wasn't clear. I used the script by Jafrey and it worked. However, I don't see the .conf file in the openvpn folder. Here is what I'm seeing.

My question is: where is the .conf file, or how do I switch which server I want to use?
[Attachment 8867]
Thanks

I could be blunt and tell you to read the script you used - it is well explained how it sets everything up for you.

That said, look at lines 85-87 of the script:

85. # Enable openvpn in rc.conf
86. echo 'openvpn_enable="YES"' >> /etc/rc.conf
87. echo 'openvpn_configfile="/usr/local/etc/openvpn/Switzerland.ovpn"' >> /etc/rc.conf

The script sets it up in rc.conf (located in /etc) to point openvpn to look for the config file at the name listed in step 87. Open up rc.conf, look at the openvpn_configfile entry, and change that to the desired server. Double check that .ovpn file to make sure it lists your pass.txt file for authentication. It looks like the script does this to each .ovpn file, but it would be good to check anyway.
 

Clinderw

Explorer
Joined
Aug 11, 2013
Messages
96
Doh #facepalm

Thanks - I should have looked through that. Thanks for explaining.
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50
I'm trying to install OVPN (for PIA) following these instructions and get this error:
Code:
[root@sabnzbd_1 /media]# /usr/local/etc/rc.d/openvpn start
bash: /usr/local/etc/rc.d/openvpn: No such file or directory


While checking the logs I get:
Code:
[root@sabnzbd_1 /media]# tail /var/log/messages
Oct 15 16:00:32 sabnzbd_1 pkg: serf upgraded: 1.3.7 -> 1.3.8
Oct 15 16:00:32 sabnzbd_1 pkg: libidn upgraded: 1.28_1 -> 1.31
Oct 15 16:00:32 sabnzbd_1 pkg: bash-4.3.42 installed
Oct 15 16:00:33 sabnzbd_1 pkg: aria2 upgraded: 1.18.7 -> 1.19.0
Oct 15 16:00:33 sabnzbd_1 pkg: subversion upgraded: 1.8.10_1 -> 1.8.14_2
Oct 15 16:00:37 sabnzbd_1 pkg: python27 upgraded: 2.7.8_4 -> 2.7.10
Oct 15 16:00:38 sabnzbd_1 pkg: wget upgraded: 1.15_1 -> 1.16.3
Oct 15 17:06:28 sabnzbd_1 pkg: nano-2.4.2 installed
Oct 15 17:15:24 sabnzbd_1 pkg-static: dialog4ports-0.1.5_2 installed
Oct 15 17:20:12 sabnzbd_1 pkg-static: m4-1.4.17_1,1 installed


I've done it twice now, without success.

D G said:
After even more research (I still don't know how you can add it manually), I found out that it is added during the installation process and something must have gone wrong. Sure enough, I ran the installer again and was able to catch some errors due to missing dependencies. Once I installed those packages, and re-installed openvpn, worked like a charm.

Can anyone (or D G themself) explain what they did to get this running?
 

D G

Explorer
Joined
May 16, 2014
Messages
60
I don't remember which packages were missing, but I tried to install openvpn a second time, and when it failed, I was able to find in the output in the console what dependencies were missing. I noted those and manually installed those (I don't remember if I did it through ports or pkg). Then I restarted the jail and installed openvpn again. That time it worked.
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50
I ran the script that was posted in this thread, and it did install a lot of dependencies which showed up on the list of dependencies on the openports site. However, the script is still failing, it doesn't modify my IP address.

I am still getting this error in console on the monitor the box is hooked up to:
Code:
sabnzbd_1: openvpn(471271): TLS Error:  TLS handshake failed.


I was getting this same error when I was trying to use OpenVPN through AirVPN (before I sub'd for a month of PIA to test). Any ideas what this could be?

EDIT: I forgot to upgrade some port forwarding, now getting a different error relating to "'auth' password cannot be from a file"
 
Joined
Oct 4, 2015
Messages
1
I am interested in using the port forward feature of PIA. I hacked together this script starting from the PIA script, and it seems to work (forwards port to Transmission). I am still learning FreeNAS and scripting so if anyone has a more elegant solution I would be interested.

(this runs inside the jail with OpenVPN and Transmission)

Code:
#! /usr/local/bin/bash
#
# Enable port forwarding
#
# Requirements:
#   your Private Internet Access user and password as arguments
#
# Usage:
#  ./port_forward.sh <user> <password>

error( )
{
  echo "$@" 1>&2
  exit 1
}

error_and_usage( )
{
  echo "$@" 1>&2
  usage_and_exit 1
}

usage( )
{
  echo "Usage: `dirname $0`/$PROGRAM <user> <password>"
}

usage_and_exit( )
{
  usage
  exit $1
}

version( )
{
  echo "$PROGRAM version $VERSION"
}


port_forward_assignment( )
{
  echo 'Loading port forward assignment information..'
  if [ "$(uname)" == "Linux" ]; then
    local_ip=`ifconfig tun0|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr -d "a-z :"|tee /tmp/vpn_ip`
    client_id=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
  fi
  if [ "$(uname)" == "FreeBSD" ]; then
    local_ip=`ifconfig tun0 | grep "inet " | cut -d\  -f2|tee /tmp/vpn_ip`
    client_id=`head -n 100 /dev/urandom | md5 -r | tr -d " -"`
  fi
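  # NOTE: --no-check-certificate turns off TLS certificate validation for a
  # request that carries the account password, and --post-data puts that
  # password in the process list while wget runs.
  json=`wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$client_id&local_ip=$local_ip" -O - 'https://www.privateinternetaccess.com/vpninfo/port_forward_assignment' | head -1`
  echo "$json"
  PORTNUM=`echo "$json" | grep -oE "[0-9]+"`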
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=1.0
USER=$1
PASSWORD=$2

while test $# -lt 2
do
  case $1 in
  --usage | --help | -h )
    usage_and_exit 0
    ;;
  --version | -v )
    version
    exit 0
    ;;
  *)
    error_and_usage "Unrecognized option: $1"
    ;;
  esac
  shift
done

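port_forward_assignment

# Stop here if the reply contained no port number
[ -n "$PORTNUM" ] || error "No port returned by PIA"

transmission-remote -p "$PORTNUM"

exit 0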

Newbie question:
Where does one save this script and does it need to be run at every start of openvpn? If so, how do we trigger it to run at openvpn start?
 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31
I found that the port would get closed on me every day or so. So I started some cron jobs to keep my port open and the torrents running.

Code:
#run the port forwarding script on p.2 of the other thread
jexec transmission_1 /usr/local/etc/pia_change_port_forward.sh

#reannounce all torrents
jexec transmission_1 transmission-remote -t all --reannounce

# resume all torrents
jexec transmission_1 transmission-remote -t all --start


The above commands need to be run as root, as per this other post I had.
 

Eric Ruud

Cadet
Joined
Jan 31, 2015
Messages
4
g00mbs said:
I found that the port would get closed on me every day or so. So I started some cron jobs to keep my port open and the torrents running.

Code:
#run the port forwarding script on p.2 of the other thread
jexec transmission_1 /usr/local/etc/pia_change_port_forward.sh

#reannounce all torrents
jexec transmission_1 transmission-remote -t all --reannounce

# resume all torrents
jexec transmission_1 transmission-remote -t all --start


The above commands need to be run as root, as per this other post I had.

Yes, I found it dropped connections occasionally; your cron jobs look better than mine. And good idea reannouncing the torrents, I forgot to do that. Mine are set to renew ports on the hour and restart OpenVPN every day, probably overkill.
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
0) Full script on gist. I made this for myself to automate a boring and long process. If you don't know what you're doing you should probably do it the 'hard' way first so you understand at least what the script is doing. It's also just for Private Internet Access (PIA) because I have PIA.

1) Tested on my: 9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #1 f8ed4e8: Fri Dec 19 20:25:35 PST 2014

2) Not responsible for this losing your data, formatting your drives or your wife leaving you. This is supposed to be run inside the jail. It requires at least curl or wget to be installed. Tested with Transmission plugin jail &

3) Code should work like this:

Code:
jls
jexec [JAILID] tcsh
cd /tmp
wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/jedediahfrey/6d475dcc34c710f62a7c/raw/d9e2c8f26da0da5ba4e347df1c0210fde42884a8/pia.sh
chmod +x pia.sh
./pia.sh




The end of the script should show you this:

Code:
Starting openvpn.
Waiting 10 seconds for OpenVPN to spin up
If these are different, OpenVPN is working
Old IP: 68.[x].[x].[x]
New IP: 179.[x].[x].[x]

I'm not sure what I'm doing wrong but I've tried this a couple times now and I can't seem to get it working.

The first time I tried it I ended up manually going through it but at the end I wasn't able to access any torrents which is why I tried your script. When I ran your script it gave me the right old IP at the end, but it gave me no new IP, it was just blank. The second time I ended up with the same IP on the old IP and the new IP. After running the script I also can't connect to any torrents on my transmission client and for some reason I also can't SSH into the jail any longer.

Is there a step I'm missing besides setting up transmission and then going through the OpenVPN steps?
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
Have you tried running OpenVPN directly and seen what it says?
What do you mean by directly?

Also, say I don't have a firewall set up, will I still need to set up ipfw?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I followed the procedure in first post, but at the first blue screen, I accidentally hit return before putting the X at PW_Save. I've tried going back and starting over but now it just skips that blue screen. What would I need to delete to get rid of any openvpn configuration files and truly start over?

Or is it possible to make that setting afterwards?

EDIT: I found it: /var/db/ports/security_openvpn/options needed to be deleted
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
And then it seems to be failing like this, after the tests:
Code:
===>  Staging for openvpn-2.3.8
===>   openvpn-2.3.8 depends on package: easy-rsa>=0 - not found
===>   easy-rsa-2.2.2 depends on executable: autoconf-2.69 - not found
===>   autoconf-2.69 depends on executable: gm4 - found
===>   autoconf-2.69 depends on executable: help2man - not found
===>   help2man-1.43.3_1 depends on package: p5-Locale-gettext>=0 - not found
===>  Installing for p5-Locale-gettext-1.06
===>   p5-Locale-gettext-1.06 depends on file: /usr/local/bin/perl5.16.3 - found
===>   p5-Locale-gettext-1.06 depends on shared library: libintl.so - found (/usr/local/lib/libintl.so)
===>  Checking if p5-Locale-gettext already installed
===>   Registering installation for p5-Locale-gettext-1.06 as automatic
pkg-static: Unable to access file /usr/ports/devel/p5-Locale-gettext/work/stage/usr/local/lib/perl5/site_perl/mach/5.16/auto/Locale/gettext/gettext.so: No such file or directory
pkg-static: Unable to access file /usr/ports/devel/p5-Locale-gettext/work/stage/usr/local/lib/perl5/site_perl/mach/5.16/Locale/gettext.pm: No such file or directory
pkg-static: Unable to access file /usr/ports/devel/p5-Locale-gettext/work/stage/usr/local/lib/perl5/site_perl/man/man3/Locale::gettext.3.gz: No such file or directory
*** [fake-pkg] Error code 74

Stop in /usr/ports/devel/p5-Locale-gettext.
*** [build-depends] Error code 1

Stop in /usr/ports/misc/help2man.
*** [install] Error code 1

Stop in /usr/ports/misc/help2man.
*** [build-depends] Error code 1

Stop in /usr/ports/devel/autoconf.
*** [build-depends] Error code 1

Stop in /usr/ports/security/easy-rsa.
*** [run-depends] Error code 1

Stop in /usr/ports/security/openvpn.
*** [install] Error code 1

Stop in /usr/ports/security/openvpn.
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
Do you need to do anything on the outside FreeNAS system to open up the tun? When I'm in my jail I have a tun device showing up when I run ifconfig but I can't ping out. My OpenVPN starts correctly and I've even tried it in a jail by itself without transmission. Other than setting up OpenVPN in the jail what else needs to be done? I'm not very knowledgeable at networking and I've looked around and there is just so much information I'm confused as to what advice I should follow. I found answers for FreeBSD where they talk about unhiding the tun but I know FreeBSD =/ FreeNAS. Do I need to change something on my router? I didn't think I needed to because when I used pia on my desktop in the past it didn't require any changes outside of my computer. What have you guys done besides installing OpenVPN in order to get this to work?
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
While rereading the thread I decided to try changing my resolv.conf, like mentioned earlier in the thread, to Google's 8.8.8.8, pinged out and was able to get a connection. Why would this make a difference? Why were my original values not working when they were working fine before starting OpenVPN? Also, will this change on its own? Do I need to do something extra to keep my DNS set to Google?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
STREBLO said:
While rereading the thread I decided to try changing my resolv.conf, like mentioned earlier in the thread, to Google's 8.8.8.8, pinged out and was able to get a connection. Why would this make a difference? Why were my original values not working when they were working fine before starting OpenVPN? Also, will this change on its own? Do I need to do something extra to keep my DNS set to Google?

Did you set up a firewall (ipfw)? If so, what are the rules?
 

STREBLO

Patron
Joined
Oct 23, 2015
Messages
245
Glorious1 said:
Did you set up a firewall (ipfw)? If so, what are the rules?

No, I was going to try it without and possibly set it up eventually.
 

Nodja

Dabbler
Joined
Dec 13, 2015
Messages
10
For the guys using port forwarding, I would like to let you know that the script on pg 2 is creating a new client id every time it runs, making PIA think you're using a different client, changing your port assignments.

To fix this run this in any terminal:
Code:
head -n 100 /dev/urandom | md5sum | tr -d " -"

Then replace the client_id value in lines 45 and 49 with the output of the command.

You will need to run the script at least once an hour so the port doesn't change. If you do this your port should only change if you get a new IP address assigned.

Here's my personal script. It is based on Eric's but it reads credentials from a file, where line 1 is the username, line 2 is the password and line 3 is the generated client id.

Code:
#! /usr/local/bin/bash
# 
# Script based on Eric Rudd's script at https://forums.freenas.org/index.php?threads/guide-setting-up-transmission-with-openvpn-and-pia.24566/page-2#post-174778
#
# Make sure you have a file named piacreds in the same directory as the script
# 1st line of the file is pia username, 2nd password and third client id
#
# to generate a new client id run
#   head -n 100 /dev/urandom | md5sum | tr -d " -"
# in any terminal
#

SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

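PROGRAM=`basename "$0"`
USER=`head -n 1 "$SCRIPTDIR/piacreds"`
PASSWORD=`head -n 2 "$SCRIPTDIR/piacreds" | tail -1`
CLIENT_ID=`head -n 3 "$SCRIPTDIR/piacreds" | tail -1`

# Address of the VPN tunnel interface (also saved to /tmp/vpn_ip)
local_ip=`ifconfig tun0 | grep "inet " | cut -d\  -f2 | tee /tmp/vpn_ip`
# NOTE: --no-check-certificate turns off TLS certificate validation for a
# request that carries the account password, and --post-data puts that
# password in the process list while wget runs.
json=`wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$local_ip" -O - "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment" | head -1`
PORTNUM=`echo "$json" | grep -oE "[0-9]+"`
# Stop here if the reply contained no port number
if [ -z "$PORTNUM" ]; then
  echo "No port returned by PIA: $json" 1>&2
  exit 1
fi
echo "$PORTNUM"
transmission-remote -p "$PORTNUM"

exit 0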


If you don't want to use a separate file you can just replace the values in the script.
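
Added example, not code from anyone in this thread: a variant of the port-forward refresh that keeps the client id stable across runs (the point made above), refuses a credentials file readable by other users, leaves TLS verification on, keeps the password out of the process list, and only hands Transmission a value that is a valid port. The file paths, the function names and the `{"port":N}` reply shape are assumptions.

```shell
#!/bin/sh
# Added example: hardened PIA port-forward refresh (paths are assumptions).
CREDS="${PIA_CREDS:-/usr/local/etc/piacreds}"   # line 1 user, line 2 password
IDFILE="${PIA_CLIENT_ID:-/usr/local/etc/pia_client_id}"
API='https://www.privateinternetaccess.com/vpninfo/port_forward_assignment'

# True only if the file exists and grants nothing to group or other.
private_file() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the stored client id, creating it once (mode 0600) if it is missing,
# so every later run presents the same id and keeps the same port.
client_id() {
  if [ ! -s "$1" ]; then
    (umask 077; od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$1")
  fi
  cat "$1"
}

# Accept only a reply carrying "port":<1-65535> (assumed shape); print the port.
parse_port() {
  p=$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9]\{1,5\}\)[^0-9].*/\1/p')
  [ -n "$p" ] && [ "$p" -ge 1 ] && [ "$p" -le 65535 ] && printf '%s\n' "$p"
}

refresh_port() {
  private_file "$CREDS" || { echo "$CREDS must be mode 0600" >&2; return 1; }
  ip=$(ifconfig tun0 | awk '/inet /{print $2; exit}')
  [ -n "$ip" ] || { echo "tun0 has no address; is the VPN up?" >&2; return 1; }
  body=$(mktemp) || return 1            # mktemp creates the file mode 0600
  # printf is a shell builtin, so the password never appears in argv.
  # Values are sent as-is: credentials containing & or % need URL-encoding.
  printf 'user=%s&pass=%s&client_id=%s&local_ip=%s' \
    "$(sed -n 1p "$CREDS")" "$(sed -n 2p "$CREDS")" "$(client_id "$IDFILE")" "$ip" > "$body"
  # No --no-check-certificate: needs a CA bundle (ca_root_nss on FreeBSD).
  json=$(wget -q --post-file="$body" -O - "$API" | head -1)
  rm -f "$body"
  port=$(parse_port "$json") || { echo "no port in reply: $json" >&2; return 1; }
  transmission-remote -p "$port"
}

# Run as "./pia_port.sh run"; with no argument the file only defines functions.
if [ "${1:-}" = "run" ]; then refresh_port; fi
```

An error reply that happens to contain digits is rejected by `parse_port` instead of being passed to `transmission-remote -p`.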
 