GUIDE: Setting up Transmission with OpenVPN and PIA

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Not having much luck with this so far. I've installed from the script twice and both times after running it appears to all be working but I have no connectivity once OpenVPN starts up.
It's probably best to do it manually so you understand what is going on and can troubleshoot more effectively. I would stop and delete the jail and start from scratch. Also read through this thread thoroughly as there are ideas for fixing things.
I don't know what "PPTP/L2TP/SOCKS Username and Password" means. I just used the user and pw provided by PIA.
 
Joined
Feb 25, 2016
Messages
7
I second Glorious1's suggestion for the same reasons. And using PIA it is safe to ignore the PPTP/L2TP/SOCKS option in the PIA control panel. That has nothing to do with what you are trying to do.
 

travanx

Explorer
Joined
Jul 1, 2014
Messages
62
I must be doing something wrong with the port forward script. Can someone explain where I should put that .sh and the piacreds file and how to run it?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I must be doing something wrong with the port forward script. Can someone explain where I should put that .sh and the piacreds file and how to run it?
You can put both anywhere, but I recommend you put the port_forward.sh script in the root folder of the jail. That way it is easy to access if you need to fire it off manually.

As far as piacreds, I don't see any point in that. It is easier and, in my opinion, just as secure, to put the user and password right in the script. Like:
USER=l123456
PASSWORD=2345tyujklk

To run the script, you can log into the jail, root folder, and type ./port_forward.sh
You can set up a cron job to do it every hour or so. Go into the regular WebGUI and set up the cron task:
jexec transmission_1 bash /port_forward.sh
 

Castigo

Dabbler
Joined
Oct 28, 2015
Messages
30
Hi,

Sorry to barge in...

I followed the initial guide on 9.3 and it worked like a charm. I had to reinstall and I'm going through the process again. I seem to be unable to select "PW_Save" when I do a clean install of openvpn; the option is no longer there...

Has something changed in the interim? Have I missed something?

Thanks!
 

Castigo

Dabbler
Joined
Oct 28, 2015
Messages
30
Still, I can't really get it to work... I've used both the script and followed the manual procedure and it just won't work. No new IP, ip leak returns my home IP...

Just out of curiosity, my transmission jail has vimage disabled and I assigned to it a Static IP. Could it be a problem with the vpn? I guess not, but any input is well accepted. Thanks! :)
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Still, I can't really get it to work... I've used both the script and followed the manual procedure and it just won't work. No new IP, ip leak returns my home IP...

Just out of curiosity, my transmission jail has vimage disabled and I assigned to it a Static IP. Could it be a problem with the vpn? I guess not, but any input is well accepted. Thanks! :)
No, I have a static IP for my transmission jail also (assigned in Jails > Edit Jail) and everything works fine.
I have no idea what VIMAGE is, but it seems to be checked by default, and I left it that way.

Otherwise, I think it is very difficult to troubleshoot remotely, not knowing exactly what you've done. There are many details you glossed over, and that's where the devil is. If I were you, I would provide a very detailed, clear description of what you have done.

If you start over, I think it's a good idea to stop the jail and delete it. Then start from the beginning. And do it manually so you know what is going on.
 

Castigo

Dabbler
Joined
Oct 28, 2015
Messages
30
Hi Glorious1, you're right, I should have been a little more detailed. But I did follow the manual instructions at the top of this thread with no deviation via SSH.

The only difference is that during the installation of openvpn I cannot select the PSW option, but as the doc states in my previous post it should be enabled by default in the latest distro of openvpn.

So, the service starts, transmission works, but there is no IP masking. User and Passw in text.txt are correct, config is correct. So I deleted the plugin and the jail, and I used the script at post #3 on page one. No dice, the old IP and new IP are the same.

I have been experiencing problems with plugin and jail setup in 9.10, the only way to get them to work was to set static IPs to the relative jails and, in the case of transmission, disable vimage.

So, the way I see it, there are two possible problems:

A) Openvpn does not really read user and pass from pass.txt, so there's no real login, in which case I need to find a workaround to force login

B) the static setup I needed to use in 9.10, contrary to 9.3, messes with openvpn and does not allow it to run properly.

That's my two cents. I'm going to upgrade now to the new version of 9.10 that showed up tonight (well, it was night here) and see what happens.

Ciao soci and thanks for any input!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
So, the service starts, transmission works, but there is no IP masking. User and Passw in text.txt are correct, config is correct. So I deleted the plugin and the jail, and I used the script at post #3 on page one. No dice, the old IP and new IP are the same.
OK, well I'm still on 9.3 so don't know if 9.10 would mess things up. Maybe someone else on 9.10 can chime in. But I suspect most likely something else isn't right. Let's run down a few things to check.
  1. You refer to old and new IP. How are you checking them? How do you know that it's not working?
  2. You called your user/password file 'text.txt', then later 'pass.txt'. Whichever it is, make sure the file name and the reference to it in openvpn.conf (the line 'auth-user-pass pass.txt') are the same.
  3. You referred to your 'config'. That should be named 'openvpn.config'. I can't tell if you're using shorthand or you've named it wrong.
  4. Make sure you also have the files ca.crt and crl.pem
  5. All these files should be in /usr/local/etc/openvpn
  6. Make sure your /etc/rc.conf has these lines. This probably has to be redone after any OS update.
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
    firewall_enable="YES"
    firewall_type="/pathto/your/ipfw_rules"
  7. Check your firewall rules. Here are mine, and they work (your local IP and user will be different):
    add 00010 allow all from any to any via tun0 uid tranny
    add 00101 allow all from me to 192.168.0.0/24 via epair* uid tranny
    add 00102 allow all from 192.168.0.0/24 to me via epair* uid tranny
    add 00107 deny all from any to any uid tranny
  8. Restart your jail.
  9. See if ipfw is running: service ipfw start What does it return?
  10. See if openvpn is running: service openvpn start What does it return?
 

Castigo

Dabbler
Joined
Oct 28, 2015
Messages
30
Hi!

1) With the magnet file from checkmyip or whatever it's called. Also, if you follow the scripted procedure, it will show you at the end of the setup an 'old IP' and a 'new IP' as proof that the VPN is working.
2) Done
3) It's correct, just writing fast
4) check
5) yap
6) I didn't have to set up firewall rules before, I didn't do it now... I'll look into that!
8) done
9) the service was running, confirmed
10) "starting openvpn"

Ok, that's what I'm going to do, just for a laugh. Update freenas, new plugin and new jail and start from scratch with the manual procedure. I'll give it a try tonight.

Hey, many thanks for your help and your time! Much appreciated! I'll post when I'm done with the new install!

:)
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Yes, you certainly need firewall rules. I don't remember what the default is, but it's not what you want. And, the response to #10 shows that openvpn wasn't even running.

Rather than rebuild from scratch, I would make a rules file and make sure /etc/rc.conf is set up as shown, then stop and restart everything. The commands in that file make sure things start when the jail starts. Cross your fingers, it might work fine.

I put the ipfw rules file in my jail storage so I can open the file through a regular share and edit it easily.
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
Thanks for all the information on this. I think I have it set up.

Couple questions:

My ipfw -show returns:

Code:
ipfw show
00010 2872646 2431241762 allow ip from any to any via tun0 uid transmission
00100       0          0 allow ip from any to any via lo0
00101    4644    4861139 allow ip from me to 10.0.1.0/24 via epair* uid transmission
00102    5808    1655354 allow ip from 10.0.1.0/24 to me via epair* uid transmission
00107      85       5004 deny ip from any to any uid transmission
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       0          0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 3875416 2642268327 allow ip from any to any


my ipfw_rules:

Code:
cat ipfw_rules
add 00010 allow all from any to any via tun0 uid transmission
add 00101 allow all from me to 10.0.1.0/24 via epair* uid transmission
add 00102 allow all from 10.0.1.0/24 to me via epair* uid transmission
add 00107 deny all from any to any uid transmission


I am a bit confused as to where the IPv6 rules and the last rule are coming from.

Also, what is the best way to verify that the VPN is active and that all transmission traffic is going through the VPN?

Thank you all again!!

Cheers,
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I am a bit confused as to where the IPv6 rules and the last rule are coming from.

Also, what is the best way to verify that the VPN is active and that all transmission traffic is going through the VPN?
IPFW apparently inserts its own rules with yours. But I wouldn't worry, I think yours are in the right order in the full set to do what you want.

I think the most certain way to verify is to use the special torrents available for that purpose. They tell you what your IP is in torrent-land. It should be your VPN's outward facing IP, not the one you get from your internet provider.
https://torguard.net/checkmytorrentipaddress.php
http://ipmagnet.services.cbcdn.com
The latter also assigns you a URL that you can use later to see a short log of your IP over time.
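
The rule-order question discussed above (the jail's own rules interleaved with the ones ipfw adds, ending in `65535 allow ip from any to any`) and the earlier firewall checklist can both be checked mechanically. This is an added example, not code from any poster in this thread: `audit_killswitch`, `sample_good` and `sample_no_deny` are hypothetical names, and the sample rules are constructed from the `ipfw show` output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit `ipfw show` output for the
# per-user kill switch. On the jail: ipfw show | audit_killswitch transmission
audit_killswitch() {
    awk -v uid="$1" '
    {   # columns: rule-number packets bytes action proto from ... [uid name]
        sub(/[ \t]+$/, "")
        mine = ($0 ~ ("(^| )uid " uid "( |$)"))
        if (mine && $4 == "allow" && / via tun[0-9]+ / && tun == "") { tun = $1; hits = $2 }
        if (mine && $4 == "deny" && / from any to any / && deny == "") deny = $1
        # first rule that passes everything for every user and interface
        if ($4 == "allow" && / from any to any$/ && open == "") open = $1
    }
    END {
        if (tun == "")  { print "FAIL: no allow rule via tun for uid " uid; bad = 1 }
        if (deny == "") { print "FAIL: no deny-all rule for uid " uid; bad = 1 }
        if (tun != "" && deny != "" && tun + 0 > deny + 0) {
            print "FAIL: deny rule " deny " comes before tun rule " tun; bad = 1 }
        if (open != "" && deny != "" && open + 0 < deny + 0) {
            print "FAIL: rule " open " allows everything before deny rule " deny; bad = 1 }
        if (tun != "" && hits + 0 == 0)
            print "WARN: tun rule " tun " has matched 0 packets for uid " uid
        if (!bad) print "OK: uid " uid " passes rule " tun ", blocked by rule " deny
        exit bad + 0
    }'
}

# Constructed sample, modelled on the `ipfw show` output posted in the thread.
sample_good() { cat <<'EOF'
00010 2872646 2431241762 allow ip from any to any via tun0 uid transmission
00100       0          0 allow ip from any to any via lo0
00101    4644    4861139 allow ip from me to 10.0.1.0/24 via epair* uid transmission
00102    5808    1655354 allow ip from 10.0.1.0/24 to me via epair* uid transmission
00107      85       5004 deny ip from any to any uid transmission
65535 3875416 2642268327 allow ip from any to any
EOF
}
# Same ruleset with the deny rule missing, as if that line had failed to load.
sample_no_deny() { sample_good | grep -v ' deny '; }

sample_good | audit_killswitch transmission
```

A zero packet count on the tun rule means either no traffic has flowed yet or the daemon runs as a different user than the one named in the rules.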
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
Thank you.

My IP verified to be a PIA address. Yippee.

Not really sure why I did not do this sooner!! Would recommend this to ANYONE!! PIA speed seems to be totally fine.

Cheers,
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Still having some issues with mine.

When openvpn is running my DNS stops working. As soon as openvpn starts I can no longer resolve addresses so transmission stops working, I can't check my IP, etc.

Additionally, when ipfw is running - I can't access the transmission WebGUI anymore. It seems the connections are blocked. I can obviously still SSH. When I check netstat it's empty with ipfw running.

My router is 192.168.1.1
My IPs for jails, other servers, etc go all the way from 192.168.1.2 to 192.168.1.100 then DHCP goes from 192.168.1.100 onwards.

edit: I'm also on 9.10

I believe the connection to the VPN is correctly spinning up - I can see a PIA IP in the /var/log/messages output when it starts up. So I assume openvpn is actually running and authenticating. But the logs are crap. Is there somewhere I can access better logs? Like we can with this other script https://github.com/amussey/FreeNAS-Transmission-OpenVPN which seems to dump detailed openvpn logs into the openvpn folder.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I'm not sure I fully understand, verinas, what does it mean to check your IP in this context? Assuming you have correct IPFW rules and they are not getting loaded, perhaps you need to make sure the path/filename of the rules matches exactly what is in etc/rc.conf. Did you check the other stuff in my post above?
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
I'm not sure I fully understand, verinas, what does it mean to check your IP in this context? Assuming you have correct IPFW rules and they are not getting loaded, perhaps you need to make sure the path/filename of the rules matches exactly what is in etc/rc.conf. Did you check the other stuff in my post above?

Firstly, thanks for taking the time to help.

In regards to checking my IP address, I just meant I can't run "wget -qO- http://wtfismyip.com/text" or similar as I can't resolve any hostnames when OpenVPN is running. That's my only remaining issue; once I can get to the bottom of that one, everything will work, I think.

The VPN is working as I can see this in /var/log/messages Apr 25 10:17:39 transmission_1 openvpn[29662]: [Private Internet Access] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
I was able to find an IP service that works with a direct IP (icanhazip.com) "wget http://64.182.208.181/" which shows me having the IP from PIA so that part all appears to be running properly.

I've also resolved the issue with IPFW blocking access to the Transmission WebGUI. It was a stupid error: I copied your ipfw config and forgot to change the x.x.0.0 to x.x.1.0. I've copied it below in case I've missed anything else.

All I need to do now is figure out why the jail can't resolve any hostnames. Do you think it's anything to do with the uid? I've changed transmission to run as media using this guide.

Code:
root@transmission_1:/usr/local/etc/openvpn # ipfw show
00010    0      0 allow ip from any to any via tun0 uid media
00100    0      0 allow ip from any to any via lo0
00101  232 229136 allow ip from me to 192.168.1.0/24 via epair* uid media
00102  217  85503 allow ip from 192.168.1.0/24 to me via epair* uid media
00107    0      0 deny ip from any to any uid media
00200    0      0 deny ip from any to 127.0.0.0/8
00300    0      0 deny ip from 127.0.0.0/8 to any
00400    0      0 deny ip from any to ::1
00500    0      0 deny ip from ::1 to any
00600    0      0 allow ipv6-icmp from :: to ff02::/16
00700    0      0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800    0      0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900    0      0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000    0      0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 5168 991070 allow ip from any to any
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Think I just resolved it (pardon the pun). I edited my /etc/resolv.conf and changed it to Google's DNS instead of my ISP's, and now I can resolve addresses. Slight problem though. Every time I restart the Jail the file is overwritten back to my ISP's settings even though I've changed it in the freenas config. Any ideas on that one?
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Ok I think I've got it working. I've edited the /etc/dhclient.conf file to stop it overwriting the resolv.conf constantly.

Code:
# $FreeBSD: releng/10.3/etc/dhclient.conf 85575 2001-10-27 03:14:37Z rwatson $
#
#       This file is required by the ISC DHCP client.
#       See ``man 5 dhclient.conf'' for details.
#
#       In most cases an empty file is sufficient for most people as the
#       defaults are usually fine.
#
supersede domain-search "local";
supersede domain-name-servers 8.8.8.8, 8.8.4.4;


Seems to be persisting the new changes after boot.
 