GUIDE: Setting up Transmission with OpenVPN and PIA

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Now that it's working I've noticed I get errors in /var/logs/messages frequently

Apr 25 19:33:31 transmission_1 transmission-daemon[41712]: Couldn't connect socket 28 to xxx.xxx.xxx.xxx, port 51413 (errno 13 - Permission denied) (net.c:290)

Any ideas what this is?
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
You can put both anywhere, but I recommend you put the port_forward.sh script in the root folder of the jail. That way it is easy to access if you need to fire it off manually.
To run the script, you can log into the jail, root folder, and type ./port_forward.sh
You can set up a cron job to do it every hour or so. Go into the regular WebGUI and set up the cron task:
jexec transmission_1 bash /port_forward.sh

Within the jail "./port_forward.sh" results in "./port_forward.sh: Command not found"
Running the cron results in "Apr 27 23:02:55 freenas cronjob: jexec: execvp: bash: No such file or directory"

I can't get the script to run at all from any location within the jail.
 

travanx

Explorer
Joined
Jul 1, 2014
Messages
62
Within the jail "./port_forward.sh" results in "./port_forward.sh: Command not found"
Running the cron results in "Apr 27 23:02:55 freenas cronjob: jexec: execvp: bash: No such file or directory"

I can't get the script to run at all from any location within the jail.

I have the exact same problem.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Within the jail "./port_forward.sh" results in "./port_forward.sh: Command not found"
Running the cron results in "Apr 27 23:02:55 freenas cronjob: jexec: execvp: bash: No such file or directory"

I can't get the script to run at all from any location within the jail.
Are you certain you are in the same directory as the script when you type ./port_forward.sh? Can you see it when you do ls -la?
Also, you may need to install bash in the jail. As I recall it is a bash script?
 

travanx

Explorer
Joined
Jul 1, 2014
Messages
62
Are you certain you are in the same directory as the script when you type ./port_forward.sh? Can you see it when you do ls -la?
Also, you may need to install bash in the jail. As I recall it is a bash script?

Since I have the same problem, I followed the instructions on the first page to install openvpn with PIA. Running ./port_forward.sh from the command line in the same directory says,

root@transmission_1:/ # ./portforward.sh
./portforward.sh: Permission denied.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
That's a different problem. Are you logged in to the jail as root? If so, I'm not sure what might be wrong.
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Dear god this is hard to setup. But I've finally got it working.

Code:
pkg install bash
Thanks Glorious1 for the tip!

Now I can run ./port_forward.sh fine. However, my next problem, and one that anyone who has set a password on the RPC for Transmission will also have, is that the port forward script does not support this and you will just get:
Code:
Unexpected response: <h1>401: Unauthorized</h1>Unauthorized User


So you need to modify the port forward script to support authenticated RPC. Here is my updated port_forward.sh with the following additions:
  1. Removed command line authentication and piacreds. Passwords are hard coded into the file - one file is easier to manage. Again thanks Glorious1 for the tip.
  2. Changed the call to transmission-remote to log in first
Code:
#! /usr/local/bin/bash
#
# Script also based on Nodja's script at https://forums.freenas.org/index.php?threads/guide-setting-up-transmission-with-openvpn-and-pia.24566/page-10#post-248580
#
# to generate a new client id run
#   head -n 100 /dev/urandom | md5 -r | tr -d " -"
# in any terminal
#
# usage: ./port_forward.sh
# note: you must install bash in the jail first "pkg install bash"

SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

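PROGRAM=$(basename "$0")
# PIA account credentials
USER=xxxxxxxxxxx
PASSWORD=xxxxxxxxxxx
# Transmission RPC credentials
RPCUSER=xxxxxxxxxxx
RPCPASSWORD=xxxxxxxxxxx
CLIENT_ID=xxxxxxxxxxx

# IP address of the VPN tunnel interface (also saved to /tmp/vpn_ip)
local_ip=$(ifconfig tun0 | grep "inet " | cut -d' ' -f2 | tee /tmp/vpn_ip)
# Ask PIA for the forwarded port; --no-check-certificate skips TLS verification of the server
json=$(wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$local_ip" -O - "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment" | head -1)
# Pull the port number out of the reply
PORTNUM=$(echo "$json" | grep -oE "[0-9]+")
echo "$PORTNUM"
# Log in to the Transmission RPC and set the peer port
transmission-remote --auth "$RPCUSER:$RPCPASSWORD" -p "$PORTNUM"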

exit 0


Additionally, here is a list of servers that port forwarding works with on PIA:
CA Toronto
CA North York
Netherlands
Sweden
Switzerland
France
Germany
Russia
Romania
Israel
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Dear god this is hard to setup. But I've finally got it working.
Hey, nobody said it was easy to be a computer geek. But how the girls do swoon! Glad you got it working.
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
A few niggling issues:
1) I get thousands of these in the /var/log/messages
Code:
Apr 25 19:33:31 transmission_1 transmission-daemon[41712]: Couldn't connect socket 28 to xxx.xxx.xxx.xxx, port 51413 (errno 13 - Permission denied) (net.c:290)

Not sure why. Port forwarding is setup and working. Anyone know how I can resolve this?

2) Every couple of days my jail loses the ability to resolve hostnames. So everything starts failing as it can only connect to direct IPs, name resolution is lost. The only way I can find to fix this is to restart the jail then it instantly starts working again.
Is there some initial setup of the networking / interfaces that I've missed when first installing FreeNAS?
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
I've also noticed the transmission plugin also seems to crash every few hours. I have to restart the jail to get it working again. I can't see any errors in /var/log/messages. Any ideas where else I could look to see why it's constantly crashing?

Edit: Solved. Was crashing due to buffers. Have added a sysctl to modify the udp buffers under Tunables. See gist. You can do this in the FreeNAS GUI now. New tunable > type=sysctl > name/value,
i.e. name=kern.ipc.maxsockbuf and value=5242880
Restart the NAS or it won't do anything.

Code:
# Setup buffers
# can do this under Freenas GUI Tunables > select sysctl as the type
# echo 'kern.ipc.maxsockbuf=5242880' >> /etc/sysctl.conf
# echo 'net.inet.udp.recvspace=4194304' >> /etc/sysctl.conf
 

Jamie_A

Dabbler
Joined
Feb 8, 2013
Messages
10
**EDIT - The great people on this forum have created an easy to use script (Link to Script by Jafrey) that automates what I outline below. I'd recommend doing it the 'hard way' once to understand what's happening, then use the automated script from then on. Thanks Jafrey!

Here's my first attempt at making an actual guide for PrivateInternetAccess (PIA) and OpenVPN.

I'm going to assume you are:
  • A subscriber to PIA
  • Have a username (henceforth USER1)
  • Have a password (henceforth PASSWRD)
  • Have transmission set up with storages attached. (probably add this portion later but check out here until then: Awesome Link)
    Note - you don't have to add the DLNA, Sickbeard or Couchpotato for the following guide to work.
  • Can get Transmission to download items by adding a torrent in some manner.
  • Want Transmission to use OpenVPN to connect to the PIA servers

You'll need this URL: https://www.privateinternetaccess.com/openvpn/openvpn.zip
FYI - it's the files we're going to download in the jail.

Basically we're going to install OpenVPN, creating a Portsnap OpenVPN version that allows us to save our username (USER1) and password (PASSWRD) to a txt file that will be used every time the OpenVPN service is started.

HERE WE GO!
Code:
##Step 1: SSH into freenas. (I use PuTTy)

##Step 2: Get a list of jails
root@freenas ~# jls
JID    IP Address    Hostname             Path
4        -           transmission_1       /mnt/<volumename>/jails/transmission_1

##Step 3: jexec into the jail (mine happens to be 4 - yours may vary)
root@freenas ~# jexec 4 tcsh
root@transmission_1:/ #

##Step 4: install bash. May be prompted several times - reply Y then press enter each time.
root@transmission_1:/ # pkg install bash

##step 5: install nano. Again, may be prompted several times. Reply Y each time.
root@transmission_1:/ # pkg install nano

##Step 6: move to the /etc folder.
root@transmission_1:/ # cd /etc
root@transmission_1:/etc #

##Step 7: Fetch Portsnap via portsnap fetch
root@transmission_1:/etc # portsnap fetch

## This will take a while to download and ask for several prompts - you know the drill.

Code:
##Step 8: Extract Ports to /usr/ports
root@transmission_1:/etc # portsnap extract

## This will also take a long time and A LOT of scrolling will happen. It's normal.

##Step 9: Navigate to /usr/ports/security/openvpn
root@transmission_1:/etc # cd /usr/ports/security/openvpn
root@transmission_1:/usr/ports/security/openvpn #

##Step 10: Make a clean install which allows us to set the option of a password file.
root@transmission_1:/usr/ports/security/openvpn # make install clean

## Blue screen should appear. Press the DOWN arrow and the SPACE bar to
## ensure the [ ] next to PW_Save (5th option down) has an X in it.
## It should look like this:
x+[X] PW_Save   Interactive passwords may be read from a file
## Then press Enter. Lots of things should happen now -
## and it will look like it's hanging. It's not. Just taking a while.

We've successfully created an OpenVPN that will have interactive passwords read from a file.
Yeay!
Now to set it up.

Code:
##Step 11: go to root directory of the transmission_1 jail.
root@transmission_1:/usr/ports/security/openvpn # cd /
root@transmission_1:/ #

##Step 12: Enter Bash
root@transmission_1:/ # bash
[root@transmission_1 /]#
##Step 13: Make a directory for OpenVPN & our files we download from PIA
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn
##Step 14: Add lines to the rc.conf so OpenVPN starts when the jail starts.
[root@transmission_1 /]# cd /etc
##note - Ctrl+O will write the file and Ctrl+X will exit.
[root@transmission_1 /etc]# nano rc.conf

##File is open.
##Add the following (can copy/paste using ctrl+C then right clicking in the shell)

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

##Write via Ctrl+O. Press Enter
##Exit via Ctrl+X.
Code:
##Step 15: Move to a new folder (helps me keep things straight)
[root@transmission_1 /etc]# cd /media/
[root@transmission_1 /media]#

##Step 16: wget the PIA files, you'll likely need to add --no-check-certificate so it will actually download.
[root@transmission_1 /media]# wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate

##Step 17: unzip the PIA openvpn files.
[root@transmission_1 /media]# unzip openvpn.zip

##Step 18: make a pass.txt file to hold your username and password.
[root@transmission_1 /media]# nano pass.txt

##Nano will pop up. ONLY type in the following (substituting your REAL username and password of course)
USER1
PASSWRD

##Press Ctrl+o. call it pass.txt. then enter. then Ctrl+X

##Step 19: Configure the .ovpn file of your selected server. (I did UK London)
[root@transmission_1 /media]# nano "UK London.ovpn"

## On the auth-user-pass line add pass.txt after it like so:
auth-user-pass pass.txt

####Press Ctrl+o. call it UK London.ovpn. then enter. then Ctrl+X

Getting very close to being done.
Code:
##Step 20: skipped.

##Step 21: Move the fixed PIA files into the correct folder we just created
##The actual OpenVPN files we created earlier.
##ca.crt next
[root@transmission_1 /media]# cp /media/ca.crt /usr/local/etc/openvpn/ca.crt
##crl.pem next
[root@transmission_1 /media]# cp /media/crl.pem /usr/local/etc/openvpn/crl.pem
##our pass.txt file we created
[root@transmission_1 /media]# cp /media/pass.txt /usr/local/etc/openvpn/pass.txt
##finally renaming the <Server>.ovpn file to .conf file --- You'll have to use "" around the name if there is a space in it.
[root@transmission_1 /media]# cp /media/"UK London.ovpn" /usr/local/etc/openvpn/openvpn.conf

Now to see if it works!!
Code:
[root@transmission_1 /]# /usr/local/etc/rc.d/openvpn start
Starting OpenVPN

WORKED FOR ME (5 times).

Also - shoutout to a LOT of people on here. There are several works I used to make this:
LIKE this amazing post by mjws00

Great post! ..thanks. Could this method be adapted for use with other VPN providers? (..in my case, Giganews/VyprVPN) ..or is it PIA-specific?

Jamie.
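
The guide above leaves the PIA login in pass.txt (in both /media and /usr/local/etc/openvpn), and the port_forward.sh posted earlier hard-codes the RPC password; a file saved from nano under the usual umask of 022 is readable by every user in the jail. The check below is an added example, not part of the guide or of any post; `cred_files_exposed` is a hypothetical name and the default paths are the ones used in this thread.

```shell
#!/bin/sh
# Added example: list credential files that group or other can access.
# cred_files_exposed is a hypothetical helper; default paths come from this thread.

# Prints "<mode> <path>" for each exposed file and returns 1 if any was found.
cred_files_exposed() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue            # skip paths that do not exist here
        # ls -ld shows the mode as e.g. -rw-r--r--; characters 5-10 are the
        # group and other bits. cut drops any trailing ACL marker (+ or .).
        mode=$(ls -ld -- "$f" | cut -c1-10)
        case "$mode" in
            ????------) ;;                 # owner-only access
            *) printf '%s %s\n' "$mode" "$f"; rc=1 ;;
        esac
    done
    return "$rc"
}

# With no arguments, check the files this guide creates.
[ "$#" -gt 0 ] || set -- /usr/local/etc/openvpn/pass.txt /media/pass.txt /port_forward.sh
cred_files_exposed "$@" || echo "fix with: chmod 600 pass.txt; chmod 700 port_forward.sh"
```

The working copy left in /media after Step 21 is a second copy of the same password and can be deleted once OpenVPN starts from /usr/local/etc/openvpn.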
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Great post! ..thanks. Could this method be adapted for use with other VPN providers? (..in my case, Giganews/VyprVPN) ..or is it PIA-specific?
Jamie.

Works with any provider so long as you can get the relevant openvpn configuration files (substitute the .ovpn files in this guide) and the relevant certificates. See step 21. You need the ca.crt and crl.pem.

Code:
##Step 21: Move the fixed PIA files into the correct folder we just created
##The actual OpenVPN files we created earlier.
##ca.crt next
[root@transmission_1 /media]# cp /media/ca.crt /usr/local/etc/openvpn/ca.crt
##crl.pem next
[root@transmission_1 /media]# cp /media/crl.pem /usr/local/etc/openvpn/crl.pem
##our pass.txt file we created
[root@transmission_1 /media]# cp /media/pass.txt /usr/local/etc/openvpn/pass.txt
##finally renaming the <Server>.ovpn file to .conf file --- You'll have to use "" around the name if there is a space in it.
[root@transmission_1 /media]# cp /media/"UK London.ovpn" /usr/local/etc/openvpn/openvpn.conf 
 

vizir

Cadet
Joined
May 17, 2016
Messages
4
ok complete noob first post. i've set everything up but i need to make sure transmission only accesses the world through VPN. so something about ipfw rules.. port forwarding.. cron job.. i got everything working but i was wondering if there is an updated guide on exactly how to set all this up or if there is something easier by now. i hope you understand how this looks to me scrolling through posts from 3 years ago
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
Is there a way to make it impossible to reach the internet UNLESS openvpn is working?

I changed my VPN password and forgot to update this solution. Then discovered that Transmission was running outside of the VPN. This makes me wonder if it also occasionally starts transferring outside of VPN if/when the VPN stutters.
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Yes, set up IPFW. See https://gist.github.com/verisgit/16825ab5bd1726d5020f8fd7e2672340

There is no 'do everything for me' script out there. Including the one posted next by amasey. That doesn't work either; you will still need to make a whole range of changes to get it working perfectly.

IPFW is what you want to make sure the jail can't talk to the Internet without the VPN.

You can also see previous posts by Glorious1 who created the IPFW info for us.

Is there a way to make it impossible to reach the internet UNLESS openvpn is working?

I changed my VPN password and forgot to update this solution. Then discovered that Transmission was running outside of the VPN. This makes me wonder if it also occasionally starts transferring outside of VPN if/when the VPN stutters.
 

lazybones

Dabbler
Joined
Jan 16, 2016
Messages
45
Hi there, seems like an awesome guide, however I cannot find the PW_Save when I do a clean install of OpenVPN, any solutions to this?=)
 

verinas

Dabbler
Joined
Mar 29, 2016
Messages
34
Hi there, seems like an awesome guide, however I cannot find the PW_Save when I do a clean install of OpenVPN, any solutions to this?=)
You don't need to. It's set in the script already.
Code:
echo "_FILE_COMPLETE_OPTIONS_LIST=DOCS EASYRSA EXAMPLES PKCS11 PW_SAVE OPENSSL POLARSSL" >> /var/db/ports/security_openvpn/options
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806

I tried that. But, it looks like it requires starting it from CLI. I'd like a solution that boots up ready to go. I imagine it's pretty easy for someone to set up who knows the os. But, I'm not on that level with this system...

Yes, set up IPFW. See https://gist.github.com/verisgit/16825ab5bd1726d5020f8fd7e2672340

There is no 'do everything for me' script out there. Including the one posted next by amasey. That doesn't work either; you will still need to make a whole range of changes to get it working perfectly.

IPFW is what you want to make sure the jail can't talk to the Internet without the VPN.

You can also see previous posts by Glorious1 who created the IPFW info for us.

Thank you. I looked at the script. It looks like there is a dependency for the IPFW part. It references ipfw_rules. Where do I get that? And how do I integrate just the IPFW part into what I already have working? I have it booting up and using OpenVPN (updated the password). But, would still like to add IPFW to ensure that it doesn't fail and leak information.
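
What the IPFW part asked about here can look like, as an added example that is not taken from the linked gist or from any post in this thread: a shell function that prints a deny-by-default ruleset allowing only loopback, the LAN, the VPN endpoint and the tunnel interface. `kill_switch_rules` is a hypothetical name, the LAN range, endpoint address and port in the usage line are constructed placeholders, and UDP transport for OpenVPN is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the gist): emit an ipfw ruleset that
# drops everything from the jail except loopback, LAN, VPN endpoint and tunnel.
# Assumption: OpenVPN runs over UDP to a single endpoint address.

# kill_switch_rules LAN_CIDR VPN_IP VPN_PORT [TUN_IF]
kill_switch_rules() {
    lan="$1"; vpn_ip="$2"; vpn_port="$3"; tun="${4:-tun0}"

    # Reject malformed input instead of emitting rules that fail to load.
    case "$lan" in */*) ;; *) echo "LAN must be CIDR, e.g. 192.168.1.0/24" >&2; return 1 ;; esac
    case "$vpn_ip" in ''|*[!0-9.]*) echo "VPN endpoint must be an IPv4 address" >&2; return 1 ;; esac
    case "$vpn_port" in ''|*[!0-9]*) echo "VPN port must be numeric" >&2; return 1 ;; esac

    # 100: loopback. 200: anything inside the tunnel.
    # 300/310: LAN access, so the web UI and a LAN DNS resolver stay reachable.
    # 400: the only packets allowed out of the physical interface to the
    #      Internet are the encrypted OpenVPN packets themselves.
    # 65000: everything else is dropped, so a dead tunnel means no traffic.
    cat <<EOF
ipfw -q -f flush
ipfw -q add 00100 allow ip from any to any via lo0
ipfw -q add 00200 allow ip from any to any via $tun
ipfw -q add 00300 allow ip from me to $lan keep-state
ipfw -q add 00310 allow ip from $lan to me keep-state
ipfw -q add 00400 allow udp from me to $vpn_ip $vpn_port keep-state
ipfw -q add 65000 deny ip from any to any
EOF
}

# If openvpn.conf names the server by hostname, that lookup must be answered
# by a resolver on the LAN, because nothing else is reachable before tun0 is up.
# Constructed usage: sh this_file 192.168.1.0/24 203.0.113.10 1194 > /etc/ipfw.rules
if [ "$#" -ge 3 ]; then kill_switch_rules "$@"; fi
```

Writing the output to a file and setting `firewall_enable="YES"` and `firewall_script` to that file's path in the jail's /etc/rc.conf loads the rules when the jail starts, so nothing has to be started from the CLI.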
 

lazybones

Dabbler
Joined
Jan 16, 2016
Messages
45
I am not sure if this is an issue that I have caused or what has caused it at all but I followed the guide and it seemed to work but I woke up today and found out that none of my torrents were seeding at all. "ifconfig" showed that the tunnel was still active so I dunno.

If anyone knows how to maybe troubleshoot this I wouldn't mind knowing :)
 