FN11.3 iocage jails - Plex, Tautulli, Sonarr, Radarr, Lidarr, Jackett, Transmission, Organizr

[Mannekino]

My custom port forwarding script is up and running without any issues; it based on the official scripts, are they not working for you or are you using something else?

I used an old one, but it worked prior to the update from OpenVPN and the switch to the nextgen servers.

I've tried downloading those scripts you linked. They wouldn't run at first in the jail because #!/bin/bash didn't work, so I changed it to #!/bin/sh and now I get the following error when running the get_region_and_token.sh script.

Code:

# ./get_region_and_token.sh
./get_region_and_token.sh: 23: Syntax error: "(" unexpected

Als when I run the run_setup.sh script I can't get past the first entry, after I enter my username the script terminates with an error that says I didn't enter my password.

Code:

# ./run_setup.sh

PIA username (pNNNNNNN): test

PIA password: read: Illegal option -s

Password is required, aborting.

There must be something wrong with my Jail or maybe I don't have the required packages. I did install everything they said in the README.md file.

Don't know how to proceed. Could you share your script and OpenVPN configuration?

 

[rawkus]

Getting a weird error when creating a plex jail. anyone else have this error?

 

[dak180]

I used an old one, but it worked prior to the update from OpenVPN and the switch to the nextgen servers.

The next gen servers do not handle port forwarding in the same way as previous gen so that is understandable.

They wouldn't run at first in the jail because #!/bin/bash didn't work, so I changed it to #!/bin/sh and now I get the following error when running the get_region_and_token.sh script.

keep in mind bash is not sh; you likely do not have bash installed in the jail (or it is a different path).

Could you share your script and OpenVPN configuration?

The openvpn configuration should not matter as long as it works and is running in the same jail as the script is run from.

 

[Mannekino]

The next gen servers do not handle port forwarding in the same way as previous gen so that is understandable.

keep in mind bash is not sh; you likely do not have bash installed in the jail (or it is a different path).

The openvpn configuration should not matter as long as it works and is running in the same jail as the script is run from.

Thank you, I'm looking at your script to try and understand it. From what I'm seeing this script would be for the nextgen servers?

I have a couple questions:

• Is there a typo in the required packages information? There is a package bas64 should this be base64?
• What should the contents be of the vpnUser variable? OpenVPN runs under root in my Jail but Transmission runs under a different user. Should I put OpenVPN under the same user, or is it fine to keep it under root? If so, how do I change the user for OpenVPN?
• What should the contents be for the pass.txt file? Right now it's my username on line one, and my password on line two, keep it like this?

 

[dak180]

Thank you, I'm looking at your script to try and understand it. From what I'm seeing this script would be for the nextgen servers?

Yes.

Is there a typo in the required packages information? There is a package bas64 should this be base64?

Yes; this should be fixed now.

What should the contents be of the vpnUser variable? OpenVPN runs under root in my Jail but Transmission runs under a different user. Should I put OpenVPN under the same user, or is it fine to keep it under root? If so, how do I change the user for OpenVPN?

The script assumes that openvpn and transmission are running in the same jail and that you are using ipfw (or something like it) to keep transmission from accessing the outside world except through the vpn (there are the rules for that in there too); the rules for that are based on restricting what a given user (transmission) can do. So any user that is restricted to accessing the outside world through the vpn is fine.

What should the contents be for the pass.txt file? Right now it's my username on line one, and my password on line two, keep it like this?

That is correct; it is intended that it should use the same file that is used by openvpn itself for that info.

 

[AirborneTrooper]

Getting a weird error when creating a plex jail. anyone else have this error?


View attachment 42447

Create the jail without trying to install any of the app part and then try

Code:

iocage exec jailname"mkdir -p /usr/local/etc/pkg/repos"
iocage exec jailname"nano /usr/local/etc/pkg/repos/FreeBSD.conf"

FreeBSD: {
    url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest"
},

iocage exec jailname pkg upgrade

 

[Mannekino]

The script assumes that openvpn and transmission are running in the same jail and that you are using ipfw (or something like it) to keep transmission from accessing the outside world except through the vpn (there are the rules for that in there too); the rules for that are based on restricting what a given user (transmission) can do. So any user that is restricted to accessing the outside world through the vpn is fine.

Thank you so much for your help so far. I've managed to setup a OpenVPN connection using the nextgen servers by using the PIA configuration files as provided here. I chose the 4th generation servers with strong encryption. I also managed to get your port forwarding script to work, I had to make some adjustments because I'm using a username and password for my Transmission.

I do have a couple of warnings and errors in the log from OpenVPN that I'd like to fix. Here are they:

Code:

Nov  3 12:55:34 transmission2 openvpn[99294]: GDG6: problem writing to routing socket: No such process (errno=3)
Nov  3 12:55:34 transmission2 openvpn[99294]: TUN/TAP device /dev/tun0 opened
Nov  3 12:55:34 transmission2 openvpn[99294]: /sbin/ifconfig tun0 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx mtu 1500 netmask 255.255.255.0 up
Nov  3 12:55:34 transmission2 openvpn[99294]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
Nov  3 12:55:34 transmission2 openvpn[99294]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0

And unfortunately after a couple of minutes I started to see a bunch of error in the log and suddenly the port was no longer open again in Transmission. Maybe it's due to the IPv6 errors.

Many of both these types of errors. Do you have any idea how I can fix this?

Code:

Nov  3 12:26:18 transmission2 transmission-daemon[21795]: Couldn't connect socket 53 to 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, port xxxxx (errno 49 - Can't assign requested address) (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3.00/libtransmission/net.c:340)
Nov  3 12:26:21 transmission2 transmission-daemon[21795]: Couldn't connect socket 50 to 2001:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx, port xxxxx (errno 49 - Can't assign requested address) (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3.00/libtransmission/net.c:340)
Nov  3 12:26:22 transmission2 openvpn[96198]: AEAD Decrypt error: bad packet ID (may be a replay): [ #808615 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Nov  3 12:26:22 transmission2 openvpn[96198]: AEAD Decrypt error: bad packet ID (may be a replay): [ #808616 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

With regard to IPFW, I tested and saw that I have that command available in my Jail so I assume that is a feature that is enabled/available by default, is that correct?

I'm not using any firewall on the Jail right now to prevent Transmission from accessing the Internet when the OpenVPN connection goes down. This has been on my to-do list for a while.

Is all I need your IPFW script and change the variables to match my Jail?

If I run that script, are those changes permanent or will it reset to what I have now after I restart the Jail?

 

[dak180]

Is all I need your IPFW script and change the variables to match my Jail?

If you want to see how I have setup my jail you can check the script I use for that, though I would suggest specifying different network configurations, mount points and MAC addresses.

 

[Mannekino]

You don't have the IPv6 issues I mentioned above? I've been trying to disable it now for about 3 hours in the Transmission Jail with no success unfortunately.

 

[Mannekino]

If you want to see how I have setup my jail you can check the script I use for that, though I would suggest specifying different network configurations, mount points and MAC addresses.

@colmconn seems have found the solution for my IPv6 problem here: https://www.truenas.com/community/threads/pia-and-openvpn-v2-5.88459/#post-613173

Very cool.

But now I'm hitting the problem that the port closes after 15 minutes. I assume I would have to make the pia-port-foward.sh run every 10 minutes via a cron job?

 

[colmconn]

I don't know if it will help with your problem (I don't use port forwarding, but I was having trouble with my openvpn dying after no activity so I added the following to my ovpn file:

Code:

## Try to keep the link alive by pinging every 60 seconds if
## nothing is sent across the tunnel. Any server side
## provided keep-alive or ping and ping-restart options will
## override this keep-alive directive
keepalive 60 120

## run the up/down script on restarts of the tun interface. Hopefully
## this will eliminate DNS resolution issues
up-restart

With the exception of the IPv6 lines all of this is in the script I posted in another thread to auto configure PIA openvpn. See https://www.truenas.com/community/threads/tun-disappeared-after-upgrading.88330/post-611913

 

[dak180]

But now I'm hitting the problem that the port closes after 15 minutes. I assume I would have to make the pia-port-foward.sh run every 10 minutes via a cron job?

That is by design with the new system; 10 mins would work but you could even run it as often as 2 mins if you like, it would not hurt anything.

 

[Mannekino]

@dak180 I got everything up and running now and after about 13 hours the connection is still up and the port is open. I wrote everything I did here: https://github.com/pia-foss/manual-connections/issues/30#issuecomment-721326610

I haven't implemented the IPFW rules yet. Maybe I'll try to test your IPFW script today to see if that works.

Edit:

@dak180 is there a typo in your ipfw.rules script also perhaps? Should the line cmd="ipfw -q" be cmd="ipfw -q add"?

Edit 2:

After applying the IPFW rules I'm getting a couple of messages like this in my log.

Code:

transmission-daemon[21963]: Couldn't connect socket 74 to xxx.xxx.xxx.xxx, port xxxxx (errno 13 - Permission denied) (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3.00/libtransmission/net.c:340)

Not sure why this is happening only incidentally.

 

[jag131990]

The sonarr jail I built using the guide has become inaccessible for me with "ERR_CONNECTION_REFUSED". I suspect it was due to older version of mono I was still running but radarr works fine. Anyone else suddenly experience this with sonarr?

 

[jag131990]

The sonarr jail I built using the guide has become inaccessible for me with "ERR_CONNECTION_REFUSED". I suspect it was due to older version of mono I was still running but radarr works fine. Anyone else suddenly experience this with sonarr?

I've resolved this issue by upgrading to mono 6.8 and moving to newer sonarr V3 (pkg install sonarr-devel)

 

[AirborneTrooper]

I've resolved this issue by upgrading to mono 6.8 and moving to newer sonarr V3 (pkg install sonarr-devel)

I think once these instructions are updated it will include the quick mono upgrade fix I posted about on page 46. Sonarr v3 and Radarr v3 are fantastic.

 

[rknaub]

Looking forward to an updated guide for TrueNAS 12. I updated the other day and just can't get things back to the way they were before. Ended up having to re-create every jail (except plex!). While everything works ok, Radarr and Sonarr are renaming and copying files ok, I cannot for the life of me figure out how to make them delete the old folders that they renamed, so I end up with two copies of everything that downloads. Latest Mono is installed, jails are on the 12.1-Release. Anyone else having these problems?

 

[rknaub]

Looking forward to an updated guide for TrueNAS 12. I updated the other day and just can't get things back to the way they were before. Ended up having to re-create every jail (except plex!). While everything works ok, Radarr and Sonarr are renaming and copying files ok, I cannot for the life of me figure out how to make them delete the old folders that they renamed, so I end up with two copies of everything that downloads. Latest Mono is installed, jails are on the 12.1-Release. Anyone else having these problems?

I fixed this by upgrading both radar and sonar to v3!

 

[dak180]

Edit:

@dak180 is there a typo in your ipfw.rules script also perhaps? Should the line cmd="ipfw -q" be cmd="ipfw -q add"?

No; that script is exactly what I currently run.

After applying the IPFW rules I'm getting a couple of messages like this in my log.

Code:
transmission-daemon[21963]: Couldn't connect socket 74 to xxx.xxx.xxx.xxx, port xxxxx (errno 13 - Permission denied) (/wrkdirs/usr/ports/net-p2p/transmission-daemon/work/transmission-3.00/libtransmission/net.c:340)


Not sure why this is happening only incidentally.

Sounds like it is trying to make a connection that is being blocked by the firewall which would be by design.

 

[Mannekino]

No; that script is exactly what I currently run.

Weird, when I put the script in like you have I get these error messages in console:

Code:

ipfw: bad command `allow'
ipfw: bad command `allow'
ipfw: bad command `allow'
ipfw: bad command `allow'
ipfw: bad command `deny'
Firewall rules loaded.
Firewall logging enabled.

So I looked at what might be wrong and found on this website (https://www.freebsd.org/doc/handbook/firewalls-ipfw.html) a snippet of the a script that had this in it: cmd="ipfw -q add" after I changed that line in your script it did work.

Do you have any idea why your script as is would not work for me?

Sounds like it is trying to make a connection that is being blocked by the firewall which would be by design.

For privacy reasons I removed the IP and port in that bit of the log, but that is the IP from the VPN and the forwarded port. That's why I thought something wasn't right, with this new information, do you still think it's by design or maybe if there might be something wrong?[/CODE]