-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
GUIDE: Setting up Transmission with OpenVPN and PIA
- Thread starter Tango
- Start date
When the port is open already i get this message in cli or under log
Transmission Port Forward 2016-12-22-16:15:00
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up.
Open port detected
When the port is closed and VPN is up i get this message
Transmission Port Forward 2016-12-22-16:05:00
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up.
Closed port detected
curl: try 'curl --help' or 'curl --manual' for more information
localhost:9091/transmission/rpc/ responded: "success"
Transmission Port Forward 2016-12-22-16:10:00
Connection to google.com 80 port [tcp/http] succeeded!
Transmission Port Forward 2016-12-22-16:15:00
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up.
Open port detected
When the port is closed and VPN is up i get this message
Transmission Port Forward 2016-12-22-16:05:00
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up.
Closed port detected
curl: try 'curl --help' or 'curl --manual' for more information
localhost:9091/transmission/rpc/ responded: "success"
Transmission Port Forward 2016-12-22-16:10:00
Connection to google.com 80 port [tcp/http] succeeded!
Michael Sparks
Explorer
- Joined
- Apr 23, 2014
- Messages
- 56
0) Full script on gist. I made this for myself to automate a boring and long process. If you don't know what you're doing you should probably do it the 'hard' way first so you understand at least what the script is doing. It's also just for Private Internet Access (PIA) because I have PIA.
1) Tested on my: 9.3-RELEASE-p5 FreeBSD 9.3-RELEASE-p5 #1 f8ed4e8: Fri Dec 19 20:25:35 PST 2014
2) Not responsible for this losing your data, formatting your drives or your wife leaving you. This is supposed to be run inside the jail. It requires at least curl or wget to be installed. Tested with Transmission plugin jail &
3) Code should work like this:
Code:jls jexec [JAILID] tcsh cd /tmp wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/jedediahfrey/6d475dcc34c710f62a7c/raw/d9e2c8f26da0da5ba4e347df1c0210fde42884a8/pia.sh chmod +x pia.sh ./pia.sh
The end of the script should show you this:
Code:Starting openvpn. Waiting 10 seconds for OpenVPN to spin up If these are different, OpenVPN is working Old IP: 68.[x].[x].[x] New IP: 179.[x].[x].[x]
Link is dead to script. Please renew :)
Michael Sparks
Explorer
- Joined
- Apr 23, 2014
- Messages
- 56
For some reason the script is not executing for me or something is wrong with the script (which I doubt because it was working perfectly in the past, and I doubt you changed it). This is with the new link to the script.
In transmission jail I execute the following:
cd /tmp
wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/...f18484225b0676fe0c556e7798cc08cdc7a631/pia.sh
chmod +x pia.sh
./pia.sh
Nothing happens. I can see that I downloaded the file and have changed the permissions via "ls -l" -rwxr-xr-x 1 root wheel 0 Jan 4 08:58 pia.sh
Any ideas?
Thanks
Stanbreezy
Cadet
- Joined
- Dec 29, 2015
- Messages
- 1
Code:
wget --quiet --no-check-certificate -O pia.sh https://gist.githubusercontent.com/jed-frey/6d475dcc34c710f62a7c/raw/fcf18484225b0676fe0c556e7798cc08cdc7a631/pia.sh
So what seems to be the concensus on getting something setup... seems there's lots of options with scripts, etc. Ideally what I'd like is a given jail to use VPN and only have access to the internet thru the VPN. Ideally have access to local network as well (for couch potato interface/etc). I'd like for it to be self serving (ie reconnect when disconnected) and disallow all internet traffic obviously when disconnected.
Thanks
Thanks
Wisdom
Explorer
- Joined
- Oct 15, 2016
- Messages
- 71
Hey ya'll
Short problem:
Transmission doesn't have an open port under the sun, so I can add but never actually start anything. Even the ip-checking stuff doesn't do jack. It seems like I need to find the correct port to forward through PIA, so I've ended up here. If there's an easy solution to getting the ports to open and actually getting some internet access through PIA to my transmission, then that would be great. Otherwise, read on.
Long problem:
I'm running into an issue when this:
is pointing to
I get a
I'm also having issues when trying to update my IPFW settings, as evidently ipfw isn't an acceptable command (even with the appropriate syntax).
Any advice, or more information I can supply?
Short problem:
Transmission doesn't have an open port under the sun, so I can add but never actually start anything. Even the ip-checking stuff doesn't do jack. It seems like I need to find the correct port to forward through PIA, so I've ended up here. If there's an easy solution to getting the ports to open and actually getting some internet access through PIA to my transmission, then that would be great. Otherwise, read on.
Long problem:
I'm running into an issue when this:
! /usr/local/bin/bash
#
# Script also based on Nodja's script at https://forums.freenas.org/index.php?threads/guide-setting-up-transmission-with-openvpn-and-pia.24566/page-10#post-248580
#
# to generate a new client id run
# head -n 100 /dev/urandom | md5 -r | tr -d " -"
# in any terminal
#
# usage: ./port_forward.sh
# note: you must install bash in the jail first "pkg install bash"
SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
PROGRAM=`basename $0`
USER=xxxxxxx
PASSWORD=xxxxxxx
RPCUSER=xxxxxxx
RPCPASSWORD=xxxxxxx
CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
local_ip=`ifconfig tun0 | grep "inet " | cut -d\ -f2|tee /tmp/vpn_ip`
json=`wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$local_ip" -O -
"https://www.privateinternetaccess.com/vpninfo/port_forward_assignment" | head -1`
PORTNUM=`echo $json | grep -oE "[0-9]+"`
echo $PORTNUM
transmission-remote --auth $RPCUSER:$RPCPASSWORD -p $PORTNUM
exit 0
is pointing to
https://www.privateinternetacccess.com/vpninfo/port_forward_assignment I get a
No such file or directory in response. I'm also having issues when trying to update my IPFW settings, as evidently ipfw isn't an acceptable command (even with the appropriate syntax).
Any advice, or more information I can supply?
So... trying to get everything configured. Ideally I think I want everything in the jail to only access the internet thru the VPN. Based upon this, I thought of using some basic ipfw rules to disallow all traffic/etc. Would it be possible then to have openvpn run with it's own UID so that the rules could then allow only that UID access to the internet? I haven't seen any tutorials that do it this way vs just allowing the network path to the VPN provider itself to be open. Pros/cons?
Hi Centex,
I have it all setup like this.
Installed Transmission Plugin from Freenas GUI to create the jail, and then i manually installed Sabnzbd, Sickrage, and Couchpotato into the same jail.
I used this guide Here but tweaked it a bit to my liking.
Once this is all setup and working then i move to installing Openvpn in the same jail eith use the guide at the start of this thread or you can use this guide. Once this is confirmed working then move onto the Kill switch that i use. Create a file and name it pia.py paste the below in this file
*Note please change below in the script url = (To match the sever URL you are using on PIA) This is the one where in the OpenVpn guide that you have chosen. You will also need to change path to ipfw_rules (Mine is /sabnzbd/scripts/ipfw_rules) (f=Open is the location at the bottom of the script) Save this file on your freenas box.
Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess
url = 'Sweden.privateinternetaccess.com'
try:
# Raise if it can't ping the server or openvpn isn't running
subprocess.check_output(['service', 'openvpn', 'status'])
subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
pass
else:
sys.exit()
hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)
content = '''
add 01006 allow ip from 192.168.2.0/24 to 192.168.2.0/24 keep-state
'''
rule_number = 2001
for ip in ipaddrlist:
content += '''
add {} allow ip from 192.168.2.0/24 to {} keep-state
add {} allow ip from {} to 192.168.2.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
rule_number += 2
content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''
# Stop ipfw
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])
f = open('/sabnzbd/scripts/ipfw_rules', 'w')
f.write(content)
f.close()
# Start ipfw
subprocess.call(['service', 'ipfw', 'start'])
# Check if running
if 'ipfw' in subprocess.check_output(['service', '-e']):
subprocess.call(['service', 'openvpn', 'start'])
sys.exit()
Now do the below
Code:
Enter Jail via putty Edit /etc/rc.conf and add the below lines ee /etc/rc.conf firewall_enable="YES" firewall_type="/sabnzbd/scripts/ipfw_rules" Copy script file to script folder (pia.py) to /sabnzbd/Scripts (Or a different location) chmod +x /sabnzbd/scripts/pia.py (Path to pia.py) in freenas gui cron job (add Cron Jobs) Name it OpenVpn Script User root command jexec transmission_1 python2.7 /sabnzbd/scripts/pia.py Every N minute 5 Every N hour 1 Day of month 1 month check all day of week check all redirect check enabled check Ip Checking in putty wget http://smart-ip.net/myip -O - -q ; echo wget -qO- http://wtfismyip.com/text
Now you need to test this to see if it is working. Do the below.
Code:
service ipfw start
This should start ipfw (firewall). Load this file into transmission to see if Open vpn is working with the firewall rules, it should come back with the open vpn address.
Now run this in putty
Code:
service openvpn stop
This will stop the Openvpn and the torrent will stop working you can check this but stopping the torrent and restarting it it wont display the ip address now, everything in that jail will be blocked as the openvpn is down. Once this is confirmed working then you can move onto setting up portforward to transmission using this script and cronjob.
For the Transmission Port forward. do the below in putty and in the Jail.
Create file with below code and edit the file with you username and credentials for PIA
Make sure the below is installed or it wont work
pkg install -y jq bash curl
Save the file as port_forward.sh
Now create a Cronjob like below.
Please note the paths of all the scripts and adjust to your paths. This will run the script every 5 mins, Test to see if OpenVpn is running if not then it will exit, If yes it will proceed to checking the port is forwarded if yes it exits if no then preceeds to creating the port and forwarding it. You can check this by checking Transmission seeting where the port is and seeing if it is open.
Create file with below code and edit the file with you username and credentials for PIA
Make sure the below is installed or it wont work
pkg install -y jq bash curl
Code:
#!/usr/local/bin/bash
# Cronable port forwarding script for PIA/transmission running on
# FreeNAS
#
# Requires bash, jq (JSON parser) and curl
# pkg install -y jq bash curl
# Assumes tunnel is tun0 if different change below
#
# Your PrivateInternetAccess credentials
PIA_USER=username
PIA_PASS=password
# Export path for when you use this in cron
export PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin"
# echo date/time for logging
echo "Transmission Port Forward $(date +%Y-%m-%d-%H:%M:%S)"
get_new_port( ) {
if ! [ -x $(curl) ]; then
echo "Curl not installed/not executable"
exit 0
fi
# get the local tunnel ip
local_ip=$(ifconfig tun0 | grep "inet " | cut -d\ -f2)
#client_id seems to want random data
client_id=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")
port=$(curl --silent --data "user=$PIA_USER&pass=$PIA_PASS&client_id=$client_id&local_ip=$local_ip" https://www.privateinternetaccess.com/vpninfo/port_forward_assignment | jq .port)
if ! [[ $port =~ ^[0-9]+$ ]]; then
echo "Garbled data: $port"
exit 0
fi
transmission-remote -p $port
}
is_port_forwarded( ) {
# -pt tests for open port.
json=$(transmission-remote -pt)
if [[ $json == "Port is open: No" ]]; then
echo "Closed port detected"
get_new_port
elif [[ $json == "Port is open: Yes" ]]; then
echo "Open port detected"
exit 1
fi
}
check_for_connectivity( ) {
if nc -zw 1 google.com 80; then
echo "VPN connection up."
else
echo "VPN connection down. Exiting."
exit 0
fi
}
check_for_connectivity
is_port_forwarded
exit 1
Save the file as port_forward.sh
Now create a Cronjob like below.
Code:
crontab -e i for insert paste the below */5 * * * * /usr/local/bin/bash /sabnzbd/scripts/port_forward.sh >> /var/log/pia.log 2>&1 then type (esc wq!) This will save it.
Please note the paths of all the scripts and adjust to your paths. This will run the script every 5 mins, Test to see if OpenVpn is running if not then it will exit, If yes it will proceed to checking the port is forwarded if yes it exits if no then preceeds to creating the port and forwarding it. You can check this by checking Transmission seeting where the port is and seeing if it is open.
For me everything is working as expected Thanks to everyone on this thread and the other thread also. Alot of Trial and Error but got there in the end.
Recap. I have Transmission, Sabnabd, Sickrage, and Couchpotato all in one Jail. OpenVPN is installed in this same Jail and using PIA to do the VPN duties. I have a ipfw firewall setup in this jail and using a kill switch script it will block internet if PIA/Openvpn goes down. This will renable itself once the PIA/OpenVpn starts to work again, last but not least the cronjob script with portforwarding the port to transmission runs every 5 mins.
Hope this helps.
Recap. I have Transmission, Sabnabd, Sickrage, and Couchpotato all in one Jail. OpenVPN is installed in this same Jail and using PIA to do the VPN duties. I have a ipfw firewall setup in this jail and using a kill switch script it will block internet if PIA/Openvpn goes down. This will renable itself once the PIA/OpenVpn starts to work again, last but not least the cronjob script with portforwarding the port to transmission runs every 5 mins.
Hope this helps.
Thanks for the detailed help. How long does the kill switch take to activate with the above? 0-5 minutes depending on the chron job's next run? Also, is your local IP fixed on this jail (mine is). Local ip in your example the 192.168.2.x? I'm assuming the 10.0.0.x is the local IP range that PIA assigns as well?
Having mostly used newsgroups, I take it the port forwarding is required to get torrents to work correctly?
Just trying to understand everything fully...
I was originally wondering if it was possible to just deny everything not thru VPN except for a unique UID that would only run the VPN software. This to me seems like a super simple solution, but I haven't heard of anyone doing it or had any feedback on the concept.
Having mostly used newsgroups, I take it the port forwarding is required to get torrents to work correctly?
Just trying to understand everything fully...
I was originally wondering if it was possible to just deny everything not thru VPN except for a unique UID that would only run the VPN software. This to me seems like a super simple solution, but I haven't heard of anyone doing it or had any feedback on the concept.
Wisdom
Explorer
- Joined
- Oct 15, 2016
- Messages
- 71
Thanks for your help! I keep on getting hung up here - I'm able to past in my edited version of the cron command, but getting out of that menu is escaping me. "(esc wq!)" is just getting appended onto the back of the command, or on a new line, and isn't actually letting me escape out. I realize this is a pretty silly place to get stuck in the process, but that's what I'm running into.
In the mean time, I tried running the port_forward script your provided, and that returned the following:
Code:
root@transmission_1:/ # ./port_forward.sh Transmission Port Forward 2017-01-16-18:17:56 Connection to google.com 80 port [tcp/http] succeeded! VPN connection up. Closed port detected curl: try 'curl --help' or 'curl --manual' for more information cut: bad delimiter curl: no URL specified! curl: try 'curl --help' or 'curl --manual' for more information ./port_forward.sh: line 31: https://www.privateinternetaccess.com/vpninfo/port_forward_assignment: No such file or directory Garbled data: root@transmission_1:/ #
I realize it's not really meant to be run manually, but it still seemed like a problem worth mentioning. Please correct me if I'm wrong! I made a point of (re)installing all the libraries with your provided commands as well, so I'm not sure why curl is having problems.
EDIT: finally, something's started to shift. It's extremely slow (3.5KB/s, compared to a theoretical maximum of ~5MB/s) but something's actually working.
The ipMagnet is also giving me an IP in Switzerland, like it's supposed to, so I guess that's progress?
Still making zero headway with anything else, let alone the ipfw rules, but that's a problem for when the ports can finally be forwarded.
Last edited:
We can run it manually just to see if it works.
To centex my ip for jail is 192.168.2.253 so in the kill switch script as I forgot to mention you need to change the up from 192.168.2.0 to what range u r using ie 192.168.1.0
Mine is 192.168.2.253 so I use the 192.168.2.0.
Sent from my iPhone using Tapatalk
To centex my ip for jail is 192.168.2.253 so in the kill switch script as I forgot to mention you need to change the up from 192.168.2.0 to what range u r using ie 192.168.1.0
Mine is 192.168.2.253 so I use the 192.168.2.0.
Sent from my iPhone using Tapatalk
Related topics on forums.truenas.com for thread: "GUIDE: Setting up Transmission with OpenVPN and PIA"
Similar threads
- Locked
