GUIDE-VPN Torrent in a stand-alone jail with killswitch enabled

gb123

Dabbler
Joined
Oct 12, 2018
Messages
10
I’ve pieced this together from many places. Here is the guide I’ve put together using PIA for the VPN and Transmission for torrent.

VPN TORRENT TRUENAS JAIL SETUP

CREATE A NEW JAIL AND ENTER THE JAIL SHELL

pkg install nano wget

nano /etc/pkg/FreeBSD.conf

EDIT THIS LINE
url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",
TO LOOK LIKE THIS
url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

pkg install openvpn

mkdir /usr/local/etc/openvpn

touch /usr/local/etc/openvpn/auth.txt

chmod 0600 /usr/local/etc/openvpn/auth.txt

echo USERNAME > /usr/local/etc/openvpn/auth.txt

echo PASSWORD >> /usr/local/etc/openvpn/auth.txt

mkdir /usr/local/etc/openvpn/download

cd /usr/local/etc/openvpn/download

wget https://www.privateinternetaccess.com/openvpn/openvpn.zip

unzip openvpn.zip

touch /usr/local/etc/openvpn/openvpn.conf

CHANGE "LOCATION" TO YOUR DESIRED OVPN LOCATION FILE

cp LOCATION.ovpn /usr/local/etc/openvpn/openvpn.conf

nano /usr/local/etc/openvpn/openvpn.conf

ADD THE FOLLOWING LINE TO THE BOTTOM OF THE FILE:

auth-user-pass /usr/local/etc/openvpn/auth.txt
auth-nocache

sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

EXIT THE JAIL CONSOLE, ENTER THE MAIN TRUENAS/FREENAS CONSOLE

CHANGE “JAILNAME” TO YOUR JAIL’S NAME

iocage set allow_tun=1 JAILNAME

REBOOT THE TRUENAS/FREENAS SERVER

FROM THE JAIL CONSOLE, TEST OPENVPN

wget -qO - http://wtfismyip.com/text

DISPLAY PUBLIC IP ON JAIL SHELL LOGIN

nano /etc/ipcheck.sh

#!/bin/sh
# Blue label, red IP, then reset colours (ESC is \033; a doubled backslash
# would print a literal backslash instead of the escape).
printf "\033[0;34mYour public IP address is: \033[0;31m\n"
wget -qO - http://wtfismyip.com/text
printf "\033[0m"

chmod +x /etc/ipcheck.sh

nano ~/.login

/bin/sh /etc/ipcheck.sh

SETUP KILLSWITCH

nano /usr/local/etc/openvpn/ipfw.rules

THE FILE SHOULD LOOK AS FOLLOWS:

#!/bin/sh
##
# OpenVPN Kill Switch Configuration.
#
# From:
# https://github.com/danjacques/freenasdocs
##

. /etc/network.subr

RULE_NO=1000
fwcmd="/sbin/ipfw"
add_fw() {
${fwcmd} add ${RULE_NO} "$@"
RULE_NO=$((${RULE_NO}+1))
}

# Flush all current rules before we start.
${fwcmd} -f flush

# Enable loopback.
add_fw allow ip from any to any via lo0

# Enable VPN traffic.
add_fw allow ip from any to any via tun*

# Internal Routing
#
# Change these addresses accordingly for your internal network and netmask.
add_fw allow log ip from any to 192.168.1.0/24 keep-state

# Allow DNS traffic.
#
# OpenVPN configs may use host names, and we'll need to look these up.
# Default route.
#
# Note: this matches on every interface, so resolver queries also leave in
# clear over the jail's LAN interface (to whatever /etc/resolv.conf names),
# whether or not the tunnel is up. Only the lookup of the OpenVPN "remote"
# host needs that path; if later lookups should stay inside the tunnel, point
# /etc/resolv.conf at a resolver reachable through it.
add_fw allow log udp from any to any dst-port 53 keep-state

# Allow traffic on OpenVPN UDP port.
#
# If you're using TCP VPN and/or a different port, update accordingly. Consult
# your OpenVPN config for details.
add_fw allow log udp from any to any dst-port 1198 keep-state

# Cleanup rules.
RULE_NO=4000
add_fw allow ip from 127.0.0.1 to any

# VPN Network Access.
#
# 10.0.0.0/7 (10.0.0.0 - 11.255.255.255) is the range the VPN is assumed to
# assign on the tun interface. It is matched on every interface, so if your
# LAN also lies inside it, LAN-sourced traffic is allowed here and never
# reaches the deny rule below: narrow it to the range your VPN actually uses.
RULE_NO=5000
add_fw allow ip from 10.0.0.0/7 to any
add_fw allow ip from any to 10.0.0.0/7

# Block everything else.
RULE_NO=65534
add_fw deny log ip from any to any

nano /etc/rc.conf

ADD THE FOLLOWING LINES

firewall_enable="YES"
firewall_script="/usr/local/etc/openvpn/ipfw.rules"

/etc/rc.d/ipfw start

TEST YOUR FIREWALL

/usr/local/etc/rc.d/openvpn stop

ping 8.8.8.8
SHOULD NOT WORK

/usr/local/etc/rc.d/openvpn start
ping 8.8.8.8
SHOULD WORK

KILLSWITCH IS WORKING

INSTALL/CONFIGURE TRANSMISSION

pkg install transmission

sysrc transmission_enable="YES"
sysrc transmission_user="root"
sysrc transmission_group="wheel"

service transmission stop

nano /usr/local/etc/transmission/home/settings.json

CHANGE
"rpc-whitelist-enabled": true,
TO
"rpc-whitelist-enabled": false,

CHANGE
"umask": 18,
TO
"umask": 7,

CHANGE DOWNLOAD DIRECTORY (IF DESIRED)

sysrc transmission_download_dir="/path/to/download/dir"

service transmission start
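As an added example (not part of gb123's guide, nor of the danjacques freenasdocs script the ipfw rules come from), here is a small POSIX sh helper for two maintenance points the rule file only mentions in comments: the OpenVPN port/protocol rule has to be kept in step with the .ovpn profile, and the 10.0.0.0/7 VPN-network rule must not overlap the jail's LAN. It assumes the guide's layout (openvpn.conf under /usr/local/etc/openvpn, the 1000/4000/65534 rule numbering) and uses a constructed profile and a sample LAN address, not a real PIA file:

```shell
#!/bin/sh
# Added example; not code from the guide above or from the freenasdocs
# kill-switch script it reuses. Keeps the ipfw rules in step with the
# OpenVPN profile:
#   ovpn_allow_rules  derives the "allow ... dst-port" rule(s) for the
#                     tunnel's outer traffic from the remote/proto lines of
#                     openvpn.conf, so a TCP or non-1198 profile is not
#                     silently blocked by a hard-coded "udp ... 1198" rule;
#   cidr_contains     checks whether an address lies inside a CIDR block, to
#                     catch a VPN-network rule (10.0.0.0/7 in the guide)
#                     that also covers the jail's own LAN address.
# The config path, rule numbers and sample profile below are assumptions.

# Print "proto host port" for each `remote` in an OpenVPN client config.
# A per-remote port/proto overrides the global `proto` directive; defaults
# are OpenVPN's own (udp, 1194). "tcp-client" / "udp4" style values are
# reduced to the bare tcp/udp that ipfw understands.
ovpn_remotes() {
    awk '
        $1 == "proto"  { gproto = $2 }
        $1 == "remote" { n++; host[n] = $2
                         port[n] = ($3 != "") ? $3 : 1194
                         rproto[n] = $4 }
        END {
            if (gproto == "") gproto = "udp"
            for (i = 1; i <= n; i++) {
                p = (rproto[i] != "") ? rproto[i] : gproto
                sub(/-(client|server)$/, "", p); sub(/[46]$/, "", p)
                print p, host[i], port[i]
            }
        }' "$1"
}

# Emit one ipfw allow rule per remote, numbered from $2 (default 2000, i.e.
# between the guide's 1000-series rules and its 4000 cleanup block). The
# destination stays "any": hostnames in openvpn.conf cannot be resolved
# while the firewall script runs at boot.
ovpn_allow_rules() {
    _n=${2:-2000}
    ovpn_remotes "$1" | while read -r proto host port; do
        printf '/sbin/ipfw add %d allow log %s from any to any dst-port %s keep-state\n' \
            "$_n" "$proto" "$port"
        _n=$((_n + 1))
    done
}

# Exit 0 if IPv4 address $2 is inside CIDR $1, else 1. Uses integer division
# by 2^(32-bits) instead of a bitwise AND, which POSIX awk lacks.
cidr_contains() {
    echo "$1 $2" | awk '
        function toint(a,  o) { split(a, o, "[.]")
                                return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        { split($1, c, "/"); unit = 2 ^ (32 - c[2])
          exit (int(toint(c[1]) / unit) == int(toint($2) / unit)) ? 0 : 1 }'
}

# Demo on a constructed profile (not a real PIA file) and on the LAN address
# 10.0.0.124 that a later post in this thread reports.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
client
dev tun
proto udp
remote uk-london.privacy.network 1198
remote tcp-fallback.invalid 443 tcp-client
EOF
ovpn_allow_rules "$SAMPLE" 2000
rm -f "$SAMPLE"
for net in 10.0.0.0/7 10.120.0.0/13; do
    if cidr_contains "$net" 10.0.0.124; then
        echo "WARNING: $net also covers the jail's LAN address 10.0.0.124"
    fi
done
```

The rules it prints can replace the hard-coded udp/1198 line in ipfw.rules (or simply be compared against it after switching profiles); the overlap check is worth rerunning against the jail's epair address whenever the VPN-network rule or the LAN numbering changes.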
 
Joined
Oct 22, 2019
Messages
3,641
nano /etc/pkg/FreeBSD.conf
Don't edit this file.

Rather, create/edit this file: /usr/local/etc/pkg/repos/FreeBSD.conf

The instructions are found within the main file itself:
FreeBSD.conf said:
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
# mkdir -p /usr/local/etc/pkg/repos
# echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf

It would be in this new file where you specify "latest" for the binary pkg repository.
/usr/local/etc/pkg/repos/FreeBSD.conf

Here's what mine looks like, which overrides the repository specified under /etc/pkg/FreeBSD.conf:
Code:
% cat /usr/local/etc/pkg/repos/FreeBSD.conf

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}


Rather than simply "disabling" it, you are instead overriding the URL for the "FreeBSD" binary pkg repository.
 

AfroUSA

Dabbler
Joined
Mar 27, 2017
Messages
28
Hello all,
I have trouble starting openvpn in my transmission 4.0.4 plugin inside iocage on my TrueNAS-13.0-U5.3.

The firewall works OK, but when I try to start openvpn, it won't start. After creating the iocage jail and setting up the transmission plugin, I needed to run ifconfig tun create inside the jail.

shell
Code:
root@transmission:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:ab:5b:56
        hwaddr 02:bf:cb:ee:01:0b
        inet 192.168.1.227 netmask 0xffffff00 broadcast 192.168.1.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
root@transmission:~ # ifconfig create tun
ifconfig: interface create does not exist
root@transmission:~ # ifconfig tun create
tun256
root@transmission:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:ab:5b:56
        hwaddr 02:bf:cb:ee:01:0b
        inet 192.168.1.227 netmask 0xffffff00 broadcast 192.168.1.255
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
tun256: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        groups: tun
        nd6 options=9<PERFORMNUD,IFDISABLED>
root@transmission:~ #
root@transmission:~ # service openvpn start
Starting openvpn.
root@transmission:~ # service openvpn status
openvpn is not running.
root@transmission:~ #


ipfw.rules
Code:
#!/bin/sh
##
# OpenVPN Kill Switch Configuration.
#
# From:
# https://github.com/danjacques/freenasdocs
##

. /etc/network.subr

RULE_NO=1000
fwcmd="/sbin/ipfw"
add_fw() {
${fwcmd} add ${RULE_NO} $*
RULE_NO=$((${RULE_NO}+1))
}

# Flush all current rules before we start.
${fwcmd} -f flush

# Enable loopback.
add_fw allow ip from any to any via lo0

# Enable VPN traffic.
add_fw allow ip from any to any via tun*

# Internal Routing
#
# Change these addresses accordingly for your internal network and netmask.
add_fw allow log ip from any to 192.168.1.0/24 keep-state

# Allow DNS traffic.
#
# OpenVPN configs may use host names, and we'll need to look these up.
# Default route.
add_fw allow log udp from any to any dst-port 53 keep-state

# Allow traffic on OpenVPN UDP port.
#
# If you're using TCP VPN and/or a different port, update accordingly. Consult
# your OpenVPN config for details.
add_fw allow log udp from any to any dst-port 1198 keep-state

# Cleanup rules.
RULE_NO=4000
add_fw allow ip from 127.0.0.1 to any

# VPN Network Access.
RULE_NO=5000
add_fw allow ip from 10.0.0.0/7 to any
add_fw allow ip from any to 10.0.0.0/7

# Block everything else.
RULE_NO=65534
add_fw deny log ip from any to any


openvpn.conf
Code:
client
dev tun
proto udp
remote uk-london.privacy.network 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass /usr/local/etc/openvpn/auth.txt
auth-nocache
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----

-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

disable-occ


rc.conf
Code:
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
transmission_enable="YES"
transmission_download_dir="/usr/local/etc/transmission/home/Downloads"

TRANSMISSION_WEB_HOME="/usr/local/share/transmission/public_html/flood"

firewall_enable="YES"
firewall_script="/usr/local/etc/openvpn/ipfw.rules"
openvpn_enable="YES"
openvpn_if="tun"
transmission_user="root"
transmission_group="wheel"
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222

AfroUSA

Dabbler
Joined
Mar 27, 2017
Messages
28

cdiddy

Dabbler
Joined
Oct 3, 2017
Messages
39
I also had to make a modification to get this to work:
ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
groups: lo
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
groups: pflog
epair0b: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether ae:1f:6b:03:aa:47
hwaddr 02:8a:67:25:bf:0b
inet 10.0.0.124 netmask 0xffffc000 broadcast 10.0.63.255
groups: epair
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
nd6 options=1<PERFORMNUD>
tun99: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.120.34.44 netmask 0xfffffe00 broadcast 10.120.35.255
groups: tun
nd6 options=9<PERFORMNUD,IFDISABLED>
Opened by PID 11744
Note the tun99 `inet` line: that IP changes every time openvpn, the jail or the whole server restarts.


This line in the ipfw.rules did not have any explanation:
# VPN Network Access.
RULE_NO=5000
add_fw allow ip from 10.0.0.0/7 to any
add_fw allow ip from any to 10.0.0.0/7
Maybe it's obvious that the 10.0.0.0/7 is the assumed network of the VPN connection?
I would personally add a comment to explain.


My VPN seems to range between 10.120.x.x and 10.125.x.x every time openvpn or the jail or the whole server restarts.
I personally use a 10.0.0.0/18 network for my server and all jails. So 10.0.0.0/7 in this section of ipfw.rules overlaps my home network and did NOT activate the kill switch; everything was still within that range! So, below is how I fixed this overlap.

I edited ipfw.rules to use a network/mask combo that only includes the narrow range my VPN was using and does not overlap with my home network:
# VPN Network Access.
# Change this to match the network address/mask your VPN connects to
RULE_NO=5000
add_fw allow ip from 10.120.0.0/13 to any
add_fw allow ip from any to 10.120.0.0/13
This only allows 10.120.0.1 - 10.127.255.254 to have internet access, which seems like a safe range to use, as my VPN hasn't assigned me an IP outside that range yet. I will adjust as needed in the future.
My home network uses 10.0.0.1 - 10.0.255.254, so 10.120.0.0/13 may be a little tighter than I actually need, but like I said, I'll adjust that as needed.



It's unfortunate this post hasn't gotten more attention. This is the ONLY kill switch that is working for me in TrueNAS-13.0-U6.1

Other guides' kill switches - while they did work for me in the past - for some reason no longer work (when OpenVPN stops, transmission just keeps downloading away). This ipfw.rules kill switch is working GREAT. I love the addition of the wget wtfismyip on jail console login =-)
 
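As an added example, not code from cdiddy's post or from any other post in this thread: the guide's "ping should not work" test can be turned into a script that looks for evidence of the block (the final deny rule's packet counter moving) rather than just the absence of a reply, which is the failure mode described above, a kill switch that silently stopped working while Transmission kept downloading. It assumes the guide's rule number 65534 for the deny rule, FreeBSD's `ping -t` (timeout in seconds) and `service openvpn`, and the live check must run as root inside the jail; the `ipfw -a list` sample in the self-check is constructed:

```shell
#!/bin/sh
# Added example; not code from any post in this thread. Verifies the kill
# switch by evidence instead of eyeballing a ping: with OpenVPN stopped, an
# outbound probe must fail AND the packet counter of the final deny rule must
# move. A probe that fails for some other reason (rule missing, counter flat)
# is reported as a failure too. The rule number, probe target, FreeBSD's
# `ping -t` (timeout in seconds) and `service` are assumptions that match
# the guide above.
DENY_RULE=65534      # the guide's "block everything else" rule
PROBE_IP=8.8.8.8     # the guide's test target

# Read the packet counter of rule $1 from `ipfw -a list` output on stdin.
# Each line is "<rule> <packets> <bytes> <action ...>"; rule numbers may be
# zero-padded, hence the numeric comparison.
deny_packets() {
    awk -v r="$1" '$1 + 0 == r + 0 { print $2; exit }'
}

live_deny_packets() { /sbin/ipfw -a list | deny_packets "$DENY_RULE"; }

# Exit 0 only when the kill switch held: both counter readings exist, the
# probe failed ($3 != 0) and the deny counter increased.
killswitch_verdict() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$3" -ne 0 ] && [ "$2" -gt "$1" ]
}

# Live check: stop the tunnel, probe, compare counters, restart the tunnel.
check_killswitch() {
    service openvpn stop >/dev/null 2>&1
    before=$(live_deny_packets)
    ping -c 1 -t 3 "$PROBE_IP" >/dev/null 2>&1
    rc=$?
    after=$(live_deny_packets)
    if killswitch_verdict "$before" "$after" "$rc"; then
        echo "PASS: probe blocked; rule $DENY_RULE counted $((after - before)) packet(s)"
    else
        echo "FAIL: probe rc=$rc, rule $DENY_RULE counter '$before' -> '$after'"
        echo "      (traffic leaked, or the deny rule is missing/unreachable)"
    fi
    service openvpn start >/dev/null 2>&1
}

# Offline self-check on constructed `ipfw -a list` output (not a real listing).
selftest() {
    sample='01000 12 3456 allow ip from any to any via lo0
65534 7 588 deny log ip from any to any'
    [ "$(printf '%s\n' "$sample" | deny_packets 65534)" = 7 ] &&
    killswitch_verdict 7 8 1 && ! killswitch_verdict 7 7 1
}

# `sh killswitch-check.sh run` performs the live check inside the jail;
# without the argument only the offline self-check runs.
if [ "${1:-}" = "run" ]; then
    check_killswitch
else
    selftest && echo "self-check OK"
fi
```

Run it after every change to ipfw.rules or to the VPN profile; a PASS requires both that the probe failed and that the deny counter moved, so an overlap like the one described above (where LAN-sourced traffic matches the 10.0.0.0/7 rule and never reaches 65534) shows up as a FAIL even if the ping happens not to get a reply.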