How to use Openvpn & ipfw in a jail so it only connects to the VPN


Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
That's odd. I didn't change their location. I just double-checked:
Code:
[root@transmission_1 /usr/pbi/transmission-amd64/etc/transmission/home]# ls -l
total 182
drwxrwxrwx  2 tranny  tranny     2 Mar  3  2015 blocklists
-rw-------  1 tranny  tranny   586 Mar  6 16:46 dht.dat
drwxrwxrwx  2 tranny  tranny    11 Mar  7 15:58 resume
-rw-------  1 tranny  tranny  2237 Mar  6 16:46 settings.json
-rw-------  1 tranny  tranny   166 Mar  7 15:58 stats.json
drwxr-xr-x  2 tranny  tranny    11 Mar  7 12:11 torrents
 

windyboi (Explorer, joined Jan 7, 2016, 79 messages):
Ok I found them, in /var/db/transmission. I guess if I just copy the whole transmission directory across to a new jail everything should be OK. I hope!
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
Ok I found them, in /var/db/transmission. I guess if I just copy the whole transmission directory across to a new jail everything should be OK. I hope!
OK, I had an older version of transmission, 2.84. I updated to 2.9 and it moved the directory to the same as yours. AND . . . nothing works anymore :rolleyes:
 

LudoB (Dabbler, joined Nov 8, 2015, 13 messages):
Well, that's a problem if you're running openvpn and the special torrent is showing your own public IP. Did you do the steps about editing the configuration file for the server you want to use (as I recall it is just adding the name of the file containing your openvpn username and password), then renaming it as (again from memory) openvpn.conf?
I have contacted the vpn service and they told me to use another openvpn conf file for Russia and set up the keys as previously mentioned in the 1st page of this thread but when I use MagnetIP I still see my French IP. I also can ping www.google.com when openvpn is stopped and/or ipfw is stopped. I think it must be due to firewall rules. I will check more on that and revert back.
 

LudoB (Dabbler, joined Nov 8, 2015, 13 messages):
OK, I had an older version of transmission, 2.84. I updated to 2.9 and it moved the directory to the same as yours. AND . . . nothing works anymore :rolleyes:

I personally have:
Code:
root@transmission_1:/var/db/transmission # ls -la
total 115
drwxr-x---   5 transj  transj     8 Mar 10 13:49 .
drwxr-xr-x  11 root    wheel     13 Feb 28 15:51 ..
drwxrwxrwx   2 transj  transj     2 Feb 28 16:05 blocklists
-rw-------   1 transj  transj   964 Mar 10 13:46 dht.dat
drwxrwxrwx   2 transj  transj     2 Mar  9 20:53 resume
-rw-------   1 transj  transj  2198 Mar 10 13:49 settings.json
-rw-------   1 transj  transj   147 Feb 28 19:49 stats.json
drwxrwxrwx   2 transj  transj     2 Mar 10 20:32 torrents


And I have nothing much in this folder:
Code:
root@transmission_1:/usr/pbi/transmission-amd64/etc/transmission/home # ls -la
total 1
drwxr-xr-x  2 transj  transj  2 Feb 27 08:55 .
drwxr-xr-x  3 root    wheel   3 Feb 27 08:55 ..


I am using the latest plugin version of Transmission (2.90) available as part of FreeNAS 9.3.

Hope this helps.
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
Hope this helps.
Thanks @LudoB. Apparently my problem was that, after the update, my /etc/rc.conf had transmission_enable="NO".
I changed it to YES and it started working, after restarting the jail and running the port_forward script. My /usr/pbi/transmission-amd64/etc/transmission/home was deleted; it looks like you have an empty folder there.
 

windyboi (Explorer, joined Jan 7, 2016, 79 messages):
Damnit, after wiping the jail and re-installing Transmission and setting up OpenVPN and ipfw and the port script, I still get the problem of losing connectivity to the internet every day. I disabled ipfw and this still occurs.

Accidentally deleted all 1000 of my torrent files and resume data too; majorly pissed, but got over it now and am starting afresh with my torrent collection.

Suspect it may be due to my port change script, which is cron-jobbed every hour, but not sure.

Code:
#!/bin/sh
# Ask PIA for the forwarded port and hand it to transmission-remote
PROGRAM=$(basename "$0")
USER="usr"
PASSWORD="pwd"
CLIENT_ID="81ae44b01bf22a31914164c5b0d1f47b"
# First IPv4 address on tun0 (the VPN side); also saved to /tmp/vpn_ip for inspection
local_ip=$(ifconfig tun0 | grep "inet " | cut -d' ' -f2 | tee /tmp/vpn_ip)
# Note: --no-check-certificate disables TLS verification of the PIA endpoint
json=$(wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$local_ip" -O - "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment" | head -1)
# Pull the number out of the JSON reply
PORTNUM=$(echo "$json" | grep -oE "[0-9]+")
echo "$PORTNUM"
transmission-remote -p "$PORTNUM"
exit 0


Anyone know how I can diagnose the error?

Code:
root@transmission_1:/var/log # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@transmission_1:/var/log # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No buffer space available
ping: sendto: No buffer space available
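A more defensive version of the port-assignment step, added here as an example and not the script posted above: it takes the port only from the "port" key of the reply and refuses out-of-range values before anything reaches transmission-remote, so a PIA error message that happens to contain digits cannot become the peer port. The JSON reply and ifconfig lines used in the checks are constructed samples, and the client id is a placeholder.

```shell
#!/bin/sh
# Added example (not the script posted above): validate PIA's port-forward
# reply before using it. Sample inputs are constructed for illustration.

# extract_port JSON -> prints the port from the "port" key, or returns 1
extract_port() {
    # Only the value of the "port" key counts, not any digit in the reply
    port=$(printf '%s' "$1" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$port" ] || return 1
    # Forwarded ports are unprivileged ports; reject anything else
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ] || return 1
    printf '%s\n' "$port"
}

# tun0_ip IFCONFIG_OUTPUT -> prints the interface's first IPv4 address
tun0_ip() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Real flow only when invoked as "./script apply", so the functions can be
# sourced or tested without touching the network or transmission.
# TLS verification is left on (no --no-check-certificate); the jail needs a
# CA bundle for that. CLIENT_ID is a placeholder, not a real value.
if [ "${1:-}" = "apply" ]; then
    USER="usr"; PASSWORD="pwd"; CLIENT_ID="<client id from PIA>"
    local_ip=$(tun0_ip "$(ifconfig tun0)")
    [ -n "$local_ip" ] || { echo "$0: tun0 has no address" >&2; exit 1; }
    json=$(wget -q --post-data="user=$USER&pass=$PASSWORD&client_id=$CLIENT_ID&local_ip=$local_ip" \
        -O - "https://www.privateinternetaccess.com/vpninfo/port_forward_assignment" | head -1)
    if port=$(extract_port "$json"); then
        transmission-remote -p "$port"
    else
        echo "$0: no usable port in reply: $json" >&2
        exit 1
    fi
fi
```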
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
Damnit, after wiping the jail and re-installing Transmission and setting up Openvpn and ipfw and the port script I still get the problems of loss of connectivity to the internet every day. I disabled ipfw and this still occurs.
Anyone know how I can diagnose the error?
Could it be that the server or the server's port forwarding is unstable? I would try a different PIA server.
 

Drew Heath (Explorer, joined Mar 7, 2016, 80 messages):
Has anyone gotten this to work with Giganews VyprVPN? I see plenty of stuff for Mac via app and Ubuntu, but nada for straight FreeBSD.
 

frozn00 (Explorer, joined Dec 18, 2014, 57 messages):
So the way this is done from the first post, EVERYTHING in that particular jail goes through the VPN, right? The reason I am asking is I have CouchPotato, SickRage, SABnzbd, Plex etc. running in the same jail. If I would then add Transmission, it would need to be in its own jail since I don't want the other programs going through the VPN?
 

Estropelic (Contributor, joined Feb 8, 2016, 107 messages):
Can someone suggest to me an OpenVPN provider that uses the key authentication used in this tutorial? I signed up for PIA and had to get a refund as they did not support key auth or Plex access.

Thanks
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
Can someone suggest to me an OpenVPN provider that uses the key authentication used in this tutorial?
Looks like the original poster was using AirVPN, which appears to use keys.
 

Ash Swainson (Cadet, joined Dec 30, 2015, 7 messages):
Hi all,

I have followed this tutorial and have it working as I would like, 99%. If I start IPFW first, then OpenVPN, I can ping Google. Then I turn OpenVPN off, and the ping is blocked. But if I restart OpenVPN, it won't reconnect until IPFW is restarted. I'm pretty sure this is because the DNS server I have specified isn't working/isn't reachable for some reason. I have proven this by using the Google DNS servers (8.8.8.8 and 8.8.4.4) and everything works as expected (turning OpenVPN on and off allows and blocks pings respectively).

Any help would be appreciated.

Ash

EDIT:

Here are my IPFW rules also:

Code:
#add 01000 allow log udp from 192.168.20.0/24 to 46.246.46.46 dst-port 53 keep-state
#add 01002 allow log udp from 192.168.20.0/24 to 194.132.32.23 dst-port 53 keep-state

add 01000 allow log udp from 192.168.20.0/24 to 8.8.8.8 dst-port 53 keep-state
add 01002 allow log udp from 192.168.20.0/24 to 8.8.4.4 dst-port 53 keep-state

add 01006 allow ip from 192.168.20.0/24 to 192.168.20.0/24 keep-state

add 02000 allow ip from 192.168.20.0/24 to 46.246.37.130/32 keep-state
add 02004 allow ip from 192.168.20.0/24 to 46.246.41.130/32 keep-state
add 02008 allow ip from 192.168.20.0/24 to 46.24.43.130/32 keep-state
add 02012 allow ip from 192.168.20.0/24 to 46.246.47.52/19 keep-state
add 02014 allow ip from 192.168.20.0/24 to 46.246.47.0/24 keep-state
add 02016 allow ip from 192.168.20.0/24 to 46.246.47.2/32 keep-state
add 02018 allow ip from 192.168.20.0/24 to 46.246.47.52 keep-state
add 02022 allow ip from 192.168.20.0/24 to 46.246.47.1 keep-state
add 02024 allow ip from 192.168.20.0/24 to 46.246.47.87/19 keep-state

add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 46.0.0.0/8 to any
add 05002 allow ip from any to 46.0.0.0/8
add 65534 deny ip from any to any
 

diskdiddler (Wizard, joined Jul 9, 2014, 2,377 messages):
Can someone answer a few questions for me?


If I configure this on my Couchpotato Jail and it goes and grabs a .torrent (or magnet?) from a site, can the Couchpotato Jail still talk, internally to the Qbittorrent or Utorrent jails? Will injection still work over the local 192.168.x.x network?

I'm thinking of configuring PureVPN for at least 2 of my 5 jails.
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
If I configure this on my Couchpotato Jail and it goes and grabs a .torrent (or magnet?) from a site, can the Couchpotato Jail still talk, internally to the Qbittorrent or Utorrent jails? Will injection still work over the local 192.168.x.x network?
I don't have any experience doing that, but it should just be a matter of setting up your ipfw rules to allow the local network to work. Which is the way most people's rules are anyway I think. For example, here is my rules file (my transmission runs as user tranny)
Code:
add 00010 allow all from any to any via tun0 uid tranny
add 00101 allow all from me to 192.168.0.0/24 via epair* uid tranny
add 00102 allow all from 192.168.0.0/24 to me via epair* uid tranny
add 00107 deny all from any to any uid tranny
 

Jacopx (Patron, joined Feb 19, 2016, 367 messages):
Hi everyone!
I have done the first part, VPN configuration, and it's working fine! Now I'm trying to set up the IPFW; I'm using AirVPN, but I haven't understood where I can find the IP range of my VPN! Can someone help me? :)
 

Glorious1 (Guru, joined Nov 23, 2014, 1,211 messages):
Hi everyone!
I have done the first part, VPN configuration, and it's working fine! Now I'm trying to set up the IPFW; I'm using AirVPN, but I haven't understood where I can find the IP range of my VPN! Can someone help me? :)
You can find out by logging into your jail and typing ifconfig. It should be the one labeled tun0 if your VPN is running.

But I don't see why you need that to set up IPFW. If it's for the rules, I wouldn't put the IP in there - it will probably change every time you connect to the VPN. See my rules in the post before yours.
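As an added example (not from any post in the thread), here is a small shell script that writes a uid-based ruleset like the one Glorious1 posted above and checks that it fails closed, i.e. that the uid's catch-all deny is numbered after every allow for that uid. It assumes the VPN interface is tun0 and the jail reaches the LAN over epair*; with this layout no VPN IP range goes into the rules, and the user's DNS lookups can only leave through the tunnel as well.

```shell
#!/bin/sh
# Added example (not from the thread): emit a uid-based ipfw ruleset in the
# style posted above and check it fails closed. Assumes tun0 is the VPN
# interface and epair* is the jail's LAN side.

# gen_vpn_only_rules USER LAN_CIDR -> prints an ipfw rules file
gen_vpn_only_rules() {
    cat <<EOF
# $1 may send anything through the tunnel (DNS included, so the resolver
# must be reachable via tun0; no VPN IP range is needed in the rules)
add 00010 allow all from any to any via tun0 uid $1
# $1 may talk to the LAN over the jail's epair, e.g. for the web UI
add 00101 allow all from me to $2 via epair* uid $1
add 00102 allow all from $2 to me via epair* uid $1
# everything else from $1, including traffic while tun0 is down, is dropped
add 00107 deny all from any to any uid $1
EOF
}

# rules_fail_closed USER < rules -> exit 0 if USER has a deny-all rule and no
# allow rule for USER carries a higher number (ipfw evaluates by rule number)
rules_fail_closed() {
    awk -v u="$1" '
        $1 == "add" && $(NF-1) == "uid" && $NF == u {
            n = $2 + 0
            if ($3 == "deny" && $6 == "any" && $8 == "any") {
                if (!deny || n < deny) deny = n
            } else if ($3 == "allow" && n > maxallow) {
                maxallow = n
            }
        }
        END { exit (deny && maxallow < deny) ? 0 : 1 }'
}

# Stand-alone use: "./script print [user] [lan_cidr]" prints the rules
if [ "${1:-}" = "print" ]; then
    gen_vpn_only_rules "${2:-tranny}" "${3:-192.168.0.0/24}"
fi
```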
 

diskdiddler (Wizard, joined Jul 9, 2014, 2,377 messages):
I don't have any experience doing that, but it should just be a matter of setting up your ipfw rules to allow the local network to work. Which is the way most people's rules are anyway I think. For example, here is my rules file (my transmission runs as user tranny)
Code:
add 00010 allow all from any to any via tun0 uid tranny
add 00101 allow all from me to 192.168.0.0/24 via epair* uid tranny
add 00102 allow all from 192.168.0.0/24 to me via epair* uid tranny
add 00107 deny all from any to any uid tranny

I imagine someone will have done this, particularly Australians. So I'll keep an eye out for others responding.
When there's a definitive guide, I'll do it for sure, but I'd rather not be the guinea pig (sorry to others)
 

Supersonical (Dabbler, joined Apr 12, 2016, 17 messages):
My comment has already been mentioned earlier.
 

lazybones (Dabbler, joined Jan 16, 2016, 45 messages):
Hey there, I am currently failing at the step where you're supposed to copy the .key files; my VPN provider doesn't seem to have any of those. I use PIA.
 