jerrybme
Dabbler
- Joined
- Sep 28, 2011
- Messages
- 40
I wanted to use Openvpn with my Transmission plugin but didn't want any of my other network traffic to go through the VPN. Additionally, I didn't want Transmission to access the internet except through the VPN. This "how-to" assumes you have a VPN service you're connecting to and have downloaded the config file, certs and user keys.
It was rather easy; here's how:
Once you've installed the Transmission plugin, have the jail running and storage attached, ssh into your jail to list the jails, then where "N" is equal to your jail number.
Now you'll need to add packages, I prefer to use bash rather than tcsh and nano over vi. Make sure to use not to use pkg_add
Next time you enter the jail you can use:
For now we'll just drop into the bash shell
Next we need to create the directory for the config file and certs and keys for Openvpn
Next you need to add the lines to the rc.conf so openvpn and ipfw starts when the jail starts. go to the /etc directory and fire up nano
Note: to save files in nano Ctrl+o will write the file and Ctrl+x will exit.
Once you've got the rc.conf file opened in nano add the following lines:
Note that "firewall_type=" tells ipfw where the rules are to be loaded so make sure change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf.
Double check the paths to the location of the keys and certs listed in the config file match where you will be placing them (/usr/local/etc/openvpn/keys).
Then copy over the certs and keys
Now let's fire it up and see if it works:
If it works you should see
Assuming that is all working now it's time to setup the the firewall to only allow connections to your VPN service. ipfw is already installed in the jail so the main trick is getting the IP addresses of your VPN service provider. I use AirVPN and when you generate the config file you can specify them to resolve the hosts and it will list all of the IP addresses. You will also need the IP addresses for your DNS servers. I use a combo of OpenDNS and the AirVPN DNS. I put the firewall rules in my attached storage so I can easily change them if needed. Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range so you'll need to adjust the firewall rule reflect the IP addresses that you have established on your network.
The first set of rules allow access to the DNS servers
The next rule allows access on my local network to and from the jail:
The next set allow access to the ip addresses provided by your VPN service provider. You'll need to add as many as you are given:
Please note that each of the above lines end with "keep-state" but the forum website sometimes shortens them to "keep-$" (see MarchHare's post below).
And the last group allow access to local loop and deny everything else. the 10.0.0.0/8 is for AirVPN, you'll need to find out the ip range for your provider (I found this info in their forums)
All of these go into the ipfw_rules, I just broke them down to explain their function.
Now fire up ipfw
Test by pinging www.google.com then stop your vpn
If it is setup correctly you will get the following with the vpn off:
The final test is to make sure your work survives a reboot, so turn the jail off from the Freenas GUI and start it up again. Then ssh back into your jail and verify openvpn is running and the firewall rules are loaded:
Thanks to all of the folks who have posted on the AirVPN and Freenas forums, I just pulled all of the info together.
Cheers
It was rather easy; here's how:
Once you've installed the Transmission plugin, have the jail running and storage attached, ssh into your jail
Code:
jls
Code:
jexec N tcsh
Now you'll need to add packages, I prefer to use bash rather than tcsh and nano over vi. Make sure to use not to use pkg_add
Code:
[root@transmission_1 /]# pkg install bash [root@transmission_1 /]# pkg install nano [root@transmission_1 /]# pkg install openvpn
Next time you enter the jail you can use:
Code:
jexec N bash
For now we'll just drop into the bash shell
Code:
[root@transmission_1 /]# bash
Next we need to create the directory for the config file and certs and keys for Openvpn
Code:
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn [root@transmission_1 /]# mkdir /usr/local/etc/openvpn/keys
Next you need to add the lines to the rc.conf so openvpn and ipfw starts when the jail starts. go to the /etc directory and fire up nano
Code:
[root@transmission_1 /]# cd /etc [root@transmission_1 /etc]# nano rc.conf
Note: to save files in nano Ctrl+o will write the file and Ctrl+x will exit.
Once you've got the rc.conf file opened in nano add the following lines:
Code:
firewall_enable="YES" firewall_type="/media/ipfw_rules" openvpn_enable="YES" openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
Note that "firewall_type=" tells ipfw where the rules are to be loaded so make sure change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf.
Code:
[root@transmission_1 /]# cp /media/VPNproviderfile.ovpn /usr/local/etc/openvpn/openvpn.conf
Double check the paths to the location of the keys and certs listed in the config file match where you will be placing them (/usr/local/etc/openvpn/keys).
Then copy over the certs and keys
Code:
[root@transmission_1 /]# cp /media/ca.crt /usr/local/etc/openvpn/keys/ca.crt [root@transmission_1 /]# cp /media/user.crt /usr/local/etc/openvpn/keys/user.crt [root@transmission_1 /]# cp /media/user.key /usr/local/etc/openvpn/keys/user.key [root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key
Now let's fire it up and see if it works:
Code:
[root@transmission_1 /]# /usr/local/etc/rc.d/openvpn start
If it works you should see
Code:
Starting openvpn. [root@transmission_1 /]#
Assuming that is all working now it's time to setup the the firewall to only allow connections to your VPN service. ipfw is already installed in the jail so the main trick is getting the IP addresses of your VPN service provider. I use AirVPN and when you generate the config file you can specify them to resolve the hosts and it will list all of the IP addresses. You will also need the IP addresses for your DNS servers. I use a combo of OpenDNS and the AirVPN DNS. I put the firewall rules in my attached storage so I can easily change them if needed. Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range so you'll need to adjust the firewall rule reflect the IP addresses that you have established on your network.
Code:
[root@transmission_1 /etc]# cd /media [root@transmission_1 /media]# nano ipfw_rules
The first set of rules allow access to the DNS servers
Code:
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-$ add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-$
The next rule allows access on my local network to and from the jail:
Code:
add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state
The next set allow access to the ip addresses provided by your VPN service provider. You'll need to add as many as you are given:
Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
Please note that each of the above lines end with "keep-state" but the forum website sometimes shortens them to "keep-$" (see MarchHare's post below).
And the last group allow access to local loop and deny everything else. the 10.0.0.0/8 is for AirVPN, you'll need to find out the ip range for your provider (I found this info in their forums)
Code:
add 04000 allow ip from 127.0.0.1 to any add 05000 allow ip from 10.0.0.0/8 to any add 05002 allow ip from any to 10.0.0.0/8 add 65534 deny ip from any to any
All of these go into the ipfw_rules, I just broke them down to explain their function.
Now fire up ipfw
Code:
[root@transmission_1 /etc]# /etc/rc.d/ipfw start
Test by pinging www.google.com then stop your vpn
Code:
[root@transmission_1 /etc]# usr/local/etc/rc.d/openvpn stop
If it is setup correctly you will get the following with the vpn off:
Code:
[root@transmission_1 /etc]# ping www.google.com PING www.google.com (74.125.225.82): 56 data bytes ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ping: sendto: Permission denied ^C --- www.google.com ping statistics --- 7 packets transmitted, 0 packets received, 100.0% packet loss [root@transmission_1 /etc]#
The final test is to make sure your work survives a reboot, so turn the jail off from the Freenas GUI and start it up again. Then ssh back into your jail and verify openvpn is running and the firewall rules are loaded:
Code:
[root@transmission_1 /etc]# ipfw list
Thanks to all of the folks who have posted on the AirVPN and Freenas forums, I just pulled all of the info together.
Cheers