OpenVPN in 11.3U1 iocage Transmission Jail Issues

relli10

Cadet
Joined
Mar 20, 2015
Messages
9
I'm trying to get openVPN (in client mode) working in a Transmission plugin jail created in 11.3-U1. I've followed the following guides, but have not been successful and believe I have some kind of DNS issue.


I have been able to install and configure the openvpn client to connect/authenticate with my VPN provider, NordVPN.

However the VPN does not appear to work. Once the VPN is connected, I am not able to ping / drill / wget any services using domain names. However when I try these commands with IP addresses of the domains, the commands return sensible data. See below.

Code:
root@transmission:~ # drill google.com
Error: error sending query: Could not send or receive, because of network error
root@transmission:~ # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@transmission:~ # wget -qO - http://wtfismyip.com/text
root@transmission:~ # ping 216.58.203.110
PING 216.58.203.110 (216.58.203.110): 56 data bytes
64 bytes from 216.58.203.110: icmp_seq=0 ttl=57 time=7.108 ms
64 bytes from 216.58.203.110: icmp_seq=1 ttl=57 time=7.564 ms
64 bytes from 216.58.203.110: icmp_seq=2 ttl=57 time=7.842 ms
^C
--- 216.58.203.110 ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 7.108/11.493/30.780/8.631 ms
root@transmission:~ # wget -qO - http://69.195.159.158/text
144.48.36.4


Before I try and get IPFW configured, I want to ensure the VPN is working. Does anybody have any ideas on what could be happening or suggestions on what I should be investigating to get the VPN functioning normally?

Please note the last command in the code above is actually returning the public IP of the VPN service. This is not my home network's public IP.

Some further information that may help is as follows:

My home private network is on 10.0.0.0/24 (255.255.255.0)
My modem/router/gateway is 10.0.0.138.
My FreeNAS server is 10.0.0.17.

The Transmission plugin jail appears to be on 172.16.0.0/30
The Transmission plugin jail is 172.16.0.2 (it is using NAT within FreeNAS).

The NordVPN private network looks to be 10.8.8.0/24 (255.255.255.0)
The NordVPN DNS servers are 103.86.96.100 and 103.86.99.100.

Once the VPN is connected, I am unable to access the Transmission GUI at http://10.0.0.17:9091 from other devices on my local LAN.

The Transmission jail is set up with allow_tun selected in the custom properties and the following port forwarding within the jail:

tcp 9091(jail) ->9091(host) for transmission GUI
udp 1194(jail) ->1194(host) for openVPN connection to NordVPN


After executing:
root@transmission:~ # service openvpn start

The logs in /var/log/messages are:
Code:
Apr 20 00:59:47 transmission openvpn[25415]: OpenVPN 2.4.8 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 31 2020
Apr 20 00:59:47 transmission openvpn[25415]: library versions: OpenSSL 1.0.2s-freebsd  28 May 2019, LZO 2.10
Apr 20 00:59:47 transmission openvpn[25416]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Apr 20 00:59:47 transmission openvpn[25416]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 20 00:59:47 transmission openvpn[25416]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Apr 20 00:59:47 transmission openvpn[25416]: TCP/UDP: Preserving recently used remote address: [AF_INET]144.48.36.3:1194
Apr 20 00:59:47 transmission openvpn[25416]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Apr 20 00:59:47 transmission openvpn[25416]: UDP link local: (not bound)
Apr 20 00:59:47 transmission openvpn[25416]: UDP link remote: [AF_INET]144.48.36.3:1194
Apr 20 00:59:47 transmission openvpn[25416]: TLS: Initial packet from [AF_INET]144.48.36.3:1194, sid=7d86a5dd 631f146f
Apr 20 00:59:47 transmission openvpn[25416]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Apr 20 00:59:47 transmission openvpn[25416]: VERIFY OK: depth=2, C=PA, O=NordVPN, CN=NordVPN Root CA
Apr 20 00:59:47 transmission openvpn[25416]: VERIFY OK: depth=1, C=PA, O=NordVPN, CN=NordVPN CA4
Apr 20 00:59:47 transmission openvpn[25416]: VERIFY KU OK
Apr 20 00:59:47 transmission openvpn[25416]: Validating certificate extended key usage
Apr 20 00:59:47 transmission openvpn[25416]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr 20 00:59:47 transmission openvpn[25416]: VERIFY EKU OK
Apr 20 00:59:47 transmission openvpn[25416]: VERIFY OK: depth=0, CN=au263.nordvpn.com
Apr 20 00:59:47 transmission openvpn[25416]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Apr 20 00:59:47 transmission openvpn[25416]: [au263.nordvpn.com] Peer Connection Initiated with [AF_INET]144.48.36.3:1194
Apr 20 00:59:48 transmission openvpn[25416]: SENT CONTROL [au263.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Apr 20 00:59:48 transmission openvpn[25416]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 103.86.96.100,dhcp-option DNS>
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: explicit notify parm(s) modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: compression parms modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Apr 20 00:59:48 transmission openvpn[25416]: Socket Buffers: R=[42080->524288] S=[9216->524288]
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: route options modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: route-related options modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: peer-id set
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: adjusting link_mtu to 1657
Apr 20 00:59:48 transmission openvpn[25416]: OPTIONS IMPORT: data channel crypto options modified
Apr 20 00:59:48 transmission openvpn[25416]: Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 20 00:59:48 transmission openvpn[25416]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 20 00:59:48 transmission openvpn[25416]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 20 00:59:48 transmission openvpn[25416]: ROUTE_GATEWAY 172.16.0.1/255.255.255.252 IFACE=epair0b HWADDR=3c:d9:2b:03:aa:47
Apr 20 00:59:48 transmission openvpn[25416]: TUN/TAP device /dev/tun0 opened
Apr 20 00:59:48 transmission openvpn[25416]: /sbin/ifconfig tun0 10.8.8.20 10.8.8.1 mtu 1500 netmask 255.255.255.0 up
Apr 20 00:59:48 transmission openvpn[25416]: /sbin/route add -net 10.8.8.0 10.8.8.1 255.255.255.0
Apr 20 00:59:48 transmission openvpn[25416]: /sbin/route add -net 144.48.36.3 172.16.0.1 255.255.255.255
Apr 20 00:59:48 transmission openvpn[25416]: /sbin/route add -net 0.0.0.0 10.8.8.1 128.0.0.0
Apr 20 00:59:48 transmission openvpn[25416]: /sbin/route add -net 128.0.0.0 10.8.8.1 128.0.0.0
Apr 20 00:59:49 transmission openvpn[25416]: Initialization Sequence Completed


Code:
root@transmission:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 3c:d9:2b:03:aa:47
        hwaddr 02:a0:76:00:07:0b
        inet 172.16.0.2 netmask 0xfffffffc broadcast 172.16.0.3
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.8.20 --> 10.8.8.1 netmask 0xffffff00
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 25416


Code:
root@transmission:~ # cat /etc/resolv.conf
# Generated by resolvconf
search local gateway
nameserver 10.0.0.138


Code:
root@transmission:~ # netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.8.1           UGS        tun0
default            172.16.0.1         UGS     epair0b
10.8.8.0/24        10.8.8.1           UGS        tun0
10.8.8.1           link#3             UH         tun0
10.8.8.20          link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        10.8.8.1           UGS        tun0
144.48.36.3/32     172.16.0.1         UGS     epair0b
172.16.0.0/30      link#2             U       epair0b
172.16.0.2         link#2             UHS         lo0

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0
root@transmission:~ #
 

relli10

After re-reading all my details in the post above, I ended up manually adding the NordVPN DNS servers into /etc/resolv.conf, and the VPN is functioning correctly after this. I suspect that, as my private network and the NordVPN network both use the 10.0.0.0/16 range, with the VPN active my jail was requesting the DNS server 10.0.0.138 on the NordVPN private network, where it does not exist. The contents of my resolv.conf file are now:
Code:
root@transmission:~ # cat /etc/resolv.conf
# Generated by resolvconf
search local gateway
#nameserver 10.0.0.138
nameserver 103.86.96.100
nameserver 103.86.96.100


I'll now have a crack at getting IPFW working with Transmission...
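As an added example (not from this thread and not part of the FreeNAS plugin), one way to avoid editing resolv.conf by hand is an OpenVPN up/down script in the jail that applies the resolvers the server pushes in its PUSH_REPLY. It assumes the client config references it with "script-security 2", "up" and "down", and relies on OpenVPN exporting each pushed "dhcp-option DNS" as foreign_option_1, foreign_option_2, ... and the phase as script_type; the RESOLV_CONF override and the ".pre-vpn" backup name are this example's own choices.

```shell
#!/bin/sh
# Added example: OpenVPN --up/--down script for the jail. OpenVPN exports each
# pushed "dhcp-option" as foreign_option_1, foreign_option_2, ... and the phase as
# script_type, but on FreeBSD it never edits /etc/resolv.conf, so a LAN resolver
# like 10.0.0.138 gets routed into the tunnel by redirect-gateway def1 and dies.
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"   # overridable for testing
BACKUP_SUFFIX=".pre-vpn"                          # this example's own naming

# Print the pushed DNS servers one per line, pushed order, duplicates dropped.
pushed_dns_servers() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done | awk '!seen[$0]++'
}

# Replace the resolver file with the pushed servers, keeping a one-time backup.
# Returns 1 and changes nothing if the server pushed no DNS option at all.
write_vpn_resolv_conf() {
    target="$1"
    servers=$(pushed_dns_servers)
    if [ -z "$servers" ]; then
        echo "openvpn up: no DNS pushed, leaving $target unchanged" >&2
        return 1
    fi
    if [ -f "$target" ] && [ ! -f "$target$BACKUP_SUFFIX" ]; then
        cp "$target" "$target$BACKUP_SUFFIX"
    fi
    {
        echo "# Generated by openvpn up script; restored when the tunnel goes down"
        printf '%s\n' "$servers" | while IFS= read -r s; do echo "nameserver $s"; done
    } > "$target"
}

# Put the pre-VPN resolver file back; a no-op when there is no backup.
restore_resolv_conf() {
    target="$1"
    if [ -f "$target$BACKUP_SUFFIX" ]; then mv "$target$BACKUP_SUFFIX" "$target"; fi
}

case "${script_type:-}" in   # set by OpenVPN; unset when sourced for testing
    up)   write_vpn_resolv_conf "$RESOLV_CONF" ;;
    down) restore_resolv_conf "$RESOLV_CONF" ;;
esac
```

Because the LAN resolver is restored on "down", the jail falls back to the home DNS when the tunnel is closed and only uses the VPN resolvers while traffic is actually routed through tun0.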
 

Jack828

Dabbler
Joined
Nov 11, 2020
Messages
16
Hey, did you ever solve this issue?

I've also got Transmission + NordVPN and I cannot for the life of me get the ipfw "kill switch" working - if I enable NordVPN I can't access Transmission!

Not trying to hijack yer thread, just hoping I can steal your solutions...
 

relli10

Hey, did you ever solve this issue?

I've also got Transmission + NordVPN and I cannot for the life of me get the ipfw "kill switch" working - if I enable NordVPN I can't access Transmission!

Not trying to hijack yer thread, just hoping I can steal your solutions...

Hi @Jack828, sorry about the delay in replying, but yes, I have it working. If Transmission is successfully connected through your VPN, I suspect your issue is probably in your IP table settings in the "ipfw_rules" file.

Run the following from the Transmission jail shell to check that the public IP for Transmission is routing via NordVPN and not your ISP's public IP.

wget -qO - http://wtfismyip.com/text

If the IP address returned above is different from your public IP, the Transmission VPN is working.

The contents of my /media/ipfw_rules file is as follows:

Code:
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 10.0.0.0/24
$cmd 00102 allow all from 10.0.0.0/24 to me
$cmd 00103 allow all from me to 172.16.0.0/30
$cmd 00104 allow all from 172.16.0.0/30 to me


You will have to change the last section of this file to match your network. In my file, 10.0.0.0/24 is my local LAN and 172.16.0.0/30 is the IP FreeNAS has allocated to my Transmission jail on my system.

Also, confirm that your VPN tun device name is "tun0" and edit the top part of the file if this is not the case. Check by running ifconfig.

Hope this helps :)
 