
OpenVPN won't create tun0 in transmission jail

Status
Not open for further replies.

UF8FF

Member
Joined
Jan 16, 2016
Messages
29
Hey everyone,
I have been having issues with my transmission jail so I decided to start from scratch. I have gone through setting up OpenVPN but here's the error I'm getting:

Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
Wed Dec  5 18:32:08 2018 WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Wed Dec  5 18:32:08 2018 OpenVPN 2.4.6 amd64-portbld-freebsd10.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Sep 29 2018
Wed Dec  5 18:32:08 2018 library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.10
Wed Dec  5 18:32:08 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]23.237.102.106:1198
Wed Dec  5 18:32:08 2018 UDP link local: (not bound)
Wed Dec  5 18:32:08 2018 UDP link remote: [AF_INET]23.237.102.106:1198
Wed Dec  5 18:32:08 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Dec  5 18:32:08 2018 [b4117f68b4777880ecc9060473c914b9] Peer Connection Initiated with [AF_INET]23.237.102.106:1198
Wed Dec  5 18:32:09 2018 TUN/TAP device /dev/tun0 opened
Wed Dec  5 18:32:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Dec  5 18:32:09 2018 /sbin/ifconfig tun0 10.51.15.6 10.51.15.5 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun0 does not exist
Wed Dec  5 18:32:09 2018 FreeBSD ifconfig failed: external program exited with error status: 1
Wed Dec  5 18:32:09 2018 Exiting due to fatal error


This is my conf file:
Code:
client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /usr/local/etc/openvpn/pass.txt
compress
verb 1
reneg-sec 0
crl-verify /usr/local/etc/openvpn/crl.rsa.2048.pem
ca /usr/local/etc/openvpn/ca.rsa.2048.crt
disable-occ

I can log in to the PIA website using the same username and password without issue... let's see -- also my server is at 192.168.2.200, the gateway being 192.168.2.1.

Here's the ifconfig:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair8b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:b0:00:0f:0b
    inet 192.168.2.211 netmask 0xffffff00 broadcast 192.168.2.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active    


Any help would be greatly appreciated!
 

UF8FF

Member
Joined
Jan 16, 2016
Messages
29

JTBTek

Member
Joined
Dec 1, 2018
Messages
32
No problem at all. I was at a bit of an advantage, as I just had the same issue last week..lol! Working great now.

Qbittorrent + OpenVPN + IPVANISH
 

JTBTek

Member
Joined
Dec 1, 2018
Messages
32
Just in case someone stumbles on this, I'm posting the takeaway from the linked post.
  1. Remove any existing openvpn support hacks, such as the devfs pre-init command.
  2. Stop all of the jails that are using OpenVPN
    iocage stop <jail-name>

  3. Update your openvpn jail(s) to include the allow_tun=1 setting. FreeNAS should support this via UI eventually, but as of now I'm unaware of a way to do this with UI. This can be done by running:
    iocage set allow_tun=1 <jail-name>

  4. Reboot your NAS, to clear any resident state from previous hack(s).
  5. Start the jail again.
    iocage start <jail-name>
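
Added example (not part of the original posts, and not FreeNAS or iocage code): a POSIX sh triage of an OpenVPN client log that recognises the failure shown in the first post and points at the `allow_tun=1` fix above, along with the two credential warnings in the same log. The function names `write_sample_log` and `diagnose_openvpn_log` are hypothetical; the sample lines are copied from the log in the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Sample input: selected lines copied from the log in the first post.
write_sample_log() {
    cat > "$1" <<'EOF'
Wed Dec  5 18:32:08 2018 WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Wed Dec  5 18:32:08 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Dec  5 18:32:09 2018 TUN/TAP device /dev/tun0 opened
Wed Dec  5 18:32:09 2018 /sbin/ifconfig tun0 10.51.15.6 10.51.15.5 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun0 does not exist
Wed Dec  5 18:32:09 2018 FreeBSD ifconfig failed: external program exited with error status: 1
EOF
}

# Print one finding per line for an OpenVPN client log; always returns 0
# when the log is readable, so it is safe to call under `set -e`.
diagnose_openvpn_log() {
    log="$1"
    [ -r "$log" ] || { echo "ERROR cannot read $log" >&2; return 2; }
    findings=0

    # The device node opened, yet ifconfig cannot find the interface: the
    # failure this thread resolved with allow_tun=1 on the jail.
    dev=$(sed -n 's|.*TUN/TAP device /dev/\(tun[0-9][0-9]*\) opened.*|\1|p' "$log" | tail -n 1)
    if [ -n "$dev" ] && grep -q "ifconfig: interface $dev does not exist" "$log"; then
        echo "TUN_BLOCKED $dev: stop the jail, run 'iocage set allow_tun=1 <jail-name>' on the host"
        findings=$((findings + 1))
    fi

    # Credentials file readable beyond its owner (paths with spaces not handled).
    for f in $(sed -n "s/.*WARNING: file '\([^']*\)' is group or others accessible.*/\1/p" "$log" | sort -u); do
        echo "CRED_PERMS $f: run 'chmod 600 $f' inside the jail"
        findings=$((findings + 1))
    done

    # OpenVPN's own hint about keeping the password in memory.
    if grep -q "use the auth-nocache option" "$log"; then
        echo "AUTH_CACHE: add 'auth-nocache' to the client config"
        findings=$((findings + 1))
    fi

    if [ "$findings" -eq 0 ]; then echo "OK no known issue matched"; fi
    return 0
}

# Usage: sh triage.sh /path/to/openvpn.log
if [ "$#" -gt 0 ]; then diagnose_openvpn_log "$1"; fi
```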
 

JTBTek

Member
Joined
Dec 1, 2018
Messages
32
11.2-RC2 still requires this, that is what I'm running.

I could be mistaken (I'm still new to FreeNAS), but I believe this is a new security feature in jails to restrict tun creation. Going forward, you will need to expressly tell FreeNAS that it is ok for the jail to create a tun interface.

Anyone with more knowledge, please feel free to correct me if I'm wrong.
 

Toast

Junior Member
Joined
Jun 17, 2014
Messages
16
I really don't know. I was under the impression that it's because of an older iocage version. But I don't know. Hopefully someone makes it clear.
 

Baenwort

Member
Joined
Feb 19, 2015
Messages
75
11.2 Release still needs the allow_tun=1 to work for me.
 

Skyler

Junior Member
Joined
Feb 8, 2014
Messages
18
I'm still having issues with OpenVPN + Transmission in 11.2 release (iocage jail). The OpenVPN service starts fine and I can see tun0 is available when running ifconfig in the jail. I can even run curl icanhazip.com from within the jail and I get a different IP address than running it outside of the jail. However, when the OpenVPN service is running, nothing will download in Transmission. As soon as I stop the OpenVPN service, everything resumes downloading.

Any idea why Transmission isn't downloading when OpenVPN is running?
 

JTBTek

Member
Joined
Dec 1, 2018
Messages
32
> I'm still having issues with OpenVPN + Transmission in 11.2 release (iocage jail). The OpenVPN service starts fine and I can see tun0 is available when running ifconfig in the jail. I can even run curl icanhazip.com from within the jail and I get a different IP address than running it outside of the jail. However, when the OpenVPN service is running, nothing will download in Transmission. As soon as I stop the OpenVPN service, everything resumes downloading.
>
> Any idea why Transmission isn't downloading when OpenVPN is running?

So from within the jail with openvpn running, you can ping an outside source like google and it doesn't time out?

If the ping doesn't time out, your vpn provider may be blocking ports (but this is unlikely), or maybe some firewall rules blocking it (this is what happened to me when I got my rules backwards for my kill switch).
 

Skyler

Junior Member
Joined
Feb 8, 2014
Messages
18
> So from within the jail with openvpn running, you can ping an outside source like google and it doesn't time out?
>
> If the ping doesn't time out, your vpn provider may be blocking ports (but this is unlikely), or maybe some firewall rules blocking it (this is what happened to me when I got my rules backwards for my kill switch).

Correct. I can ping any outside source from within the jail while openvpn is running. I'm using PIA as my VPN provider, and I've tried 2 different config files. I haven't implemented any IPFW rules yet.

This same setup was working in 11.1U6 under the old warden jail system.
 

JTBTek

Member
Joined
Dec 1, 2018
Messages
32
I'm not sure from here. I just started using FreeNAS about 2 weeks ago. But have successfully got my entire media server setup and working 100% automated last night. I wish I would have documented all the little tweaks I ended up making.

Hopefully someone will come along with more experience than myself and help provide some insight to the issue. Good luck.
 

Skyler

Junior Member
Joined
Feb 8, 2014
Messages
18
> I'm not sure from here. I just started using FreeNAS about 2 weeks ago. But have successfully got my entire media server setup and working 100% automated last night. I wish I would have documented all the little tweaks I ended up making.
>
> Hopefully someone will come along with more experience than myself and help provide some insight to the issue. Good luck.

No worries. I resolved this by setting up the OpenVPN client on my router. I targeted the Transmission jail IP and was able to set up a kill switch as well. I'm not sure why/how setting up OpenVPN on my router was any different than in the jail, but it's working as expected now.
 