Truenas Core 12 + Transmission Jail + OpenVPN

erik w (Cadet; joined Oct 28, 2020; 3 messages):
I've been trying to get Transmission running through OpenVPN using the Community Transmission Jail.

I've followed this guide:


I successfully install OpenVPN and do the config, but upon start, my IP is still from my WAN connection.

When I cat /var/log/messages, I get this error after 60 seconds:

Code:
Mon Mar 21 11:12:48 2016 XX.XX.XX.XX:57804 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)


So that seems to be the primary issue.

It seems like this might be a firewall or port forwarding issue. OpenVPN tries to connect to the VPN through port 1198. I've made sure that this port is open and that it gets forwarded in the jail config. I've also had it forwarded from my router to my FreeNAS box. Nothing seems to work.

One clue seems to be related to the TUN devices. They're enabled, but after installing OpenVPN and running it no tunnel device gets created.

I've manually created one with ifconfig create tun0 and made sure the openvpn.conf points to that device name (dev0). I've made sure the jail is allowed to use TUN devices and restarted the box to make sure those settings hold.

Any insight is appreciated. Do you think being on v12 is related? In the past it seems like people have had issues with point releases that need working out.
 
(joined Jan 7, 2015; 1,155 messages):
OVPN runs on 1194, no?

One other thing to try is to run the VPN config manually from the command line; you'll get more info. For example (yours may vary):
openvpn /usr/local/etc/openvpn/myVPNserver.conf
 

erik w (Cadet; joined Oct 28, 2020; 3 messages):
Fellow Iowan (IC here), OVPN's standard is 1194 but it's configurable. E.g., https://www.privateinternetaccess.com/helpdesk/kb/articles/what-ports-are-used-by-your-vpn-service -- PIA runs it on several different ports depending. They provide the config files which you edit.

I did run the command to get config earlier, and didn't get much.

While I'd prefer to use a jail, I was able to pretty quickly just install Docker on an Ubuntu VM, and run an image that ports Transmission through OpenVPN. All the contact works fine through all those layers of networking, so I'm reasonably confident there's no hardware network configuration problem.
 
(joined Jan 7, 2015; 1,155 messages):
> Fellow Iowan (IC here), OVPN's standard is 1194 but it's configurable. E.g., https://www.privateinternetaccess.com/helpdesk/kb/articles/what-ports-are-used-by-your-vpn-service -- PIA runs it on several different ports depending. They provide the config files which you edit.

Fight for Iowa my man!! Welcome! I'm over here in the QC.

I figured as much, just checking..


Your post piqued my interest because I just had to go through setting all this up again. I did it from scratch from memory in a blank VNET jail, so ultimately I'm unsure about the plugin. However, I was able to get mine to work after a bit of tinkering; the major thing I remember is doing iocage set allow_tun=1 JAILNAME. There's an option for it way down in the GUI as well. A few releases back things were hokey like this and I still had the PRE INIT command in my config; I'm unsure if that is still needed or not, doubtful.

The other thing I wonder is, if you do a service ipfw stop in that jail and then service openvpn start, will it start and create the tun/connect? It seems I also ditched the commonly referenced ipfw.rules and created my own based on device/port and not UID, in your case 1198. I also allow DNS out to Verizon's servers. Check out my rules. Yours might differ a bit but will be similar. Also make sure your ipfw.rules and vpn.conf (and pass.txt, certs) are owned by root with 600 permissions and not transmission.

Code:
#!/bin/sh
# ipfw.rules for the transmission jail: everything leaves through the VPN
# tunnel; the only traffic allowed out of the LAN interface (epair0b) is
# the OpenVPN handshake itself and a DNS lookup to resolve the VPN server.
# (/bin/sh: a FreeBSD jail has no /bin/bash unless you install it.)

# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow DNS to one named resolver so the VPN server's hostname resolves
# before the tunnel is up (change 4.2.2.2 to the resolver in /etc/resolv.conf)
$cmd 00020 allow all from me to 4.2.2.2 via epair0b

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 192.168.1.0/24
$cmd 00102 allow all from 192.168.1.0/24 to me

# allow the OpenVPN connection itself out of the LAN interface
# (1194 here; use the port from your provider's config, e.g. 1198 for PIA)
$cmd 00105 allow all from any to any 1194 out via epair0b

# deny any Transmission connection outside LAN that does not use VPN
# (must come after 00105: ipfw stops at the first matching rule)
$cmd 00106 deny all from any to any out via epair0b

I have just reverified all of this works as expected. The DNS request isn't getting out, so the tun can't be established, I bet. I think I had to add the DNS line because my configs come with domains and not IPs. Check cat /etc/resolv.conf and change the 4.2.2.2 (in ipfw.rules) to whatever your DNS is (don't use your ISP ones).
 
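Since ipfw evaluates rules in order and stops at the first match, the ruleset above is easiest to reason about by pushing sample packets through it. What follows is an added example written for this page, not the poster's script and not code from TrueNAS or FreeBSD: a small Python model of that ruleset (same rules, same order) with a parser for just the syntax it uses. Constructed inputs are the jail addresses 192.168.1.99 on epair0b and 10.8.0.6 on tun0 (what "me" resolves to), and documentation addresses in 203.0.113.0/24 and 198.51.100.0/24 standing in for the VPN server, an ISP resolver and a peer. It shows why a DNS query to anything other than the one allowed resolver is dropped before the tunnel exists (the 60-second TLS handshake timeout in the first post), why a provider port such as 1198 needs its own allow rule, and that a packet matching nothing lands on rule 65535, whose action depends on how the kernel's ipfw was built (IPFIREWALL_DEFAULT_TO_ACCEPT or the loader tunable net.inet.ip.fw.default_to_accept); the model takes that default as a parameter rather than guessing it.

```python
import ipaddress

# The ipfw ruleset from the post above, in the form `ipfw list` prints it
# (constructed copy; the VPN port is the poster's 1194, PIA configs use 1198).
RULES_TEXT = """\
00001 allow all from any to any via lo0
00010 allow all from any to any via tun0
00020 allow all from me to 4.2.2.2 via epair0b
00101 allow all from me to 192.168.1.0/24
00102 allow all from 192.168.1.0/24 to me
00105 allow all from any to any 1194 out via epair0b
00106 deny all from any to any out via epair0b
"""

# Addresses "me" resolves to inside the jail (constructed: the LAN address on
# epair0b and the address OpenVPN assigned to tun0).
JAIL_ADDRS = {"192.168.1.99", "10.8.0.6"}


def parse_rule(line):
    """Parse the ipfw subset used above:
    NUM ACTION PROTO from SRC to DST [DPORT] [in|out] [via IFACE]."""
    tok = line.split()
    if len(tok) < 7 or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    rule = {"num": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": tok[4], "dst": tok[6], "dport": None, "dir": None, "iface": None}
    rest = tok[7:]
    if rest and rest[0].isdigit():
        rule["dport"] = int(rest.pop(0))
    while rest:
        t = rest.pop(0)
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "via" and rest:
            rule["iface"] = rest.pop(0)
        else:
            raise ValueError(f"unsupported token {t!r} in rule: {line}")
    return rule


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in JAIL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    # "via IFACE" matches either direction on that interface; "in"/"out"
    # narrow it. A destination port only matters if the rule names one.
    if rule["iface"] and pkt["iface"] != rule["iface"]:
        return False
    if rule["dir"] and pkt["dir"] != rule["dir"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    return addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"])


def evaluate(rules, pkt, default_action="deny"):
    """First matching rule wins, as in ipfw. No match falls through to rule
    65535, whose action is whatever the kernel's ipfw default is."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["num"], rule["action"]
    return 65535, default_action


RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]


def pkt(src, dst, dport, direction, iface):
    return {"src": src, "dst": dst, "dport": dport, "dir": direction, "iface": iface}


# Constructed packets covering the cases discussed in the thread.
CASES = {
    "dns to 4.2.2.2":       pkt("192.168.1.99", "4.2.2.2", 53, "out", "epair0b"),
    "dns to isp resolver":  pkt("192.168.1.99", "203.0.113.53", 53, "out", "epair0b"),
    "openvpn on 1194":      pkt("192.168.1.99", "203.0.113.10", 1194, "out", "epair0b"),
    "openvpn on 1198":      pkt("192.168.1.99", "203.0.113.10", 1198, "out", "epair0b"),
    "peer via tunnel":      pkt("10.8.0.6", "198.51.100.7", 6881, "out", "tun0"),
    "peer leaking via wan": pkt("192.168.1.99", "198.51.100.7", 6881, "out", "epair0b"),
    "lan client to web ui": pkt("192.168.1.20", "192.168.1.99", 9091, "in", "epair0b"),
    "vpn server reply":     pkt("203.0.113.10", "192.168.1.99", 57804, "in", "epair0b"),
}


def decisions(default_action="deny"):
    """Map each case name to (matching rule number, action)."""
    return {name: evaluate(RULES, p, default_action) for name, p in CASES.items()}


if __name__ == "__main__":
    for name, (num, action) in decisions().items():
        print(f"{name:22s} -> rule {num:5d} {action}")
```

Run it directly to print the decision for every case. To check a real jail, paste the output of ipfw list into RULES_TEXT (ipfw prints the protocol as ip rather than all; the parser accepts either) and put the jail's own addresses in JAIL_ADDRS. Note the last case: replies from the VPN server match no rule in this set and reach rule 65535, so whether the handshake completes on a given box depends on that kernel default, which is worth knowing before you trust the ruleset as a kill switch.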

erik w (Cadet; joined Oct 28, 2020; 3 messages):
> Fight for Iowa my man!! Welcome! I'm over here in the QC.

Nice. Yeah, I gave FreeNAS a shot. Bored with quarantine, I upgraded (side-graded?) from UnRAID after I invested in shucking some more drives so I didn't have a big mismatched set. So far, the file system/share system with FreeNAS is clearly superior. The plugin/VM situation on UnRAID is different. Not using Docker is nice, because of annoyances with Docker, but the available Docker resources are nice to have. Right now, just using Ubuntu with Docker installed to do anything I need to that I can't do in jails.


I made some progress. Turns out the reason it wouldn't connect was because I was trying to connect to a VPN server with PIA that simply wouldn't accept OpenVPN connections. When I switched to a Canadian server, it worked. Rings a bell--I remember having similar issues before.

Now my issue is that I can't access the transmission web panel when the VPN is on. Any tips on how to forward requests to port 9091 around the VPN? Tried a few things, no luck.
 
(joined Jan 7, 2015; 1,155 messages):
Yes, if memory serves, there is a whitelist in the config.json file that has to be changed from 127.0.0.1 to 0.0.0.0 (or the actual LAN IP).
 
(joined Jan 7, 2015; 1,155 messages):
I went and looked, here is the location of that file for me..
nano /mnt/iocage/jails/transmission/root/usr/local/etc/transmission/home/settings.json

And the relevant section:
Code:
    "rpc-authentication-required": true,
    "rpc-bind-address": "192.168.1.99",
    "rpc-enabled": true,
    "rpc-host-whitelist": "192.168.*.*",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "{266ba92b9a7a052577d35e5e1401d713bbcc0fadXeZZfwRn",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "jbd",
    "rpc-whitelist": "0.0.0.0",
    "rpc-whitelist-enabled": false,
 
(joined Jan 7, 2015; 1,155 messages):
I'm using a reverse proxy to access things, so you might want to review what I have there just in case it isn't world-readable best practice. Also, to be clear, you only need to forward 9091 if you want to access the GUI from the world. This is because all ports/connections are allowed through the VPN. So minimize your port forwards to that jail. You also don't need to open the other random port even though it says "closed".
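The settings.json fragment posted two replies up, together with the note above about not exposing more of the jail than 9091, is worth checking mechanically before a port forward or reverse proxy puts it in front of the world. The block below is an added example for this page, not code from the thread or from Transmission: a Python audit of the rpc-* keys, a harden() that applies the fixes, and a check of the stored rpc-password format. The sample settings are constructed (modelled on the posted ones, with a made-up plaintext password instead of the poster's hash). One assumption is labelled in the code: that transmission-daemon rewrites a plaintext rpc-password on startup as "{" plus the hex SHA-1 of password+salt plus an 8-character salt, which is what the posted value's shape (a brace, 40 hex digits, 8 trailing characters) suggests; confirm it against the version you run. Binding to the LAN IP, as the poster did rather than 0.0.0.0, is the narrower of the two options mentioned earlier and the audit treats it as fine.

```python
import hashlib
import json
import secrets
import string

# settings.json fragment modelled on the one posted above (constructed; the
# password is a made-up plaintext, not the poster's stored hash).
SAMPLE_SETTINGS = json.loads("""{
    "rpc-authentication-required": true,
    "rpc-bind-address": "192.168.1.99",
    "rpc-enabled": true,
    "rpc-host-whitelist": "192.168.*.*",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "hunter2",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "jbd",
    "rpc-whitelist": "0.0.0.0",
    "rpc-whitelist-enabled": false
}""")

# Assumption: transmission-daemon stores rpc-password as
# "{" + hex(sha1(password + salt)) + salt, salt being 8 characters drawn
# from this alphabet. Check this against the Transmission version you run.
SALT_ALPHABET = string.ascii_letters + string.digits + "./"
SALT_LEN = 8
HASHED_LEN = 1 + 40 + SALT_LEN


def hash_rpc_password(plain, salt=None):
    """Produce a stored-form password; a fresh random salt unless one is given."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))
    digest = hashlib.sha1((plain + salt).encode("utf-8")).hexdigest()
    return "{" + digest + salt


def is_hashed(value):
    return value.startswith("{") and len(value) == HASHED_LEN


def rpc_password_matches(stored, candidate):
    """True if candidate is the password behind a stored (hashed or plaintext) value."""
    if not is_hashed(stored):
        return secrets.compare_digest(stored.encode(), candidate.encode())
    salt = stored[-SALT_LEN:]
    return secrets.compare_digest(hash_rpc_password(candidate, salt).encode(), stored.encode())


def audit_rpc(settings):
    """Return the exposure findings a reviewer would raise about the rpc-* keys."""
    findings = []
    if not settings.get("rpc-enabled", False):
        return findings  # no RPC listener, nothing to expose
    port = settings.get("rpc-port", 9091)
    if settings.get("rpc-bind-address", "0.0.0.0") == "0.0.0.0":
        findings.append(f"rpc-bind-address is 0.0.0.0: port {port} listens on every interface, tun0 included")
    if not settings.get("rpc-authentication-required", False):
        findings.append("rpc-authentication-required is false: no login needed")
    if not settings.get("rpc-whitelist-enabled", False):
        findings.append(f"rpc-whitelist-enabled is false: any client that reaches port {port} may try to log in")
    if not settings.get("rpc-host-whitelist-enabled", False):
        findings.append("rpc-host-whitelist-enabled is false: requests with a foreign Host header are accepted (DNS-rebinding guard off)")
    if not is_hashed(settings.get("rpc-password", "")):
        findings.append("rpc-password is plaintext: the daemon hashes it on next start, but the file has held the secret")
    return findings


def harden(settings, lan_whitelist="192.168.1.*"):
    """Copy of settings with every finding above resolved; the bind address is kept."""
    out = dict(settings)
    out["rpc-authentication-required"] = True
    out["rpc-whitelist-enabled"] = True
    out["rpc-whitelist"] = f"127.0.0.1,{lan_whitelist}"
    out["rpc-host-whitelist-enabled"] = True
    if not is_hashed(out.get("rpc-password", "")):
        out["rpc-password"] = hash_rpc_password(out.get("rpc-password", ""))
    return out


if __name__ == "__main__":
    for f in audit_rpc(SAMPLE_SETTINGS):
        print("finding:", f)
    print(json.dumps(harden(SAMPLE_SETTINGS), indent=4, sort_keys=True))
```

Point it at a real file with json.load on the jail's settings.json path (the one given in the post above) while transmission-daemon is stopped, since the daemon rewrites settings.json on exit and will overwrite edits made while it runs. The hash check is there to make the file-permission advice concrete: a leaked settings.json gives an attacker a fast unsalted-per-user SHA-1 to crack offline, so the 600/root ownership mentioned for ipfw.rules and the certs applies to this file too.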
 
(joined Jan 7, 2015; 1,155 messages):
Once you get BSD mastered you'll never go back to UnRAID. Some simple things to keep in mind.

Try to get familiar with the BSD ports system, pkg, and creating your jails and such from scratch from the CLI. I've never had to use Docker because I'm very efficient at the CLI. I've never had out-of-date software waiting for the plugin maintainer to update it.

Another place I've seen new users get confused and tripped up is trying to get too clever with their usernames. Make it the exact same as your Windows user/group on the TrueNAS host; also create this user/group in each jail you make and make sure the UID/GID matches across all.

Last, you do not need a separate jail for each of these "plugins". They can easily all be installed into the same jail at the CLI; then you don't have so many working parts. People get into permissions issues when they have 20 jails and 20 different usernames.

If you ever need any help or advice, reach out. I'm always lurking somewhere.
 