FreeNAS 11.2 + Transmission plugin + OpenVPN + AirVPN + IPFW Killswitch

Intended Audience

This post may be of interest if you are setting up the Transmission plugin for the first time under FreeNAS 11.2, or, you are switching from using Transmission under legacy versions of FreeNAS (version 11.1 or earlier). If you are on FreeNAS 11.3, refer to the post here instead.

Assumptions

1. The reader has a working knowledge of FreeNAS.
2. AirVPN is the reader’s VPN service provider.

Background

FreeNAS 11.1 was the last version to place the legacy UI front and centre. The modern UI was there in the background, but largely still experimental. FreeNAS 11.2 set the modern FreeNAS UI as the default, but allowed the legacy UI to run in tandem with it. Legacy plugins that were already installed could continue to run, but were no longer being updated. Consumers had the option of staying with the legacy plugins, which used a Warden backend manager, or migrating to modern plugins on the modern FreeNAS UI, which use the iocage backend manager.

The upcoming FreeNAS 11.3 will drop the legacy FreeNAS UI altogether. As I was still using the legacy Transmission plugin, to allow me to upgrade to FreeNAS 11.3 in the future, it has become necessary for me to remove any dependency on legacy plugins.

At the time of writing this, I am working with FreeNAS 11.2-U7 and Transmission plugin 2.94_3. As a passing point of interest, the legacy Transmission plugin stopped at version 2.92.

Note that both the legacy and modern Transmission plugins can run at the same time as long as each has a unique jail address. There is, therefore, no requirement to switch the legacy Transmission plugin off before switching on the modern plugin, which simplifies the transition considerably.

Overview

The aim of this post is to set up the Transmission plugin on the modern FreeNAS 11.2 UI. It must use a VPN for data and remain well-behaved if the VPN goes down.

The key steps for the set-up  are:

1. Install the Transmission plugin
2. Allow access to Transmission
3. Modify the Transmission jail properties
4. Install required packages in the jail
5. Configure OpenVPN
6. Test OpenVPN
7. Configure the IPFW killswitch
8. Test the IPFW killswitch
9. Housekeeping

Step 1: Install the Transmission Plug-in

Edit (14/02/2020): Before continuing with these instructions, Step 1 of the post here should be completed first. Without it, some of you may find that you cannot get Transmission to work.

Plugins ⇒ Available ⇒ Transmission ⋮ Install

The screen below will appear. Click Save to continue.

On completion of the installation of the Transmission plugin, a dialogue box similar to the one below will be displayed. Of particular note is the highlighted text.

Now we hit the first stumbling block. Attempting to access Transmission from the UI…

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Management

…throws up the error below. Note that transmission_2 is the name of the Transmission jail referred to in this post. Replace it with the name of your Transmission jail.

Step 2: Allow access to Transmission

This step cannot be completed while the jail is running so stop the plugin first:

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Stop

From a UI shell, trace the location of the settings.json file in the transmission jail. The image below shows the path to this file on my system. The path will be similar, but not necessarily the same for you.

Now edit the file using your favourite editor and update rpc-whitelist to include the address of clients that should have access to the admin portal. I was happy for all clients on my local network to have access to the portal so this is what the amended entry looked like for me.

"rpc-whitelist": "127.0.0.1, 10.1.1.*",

Now save your changes and exit the editor. Back in the UI, start the Transmission plugin:

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Start

You should now be able to access Transmission from the UI:

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Management

Step 3: Modify the Transmission jail properties

There are three objectives here:

• Give the jail a static IP address;
• Allow the jail to create tun devices; and
• Set up additional storage.

A: Give the jail a static IP address

To modify the jail properties, the jail has to be stopped first.

Jails ⇒ transmission_2 ⋮ Stop

Edit its properties.

Jails ⇒ transmission_2 ⋮ Edit

Uncheck DHCP Autoconfigure IPv4. Make sure you select vnet0 for the IPv4 interface. Choose a unique IPv4 Address for the Transmission jail, specify your network IPv4 Netmask and your IPv4 Default Router. An example is shown below.

Once you’ve configured the Basic Properties, click on Custom Properties.

B: Allow the jail to create tun devices

OpenVPN uses a tun device by default to make a virtual network. Check allow_tun and then click Save.

C: Set up additional storage

The Transmission jail is given access to two areas outside the jail on the FreeNAS system. The first allows Transmission to save data to a storage area outside the jail so that the data is accessible to the FreeNAS system. The second provides temporary access to the external location where I have stored my AirVPN configuration, certificate and key files so that these can be copied into the jail.

Additional storage is set up using mount points:

Jails ⇒ transmission_2 ⋮ Mount points ⇒ Actions ⇒ Add Mount Point

For the purpose of this exercise, the external location where Transmission will save its downloads will map to the jail media mount point, and the external location where AirVPN files are kept will be mapped temporarily to the jail mnt mount point. An example mapping is shown below.

Having set up the mount points, start the jail again before proceeding to the next step.

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Start

Step 4: Install required packages in the jail

I’ll be installing the following packages in the Transmission jail.

1. OpenVPN – As a client to my VPN service provider AirVPN.
2. Bash – As the preferred command shell.
3. Nano – As my preferred text editor.
4. Wget – Used for testing the VPN.

Shell into the jail:

Jails ⇒ transmission_2 ⋮ Shell

We now hit our second stumbling block. When attempting to install a package (see below), nothing happens.

From a UI shell (make sure you exit the jail shell), trace the location of the FreeBSD.conf file in the transmission jail. The image below shows the path to this file on my system. The path will be similar, but not necessarily the same for you.

Edit the file using your favourite editor. There’s only one entry in the file. Enable the flag to allow FreeBSD packages to be installed in the jail.

FreeBSD: { enabled: yes }

Save your changes and exit the editor. Return to the jail shell:

Jails ⇒ transmission_2 ⋮ Shell

Run the following commands from the shell to update the package repository and upgrade any installed packages:

pkg update
pkg upgrade

Next, install the required packages:

pkg install bash openvpn wget nano

Step 5: Configure OpenVPN 

Using an editor, append the following lines to /etc/rc.conf so that OpenVPN and the IP FireWall (IPFW) start when the jail starts.

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Note that firewall_script tells IPFW where the rules are to be loaded so make sure to change the path to reflect where you are storing the file with the rules.

Now amend the parameter transmission_download_dir to point to the media mount point.

transmission_download_dir="/media"

Save and exit the editor to return to the command prompt.

Next, create the directories for the OpenVPN configuration file, certificates and keys.

mkdir /usr/local/etc/openvpn
mkdir /usr/local/etc/openvpn/keys

The example directory listing below is for the mnt mount point that contains stored AirVPN files and IPFW firewall rules. The next few commands reference these locations and files. You will need to adapt these to your specific setup.

Copy across the AirVPN configuration file making sure to rename it openvpn.conf. For example:

cp /mnt/AirVPN/AirVPN_Europe_UDP-443.ovpn /usr/local/etc/openvpn/openvpn.conf

Next, copy over the AirVPN certificates and keys. For example:

cp /mnt/AirVPN/keys/*.* /usr/local/etc/openvpn/keys

Now edit openvpn.conf and make sure the paths to the certificates and keys are correct. For example:

ca "/usr/local/etc/openvpn/keys/ca.crt"
cert "/usr/local/etc/openvpn/keys/user.crt"
key "/usr/local/etc/openvpn/keys/user.key"
tls-auth "/usr/local/etc/openvpn/keys/ta.key" 1

Save and exit the editor to return to the command prompt.

Step 6: Test OpenVPN

Check that the wget command below returns your internet gateway’s external IP address:

wget http://ipinfo.io/IP -qO -

Start OpenVPN:

service openvpn start

Wait a minute or so (don’t be impatient!) and then repeat the wget command.  Confirm that it now returns your VPN IP.

Step 7: Configure the IPFW killswitch

Execute the command below.

ifconfig

It should show a tun device, which is the VPN tunnel. Make a note of the device id.

Copy across the file with the firewall rules. For example:

cp /mnt/ipfw.rules /usr/local/etc

The contents of ipfw.rules:

#!/bin/bash
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun2"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
$cmd 00101 allow all from me to 10.1.1.0/24 uid transmission
$cmd 00102 allow all from 10.1.1.0/24 to me uid transmission
$cmd 00103 deny all from any to any uid transmission

Change the parameter vpn to use the device id you made a note of. Change the 10.1.1.0/24 to whatever your personal network is set up to.

Step 8: Test the IPFW killswitch

Start the firewall:

service ipfw start

Make sure the firewall has loaded the firewall rules above.

ipfw list

Restart the Transmission plug-in.

Plugins ⇒ Installed ⇒ transmission_2 ⋮ Restart

Shell back into the Transmission jail:

Jails ⇒ transmission_2 ⋮ Shell

Test the firewall by running a large torrent file (I used ubuntu torrent), and stopping the OpenVPN service during the download.

service openvpn stop

If the firewall is working, downloading should stop. Once it does, start OpenVPN again and downloading should resume.

service openvpn start

Step 9: Housekeeping

Finally, remove the temporary mount point from the UI. You need to stop the jail first.

Jails ⇒ transmission_2 ⋮ Stop

Jails ⇒ transmission_2 ⋮ Mount points ⇒ Actions ⇒ <relevant table entry> ⋮ Delete

Restart the jail.

Jails ⇒ transmission_2 ⋮ Start

At some point, after you’re satisfied that Transmission is operating correctly under the modern UI, remember to delete the legacy Transmission plugin.

References

1. (Tutorial) 11.1 warden jail to 11.2 iocage jail – Plex migration and rebuild of transmission + openvpn (pia) + ipfw + tvnamer
2. How to use Openvpn & ipfw in a jail so it only connects to the VPN
3. What should I know about “allow_tun=1”?
4. FN11.2 iocage jails – Plex, Tautulli, Sonarr, Radarr, Lidarr, Jackett, Transmission, Organizr