FreeNAS 11.3 + Transmission plugin + OpenVPN + AirVPN + IPFW Killswitch

Intended Audience

This post may be of interest if you are setting up the Transmission plugin under FreeNAS 11.3. If you’re still on FreeNAS 11.2 refer to the post here instead.

Edit (22/03/2020): There are a number of advantages to installing Transmission in an iocage jail rather than using a plugin. To find out more, refer to the post FreeNAS 11.3 + Transmission Jail + OpenVPN + AirVPN + IPFW Killswitch.

Assumptions

  1. The reader has a working knowledge of FreeNAS.
  2. AirVPN is the reader’s VPN service provider.

Background

At the time of writing this, I am working with FreeNAS 11.3 and Transmission plugin 2.94_3. There are also quite a lot of navigational changes in the UI, which, in part, prompted this revised post.

The Transmission plugin on FreeNAS 11.3 also appears to be packaged slightly differently. The more obvious changes are:

  1. The rpc_whitelist is actually disabled, which makes setting up Transmission easier than it was under FreeNAS 11.2; and
  2. The package has been set up to use NAT addressing by default. However, in this mode Transmission broke when I tried to integrate OpenVPN in the plugin jail. Reverting to a static IP got me around this issue.

Overview

The key steps for the set-up are:

  1. Expose tun devices
  2. Install the Transmission plugin
  3. Modify the Transmission jail properties
  4. Install required packages in the jail
  5. Configure OpenVPN
  6. Test OpenVPN
  7. Configure the IPFW killswitch
  8. Test the IPFW killswitch
  9. Housekeeping

Step 1: Expose tun devices

This is the first gotcha. By default, FreeNAS 11.3 limits the devices jails can access in the host system. To allow jails to access tun devices, include the following pre-init task and reboot the server to allow the rule to take effect.

Tasks ⇒ Init/Shutdown Scripts ⇒ Add

devfs rule -s 4 add path 'tun*' unhide

Step 2: Install the Transmission plugin

Plugins ⇒ Transmission ⇒ Install

The screen below will appear. Give the jail a name and accept the defaults for the moment. Click Save to continue.

On completion of the installation of the Transmission plugin, a dialogue box similar to the one below will be displayed. Of particular note is the highlighted text.

You should now be able to access Transmission from the UI:

Plugins ⇒ transmission ⇒ Manage

Step 3: Modify the Transmission jail properties

There are three objectives here:

  • Give the jail a static IP address;
  • Allow the jail to create tun devices; and
  • Set up additional storage.

A: Give the jail a static IP address

To modify the jail properties, the jail has to be stopped first.

Jails ⇒ transmission ⇒ Stop

Edit its properties.

Jails ⇒ transmission ⇒ Edit

Uncheck NAT. Choose a unique IPv4 Address for the Transmission jail, specify your network IPv4 Netmask and your IPv4 Default Router. An example is shown below.

Once you’ve configured the Basic Properties, click on Custom Properties.

B: Allow the jail to create tun devices

OpenVPN uses a tun device by default to make a virtual network. Check allow_tun and then click Save.

C: Set up additional storage

The Transmission jail is given access to two areas outside the jail on the FreeNAS system. The first allows Transmission to save data to a storage area outside the jail so that the data is accessible to the FreeNAS system. The second is where AirVPN configuration files are kept.

Additional storage is set up using mount points:

Jails ⇒ transmission ⇒ Mount points ⇒ Actions ⇒ Add

An example mapping is shown below.

Having set up the mount points, start the jail again before proceeding to the next step.

Plugins ⇒ transmission ⇒ Start

Step 4: Install required packages in the jail

I’ll be installing the following packages in the Transmission jail.

  1. OpenVPN – As a client to my VPN service provider AirVPN.
  2. Bash – As the preferred command shell.
  3. Nano – As my preferred text editor.
  4. Wget – Used for testing the VPN.

Shell into the jail:

Jails ⇒ transmission ⇒ Shell

We now hit our second stumbling block: attempting to install a package with pkg does nothing, because the FreeBSD package repository is disabled inside the plugin jail.

From a UI shell (make sure you exit the jail shell), trace the location of the FreeBSD.conf file in the transmission jail. The image below shows the path to this file on my system. The path will be similar, but not necessarily the same for you.

Edit the file using your favourite editor. There’s only one entry in the file. Enable the flag to allow FreeBSD packages to be installed in the jail.

FreeBSD: { enabled: yes }

Save your changes and exit the editor. Return to the jail shell:

Jails ⇒ transmission ⇒ Shell

Run the following commands from the shell to update the package repository and upgrade any installed packages:

pkg update
pkg upgrade

Next, install the required packages:

pkg install bash openvpn wget nano

Step 5: Configure OpenVPN

Using an editor, append the following lines to /etc/rc.conf so that OpenVPN and the IP FireWall (IPFW) start when the jail starts.

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Note that firewall_script tells IPFW where to load the rules from, so make sure the path reflects where you are storing the rules file.

Now amend the parameter transmission_download_dir to point to the media mount point.

transmission_download_dir="/media"

Save and exit the editor to return to the command prompt.

Next, create the directories for the OpenVPN configuration file, certificates and keys.

mkdir /usr/local/etc/openvpn
mkdir /usr/local/etc/openvpn/keys

The next few commands reference the /mnt mount point that holds the stored AirVPN files and the IPFW firewall rules (/mnt/scripts on my system). You will need to adapt these paths to your specific setup.

Copy across the AirVPN configuration file, making sure to rename it openvpn.conf. For example:

cp /mnt/scripts/AirVPN/AirVPN_Europe_UDP-443.ovpn /usr/local/etc/openvpn/openvpn.conf

Next, copy over the AirVPN certificates and keys. For example:

cp /mnt/scripts/AirVPN/keys/*.* /usr/local/etc/openvpn/keys

Now edit openvpn.conf and make sure the paths to the certificates and keys are correct. For example:

ca "/usr/local/etc/openvpn/keys/ca.crt"
cert "/usr/local/etc/openvpn/keys/user.crt"
key "/usr/local/etc/openvpn/keys/user.key"
tls-auth "/usr/local/etc/openvpn/keys/ta.key" 1

Save and exit the editor to return to the command prompt.

Step 6: Test OpenVPN

Check that the wget command below returns your internet gateway’s external IP address:

wget http://ipinfo.io/IP -qO -

Start OpenVPN:

service openvpn start

Wait a minute or so (don’t be impatient!) and then repeat the wget command. Confirm that it now returns your VPN IP.

Step 7: Configure the IPFW killswitch

Execute the command below.

ifconfig

It should show a tun device, which is the VPN tunnel. Make a note of the device id.

Copy across the file with the firewall rules. For example:

cp /mnt/scripts/ipfw.rules /usr/local/etc

The contents of ipfw.rules:

#!/bin/sh
# rc.d/ipfw runs firewall_script with /bin/sh, and bash from pkg lives in
# /usr/local/bin on FreeBSD (there is no /bin/bash), so use the system shell.
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun2"   # the tun device ifconfig shows for the VPN tunnel
# Loopback and anything travelling over the VPN tunnel is allowed.
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
# The transmission user may still reach the local network (web UI / RPC) ...
$cmd 00101 allow all from me to 10.1.1.0/24 uid transmission
$cmd 00102 allow all from 10.1.1.0/24 to me uid transmission
# ... but everything else it sends or receives is dropped, so when the tunnel
# goes down its traffic cannot leak out over the jail's physical interface.
# Traffic from other users falls through to ipfw's default rule (65535).
$cmd 00103 deny all from any to any uid transmission

Change the parameter vpn to the device id you made a note of, and change 10.1.1.0/24 to match your own local network.

Step 8: Test the IPFW killswitch

Start the firewall:

service ipfw start

Make sure the firewall has loaded the firewall rules above.

ipfw list
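A scripted version of this check, added here as an example and not code from the original post: it parses the output of `ipfw list` and confirms that the three rules the killswitch depends on are present and that the per-uid deny is numbered after the allow rules. The function name and the sample listings are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): verify from `ipfw list` output
# that the killswitch rule set is loaded and ordered correctly. Assumes the
# rules from the post: allow via lo0, allow via the VPN tun device, and a
# "deny ... uid transmission" whose rule number must be higher than both
# allows, because ipfw evaluates rules in ascending number order.

# check_killswitch VPN_DEV "$(ipfw list)"
# Returns 0 when the killswitch is in place; otherwise prints why and returns 1.
check_killswitch() {
    printf '%s\n' "$2" | awk -v dev="$1" '
        BEGIN { bad = 0 }
        # ipfw lists "all" back as "ip", so only the action and the tail matter
        $2 == "allow" && $8 == "via" && $9 == "lo0"   { lo = $1 + 0 }
        $2 == "allow" && $8 == "via" && $9 == dev     { tun = $1 + 0 }
        $2 == "deny" && $5 == "any" && $7 == "any" &&
            $8 == "uid" && $9 == "transmission"       { deny = $1 + 0 }
        END {
            if (!lo)   { print "missing: allow via lo0"; bad = 1 }
            if (!tun)  { print "missing: allow via " dev; bad = 1 }
            if (!deny) { print "missing: deny all uid transmission"; bad = 1 }
            if (!bad && (deny < lo || deny < tun)) {
                print "deny rule " deny " is evaluated before the allow rules"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample of what `ipfw list` prints once the rules are loaded
# (not captured from a real system).
SAMPLE_OK='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun2
00101 allow ip from me to 10.1.1.0/24 uid transmission
00102 allow ip from 10.1.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 deny ip from any to any'

# Constructed sample with the deny numbered before the allows: a broken killswitch.
SAMPLE_BAD_ORDER='00001 allow ip from any to any via lo0
00005 deny ip from any to any uid transmission
00010 allow ip from any to any via tun2
65535 deny ip from any to any'

# Inside the jail run: check_killswitch tun2 "$(ipfw list)"
check_killswitch tun2 "$SAMPLE_OK" && echo "killswitch OK"
check_killswitch tun2 "$SAMPLE_BAD_ORDER" || echo "killswitch BROKEN (expected for the bad sample)"
```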

Restart the Transmission plug-in.

Plugins ⇒ transmission ⇒ Restart

Shell back into the Transmission jail:

Jails ⇒ transmission ⇒ Shell

Test the firewall by running a large torrent (I used an Ubuntu torrent) and stopping the OpenVPN service during the download.

service openvpn stop

If the firewall is working, downloading should stop. Once it does, start OpenVPN again and downloading should resume.

service openvpn start

Step 9: Housekeeping

At some point, after you’re satisfied that Transmission is operating correctly under the modern UI, remember to delete the legacy Transmission plugin.

References

  1. openvpn issues in new jails after 11.1
  2. FreeNAS 11.2 + Transmission plugin + OpenVPN + AirVPN + IPFW Killswitch

11 thoughts on “FreeNAS 11.3 + Transmission plugin + OpenVPN + AirVPN + IPFW Killswitch”

  1. Hi! Thanks for the guide. Unfortunately, in FreeNAS 11.3, even using your workaround as an init command and setting allow_tun in the GUI, when starting OpenVPN I get this error: ‘Cannot allocate TUN/TAP dev dynamically’. Any idea how to fix?

      1. I solved it in an ugly but working way, editing the OpenVPN conf and changing “dev tun” to “dev tun2”.
        And then I added a line to manually create the tun interface (ifconfig tun2 create) in the starting script /usr/local/etc/rc.d/openvpn.
        Hope this can help other people.

  2. Hi,
    Great guide – many thanks, works great!
    I don’t know if it’s because my NICs are aggregated, but I found that when I stopped the VPN and restarted, the download did not recommence. It transpired that this was due to having the ‘default_vnet_interface’ set to ‘auto’ as opposed to selecting my lagg link specifically (which I’d assumed it would do).

  3. Hello.
    Thank you for this article, which finally allowed me to configure my Transmission via OpenVPN after a Hadopi alert.

    However, I was wondering if there is a way to open a port for sharing?
    I opened a port in AirVPN and then in Transmission, but it remains “closed”.
    I did not succeed despite having followed several tutorials, and I am afraid of breaking the security of the “killswitch”.

    Thank you.

  4. Hi, I’ve used your guide successfully with PIA VPN instead of AirVPN. PIA now also supports the WireGuard protocol, which should work faster than OpenVPN. Is there any chance you could do a write-up on how to use WireGuard instead of OpenVPN?
