Intended Audience
This post may be of interest if you are setting up the Transmission plugin under FreeNAS 11.3. If you’re still on FreeNAS 11.2 refer to the post here instead.
Edit (22/03/2020): There are a number of advantages to installing Transmission in an iocage jail rather than using a plugin. To find out more, refer to the post FreeNAS 11.3 + Transmission Jail + OpenVPN + AirVPN + IPFW Killswitch.
Assumptions
- The reader has a working knowledge of FreeNAS.
- AirVPN is the reader’s VPN service provider.
Background
At the time of writing this, I am working with FreeNAS 11.3 and Transmission plugin 2.94_3. There are also quite a lot of navigational changes in the UI, which, in part, prompted this revised post.
The Transmission plugin on FreeNAS 11.3 also appears to be packaged slightly differently. The more obvious changes are:
- The rpc_whitelist is actually disabled, which makes setting up Transmission easier than it was under FreeNAS 11.2; and
- The package has been set up to use NAT addressing by default. However, in this mode Transmission broke when I tried to integrate OpenVPN into the plugin jail; reverting to a static IP got me around this issue.
Overview
The key steps for the set-up are:
- Expose tun devices
- Install the Transmission plugin
- Modify the Transmission jail properties
- Install required packages in the jail
- Configure OpenVPN
- Test OpenVPN
- Configure the IPFW killswitch
- Test the IPFW killswitch
- Housekeeping
Step 1: Expose tun devices
This is the first gotcha. By default, FreeNAS 11.3 limits the devices jails can access in the host system. To allow jails to access tun devices, include the following pre-init task and reboot the server to allow the rule to take effect.
Tasks ⇒ Init/Shutdown Scripts ⇒ Add
devfs rule -s 4 add path 'tun*' unhide
Step 2: Install the Transmission plugin
Plugins ⇒ Transmission ⇒ Install
The screen below will appear. Give the jail a name and accept the defaults for the moment. Click Save to continue.
On completion of the installation of the Transmission plugin, a dialogue box similar to the one below will be displayed. Of particular note is the highlighted text.
You should now be able to access Transmission from the UI:
Plugins ⇒ transmission ⇒ Manage
Step 3: Modify the Transmission jail properties
There are three objectives here:
- Give the jail a static IP address;
- Allow the jail to create tun devices; and
- Set up additional storage.
A: Give the jail a static IP address
To modify the jail properties, the jail has to be stopped first.
Jails ⇒ transmission ⇒ Stop
Edit its properties.
Jails ⇒ transmission ⇒ Edit
Uncheck NAT. Choose a unique IPv4 Address for the Transmission jail, specify your network IPv4 Netmask and your IPv4 Default Router. An example is shown below.
Once you’ve configured the Basic Properties, click on Custom Properties.
B: Allow the jail to create tun devices
OpenVPN uses a tun device by default to make a virtual network. Check allow_tun and then click Save.
C: Set up additional storage
The Transmission jail is given access to two areas outside the jail on the FreeNAS system. The first allows Transmission to save data to a storage area outside the jail so that the data is accessible to the FreeNAS system. The second is where AirVPN configuration files are kept.
Additional storage is set up using mount points:
Jails ⇒ transmission ⇒ Mount points ⇒ Actions ⇒ Add
An example mapping is shown below.
Having set up the mount points, start the jail again before proceeding to the next step.
Plugins ⇒ transmission ⇒ Start
Step 4: Install required packages in the jail
I’ll be installing the following packages in the Transmission jail.
- OpenVPN – As a client to my VPN service provider AirVPN.
- Bash – As the preferred command shell.
- Nano – As my preferred text editor.
- Wget – Used for testing the VPN.
Shell into the jail:
Jails ⇒ transmission ⇒ Shell
We now hit our second stumbling block. When attempting to install a package (see below), nothing happens.
From a UI shell (make sure you exit the jail shell), trace the location of the FreeBSD.conf file in the transmission jail. The image below shows the path to this file on my system. The path will be similar, but not necessarily the same for you.
Edit the file using your favourite editor. There’s only one entry in the file. Enable the flag to allow FreeBSD packages to be installed in the jail.
FreeBSD: { enabled: yes }
Save your changes and exit the editor. Return to the jail shell:
Jails ⇒ transmission ⇒ Shell
Run the following commands from the shell to update the package repository and upgrade any installed packages:
pkg update
pkg upgrade
Next, install the required packages:
pkg install bash openvpn wget nano
Step 5: Configure OpenVPN
Using an editor, append the following lines to /etc/rc.conf so that OpenVPN and the IP FireWall (IPFW) start when the jail starts.
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Note that firewall_script tells IPFW where the rules are to be loaded so make sure to change the path to reflect where you are storing the file with the rules.
Now amend the parameter transmission_download_dir to point to the media mount point.
transmission_download_dir="/media"
Save and exit the editor to return to the command prompt.
Next, create the directories for the OpenVPN configuration file, certificates and keys.
mkdir /usr/local/etc/openvpn
mkdir /usr/local/etc/openvpn/keys
The example directory listing below is for the mnt mount point that contains stored AirVPN files and IPFW firewall rules. The next few commands reference these locations and files. You will need to adapt these to your specific setup.
Copy across the AirVPN configuration file making sure to rename it openvpn.conf. For example:
cp /mnt/scripts/AirVPN/AirVPN_Europe_UDP-443.ovpn /usr/local/etc/openvpn/openvpn.conf
Next, copy over the AirVPN certificates and keys. For example:
cp /mnt/scripts/AirVPN/keys/*.* /usr/local/etc/openvpn/keys
Now edit openvpn.conf and make sure the paths to the certificates and keys are correct. For example:
ca "/usr/local/etc/openvpn/keys/ca.crt"
cert "/usr/local/etc/openvpn/keys/user.crt"
key "/usr/local/etc/openvpn/keys/user.key"
tls-auth "/usr/local/etc/openvpn/keys/ta.key" 1
Save and exit the editor to return to the command prompt.
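A wrong path in the ca, cert, key or tls-auth lines is one reason OpenVPN fails to come up after this step, so it is worth checking the config before starting the service. The script below is an added example and not part of the original post: it pulls those four directives out of an OpenVPN client config and reports any referenced file that does not exist. The function names and the fixture built under a temporary directory are assumptions for illustration; on the jail you would simply run openvpn_check_paths /usr/local/etc/openvpn/openvpn.conf.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check that every
# certificate/key path referenced in an OpenVPN client config exists.
# Assumed: the config uses the one-argument "ca", "cert", "key" directives and
# the two-argument "tls-auth <file> <direction>" form shown in the post, and
# the paths contain no spaces.

# Print the file path from one directive line, stripping optional quotes.
# Usage: openvpn_path_of 'cert "/usr/local/etc/openvpn/keys/user.crt"'
openvpn_path_of() {
    printf '%s\n' "$1" | awk '{ gsub(/"/, "", $2); print $2 }'
}

# Check every ca/cert/key/tls-auth path in the config file given as $1.
# Returns 0 if all referenced files are readable, 1 otherwise, and lists the
# missing ones on stderr.
openvpn_check_paths() {
    conf="$1"
    missing=0
    while IFS= read -r line; do
        case "$line" in
            "ca "*|"cert "*|"key "*|"tls-auth "*)
                p=$(openvpn_path_of "$line")
                if [ ! -r "$p" ]; then
                    echo "missing: $p (from: $line)" >&2
                    missing=$((missing + 1))
                fi
                ;;
        esac
    done < "$conf"
    [ "$missing" -eq 0 ]
}

# Demonstration on a constructed fixture (hypothetical files, not real keys):
# a config whose four referenced files exist, then the same config after
# ta.key has been deleted. Returns 0 only if both cases behave as expected.
openvpn_check_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/keys"
    for f in ca.crt user.crt user.key ta.key; do : > "$d/keys/$f"; done
    cat > "$d/openvpn.conf" <<EOF
client
dev tun
ca "$d/keys/ca.crt"
cert "$d/keys/user.crt"
key "$d/keys/user.key"
tls-auth "$d/keys/ta.key" 1
EOF
    # all four files present: the check must pass
    openvpn_check_paths "$d/openvpn.conf" || { rm -rf "$d"; return 1; }
    rm "$d/keys/ta.key"
    # one file gone: the check must fail
    if openvpn_check_paths "$d/openvpn.conf" 2>/dev/null; then rm -rf "$d"; return 1; fi
    rm -rf "$d"
    return 0
}
```

Running openvpn_check_paths against the real openvpn.conf before service openvpn start turns a vague connection failure into a message naming the exact path that is wrong.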
Step 6: Test OpenVPN
Check that the wget command below returns your internet gateway’s external IP address:
wget http://ipinfo.io/IP -qO -
Start OpenVPN:
service openvpn start
Wait a minute or so (don’t be impatient!) and then repeat the wget command. Confirm that it now returns your VPN IP.
Step 7: Configure the IPFW killswitch
Execute the command below.
ifconfig
It should show a tun device, which is the VPN tunnel. Make a note of the device id.
Copy across the file with the firewall rules. For example:
cp /mnt/scripts/ipfw.rules /usr/local/etc
The contents of ipfw.rules:
#!/bin/bash
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun2"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
$cmd 00101 allow all from me to 10.1.1.0/24 uid transmission
$cmd 00102 allow all from 10.1.1.0/24 to me uid transmission
$cmd 00103 deny all from any to any uid transmission
Change the parameter vpn to the device id you made a note of. Change 10.1.1.0/24 to match the network prefix of your own LAN.
Step 8: Test the IPFW killswitch
Start the firewall:
service ipfw start
Make sure the firewall has loaded the firewall rules above.
ipfw list
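Two things in Step 7 and Step 8 are easy to get wrong by hand: the tun device name and LAN prefix written into ipfw.rules, and whether the final deny rule for uid transmission actually made it into the running rule set. The script below is an added example, not code from the original post. gen_killswitch_rules emits the same rule set as ipfw.rules for a given tun device and LAN prefix and refuses an empty or malformed value so that a typo cannot silently produce a rule set other than the one intended; check_killswitch_loaded reads the output of ipfw list and confirms that the allow-via-tun rule and a later catch-all deny for uid transmission are both present. The helper names and the ipfw list output inside killswitch_demo are assumptions, constructed for the example rather than captured from a real system; on the jail you would run ipfw list | check_killswitch_loaded tun2.

```shell
#!/bin/sh
# Added example (not from the original post). Rule numbers, the transmission
# uid and the rule bodies follow the post's ipfw.rules; helper names are
# assumptions.

# Emit the killswitch rules for tun device $1 and LAN prefix $2 (CIDR).
# Fails without output if either argument looks wrong, so an empty or
# mistyped value never reaches ipfw.
gen_killswitch_rules() {
    vpn="$1"; lan="$2"
    case "$vpn" in
        tun[0-9]|tun[0-9][0-9]) ;;
        *) echo "bad tun device: '$vpn'" >&2; return 1 ;;
    esac
    case "$lan" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;   # basic a.b.c.d/n sanity check only
        *) echo "bad LAN prefix: '$lan'" >&2; return 1 ;;
    esac
    cat <<EOF
ipfw -q -f flush
ipfw -q add 00001 allow all from any to any via lo0
ipfw -q add 00010 allow all from any to any via $vpn
ipfw -q add 00101 allow all from me to $lan uid transmission
ipfw -q add 00102 allow all from $lan to me uid transmission
ipfw -q add 00103 deny all from any to any uid transmission
EOF
}

# Read `ipfw list` output on stdin and return 0 only if there is an allow rule
# for traffic via tun device $1 and, with a higher rule number, a catch-all
# deny for uid transmission. The protocol column is accepted as "ip" or "all".
check_killswitch_loaded() {
    vpn="$1"
    awk -v vpn="$vpn" '
        $2 == "allow" && $3 ~ /^(ip|all)$/ && / from any to any via / && $NF == vpn { allow = $1 + 0 }
        $2 == "deny"  && $3 ~ /^(ip|all)$/ && / from any to any uid transmission$/ { deny = $1 + 0 }
        END { exit !(allow > 0 && deny > allow) }
    '
}

# Demonstration on constructed `ipfw list` output (not captured from a real
# system): a correct load, then a load where the deny rule is missing.
killswitch_demo() {
    good='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun2
00101 allow ip from me to 10.1.1.0/24 uid transmission
00102 allow ip from 10.1.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 deny ip from any to any'
    bad='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun2
65535 deny ip from any to any'
    printf '%s\n' "$good" | check_killswitch_loaded tun2 || return 1   # correct load passes
    printf '%s\n' "$good" | check_killswitch_loaded tun3 && return 1   # wrong device fails
    printf '%s\n' "$bad"  | check_killswitch_loaded tun2 && return 1   # missing deny fails
    gen_killswitch_rules tun2 10.1.1.0/24 >/dev/null || return 1       # valid input accepted
    gen_killswitch_rules "" 10.1.1.0/24 2>/dev/null && return 1        # empty device refused
    return 0
}
```

The ordering check matters because ipfw evaluates rules in number order: the deny for uid transmission must come after the allow via the tun device, otherwise nothing from Transmission gets out even with the VPN up.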
Restart the Transmission plug-in.
Plugins ⇒ transmission ⇒ Restart
Shell back into the Transmission jail:
Jails ⇒ transmission ⇒ Shell
Test the firewall by downloading a large torrent (I used an Ubuntu torrent) and stopping the OpenVPN service during the download.
service openvpn stop
If the firewall is working, downloading should stop. Once it does, start OpenVPN again and downloading should resume.
service openvpn start
Step 9: Housekeeping
At some point, after you’re satisfied that Transmission is operating correctly under the modern UI, remember to delete the legacy Transmission plugin.
Hi! Thanks for the guide. Unfortunately, in FreeNAS 11.3, even using your workaround as an init command and setting allow_tun in the GUI, when starting OpenVPN I get this error: ‘Cannot allocate TUN/TAP dev dynamically’. Any idea how to fix?
There are several possible reasons for this. The blog isn’t really an appropriate medium for interactive debugging. Please post your issue on the FreeNAS Community Forum https://www.ixsystems.com/community/. Forum members, including myself, will be happy to help you out there.
I solved it in an ugly but working way, editing the openvpn conf and changing “dev tun” to “dev tun2”.
And then I added a line to manually create the tun interface (ifconfig tun2 create) in the starting script /usr/local/etc/rc.d/openvpn
Hope this can help other people
To check the public IP address, “curl ifconfig.io” has a simpler syntax than “wget http://ipinfo.io/IP -qO -”.
Thanks for this blog and these instructions.
I appreciate the feedback Omid. Great suggestion! I’ll get it on my to-do list to update the post and include it.
Hi,
Great guide – many thanks, works great!
I don’t know if it’s because my NICs are aggregated, but I found that when I stopped the VPN and restarted, the download did not recommence. It transpired that this was due to having the ‘default_vnet_interface’ set to ‘auto’ as opposed to selecting my lagg link specifically (which I’d assumed it would do).
Hello.
Thank you for this article which finally allowed me to configure my transmission via openvpn after a Hadopi alert.
However I was wondering if there was a way to open a share port?
I opened a port in airvpn then in transmission but it remains “closed”.
I did not succeed despite having followed several tutorials and I am afraid of breaking the security of the “killswitch”.
Thank you.
Sorry, I don’t quite understand what you mean by a ‘share port’? Can you explain what it is you’re trying to achieve?
Hi, I’ve used your guide successfully with PIA VPN instead of AirVPN. PIA now also supports the WireGuard protocol, which should work faster than OpenVPN. Is there any chance you could do a write-up on how to use WireGuard instead of OpenVPN?
Thanks Bert. WireGuard is on my to-do list.