Intended Audience
This post may be of interest if you are setting up Transmission, not using the supplied plugin, but in a jail under FreeNAS 11.3.
Assumptions
- The reader has a working knowledge of FreeNAS.
- AirVPN is the reader’s VPN service provider.
Background
There are several limitations of setting up Transmission using the plugin:
- Plugin jails are not designed to be tampered with, so OpenVPN and the IPFW killswitch are likely to break whenever the plugin is updated.
- Certain directories of interest that contain torrent and configuration files are stored within the plugin jail. It would be better to have these stored outside the jail. This makes it easier to restore Transmission in the event the jail is hosed.
- Upgrading a Transmission plugin jail with OpenVPN included is not straightforward. In an iocage jail, upgrading the packages is relatively straightforward.
At the time of writing this, I am working with FreeNAS 11.3-U1 and Transmission 2.94_3.
Overview
The approach I’ve adopted is to do as many of the steps through the GUI and jail Shell rather than use iocage commands. The former approach is more visual, while the latter approach is quicker if you’re comfortable using the command line.
The key steps for the set-up are:
- Expose tun devices
- Create and configure the Transmission jail
- Install required packages in the jail
- Set up additional storage points.
- Configure jail startup
- Configure and test Transmission
- Configure and test OpenVPN
- Configure and test the IPFW killswitch
- Housekeeping
Step 1: Expose tun devices
This is the first gotcha. By default, FreeNAS 11.3 limits the devices jails can access in the host system. To allow jails to access tun devices, include the following pre-init task and reboot the server to allow the rule to take effect.
Tasks ⇒ Init/Shutdown Scripts ⇒ Add
devfs rule -s 4 add path 'tun*' unhide
Step 2: Create and configure the Transmission jail.
Edit the jail after it’s created and make sure to check the following items:
Under Basic Properties:
Under Custom Properties:
Don’t forget to save these settings, then start the jail.
Jails ⇒ transmission ⇒ Start
Step 3: Install required packages in the jail
I’ll be installing the following packages in the Transmission jail.
- Transmission – My preferred BitTorrent client.
- OpenVPN – As a client to my VPN service provider AirVPN.
- Bash – As the preferred command shell.
- Nano – As my preferred text editor.
- Wget – Used for testing the VPN.
Shell into the jail:
Jails ⇒ transmission ⇒ Shell
Next, install the required packages:
pkg install transmission openvpn bash nano wget
Step 4: Set up additional storage points.
I’ve chosen to give the Transmission jail access to two areas outside the jail in the FreeNAS system. These areas are for:
- Downloaded files; and
- Configuration files
Create the configuration directory.
mkdir /config
I’ve chosen to place downloaded files in /media.
Next, we have to map these directories to locations outside the jail. Stop the jail first:
Jails ⇒ transmission ⇒ Stop
Additional storage outside the jail is set up using mount points:
Jails ⇒ transmission ⇒ Mount points ⇒ Actions ⇒ Add
An example mapping is shown below.
TIP: When setting up the external locations, make sure that Transmission (UID/GID 921) is the owner of the nested datasets (first two lines in the image above).
Note (in the third line) that I’ve also given the Transmission jail temporary access to the location where my AirVPN configuration files are kept.
Having set up the mount points, start the jail again.
Jails ⇒ transmission ⇒ Start
Shell into the jail:
Jails ⇒ transmission ⇒ Shell
Create the Transmission configuration directory.
mkdir /config/transmission-home
Step 5: Configure jail startup
Edit the jail startup file.
nano /etc/rc.conf
Add the following lines so OpenVPN and the IP FireWall (IPFW) start, and use the /config directory when the jail starts.
openvpn_enable="YES"
openvpn_dir="/config"
openvpn_configfile="/config/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/config/ipfw.rules"
Next, add the following lines for Transmission. Recall, I’ve chosen to place the Transmission configuration and torrent files in /mnt, and downloaded files in /media.
transmission_enable="YES"
transmission_conf_dir="/config/transmission-home"
transmission_download_dir="/media"
Save and exit the editor to return to the command prompt.
Step 6: Configure and test Transmission
Start Transmission.
service transmission start
From a new browser window, attempt to access Transmission at <jail_IP>:9091. You should see the following error.
Stop Transmission.
service transmission stop
Edit the Transmission settings file.
nano /config/transmission-home/settings.json
Update rpc-whitelist to include the address of clients that should have access to the admin portal. I was happy for all clients on my local network to have access to the portal so this is what the amended entry looked like for me.
"rpc-whitelist": "127.0.0.1, 10.1.1.*",
Now save your changes and exit the editor.
Restart Transmission.
service transmission start
You should now be able to access Transmission from a browser window.
Step 7: Configure and test OpenVPN
Next, create the directories for the OpenVPN configuration file, certificates and keys.
mkdir -p /config/openvpn/keys
The example directory listing below is for the temporary net mount point that contains stored AirVPN files and IPFW firewall rules. The next few commands reference these locations and files. You will need to adapt these to your specific setup.
Copy across the AirVPN configuration file making sure to rename it openvpn.conf. For example:
cp /mnt/AirVPN/AirVPN_Europe_UDP-443.ovpn /config/openvpn/openvpn.conf
Next, copy over the AirVPN certificates and keys. For example:
cp /mnt/AirVPN/keys/*.* /config/openvpn/keys
Now, edit openvpn.conf.
nano /config/openvpn/openvpn.conf
Make sure the paths to the certificates and keys are correct. For example:
ca "/config/openvpn/keys/ca.crt"
cert "/config/openvpn/keys/user.crt"
key "/config/openvpn/keys/user.key"
tls-auth "/config/openvpn/keys/ta.key" 1
Save and exit the editor to return to the command prompt.
Step 7 (continued): Test OpenVPN
Check that the wget command below returns your internet gateway’s external IP address:
wget http://ipinfo.io/ip -qO -
Start OpenVPN:
service openvpn start
Wait a minute or so (don’t be impatient!) and then repeat the wget command. Confirm that it now returns your VPN IP.
Step 8: Configure and test the IPFW killswitch
Execute the command below.
ifconfig
It should show a tun device, which is the VPN tunnel. Make a note of the device id.
Copy across the file with the firewall rules. For example:
cp /mnt/ipfw.rules /config
The contents of ipfw.rules:
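#!/bin/bash
# Start from an empty rule set.
ipfw -q -f flush
cmd="ipfw -q add"
# VPN tunnel device, as shown by ifconfig.
vpn="tun2"
# Allow loopback traffic and anything that goes through the tunnel.
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
# Let the transmission user talk to the local network (web interface).
$cmd 00101 allow all from me to 10.1.1.0/24 uid transmission
$cmd 00102 allow all from 10.1.1.0/24 to me uid transmission
# Killswitch: drop everything else owned by the transmission user.
$cmd 00103 deny all from any to any uid transmission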
Change the parameter vpn to use the device id you made a note of. Change the 10.1.1.0/24 to whatever your personal network is set up to.
Start the firewall:
service ipfw start
Make sure the firewall has loaded the firewall rules above.
ipfw list
Test the firewall by running a large torrent file (I used an Ubuntu torrent), and stopping the OpenVPN service during the download.
service openvpn stop
If the firewall is working, downloading should stop. Once it does, start OpenVPN again and downloading should resume.
service openvpn start
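A static check to go with the download test above, as an added example that is not part of the original post: it reads `ipfw list` output and confirms that the only allow rules ahead of the deny for uid transmission are loopback, the tunnel device and the LAN. The function name audit_killswitch and the sample listing are constructed for illustration, and the listing assumes `ipfw list` prints the rules above in this form.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage inside the jail: ipfw list | audit_killswitch tun2 10.1.1.0/24
# Returns 0 when the rules match the killswitch layout, 1 otherwise.
audit_killswitch() {
    vpn_if="$1"   # tunnel device noted from ifconfig
    lan="$2"      # local network in CIDR form, as written in ipfw.rules
    awk -v vpn="$vpn_if" -v lan="$lan" '
    # The first deny for the transmission user ends the walk: rules after
    # it can no longer let that user out.
    $2 == "deny" && /uid transmission/ { deny = 1; exit }
    $2 == "allow" {
        if ($0 ~ / via lo0( |$)/) next                      # loopback
        if ($0 ~ (" via " vpn "( |$)")) { tunnel = 1; next } # VPN tunnel
        if (/uid transmission/ && index($0, lan)) next      # LAN only
        printf "UNEXPECTED: rule %s sits before the deny: %s\n", $1, $0
        bad = 1
    }
    END {
        if (!tunnel) { print "FAIL: no allow rule via " vpn; bad = 1 }
        if (!deny)   { print "FAIL: no deny rule for uid transmission"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: assumed `ipfw list` output for the rules file above.
SAMPLE_RULES='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun2
00101 allow ip from me to 10.1.1.0/24 uid transmission
00102 allow ip from 10.1.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 deny ip from any to any'

printf '%s\n' "$SAMPLE_RULES" | audit_killswitch tun2 10.1.1.0/24 \
    && echo "killswitch rules match the expected layout"
```

A failure for the tunnel device means the vpn value in ipfw.rules no longer matches the device OpenVPN is using, in which case the deny rule blocks Transmission entirely until the file is corrected.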
Step 9: Housekeeping
Stop the jail.
Jails ⇒ transmission ⇒ Stop
Remove the temporary mount point.
Jails ⇒ transmission ⇒ Mount Points
Restart the jail.
Jails ⇒ transmission ⇒ Start
Happy torrenting!
Quick one: when you say “Change the 10.1.1.0/24 to whatever your personal network is set up to.”, what IP is this set to, the jail or FreeNAS?
Neither. .0 refers to your network address; .255 refers to your network broadcast address. So, for instance, if your PC IP address is 192.168.1.123, your network address is 192.168.1.0. That refers to the network your LAN devices reside in.
I have tried setting the IP to the same as that of Transmission, including port, but no matter what, when I start the ipfw service, after a while Transmission is not available; however, there is no issue when ipfw is stopped. Any ideas?
See the previous comment.