FreeNAS 11.3 + Transmission Jail + OpenVPN + AirVPN + IPFW Killswitch

Intended Audience

This post may be of interest if you are setting up Transmission, not using the supplied plugin, but in a jail under FreeNAS 11.3.

Assumptions

  1. The reader has a working knowledge of FreeNAS.
  2. AirVPN is the reader’s VPN service provider.

Background

There are several limitations of setting up Transmission using the plugin:

  1. Plugin jails are not designed to be tampered with, so OpenVPN and the IPFW killswitch are likely to break whenever the plugin is updated.
  2. Certain directories of interest that contain torrent and configuration files are stored within the plugin jail. It would be better to have these stored outside the jail. This makes it easier to restore Transmission in the event the jail is hosed.
  3. Upgrading a Transmission plugin jail with OpenVPN included is not straightforward. In an iocage jail, upgrading the packages is relatively straightforward.

At the time of writing this, I am working with FreeNAS 11.3-U1 and Transmission 2.94_3.

Overview

The approach I’ve adopted is to do as many of the steps as possible through the GUI and jail Shell rather than with iocage commands. The former approach is more visual, while the latter is quicker if you’re comfortable using the command line.

The key steps for the set-up are:

  1. Expose tun devices
  2. Create and configure the Transmission jail
  3. Install required packages in the jail
  4. Set up additional storage points.
  5. Configure jail startup
  6. Configure and test Transmission
  7. Configure and test OpenVPN
  8. Configure and test the IPFW killswitch
  9. Housekeeping

Step 1: Expose tun devices

This is the first gotcha. By default, FreeNAS 11.3 limits the devices jails can access in the host system. To allow jails to access tun devices, include the following pre-init task and reboot the server to allow the rule to take effect.

Tasks ⇒ Init/Shutdown Scripts ⇒ Add

devfs rule -s 4 add path 'tun*' unhide

screenshot.93.png

Step 2: Create and configure the Transmission jail.

screenshot.178.png

screenshot.179.png

screenshot.193.png

Edit the jail after it’s created and make sure to check the following items:

Under Basic Properties:

screenshot.183.png

Under Custom Properties:

screenshot.182.png

Don’t forget to save these settings, then start the jail.

Jails ⇒ transmission ⇒ Start

Step 3: Install required packages in the jail

I’ll be installing the following packages in the Transmission jail.

  1. Transmission – My preferred BitTorrent client.
  2. OpenVPN – As a client to my VPN service provider AirVPN.
  3. Bash – As the preferred command shell.
  4. Nano – As my preferred text editor.
  5. Wget – Used for testing the VPN.

Shell into the jail:

Jails ⇒ transmission ⇒ Shell

Next, install the required packages:

pkg install transmission openvpn bash nano wget

Step 4: Set up additional storage points.

I’ve chosen to give the Transmission jail access to two areas outside the jail in the FreeNAS system. These areas are for:

  1. Downloaded files; and
  2. Configuration files

Create the configuration directory.

mkdir /config

I’ve chosen to place downloaded files in /media.

Next, we have to map these directories to locations outside the jail. Stop the jail first:

Jails ⇒ transmission ⇒ Stop

Additional storage outside the jail is set up using mount points:

Jails ⇒ transmission ⇒ Mount points ⇒ Actions ⇒ Add

An example mapping is shown below.

screenshot.194.png

TIP: When setting up the external locations, make sure that Transmission (UID/GID 921) is the owner of the nested datasets (first two lines in the image above).

Note (in the third line) that I’ve also given the Transmission jail temporary access to the location where my AirVPN configuration files are kept.

Having set up the mount points, start the jail again.

Jails ⇒ transmission ⇒ Start

Shell into the jail:

Jails ⇒ transmission ⇒ Shell

Create the Transmission configuration directory.

mkdir /config/transmission-home

Step 5: Configure jail startup

Edit the jail startup file.

nano /etc/rc.conf

Add the following lines so OpenVPN and the IP FireWall (IPFW) start, and use the /config directory when the jail starts.

openvpn_enable="YES"
openvpn_dir="/config"
openvpn_configfile="/config/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/config/ipfw.rules"

Next, add the following lines for Transmission. Recall that I’ve chosen to place the Transmission configuration and torrent files in /config, and downloaded files in /media.

transmission_enable="YES"
transmission_conf_dir="/config/transmission-home"
transmission_download_dir="/media"

Save and exit the editor to return to the command prompt.

Step 6: Configure and test Transmission

Start Transmission.

service transmission start

From a new browser window, attempt to access Transmission at <jail_IP>:9091. You should see the following error.

screenshot.190.png

Stop Transmission.

service transmission stop

Edit the Transmission settings file.

nano /config/transmission-home/settings.json

Update rpc-whitelist to include the address of clients that should have access to the admin portal. I was happy for all clients on my local network to have access to the portal so this is what the amended entry looked like for me.

"rpc-whitelist": "127.0.0.1, 10.1.1.*",

Now save your changes and exit the editor.

Restart Transmission.

service transmission start

You should now be able to access Transmission from a browser window.

screenshot.191.png

Step 7: Configure and test OpenVPN

Next, create the directories for the OpenVPN configuration file, certificates and keys.

mkdir -p /config/openvpn/keys

The example directory listing below is for the temporary mount point (/mnt in the jail) that contains the stored AirVPN files and IPFW firewall rules. The next few commands reference these locations and files. You will need to adapt these to your specific setup.

screenshot.195.png

Copy across the AirVPN configuration file making sure to rename it openvpn.conf. For example:

cp /mnt/AirVPN/AirVPN_Europe_UDP-443.ovpn /config/openvpn/openvpn.conf

Next, copy over the AirVPN certificates and keys. For example:

cp /mnt/AirVPN/keys/*.* /config/openvpn/keys

Now, edit openvpn.conf.

nano /config/openvpn/openvpn.conf

Make sure the paths to the certificates and keys are correct. For example:

ca "/config/openvpn/keys/ca.crt"
cert "/config/openvpn/keys/user.crt"
key "/config/openvpn/keys/user.key"
tls-auth "/config/openvpn/keys/ta.key" 1

Save and exit the editor to return to the command prompt.

Step 7 (continued): Test OpenVPN

Check that the wget command below returns your internet gateway’s external IP address:

wget http://ipinfo.io/ip -qO -

Start OpenVPN:

service openvpn start

Wait a minute or so (don’t be impatient!) and then repeat the wget command. Confirm that it now returns your VPN IP.

Step 8: Configure and test the IPFW killswitch

Execute the command below.

ifconfig

It should show a tun device, which is the VPN tunnel. Make a note of the device id.

Copy across the file with the firewall rules. For example:

cp /mnt/ipfw.rules /config

The contents of ipfw.rules:

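#!/bin/sh
# Flush any existing rules.
ipfw -q -f flush
cmd="ipfw -q add"
# VPN tunnel device noted from ifconfig.
vpn="tun2"
# Allow loopback and anything that goes through the VPN tunnel.
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
# Allow the transmission user to talk to the local network (web UI).
$cmd 00101 allow all from me to 10.1.1.0/24 uid transmission
$cmd 00102 allow all from 10.1.1.0/24 to me uid transmission
# Killswitch: drop all other traffic owned by the transmission user.
$cmd 00103 deny all from any to any uid transmission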

Change the parameter vpn to use the device id you made a note of. Change the 10.1.1.0/24 to whatever your personal network is set up to.

Start the firewall:

service ipfw start

Make sure the firewall has loaded the firewall rules above.

ipfw list

Test the firewall by running a large torrent file (I used an Ubuntu torrent), and stopping the OpenVPN service during the download.

service openvpn stop

If the firewall is working, downloading should stop. Once it does, start OpenVPN again and downloading should resume.

service openvpn start
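
The following is an added example, not part of the original post: a POSIX sh function that audits ipfw list output for the ruleset above. It flags a tun device named in the rules that is not a current interface, a missing deny rule for the transmission user, and any unscoped allow that sits ahead of that deny. The function name audit_killswitch and the sample ipfw list output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the killswitch rules.
# In the jail: ipfw list | audit_killswitch transmission "$(ifconfig -l)"

# Constructed sample of `ipfw list` output for the ruleset in this post.
SAMPLE_RULES='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun2
00101 allow ip from me to 10.1.1.0/24 uid transmission
00102 allow ip from 10.1.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 allow ip from any to any'

# audit_killswitch USER "IFACE LIST" < rules  (hypothetical helper name)
# Prints one finding per line; returns 0 only when nothing is found.
audit_killswitch() {
    awk -v uid="$1" -v ifaces=" $2 " '
    function flag(msg) { print msg; bad = 1 }
    {
        via = ""
        for (i = 1; i < NF; i++) if ($i == "via") via = $(i + 1)
        # The catch-all deny for the user: later rules cannot leak its traffic.
        if ($2 == "deny" && $0 ~ ("from any to any uid " uid "( |$)")) {
            deny = 1; next
        }
        if ($2 != "allow" || deny) next
        if (via ~ /^tun/) {
            tun = via
            # A stale tun number fails closed: the user loses all WAN access.
            if (index(ifaces, " " via " ") == 0)
                flag("rule " $1 ": " via " is not a current interface")
        } else if (via == "" && $0 ~ /from any to any/) {
            flag("rule " $1 ": unscoped allow before the deny leaks traffic")
        }
    }
    END {
        if (!deny) flag("no deny rule for uid " uid)
        if (tun == "") flag("no allow rule bound to a tun interface")
        exit bad + 0
    }'
}
```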

Step 9: Housekeeping

Stop the jail.

Jails ⇒ transmission ⇒ Stop

Remove the temporary mount point.

Jails ⇒ transmission ⇒ Mount Points

screenshot.196.png

Restart the jail.

Jails ⇒ transmission ⇒ Start

Happy torrenting!


4 thoughts on “FreeNAS 11.3 + Transmission Jail + OpenVPN + AirVPN + IPFW Killswitch”

  1. Quick one, when you say “Change the 10.1.1.0/24 to whatever your personal network is set up to.” what ip is this set to, the jail or freenas?

    1. Neither. .0 refers to your network address; .255 refers to your network broadcast address. So, for instance, if your PC IP address is 192.168.1.123, your network address is 192.168.1.0. That refers to the network your LAN devices reside in.

  2. I have tried setting the ip to the same as that of transmission including port, but no matter what when I start the ipfw service after a while transmission is not available, however there is no issue when ipfw is stopped. Any ideas?
