GUIDE: Setting up Transmission with OpenVPN and PIA

Wisdom

Explorer
Joined
Oct 15, 2016
Messages
71
That's good to hear. Try using where bash to see where it is located.

Code:
root@transmission_1:/ # where bash
/usr/local/bin/bash
/usr/local/bin/bash
root@transmission_1:/ #


No rush - I appreciate that you're helping, let alone so quickly.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
I have run my script for port forward and it seems to be fine. Not sure exactly why yours is not working; still looking. Anyone else have an idea about his error?


denist

Try running it via bash /port_forward.sh


denist

Sometimes it would give me an error running it via ./


denist

Code:
root@transmission_1:/ # where bash
/usr/local/bin/bash
/usr/local/bin/bash
root@transmission_1:/ #


No rush - I appreciate that you're helping, let alone so quickly.
Try this script first to see if it will port forward. Save it as port_forward.sh

Code:
#! /usr/local/bin/bash
#
# Enable port forwarding
#
# Requirements:
# your Private Internet Access user and password as arguments
#
# Usage:
# ./port_forward.sh <user> <password>

error( )
{
 echo "$@" 1>&2
 exit 1
}

error_and_usage( )
{
 echo "$@" 1>&2
 usage_and_exit 1
}

usage( )
{
 echo "Usage: `dirname $0`/$PROGRAM <user> <password>"
}

usage_and_exit( )
{
 usage
 exit $1
}

version( )
{
 echo "$PROGRAM version $VERSION"
}


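port_forward_assignment( )
{
 echo 'Loading port forward assignment information..'
 if [ "$(uname)" == "Linux" ]; then
	local_ip=`ifconfig tun0|grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+"|tr -d "a-z :"|tee /tmp/vpn_ip`
	client_id=`head -n 100 /dev/urandom | md5sum | tr -d " -"`
 fi
 if [ "$(uname)" == "FreeBSD" ]; then
	# Quote the single-space delimiter; the pasted form "-d\ -f2" reaches cut as one word.
	local_ip=`ifconfig tun0 | grep "inet " | cut -d ' ' -f2|tee /tmp/vpn_ip`
	client_id=`head -n 100 /dev/urandom | md5 -r | tr -d " -"`
 fi
 # No address on tun0 means the tunnel is down, so there is nothing to forward.
 [ -n "$local_ip" ] || error "No address found on tun0; is openvpn running?"
 # The PIA user and password travel in this POST, so certificate verification
 # stays on (--no-check-certificate removed); the jail needs a CA bundle installed.
 json=`wget -q --post-data="user=$USER&pass=$PASSWORD&client_id=$client_id&local_ip=$local_ip" -O - 'https://www.privateinternetaccess.com/vpninfo/port_forward_assignment' | head -1`
 echo "$json"
 PORTNUM=`echo "$json" | grep -oE "[0-9]+"`
}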

EXITCODE=0
PROGRAM=`basename $0`
VERSION=1.0
USER=$1
PASSWORD=$2

while test $# -lt 2
do
 case $1 in
 --usage | --help | -h )
	usage_and_exit 0
	;;
 --version | -v )
	version
	exit 0
	;;
 *)
	error_and_usage "Unrecognized option: $1"
	;;
 esac
 shift
done

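port_forward_assignment

# Only reconfigure Transmission when a port number actually came back.
[ -n "$PORTNUM" ] || error "No port number in response: $json"
transmission-remote -p "$PORTNUM"

exit 0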


Then run the chmod

Code:
chmod +x port_forward.sh


Now run it with the command below to see if it will forward. This is how I tested first before I went with the other script.

Code:
./port_forward.sh <user> <password>


The user and password need to be the PIA ones, so like this:

./port_forward.sh p123456 1234560
 

Wisdom

I seem to be moving backwards a little.

After starting off with
Code:
bash /port_forward.sh

I was getting
Code:
root@transmission_1:/ # bash /port_forward.sh
Transmission Port Forward 2017-01-20-13:25:02
nc: getaddrinfo: hostname nor servname provided, or not known
VPN connection down. Exiting.
root@transmission_1:/ #


Poking through the logs in the GUI, I found an event that happened just before I started trying to work on this, two lines as follows:

Code:
kernel: tun0: link state changed to DOWN
kernel: tun0: link state changed to DOWN


I've searched around the forum and haven't encountered a way to kick start the link. From what testing I have done, I can ping some domains from FreeNAS (google.com works fine, but something like https://www.google.com does not), and I cannot ping _anything_ from inside the transmission jail.
Code:
root@transmission_1:/ # ping google.com
ping: cannot resolve google.com: Host name lookup failure
root@transmission_1:/ #


Code:
root@transmission_1:/ # ifconfig tun0
ifconfig: interface tun0 does not exist
root@transmission_1:/ #


So yeah. I would love to run the script that you provided, but it doesn't seem like it will do much since I can't reach the outside internet at all right now. The CheckMyIP torrent can't reach its trackers or anything, so as far as I can tell everything has ground to a halt.
 

denist

It looks like either tun0, which is openvpn, is down or the firewall is blocking everything. First, I think you need to remove the cron pia.py script from running.

Shut down ipfw with

Code:
service ipfw stop


Then I would shut down openvpn and restart with

Code:
service openvpn stop
service openvpn start


and see if you can access the internet.
 

Wisdom

#Stop cron pia.py: check
#Stop ipfw: check
#stop openvpn: check
#start openvpn:

Code:
root@transmission_1:/ # service openvpn start
/usr/local/etc/rc.d/openvpn: WARNING: /usr/local/etc/openvpn/openvpn.conf is not readable.
/usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn
root@transmission_1:/ #

Hmm. Well that's not right.
So when I check inside etc/rc.conf I see this (snippet):
Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/Switzerland.ovpn"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Does this need to be in there twice? I don't know. In the very original version of rc.conf, the first openvpn_configfile pointed to openvpn.conf, rather than Switzerland.ovpn. I had switched them, under the impression that perhaps only the first configfile was being referenced, but that is not the case. If I check inside /usr/local/etc/openvpn/, I get the following:

Code:
root@transmission_1:/usr/local/etc/openvpn # ls
AU_Melbourne.ovpn  Italy.ovpn  US_California.ovpn
AU_Sydney.ovpn  Japan.ovpn  US_Chicago.ovpn
Brazil.ovpn  Mexico.ovpn  US_East.ovpn
CA_Montreal.ovpn  Netherlands.ovpn  US_Florida.ovpn
CA_Toronto.ovpn  New_Zealand.ovpn  US_Midwest.ovpn
Denmark.ovpn  Norway.ovpn  US_New_York_City.ovpn
Finland.ovpn  Romania.ovpn  US_Seattle.ovpn
France.ovpn  Singapore.ovpn  US_Silicon_Valley.ovpn
Germany.ovpn  Sweden.ovpn  US_Texas.ovpn
Hong_Kong.ovpn  Switzerland.ovpn  US_West.ovpn
India.ovpn  Turkey.ovpn  ca.rsa.2048.crt
Ireland.ovpn  UK_London.ovpn  crl.rsa.2048.pem
Israel.ovpn  UK_Southampton.ovpn  pass.txt
root@transmission_1:/usr/local/etc/openvpn #


openvpn.conf is notoriously absent. I poked around a little, particularly in the documentation you made available a couple of pages ago, and the only references I found in there indicated that openvpn.conf should be a duplicated version of whatever service I want to tunnel through (in this case, Switzerland.ovpn).

Since it _seems_ like these two things are supposed to be duplicates of each other, I went ahead and removed the latter set of commands (those which point to the missing openvpn.conf file). Running through the checklist again, I get the following:
Code:
root@transmission_1:/ # service openvpn start
Starting openvpn.


So it seems like everything is okay. I was able to ping out to google. However, it seems like (unless I'm missing something), I've basically pulled down my firewall in order to do it - which seems like something I would like to avoid. Is this the case, or does restarting openvpn also pull up the firewall along the way? As I recall, there is a bit in rc.conf about specifying the firewall rules, but I'm not sure if that actually restarts ipfw all the way or not, definitely a lack of understanding on my part.

EDIT:
I take it back, I'm now able to get through. Still curious about the ipfw situation, but at least things work: I'm getting through to the larger internet through PIA, just like before. I'll restart the cron job and see what happens.

Previously: Either way, I'm able to ping out, but CheckMyIp via transmission still isn't able to see out to the larger internet. So my torrents have stalled out completely.
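
The rc.conf question in the post above (two openvpn_configfile lines, and which one the rc script actually reads) can be checked mechanically: rc.conf is sourced as a shell file, so the last assignment of a variable wins. This is an added Python 3 example, not part of the original posts; the function names are hypothetical and the sample data is constructed from the snippets quoted in the post.

```python
import re
from collections import OrderedDict

# Constructed sample: the rc.conf snippet quoted in the post.
SAMPLE_RC_CONF = '''\
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/Switzerland.ovpn"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
'''

# Constructed subset of the directory listing in the post (there is no openvpn.conf).
SAMPLE_FILES = {"Switzerland.ovpn", "ca.rsa.2048.crt", "crl.rsa.2048.pem", "pass.txt"}

ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$')


def parse_rc_conf(text):
    """Return {key: [(line_no, value), ...]} in file order, skipping comments."""
    seen = OrderedDict()
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue
        m = ASSIGN.match(line)
        if m:
            key, raw = m.groups()
            seen.setdefault(key, []).append((n, raw.strip('"\'')))
    return seen


def effective(text):
    """rc.conf is sourced as shell, so the last assignment of each key wins."""
    return {key: hits[-1][1] for key, hits in parse_rc_conf(text).items()}


def conflicts(text):
    """Keys assigned differing values: (key, shadowed_values, effective_value)."""
    out = []
    for key, hits in parse_rc_conf(text).items():
        values = [value for _, value in hits]
        if len(set(values)) > 1:
            out.append((key, values[:-1], values[-1]))
    return out


def check_openvpn_config(text, files_in_dir):
    """Return (effective path, True if its basename is among files_in_dir)."""
    path = effective(text).get("openvpn_configfile")
    if path is None:
        return (None, False)
    return (path, path.rsplit('/', 1)[-1] in files_in_dir)


if __name__ == "__main__":
    for key, shadowed, winner in conflicts(SAMPLE_RC_CONF):
        print("%s: %s is shadowed by %s" % (key, shadowed, winner))
    print(check_openvpn_config(SAMPLE_RC_CONF, SAMPLE_FILES))
```

On the sample, the effective config file is the openvpn.conf path that does not exist in the listing, which matches the "is not readable" warning from the rc script.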
 

denist

There should only be one instance of the rc.conf


denist

Restarting openvpn will not start the firewall, but it will start if you do a reboot, as in the rc.conf file it is enabled and is pointing to the ipfw file. So you might want to change it to no for the ipfw in the config file. There is something wrong with the pia.py script, as it seems to be writing the file but you are not getting access once it writes the file. Can I see the file to see what is wrong? I will compare to mine.


Wisdom

There should only be one instance of the rc.conf

I only have one rc.conf. Within rc.conf I have two sections to specify a path to openvpn. I'm going to assume that's what you were getting at (and apologize for misunderstanding). I'm inclined to believe the path to Switzerland.ovpn is the one to keep.

There is something wrong with the pia.py script, as it seems to be writing the file but you are not getting access once it writes the file. Can I see the file to see what is wrong? I will compare to mine.

pia.py:
Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess


url = 'swiss.privateinternetaccess.com'

try:
  # Raise if it can't ping the server or openvpn isn't running
  subprocess.check_output(['service', 'openvpn', 'status'])
  subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
  pass
else:
  sys.exit()


hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 192.168.0.0/24 to 192.168.0.0/24 keep-state
'''

rule_number = 2001

for ip in ipaddrlist:
  content += '''
add {} allow ip from 192.168.0.0/24 to {} keep-state
add {} allow ip from {} to 192.168.0.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
  rule_number += 2

content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

# Stop ipfw
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])

f = open('/etc/ipfw_rules', 'w')
f.write(content)
f.close()

# Start ipfw
subprocess.call(['service', 'ipfw', 'start'])

# Check if running
if 'ipfw' in subprocess.check_output(['service', '-e']):
  subprocess.call(['service', 'openvpn', 'start'])

sys.exit()


For reference, my jail is located at 192.168.0.141, which is why I changed rule 1006, as specified in your guide.

It's the same as what you provided in your comprehensive download I was talking about earlier, I just fixed the line breaks I had issues with after copying the code over. I may have missed something, but I was able to run it just fine without it throwing errors once it was all put together (I think). Let me know if you can see something that's off!
 

denist

OK, I have tested your script and at first it locked me out of everything, just as you described. So I made a change: you need to add a number to the IP address 192.168.0.0; my network is 192.168.2.0. Once you do that the script will work. Look below.

Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess


url = 'swiss.privateinternetaccess.com'

try:
  # Raise if it can't ping the server or openvpn isn't running
  subprocess.check_output(['service', 'openvpn', 'status'])
  subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
  pass
else:
  sys.exit()


hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 192.168.2.0/24 to 192.168.2.0/24 keep-state
'''

rule_number = 2001

for ip in ipaddrlist:
  content += '''
add {} allow ip from 192.168.2.0/24 to {} keep-state
add {} allow ip from {} to 192.168.2.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
  rule_number += 2

content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

# Stop ipfw
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])

f = open('/etc/ipfw_rules', 'w')
f.write(content)
f.close()

# Start ipfw
subprocess.call(['service', 'ipfw', 'start'])

# Check if running
if 'ipfw' in subprocess.check_output(['service', '-e']):
  subprocess.call(['service', 'openvpn', 'start'])

sys.exit()
 

denist

I have updated my scripts with some changes; download here.

Changes are: the port_forwarding script now dynamically figures out your tunnel adapter, thanks to scharbag for providing the code.
The pia.py script can now be run in cron; figured out how to get it to run.


Enjoy
 

denist

I tried to run both scripts at @reboot with sleep 10, tried 20, 30 and so forth, and keep getting python2.7 not found/bash not found. So I left it at a 5 min interval for each. Can anyone shed light on why the script cannot find the commands when run at @reboot?
I will then update accordingly.

Thanx again to everyone.
 

Wisdom

I have updated my scripts with some changes; download here.

Changes are: the port_forwarding script now dynamically figures out your tunnel adapter, thanks to scharbag for providing the code.
The pia.py script can now be run in cron; figured out how to get it to run.

Thanks for the updates!

Using your updated port_forward.sh gave me the following, just like before:

Code:
root@transmission_1:/ # ./port_forward.sh
Transmission Port Forward 2017-01-24-22:11:16
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up
Closed port detected
cut: bad delimiter
Garbled data: null
root@transmission_1:/ #


Just as an update, I wanted to let you know - at this point I'm not broken up about being unable to get an open, forwarded port. I can download stuff through my VPN, and that's effective enough for now.

As you indicated, I left the ips for pia.py at 192.168.2.0, despite the ips of my jails/FreeNAS being in the 192.168.0.X range. After restarting the cron job that uses pia.py, I immediately got another notification, just like before:

Code:
ping: cannot resolve swiss.privateinternetaccess.com: Host name lookup failure
Traceback (most recent call last):
  File "/etc/pia.py", line 19, in <module>
	hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)
socket.gaierror: [Errno 8] hostname nor servname provided, or not known


I did manually start ipfw, just to see what was happening, and it gave me a pretty lengthy list. However, it did indicate (I think) that there is a healthy connection between the ip of my jail and the ip of my vpn. Despite this, my downloads immediately tanked and I'm in the process of getting things running again.
 

denist

Have you tried running it as bash port_forward.sh?


denist

So you are saying your network is, say, 192.168.0.253 and your jail IP is 192.168.0.250? Don't worry about the 253 and 250. When I used the 0 it tanked the whole FreeNAS network and blocked access to Sab, Transmission, Couch and Sick and the internet, until I put the 2 where the 0 was, as my network is 192.168.2.X.


Wisdom

Have you tried running it as bash port_forward.sh?

Same result as
Code:
./port_forward.sh


So you are saying your network is, say, 192.168.0.253 and your jail IP is 192.168.0.250? Don't worry about the 253 and 250. When I used the 0 it tanked the whole FreeNAS network and blocked access to Sab, Transmission, Couch and Sick and the internet, until I put the 2 where the 0 was, as my network is 192.168.2.X.

This was why I changed my pia.py to 192.168.0.0 initially. My jails are located in the 192.168.0.140-192.168.0.200 range, so I changed pia.py to 192.168.0.0.

I changed it again (I had moved things back to 192.168.2.0 at your suggestion earlier), to reflect your most recent post. I'll update if I get a whole flood of emails from cron again.
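
The posts above run into two failure modes of the firewall script: a LAN subnet in rule 01006 that does not contain the jail, and a DNS failure (the socket.gaierror traceback) while the rules are being rebuilt. This is an added Python 3 example, not the pia.py from the thread, that generates the same rule layout but validates the subnet first and keeps the existing rules file when resolution fails. The function names, the resolver parameter and the 203.0.113.x endpoint addresses are assumptions for illustration, and reloading ipfw afterwards is left to the caller.

```python
import ipaddress
import os
import socket
import tempfile


def resolve_endpoints(hostname, resolver=socket.gethostbyname_ex):
    """Return the sorted endpoint IPs, or [] if the name cannot be resolved."""
    try:
        return sorted(resolver(hostname)[2])
    except socket.gaierror:
        return []


def build_rules(lan_cidr, jail_ip, endpoints):
    """Same rule layout as pia.py, but refuse input that would lock the jail out."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    if ipaddress.ip_address(jail_ip) not in lan:
        raise ValueError("jail %s is not inside LAN %s" % (jail_ip, lan))
    if not endpoints:
        raise ValueError("no VPN endpoints resolved")
    lines = ["add 01006 allow ip from %s to %s keep-state" % (lan, lan)]
    number = 2001
    for ip in endpoints:
        ipaddress.ip_address(ip)  # ValueError unless this is an IP literal
        lines.append("add %d allow ip from %s to %s keep-state" % (number, lan, ip))
        lines.append("add %d allow ip from %s to %s keep-state" % (number + 1, ip, lan))
        number += 2
    lines += [
        "add 04000 allow ip from 127.0.0.1 to any",
        "add 05000 allow ip from 10.0.0.0/8 to any",
        "add 05002 allow ip from any to 10.0.0.0/8",
        "add 65534 deny ip from any to any",
    ]
    return "\n".join(lines) + "\n"


def write_atomically(path, content):
    """Write a temp file beside the target, then rename it into place."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)


def refresh(hostname, lan_cidr, jail_ip, path, resolver=socket.gethostbyname_ex):
    """Return True if new rules were written, False if the old file was kept."""
    try:
        rules = build_rules(lan_cidr, jail_ip, resolve_endpoints(hostname, resolver))
    except ValueError:
        return False
    write_atomically(path, rules)
    return True


if __name__ == "__main__":
    # Constructed input: documentation-range addresses stand in for VPN endpoints.
    print(build_rules("192.168.0.0/24", "192.168.0.141", ["203.0.113.10"]))
```

Because the rules file is replaced only after validation succeeds, a failed lookup leaves the previous ruleset on disk and nothing needs to be stopped or restarted.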
 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
I have updated my scripts with some changes; download here.

Changes are: the port_forwarding script now dynamically figures out your tunnel adapter, thanks to scharbag for providing the code.
The pia.py script can now be run in cron; figured out how to get it to run.


Enjoy
I have used your script and everything seems right, I get the correct VPN IP. But when I try downloading something through Transmission I get the message:
Code:
Permission denied (/media/Downloads/ubuntu-16.10-desktop-amd64.iso)

It stops at around 1-2% downloaded.

Running ./port_forward gives me the following:

Code:
Transmission Port Forward 2017-03-05-18:56:59
Connection to google.com 80 port [tcp/http] succeeded!
VPN connection up
Open port detected


Checking open ports in transmission tells me the ports are open.
What am I doing wrong here?
 

denist

It looks like you have a permission problem with your downloads folder. From what I can see

Try

chmod +x /media/Downloads and see if it fixes the problem.

From what I can see the scripts are working fine even if the port was not open it would still download.

Make sure you have the correct permission setup in transmission and the folders.


