Configuring transmission plugin too run through OpenVPN using PIA with username and password auth

[Craig LaBruno]

I've read a few posts on how to configure just the transmission plug-in to run through VPN using OpenVPN. There are a couple that get into a detailed description on how to do this, most notably these 2 posts:

1. http://forums.freenas.org/index.php...-a-jail-so-it-only-connects-to-the-vpn.18669/

2. http://joepaetzel.com/2013/09/22/openvpn-on-freenas-9-1/

But neither of them solve my the issue of configuring OpenVPN using a service like Private Internet acces where you are given a username and password instead of files for Server Key, DH.perm, etc. for the OpenVPN conf. Quite a few people have this same issue but nobody from what I can tell has posted a solution. Has anyone found a way to do this? I'd really like to set this up but don't have the know how to come up with a solution myself.

 

[mjws00]

PIA can definitely be done using files and openvpn. Unfortunately I set mine up via pfsense so have no idea how to help you with jails etc. Hopefully someone can give you some answers long before I could. OpenVPN has a pretty steep learning curve. I'll check and see how applicable my install notes are.

 

[mjws00]

EDIT: Heh. linked to your info thread.

The only gotcha I can see is that you have to build openvpn yourself with the save password option enabled. I pretty much treat FreeNAS as a NAS and use a VM to do PIA, sickbeard etc... this is so easy on windows (3 clicks?). ;) Maybe the hardcore jail and plugin guys will pop in. But I think the challenge is that this is so easy to screw up that attempts at HOWTO's largely fail.

I'll take a quick whack at it when I get a chance and document as I go... but there are better bsd gurus.

 

[Craig LaBruno]

PIA can definitely be done using files and openvpn. Unfortunately I set mine up via pfsense so have no idea how to help you with jails etc. Hopefully someone can give you some answers long before I could. OpenVPN has a pretty steep learning curve. I'll check and see how applicable my install notes are.

Thanks for replying. I get the basic idea of how to configure transmission to work in this matter, I just get stuck when I get to the part where you have to configure the Openvpn.conf file. PIA gives out a username and password which I'm guessing is not how most of the other VPN services operate because every tutorial I read involves obtaining a .key file and a .cert file from their respective VPN service. PIA does not provide its subscribers these files but instead offers a username & password so there is like 1 particular step that is done differently. I know it's possible though because there have been quite a few people in the forums that mention that they have their transmission plug-in set up this way but nobody explains how it's done. Hopefully one of them stumbles across this post.

 

[mjws00]

I'm writing it up now. There are a couple gotchas, but it isn't bad.

 

[Craig LaBruno]

EDIT: Heh. linked to your info thread.

The only gotcha I can see is that you have to build openvpn yourself with the save password option enabled. I pretty much treat FreeNAS as a NAS and use a VM to do PIA, sickbeard etc... this is so easy on windows (3 clicks?). ;) Maybe the hardcore jail and plugin guys will pop in. But I think the challenge is that this is so easy to screw up that attempts at HOWTO's largely fail.

I'll take a quick whack at it when I get a chance and document as I go... but there are better bsd gurus.

Thanks for the reply and if you do get the time it would be much appreciated. I do have one windows machine in my house with VirtualBox installed on it so maybe you can explain a little more how you have your setup configured for your downloading and such using Sickbeard, PIA, etc. and your VM.

Basically I just want to be able to download and seed my torrents safely using my VPN service while the rest of my FreeNAS is still running normally using my local internet. This way I can have transmission running all day and I can access it from outside my home network whenever I need to.

 

[mjws00]

I'm gonna set up OpenVPN only. Specifically for Private Internet Access (which uses user/pass auth).

Transmission is a plug-in there are lots of threads on it.

Lets get started:

I created a dataset for my jail. Named openvpn.
I shared it just to make things dead simple.

Configure jails: point to your dataset. /mnt/tank/openvpn

I added a jail named 'openvpn'. All defaults except uncheck vanilla.
I set the IP to 192.168.1.180, but use whatever works on your local subnet.

Now we need to jump into the jail and get started. ssh to your freenas box.

Grab a list of your jails.

Code:

Welcome to FreeNAS
[root@freenas] ~# jls

Get a command prompt from your jail (N) is the JID of your jail:

Code:

[root@freenas] ~# jexec (N) tcsh

We'll install bash and nano to keep things dead simple.

Code:

root@openvpn:/ # pkg install bash
root@openvpn:/ # pkg install nano
root@openvpn:/ # bash

Now comes the work. We need to get and update ports in our jail. These can take a while.

Code:

[root@openvpn /]# portsnap fetch
[root@openvpn /]# portsnap extract

First gotcha: We need to update pkg, force the delete, make clean pkg-1.3.8 or openvpn build will fail. Be patient there is lots of work going on here.

Code:

[root@openvpn /]# pkg delete -f pkg
[root@openvpn /]# cd /usr/ports/ports-mgmt/pkg
[root@openvpn /]# make clean install

On to compiling openvpn with our PW_SAVE flag. Let it work.

Code:

[root@openvpn /]# cd /usr/ports/security/openvpn
[root@openvpn /]# make clean install

** Select PW_SAVE option. Click OK / Enter.

We are now fully installed and just need to configure openvpn to use PIA.

Edit /etc/rc.conf to include (or used attached rc.conf):

Code:

[root@openvpn /]# nano /etc/rc.conf

** add**
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Build our directory and add the certificates, conf, and password file.

Code:

[root@openvpn /]# mkdir /usr/local/etc/openvpn

Extract the contents of pia_ovpn.zip to /usr/local/etc/openvpn
You will have 6 files: ca.crt, crl.pem, openvpn.conf, pswd.txt, rc.conf, README.txt
If you cheated like me. You can just drag and drop to the share. ;)

YOU MUST ADD YOUR OWN USER NAME AND PASSWORD IN THE 'pswd.txt' file.

Code:

[root@openvpn /]# nano /usr/local/etc/openvpn/pswd.txt

That's it. You are ready to start the service. Or reboot the jail.

Code:

[root@openvpn /]# /usr/local/etc/rc.d/openvpn start

Lets test:

Code:

[root@openvpn /etc]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:8c:75:00:06:0b
        inet 192.168.1.180 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.150.1.6 --> 10.150.1.5 netmask 0xffffffff
        nd6 options=1<PERFORMNUD>
        Opened by PID 40682

You should have a tun0 interface with a valid internal PIA IP address.
Confirm your vpn is working correctly by hitting a site that will echo your ip back.

Code:

[root@openvpn /etc]# wget http://smart-ip.net/myip -O - -q ; echo
50.23.131.244

If it looks anything like this you have done it!
Set up your firewall rules if you need a killswitch and/or transmission. User/pass auth is kind of poor security at the end of day... but it is what we get. You can encrypt and worry about that on your own.
You can select your server by changing 'remote us-seattle.privateinternetaccess.com 1194'
in /usr/local/etc/openvpn/openvpn.conf

Good luck. This is really derivative of other works around here. I just navigated a few new hurdles. Enjoy.

 

[mjws00]

Craig,

My setup is pretty much the anti-freenas version. I use freenas/zfs for storage only. I have a pfsense box that filters and bridges xbox traffic over the vpn. My download workstation is a super lean win7 box that runs sickbeard and utorrent and the pia client. It downloads to my main workstation and post-processes to the plex server. So I have a fast local copy and library, that then gets synced to the freenas box.

I am an esxi guy, and run a pretty decent lab at home. So virtualization is second nature. Polluting bsd/zfs with a bunch of packages, jails, and vms isn't my cup of tea. I'd rather keep it clean... but I also like to play. ;)

 

[Craig LaBruno]

I'm gonna set up OpenVPN only. Specifically for Private Internet Access (which uses user/pass auth).

Transmission is a plug-in there are lots of threads on it.

Lets get started:

I created a dataset for my jail. Named openvpn.
I shared it just to make things dead simple.

Configure jails: point to your dataset. /mnt/tank/openvpn

I added a jail named 'openvpn'. All defaults except uncheck vanilla.
I set the IP to 192.168.1.180, but use whatever works on your local subnet.

View attachment 5045

View attachment 5046

Now we need to jump into the jail and get started. ssh to your freenas box.

Grab a list of your jails.

Code:

Welcome to FreeNAS
[root@freenas] ~# jls

Get a command prompt from your jail (N) is the JID of your jail:

Code:

[root@freenas] ~# jexec (N) tcsh

We'll install bash and nano to keep things dead simple.

Code:

root@openvpn:/ # pkg install bash
root@openvpn:/ # pkg install nano
root@openvpn:/ # bash

Now comes the work. We need to get and update ports in our jail. These can take a while.

Code:

[root@openvpn /]# portsnap fetch
[root@openvpn /]# portsnap extract

First gotcha: We need to update pkg, force the delete, make clean pkg-1.3.8 or openvpn build will fail. Be patient there is lots of work going on here.

Code:

[root@openvpn /]# pkg delete -f pkg
[root@openvpn /]# cd /usr/ports/ports-mgmt/pkg
[root@openvpn /]# make clean install

On to compiling openvpn with our PW_SAVE flag. Let it work.

Code:

[root@openvpn /]# cd /usr/ports/security/openvpn
[root@openvpn /]# make clean install

** Select PW_SAVE option. Click OK / Enter.

We are now fully installed and just need to configure openvpn to use PIA.

Edit /etc/rc.conf to include (or used attached rc.conf):

Code:

[root@openvpn /]# nano /etc/rc.conf

** add**
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Build our directory and add the certificates, conf, and password file.

Code:

[root@openvpn /]# mkdir /usr/local/etc/openvpn

Extract the contents of pia_ovpn.zip to /usr/local/etc/openvpn
You will have 6 files: ca.crt, crl.pem, openvpn.conf, pswd.txt, rc.conf, README.txt
If you cheated like me. You can just drag and drop to the share. ;)

YOU MUST ADD YOUR OWN USER NAME AND PASSWORD IN THE 'pswd.txt' file.

Code:

[root@openvpn /]# nano /usr/local/etc/openvpn/pswd.txt

That's it. You are ready to start the service. Or reboot the jail.

Code:

[root@openvpn /]# /usr/local/etc/rc.d/openvpn start

Lets test:

Code:

[root@openvpn /etc]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:8c:75:00:06:0b
        inet 192.168.1.180 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.150.1.6 --> 10.150.1.5 netmask 0xffffffff
        nd6 options=1<PERFORMNUD>
        Opened by PID 40682

You should have a tun0 interface with a valid internal PIA IP address.
Confirm your vpn is working correctly by hitting a site that will echo your ip back.

Code:

[root@openvpn /etc]# wget http://smart-ip.net/myip -O - -q ; echo
50.23.131.244

If it looks anything like this you have done it!
Set up your firewall rules if you need a killswitch and/or transmission. User/pass auth is kind of poor security at the end of day... but it is what we get. You can encrypt and worry about that on your own.
You can select your server by changing 'remote us-seattle.privateinternetaccess.com 1194'
in /usr/local/etc/openvpn/openvpn.conf

Good luck. This is really derivative of other works around here. I just navigated a few new hurdles. Enjoy.

 

[Craig LaBruno]

Mjsw00,

Thank you very much for taking the time to post this tutorial. I am going to give it a go and I will report back with results. Thank you again

 

[Craig LaBruno]

Craig,

My setup is pretty much the anti-freenas version. I use freenas/zfs for storage only. I have a pfsense box that filters and bridges xbox traffic over the vpn. My download workstation is a super lean win7 box that runs sickbeard and utorrent and the pia client. It downloads to my main workstation and post-processes to the plex server. So I have a fast local copy and library, that then gets synced to the freenas box.

I am an esxi guy, and run a pretty decent lab at home. So virtualization is second nature. Polluting bsd/zfs with a bunch of packages, jails, and vms isn't my cup of tea. I'd rather keep it clean... but I also like to play. ;)

 

[Craig LaBruno]

That sounds like quite the home lab you have there very impressed with setup.

 

[Craig LaBruno]

To be perfectly honest I am pretty new to installing and configuring NAS devices so I did a little research last week and decided to take down a slightly older P.C. out of the attic and give FreeNAS a try mainly for learning purposes since it seemed like a pretty easy installation and the gui didn't seem to be too confusing. I am very impressed with the many different thing you can do with the FreeNAS plugins. As you can tell from the original post, I am already playing around with quite a few of them and learning how to re-configure them to work optimally. But, in the back of my mind, I have wondered this whole time how safe and healthy it is to be utilizing all of these plugins on the NAS device at the same time. Your home lab setup sounds very impressive. I like to keep things clean myself but can't resist a little fun from time to time . But safety and the health of my network is A1. At the very least, this whole experience thus far has really opened my eyes to a lot of awesome different things that can be accomplished though. It really appeals to my obsessive compulsive home network/computing addiction . I'll be sure to keep in touch and bounce some ideas off of you from time to time if you don't mind.

 

[mjws00]

You can learn on anything. But take the advice on ECC, min ram, and good hardware to heart if you ever move real data. The hardware advice on this forum is superb. Most of the time it is cheaper than "prosumer" gear any way. BSD/ZFS is a crazy good platform but has a steep learning curve.

Enjoy your stay. This is a pretty decent crew with some very knowledgeable folks.

 

[Craig LaBruno]

This is probably a really stupid question but I just want to be 100% sure so I don't screw anything up. Since I want OpenVPN working from within my transmission plug-in I just basically follow these steps but in the beginning I do not need to create the jails since I already set that all set up when I installed transmission. So, I just need to enter my transmission jail via SSH and then follow the steps from there, correct?

 

[mjws00]

Yep.

 

[unca_NAS]

With 3rd try, I managed to install OpenVPN to sama jail with Transmission

However I'm unable to access Transmission. I have port forwarded ports
1194
9091
51413
... to my transmission-vpn-jail ip, no success. I can ping other jails and www-sites from within this jail, not vice versa. Transmission log shows that service is started but no torrent can connect to tracker.

What steps do I have to take in order to access Transmission with webgui or remote-GUI and get downloads working? Additional routing?

EDIT:
Enabling firewall and adding the following firewall-rule + restarting the jail did the trick

1. add 01001 allow ip from 192.168.0.0/24 to 192.168.0.0/24 keep-state

Torrents are downloading, webgui works, good.

Another problem:

I have a leased domain-name from DynDNS. When using it with my ISP's static ip, it worked (obviously) just fine. Now PIA provides an ip that changes every time I restart the jail. Furthermore, attempting to pair the current ip with domain-name results "forbidden, spam-IP"

Since I have very limited understanding on these things, is there a way to continue to use http://domainname:9091 or should I seed another options on remote-controlling the Transmission?

 

[mjws00]

Excellent. Glad to see you making progress. This stuff can be tricky. :)

 

[Ozland]

I'm gonna set up OpenVPN only. Specifically for Private Internet Access (which uses user/pass auth).

Transmission is a plug-in there are lots of threads on it.

Lets get started:

I created a dataset for my jail. Named openvpn.
I shared it just to make things dead simple.

Configure jails: point to your dataset. /mnt/tank/openvpn

I added a jail named 'openvpn'. All defaults except uncheck vanilla.
I set the IP to 192.168.1.180, but use whatever works on your local subnet.

View attachment 5045

View attachment 5046

Now we need to jump into the jail and get started. ssh to your freenas box.

Grab a list of your jails.

Code:

Welcome to FreeNAS
[root@freenas] ~# jls

Get a command prompt from your jail (N) is the JID of your jail:

Code:

[root@freenas] ~# jexec (N) tcsh

We'll install bash and nano to keep things dead simple.

Code:

root@openvpn:/ # pkg install bash
root@openvpn:/ # pkg install nano
root@openvpn:/ # bash

Now comes the work. We need to get and update ports in our jail. These can take a while.

Code:

[root@openvpn /]# portsnap fetch
[root@openvpn /]# portsnap extract

First gotcha: We need to update pkg, force the delete, make clean pkg-1.3.8 or openvpn build will fail. Be patient there is lots of work going on here.

Code:

[root@openvpn /]# pkg delete -f pkg
[root@openvpn /]# cd /usr/ports/ports-mgmt/pkg
[root@openvpn /]# make clean install

On to compiling openvpn with our PW_SAVE flag. Let it work.

Code:

[root@openvpn /]# cd /usr/ports/security/openvpn
[root@openvpn /]# make clean install

** Select PW_SAVE option. Click OK / Enter.

We are now fully installed and just need to configure openvpn to use PIA.

Edit /etc/rc.conf to include (or used attached rc.conf):

Code:

[root@openvpn /]# nano /etc/rc.conf

** add**
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Build our directory and add the certificates, conf, and password file.

Code:

[root@openvpn /]# mkdir /usr/local/etc/openvpn

Extract the contents of pia_ovpn.zip to /usr/local/etc/openvpn
You will have 6 files: ca.crt, crl.pem, openvpn.conf, pswd.txt, rc.conf, README.txt
If you cheated like me. You can just drag and drop to the share. ;)

YOU MUST ADD YOUR OWN USER NAME AND PASSWORD IN THE 'pswd.txt' file.

Code:

[root@openvpn /]# nano /usr/local/etc/openvpn/pswd.txt

That's it. You are ready to start the service. Or reboot the jail.

Code:

[root@openvpn /]# /usr/local/etc/rc.d/openvpn start

Lets test:

Code:

[root@openvpn /etc]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:8c:75:00:06:0b
        inet 192.168.1.180 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.150.1.6 --> 10.150.1.5 netmask 0xffffffff
        nd6 options=1<PERFORMNUD>
        Opened by PID 40682

You should have a tun0 interface with a valid internal PIA IP address.
Confirm your vpn is working correctly by hitting a site that will echo your ip back.

Code:

[root@openvpn /etc]# wget http://smart-ip.net/myip -O - -q ; echo
50.23.131.244

If it looks anything like this you have done it!
Set up your firewall rules if you need a killswitch and/or transmission. User/pass auth is kind of poor security at the end of day... but it is what we get. You can encrypt and worry about that on your own.
You can select your server by changing 'remote us-seattle.privateinternetaccess.com 1194'
in /usr/local/etc/openvpn/openvpn.conf

Good luck. This is really derivative of other works around here. I just navigated a few new hurdles. Enjoy.

Hello,

I followed this "by the book", except for the Jail part, which I used my transmission one instead since it's the only one I'll use OpenVPN on.

So, I'm trying to launch "OpenVPN", I copied the files (The PIA archive you gave in your post, and I changed my username/password) in the correct folder but everytime I try to launch the process it says "Starting openvpn", but then I get nothing when I check the process lists...

I tried rebooting the jail and it didn't work.

Any pointers?

Thanks!

EDIT, here's some logs after a jail reboot :

Code:

[root@freenas] ~# jexec 7 tcsh
root@transmission_1:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:3a:d2:00:0b:0b
        inet 192.168.2.3 netmask 0xffffff00 broadcast 192.168.2.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
root@transmission_1:/ # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
root@transmission_1:/ # ps aux | less
USER   PID %CPU %MEM    VSZ   RSS TT  STAT STARTED    TIME COMMAND
root 47232  0.0  0.0  12088  1688 ??  SsJ  11:00PM 0:00.00 /usr/sbin/syslogd -s
root 47292  0.0  0.0  14180  1676 ??  IsJ  11:00PM 0:00.00 /usr/sbin/cron -s
root 47496  0.0  0.2 140672 28472 ??  IJ   11:00PM 0:00.23 /usr/pbi/transmissio
root 49366  0.0  0.0  17568  3324  0  DJ   11:00PM 0:00.01 tcsh
root 49380  0.0  0.0  14224  1636  0  R+J  11:01PM 0:00.00 ps aux
root 49381  0.0  0.0  17568  3324  0  DV+J 11:01PM 0:00.00 tcsh
(END)

EDIT2
Fixed my issue, it was pretty silly, but I had something wrong in the pswd.txt file. Now it connects and my IP is now showing as the VPN one. Thanks for the awesome guide!

 

[mjws00]

Glad you got it working.