GUIDE: Setting up Transmission with OpenVPN and PIA

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
It looks like you have a permission problem with your downloads folder. From what I can see

Try

chmod +x /media/Downloads and see if it fixes the problem.

From what I can see the scripts are working fine; even if the port was not open it would still download.

Make sure you have the correct permission setup in transmission and the folders.



Sent from my iPhone using Tapatalk
Yes, you were right, I was running transmission under the wrong user. After I changed that it downloads as it should. But I do have a problem with my pia.py file. It doesn't update the ipfw rules for me, and if I stop openvpn the download just keeps on going.

I'm running my jails under 10.0.0.x and here's my pia.py file:
Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess


url = 'sweden.privateinternetaccess.com'

try:
  # Raise if it can't ping the server or openvpn isn't running
  subprocess.check_output(['/usr/sbin/service', 'openvpn', 'status'])
  subprocess.check_output(['/sbin/ping', '-c', '1', url])
except subprocess.CalledProcessError:
  pass
else:
  sys.exit()


hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 10.0.0.0/24 to 10.0.0.0/24 keep-state
'''

rule_number = 2001

for ip in ipaddrlist:
  content += '''
add {} allow ip from 10.0.0.0/24 to {} keep-state
add {} allow ip from {} to 10.0.0.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
  rule_number += 2

content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

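# Stop openvpn and ipfw before rewriting the rules
subprocess.call(['/usr/sbin/service', 'openvpn', 'stop'])
subprocess.call(['/usr/sbin/service', 'ipfw', 'stop'])

# Write the generated rule set to the file named by firewall_type in rc.conf
with open('/etc/ipfw_rules', 'w') as f:
  f.write(content)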

# Start ipfw
subprocess.call(['/usr/sbin/service', 'ipfw', 'start'])

# Check if running
if 'ipfw' in subprocess.check_output(['/usr/sbin/service', '-e']):
  subprocess.call(['/usr/sbin/service', 'openvpn', 'start',])

sys.exit()


Running ipfw list gives me the following:
Code:
root@transmission_2:/etc # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any


/var/log/ipfw.log shows the following:
python2.7: not found
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Hi, make sure the first line of the cron job has the parameters, otherwise it won't find python. Also make sure that the firewall is pointed at the script and that it is running.


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
I also had an issue running 10.0.0.0; it would lock up the firewall, but give it a go.


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Also try running the script manually to make sure it works before you do the cron job.


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
In this section

Code:
ee /etc/rc.conf

firewall_enable="YES"
firewall_type="/ipfw_rules"


That it is pointing to the ipfw script file.


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
ee /etc/rc.conf

firewall_enable="YES"
firewall_type="/etc/ipfw_rules"


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Running the script manually should trigger writing the rules; then, if you have edited the rc.conf file, it should point to the file and load the rules, otherwise it won't work. When running in cron, the first line of the cron job has to have the paths, otherwise you get the python not found. I also found I get python not found if I try to run at startup; that is why the cron runs every 5 mins.


 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
I've been trying to run the pia.py file with
Code:
python2.7 pia.py

I don't get any output at all from doing so. I removed the ipfw.log file in /var/log/ before running the file, and it gets created after I've run pia.py, but the ipfw_rules in /etc/ is not showing up. The file in pia.py is pointing to /etc/ipfw_rules.
I did add the location for python in my rc.conf file and the "python2.7: not found" seems gone.

Might it be a problem running the script on 10.0.0.0/24?
Though I did try some other script I found earlier, and then the firewall rules worked as they should.

OK, I don't know what I did, but now the firewall rules seem to be written. ipfw list shows me the following:
Code:
root@transmission_2:/var/log # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01006 allow ip from 10.0.0.0/24 to 10.0.0.0/24 keep-state
02001 allow ip from 10.0.0.0/24 to 5.153.234.146 keep-state
02002 allow ip from 5.153.234.146 to 10.0.0.0/24 keep-state
02003 allow ip from 10.0.0.0/24 to 5.153.233.34 keep-state
02004 allow ip from 5.153.233.34 to 10.0.0.0/24 keep-state
02005 allow ip from 10.0.0.0/24 to 5.157.7.178 keep-state
02006 allow ip from 5.157.7.178 to 10.0.0.0/24 keep-state
02007 allow ip from 10.0.0.0/24 to 5.157.7.27 keep-state
02008 allow ip from 5.157.7.27 to 10.0.0.0/24 keep-state
02009 allow ip from 10.0.0.0/24 to 5.157.7.154 keep-state
02010 allow ip from 5.157.7.154 to 10.0.0.0/24 keep-state
02011 allow ip from 10.0.0.0/24 to 91.108.183.50 keep-state
02012 allow ip from 91.108.183.50 to 10.0.0.0/24 keep-state
02013 allow ip from 10.0.0.0/24 to 5.157.7.146 keep-state
02014 allow ip from 5.157.7.146 to 10.0.0.0/24 keep-state
02015 allow ip from 10.0.0.0/24 to 5.157.16.42 keep-state
02016 allow ip from 5.157.16.42 to 10.0.0.0/24 keep-state
02017 allow ip from 10.0.0.0/24 to 5.157.7.10 keep-state
02018 allow ip from 5.157.7.10 to 10.0.0.0/24 keep-state
02019 allow ip from 10.0.0.0/24 to 91.108.183.178 keep-state
02020 allow ip from 91.108.183.178 to 10.0.0.0/24 keep-state
02021 allow ip from 10.0.0.0/24 to 5.153.234.10 keep-state
02022 allow ip from 5.153.234.10 to 10.0.0.0/24 keep-state
02023 allow ip from 10.0.0.0/24 to 5.153.234.114 keep-state
02024 allow ip from 5.153.234.114 to 10.0.0.0/24 keep-state
02025 allow ip from 10.0.0.0/24 to 5.153.233.18 keep-state
02026 allow ip from 5.153.233.18 to 10.0.0.0/24 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05002 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any


If I start a download in transmission and let it start downloading, then type "service openvpn stop", the download halts for a few seconds. But then it starts again.
I checked and I'm not connected to the VPN. So something must be wrong with my rules, since it stops but then resumes again without the VPN. Any ideas?
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
You noted above that in the rc.conf file you added the path to python; that is incorrect. The firewall type should be pointing to the ipfw_rules file; if this is pointing to something else then the firewall is not using the rules you created. And make sure in that same config that the firewall is set to yes.


 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
This is my rc.conf:
Code:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/pia_openvpn/pia_vpn.conf"
firewall_enable="YES"
firewall_type="/etc/ipfw_rules"


This is my crontab:
Code:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * /usr/local/bin/python2.7 /usr/local/etc/pia_openvpn/pia.py >> /var/log/ipfw.log 2>&1

*/5 * * * * /usr/local/bin/bash /usr/local/etc/pia_openvpn/port_forward.sh >> /var/log/pia.log 2>&1
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Looks all correct from looking at the above, and if the script is working it should generate the rules and ipfw should block transmission when openvpn stops. But if the script runs again, as you have it in cron at 5 min intervals, Transmission will start to download again even though you stopped openvpn, as the script will start it again. Pinging google will still work with openvpn on or off. If you want to test, you should delete the cron and run the pia script manually to write the rules, then stop openvpn and see if this will halt the downloads.


 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
I did uncomment the two lines in crontab and restarted the jail. Then I ran pia.py and tried downloading a torrent, but the result is still the same: service openvpn stop halts the download for a second, then it resumes.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
That is weird, as the firewall should have blocked it. So I am at a loss; there must be something to do with the 10.0.0.0 numbers. I also had an issue when I used a different port range, say 192.168.0.0; that's the only thing that is different to mine. But for me the download stops until the VPN starts and new firewall rules are written.


 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
If you are there is another firewall guide that will use the uid of transmission and only use the tunnel and if the tunnel goes down transmission stops.


 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
Yes, transmission is the only purpose of this jail.

Could the fact that I changed the user running transmission have anything to do with this? I'm running it under the user media.

I was also wondering about my last two ipfw rules:
Code:
65534 deny ip from any to any
65535 allow ip from any to any

Doesn't the last line overrule the first one?
 

Dudde

Explorer
Joined
Oct 5, 2015
Messages
77
That other firewall guide you mentioned, could you give me the link for it perhaps?
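
On the rule-order question raised above, an added example (not code from the thread or from the guide): ipfw stops at the first rule that matches a packet, so this Python 3 sketch walks a constructed subset of the posted `ipfw list` output and reports which rule decides. The jail address 10.0.0.5, the peer 203.0.113.7 and the interface name `epair0b` are assumptions, and `keep-state` is not modelled.

```python
# Python 3. Minimal model of ipfw first-match evaluation for "ip from A to B" rules.
import ipaddress
import re

# Constructed sample: subset of the `ipfw list` output posted above
# (one VPN endpoint pair kept, IPv6 rules left out).
RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01006 allow ip from 10.0.0.0/24 to 10.0.0.0/24 keep-state
02001 allow ip from 10.0.0.0/24 to 5.153.234.146 keep-state
02002 allow ip from 5.153.234.146 to 10.0.0.0/24 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05002 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any
"""
RULE_RE = re.compile(r"^(\d+) (allow|deny) ip from (\S+) to (\S+)(?: via (\S+))?")

def parse(text):
    """Return [(number, action, src, dst, via)] sorted by rule number."""
    found = (RULE_RE.match(line.strip()) for line in text.splitlines())
    rules = [(int(m.group(1)),) + m.groups()[1:] for m in found if m]
    return sorted(rules, key=lambda r: r[0])

def _in(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(rules, src, dst, iface="epair0b"):
    """First rule that matches decides; keep-state dynamics are not modelled."""
    for num, action, r_src, r_dst, via in rules:
        if via and via != iface:
            continue  # interface-restricted rule, packet is on another interface
        if _in(r_src, src) and _in(r_dst, dst):
            return num, action
    return None

def without(rules, *numbers):
    """Copy of the rule list with the given rule numbers left out, for comparison."""
    return [r for r in rules if r[0] not in numbers]

if __name__ == "__main__":
    rules = parse(RULES)
    jail, peer, vpn = "10.0.0.5", "203.0.113.7", "5.153.234.146"  # jail and peer are hypothetical
    print("jail -> peer:", first_match(rules, jail, peer))
    print("peer -> jail:", first_match(rules, peer, jail))
    strict = without(rules, 5000, 5002)
    print("without 05000/05002, jail -> peer:", first_match(strict, jail, peer))
    print("without 05000/05002, jail -> vpn :", first_match(strict, jail, vpn))
```

In this model, traffic from a 10.0.0.x jail to an arbitrary peer is accepted by rule 05000 before 65534 is consulted, and 65535 is never reached because 65534 matches every IP packet first.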
 