GUIDE: Setting up Transmission with OpenVPN and PIA

dgibson1

Cadet
Joined
May 10, 2014
Messages
4
Thanks for posting this. I got mine set up and working, and I was able to verify it was using a completely different IP than my home external IP. But a side effect I didn't think about is I'm no longer able to access transmission remotely using the remote GUI set to my home DDNS address. Is there a workaround for this?
Sounds like this is an asymmetric routing issue. Your packets flow in via what I assume is the external IP of your home router (associated with your DDNS mapping) and they get to your transmission machine just fine. When transmission attempts to reply and establish the TCP connection it does so through the VPN tunnel, since the remote destination IP is not on your local home network. This is because the default route in the routing table of your transmission host is going to be pointing toward the tunnel interface. Most likely the seq number is also being randomized along the way back through your VPN provider and when/if the packet makes it back to your local machine it gets dropped since it's out of sequence.

A solution would be to use the Internet facing IP provided by your VPN provider as the destination for your transmission gui session along with port forwarding through your VPN provider OR I guess if you are always going to be accessing the transmission gui from the same remote location (doubtful) you could add a static route to that network pointing toward the local home network interface.
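The routing decision described in the reply above, as an added example that is not part of the original post: a longest-prefix lookup over a constructed routing table shows the reply leaving through tun0, and a static route moving it back to the LAN interface. The table, the interface names (tun0, epair0b) and all addresses are assumptions.

```shell
#!/bin/sh
# Constructed routing table: destination, gateway, interface, in the spirit of
# `netstat -rn` inside the jail with the tunnel up. All values are made up.
ROUTES_VPN='default 10.8.0.1 tun0
10.8.0.0/24 link#3 tun0
192.168.1.0/24 link#2 epair0b'

# Same table plus a static route to the remote client's network via the LAN router.
ROUTES_FIXED="$ROUTES_VPN
203.0.113.0/24 192.168.1.1 epair0b"

# egress_if TABLE IP: print the interface of the longest-prefix match for IP.
egress_if() {
  printf '%s\n' "$1" | awk -v ip="$2" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    {
      dest = ($1 == "default") ? "0.0.0.0/0" : $1
      split(dest, p, "/")
      len = (p[2] == "") ? 32 : p[2] + 0      # no /N means a host route
      div = 2 ^ (32 - len)                     # drop the host bits by division
      if (int(ip2n(ip) / div) == int(ip2n(p[1]) / div) && len >= best) { best = len; ifc = $3 }
    }
    END { print ifc }'
}

# reply_path TABLE CLIENT_IP INBOUND_IF: compare the interface the request
# arrived on with the interface the reply would leave on.
reply_path() {
  out=$(egress_if "$1" "$2")
  if [ "$out" = "$3" ]; then
    echo "symmetric via $out"
  else
    echo "asymmetric: in on $3, reply out on $out"
  fi
}

# Remote GUI client 203.0.113.25 reaches the jail through the home router (epair0b).
reply_path "$ROUTES_VPN" 203.0.113.25 epair0b
reply_path "$ROUTES_FIXED" 203.0.113.25 epair0b
```

Other Internet destinations still resolve to tun0 with the static route in place, so only traffic to that one client network bypasses the tunnel.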
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
I've got my GUI up and running, am just unable to seed or figure out which port to open. Any ideas?
 

SpaceAvenger69

Dabbler
Joined
Feb 4, 2015
Messages
20
This script worked great for me as well, however, I've got a couple questions. First, I've set my rc.conf to use PIA's US-California vpn file however the IP that shows is from Texas. No problem there, just seems weird.
Second, and more importantly, how do I set up port forwarding for this setup? Specifically, if Transmission is listening to port 51413 is this the port number that I forward to the jail IP? (I've tried this and it's not working.) Do I forward this port number to the VPN IP? Is there a different port number involved? Bottom line, I'm just trying to open a port for Transmission to listen on. I've tested Transmission without the PIA VPN and port 51413 is open and it's working great. Through the VPN it is working, however REALLY slow, and it's showing the port it needs to listen on is closed.
 

mjws00

Guru
Joined
Jul 25, 2014
Messages
798
Only a few of the PIA servers will forward ports. There is a list on their site. Switzerland, a couple in Canada etc. There is a script earlier in this thread that supposedly works. You'll need to use the right server (not California) and run the script.

Good luck.
 

SpaceAvenger69

Dabbler
Joined
Feb 4, 2015
Messages
20
Yeah, I'm an idiot. I went through this entire thread but somehow totally missed the script for finding the forwarding port. After I found that I finally got it to work successfully. I appreciate all the work you guys have done to get Transmission working in this capacity. This community is so awesome!
 

Bageland2000

Dabbler
Joined
Aug 24, 2014
Messages
48
Any idea why when I try to enter bash it says Shared object "libiconv.so.2" not found, required by "bash"?

edit: I'm still learning this stuff, but I followed a guide to make a clean install of libiconv:

1. # cd /usr/ports/converters/libiconv/
2. # make clean deinstall
3. # make clean install

worked like a charm...
 

marcFL

Cadet
Joined
Apr 30, 2014
Messages
2
I have a qn. I had all this working great last year, then my server died a while back, and I'm busy setting everything up again.

I used Jaffrey's script, instead of the manual steps. It works, but I'm getting constant messages on the console (perhaps every 5 - 10 mins):

Authenticate/Decrypt packet error: packet HMAC authentication failed

and

Authenticate/Decrypt packet error: bad packet ID (may be a replay)

The connection is working (I have Transmission in the same jail). I connect to the US Florida server. Any ideas what might be causing this? Either openvpn is a different version, or the ovpn file changed a little since I last had it working about a month back (no such errors). I'm on FreeNAS 9.3.

As an aside, I tried both my "regular" PIA credentials and my PPTP/IPSEC credentials. In both cases I see these console messages.

Any ideas what's going on? Do I just ignore the errors?

Lastly - to answer your qn Bageland2000 - you can just do a pkg install libiconv before you install bash. That fixes whatever is messed up in the plugin jail in 9.3.
 

jimmmy

Cadet
Joined
Dec 4, 2014
Messages
5
Thanks a lot for the script! I was pulling out my hair trying to get it to work!
When I finish the process, my IP is still the same as my old IP. I have just done a fresh Transmission jail install with no luck. Everything seems to have worked except the IP addresses are the same.
Any hints?
I am on FreeNAS 9.3.
 

jimmmy

Cadet
Joined
Dec 4, 2014
Messages
5
No, when I do "/usr/local/etc/rc.d/openvpn start" it says:

Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

Any ideas?

I ran the script multiple times as I had my user / pwd wrong initially (hadn't generated them on the PIA page yet)... could that be a problem?
 

jimmmy

Cadet
Joined
Dec 4, 2014
Messages
5
It's all good - I removed the jail and added it all again fresh, used putty to get in and it seemed to work! Thanks :D
 

lirtle

Cadet
Joined
Mar 1, 2015
Messages
1
I am interested in using the port forward feature of PIA. I hacked together this script starting from the PIA script, and it seems to work (forwards port to Transmission). I am still learning FreeNAS and scripting so if anyone has a more elegant solution I would be interested.

(this runs inside the jail with OpenVPN and Transmission)

Code:
#! /usr/local/bin/bash
#
# Enable port forwarding
#
# Requirements:
#   your Private Internet Access user and password as arguments
#
# Usage:
#  ./port_forward.sh <user> <password>

error( )
{
  echo "$@" 1>&2
  exit 1
}

error_and_usage( )
{
  echo "$@" 1>&2
  usage_and_exit 1
}

usage( )
{
  echo "Usage: `dirname $0`/$PROGRAM <user> <password>"
}

usage_and_exit( )
{
  usage
  exit $1
}

version( )
{
  echo "$PROGRAM version $VERSION"
}


port_forward_assignment( )
{
  echo 'Loading port forward assignment information..'
  # Read the VPN-side address of tun0 and generate a random client id.
  if [ "$(uname)" == "Linux" ]; then
    local_ip=$(ifconfig tun0 | grep -oE "inet addr: *10\.[0-9]+\.[0-9]+\.[0-9]+" | tr -d "a-z :" | tee /tmp/vpn_ip)
    client_id=$(head -n 100 /dev/urandom | md5sum | tr -d " -")
  fi
  if [ "$(uname)" == "FreeBSD" ]; then
    local_ip=$(ifconfig tun0 | grep "inet " | cut -d' ' -f2 | tee /tmp/vpn_ip)
    client_id=$(head -n 100 /dev/urandom | md5 -r | tr -d " -")
  fi
  # Note: --no-check-certificate turns off TLS certificate verification, so the
  # user name and password below are posted to a server that is not authenticated.
  json=$(wget --no-check-certificate -q --post-data="user=$USER&pass=$PASSWORD&client_id=$client_id&local_ip=$local_ip" -O - 'https://www.privateinternetaccess.com/vpninfo/port_forward_assignment' | head -1)
  echo "$json"
  # Keep only the digits of the reply as the forwarded port.
  PORTNUM=$(echo "$json" | grep -oE "[0-9]+")
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=1.0
USER=$1
PASSWORD=$2

while test $# -lt 2
do
  case $1 in
  --usage | --help | -h )
    usage_and_exit 0
    ;;
  --version | -v )
    version
    exit 0
    ;;
  *)
    error_and_usage "Unrecognized option: $1"
    ;;
  esac
  shift
done

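port_forward_assignment

# Stop if the reply contained no port number (for example an error message).
[ -n "$PORTNUM" ] || error "No port number in the port forward reply"

transmission-remote -p "$PORTNUM"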

exit 0
Thanks for this dude. Worked perfectly!
 

Nystro0m

Cadet
Joined
Feb 28, 2015
Messages
4
I can't find any crl.pem from my VPN provider.
Is there any way to modify or make my own crl.pem file?

I'm using PureVPN, if it's of any help.
 
Joined
Mar 6, 2014
Messages
686
No, when I do "/usr/local/etc/rc.d/openvpn start" it says:

Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

Any ideas?

I ran the script multiple times as I had my user / pwd wrong initially (hadn't generated them on the PIA page yet)... could that be a problem?
After trying to start OpenVPN, check the logs for clues
Code:
tail /var/log/messages
 
Joined
Mar 6, 2014
Messages
686
I can't find any crl.pem from my VPN provider.
Is there any way to modify or make my own crl.pem file?

I'm using PureVPN, if it's of any help.
What files DO you have?
 

jwdicki

Cadet
Joined
Feb 5, 2015
Messages
6
Which login and password are you using? I got "failed to start" when using my own credentials for PIA, but got it to work when I used the one PIA gave me for proxy use.
 
Joined
Mar 17, 2015
Messages
2
Thank you for the great guide!

One quick question: will this have to be manually started every time FreeNAS or the plugin/jail reboots? If so, where can I set it to automatically start whenever the plugin/jail starts?
 

dgibson1

Cadet
Joined
May 10, 2014
Messages
4
The past several days I've been getting the following openvpn error during use of the tunnel:

Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Eventually I start getting TLS handshake failure. My tunnel has been working fine for several weeks, so I can't help but think that one of my FreeNAS updates is to blame. I'm currently on FreeNAS-9.3-STABLE-201503200528. Has anyone else experienced this same behavior recently?
 

Carolina

Cadet
Joined
Dec 5, 2014
Messages
6
The past several days I've been getting the following openvpn error during use of the tunnel:

Authenticate/Decrypt packet error: bad packet ID (may be a replay)

Eventually I start getting TLS handshake failure. My tunnel has been working fine for several weeks, so I can't help but think that one of my FreeNAS updates is to blame. I'm currently on FreeNAS-9.3-STABLE-201503200528. Has anyone else experienced this same behavior recently?

After working fine for the last few months, I'm now getting the same errors.

Mar 25 08:02:58 freenas kernel: <118>Mar 25 08:02:58 freenas smbd[20981]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsmatchname: host name/name mismatch: 192.168.1.9 != (NULL)
Mar 25 08:02:58 freenas kernel: <118>Mar 25 08:02:58 freenas smbd[20981]: [2015/03/25 08:02:58.167318, 0] ../source3/lib/util_sock.c:1199(get_remote_hostname)
Mar 25 08:02:58 freenas kernel: <118>Mar 25 08:02:58 freenas smbd[20981]: matchname failed on 192.168.1.9
Mar 25 08:03:15 freenas kernel: <118>Mar 25 08:03:15 transmission_1 openvpn[68333]: Authenticate/Decrypt packet error: packet HMAC authentication failed
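An added example, not from any poster in this thread, that tallies the two OpenVPN packet errors quoted above from syslog lines, with the first and last time each was seen, and counts TLS handshake failures separately. The sample lines are constructed in the shape of the console output above (timestamps, PIDs and jail name are made up), and the `TLS Error: TLS handshake failed` wording is assumed to be the message logged for the handshake failure mentioned above.

```shell
#!/bin/sh
# Constructed sample lines, modelled on the console output quoted in this thread.
SAMPLE='Mar 25 08:03:15 freenas kernel: <118>Mar 25 08:03:15 transmission_1 openvpn[68333]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 25 08:09:41 freenas kernel: <118>Mar 25 08:09:41 transmission_1 openvpn[68333]: Authenticate/Decrypt packet error: bad packet ID (may be a replay)
Mar 25 08:10:02 freenas kernel: <118>Mar 25 08:10:02 freenas smbd[20981]: matchname failed on 192.168.1.9
Mar 25 08:17:30 freenas kernel: <118>Mar 25 08:17:30 transmission_1 openvpn[68333]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar 25 08:31:12 freenas kernel: <118>Mar 25 08:31:12 transmission_1 openvpn[68333]: TLS Error: TLS handshake failed'

# openvpn_errors: read syslog lines on stdin and print one line per distinct
# packet error: count, first seen, last seen, reason (tab separated),
# most frequent first.
openvpn_errors() {
  awk '
    /openvpn\[[0-9]+\]: Authenticate\/Decrypt packet error: / {
      t = $3                                   # host timestamp (HH:MM:SS)
      sub(/^.*Authenticate\/Decrypt packet error: /, "")
      if (!($0 in n)) first[$0] = t
      n[$0]++
      last[$0] = t
    }
    END { for (r in n) printf "%d\t%s\t%s\t%s\n", n[r], first[r], last[r], r }' | sort -rn
}

# handshake_failures: count TLS handshake failures on stdin, the point at
# which the tunnel itself stops working rather than dropping single packets.
handshake_failures() {
  grep -c 'openvpn\[[0-9]*]: TLS Error: TLS handshake failed' || true
}

printf '%s\n' "$SAMPLE" | openvpn_errors
printf 'TLS handshake failures: %s\n' "$(printf '%s\n' "$SAMPLE" | handshake_failures)"
```

On a live system the same functions can be fed from the log file, for example `openvpn_errors < /var/log/messages`.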
 