GUIDE: Setting up Transmission with OpenVPN and PIA

[Supa]

can't get it working anymore :{

 

[MaIakai]

Fun times, I connect, but fail to create tun correctly.

Jun 26 23:28:34 transmission_1 openvpn[99896]: OPTIONS IMPORT: timers and/or timeouts modified
Jun 26 23:28:34 transmission_1 openvpn[99896]: OPTIONS IMPORT: --ifconfig/up options modified
Jun 26 23:28:34 transmission_1 openvpn[99896]: OPTIONS IMPORT: route options modified
Jun 26 23:28:34 transmission_1 openvpn[99896]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jun 26 23:28:34 transmission_1 openvpn[99896]: ROUTE_GATEWAY 10.1.1.1
Jun 26 23:28:34 transmission_1 openvpn[99896]: TUN/TAP device /dev/tun0 opened
Jun 26 23:28:34 transmission_1 openvpn[99896]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Jun 26 23:28:34 transmission_1 openvpn[99896]: /sbin/ifconfig tun0 10.10.2.54 10.10.2.53 mtu 1500 netmask 255.255.255.255 up
Jun 26 23:28:34 transmission_1 openvpn[99896]: FreeBSD ifconfig failed: external program exited with error status: 1
Jun 26 23:28:34 transmission_1 openvpn[99896]: Exiting due to fatal error


Key lines of my openvpn.conf

auth-user-pass pass.txt
client
redirect-gateway
remote-cert-tls server
cipher AES-256-CBC
dev tun
keepalive 10 120
nobind
persist-key
persist-tun

 

[Supa]

for those of you on PIA + Transmission... Whenever I change my server to a 2 word one.. I get this error: Options error: --ca fails with '/ usr/local/etc/openvpn//usr/local/etc/openvpn/ca.crt': No such file or directory Options error: --crl-verify fails with '/usr/local/etc/openvpn//usr/local/etc/openvpn/crl.pem': No such file or directory

while if I keep it on like Switzerland/Mexico... any server with 1 word it works just fine. Any ideas?

 

[carleycr]

Would it be recommended to install OpenVPN into it's own jail? I have plex, transmission, couchpotato, sickrage, and sabnzbd all in one jail so they can play nice together. The main reason I want OpenVPN is just for connecting to home network when away. I may want to connect transmission and/or sabnzbd down the road however.

 

[Rilo Ravestein]

Do you have the option of setting up VPN in your router? Or flashing dd-wrt to your router and then setup VPN?

 

[carleycr]

Do you have the option of setting up VPN in your router? Or flashing dd-wrt to your router and then setup VPN?

Unfortunately, not right now. That would be the ideal situation though. I have a Linkskys WRT1900AC and I purchased it with the intention of flashing. The latest I've seen online was that dd-wrt is still in the works for this router. So i figure, I have FreeNAS, why not try that.

 

[Rilo Ravestein]

Unfortunately, not right now. That would be the ideal situation though. I have a Linkskys WRT1900AC and I purchased it with the intention of flashing. The latest I've seen online was that dd-wrt is still in the works for this router. So i figure, I have FreeNAS, why not try that.

That's going to take a while. If ever. My next router won't be a linksys anymore (I have an EA6500). Too many promises, too little support.

 

[cyberjock]

Yeah.. I gotta LOL at the suckers that bought that WRT1900AC.

I read about that and the first thing I thought was "I'll believe it when I see ROMs for it". So far its 18+ months old and *still* has jack and sh*t for support. Damn hilarious if you are the Linksys guys since they conned the buyers and got away with it. Damn sad if you are an owner because you expected so much more and will never see it. :/

I'm figuring that by the time it is well supported (if it ever is), 802.11ac will be old and obsolete and nobody will want it anyway. :P

Words of advice.. don't buy hardware or software on promises. Make them provide what you want.

 

[Ramapo]

Yeah.. I gotta LOL at the suckers that bought that WRT1900AC.

I read about that and the first thing I thought was "I'll believe it when I see ROMs for it". So far its 18+ months old and *still* has jack and sh*t for support. Damn hilarious if you are the Linksys guys since they conned the buyers and got away with it. Damn sad if you are an owner because you expected so much more and will never see it. :/

I'm figuring that by the time it is well supported (if it ever is), 802.11ac will be old and obsolete and nobody will want it anyway. :p

Words of advice.. don't buy hardware or software on promises. Make them provide what you want.

It might be a bit late at this point but OpenWRT seems to be implementing support for it.

http://wiki.openwrt.org/toh/linksys/wrt1900ac

 

[Rilo Ravestein]

Yeah. And with the pace they're usually going with new hardware, and the linksys support (sorry, nothing than bad experience on that part here), we'll have a stable version (all functionality being stable that is) in about a year (or two) from now.

 

[cyberjock]

It might be a bit late at this point but OpenWRT seems to be implementing support for it.

That's the problem... implement-ing.. not implemented.

It's been 18 months. How much longer will it take to be implemented? Too long, whatever it is.

 

[Ramapo]

Yeah. And with the pace they're usually going with new hardware, and the linksys support (sorry, nothing than bad experience on that part here), we'll have a stable version (all functionality being stable that is) in about a year (or two) from now.

That's definitely possibly likely.

That's the problem... implement-ing.. not implemented.

It's been 18 months. How much longer will it take to be implemented? Too long, whatever it is.

I say implementing but they do have it *working*, but as Rilo pointed out it still looks more beta. Just wanted to be clear for anyone finding these posts looking for info about this router.

I completely agree with you about how long it has taken. I actually remember when this router was released and the fanfare around being able to use alternative software. While I'm sure that huge marketing ploy helped them sell a few routers their failure to deliver what they advertised has certainly put me off as a consumer.

 

[cyberjock]

I completely agree with you about how long it has taken. I actually remember when this router was released and the fanfare around being able to use alternative software. While I'm sure that huge marketing ploy helped them sell a few routers their failure to deliver what they advertised has certainly put me off as a consumer.

I remember reading reviews about the router when it first came out. The stuff I remember:

1. Performance was "good". Not great, but "good". It was expected that if Linksys took things seriously it could go from "good" to "great" with future firmware revisions.
2. Cost was a bit high when considering what you were getting. Not what was promised, but what you were getting the day you bought it.
3. There was serious, serious concerns that support from Linksys would range from poor to virtually non-existent. Quite a few people, before the product was released, were asking about obtaining additional information on making firmware for Linksys, and even at that time the emails were going totally unanswered. There's a difference between "please wait, we're still trying to iron out these details" and flat out being unresponsive.
4. Quite a few people said that based on prior history with Linksys they likely wouldn't provide particularly useful information on the router until it was already discontinued and replaced with something new.

For me, when comparing those factors it was a non-starter with regards to buying one. I never owned the old WRT54G. I haven't had much faith in Linksys for quite some time, and just by going from the talking points above, it doesn't make me feel particularly confident that it was going to go anywhere fast, if anywhere at all.

I asked my friend that bought one of those WRT1900AC devices when it came out, then tried to convince me that if I didn't buy one I'd be left behind. Of course, my setup is far superior to his (it was before he bought his setup) and he's really feeling duped. He said that while the OpenWRT is at release candidate 3, it still has lots of issues and is usable only in the most basic of sense. Lots of advanced features don't really work properly, or create other problems that break things. He said definitely good enough for a mom-and-pop setup, but the people that bought the WRT1900AC didn't buy it to be your generic basic router. They were power users that know about the history with the WRT54G and were wanting an updated version of that. He said that on a scale of 1-10, 10 being awesome, he'd only rank it a 4 or 5. He said it works, even with the factory firmware, but it isn't the amazing ball buster that the WRT54G was in its day. He said it has potential to be a 7 or 8, but at the rate it is going by the time it is that good there will possibly be a successor to 802.11ac and then this device won't be the cream of the crop it was supposed to be. He said it will never be the "great" successor to the WRT54G that the media outlets claimed it would be.

I'm plenty happy with my pfsense box and ubiquiti wifi hotspot and have no reason to consider anything else, except maybe wifi hardware that supports a mesh network. ;)

 

[llygoden]

I've used jafrey's script to install OpenVPN with the PIA configuration files, but when I try and start the service I get the following error message:

root@sabnzbd_1:/ # /usr/sbin/service openvpn start
openvpn does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)
​

I imagine that somewhere along the lines Unix permissions have caused this issue to rear it's head but I'm unable to figure out where. Any help would be most appreciated.

Thanks for any help

 

[UK_Dave]

Hi all,

wondering if someone might be able to give me some pointers where to look at fixing my openvpn issues.

output from /var/log/messages

Code:

Aug 25 00:40:55 transmission_1 openvpn[37067]: OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 25 2015
Aug 25 00:40:55 transmission_1 openvpn[37067]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Aug 25 00:40:55 transmission_1 openvpn[37067]: WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Aug 25 00:40:56 transmission_1 openvpn[37068]: UDPv4 link local: [undef]
Aug 25 00:40:56 transmission_1 openvpn[37068]: UDPv4 link remote: [AF_INET]179.43.176.162:1194
Aug 25 00:40:56 transmission_1 openvpn[37068]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 25 00:40:56 transmission_1 openvpn[37068]: [Private Internet Access] Peer Connection Initiated with [AF_INET]179.43.176.162:1194
Aug 25 00:40:58 transmission_1 openvpn[37068]: TUN/TAP device /dev/tun0 opened
Aug 25 00:40:58 transmission_1 openvpn[37068]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 25 00:40:58 transmission_1 openvpn[37068]: /sbin/ifconfig tun0 10.101.1.6 10.101.1.5 mtu 1500 netmask 255.255.255.255 up
Aug 25 00:40:58 transmission_1 openvpn[37068]: FreeBSD ifconfig failed: external program exited with error status: 1
Aug 25 00:40:58 transmission_1 openvpn[37068]: Exiting due to fatal error

I set it up the long manual way in the first post and it worked fine for a while and then after a reset it didn't. Now it won't work even if I create a new jail and try it in that, this time using the script.

I've set up another FreeNAS box just to try it out on a completely clean system and it works fine so I know my login details work and that the script works too.

Are there any other log files I can look up that may give an insight into what is going wrong?

As far as I'm aware I've not changed any network settings in my FreeNAS (FreeNAS-9.3-STABLE-201506292332) system but I'm not going to rule it out. Both network interface and plugin / jail settings of the FreeNAS boxes match.

Thanks in advance,

Dave

31/08/15 Update:

Well I discovered that this issue was in fact of my own doing; I had been also trying to set up a VPN server on the same machine so I could log onto my network remotely following this guide fairly loosely. I'm still not sure what has caused the problem as even without the jail with the server running, my client wouldn't connect. I don't know enough yet to say why, I'm sure it's obvious to some people but if I do learn I'll try and update again for anyone else that stumbles upon this at a later date.

 

[Bashern]

Great post! There is a typo on line 9 in your first code box, tsch should read tcsh.

Drives newbies wild :)

 

[srwyss]

Hi all,

wondering if someone might be able to give me some pointers where to look at fixing my openvpn issues.

output from /var/log/messages

Code:

Aug 25 00:40:55 transmission_1 openvpn[37067]: OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 25 2015
Aug 25 00:40:55 transmission_1 openvpn[37067]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Aug 25 00:40:55 transmission_1 openvpn[37067]: WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Aug 25 00:40:56 transmission_1 openvpn[37068]: UDPv4 link local: [undef]
Aug 25 00:40:56 transmission_1 openvpn[37068]: UDPv4 link remote: [AF_INET]179.43.176.162:1194
Aug 25 00:40:56 transmission_1 openvpn[37068]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Aug 25 00:40:56 transmission_1 openvpn[37068]: [Private Internet Access] Peer Connection Initiated with [AF_INET]179.43.176.162:1194
Aug 25 00:40:58 transmission_1 openvpn[37068]: TUN/TAP device /dev/tun0 opened
Aug 25 00:40:58 transmission_1 openvpn[37068]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Aug 25 00:40:58 transmission_1 openvpn[37068]: /sbin/ifconfig tun0 10.101.1.6 10.101.1.5 mtu 1500 netmask 255.255.255.255 up
Aug 25 00:40:58 transmission_1 openvpn[37068]: FreeBSD ifconfig failed: external program exited with error status: 1
Aug 25 00:40:58 transmission_1 openvpn[37068]: Exiting due to fatal error

I set it up the long manual way in the first post and it worked fine for a while and then after a reset it didn't. Now it won't work even if I create a new jail and try it in that, this time using the script.

I've set up another FreeNAS box just to try it out on a completely clean system and it works fine so I know my login details work and that the script works too.

Are there any other log files I can look up that may give an insight into what is going wrong?

As far as I'm aware I've not changed any network settings in my FreeNAS (FreeNAS-9.3-STABLE-201506292332) system but I'm not going to rule it out. Both network interface and plugin / jail settings of the FreeNAS boxes match.

Thanks in advance,

Dave

31/08/15 Update:

Well I discovered that this issue was in fact of my own doing; I had been also trying to set up a VPN server on the same machine so I could log onto my network remotely following this guide fairly loosely. I'm still not sure what has caused the problem as even without the jail with the server running, my client wouldn't connect. I don't know enough yet to say why, I'm sure it's obvious to some people but if I do learn I'll try and update again for anyone else that stumbles upon this at a later date.

Hi UK_Dave,

I am having exactly the same issue with FreeBSD ifconfig failed as shown in your post. And I also had tried to install a VPN on my freenas to allow me VPN access from outside. What did you do to solve the issue? I have deleted and recreated a jail multiple times gone through the whole process only to find the identical issue at the end.

Thanks in Advance
Steve

 

[tobylh]

Hey...

So I've used this a bunch of times to get OpenVPN working inside various jails, and it's worked like a charm.
I've been using the pia.sh script with no worries at all.

I've tried again today with a new jail, but for some reason I can't get it to work properly.
Here's the output of /var/log/messages

Code:

Sep 11 18:30:09 couchpotato_2 openvpn[73881]: OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Sep 11 2015
Sep 11 18:30:09 couchpotato_2 openvpn[73881]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Sep 11 18:30:09 couchpotato_2 openvpn[73881]: WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Sep 11 18:30:09 couchpotato_2 openvpn[73882]: UDPv4 link local: [undef]
Sep 11 18:30:09 couchpotato_2 openvpn[73882]: UDPv4 link remote: [AF_INET]179.43.155.226:119
Sep 11 18:30:09 couchpotato_2 openvpn[73882]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 11 18:30:10 couchpotato_2 openvpn[73882]: [Private Internet Access] Peer Connection Initiated with [AF_INET]179.43.155.226:1194
Sep 11 18:30:12 couchpotato_2 openvpn[73882]: TUN/TAP device /dev/tun0 opened
Sep 11 18:30:12 couchpotato_2 openvpn[73882]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sep 11 18:30:12 couchpotato_2 openvpn[73882]: /sbin/ifconfig tun0 10.193.1.6 10.193.1.5 mtu 1500 netmask 255.255.255.255 up
Sep 11 18:30:12 couchpotato_2 openvpn[73882]: FreeBSD ifconfig failed: external program exited with error status: 1
Sep 11 18:30:12 couchpotato_2 openvpn[73882]: Exiting due to fatal error

Seems to try to create the interface tun0, but I'm guessing when the /sbin/ifconfig command runs, it can't find tun0, so it fails.

I haz confusion.

Anyone got any ideas?

Thanks

 

[tobylh]

Oh. I see others have been having this issue. Guess I should read the whole thread...;)

 

[tobylh]

OK, so I've been having more of a look at this.
What seems weird is that within jails that I've already setup that I know OpenVPN is working, /var/log/messages is still chucking out the same error message.
So in my SickRage jail for example,

Code:

service openvpn status

says

Code:

openvpn is not running.

However, if I ping an IP that I know is blocked by my ISP, it works. The fact that SickRage is able to do it's thing also shows that it must be working.

I've tried pulling some bits out of the pia.sh script, namely these bits:

Code:

# Get initial IP address.
if ( -x "/usr/local/bin/wget" ) then
set IP0=`wget -qO- http://wtfismyip.com/text`
else if ( -x "/usr/local/bin/curl" ) then
set IP0=`curl http://wtfismyip.com/text`
else
return 0
exit 0
endif

# Start OpenVPN
/usr/sbin/service openvpn start
echo "Waiting 10 seconds for OpenVPN to spin up"
sleep 10

# Get the new IP address.
if ( -x "/usr/local/bin/wget" ) then
set IP1=`wget -qO- http://wtfismyip.com/text`
else if ( -x "/usr/local/bin/curl" ) then
set IP1=`curl http://wtfismyip.com/text`
else
return 0
exit 0
endif

# Compare and Contrast.
echo "If these are different, OpenVPN is working"
echo "Old IP: $IP0"
echo "New IP: $IP1"

If I save that as a new script and run it, it gives me the same two IP addresses, my public IP, which should mean that OpenVPN is not working. Still able to ping blocked IPs though.

What the actual fuck?