GUIDE: Setting up Transmission with OpenVPN and PIA

Scharbag (Guru, joined Feb 1, 2012, 620 messages)
Just wondering if anyone has had any luck with this? This is the only thing that is keeping me from upgrading to FreeNAS 11.2.
 

AfroUSA (Dabbler, joined Mar 27, 2017, 28 messages)

For the problem "How do you install sha256sum and shasum on an iocage jail?" the answer is:
Code:
pkg install -y p5-Digest-SHA

For port forwarding I have changed in my portforward.sh
Code:
tunnel_adapter=`ifconfig | grep "tun" | cut -d ":" -f1`

to
Code:
tunnel_adapter=`ifconfig | grep "tun0" | cut -d ":" -f1`


As per advice of nathank1989, I have chosen PIA VPN Server with ability of providing port forwarding [you need to try which one will work for you].
 

drinking12many (Contributor, joined Apr 8, 2012, 148 messages)
I got mine working with PIA and Openvpn on a transmission jail. It took some experimentation using mostly the 11.1 guide but I got it.

IPFW List file

Code:
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun1

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun1"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 192.168.1.0/24 uid transmission
$cmd 00102 allow all from 192.168.1.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission


Openvpn.conf

Code:
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-nocache
auth-user-pass /usr/local/etc/openvpn/pass.txt
# use either these two file paths or the inline <ca>/<crl-verify> blocks below, not both
ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn/crl.pem

compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----
CRL
-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
CA CERT
-----END CERTIFICATE-----
</ca>

disable-occ


and I used the guide for 11.1 as a baseline for it all. I enabled the TUN inside the GUI interface and rebooted as instructed as well.
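As an added example that is not code from this thread or from the 11.1 guide: a small audit script that reads `ipfw list` output and reports whether a rule set like the one above still confines the transmission user to the loopback, the tunnel and the LAN. It assumes the interface name and LAN prefix used in the post (tun1, 192.168.1.0/24) and the `ipfw list` line format shown in its constructed sample listings.

```shell
#!/bin/sh
# Added example (not from this thread): audit `ipfw list` output and confirm that
# the "transmission" uid can only talk over lo0, the VPN tunnel and the LAN.
# Usage inside the jail:  ipfw list | killswitch_ok tun1 192.168.1.0/24

# killswitch_ok VPN_IF LAN_CIDR   (reads `ipfw list` output on stdin)
# Returns 0 when a catch-all "deny ... uid transmission" rule exists and every
# "allow" rule ahead of it that could match the transmission user is scoped to
# lo0, the VPN interface or the LAN. ipfw stops at the first match, so an allow
# placed after that deny can no longer apply to transmission and is only counted.
killswitch_ok() {
  awk -v vpn="$1" -v lan="$2" '
    $2 == "deny" && / uid transmission/ { seen_deny = 1; next }
    $2 == "allow" && seen_deny          { later++; next }
    $2 == "allow" {
      if ($0 ~ / uid / && $0 !~ / uid transmission/) next       # another user
      if ($0 ~ / via lo0$/ || $0 ~ (" via " vpn "$")) next      # loopback/tunnel only
      if (index($0, lan) && $0 ~ / uid transmission/) next      # LAN only
      print "kill switch leak: " $0 > "/dev/stderr"; leaks++
    }
    END {
      if (!seen_deny) print "no deny rule for uid transmission" > "/dev/stderr"
      if (later) print later " allow rule(s) sit after the deny and cannot apply to transmission" > "/dev/stderr"
      exit (seen_deny && !leaks) ? 0 : 1
    }'
}

# Constructed listings in `ipfw list` format (ipfw prints "allow all" as "allow ip").
# The rule set from the post above:
RULES_OK='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun1
00101 allow ip from me to 192.168.1.0/24 uid transmission
00102 allow ip from 192.168.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 deny ip from any to any'
# Same set with a blanket allow slipped in ahead of the deny: torrent traffic can bypass the VPN.
RULES_LEAK='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun1
00050 allow ip from any to any
00103 deny ip from any to any uid transmission
65535 deny ip from any to any'
# Rule 00103 forgotten on an accept-by-default firewall: nothing stops transmission once the tunnel drops.
RULES_NODENY='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun1
65535 allow ip from any to any'

report() {  # report LABEL RULES
  if printf '%s\n' "$2" | killswitch_ok tun1 192.168.1.0/24; then
    echo "$1: transmission confined to lo0, tun1 and the LAN"
  else
    echo "$1: NOT confined"
  fi
}
report RULES_OK "$RULES_OK"
report RULES_LEAK "$RULES_LEAK"
report RULES_NODENY "$RULES_NODENY"
```

Run it from cron or after editing the rules file; a non-zero exit means the kill switch no longer holds.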
 

Bageland2000 (Dabbler, joined Aug 24, 2014, 48 messages)
Cool, thanks, I'll take a look at this. Going to use this as an opportunity to learn, but I think it might be a bit above my level.
 

Mara (Dabbler, joined Jan 14, 2017, 48 messages)
Hi,

How can I configure this if I have a provider other than "privateinternetaccess"? I have PrivateVPN.


thx
 

Brad1976 (Dabbler, joined Mar 31, 2015, 40 messages)
As there have been no responses as of yet, I am updating this post with some progress that I've made today...


My success so far:

- I am currently running FreeNAS 11.2-U6 and the jail is an iocage 11.2-RELEASE.
- All packages are the latest as per pkg update and upgrade, and the FreeBSD.conf file is set for the "latest" (not quarterly or annually or whatever the heck the default was...)
- Transmission is running great through PIA & openvpn and using the Switzerland 2048 crt and pem files for the installation
- Using ipMagnet I can confirm that the IP address is different from my ISP's WAN address.
- Using my ipfw rules I can confirm that when I manually stop the openvpn service, Transmission slowly dies down (over about two or three minutes) and no further data flows until I restart the openvpn service.
- When I remote into my backup server (which just happens to be a Windows 10 OS) I am able to successfully fire up the Transmission Remote GUI, so I know it successfully connects on the local LAN.
- My transmission-port-forward.sh script properly creates the port and updates the transmission-remote. I have also got it writing the openvpn WAN IP (the address for the tun0 device) into a log file every time it runs and updates the transmission-remote. (Instead of filling up my jail with useless data, it only writes to the file when it has updated the transmission-remote file.)

Here are the source code files I'm working with:

transmission-port-forward.sh:
Code:
#!/usr/bin/env bash
#
# Enable port forwarding when using Private Internet Access
# install the following in order to run
#  - pkg install curl
#  - pkg install bash
#  - pkg install jq
#  - pkg install -y p5-Digest-SHA
# 
# Usage:
#  /usr/local/etc/openvpn/transmission-port-forward.sh

#Declare the variables for the script
#(the Transmission RPC credentials sit here in clear text, so keep this file readable by root only)
TRANSUSER=myuserid
TRANSPASS=mypassword
TRANSHOST=192.168.2.xxx

error( )
{
  echo "$@" 1>&2
  exit 1
}

error_and_usage( )
{
  echo "$@" 1>&2
  usage_and_exit 1
}

usage( )
{
  echo "Usage: `dirname $0`/$PROGRAM"
}

usage_and_exit( )
{
  usage
  exit $1
}

version( )
{
  echo "$PROGRAM version $VERSION"
}


port_forward_assignment( )
{
  #Loading port forward assignment information
  if [ "$(uname)" == "Linux" ]; then
    client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
  fi
  if [ "$(uname)" == "FreeBSD" ]; then
       client_id=`head -n 100 /dev/urandom | shasum -a 256 | tr -d " -"`
  fi

  #Retrieve port information
  json=`curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`
  
  #What to do if port forward is already active or if connection has failed
  if [ "$json" == "" ]; then
    
    #Write to the log file as follows
    #Uncomment this line for troubleshooting while working on stuff as needed.....
    #echo As of $(date) port forwarding is already activated on the connection or has expired. Restart the jail... >> /usr/local/etc/openvpn/transmission-port-forward.log 2>&1
    
    exit 0
  fi

  #Show the returned port number
  echo server returned "$json"
 
   #trim VPN forwarded port from JSON
    PORT=$(echo $json | awk 'BEGIN{r=1;FS="[{}\":]+"} /port/{r=0; print $3} END{exit r}')
    echo if successful, trimmed port is:"$PORT"

    #Get the openvpn WAN IP Address
    OPENVPNIP=`curl "ifconfig.me" 2>/dev/null`
    #json=`curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`

    #write the port number to a log file
    echo As of $(date) the transmission-remote access is "$OPENVPNIP:$PORT" >> /usr/local/etc/openvpn/transmission-port-forward.log 2>&1
    
    #change transmission port on the fly
    transmission-remote $TRANSHOST --auth $TRANSUSER:$TRANSPASS -p "$PORT"
    echo remember to run no longer than 2 mins after reconnecting/connecting to vpn server.
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=2.1

while test $# -gt 0
do
  case $1 in
  --usage | --help | -h )
    usage_and_exit 0
    ;;
  --version | -v )
    version
    exit 0
    ;;
  *)
    error_and_usage "Unrecognized option: $1"
    ;;
  esac
  shift
done

port_forward_assignment

exit 0


ipfw.rules
Code:
#!/bin/bash
#####################################################################################
#   Enter the following rules, replacing "tun0" with your VPN tunnel. Also replace
#   the "192.168.2.1/24" entries below with your LAN network and subnet.
#   (rc runs firewall_script with /bin/sh; the shebang only matters when run by hand)
#####################################################################################
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 192.168.2.1/24 uid transmission
$cmd 00102 allow all from 192.168.2.1/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission


rc.conf
Code:
host_hostname="Transmission"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"
transmission_enable="YES"

#OpenVPN enable and configuration
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

# Firewall
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"


crontab:
Code:
# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: releng/11.2/etc/crontab 194170 2009-06-14 06:37:19Z brian $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
#
#minute    hour    mday    month    wday    who    command
#
*/5    *    *    *    *    root    /usr/libexec/atrun
#
# Save some entropy so that /dev/random can re-seed on boot.
*/11    *    *    *    *    operator /usr/libexec/save-entropy
#
# Rotate log files every hour, if necessary.
0    *    *    *    *    root    newsyslog
#
# Perform daily/weekly/monthly maintenance.
1    3    *    *    *    root    periodic daily
15    4    *    *    6    root    periodic weekly
30    5    1    *    *    root    periodic monthly
#
# Adjust the time zone if the CMOS clock keeps local time, as opposed to
# UTC time.  See adjkerntz(8) for details.
1,31    0-5    *    *    *    root    adjkerntz -a
#
# Generate the port forward for openvpn and update Transmission Remote
*/2    *    *    *    *    root    /usr/local/bin/bash /usr/local/etc/openvpn/transmission-port-forward.sh >> /usr/local/etc/openvpn/transmission-port-forward-cron.log 2>&1


transmission's settings.json file:
Code:
{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "blocklist-url": "http://www.example.com/blocklist",
    "cache-size-mb": 4,
    "dht-enabled": true,
    "download-dir": "/media/Downloads/03 - Completed",
    "download-queue-enabled": true,
    "download-queue-size": 20,
    "encryption": 1,
    "idle-seeding-limit": 5,
    "idle-seeding-limit-enabled": true,
    "incomplete-dir": "/media/Downloads/02 - In Progress",
    "incomplete-dir-enabled": true,
    "lpd-enabled": false,
    "message-level": 2,
    "peer-congestion-algorithm": "",
    "peer-id-ttl-hours": 6,
    "peer-limit-global": 200,
    "peer-limit-per-torrent": 50,
    "peer-port": 26916,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "peer-socket-tos": "default",
    "pex-enabled": true,
    "pidfile": "/var/run/transmission/daemon.pid",
    "port-forwarding-enabled": true,
    "preallocation": 1,
    "prefetch-enabled": true,
    "queue-stalled-enabled": true,
    "queue-stalled-minutes": 30,
    "ratio-limit": 0,
    "ratio-limit-enabled": true,
    "rename-partial-files": true,
    "rpc-authentication-required": true,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-host-whitelist": "",
    "rpc-host-whitelist-enabled": false,
    "rpc-password": "mypassword",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "transmission",
    "rpc-whitelist": "127.0.0.1",
    "rpc-whitelist-enabled": false,
    "scrape-paused-torrents-enabled": true,
    "script-torrent-done-enabled": false,
    "script-torrent-done-filename": "",
    "seed-queue-enabled": false,
    "seed-queue-size": 10,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 1,
    "speed-limit-up-enabled": true,
    "start-added-torrents": true,
    "trash-original-torrent-files": false,
    "umask": 18,
    "upload-slots-per-torrent": 14,
    "utp-enabled": true,
    "watch-dir": "/media/Downloads/01 - Manual",
    "watch-dir-enabled": true
}


And getting to the point...

Problem 1 - Port Forwarding Script Writing To A Log: -> SOLVED

Problem 2 - Port number log... can it be done? -> SOLVED

Problem 3 - Transmission Remote GUI not connecting from outside my local LAN

When not at home, I use Transmission Remote GUI on my laptop. When I check out my log for the latest tun0 IP address and port number and use them within the Transmission Remote GUI, I am getting the message "Unexpected Server Response" message returned and I am not able to connect. Also, when I remote into another Windoze 10 computer on my LAN, I am able to run the Transmission Remote GUI on that computer, which connects to transmission with no issues at all, using the local LAN IP for my transmission iocage jail.

1. Can someone please confirm if I'm supposed to be using the PIA WAN IP and the script generated port, or should I still be using something else?
2. Since I am using the PIA 2048 encryption crt and pem files, do I somehow need to add a certificate to my Windows 10 laptop, or Transmission Remote GUI configuration somewhere, in order for it to connect through the VPN port?
3. Or, as an alternative altogether, would it be better to just set up another reverse proxy jail, run something like nginx combined with a no-ip service and see if I can somehow get my laptop to communicate with my transmission jail as if it was on the local network? *shrug*
4. Or is the problem more simple and located within the ipfw.rules file? (Truthfully, this is where my gut says it is, but I'm not experienced enough with firewall configurations to know...)


If interested, once done I will gladly post my installation procedure from start to finish in a very organized and concise way for the latest FreeNAS 11.2-U# at the time... Thanks again in advance to everyone here!!!!! :)
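An added example, not part of Brad1976's script: a stricter way to take the port out of the PIA reply before transmission-remote is called. The awk one-liner in the script above leaves PORT empty on an error or malformed reply and the script then runs transmission-remote with an empty port; these helpers refuse instead. The JSON replies are constructed to match the shape the script's curl call expects, and 51413 stands in for the daemon's current peer port.

```shell
#!/bin/sh
# Added example (not Brad1976's script): extract the forwarded port from the PIA
# reply and validate it before it is handed to transmission-remote.

# pia_port JSON  -> prints the port, returns 1 when the reply carries no usable one
pia_port() {
  # Accept only a "port" member whose value is a bare integer.
  port=$(printf '%s' "$1" | sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  if [ -z "$port" ]; then
    echo "no forwarded port in reply: $1" >&2
    return 1
  fi
  # PIA assigns an unprivileged port; anything outside 1024-65535 is garbage.
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "port $port out of range" >&2
    return 1
  fi
  printf '%s\n' "$port"
}

# next_port JSON CURRENT -> prints the port to push to transmission-remote, or
# "unchanged" so the every-two-minutes cron run leaves the daemon alone.
next_port() {
  new=$(pia_port "$1") || return 1
  if [ "$new" = "$2" ]; then
    echo unchanged
  else
    printf '%s\n' "$new"
  fi
}

# Constructed replies in the shape the script's curl call receives.
REPLY_OK='{"port":26916}'
REPLY_ERR='{"error":"port forwarding already activated on this connection"}'
REPLY_JUNK='{"port":"abc"}'

# Demo: 51413 stands in for the port transmission currently listens on.
for reply in "$REPLY_OK" "$REPLY_ERR" "$REPLY_JUNK"; do
  if p=$(next_port "$reply" 51413); then
    echo "$reply -> $p"
    # a live run would continue with:
    # transmission-remote "$TRANSHOST" --auth "$TRANSUSER:$TRANSPASS" -p "$p"
  else
    echo "$reply -> refused, transmission left untouched"
  fi
done
```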
 

Supa (Patron, joined Jan 10, 2014, 204 messages)
fixed
 


Aizawa (Cadet, joined Jul 20, 2016, 6 messages)
Following these guides:

- https://www.ixsystems.com/community...-transmission-openvpn-pia-ipfw-tvnamer.72523/
- https://github.com/danjacques/freenasdocs/blob/master/guides/vpn-client-jail.md

Pretty much got all the way through with the first one but openvpn won't start. (says .conf file is not readable)


RC.conf file:


openvpn.conf file

https://i.imgur.com/hyP46un.png (I put my username/pass in pass.txt)

/usr/local/etc --> https://i.imgur.com/nT9SvOG.png
Looks like openvpn.conf is in the wrong directory. Create openvpn in etc and move the conf to there.
 

Supa (Patron, joined Jan 10, 2014, 204 messages)
yeah sorry i fixed it.

It's working but downloads are REALLY slow. Is it because the TCP port is closed? Torrent is downloading at less than 30kb/sec.

How do you forward the port needed for Transmission through the VPN (PIA)?
 

pclausen (Patron, joined Apr 19, 2015, 267 messages)
Does this work if your service provider is using Carrier-Grade NAT?
 

alwu (Dabbler, joined Jan 24, 2018, 36 messages)
i finally upgraded from 11.1-U6 to 11.2-U7 and this guide still works. however, i did a few minor things differently.

when installing the transmission plugin, i enabled these advanced options: auto start(optional), allow_raw_sockets, and allow_tun. allow_tun is needed in order for openvpn to create a tunnel interface. i don't know if allow_raw_sockets is really needed.

instead of sshing into freenas and jexecing into the jail, you need to open up a jail shell via the gui or ssh into the jail.

before running the pkg commands, the freebsd pkg repo needs to be enabled. details here.

instead of creating /etc/rc.conf.d/openvpn, i used sysrc commands to add the openvpn enable and configfile lines to /etc/rc.conf. either way works.

instead of downloading openvpn.zip from private internet access, i downloaded openvpn-strong.zip. the difference is openvpn-strong uses 256bit encryption. more details here. the ca.rsa and crl.rsa files in that zip have 4096 in the name instead of 2048.

since pass.txt stores user and password information in plain text, i made it owner read-only. it's not much of a security measure, but hey, why not? i also added these lines to /usr/local/etc/openvpn.conf. more details here and here.

Code:
auth-nocache
pull-filter ignore "auth-token"

ipfw.rules is a bash script, but bash might not be installed in the transmission plugin jail. to check, in a jail shell, type "which bash". if it returns a path, check to make sure it matches the path for bash in the first line of the script, #!/bin/bash. if it doesn't match, change the first line of the script to the correct location for bash. if bash isn't installed, then you need to do "pkg install bash" to get it. then do a "which bash" to see where bash got installed and update ipfw.rules accordingly.

everything else in the guide still works.

also, this guide works for the qbittorrent plugin too. the only thing to do differently is to replace transmission with qbittorrent in /etc/ipfw.rules. i imagine the same will apply to deluge, but i haven't tried it.
 

ghostwolf59 (Contributor, joined Mar 2, 2013, 165 messages)
Hi,
I still struggle with transmission and port forwarding being closed :(
Successfully used brad1976's transmission-port-forward.sh, which successfully picks up the port and updates transmission
But the port still remains closed :(
Using PIA and my vpn is configured on router level.
Tunnel is up and connected to one of PIA servers supporting port forwarding.

Do I need to configure the port reported back by the shell script on the router as well or...?

Can't get my head around this and it's starting to annoy me.
 

emk2203 (Guru, joined Nov 11, 2012, 573 messages)
Yes. You need to forward this port on the router. You can either forward this port to the same port on FreeNAS or forward the port to the standard Transmission peer port, which is 51413, and keep the port always the same on FreeNAS and Transmission.
 

ghostwolf59 (Contributor, joined Mar 2, 2013, 165 messages)
Hey,
The way PIA works does not really allow me to nominate the open port on the router. Each port change on router level results in a reset of the service, that now returns a new random port from PIA via the port polling script.

So finally decided to revert to jail controlled VPN that in combination of dynamically picking up PIA's open port in between connections works perfectly.
Used this setup *apart from the port script*, but then reverted to controlling this on the router, that clearly creates another layer that breaks the idea.

Ok with this, but makes it sort of more difficult to change tunnel

But solved and happy with transmission

Haven't noticed any other similar issues with Jackett, Radarr or Sonarr though *other than some RSS feeds throwing the dummy - in particular KickAssTorrent, which throws errors persistently :(
 

matclou (Dabbler, joined Feb 15, 2020, 33 messages)
Hello! I just tried to follow this instruction (https://blog.shines.me.uk/freenas-11-3-setting-openvpn-server-jail/) but failed with creating a GoogleAuth Token. The command is:

root@openvpn_jail: / # su -m gauth -c "google-authenticator -t -d -r3 -R30 -f -s /usr/local/etc/openvpn/google-authenticator/<userid> -l \"OpenVPN Login\" "

It just says "Unmatched '"' -any ideas? In the instruction it is noted that there might be problems with quotes, but there is no solution to handle it. Also it says I have to be sure that "ensure that the /usr/local/etc/openvpn/google-authenticate has r-x for your root id to be able to write. " - how can I do that?

Sorry, these are surely beginner's questions - but I guess following these instructions step by step without any deeper knowledge is quite sensitive to errors :confused:
 