How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
There isn't a file that exists with this name :/
You're right. That must have been an old FreeNAS version. I apparently only edited /etc/rc.conf and it works.

The major change I made was to use firewall_script="" instead of firewall_type, and I made a couple of modifications to my ip.fw file, and now ipfw list gives me some good stuff, but the Google ping test STILL does not work!!! Can anyone please help shed some light on this?
If you're not using the same rules and setup as the original post, you can't expect that everything will behave the same, such as his ping test. The key thing is, does transmission stop communicating when the vpn is off -- that is the real test.

In my case, I can ping google (as root@transmission) with openvpn on or off, but when it's off, transmission loses connectivity. I test this by turning torrents off and then back on - they can't connect. Also when I test the port, I get "http error 0: no response".
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
You're right. That must have been an old FreeNAS version. I apparently only edited /etc/rc.conf and it works.


If you're not using the same rules and setup as the original post, you can't expect that everything will behave the same, such as his ping test. The key thing is, does transmission stop communicating when the vpn is off -- that is the real test.

In my case, I can ping google (as root@transmission) with openvpn on or off, but when it's off, transmission loses connectivity. I test this by turning torrents off and then back on - they can't connect. Also when I test the port, I get "http error 0: no response".

Great!! I got it working :D Thanks!

Now... Anyone know how to get a little more advanced and use PIA's port forwarding feature? xD
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Yes, it's thoroughly discussed in the other thread you've been posting in, but this is the key post on page 10 by @Nodja
https://forums.freenas.org/index.ph...ith-openvpn-and-pia.24566/page-10#post-248580

I hardcoded my PIA user, password, and client ID in the script, it makes it simpler.
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
Awesome, thanks! :D

I've added it as a cron job in the crontab on the transmission jail itself:

0,30 * * * * /scripts/vpnPort.sh

I noticed you discussing running cron on the actual FreeNAS. Is it OK to do it either way?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Is it ok to do it either way?
I don't see why not. As long as it works. It's just easier to use the GUI for the cron-challenged like me.
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
Hello,

I have set up openvpn and the firewall rules without much issue, but now I am blocked.

The rules in the ipfw_rules file have been set up as defined below:
Code:
# Anything that travels through the VPN tunnel is allowed, whoever owns the socket
add 00010 allow ip from any to any via tun0

# The transmission user may still talk to the LAN outside the tunnel (web UI, RPC)
add 00101 allow ip from me to 192.168.0.0/24 uid transmission
add 00102 allow ip from 192.168.0.0/24 to me uid transmission
# Everything else owned by transmission is dropped, so nothing leaks while tun0 is down
add 00103 deny ip from any to any uid transmission

# Other users in the jail (root, the openvpn process itself) are unrestricted
add 65534 allow all from any to any


The rc.conf file has been edited and those lines have been added:
Code:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
cloned_interfaces="tun"
firewall_enable="YES"
firewall_type="/media/ipfw_rules"


And this is what is showing on my screen when I start openvpn and ipfw:
Code:
root@transmission_2:/ # /etc/rc.d/ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
00010 allow ip from any to any via tun0
00101 allow ip from me to 192.168.0.0/24 uid transmission
00102 allow ip from 192.168.0.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65534 allow ip from any to any
Firewall rules loaded.
root@transmission_2:/ # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
root@transmission_2:/ # ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure
root@transmission_2:/ #


The ping is not resolved. When I add a torrent to transmission from the web UI, it cannot connect to the tracker either.

Did I miss anything in the firewall rules setup?
I have the latest stable version of FreeNAS: 9.3. The server has the following IP in my LAN: 192.168.0.33. The transmission jail: 192.168.0.101.
Should I write the actual transmission uid (1006 in my case) instead of "me uid transmission"?

Thank you!
Ludo
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I'm no expert, but . . . My rules are almost identical to yours, and the difference I don't think is important. But in rc.conf you have two lines I don't. I don't know what they do. I don't have openvpn_if="tun" or cloned_interfaces="tun". You might try commenting those out and restarting the jail.

But the question is, does transmission work through openvpn?
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
Why wouldn't it be enough to do something like

#allow anything via openvpn
add 01000 allow ip from any to any via tun0
# but deny anything from transmission that hasn't already been allowed (e.g., via tun0)
add 02000 deny ip from any to any uid transmission

?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Why wouldn't it be enough to do something like
#allow anything via openvpn
add 01000 allow ip from any to any via tun0
# but deny anything from transmission that hasn't already been allowed (e.g., via tun0)
add 02000 deny ip from any to any uid transmission
?
That's exactly what LudoB has. The additional 2 rules in between allow you to communicate with the jail on the local network.
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
That's exactly what LudoB has.
Well, ok, but I'd think that everything else is superfluous. What's important is to require that transmission only communicate via the tunnel, and anything else can do anything (65535 allow ip from any to any).
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Well, ok, but I'd think that everything else is superfluous. What's important is to require that transmission only communicate via the tunnel, and anything else can do anything (65535 allow ip from any to any).
I could be wrong, but I don't think that would allow you to communicate with transmission if openvpn (and thus tun0) is down. Try it! I have the middle rules as follows, specifying epair*
Code:
add 00101 allow all from me to 192.168.0.0/24 via epair* uid tranny
add 00102 allow all from 192.168.0.0/24 to me via epair* uid tranny
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
I could be wrong, but I don't think that would allow you to communicate with transmission if openvpn (and thus tun0) is down. Try it! I have the middle rules as follows, specifying epair*
Ah, ok, I see what you're saying -- transmission DOES need to be able to communicate with other machines on your local network, not via tun0.

In which case, why do you need to limit it to epair*?
Code:
add 00101 allow all from me to 192.168.0.0/16
add 00102 allow all from 192.168.0.0/16 to me
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Ah, ok, I see what you're saying -- transmission DOES need to be able to communicate with other machines on your local network, not via tun0.

In which case, why do you need to limit it to epair*?
Maybe that is unnecessary.
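To make the ordering argument in the last few posts concrete, here is an added Python model of ipfw's first-match evaluation. It is example code written for this page, not code from the thread, from FreeBSD's ipfw or from FreeNAS, and it understands only the keywords the posted rules use (allow/deny, ip/all, any/me/CIDR, "via IFACE" including the "epair*" prefix form, "uid NAME"). The jail address 192.168.0.101 is taken from LudoB's post; the tun0 address 10.8.0.6, the LAN client 192.168.0.20, the tracker 203.0.113.10 and the resolver 192.168.0.1 are made up for the example. It runs LudoB's five rules and adamgoldberg's two-rule set against the same packets and reports what each would do.

```python
"""Added example for this thread (not code from the thread, from FreeBSD's ipfw
or from FreeNAS): a small model of ipfw first-match evaluation, limited to the
keywords the posted rules use (allow/deny, ip/all, any/me/CIDR, 'via IFACE'
with a trailing '*', 'uid NAME'). 192.168.0.101 is the jail address from the
thread; every other address and the tun0 address 10.8.0.6 are made up."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?:ip|all)\s+"
    r"from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?(?:\s+uid\s+(?P<uid>\S+))?\s*$")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str           # interface the packet crosses, inbound or outbound
    uid: Optional[str]   # owner of the local socket, None if there is none

def _addr_match(spec, addr, my_addrs):
    if spec == "any":
        return True
    if spec == "me":     # 'me' is any address configured on the host (the jail)
        return addr in my_addrs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _iface_match(spec, iface):
    if spec.endswith("*"):   # ipfw treats 'via epair*' as a name-prefix wildcard
        return iface.startswith(spec[:-1])
    return iface == spec

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # '#' comments are ignored, as in ipfw files
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError("unsupported rule syntax: " + line)
        rules.append({**m.groupdict(), "num": int(m.group("num"))})
    # ipfw walks rules by ascending number, not by the order they were added
    return sorted(rules, key=lambda r: r["num"])

def evaluate(rules, pkt, my_addrs):
    """Return (rule number, action) of the first match; the implicit default
    rule 65535 denies if nothing matches (neither set below gets that far)."""
    for r in rules:
        if not _addr_match(r["src"], pkt.src, my_addrs):
            continue
        if not _addr_match(r["dst"], pkt.dst, my_addrs):
            continue
        if r["via"] is not None and not _iface_match(r["via"], pkt.iface):
            continue
        if r["uid"] is not None and r["uid"] != pkt.uid:
            continue
        return r["num"], r["action"]
    return 65535, "deny"

LUDOB_RULES = """
add 00010 allow ip from any to any via tun0
add 00101 allow ip from me to 192.168.0.0/24 uid transmission
add 00102 allow ip from 192.168.0.0/24 to me uid transmission
add 00103 deny ip from any to any uid transmission
add 65534 allow all from any to any
"""
TWO_RULE_SET = """
add 01000 allow ip from any to any via tun0
add 02000 deny ip from any to any uid transmission
add 65534 allow all from any to any
"""
MY_ADDRS = {"192.168.0.101", "10.8.0.6"}   # jail LAN address (thread), tun0 address (assumed)
CASES = {
    # VPN down: transmission reaches for a tracker straight out of epair0b
    "tx_direct_out": Packet("192.168.0.101", "203.0.113.10", "epair0b", "transmission"),
    # VPN up: same tracker, but the packet leaves through tun0
    "tx_via_tun": Packet("10.8.0.6", "203.0.113.10", "tun0", "transmission"),
    # LAN browser connecting to the web UI; the listening socket is transmission's
    "lan_to_webui": Packet("192.168.0.20", "192.168.0.101", "epair0b", "transmission"),
    # root in the jail pinging out while the VPN is down
    "root_direct_out": Packet("192.168.0.101", "8.8.8.8", "epair0b", "root"),
    # transmission's own DNS query to a resolver on the LAN, VPN down
    "tx_lan_dns": Packet("192.168.0.101", "192.168.0.1", "epair0b", "transmission"),
}

def decisions(rule_text):
    """Map each case name to the allow/deny verdict the given rule file gives it."""
    rules = parse_rules(rule_text)
    return {name: evaluate(rules, pkt, MY_ADDRS)[1] for name, pkt in CASES.items()}

if __name__ == "__main__":
    for label, text in (("LudoB's rules", LUDOB_RULES), ("two-rule set", TWO_RULE_SET)):
        print(label, decisions(text))
```

The lan_to_webui row is the point Glorious1 made: with only the tun0 allow and the uid deny, a connection from a LAN browser to the web UI is owned by the transmission user and never crosses tun0, so the two-rule set drops it whenever the VPN is down, while rules 101/102 let it through. The tx_lan_dns row is the flip side of those two LAN rules: a transmission-owned DNS query to a resolver inside 192.168.0.0/24 is also allowed outside the tunnel, so if the jail's resolv.conf points at a LAN resolver, name lookups are not covered by the kill switch even though tracker and peer traffic is. Using a resolver that is only reachable through tun0, or adding a deny for port 53 from uid transmission numbered below 101, closes that gap.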
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
I'm no expert, but . . . My rules are almost identical to yours, and the difference I don't think is important. But in rc.conf you have two lines I don't. I don't know what they do. I don't have openvpn_if="tun" or cloned_interfaces="tun". You might try commenting those out and restarting the jail.

But the question is, does transmission work through openvpn?

Thank you for your replies Glorious1 and adamgoldberg!

I added those 2 lines of text below otherwise tun0 will not be displayed when I launch the command ifconfig.
Code:
openvpn_if="tun"
cloned_interfaces="tun"


Now it is being displayed:
Code:
root@transmission_2:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
      options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:3b:7f:00:09:0b
        inet 192.168.0.101 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=9<PERFORMNUD,IFDISABLED>
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
adamgoldberg said:
Ah, ok, I see what you're saying -- transmission DOES need to be able to communicate with other machines on your local network, not via tun0.

In which case, why do you need to limit it to epair*?
Maybe that is unnecessary.

I have updated the rules as follows:
Code:
add 00010 allow ip from any to any via tun0
add 00101 allow all from me to 192.168.0.0/24 via epair* uid transmission
add 00102 allow all from 192.168.0.0/24 to me via epair* uid transmission
add 00103 deny ip from any to any uid transmission
# 65535 is the reserved default rule and cannot be added; 65534 is the number the loaded list shows
add 65534 allow all from any to any

and also without "via epair*".

But the result is very similar to what I had previously:
Code:
root@transmission_2:/media # /etc/rc.d/ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
00010 allow ip from any to any via tun0
00101 allow ip from me to 192.168.0.0/24 via epair* uid transmission
00102 allow ip from 192.168.0.0/24 to me via epair* uid transmission
00103 deny ip from any to any uid transmission
65534 allow ip from any to any
Firewall rules loaded.
root@transmission_2:/media # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
root@transmission_2:/media # ping www.google.com
ping: cannot resolve www.google.com: Host name lookup failure


Actually I noticed that even if I don't start ipfw but just openvpn, I have the same error: host name lookup failure.

I also noticed it has to do with the rights set up for this jail. When I put the default user rights root:wheel it works; as soon as I change it I cannot ping Google anymore.

Any ideas why?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I added those 2 lines of text below otherwise tun0 will not be displayed when I launch the command ifconfig.
Strange, my tun0 shows in the ifconfig output without adding those lines to rc.conf.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I have updated the rules as follow:
I also noticed it has to do with the rights set up for this jail. When put the default user rights root:wheel it works as soon as I change it I can not ping google anymore.

Any ideas why?
Not sure, but I think you're on the right track here. My transmission jail dataset is owned by root:wheel. I'm not sure why you want to change it, but I guess it has something to do with the storage issue - accessing the storage from both sides? If so, this is I think what I did. It basically gives the transmission user the same user ID (number) as your user in FreeNAS. That way there are no ownership problems. This is partly from https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/:
Code:
# In the jail, add a user with a matching UID as the owner of the 
# dataset/folders in the main FreeNAS.  I created a user in the jail named tranny
pw useradd -n tranny -u 1001 -d /nonexistent -s /usr/sbin/nologin

# In the jail, change the user the plugin runs as, and change ownership of the data-directory.
service transmission stop
chown -R tranny:tranny /usr/pbi/transmission-amd64/etc/transmission/home
sysrc 'transmission_user=tranny'
service transmission start
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
Hi Glorious1,

I have deleted my previous transmission user (uid 1006) and group (gid 1006) and created a new one with uid and gid equal to 921.
Then I launch the command:
Code:
chown -R transmission:transmission /usr/pbi/transmission-amd64/etc/transmission/home

I checked this folder is now owned by transmission user and group. I restarted the jail since the service did not want to stop and now I am getting a new error when starting openvpn:
Code:
root@transmission_2:/ # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
Shared object "liblzo2.so.2" not found, required by "openvpn"

I think my issue is more linked to user rights than firewall rules or openvpn. Now also when adding a torrent i get a permission error. I will check again tonight and keep you posted.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Sorry, I don't know how changing the transmission userid would cause that error, and I hope someone who understands this stuff better will jump in to help. I'm not sure it made the difference, but in my case I left the original "transmission" user intact, and created a new one with a different name/number to own the transmission home (and also the /media folder by the way).
 

adamgoldberg

Explorer
Joined
Dec 12, 2015
Messages
60
With ipfw and openvpn up & running, can you ping 8.8.8.8 (a Google DNS server)?

That is, is the problem related to DNS lookup, or is it related to connectivity to the internet?

If you can ping 8.8.8.8, try 'traceroute 8.8.8.8' and see how you're getting there (via the openvpn tunnel, or outside of it).
 