How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
Hi Glorious1 and adamgoldberg! Thank you for sharing your advice.

Glorious, actually I did not have any transmission user set up. At least I did not see any in the Admin UI.

At the moment openvpn is not starting as I have the following error: Shared object "liblzo2.so.2" not found, required by "openvpn". So I have tried to ping 8.8.8.8 without ipfw and openvpn running and it works fine.

I found this post in which a FreeNAS user was having the same error. As recommended, I set access rights 777 on the folder /usr/local/lib, but I still get the error; I also ran ldconfig, but I still get the same error when starting openvpn. I restarted the jail and still get the same error.

I am thinking to delete the jail and start over with the installation of transmission and openvpn...
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
> I am thinking to delete the jail and start over with the installation of transmission and openvpn...
Exactly what I was thinking when I was reading your message. Something got mysteriously borked. Let us know how it goes.
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
hi Glorious,

I deleted the jail and the configuration associated with transmission and restarted the FreeNAS server. Then I installed transmission again via the Web UI (plugins), added the storage and IP configuration, and went over the tutorial on page 1 of this thread. Everything went smoothly.
I can ping google.com with openvpn and... also after stopping it! (the latter worries me a bit).

Even so, when I add a torrent in the Transmission Web UI, it seems it cannot connect to the tracker:
Code:
udp://tracker.openbittorrent.com:80
Announce error: Could not connect to tracker - Today 05:04:20 PM
Next announce in 4 minutes

(when adding the same torrent to a torrent client on my desktop it starts to download it)

Also when I check the connection I do not have tun0:
Code:
[root@transmission_1 /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:e8:af:00:0a:0b
        inet 192.168.0.101 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active


My ipfw rules are:
Code:
add 00010 allow ip from any to any via tun0
add 00101 allow ip from me to 192.168.0.0/24 uid transmission
add 00102 allow ip from 192.168.0.0/24 to me uid transmission
add 00103 deny ip from any to any uid transmission
add 65534 allow all from any to any


and I have only added the lines below to the rc.conf file:
Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_type="/media/ipfw_rules"


Do you have any idea why there is no tun0 connection?
 
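The rule set LudoB posted is a per-user kill switch: the transmission uid may only send via tun0 (rule 00010) or to the LAN (00101, 00102), and everything else for that uid is denied (00103) before the catch-all allow (65534). Two consequences are worth spelling out. If tun0 does not exist, as in the ifconfig output above, openvpn has not brought the tunnel up, rule 00010 never matches, and transmission's tracker traffic falls through to the deny rule, which is consistent with the announce error shown. And ping run as root is not covered by the uid rules at all, so being able to ping with openvpn stopped says nothing about whether transmission is confined. The POSIX sh script below is an added example, not code from the thread or from the FreeNAS or transmission projects; it checks a rule file for that pattern (an allow via the VPN interface, a uid deny, and no unrestricted allow numbered before the deny) and reports whether the tunnel interface exists. VPN_IF, VPN_USER, the function names and the interface lists marked constructed are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an ipfw rule file for the
# "VPN_USER only via VPN_IF" kill-switch pattern and reports whether the
# tunnel interface exists. VPN_IF and VPN_USER are assumed names.

VPN_IF="tun0"
VPN_USER="transmission"

# Rule set as posted in the thread (used here as sample input).
SAMPLE_RULES='add 00010 allow ip from any to any via tun0
add 00101 allow ip from me to 192.168.0.0/24 uid transmission
add 00102 allow ip from 192.168.0.0/24 to me uid transmission
add 00103 deny ip from any to any uid transmission
add 65534 allow all from any to any'

# Constructed broken variant: an unrestricted allow is numbered before the
# deny, so ipfw matches it first and the uid deny never takes effect.
BAD_RULES='add 00010 allow ip from any to any via tun0
add 00100 allow all from any to any
add 00103 deny ip from any to any uid transmission'

# Constructed interface lists: the first mirrors the thread (no tun0), the
# second adds a tun0 line as openvpn would create it.
IFCONFIG_NO_TUN='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500'
IFCONFIG_TUN="$IFCONFIG_NO_TUN
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500"

# rule_number "add 00103 ..." -> 103 (strips leading zeros)
rule_number() {
    printf '%s\n' "$1" | awk '{ print $2 + 0 }'
}

# check_rules RULES: returns 0 when the kill-switch pattern holds:
#   1. an allow rule via $VPN_IF exists,
#   2. a "deny ip from any to any uid $VPN_USER" rule exists,
#   3. no allow rule without a uid/via restriction is numbered before the deny.
check_rules() {
    via_ok=0
    deny_num=""
    catchall_min=""
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        num=$(rule_number "$line")
        case "$line" in
            *" allow "*" via $VPN_IF"*) via_ok=1 ;;
            *" deny "*" from any to any uid $VPN_USER"*) deny_num=$num ;;
            *" allow "*" uid "*|*" allow "*" via "*) ;;   # restricted allow: fine
            *" allow "*)
                if [ -z "$catchall_min" ] || [ "$num" -lt "$catchall_min" ]; then
                    catchall_min=$num
                fi ;;
        esac
    done <<EOF
$1
EOF
    if [ "$via_ok" -ne 1 ]; then
        echo "FAIL: no allow rule via $VPN_IF"; return 1
    fi
    if [ -z "$deny_num" ]; then
        echo "FAIL: no deny rule for uid $VPN_USER"; return 1
    fi
    if [ -n "$catchall_min" ] && [ "$catchall_min" -lt "$deny_num" ]; then
        echo "FAIL: unrestricted allow rule $catchall_min precedes deny rule $deny_num"
        return 1
    fi
    return 0
}

# has_tunnel IFCONFIG_OUTPUT: returns 0 if an interface line for $VPN_IF is present.
has_tunnel() {
    printf '%s\n' "$1" | grep -q "^${VPN_IF}:"
}

# Stand-alone run against the thread's rule set and interface list.
check_rules "$SAMPLE_RULES" && echo "OK: $VPN_USER can only leave via $VPN_IF or the LAN"
if has_tunnel "$IFCONFIG_NO_TUN"; then
    echo "$VPN_IF is up"
else
    echo "$VPN_IF missing: openvpn has not created the tunnel, so rule 00010 never matches and $VPN_USER traffic hits the deny rule"
fi
has_tunnel "$IFCONFIG_TUN" && echo "(constructed list with $VPN_IF present: tunnel is up)"
```

To use it on a live jail, feed `check_rules` the contents of the file named in `firewall_type` and `has_tunnel` the output of `ifconfig`; the rule check only looks at ordering and the uid/via restrictions, so it does not replace reading the full rule set.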

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
> I can ping google.com with openvpn and... also after stopping it! (the later worries me a bit).
I think turning ipfw off and on, not openvpn, might switch whether you can ping out. But in my case, as I recall, I can ping either way. I'm not concerned because I know transmission can't communicate when openvpn stops.
> Do you have any ideas why there are no tun0 connection?
No I don't. Maybe a more knowledgeable person can help out here. But if you turn off ipfw and openvpn
Code:
service ipfw stop
service openvpn stop

then turn the torrent off and back on again, does it work? If you then turn openvpn on (service openvpn start) but leave ipfw off, and restart the torrent, does it work then?
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
Got some issues now for some reason, I cannot get out to the internet:
Code:
[root@transmission_1 /]# service transmission status
transmission is running as pid 99231.
[root@transmission_1 /]# service openvpn status
openvpn is running as pid 97569.
[root@transmission_1 /]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: No buffer space available
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
[root@transmission_1 /]# ping google.com
ping: cannot resolve google.com: Host name lookup failure
[root@transmission_1 /]#

I've tried ipfw stop and start, as well as restarting transmission and openvpn. Any idea what may be the problem? This is a little beyond my technical ability now, unfortunately.
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
Thank you for your advice Glorious1!
I changed the user settings on the transmission jail as previously explained in your post at the top of page 11, and also followed the steps in the post above, and as soon as I added the torrent it just worked! I let it download a bit and deleted it.
I then wanted to know if it was really going through the VPN, so I loaded a torrent from ipmagnet => http://ipmagnet.services.cbcdn.com/ but it's showing my French IP instead of the one in Russia, for example.
Maybe I need to set up somewhere that I want to connect to the Russia VPN server for example among all other ones available...
 

LudoB

Dabbler
Joined
Nov 8, 2015
Messages
13
> [root@transmission_1 /]# ping google.com
> ping: cannot resolve google.com: Host name lookup failure
> [root@transmission_1 /]#

I had the same error in my first attempt to set up transmission jail with VPN. So I started setting up everything again after deleting the previous jail and restarting the freenas server and it worked!
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
> I then wanted to know if it was really going through the vpn so i loaded a torrent from ipmagnet => http://ipmagnet.services.cbcdn.com/ but it's showing my French IP instead of the one in Russia for example....
> Maybe I need to set up somewhere that I want to connect to the Russia VPN server for example among all other ones available...
Well, that's a problem if you're running openvpn and the special torrent is showing your own public IP. Did you do the steps about editing the configuration file for the server you want to use (as I recall it is just adding the name of the file containing your openvpn username and password), then renaming it as (again from memory) openvpn.conf?
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
> I rebooted FreeNAS and it solved the problem. weird. Will keep an eye on it, thanks
I think you can accomplish the same thing by using the Restart button on the Jails tab in the WebGUI. If I'm not mistaken this basically reboots the jail.
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
It happened again. I went on today and had no internet access, and the same messages when trying to reach out :S Restarting the jail through the GUI resolved the problem, though, but I can't keep doing this every day. Anyone ever seen this before?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
What do you mean?
> . . . same messages when trying to reach out :S . . .
Do you mean transmission couldn't access the internet? What messages?
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
> What do you mean?
> Do you mean transmission couldn't access the internet? What messages?

The messages I wrote about in my post on Tuesday 12:02PM: "ping: sendto: No buffer space available" on ping 8.8.8.8, and "Host name lookup failure" on pinging a DNS name.
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
I don't understand why people focus on pinging from their transmission jail. That has no usefulness that I'm aware of. The only thing that matters to me is, can transmission access the internet.

If not, I guess you would have to start determining if openvpn is going belly up, so the firewall is preventing access. Maybe there is a problem with a particular openvpn server, and you should try another one.

I suppose there could be things inside the jail that cause instability too, but I can't imagine what that might be. If you struggle and the problem persists, there is always the option to nuke the jail and start over with the better knowledge you've gained in the last setup.
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
> I don't understand why people focus on pinging from their transmission jail. That has no usefulness that I'm aware of. The only thing that matters to me is, can transmission access the internet.
>
> If not, I guess you would have to start determining if openvpn is going belly up, so the firewall is preventing access. Maybe there is a problem with a particular openvpn server, and you should try another one.
>
> I suppose there could be things inside the jail that cause instability too, but I can't imagine what that might be. If you struggle and the problem persists, there is always the option to nuke the jail and start over with the better knowledge you've gained in the last setup.

I thought that it means that the jail can access the internet? Isn't that the whole point of the "ping google.com and kill VPN" test, which proves whether or not the firewall rules are working? Anyway, I think I may do as you suggest and nuke the jail. Do you know where the torrent files and settings are located? I have around 1,000 torrents, all with different files to download or not download etc., which I'd like to preserve.

Thank you
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,210
> I thought that it means that the jail can access the internet? isn't that the whole point of the "ping google.com and kill VPN" test which proves whether or not the firewall rules are working? Anyway, I thnk I may do as you suggest and nuke the jail. Do you know where the torrent files and settings location are? I have around 1,000 torrents all with different files to download or not download etc which I'd like to preserve.
>
> Thank you
I didn't always see a correlation between pinging and transmission working. Why not just see if torrents are connecting?

Settings and torrents are in folders here in my jail:
/usr/pbi/transmission-amd64/etc/transmission/home
As I recall (but don't quote me), you could copy them to the /media folder that you have connected to storage outside the jail, and it will survive the nuking there.
 

windyboi

Explorer
Joined
Jan 7, 2016
Messages
79
> I didn't always see a correlation between pinging and transmission working. Why not just see if torrents are connecting?
>
> Settings and torrents are in folders here in my jail:
> /usr/pbi/transmission-amd64/etc/transmission/home
> As I recall (but don't quote me), you could copy them to the /media folder that you have connected to storage outside the jail, and it will survive the nuking there.

Yeah, the torrents weren't connecting :(. Funny thing, actually: I changed the IP address of the jail and now I cannot access the web GUI (it's listening on 9091, I can ping my laptop from within the jail, etc.), but that's something for another thread.

Thanks, will look at doing that then today.
 