
(Tutorial) 11.1 warden jail to 11.2 iocage jail - Plex migration and rebuild of transmission + openvpn (pia) + ipfw + tvnamer

sanoshin

Newbie
Joined
Jan 2, 2019
Messages
2
Specifically, I changed my train from 11.1-U6.3 to 11.2-RELEASE-U1, and although my plex and transmission jails were still working in the old, no longer supported warden jails, I decided to try to get them working in the new iocage jails. I was able to get all this working the way I used to have it, grabbing from 10 or so different posts and bugcheck tickets, so I figured as a service I'd share my notes if anyone else finds value out of it. I built a plex pass server using the default 11.2 plugin, and same for the transmission plugin. The goal for my transmission jail was to also have openvpn (I use Private Internet Access, so this is for PIA specifically) and have the firewall stop transmission in case the VPN dies or stops for some reason, and to later rename and move files to where I want them for plex. If you don't know how to use vi, substitute ee or nano for your editor in any of the commands below.

Plex migration
FreeNAS 11.2 GUI, click to install plex plugin
once installed, stop the new plex plugin and also stop the old one (you will need to go into the legacy web interface to turn it off if not using CLI)

Then I copied the old plex's jail contents to the new iocage plex jail structure, run this from the freenas OS main shell, in the left column of the new gui:
cp -Ripv -f /mnt/pool_1/jails/plexmediaserver_1/var/db/plexdata/Plex\ Media\ Server/ /mnt/pool_1/iocage/jails/plex/root/Plex\ Media\ Server/

After that, make sure to add the storage mounts the same as you had setup in the old system or it won't find the media when you try to click on the movies/music (storage add for the jail is under the 3 dots under the new jail page).
I actually started the new plex plugin and went back into the web interface for plex and edited the media locations to double check how I had named the folders for them, then just stop the plex plugin and add those storage mounts, start it up again, and it should work normally with all your cached thumbnails, viewed or unviewed status, downloaded posters etc. Haven't noticed any bugs with it yet, just made sure to use the same IP in DHCP on the router so that I could pass through the DMZ for remote sharing.

Transmission jail
FreeNAS 11.2 GUI, click to install the transmission plugin

FreeNAS OS shell:
iocage stop transmission
iocage set allow_tun=1 transmission

reboot the freenas, after reboot open the Transmission Jail shell, which is under the 3 dots in the jail page
modify repo so that we can install normal freebsd packages:
vi /usr/local/etc/pkg/repos/FreeBSD.conf
replace the no with yes, save and quit.

pkg update
pkg upgrade
pkg install bash openvpn unzip curl wget


change settings and add startups:
vi /etc/rc.conf

Add into the file:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

Also you may want to change your Transmission's default download directory; it also seems to be hardcoded in this file at the top.
Save and quit.

Run these to install and set up openvpn. I'm using Private Internet Access so it uses their config; I'm also in Texas so I'm using the "US Texas" file, use what you like.
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn/
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
mkdir PIA
unzip openvpn.zip -d PIA/
cd PIA/
cp US\ Texas.ovpn ..
cd ..
mv US\ Texas.ovpn openvpn.conf


Create the password file, the first line is your username, the second line is your password, save the file
vi pass.txt

vi openvpn.conf
change the line so that it uses your pass.txt, should look like below:
auth-user-pass /usr/local/etc/openvpn/pass.txt

wget http://ipinfo.io/ip -qO -
(should show your IP)

service openvpn start

wget http://ipinfo.io/ip -qO -
(should show your VPN IP)

ifconfig
(should show a tun0 interface, which is the vpn tunnel)

vi /etc/ipfw.rules
Type the below into the file and save it, change the 192.168.1.0/24 to whatever your personal network is setup as:

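#!/bin/sh
# Flush any existing rules, then rebuild the kill switch.
ipfw -q -f flush
cmd="ipfw -q add"
vpn="tun0"
# Loopback and anything that goes through the VPN tunnel is allowed.
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via $vpn
# The transmission user may talk to the local network...
$cmd 00101 allow all from me to 192.168.1.0/24 uid transmission
$cmd 00102 allow all from 192.168.1.0/24 to me uid transmission
# ...and everything else from that user is dropped.
$cmd 00103 deny all from any to any uid transmission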


Then start the firewall:
service ipfw start
ipfw list (make sure it's listing the rules typed above)

Test the firewall by running a large torrent file (I used an Ubuntu torrent), and stopping the openvpn service mid-download.
If the firewall is working, the download should stop. Once it does, start openvpn again and it should resume downloading.

service openvpn stop

service openvpn start


For the video renaming/moving I'm using the tvnamer project inside the transmission jail:
https://github.com/dbr/tvnamer

I installed with
pkg install py27-tvnamer databases/py-sqlite3

then just run it with
tvnamer /path/to/file/whatever/name_of_file.mp4

I personally use recursive batch mode and give it a destination folder to move them, then I run it from crontab every 5 minutes to just pick up whatever comes along.
tvnamer -r -b /mnt/downloads/data -m --movedestination "/mnt/downloads/done"

There's tons of different options, so look through their documentation.

That's all folks!

onthax

Member
Joined
Jan 31, 2012
Messages
64
was following this.
had issues installing the openvpn package

resolved with

pkg update -f

then tried pkg install openvpn

works now.

Thanks for the article.
 

ViciousXUSMC

Member
Joined
May 12, 2014
Messages
47
Just running the migration script took care of both my Transmission Jails and Plex jail without issues.
Still though, thanks for this, just in case I feel like rebuilding them.

Actually making a VM for Plex now since for some reason my Plex jail does not like my 10gb ethernet.
 

sanoshin

Newbie
Joined
Jan 2, 2019
Messages
2
Had to rebuild my transmission jail, found that the IPFW stopped working.
Deleted the jail and reinstalled the plugin, but made sure to click advanced and enabled the "allow_tun" under custom properties, and "allow_raw_sockets" under jail properties... then I didn't need to run the "iocage set allow_tun=1 transmission" anymore, followed the rest of the guide and got it working again.
 

Supa

Member
Joined
Jan 10, 2014
Messages
204
Few problems after setting it up:

downloads are REALLY slow. Is it because the TCP port is closed? Torrent is downloading at less than 30kb/sec. I've forwarded 51413 with the transmission IP but it still just shows closed.


Here's my notes from when I got it working... used your guide in combo with another. If it helps anyone let me know.

Transmission (with ipfw rules / Private Internet Access VPN)
  • create a transmission jail
  • From FreeNAS OS Shell:
    • iocage stop transmission
    • iocage set allow_tun=1 transmission
  • Reboot FreeNAS
  • Open Transmission Jail Shell
  • edit /usr/local/etc/pkg/repos/FreeBSD.conf
    • Replace no with yes
    • ESC, then save and quit
  • pkg update
  • pkg upgrade
  • pkg install bash openvpn unzip curl wget
  • edit /etc/rc.conf
    • Add to file:
      • openvpn_enable="YES"
      • openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
      • firewall_enable="YES"
      • firewall_script="/etc/ipfw.rules"
      • Also you may want to change your Transmission's default download directory; it also seems to be hardcoded in this file at the top.
      • ESC, then save and quit
  • mkdir /usr/local/etc/openvpn
  • cd /usr/local/etc/openvpn/
  • wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
  • mkdir PIA
  • unzip openvpn.zip -d PIA
  • cd PIA
  • cp US\ California.ovpn ..
  • cd ..
  • mv US\ California.ovpn openvpn.conf
  • Create the username/password file
    • edit pass.txt
    • 1st line = username, 2nd line = password (for PIA)
  • edit openvpn.conf
    • auth-user-pass /usr/local/etc/openvpn/pass.txt

    • auth-nocache (not sure what this does)
  • wget http://ipinfo.io/ip -qO - (Shows your IP address)
  • service openvpn start
  • wget http://ipinfo.io/ip -qO - (Shows VPN's IP address)
  • ifconfig (should show a tun0 interface, which is the vpn tunnel)
  • edit /etc/ipfw.rules (change to Default Routes IP which shows up on Dashboard of Freenas)

      #!/bin/sh
      ##
      # OpenVPN Kill Switch Configuration.
      #
      # From:
      # https://github.com/danjacques/freenasdocs
      ##

      . /etc/network.subr

      RULE_NO=1000
      fwcmd="/sbin/ipfw"
      add_fw() {
        ${fwcmd} add ${RULE_NO} $*
        RULE_NO=$((${RULE_NO}+1))
      }

      # Flush all current rules before we start.
      ${fwcmd} -f flush

      # Enable loopback.
      add_fw allow ip from any to any via lo0

      # Enable VPN traffic.
      add_fw allow ip from any to any via tun*

      # Internal Routing
      #
      # Change these addresses accordingly for your internal network and netmask.
      add_fw allow log ip from any to 192.168.1.0/24 keep-state

      # Allow DNS traffic.
      #
      # OpenVPN configs may use host names, and we'll need to look these up.
      # Default route.
      add_fw allow log udp from any to any dst-port 53 keep-state

      # Allow traffic on OpenVPN UDP port.
      #
      # If you're using TCP VPN and/or a different port, update accordingly. Consult
      # your OpenVPN config for details.
      add_fw allow log udp from any to any dst-port 1198 keep-state

      # Cleanup rules.
      RULE_NO=4000
      add_fw allow ip from 127.0.0.1 to any

      # VPN Network Access.
      RULE_NO=5000
      add_fw allow ip from 10.0.0.0/7 to any
      add_fw allow ip from any to 10.0.0.0/7

      # Block everything else.
      RULE_NO=65534
      add_fw deny log ip from any to any
  • Start Firewall
    • service ipfw start
    • ipfw list (make sure it's listing the rules typed above)
  • Test Firewall
    • ping www.google.com (should be able to ping it as it's connected to the internet)
    • service openvpn stop
    • ping www.google.com (should not have internet and fail pinging it)
  • Finally, set your file permissions to be acceptably restrictive for OpenVPN.
    • chmod -R 0600 /usr/local/etc/openvpn/
  • Log file is found in /var/log/messages
If you have any issues make sure all your files are in the /usr/local/etc/openvpn directory that you reference in the .conf files.

You can also check ip via: curl ifconfig.me

Sources: https://github.com/danjacques/freenasdocs/blob/master/guides/vpn-client-jail.md
and https://www.ixsystems.com/community...-transmission-openvpn-pia-ipfw-tvnamer.72523/
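
A lint for the two kill-switch rulesets in this thread (the uid-based rules in the first post and the default-deny rules above), added here as an example and not taken from any poster or from the linked guide: it reads `ipfw list` output and reports every allow rule that can pass traffic outside lo0/tun* ahead of the deny. The function names and the rule listings are constructed for illustration, and the listings assume `ipfw list` prints `all` as `ip`.

```sh
#!/bin/sh
# Added example (not from the thread): lint `ipfw list` output for a VPN kill switch.
# Findings, one per line:
#   LEAK <rule>    unrestricted allow ahead of the deny; traffic bypasses the tunnel
#   EXCEPT <rule>  allow that can match on a physical interface (LAN, DNS, VPN port)
#   NODENY         no "deny ... from any to any" rule present
audit_rules() {
    awk '
    $2 == "deny" && / from any to any/ { deny = 1; exit }
    $2 == "allow" {
        if (/ via (lo|tun)[0-9*]+/) next      # loopback or tunnel only
        if (/ from any to any$/) print "LEAK " $0
        else print "EXCEPT " $0
    }
    END { if (!deny) print "NODENY" }'
}

# Exit status 0 only when the deny exists and nothing unrestricted precedes it.
killswitch_ok() { ! audit_rules | grep -Eq '^(LEAK|NODENY)'; }

# Constructed sample: the uid-based rules from the first post, as listed by ipfw.
sample_uid() { cat <<'EOF'
00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun0
00101 allow ip from me to 192.168.1.0/24 uid transmission
00102 allow ip from 192.168.1.0/24 to me uid transmission
00103 deny ip from any to any uid transmission
65535 allow ip from any to any
EOF
}

# Constructed sample: the default-deny rules from the later post, abbreviated.
sample_default_deny() { cat <<'EOF'
01000 allow ip from any to any via lo0
01001 allow ip from any to any via tun*
01002 allow log ip from any to 192.168.1.0/24 keep-state
01003 allow log udp from any to any dst-port 53 keep-state
01004 allow log udp from any to any dst-port 1198 keep-state
65534 deny log ip from any to any
EOF
}

# Constructed sample: rules flushed, only an accept-by-default rule is left.
sample_flushed() { echo '65535 allow ip from any to any'; }

# On the jail itself: ipfw list | audit_rules
sample_default_deny | audit_rules
```

The EXCEPT lines are the traffic that still leaves on the physical interface while the VPN is down; in the default-deny ruleset that includes DNS on port 53.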