FreeNAS – Transmission jail with OpenVPN

I was running Transmission on a virtual machine, but that VM decided to stop working, so I decided it was time to move to something a little more isolated, and easier to rebuild if/when the time comes.

Doing some research, aka, poking around the internet using The Google, I found a decent guide, which I modified a bit, to meet my needs.

Rather than running a VM, and installing Transmission and a VPN, I moved to installing Transmission in a FreeNAS jail.

I also liked the idea of a kill switch when/if the VPN drops, or isn't connected, because some ISPs take a dim view of any torrent activity, even if completely legitimate. I'd rather not have to deal with the headache of trying to explain I'm downloading a Linux ISO, not some pirate movie.


  1. Expose tun devices

    This is the first gotcha. By default, FreeNAS 11.3 limits the devices jails can access in the host system. To allow jails to access tun devices, include the following pre-init task and reboot the server to allow the rule to take effect.

    Tasks ⇒ Init/Shutdown Scripts ⇒ Add

    devfs rule -s 4 add path 'tun*’ unhide

    Display of init command

  2. Install the Transmission plugin:

    Plugins ⇒ Transmission ⇒ Install

    The screen below will appear. Give the jail a name and accept the defaults for the moment. Click Save to continue.

    Creation of Transmission plugin

    On completion of the installation of the Transmission plugin, a dialogue box similar to the one below will be displayed.<

    Output after plugin creation

  3. Configure the jail to use a static IP.

    This is highly recommended, as this will be a headless box, and having the same IP to connect to via the web interfaces will make your life easier.

    To modify the jail properties, the jail has to be stopped first.

    Jails ⇒ transmission ⇒ Stop

    Edit its properties.

    Jails ⇒ transmission ⇒ Edit

    Uncheck NAT.

    Choose a unique IPv4 Address for the Transmission jail, specify your network IPv4 Netmask and your IPv4 Default Router. An example is shown below.

    Static IP configuration

  4. Allow the jail to create tun devices.

    From the same page as above, click on Custom Properties

    OpenVPN uses a tun device by default to make a virtual network. Check allow_tun and then click Save.

    Jail modification

  5. Set up additional storage

    The Transmission jail is given access to storage outside the jail on the FreeNAS system. This allows Transmission to save data to a storage area outside the jail so that the data is accessible to the FreeNAS system (and elsewhere).

    Additional storage is set up using mount points:

    Jails ⇒ transmission ⇒ Mount points ⇒ Actions ⇒ Add

    An example mapping is shown below.<

    Transmission mount points

    1. Restart the jail with the new settings

    Plugins ⇒ transmission ⇒ Start

  6. Install required packages into the Transmission jail

    Shell into the jail:

    Jails ⇒ transmission ⇒ Shell

    pkg update
    pkg upgrade
    pkg install bash openvpn wget vim
  7. Configure OpenVPN

    Using vi, append the following lines to /etc/rc.conf so that OpenVPN and the IP Firewall (IPFW) start when the jail starts, and configure the default torrent download directory


    Create the directory for OpenVPN configuration file:

    mkdir /usr/local/etc/openvpn

    Get the necessary OpenVPN config files from Private Internet Access:

    cd /tmp
    cp us_denver.ovpn /usr/local/etc/openvpn/openvpn.ovpn

    Create the pass.txt file, that contains your PIA username and password in it:

    cat /usr/local/etc/openvpn/pass.txt

    Edit the /usr/local/etc/openvpn/openvpn.conf file and add pass.txt to the end of the line reading auth-user-pass

    grep auth-user /usr/local/etc/openvpn/openvpn.ovpn
    auth-user-pass pass.txt

    Test the before and after enabling the VPN:

    /usr/local/etc/rc.d/openvpn start

    If not, stop the openvpn service, then run it manually:

    openvpn stop
    openvpn --config /usr/local/etc/openvpn start

    Troubleshoot any issues and re-test.

  8. Configure the IPFW killswitch:

    Run the following command:

    ifconfig | grep "tun.:"
    tun0: flags=8051&lt;UP,POINTTOPOINT,RUNNING,MULTICAST&gt; metric 0 mtu 1500

    It should show a tun device, which is the VPN tunnel. Take note of the device id (tun0 in this example).

    Contents of the /usr/local/etc/ipfw.rules file:

    ipfw -q -f flush
    cmd="ipfw -q add"
    $cmd 00001 allow all from any to any via lo0
    $cmd 00010 allow all from any to any via $vpn
    $cmd 00101 allow all from me to uid transmission
    $cmd 00102 allow all from to me uid transmission
    $cmd 00103 deny all from any to any uid transmission

    If your device id is different than tun0, change the parameter vpn to use the the correct device id.

    Change the to whatever your personal network is set up to.

  9. Test the IPFW killswitch

    Start the firewall:

    service ipfw start

    Check the make sure the firewall rule list from step #9 loaded:

    ipfw list

    Restart the Transmission plugin:

    Plugins ⇒ transmission ⇒ Restart

    Shell back into the Transmission jail:

    Jails ⇒ transmission ⇒ Shell

    Test the firewall by downloading a large torrent file (I used a torrent of an Ubuntu ISO), and stopping the OpenVPN service during the download.

    service openvpn stop

    If the firewall is working, downloading should stop.

    Once it does, start OpenVPN again and downloading should resume.

    service openvpn start


Basil's Tech Diary - FreeNAS 11.3 + Transmission plugin + OpenVPN + AirVPN + IPFW Killswitch

TrueNAS forums - openvpn issues in new jails after 11.1

Private Internet Access - Linux - Installing OpenVPN through the Terminal