digiMoot:

TrueNAS: Add VPN Connection to a Jail

Adding a Virtual Private Network (VPN) connection to a TrueNAS jail routes the internet traffic of everything running in that jail through your VPN provider instead of directly through your ISP. Sites you connect to see the provider's exit address rather than your own (which also makes you appear to be wherever that exit is located), and your ISP sees only encrypted traffic to the VPN server. Keep in mind that the VPN provider can see that traffic instead, so this shifts trust rather than removing it. This TrueNAS: Add VPN Connection to a Jail article will show you how to download and install the OpenVPN software, configure it for the VPN location you want, set up the proper network connections, and then test that the connection is working, all within a TrueNAS jail. The article uses Private Internet Access (PIA) as the example VPN provider, but you should be able to follow the same process for other providers. There is also an option to add a VPN kill switch (firewall rules that shut down the jail's network traffic if the VPN disconnects, so nothing leaks out over your ISP connection). This article assumes that you already have a TrueNAS system up and running and have already set up the TrueNAS jail in which you want to include an OpenVPN connection.

This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.

Install OpenVPN

To start this TrueNAS: Add VPN Connection to a Jail article, we need to install the OpenVPN client software, which is what will establish the tunnel to your VPN provider. You will need to get to the command prompt for your jail. First we will install two programs we will need: nano, a text editor, and wget, to download the necessary config files and to test the connection. You can install these programs with the following command:
pkg install nano wget

Now we need to make sure we are using the latest package branch so that we get OpenVPN v2.5.0 (or later); the default quarterly branch can lag behind. Edit your pkg config file with the following command:
nano /etc/pkg/FreeBSD.conf

You will see a line in the file that looks like this:

url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly",

and you will need to replace the word "quarterly" with "latest" so that the line looks like this:

url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

Note that /etc/pkg/FreeBSD.conf belongs to the base system and may be put back to quarterly when the jail's release is updated. If you want the change to survive, put the same FreeBSD: { url: "..." } entry, with latest, in /usr/local/etc/pkg/repos/FreeBSD.conf instead; pkg reads that directory after the base file and the entry there overrides it. Save the file and exit, run pkg update so the catalog for the new branch is fetched, and then install OpenVPN with the following command:
pkg install openvpn

You can confirm that you got a recent enough version with pkg info openvpn.

If for some reason you get a message like: “No Packages Available to Install Have Been Found in the Repositories”, you can read this article for instructions on how to move past it: FreeNAS: No Packages Available to Install Have Been Found in the Repositories

Setup OpenVPN

As noted, this article will use Private Internet Access (PIA) as an example for configuration, but you can use the same process for other VPN providers, just download their OpenVPN files instead.

Let's start by creating a directory for the OpenVPN configuration (if the package already created it, the resulting "File exists" message is harmless):

mkdir /usr/local/etc/openvpn

Next we need to create a file to store the login credentials for the VPN provider. The following command opens the nano text editor on a new file, in which you put your VPN username on the first line and your VPN password on the second line, with nothing else in the file:

nano /usr/local/etc/openvpn/auth.txt

Alternatively you can create this file with the following two commands, where [username] and [password] are your VPN username and password respectively (quote the values if they contain characters the shell treats specially, and be aware that typed this way the password ends up in your shell history):

echo [username] > /usr/local/etc/openvpn/auth.txt
echo [password] >> /usr/local/etc/openvpn/auth.txt

As this file contains your username and password, we next need to restrict its permissions so that only its owner (root, which is also what OpenVPN runs as inside the jail) can read it. Until you run this command the file is readable by every user in the jail, per the default umask, so do it right away:

chmod 0600 /usr/local/etc/openvpn/auth.txt
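Creating the credentials file by hand works, but the two echo commands leave the password in your shell history and the file is world-readable until the chmod runs. As an added example (not part of the original article), the following sh script does the same job with the file born as mode 0600, the password typed without echo rather than placed on a command line, and a check that the result is what OpenVPN expects. The path is the one the article uses and can be overridden with the AUTH_FILE environment variable; the create and check subcommands are this script's own.

```sh
#!/bin/sh
# Added example, not from the article: create and check the OpenVPN
# credentials file (line 1 username, line 2 password) safely.
# Usage: sh vpn-auth.sh create   (prompts for username and password)
#        sh vpn-auth.sh check    (verifies an existing file)
AUTH_FILE="${AUTH_FILE:-/usr/local/etc/openvpn/auth.txt}"   # path used in the article

# read_secret PROMPT: read one line from the terminal without echoing it.
read_secret() {
    printf '%s' "$1" >&2
    stty -echo 2>/dev/null
    read -r _value
    stty echo 2>/dev/null
    echo >&2
    printf '%s' "$_value"
}

# write_vpn_auth FILE USERNAME PASSWORD
# umask 077 in a subshell means the file is created with mode 0600 from the
# start, so there is no window in which other users in the jail can read it.
# printf is a shell builtin, so the password never appears in a process list.
write_vpn_auth() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 0600 "$1"     # also fixes the mode if the file already existed
}

# check_vpn_auth FILE: return 0 only if the file is owner-only readable and
# holds exactly two non-empty lines. An empty or missing line makes OpenVPN
# prompt on the console, which looks like a hang when started from rc.
check_vpn_auth() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$1: mode is $mode, want -rw-------" >&2; return 1; }
    lines=$(awk 'END { print NR }' "$1")
    [ "$lines" -eq 2 ] || { echo "$1: $lines lines, want 2" >&2; return 1; }
    [ -n "$(sed -n 1p "$1")" ] && [ -n "$(sed -n 2p "$1")" ] ||
        { echo "$1: username or password line is empty" >&2; return 1; }
}

case "${1:-}" in
    create)
        user=$(read_secret "VPN username: ")
        pass=$(read_secret "VPN password: ")
        write_vpn_auth "$AUTH_FILE" "$user" "$pass" && check_vpn_auth "$AUTH_FILE" &&
            echo "$AUTH_FILE written"
        ;;
    check)
        check_vpn_auth "$AUTH_FILE" && echo "$AUTH_FILE looks good"
        ;;
esac
```

Running sh vpn-auth.sh check after any later edit of auth.txt (for example after changing your VPN password in nano) catches the two mistakes that most often break an unattended start: a permissions change and a stray blank line.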

Now we create a temporary directory to download all the VPN information into with the following command:

mkdir /usr/local/etc/openvpn/download

And then we will download the VPN configuration files (in this case for PIA) with the following commands:

cd /usr/local/etc/openvpn/download
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip

Now if you do an ls in this directory you will see a bunch of .ovpn files named after countries, cities and regions. Each one holds the connection parameters for the provider's servers in that location (the server hostname and port, the protocol, and the crypto settings and certificate OpenVPN should use). Select which city or region you want to connect to and copy that file to the OpenVPN directory as openvpn.conf, which is the file the FreeBSD OpenVPN service script reads by default (this example uses Denmark):

cp Denmark.ovpn /usr/local/etc/openvpn/openvpn.conf

You will now need to open the file you just copied with nano /usr/local/etc/openvpn/openvpn.conf and add the following lines to the bottom of it. They tell OpenVPN to read the username and password from auth.txt instead of prompting for them, which is what allows the connection to come up unattended when the jail boots; auth-nocache stops OpenVPN from keeping the credentials in memory once it has used them. If the provider's file already contains a bare auth-user-pass line, change that line to the one below rather than leaving both.

# Automatic login (PIA credentials)
auth-user-pass /usr/local/etc/openvpn/auth.txt
auth-nocache

One thing these files do not take care of is DNS. The VPN server pushes its own DNS servers to the client, but OpenVPN 2.5 and 2.6 on FreeBSD only hand pushed DNS settings to an up script; they do not write them into /etc/resolv.conf themselves. Without such a script the jail keeps using the resolver it had before, and if that is your router or your ISP's resolver, your name lookups still leave via your ISP even though the rest of the traffic goes through the tunnel.
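The usual fix for the DNS gap just described is an OpenVPN up/down script. As an added example (not from the article, from PIA or from the OpenVPN project), the script below turns the dhcp-option DNS and DOMAIN values the server pushes into resolv.conf entries and hands them to resolvconf(8), which is in the FreeBSD base system. It assumes the script is installed as /usr/local/etc/openvpn/dns-up.sh (a path chosen here), is executable, and that openvpn.conf gets the three lines script-security 2, up /usr/local/etc/openvpn/dns-up.sh and down /usr/local/etc/openvpn/dns-up.sh.

```sh
#!/bin/sh
# Added example, not from the article: OpenVPN up/down script that applies
# the DNS servers pushed by the VPN server via resolvconf(8) from FreeBSD base.
# Assumed install path: /usr/local/etc/openvpn/dns-up.sh, with these lines in
# openvpn.conf:
#     script-security 2
#     up   /usr/local/etc/openvpn/dns-up.sh
#     down /usr/local/etc/openvpn/dns-up.sh
# OpenVPN exports script_type (up/down), dev (e.g. tun0) and one
# foreign_option_N variable per pushed dhcp-option into the environment.

# pushed_dns_to_resolvconf: print resolv.conf lines built from the
# foreign_option_1, foreign_option_2, ... variables; prints nothing when the
# server pushed no DNS options, so the caller can leave resolv.conf alone.
pushed_dns_to_resolvconf() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

case "${script_type:-}" in
    up)
        conf=$(pushed_dns_to_resolvconf)
        if [ -n "$conf" ]; then
            # resolvconf -a reads the interface's resolv.conf fragment from stdin
            printf '%s\n' "$conf" | resolvconf -a "$dev"
        else
            echo "dns-up.sh: server pushed no DNS servers, resolv.conf unchanged" >&2
        fi
        ;;
    down)
        # remove this interface's entries again when the tunnel goes away
        resolvconf -d "$dev"
        ;;
esac
```

After the tunnel comes up, cat /etc/resolv.conf inside the jail should list the provider's servers; when OpenVPN stops, the down call removes them and your previous resolver comes back. With the kill switch described later in the article in place, remember that the jail still has to resolve the provider's hostname before the tunnel exists, so that first lookup must go to a resolver the firewall rules allow.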

Enable OpenVPN

Now that everything is configured, we can enable OpenVPN and begin to use the VPN connection.

Set OpenVPN to start automatically by using the following commands (openvpn_if tells the service script that a tun interface is needed; a jail cannot load kernel modules itself, so if_tun must already be present on the TrueNAS host):
sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

If you want to start (or stop, or check on) the VPN manually instead, you can use /usr/local/etc/rc.d/openvpn start (or stop, or status); service openvpn start is equivalent. OpenVPN logs through syslog, so if it fails to start, look in /var/log/messages inside the jail for the reason.

There is one last step, however, before the VPN is ready to run: the jail has to be allowed to create tun devices, which it is not by default. Quit the jail shell. Shut down the jail. Go to the overall TrueNAS shell (for the whole TrueNAS system, accessed from the menu on the left hand side of the web interface) and enter the following, where [jailname] is the name of the jail in which you have just installed and configured OpenVPN:

iocage set allow_tun=1 [jailname]

Now, you will need to reboot the entire TrueNAS server. Yes, the whole physical machine. Yes, this is a real pain. Once it is back, ifconfig inside the jail should list a tun0 interface while OpenVPN is running; if it does not, OpenVPN was not able to create the device and /var/log/messages will say so.

Testing the VPN Connection

Once the TrueNAS server comes back up after its reboot, enter your jail shell and test whether the VPN connection is working with the following command (if wget is not installed in the jail, fetch -qo - http://wtfismyip.com/text does the same job with fetch from the FreeBSD base system):

wget -qO - http://wtfismyip.com/text

Run the same command from the TrueNAS shell on the host, which is not using the VPN. If the jail reports an IP address different from the host's (the host's is the public address your ISP assigned you), the VPN is working! Keep in mind this only checks where the jail's traffic exits; it does not tell you whether the jail's DNS queries also go through the tunnel.

So that’s it, you’ve completed this TrueNAS: Add VPN Connection to a Jail article and your VPN in your jail should be up and running!

Login Script on Enter Jail Shell

I setup a quick script to show my public IP every time I log into the shell so that I can be sure my VPN is still connected. It’s a simple process I’ve described in my TrueNAS: Run Script on Startup Run MOTD script article.

VPN Kill Switch

I have not yet tested this out, but you can add a VPN kill switch: a set of firewall rules inside the jail that only allow traffic to leave via the tunnel interface (and the local LAN), so that if the VPN disconnects the jail loses internet access instead of silently falling back to your ISP connection. The following link contains directions for this kill switch (as well as much of the content for the creation of this article):

https://github.com/danjacques/freenasdocs/blob/master/guides/vpn-client-jail.md
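As an added example that is not from the article or from the linked guide, here is what such a kill switch looks like with ipfw, the FreeBSD firewall of which a VNET jail runs its own instance. The interface names, LAN range and VPN port are assumptions taken from a typical iocage VNET jail (epair0b, tun0, 192.168.1.0/24 and UDP 1198) and must be adjusted to yours: check the jail's interface with ifconfig and the port and protocol with the remote and proto lines of openvpn.conf. Running the script with show prints the rules instead of loading them, so you can review them before apply.

```sh
#!/bin/sh
# Added example, not from the article or the linked guide: an ipfw-based VPN
# kill switch for a VNET jail. Everything using the jail's LAN interface that
# is not (a) LAN traffic or (b) the OpenVPN tunnel itself is dropped, so if
# tun0 goes away the jail loses internet access instead of falling back to
# the ISP path. Assumptions (override via environment): jail interface
# epair0b, tunnel tun0, LAN 192.168.1.0/24, provider reached on UDP 1198.
# Usage: sh ipfw-killswitch.sh show    (print the rules)
#        sh ipfw-killswitch.sh apply   (load them)
JAIL_IF="${JAIL_IF:-epair0b}"
VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-192.168.1.0/24}"
VPN_PORT="${VPN_PORT:-1198}"
DRY_RUN="${DRY_RUN:-}"   # non-empty: print the ipfw commands instead of running them

ipfw_cmd() {
    if [ -n "$DRY_RUN" ]; then echo "ipfw $*"; else ipfw "$@"; fi
}

# killswitch_rules JAIL_IF VPN_IF LAN VPN_PORT
killswitch_rules() {
    jail_if=$1; vpn_if=$2; lan=$3; vpn_port=$4
    ipfw_cmd -q -f flush
    # loopback, and anything already inside the tunnel
    ipfw_cmd -q add 100 allow ip from any to any via lo0
    ipfw_cmd -q add 200 allow ip from any to any via "$vpn_if"
    # LAN in both directions: the web UIs of the services in the jail stay
    # reachable, and a LAN resolver can still answer the lookup of the
    # provider's hostname that happens before the tunnel exists
    ipfw_cmd -q add 300 allow ip from me to "$lan" out via "$jail_if"
    ipfw_cmd -q add 310 allow ip from "$lan" to me in via "$jail_if"
    # the OpenVPN tunnel itself: UDP to the provider's port, and the replies
    ipfw_cmd -q add 400 allow udp from me to any "$vpn_port" out via "$jail_if"
    ipfw_cmd -q add 410 allow udp from any "$vpn_port" to me in via "$jail_if"
    # everything else on the LAN interface (i.e. the ISP path) is dropped
    ipfw_cmd -q add 65000 deny ip from any to any via "$jail_if"
}

case "${1:-}" in
    apply) killswitch_rules "$JAIL_IF" "$VPN_IF" "$LAN" "$VPN_PORT" ;;
    show)  DRY_RUN=1; killswitch_rules "$JAIL_IF" "$VPN_IF" "$LAN" "$VPN_PORT" ;;
esac
```

A few things to get right before relying on it. Give the jail a static address, because a DHCP exchange would be blocked. If the jail's resolver is outside the LAN, either point it at a LAN resolver or put an IP address in the remote line of openvpn.conf, since that first lookup cannot go through a tunnel that does not exist yet. The ipfw(8) binary needs a raw socket to talk to the kernel, so the jail needs the iocage allow_raw_sockets=1 property, and ipfw must be loaded on the TrueNAS host; ipfw's default policy is to deny, so on the host either set the net.inet.ip.fw.default_to_accept=1 tunable before loading it or add an allow-all rule there immediately, or the host itself goes offline. To apply the rules at jail boot, call the script with apply from /etc/rc.local inside the jail, and test the switch by running service openvpn stop and confirming the IP check from the testing section then fails instead of returning your ISP address.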

Happy VPNin’!

~digiMoot


56 thoughts on “TrueNAS: Add VPN Connection to a Jail”

  1. I get my public IP address when I test it. I am attempting to do this with TORguard and the configuration files they have you download. Any help?

  2. I’m a bit of an amateur, however, I have a question:
    Does this protect my entire server and all internet access with the vpn connection? Or does it just protect the jail with a vpn connection? For example: Say I have multiple plugins installed in separate jails, one with transmission, one with sonarr, one with qBittorrent, one with nextcloud, and a virtual machine. Do I need to install openvpn in each jail as its own instance or can I install openvpn as its own jail and funnel the server’s entire traffic through it?
    I hope that made sense. If the answer is yes then I am happy. If the answer is no, then it suggests I may have to install all those plugins manually in a single jail in order to get VPN protection yeah?
    Thank you for your guides!

      1. Sweet, that explains a lot! Do you have Organizr and Jackett in that same single jail also? Lastly, does the order you install these matter?

      2. I have organizr in a separate jail. I don’t think order will matter much. Only hiccup I can think of is the version of mono. Also if you stay tuned for a couple days I have a post I’m working on with the updated version of sonarr (v3)

      3. Is there a specific reason why you have organizr in a separate jail?

        And I will definitely stay tuned for the sonarr (v3). Finding your site is a treasure mine for me, because I have been wanting to VPN my jail in order to use transmission, sonarr, radarr, etc. The lack of knowledge on that has stopped me from setting those apps up until now.

  3. Also, would love to see you make a thorough installation guide on NextCloud! Would you recommend installing that in the same jail as the other applications to be protected through a vpn?

  4. You’re the man. One more thing I think you should fast track on your site for the less experienced is, how to create jails manually from the start. What settings are recommended, etc.

    I am going to give it a shot, all I’ve ever done is install apps via plug-ins but I love how you consolidated everything in basically one jail.

  5. Would you be so kind as to go over briefly what settings you would use when creating the jail that would contain all your apps like openvpn, transmission, qBittorrent, jackett, sonarr, radarr, etc? A screenshot would suffice!

    Merry Christmas!

  6. I’ve got your WordPress site bookmarked now, your guides are really useful thanks. Question about this one – I followed the guide and got OpenVPN up and successfully connected, but all my DNS queries are still going through my ISP. I had to fix this with an ‘up’ and ‘down’ script to edit resolv.conf (I found a guide to help me with this). Not sure if I made a mistake in following your guide? It’s obviously important to ensure all traffic and DNS queries are routed through the VPN. But thanks again for all the work, it’s helped a lot.

  7. Hi Raze!
    Thanks for the guide, it seems to be working for me 🙂
    One question though: you said at the beginning of the article that “There is also an option to install a VPN kill switch (shuts down network traffic if you disconnect from the VPN).”
    However, there is no mention of how to set this up in the guide – unless that “allow_tun=1” sets the network in a way that it will only connect through the VPN and nothing else?
    Do you mind elaborating how the VPN killswitch is implemented, or how to implement it? 🙂
    Best Regards,
    Stefano

  8. I created a new jail and then followed all of the steps exactly as described here. Double-checked everything. Rebooted my TrueNAS CORE server. Reentered the jail shell. Ran:

    wget -qO - http://wtfismyip.com/text

    It flashes at me for a minute or so, returns nothing, and then I can type again as if I entered nothing at all.

    Any suggestions?

      1. Thanks for this comment, I had the same problem for days; I changed the nameservers and now it works like a charm.

      2. Having the same problem but when I run ‘nano etc/resolv.conf’ nano opens with a red error ‘[Directory ‘etc’ does not exist]. I ran the shell from within the jail and entered the command at the root, should I be somewhere else?

      1. It let me download it but for whatever reason I can’t get openvpn to connect to my nordvpn. I will have to do some more digging to see what’s up with it. Thanks again.

  9. thanks for the guide raze42, so easy to follow.
    Just wondering what setup you use when creating your jails.
    I have had trouble accessing radarr from within the same jail (with vpn & sabnzbd)
    any tips would be appreciated

    1. I’m not sure exactly what you’re asking. I have all my collection managers (radarr, sonarr, etc) and qbittorrent in a single jail which is using a VPN. I don’t use newsgroups, just torrents. It might help if you use 127.0.0.1 as the ip address (which is the localhost) to connect between services within the same jail.

  10. Your guides have been great. Thank you. I see that you haven’t tested out the kill switch. Everything else I have installed with your guides has worked perfectly, but the kill switch cuts off web access to the jail. Everything works fine with VPN. The kill switch itself tests out fine. But when the kill switch is on, I can no longer reach the jail via its URL. This has been the case each time, including multiple installations of sonarr and one of nzbget. If you still haven’t tested this out, I’m wondering if you still might have some troubleshooting suggestions, or maybe someone else who has experienced this. Thanks!!

    1. I just figured it out. I was careless and didn’t notice that I needed to update the kill switch script with my gateway and mask. You are welcome to delete the post. Everything works as advertised. Thanks.

  11. Your guides are incredible! I don’t know what I’d do without your indirect assistance.
    With that said, I’m running into an error when trying to run manually start OpenVPN. This is the code I get:
    “/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn”
    Any insight would be greatly appreciated!

  12. 2 questions:
    1) how do i keep the /etc/resolv.conf file static to the external ip addresses when using dhcp in my jail?
    2) I’m unable to access any ports from the lan on this jail. I need to access my torrent client and/or flood (to manage), but the VPN is blocking.
    Thank you

  13. Noticed after doing this: if I reboot the jail, on coming back up, while I can get outside access through my VPN, my client seems to have no access (Deluge states no external IP). As such, trying to add anything is pointless. However, if I reboot the whole server all is good again. (Note I did initially reboot the whole server as required. Every time I do reboot the jail, rebooting the server brings everything back OK. But occasionally I have had to resolve faults with jammed files that require a reboot. Just annoying.)

  14. Hi.

    Love this guide.

    Im using PrivateVPN, and so far all in this guide seems to work just fine for me. I have an issue with the last command, where I should check If the VPN is working correctly.

    wget -qO - http://wtfismyip.com/text

    This command gives me this result.

    wget: Command not found

    Im using shell through the qbittorrent jail

      1. Thanks for the information. It was installed but in another version. I updated it and then it worked. Sadly the VPN is not working, so I’m doing something wrong. I think it might be the steps about the auth. I’m not sure I did that part correctly.
        # Automatic login (PIA credentials)
        auth-user-pass /usr/local/etc/openvpn/auth.txt
        auth-nocache

  15. So I’ve followed this guide to the letter and rechecked about 15 times, but the VPN still is not working (using PIA). I don’t see any obvious errors in messages but I do see this:
    UDP link local: (not bound)
    I’m fairly new to the FreeBSD/Linux world so I’m not sure if this is really an issue. I’ve changed the contents of auth.txt to invalid values and I do get a message saying auth failed so I think it’s reading the credentials correctly. And I appear to be getting an IP from PIA because I get this message (actual values hidden):
    Peer Connection Initiated with [AF_INET]xxx.xx.xxx.xxx:xxxx
    But if the VPN is running then any shell command to get outside (ping, wget, traceroute, etc) just “hangs” and the apps running in the jail cannot connect to the world. If I stop the VPN then those commands will work and the apps can connect. Any help/ideas would be appreciated!

  16. After following these steps, with openvpn running, it fails to look up host names. Goes back to working if I stop openvpn. Any ideas?

    1. Seems that access to local network no longer works when connected to OpenVPN. I’m new to Truenas so if anyone has any information to get it working will be much appreciated!

      1. After fiddling with all sorts of settings, the problem could be easily solved by not allowing the Deluge jail to automatically set the IPv4, because somehow it will set something like 172.x.x.x. Untick NAT and manually configure the IPv4 to your subnet, e.g. 192.168.1.x where x is an unused IP.

        That will allow Deluge or any other jail local network access and thus the webgui too. Hope this helps anyone in the same situation.

  17. So how to VPN killswitch TrueNAS 12 core? I can’t find a tutorial that actually works in my case. I got everything running including vpn, 0 issues, but no killswitch for the vpn.
    I’m running the qBittorrent plugin in a jail with openvpn inside as well, but ipfw has been a pita to configure, no luck

    1. Figured it out, it was the lines in the rules..
      this is TRUENAS 12.2-release-p11

      short and simple
      epair0b

      -=ipfw_rules=-
      ipfw -q -f flush

      CMD="ipfw -q add"
      VPN="tun0"

      # allow all local traffic on the loopback interface
      $CMD 00001 allow all from any to any via lo0

      # allow any connection to/from VPN interface
      $CMD 00010 allow all from any to any via $VPN

      # allow connection to/from LAN by qbittorent
      $CMD 00101 allow all from me to 10.0.2.0/24
      $CMD 00102 allow all from 10.0.2.0/24 to me

      # deny any qbittorent connection outside LAN that does not use VPN
      $CMD 00105 allow all from any to any 1198 out via epair0b
      $CMD 00106 deny all from any to any out via epair0b

  18. btw vpn works but trackers don’t. I can ping out with vpn active and not with vpn stopped.. so I have some conflicts somewhere else :/

    1. ok, it was a mistake on my end code above works wonderful
      as i have a second sub domain i had to manually add that to truenas global configuration manually including the dns and default gateway in my case 10.0.2.1
