• How to set up and run NAS4Free’s BitTorrent client through Openvpn & Torguard ***UPDATED Nov. 2014***

    by  • February 18, 2013 • Computing • 32 Comments

    Nowadays, it is prudent to protect your privacy when downloading torrents on the net.  A few lawsuits have recently been brought against ISPs by businesses seeking damages from users allegedly downloading illegal content. Many of these lawsuits have centered on trying to get the ISPs to release lists of customer IP addresses along with their associated activity logs. Having used FreeNAS and, more recently, NAS4Free’s BitTorrent client, I thought it would be interesting to see if we could get OpenVPN installed and working through the NAS firewall to ensure only protected traffic is tunneled through our BT client.

    I am currently using Torguard for VPN and I can highly recommend them.  They offer many locations worldwide, are reasonably priced and have excellent customer service when you need it.  Here are the steps I followed to get VPN working on my NAS4Free server:

      1. You will need a VPN provider in order to get this going.  Click here to try Torguard.

     

      2. You will also need to know how to connect to your server using SSH (not covered in this guide).

     

      3. Prepare Environment: SSH in and create the following directories on one of your mounted NAS drives (/mnt/your drive). In this example I am using “Media2”.
        cd /mnt/Media2
        mkdir extensions
        cd extensions
        mkdir var
        mkdir usr
        mkdir tmp
        mount_unionfs -o w /mnt/Media2/extensions/usr/ /usr/
        umount -f /var
        mount_unionfs -o w /mnt/Media2/extensions/var/ /var/

     

      4. Create startup command for environment:
        In NAS4Free, navigate to: “System|Advanced|Command scripts” and insert the following start-up command:
        mount_unionfs -o w /mnt/Media2/extensions/usr/ /usr/

        (be sure to replace “Media2” with your correct path)

     

      5. Install OpenVPN:
        setenv PKG_TMPDIR /mnt/Media2/extensions/tmp/
        setenv PACKAGESITE "ftp://ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/amd64/9.1-RELEASE/packages/Latest/"
        pkg_add -rv openvpn

        (if you are installing onto a 32 bit system change “amd64” to “i386”)

     

      6. Install certificates and .ovpn files.
        Create the directory: mkdir /mnt/Media2/extensions/usr/local/etc/openvpn
        Go to Torguard and get the zipped certificates and .ovpn files so you can securely connect to the Torguard network. Unpack the OpenVPN config files (Manual Install) into the OpenVPN folder you just created above.
        Pick one of the *.ovpn files and rename it to “openvpn.conf”
        (though later on you can use the *.ovpn files directly by specifying them in the autosignon script if you want)

     

      7. Test out our setup so far:
        # Start VPN
        /usr/local/etc/rc.d/openvpn start /usr/local/etc/openvpn/openvpn.conf
        (enter your Torguard username and password)
        # Test the VPN
        ifconfig tun0
        (you should see something like this:)
        $ ifconfig tun0
        tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
            options=80000<LINKSTATE>
            inet6 fe80::216:76ff:fedb:b529%tun0 prefixlen 64 scopeid 0xc
            inet 10.8.0.26 --> 10.8.0.25 netmask 0xffffffff
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            Opened by PID 2991
        That means the tunnel is up and working!

     

      8. Configure firewall rules to ensure all WAN traffic goes through the VPN. ***UPDATED***
        If you are using the NAS for other WAN-facing purposes, remember that there is no way to send only BT traffic through the VPN. In this configuration, ALL WAN-bound traffic will use the VPN tunnel.
        Click here to download these handy firewall rules. Navigate to “Network|Firewall”, import the rules and enable them.
        Remember to modify the destination subnet to match your VPN provider’s network (Torguard’s is 10.8.0.54/24).

        • Torguard is growing and, apparently, so are their subnets: the original subnet listed above is not the only one they use now.  Suppose the BT client is not finding peers, a ping test through the ssl login shows ‘request timed out’ messages, AND running ifconfig tun0 in the Advanced > Command window returns something like:
          $ ifconfig tun0
          tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
          	options=80000<LINKSTATE>
          	inet6 fe80::216:76ff:fedb:b529%tun0 prefixlen 64 scopeid 0xa 
          	inet 10.9.0.58 --> 10.9.0.57 netmask 0xffffffff 
          	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          	Opened by PID 4776


          Then you know you are good to go as far as the TG VPN connection is concerned. The problem lies in the firewall configuration. You simply need to add a new subnet to the firewall config like so:
          [screenshot: new-fw]

          Just look at the inet line in the ifconfig tun0 output above for the subnet info and add it to your FW config. Restart your BT client and it should now work as advertised.

           

     

      9. Now we need to automate this sucker to survive reboots.
        We need to install “expect”.
        pkg_add -r expect

     

      10. Create an autosignon file in your OpenVPN directory and add the following code:
        #!/usr/local/bin/expect -f
        # Note: this file holds the VPN credentials in plain text
        set force_conservative 0
        if {$force_conservative} {
            set send_slow {1 .1}
            proc send {ignore arg} {
                sleep .1
                exp_send -s -- $arg
            }
        }
        # Start OpenVPN with the openvpn.conf in the current directory
        spawn openvpn openvpn.conf
        match_max 100000
        # Answer the two credential prompts
        expect -exact "Enter Auth Username:"
        send -- "YOUR_USERNAME_HERE\r"
        expect -exact "Enter Auth Password:"
        send -- "YOUR_PASSWORD_HERE\r"
        expect eof

     

      11. Add the “autosignon” script to the startup at “System|Advanced|Command scripts”:
        cd /mnt/Media2/extensions/usr/local/etc/openvpn/; ./autosignon &

     

      12. Test it out at: “Advanced|Execute command”
        Make sure OpenVPN is stopped (in case it is running from before): /usr/local/etc/rc.d/openvpn stop
        Start the autosignon script by running: cd /mnt/Media2/extensions/usr/local/etc/openvpn/; ./autosignon &
        Check it out by running: ifconfig tun0
        Check that you are seeing the same output as in step 7 above.
        Try pinging google.com from the command window.

     

    That’s it, you should be good to go!  If something is not working, check out the log files from the server at: “Diagnostics|Log”.
    Here are a couple of quick OpenVPN commands for troubleshooting:

    • # stop all openvpn processes
      killall -TERM openvpn
    • #Check connection
      ifconfig tun0
    • #Stop openvpn
      /usr/local/etc/rc.d/openvpn stop

    How to Create a ‘Keepalive’ script so your Transmission/VPN never goes down

    Here is a useful script to keep the server running 24/7.

    Copy the following code into a file and call it ‘transmission-keepalive.sh’:

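    #!/bin/sh
    # Restart the VPN and Transmission when the test host is unreachable
    HOSTS="google.com"
    COUNT=2
    for myHost in $HOSTS
    do
        # Number of ping replies received (empty if ping printed no summary)
        count=$(ping -c "$COUNT" "$myHost" | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
        if [ "${count:-0}" -eq 0 ]; then
            # 100% failed so startup VPN
            killall -TERM openvpn
            # autosignon loads openvpn.conf from its own directory
            cd /mnt/Mirror_2/Media2/extensions/usr/local/etc/openvpn/ && ./autosignon
            cd /etc/rc.d/
            ./transmission restart
        fi
    done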

    Adjust the path to your ‘/extensions/usr/local/etc/openvpn/’ directory if it differs from mine and make the script executable (chmod +x transmission-keepalive.sh). Then test the script by calling ‘transmission-keepalive.sh &’ (from wherever you saved it) from the command line. If you have no errors, create a cron job and call the script every 15 minutes.  The script will only act if your VPN is down, so the 15 minute interval should not significantly increase your server load. If you have any problems starting the server, check out the troubleshooting section below, as TG has most likely changed their settings.

    Troubleshooting and Updated Information (As of 11/22/2014)

    So you followed all the instructions and it’s not working. Well there are a few steps you can take to find out why.

    • Check the log files. Go to the NAS4Free ‘Diagnostics>>Log’ menu, look at the log files and find out why your NAS won’t connect when the firewall is enabled.
      Post them here and we will try to walk you through it, as every system is different and poses unique challenges. I have been using this method for years now and it DOES work as advertised.
    • What to do when everything WAS working fine and it has suddenly stopped working: start by running the ‘ifconfig tun0’ command. If you are getting a message like ‘root: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn’, check your logs (see above). Looking at the logs we see something like the following:
      ‘openvpn[2902]: Cannot load CA certificate file globalca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib’
      Usually this means that Torguard has updated their configuration files and you need to replace your old files in the ‘/mnt/Media2/extensions/usr/local/etc/openvpn/’ directory with updated ones from the Torguard site. The error above is generated because TG has recently started using only one crt file, which is now called ca.crt (formerly known as globalca.crt). Open openvpn.conf and change the ‘globalca.crt’ line to ‘ca.crt’, kill the process, restart autosignon and restart the BT client, and you should be in business.
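
    The globalca.crt failure above can be caught before restarting anything by checking that every file the config names is really in the OpenVPN directory. This is an added example, not part of the original post; missing_files and demo are hypothetical names, and the demo config with its placeholder remote host is constructed.

```shell
#!/bin/sh
# Added example: report files an OpenVPN config names but that are missing.
# Relative names are resolved against the config's directory, matching how
# the guide runs openvpn from inside that directory.

# $1 = path to openvpn.conf; prints "directive: file" for each missing file.
missing_files() {
    conf_dir=$(dirname "$1")
    awk '
        { sub(/\r$/, "") }        # tolerate CRLF line endings
        /^[ \t]*[#;]/ { next }    # skip comment lines
        $1 ~ /^(ca|cert|key|tls-auth|crl-verify|pkcs12)$/ && NF >= 2 {
            print $1, $2
        }' "$1" |
    while read -r directive file; do
        case $file in
            /*) path=$file ;;
            *)  path=$conf_dir/$file ;;
        esac
        [ -r "$path" ] || echo "$directive: $file"
    done
}

# Constructed demo: an old config that still names globalca.crt, next to a
# bundle that now ships ca.crt only. The remote host is a placeholder.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'client' 'dev tun' 'remote vpn.example.invalid 1194' \
        'ca globalca.crt' 'auth-user-pass' > "$dir/openvpn.conf"
    : > "$dir/ca.crt"
    echo "before: $(missing_files "$dir/openvpn.conf")"
    sed 's/^ca globalca\.crt$/ca ca.crt/' "$dir/openvpn.conf" > "$dir/fixed.conf"
    echo "after:  $(missing_files "$dir/fixed.conf")"
    rm -rf "$dir"
}

demo
```

    On the NAS you would call missing_files with the path to your own openvpn.conf; an empty result means every referenced file was found.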

    32 Responses to How to set up and run NAS4Free’s BitTorrent client through Openvpn & Torguard ***UPDATED Nov. 2014***

    1. February 18, 2013 at 16:58

      Great Post! Thanks for the contribution…

    2. German
      March 3, 2013 at 23:18

      Thanks for a nice detailed post but I am stuck on step 7 I get error “openvpn[4158]: ERROR: could not read Auth username from stdin” I tried adding user name and password in config file but still doesn’t work. I am a newbie to the command line so I may be missing something obvious. Thank you for any response you may give me.

    3. March 4, 2013 at 07:53

      Is the firewall blocking your VPN? Try turning off the firewall and logging in again. Check the log in your Free4Nas web gui for helpful error messages also.

    4. German
      March 5, 2013 at 22:37

      I know I am missing something obvious. I tried to insert my credentials in different ways with last attempt add a password.txt file but still failed. I don’t know how to enter my credentials and there lies my problem. I put nas on dmz briefly made sure no firewall was running and no luck. On your steps you indicated the following “(enter your Torguard username and password)” I am completely lost on that part. Thank you for your time

    5. German
      March 6, 2013 at 19:34

      I found my mistake I needed to run that command in ssh and I was doing it in the nas command page. Now seems to work but doesn’t connect to torguard with the firewall in place. Sorry to bother you with this but seems like no one has done this with torguard. My ignorance in command line leaves me lost. I am so close though.

    6. March 6, 2013 at 19:50

      You CAN do it. I did! You need to log on to SSH and connect to OpenVPN and run: #Start VPN
      /usr/local/etc/rc.d/openvpn start /usr/local/etc/openvpn/openvpn.conf and enter your TG username and PW, and then check it in the N4F log.

    7. German
      March 10, 2013 at 17:41

      Success!! But up to connecting to torguard I can’t for the life of me get the script to auto connect, I will continue to research it. Also expect doesn’t want to install or I should say it refuses to install. Is there a manual way of installing expect and how do I properly make the script. Any pointers would be appreciated. Thank you.

    8. German
      March 10, 2013 at 18:37

      I also am trying to forward port 9091 out of n4f to connect transdroid via ddns service used to work before but now I can’t seem to open firewall for it.

      • March 10, 2013 at 19:30

        Why don’t you just edit my firewall rule that I used for Torguard. Just go to the firewall and click on the Torguard rule and edit it so the port is now 9091? You also need to install expect from the command line using the above instructions. When you installed it the first time did you get any errors?

    9. Matt
      April 22, 2013 at 19:30

      I’m getting stuck on Step 11. When I try to run the command from ssh I’m getting:

      /mnt/NAS/extensions/usr/local/etc/openvpn/: Permission denied

      I’m logged in as root and all the folder and file permissions are set correctly. Any thoughts?

      • April 22, 2013 at 19:37

        What permissions are set on that folder? What do you get when you run ls -l? My openvpn permissions are: -rw-rw-r--. Is the file executable?

        • Matt
          April 22, 2013 at 21:05

          ls -l on openvpn gives me

          drwxr-xr-x 2 root wheel

          I have no problems accessing the folder, I only get the error when I try to execute the program. I’m not sure how to tell if the file is executable…

          • April 23, 2013 at 06:33

            Well your ‘autosignon’ file needs to have execute permissions to run. My autosignon file (extensions/usr/local/etc/openvpn/autosignon) has the permissions: -rwxr-xr-x. If you don’t have permission as root in ssh to access the openvpn folder you have a problem. You can use the GUI in Nas4Free’s ‘File Manager’ to check permissions also.

        • Matt
          April 22, 2013 at 22:45

          Update: I did make sure the file is executable. I’m still getting the permission denied.

        • Matt
          April 28, 2013 at 12:27

          I believe I’ve fixed the “permission denied” error by remounting the entire directory with exec permissions. Now, however, I’m getting “no such file or directory” when I try to execute the file. The file exists (obviously), folder and file execute permissions are set correctly…any idea why it would say there’s no such file or directory? Could it be a library issue (i.e. are there any libraries I should have installed to get autosignon to execute?)?

          • April 28, 2013 at 19:37

            Did you install expect (pkg_add -r expect)? What does the log say in Free 4 NAS? You will need to debug your problem using the logfiles.

            • Matt
              April 28, 2013 at 23:01

              Yes, expect is installed. The N4F log files don’t show anything, which makes sense since nothing is executing within N4F. I think it has something to do with the first line of the script, but I don’t know enough about writing scripts to fix it. If you have any other suggestions let me know.

    10. April 29, 2013 at 20:01

      I am thinking that something didn’t go right when you created the environment (Step 3). That could be why none of the files will execute properly. I am the kind of person that just refuses to give up no matter what! So if it was me, I would redo the instructions again from scratch. All I can tell you is that it works for me on my F4N box and theoretically, it should work for you too.

    11. Chris
      February 16, 2014 at 10:35

      Hi,

      This is a great guide but doesn’t seem to work in freenas 9.2.1. I cannot get it to install openvpn at all. I have no programming experience whatsoever and would really appreciate a step by step guide that would enable me to setup torguard on my freenas server.

      Thanks in advance.

    12. March 7, 2014 at 13:50

      I am having major issue getting the autosignon script to work, any suggestions? If I reboot my NAS it just sits waiting on the username and password, if I run the command from the web ui it works…

    13. March 7, 2014 at 15:57

      Don’t worry, I worked it out.

      “Moving openvpn file so it does not get executed every time when system is being started, otherwise your boot process will get stopped and you will be asked for a username/password (it took me a while to figure it out…),it seems like NAS4Free executes all the files inside “rc.d” folder on startup (handy knowledge), in SSH type in :
      mv /usr/local/etc/rc.d/openvpn /extensions/usr/local/etc/openvpn/”

      from…http://forums.nas4free.org/viewtopic.php?f=47&t=3872

    14. March 7, 2014 at 16:08

      I have one general question regarding firewall setup here. For me it appears as though you are providing VPN traffic on the IP address of the tunneling interface, and not your external WAN – which makes sense to me.

      However, since the IP address you will be assigned from the VPN service will be private, aren’t you better off doing a broader subnet mask – such as 10.0.0.0/8?

      Also, you need to indicate that openvpn should be moved out of rc.d folder, otherwise it will autostart before you can use your autosignon script. Something like the following:

      mv /usr/local/etc/rc.d/openvpn /usr/local/etc/openvpn/

      I’d appreciate more details on the firewall issue for sure.

      • August 8, 2014 at 19:16

        Yes, you are right. You should be putting in the entire subnet for good measure (i.e. 10.9.0.0/24). I have updated the post with the new information. If you can’t get this to work it is most likely a firewall issue (see above).

    15. Ricardo
      March 24, 2015 at 09:16

      For some reason now, I can’t connect to any peers. I’m getting the openvpn[872]: Authenticate/Decrypt packet error: cipher final failed error. I’ve changed my firewall rules etc to the broader subnet mask but nothing is happening still. Any thoughts?

      • March 24, 2015 at 09:38

        What happens when you disconnect the firewall? Can you ping google? Also, what do your logfiles say when you try to connect (click: Diagnostics > log)?

    16. jason
      July 12, 2015 at 16:55

      mount_unionfs -o w /mnt/”videos/extensions/usr/ /usr/ kills the network connection to my server. Why is this? I have been looking for the answer but can’t figure it out anywhere. I can’t finish setting up Openvpn if I can’t get this command to work the way it should.

      I’m running N4F 9.3 embedded if that helps any. Also does it matter that there doesn’t appear to be 9.3 packages in freebsd repository? Can I just use 9.2 packages?

      • July 12, 2015 at 19:46

        In the string mount_unionfs -o w /mnt/"videos/extensions/usr/ /usr/ you have a ” before videos. Is this a typo?

        • jason
          July 12, 2015 at 20:14

          Yes it is, but I did not actually enter that as part of the command just to be clear.

          • July 13, 2015 at 07:03

            I ran into the same problem and I pinned it down to the fact that N4F is out of date when it comes to FreeBSD libraries. Combine this with the almost complete lack of support for old versions on FreeBSD and it gets hard to keep your older systems running effectively. I could not make this process work with N4F in version 10 at all. In fact, I have switched back to Free Nas which has come a long way since I last used it. I will post a new how-to soon on how to set up VPN in Free Nas jails. Using the Sick Rage, transmission and Couch Potato plugins my system is better than it has ever been!

            • jason
              July 13, 2015 at 08:38

              I have almost 35tb worth of storage on my server (spread over 10 drives) and only 2gb of ram. I’d say it typically handles light to moderate reading/writing.

              I feel like this means I am stuck with NAS4Free since based on what I have read I don’t have nearly enough RAM. I know this might seem like a waste of time but is there any way to get openvpn working on N4F since I guess I am stuck with it?

              All I want is a server I can use to safely store my tons of games and use sickrage/transmission/sabnzbd.

              Thank you by the way. You are the first person to get back to me and I have been lurking multiple forums for several days.

    17. Pingback: Set up VPN for Transmission on Freenas 9.2 | Rick's Technical Education Resource

    18. July 13, 2015 at 21:06

      I feel your pain. I switched back to FreeNas – check out my post on how to configure VPN for Transmission using jails. http://tblog.myriad.ca/?p=179
