FreeNAS: Add VPN Connection to a Jail

Install OpenVPN in FreeNAS

Adding a Virtual Private Network (VPN) connection to any system, including a FreeNAS jail, is critically important to protect your privacy. This is even more important if you plan to be downloading media (movies, TV shows, music, books, etc.) from torrents or newsgroups as content providers are frequently searching for individuals and groups circulating their intellectual property. This article will show you how to download, install the OpenVPN software, configure the software for the VPN location you dessire, setup the proper network connections, and then test to ensure the connection is working all within a FreeNAS jail. In this case, the article will be using Private Internet Access (PIA) as an example VPN provider, however you should be able to follow the same process for other providers. There is also an option to install a VPN kill switch (shuts down network traffic if you disconnect from the VPN). This article assumes that you already have a FreeNAS system up and running and have already setup the FreeNAS jail in which you want to include an OpenVPN connection.

This article is part of my series of FreeNas setup, configuration and install articles.

UPDATE: I have updated this article for TrueNAS and you can read the update version on the new digiMoot website here: TrueNAS: Add VPN Connection to a Jail.

Install OpenVPN

To install the OpenVPN software, which is the type of connection you will have to your VPN, you will need to get to the command prompt for your jail and enter the following command:

pkg install openvpn

If for some reason you get a message like: “No Packages Available to Install Have Been Found in the Repositories”, you can read this article for instructions on how to move past it: FreeNAS: No Packages Available to Install Have Been Found in the Repositories

We will also need nano, a text editor, and wget to download the necessary config files and to test the connection. You can install these programs with the following commands:

pkg install nano
pkg install wget

Setup OpenVPN

As noted, this article will use Private Internet Access (PIA) as an example for configuration, but you can use the same process for other VPN providers.

Lets start by creating a directory for the OpenVPN software:

mkdir /usr/local/etc/openvpn

Next we will need to create a file to store our login credentials for the VPN provider. The following command will open the nano text editor for a blank file in which you should put your VPN username on the first line and your VPN password on the second line:

nano /usr/local/etc/openvpn/auth.txt

Alternatively you can create this file with the following two commands where [username] and [password] are your VPN username and password respectively:

echo "${USERNAME}" > /usr/local/etc/openvpn/auth.txt
echo "${PASSWORD}" >> /usr/local/etc/openvpn/auth.txt

As this file contains your username and password, we will next need to change the security on it to make it only accessible to those that need it with the following command:

chmod 0600 /usr/local/etc/openvpn/auth.txt

Now we create a temporary directory to download all the VPN information into with the following command:

mkdir /usr/local/etc/openvpn/download

And then we will download the VPN configuration files (in this case for PIA) with the following commands:

cd /usr/local/etc/openvpn/download
wget --no-check-certificate

Now if you do an ls in this directory you will see a bunch of files with different country, city and region names. This is the OpenVPN connection information for servers in those countries. Select which city or region you want to connect to and copy that file to the OpenVPN directory as the default config file (this example uses Denmark):

cp Denmark.ovpn /usr/local/etc/openvpn/openvpn.conf

You will now need to add the following lines to the bottom of the files you just copied in order to have the VPN connection start automatically when the jail boots.

# Automatic login (PIA credentials)
auth-user-pass /usr/local/etc/openvpn/auth.txt

Use the nano text editor with the following command: nano /usr/local/etc/openvpn/openvpn.conf.

Enable OpenVPN

Now that everything is configured, we can enable OpenVPN and begin to use the VPN connection.

Edit the system config file with nano using the following command:

nano /etc/rc.conf

and add the following to the bottom of the file:

# Enable OpenVPN

Alternatively, instead of editing the file you can also use the following commands:
sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

You can now manually start your VPN with /usr/local/etc/rc.d/openvpn start. However before you do, there is one more thing you need to do. Quit the jail shell. Shut down the jail. Go to the overall FreeNAS shell (for the whole FreeNas system, accessed from the menu in the web interface on the left hand side) and enter the following, where [jailname] is the name of the jail in which you have just installed and configured OpenVPN:

iocage set allow_tun=1 [jailname]

Now, you will need to reboot the entire FreeNAS server. Yes, the whole physical machine. Yes, this is a real pain.

Testing the VPN Connection

Once the server comes back up after its reboot, enter your jail with and test to see if the VPN connection is working by using the following command:

wget -qO -

If the result of this command in an IP address different from your ISP’s IP, then you are good and the VPN is working!

VPN Kill Switch

I have not yet tested this out, but you can add a VPN kill switch which would disconnect you from the internet if your VPN disconnects and is no longer protecting you. The following link contains directions for this kill switch (as well as much of the content for the creation of this article):

Happy VPNin’!


Updated: April 17, 2020

45 thoughts on “FreeNAS: Add VPN Connection to a Jail

  1. i created a new jail and did everyting

    when i finish rebooting my freenas i turned on the jail and looked on the wget website and my normal ip was showing

    i tried starting the openvpn by the command /usr/local/etc/rc.d/openvpn start and then it showed this

    /usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
    Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.

    tried doing onestart

    kldload: can’t load if_”tun”: Operation not permitted
    /usr/local/etc/rc.d/openvpn: WARNING: Unable to load kernel module if_”tun”
    /usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn

    im using freenas 11.3 is that the problem maybe?


      1. Yes like the ssh itself was telling me to go check the rc.config and enable the openbpn_enable=”Yes”
        I did that and the command was already inside the rc.config.
        Also i think the “tun” part is not working for me
        I stoped the jail/went to the ssh of freenas/typed the last command and rebooted the machine but still didnt work, if you have a solution i would like a help
        I was thinking of using my raspberry pi and making a openvpn there if there is no solution in the freenas


      2. Yes, i run the iocage command on the freenas shell with my vpnjail already closed.

        Sorry for the trouble, I really liked your others guide from like how to install radarr,sonarr,jackett,qbittorrent and every one of those worked perfectly Thank you very much for that

        back in the issue, if this thing doesn’t work i think i will do a OpenVPN on my Pi and connect it to the freenas.
        Do you have an ideia if this will work? im still learning to do those things and i would like a suggestion if you don’t mind 🙂


    1. get rid of the quotations marks on yes and tun and also make sure you rename the config file “openvpn.config”


  2. After following the guide and resetting the server I ran the “wget -qO –” command and get the same IP as I did before, I then I ran the “usr/local/etc/rc.d/openvpn start” command and got “usr/local/etc/rc.d/openvpn: Command not found.” Do you know where I am going wrong?


    1. Nevermind I tried again and got the same “/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
      Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.” as the guy above.


  3. I had the same issue. However, this is because I copied the lines from this website instead of typing it. When you look really closely in your own rc.conf file you see that the quotation marks (“) are different. Adjust them and then it should work.


    1. Thanks Etienne – seems like you may have discovered the root of the problems people are having.

      For those having issues with the rc.conf file it seems there may be a copy and paste problem and something to do with the quotation marks. I’ve included alternate instructions above using the sysrc command. You will need to remove the lines from your rc.conf file and then run the two commands. Hopefully that resolves the issues people are having.



      Liked by 1 person

  4. it still shows my own IP
    I checked the quotation marks, also tried removing it through the nano editor and using the sysrc commands, but still it shows my own IP address. What else could I be doing wrong?


  5. ok after choosing another server from the list I now have another problem, when I try to do the command to check my ip it just hangs, no response. I tried pinging, no response… do I have some network settings to configure in the jail?


  6. This tutorial was very helpful. I, too, was burned by copy and paste in the

    # Enable OpenVPN

    step of the install. The “WARNING: $openvpn_enable is not set properly – see rc.conf(5).” was fixed by replacing the quotation marks in the pasted text with those resident in the editor.

    A second problem was the instruction “You can now manually start your VPN with /usr/local/etc/rc.d/openvpn start.” This is the only place in the instructions where a prior step is given after (“However before you do, there is one more thing you need to do…”). I had become complacent and wasn’t reading ahead, but I did eventually notice this.

    My third problem was that I mistyped my password in the auth.txt file. I had no idea which of the many steps I had messed up. I looked around for a log file, then I Googled around looking for a way to enable a log file, then I decided to retrace every step line by line. My girlfriend actually noticed my typo, I was seeing what I wanted to see.

    So thank you again – I have posted this feedback in case it helps someone else!



  7. Hey guys, can anyone help with a small problem I have? My username is my email address and I don’t think it likes the @ symbol because when I put in

    echo “${}” > /usr/local/etc/openvpn/auth.txt

    I get

    Missing ‘}’.

    Is there an escape character or something I should use instead?

    Any help appreciated!


    1. Forget this, I was being overly strict on the instructions. I just put the username and password in teh file on separate lines, and restarted the jail.
      Someone also mentioned to run nano etc/resolv.conf and changed nameserver to and and it started working again.
      It should be nano /etc/resolv.conf and changed nameserver to and and it started working again. TINY difference meant a world of difference as his instructions only worked if you was in the root directory.
      Thanks for the tutorial though!!!


  8. Just ahead of actually installing this on my server, will this automatically run when the server boots say after a power failure and also what settings do you have for the newly created jail ie. DHCP and all that..
    Thanks in advance.


    1. When you create the jail you can set it to run on startup and configure for dhcp and it should startup and run on its own when the server comes on after power failure.


  9. Freenas noob here, how would I find an open port through PIA to forward? My listening IP through transmission keeps showing as closed


  10. Hi there, Great tutorial. I am having an issue where in the jail cell, it appears the VPN is working because the Wget command spits out the VPN IP. However when I go into the deluge program (which is the same jail) the icon in the bottom right hand corner is still showing my public IP and when I put a torrent in, it says no route to host. Any idea why the VPN appears to be working in the shell and not in the plugin?


  11. Right so in the less than 2 minutes that I wrote that, I changed the resolv.conf to and its now working. However deluge is still displaying my public IP in the bottom right hand corner but the shell says my IP is still the VPN IP. Not sure whats going on here


    1. Thx mate. I just ran trough this again a couple weeks ago and the openvpn files I linked worked. I have to do another run through to update these instructions for truenas and will look at these files then (couple weeks).


  12. Looking forward to an updated version of this post that supports Truenas. Your blogs are really helpful! Unfortunately I am having issues with openvpn. With nano /var/log/messages I can see the log file of openvpn inside my jail. This error is the culprit: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed. Any ideas on how to fix this?


      1. Right on. Thanks for sharing the solution. I’m in the process of rebuiling my jail with 12.2 and this will be the next article I update. Your experiences will help prepare that.


  13. I have managed (following your tutorial- thanks) to configure the PIA VPN correctly, as I can check using the following commands.

    root@JailTransmission:/ # wget -qO –
    root@JailTransmission:/ # /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    root@JailTransmission:/ # wget -qO –

    But once I start the VPN, Transmission stop connecting (web interfaces unreachable also)
    Any ideas on that???


    BTW, is there any fix for the resol.conf updating automatically


  14. Your guides are incredible! I don’t know what I’d do without your indirect assistance.
    With that said, I’m running into an error when trying to run manually start OpenVPN. This is the code I get:
    “/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn”
    Any insight would be greatly appreciated!


    1. Joshua,
      Try an experiment before you commit to VPN in a jail:
      1: Go to the command line of your jail.
      2: Install, say, “nano” and “wget”.
      3: Verify that the apps work.
      4: Update the jail.
      5: Go back to 3.
      I think you will find that, when the jail is updated, the apps are wiped back to only what was installed by creating the jail. I have numerous threats from ny ISP, which is how I learned about this after using this technique for months.
      As for your question, try typing cat /var/log/messages and see what it has to say. You can edit the VPN config file to increase the debug logging level if you are still stuck.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s