FreeNAS: Add VPN Connection to a Jail

Install OpenVPN in FreeNAS
Adding a Virtual Private Network (VPN) connection to any system, including a FreeNAS jail, is critically important to protect your privacy. This is even more important if you plan to download media (movies, TV shows, music, books, etc.) from torrents or newsgroups, as content providers frequently search for individuals and groups circulating their intellectual property. This article will show you how to download and install the OpenVPN software, configure it for the VPN location you desire, set up the proper network connections, and then test that the connection is working, all within a FreeNAS jail. The article uses Private Internet Access (PIA) as an example VPN provider, but you should be able to follow the same process for other providers. There is also an option to install a VPN kill switch (which shuts down network traffic if you disconnect from the VPN). This article assumes that you already have a FreeNAS system up and running and have already set up the FreeNAS jail in which you want to include an OpenVPN connection.

This article is part of my series of FreeNAS setup, configuration and install articles.

Install OpenVPN

To install the OpenVPN software, which is the type of connection you will have to your VPN, you will need to get to the command prompt for your jail and enter the following command:

pkg install openvpn

If for some reason you get a message like: “No Packages Available to Install Have Been Found in the Repositories”, you can read this article for instructions on how to move past it: FreeNAS: No Packages Available to Install Have Been Found in the Repositories

We will also need nano, a text editor, and wget to download the necessary config files and to test the connection. You can install these programs with the following commands:

pkg install nano
pkg install wget

Setup OpenVPN

As noted, this article will use Private Internet Access (PIA) as an example for configuration, but you can use the same process for other VPN providers.

Let's start by creating a directory for the OpenVPN software:

mkdir /usr/local/etc/openvpn

Next we will need to create a file to store our login credentials for the VPN provider. The following command will open the nano text editor for a blank file in which you should put your VPN username on the first line and your VPN password on the second line:

nano /usr/local/etc/openvpn/auth.txt

Alternatively, you can create this file with the following two commands, where [username] and [password] are your VPN username and password respectively. Type the values literally inside single quotes so the shell does not try to expand characters such as $:

echo '[username]' > /usr/local/etc/openvpn/auth.txt
echo '[password]' >> /usr/local/etc/openvpn/auth.txt

As this file contains your username and password, we will next need to change the security on it to make it only accessible to those that need it with the following command:

chmod 0600 /usr/local/etc/openvpn/auth.txt
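
The steps above create auth.txt with the default file mode and only restrict it afterwards. The following is an added example (not part of the original article) that writes the file with owner-only permissions from the start and stores the credentials literally; the helper names write_vpn_auth and check_vpn_auth are hypothetical.

```sh
#!/bin/sh
# Added example: create the OpenVPN credentials file with owner-only
# permissions from the first byte written, instead of creating it with the
# default mode and tightening it afterwards.
# write_vpn_auth and check_vpn_auth are hypothetical helper names.

write_vpn_auth() {
    # $1 = credentials file, $2 = VPN username, $3 = VPN password
    (
        # umask 077 in a subshell: a newly created file gets mode 0600 and
        # the caller's umask is left unchanged.
        umask 077
        # printf '%s\n' stores each value literally on its own line, so
        # characters such as @, $ or \ in the credentials are not interpreted.
        printf '%s\n%s\n' "$2" "$3" > "$1"
    ) || return 1
    # If the file already existed, its old mode was kept; tighten it.
    chmod 0600 "$1"
}

# Succeeds only if the file has exactly two lines and mode -rw-------.
check_vpn_auth() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)
    lines=$(wc -l < "$1" | tr -d ' ')
    [ "$mode" = "-rw-------" ] && [ "$lines" -eq 2 ]
}

# Interactive use: sh vpn_auth.sh /usr/local/etc/openvpn/auth.txt
# The values are read from the terminal, with echo off for the password,
# so they do not end up in the shell history or on screen.
if [ -t 0 ] && [ -n "${1:-}" ]; then
    printf 'VPN username: '; read -r vpn_user
    printf 'VPN password: '; stty -echo; read -r vpn_pass; stty echo; printf '\n'
    write_vpn_auth "$1" "$vpn_user" "$vpn_pass" && check_vpn_auth "$1"
fi
```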

Now we create a temporary directory to download all the VPN information into with the following command:

mkdir /usr/local/etc/openvpn/download

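And then we will download the VPN configuration files (in this case for PIA) with the following commands. Note that the --no-check-certificate flag tells wget to skip TLS certificate verification, so the download is not authenticated; leave the flag off if the jail has a CA certificate bundle installed: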

cd /usr/local/etc/openvpn/download
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
unzip openvpn.zip

Now if you do an ls in this directory you will see a bunch of files with different country, city and region names. This is the OpenVPN connection information for servers in those countries. Select which city or region you want to connect to and copy that file to the OpenVPN directory as the default config file (this example uses Denmark):

cp Denmark.ovpn /usr/local/etc/openvpn/openvpn.conf

You will now need to add the following lines to the bottom of the file you just copied (openvpn.conf) so that the VPN connection logs in and starts automatically when the jail boots.

# Automatic login (PIA credentials)
auth-user-pass /usr/local/etc/openvpn/auth.txt
auth-nocache

To edit the file, use the nano text editor with the following command: nano /usr/local/etc/openvpn/openvpn.conf

Enable OpenVPN

Now that everything is configured, we can enable OpenVPN and begin to use the VPN connection.

Edit the system config file with nano using the following command:

nano /etc/rc.conf

and add the following to the bottom of the file:

# Enable OpenVPN
openvpn_enable="YES"
openvpn_if="tun"

Alternatively, instead of editing the file you can also use the following commands:

sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

You can now manually start your VPN with /usr/local/etc/rc.d/openvpn start. However before you do, there is one more thing you need to do. Quit the jail shell. Shut down the jail. Go to the overall FreeNAS shell (for the whole FreeNAS system, accessed from the menu in the web interface on the left-hand side) and enter the following, where [jailname] is the name of the jail in which you have just installed and configured OpenVPN:

iocage set allow_tun=1 [jailname]

Now, you will need to reboot the entire FreeNAS server. Yes, the whole physical machine. Yes, this is a real pain.

Testing the VPN Connection

Once the server comes back up after its reboot, enter your jail and test whether the VPN connection is working by using the following command:

wget -qO - http://wtfismyip.com/text

If the result of this command is an IP address different from your ISP’s IP, then you are good and the VPN is working!
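
If the command still returns your ISP's address, the settings in /etc/rc.conf are the first thing to check, since the comments below trace that symptom to typographic quotes pasted into the file. The following check is an added example, not part of the original article; the function names check_openvpn_rc and rc_value are hypothetical.

```sh
#!/bin/sh
# Added example: check rc.conf for the problems reported in the comments.
# check_openvpn_rc and rc_value are hypothetical helper names.

# Print the last value assigned to variable $2 in file $1 (the last
# assignment wins when rc.conf is read). Only plain or "double-quoted"
# values match, so a value wrapped in typographic quotes yields nothing.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([A-Za-z0-9]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Prints one finding per line; returns 0 only if the settings look usable.
check_openvpn_rc() {
    rc_file=${1:-/etc/rc.conf}
    status=0
    # Typographic quotes pasted from a web page are ordinary characters to
    # the shell, so they become part of the value instead of delimiting it.
    if LC_ALL=C grep -n '^[[:space:]]*openvpn_' "$rc_file" |
        LC_ALL=C grep -E '“|”|‘|’'; then
        echo "FAIL: typographic quotes on the line(s) above; retype them or use sysrc"
        status=1
    fi
    enable=$(rc_value "$rc_file" openvpn_enable)
    case $enable in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) echo "OK: openvpn_enable=$enable" ;;
        *) echo "FAIL: openvpn_enable is not set to YES"; status=1 ;;
    esac
    iface=$(rc_value "$rc_file" openvpn_if)
    case $iface in
        tun) echo "OK: openvpn_if=$iface" ;;
        *) echo "FAIL: openvpn_if is not set to tun"; status=1 ;;
    esac
    return "$status"
}

# Run against the real file only when the script is executed with --run.
if [ "${1:-}" = "--run" ]; then
    check_openvpn_rc /etc/rc.conf
fi
```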

VPN Kill Switch

I have not yet tested this out, but you can add a VPN kill switch which would disconnect you from the internet if your VPN disconnects and is no longer protecting you. The following link contains directions for this kill switch (as well as much of the content for the creation of this article):

https://github.com/danjacques/freenasdocs/blob/master/guides/vpn-client-jail.md

Happy VPNin’!

~Raze42

Updated: April 17, 2020


34 thoughts on “FreeNAS: Add VPN Connection to a Jail”

  1. I created a new jail and did everything

    when I finished rebooting my FreeNAS I turned on the jail and looked on the wget website and my normal IP was showing

    I tried starting the openvpn by the command /usr/local/etc/rc.d/openvpn start and then it showed this

    /usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
    Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.

    tried doing onestart

    kldload: can’t load if_”tun”: Operation not permitted
    /usr/local/etc/rc.d/openvpn: WARNING: Unable to load kernel module if_”tun”
    /usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn

    I'm using FreeNAS 11.3, is that the problem maybe?


      1. Yes, like the ssh itself was telling me to go check the rc.config and enable the openvpn_enable=”Yes”
        I did that and the command was already inside the rc.config.
        Also I think the “tun” part is not working for me
        I stopped the jail/went to the ssh of FreeNAS/typed the last command and rebooted the machine but it still didn't work, if you have a solution I would like some help
        I was thinking of using my Raspberry Pi and making an OpenVPN there if there is no solution in FreeNAS


      2. Yes, I ran the iocage command on the FreeNAS shell with my vpnjail already closed.

        Sorry for the trouble, I really liked your other guides, like how to install radarr, sonarr, jackett, qbittorrent, and every one of those worked perfectly. Thank you very much for that

        back to the issue, if this thing doesn’t work I think I will do an OpenVPN on my Pi and connect it to the FreeNAS.
        Do you have an idea if this will work? I'm still learning to do those things and I would like a suggestion if you don’t mind 🙂


  2. After following the guide and resetting the server I ran the “wget -qO – http://wtfismyip.com/text” command and got the same IP as I did before. I then ran the “usr/local/etc/rc.d/openvpn start” command and got “usr/local/etc/rc.d/openvpn: Command not found.” Do you know where I am going wrong?


    1. Nevermind I tried again and got the same “/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
      Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.” as the guy above.


  3. I had the same issue. However, this is because I copied the lines from this website instead of typing it. When you look really closely in your own rc.conf file you see that the quotation marks (“) are different. Adjust them and then it should work.


    1. Thanks Etienne – seems like you may have discovered the root of the problems people are having.

      For those having issues with the rc.conf file it seems there may be a copy and paste problem and something to do with the quotation marks. I’ve included alternate instructions above using the sysrc command. You will need to remove the lines from your rc.conf file and then run the two commands. Hopefully that resolves the issues people are having.

      LMK.

      ~Raze


  4. it still shows my own IP
    I checked the quotation marks, also tried removing it through the nano editor and using the sysrc commands, but still it shows my own IP address. What else could I be doing wrong?


  5. ok after choosing another server from the list I now have another problem, when I try to do the command to check my ip it just hangs, no response. I tried pinging, no response… do I have some network settings to configure in the jail?


  6. This tutorial was very helpful. I, too, was burned by copy and paste in the

    # Enable OpenVPN
    openvpn_enable=”YES”
    openvpn_if=”tun”

    step of the install. The “WARNING: $openvpn_enable is not set properly – see rc.conf(5).” was fixed by replacing the quotation marks in the pasted text with those resident in the editor.

    A second problem was the instruction “You can now manually start your VPN with /usr/local/etc/rc.d/openvpn start.” This is the only place in the instructions where a prior step is given after (“However before you do, there is one more thing you need to do…”). I had become complacent and wasn’t reading ahead, but I did eventually notice this.

    My third problem was that I mistyped my password in the auth.txt file. I had no idea which of the many steps I had messed up. I looked around for a log file, then I Googled around looking for a way to enable a log file, then I decided to retrace every step line by line. My girlfriend actually noticed my typo, I was seeing what I wanted to see.

    So thank you again – I have posted this feedback in case it helps someone else!

    -Evan


  7. Hey guys, can anyone help with a small problem I have? My username is my email address and I don’t think it likes the @ symbol because when I put in

    echo “${x@y.com}” > /usr/local/etc/openvpn/auth.txt

    I get

    Missing ‘}’.

    Is there an escape character or something I should use instead?

    Any help appreciated!


    1. Forget this, I was being overly strict on the instructions. I just put the username and password in the file on separate lines, and restarted the jail.
      Someone also mentioned to run nano etc/resolv.conf and changed nameserver to 8.8.8.8 and 8.8.4.4 and it started working again.
      It should be nano /etc/resolv.conf and changed nameserver to 8.8.8.8 and 8.8.4.4 and it started working again. TINY difference meant a world of difference as his instructions only worked if you were in the root directory.
      Thanks for the tutorial though!!!


  8. Just ahead of actually installing this on my server, will this automatically run when the server boots say after a power failure and also what settings do you have for the newly created jail ie. DHCP and all that..
    Thanks in advance.


    1. When you create the jail you can set it to run on startup and configure for dhcp and it should startup and run on its own when the server comes on after power failure.


  9. Freenas noob here, how would I find an open port through PIA to forward? My listening IP through transmission keeps showing as closed


  10. Hi there, Great tutorial. I am having an issue where in the jail cell, it appears the VPN is working because the Wget command spits out the VPN IP. However when I go into the deluge program (which is the same jail) the icon in the bottom right hand corner is still showing my public IP and when I put a torrent in, it says no route to host. Any idea why the VPN appears to be working in the shell and not in the plugin?


  11. Right, so in the less than 2 minutes since I wrote that, I changed the resolv.conf to 8.8.8.8 and it's now working. However deluge is still displaying my public IP in the bottom right hand corner but the shell says my IP is still the VPN IP. Not sure what's going on here

