FreeNAS: Add VPN Connection to a Jail

Install OpenVPN in FreeNAS

Adding a Virtual Private Network (VPN) connection to any system, including a FreeNAS jail, is critically important to protect your privacy. This is even more important if you plan to download media (movies, TV shows, music, books, etc.) from torrents or newsgroups, as content providers frequently search for individuals and groups circulating their intellectual property. This article shows you how to download and install the OpenVPN software, configure it for the VPN location you desire, set up the proper network connections, and then test that the connection is working, all within a FreeNAS jail. The article uses Private Internet Access (PIA) as an example VPN provider; however, you should be able to follow the same process for other providers. There is also an option to install a VPN kill switch (which shuts down network traffic if you disconnect from the VPN). This article assumes that you already have a FreeNAS system up and running and have already set up the FreeNAS jail in which you want to include an OpenVPN connection.

This article is part of my series of FreeNAS setup, configuration and install articles.

An updated version of this article is posted on the NEW digiMoot website at:

TrueNAS: Add VPN Connection to a Jail


47 thoughts on “FreeNAS: Add VPN Connection to a Jail”

  1. I created a new jail and did everything

    When I finished rebooting my FreeNAS I turned on the jail and looked on the wget website and my normal IP was showing

    I tried starting the openvpn by the command /usr/local/etc/rc.d/openvpn start and then it showed this

    /usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
    Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.

    tried doing onestart

    kldload: can’t load if_”tun”: Operation not permitted
    /usr/local/etc/rc.d/openvpn: WARNING: Unable to load kernel module if_”tun”
    /usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn

    I’m using FreeNAS 11.3, is that the problem maybe?


      1. Yes, like the ssh itself was telling me to go check the rc.config and enable the openvpn_enable=”Yes”
        I did that and the command was already inside the rc.config.
        Also I think the “tun” part is not working for me
        I stopped the jail, went to the ssh of FreeNAS, typed the last command and rebooted the machine but it still didn’t work. If you have a solution I would like some help
        I was thinking of using my Raspberry Pi and making an OpenVPN there if there is no solution in FreeNAS


      2. Yes, I ran the iocage command on the FreeNAS shell with my vpnjail already closed.

        Sorry for the trouble, I really liked your other guides, like how to install radarr, sonarr, jackett, qbittorrent, and every one of those worked perfectly. Thank you very much for that

        Back to the issue, if this thing doesn’t work I think I will do an OpenVPN on my Pi and connect it to the FreeNAS.
        Do you have an idea if this will work? I’m still learning to do those things and I would like a suggestion if you don’t mind 🙂


    1. Get rid of the quotation marks on yes and tun and also make sure you rename the config file “openvpn.config”


  2. After following the guide and resetting the server I ran the “wget -qO - http://wtfismyip.com/text” command and get the same IP as I did before. I then ran the “usr/local/etc/rc.d/openvpn start” command and got “usr/local/etc/rc.d/openvpn: Command not found.” Do you know where I am going wrong?


    1. Nevermind I tried again and got the same “/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
      Cannot ‘start’ openvpn. Set openvpn_enable to YES in /etc/rc.conf or use ‘onestart’ instead of ‘start’.” as the guy above.


  3. I had the same issue. However, this is because I copied the lines from this website instead of typing it. When you look really closely in your own rc.conf file you see that the quotation marks (“) are different. Adjust them and then it should work.


    1. Thanks Etienne – seems like you may have discovered the root of the problems people are having.

      For those having issues with the rc.conf file it seems there may be a copy and paste problem and something to do with the quotation marks. I’ve included alternate instructions above using the sysrc command. You will need to remove the lines from your rc.conf file and then run the two commands. Hopefully that resolves the issues people are having.

      LMK.

      ~Raze

      Liked by 1 person
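
The copy-and-paste problem discussed in these comments can be checked mechanically. The script below is an added example, not part of the original article or of any comment; the function names (`find_typographic`, `rc_value`, `is_enabled`, `write_sample`) are hypothetical, and `is_enabled` assumes the same "enabled" spellings that rc.subr's `checkyesno` accepts.

```shell
#!/bin/sh
# Added example: lint an rc.conf-style file for pasted typographic characters.
# The characters are built from octal bytes so this script stays pure ASCII.
LDQ=$(printf '\342\200\234'); RDQ=$(printf '\342\200\235')   # U+201C, U+201D
LSQ=$(printf '\342\200\230'); RSQ=$(printf '\342\200\231')   # U+2018, U+2019
NDASH=$(printf '\342\200\223')                                # U+2013

# Print "lineno:text" for each line holding a typographic quote or dash.
# Returns 1 when any are found, 0 when the file is clean.
find_typographic() {
    if LC_ALL=C grep -n -e "$LDQ" -e "$RDQ" -e "$LSQ" -e "$RSQ" -e "$NDASH" "$1"; then
        return 1
    fi
    return 0
}

# Print the value /bin/sh gives variable $2 after sourcing file $1, which is
# how rc.conf is read. Runs in a subshell; use only on files rc would read anyway.
rc_value() {
    ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\${$2}\"" )
}

# Succeed only for the spellings rc.subr's checkyesno treats as "enabled".
is_enabled() {
    case "$(rc_value "$1" "$2")" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: write this page's two settings to file $1, either
# "pasted" (curly quotes, as copied from a web page) or "typed" (ASCII quotes).
write_sample() {
    if [ "$2" = pasted ]; then
        printf 'openvpn_enable=%sYES%s\nopenvpn_if=%stun%s\n' "$LDQ" "$RDQ" "$LDQ" "$RDQ" > "$1"
    else
        printf 'openvpn_enable="YES"\nopenvpn_if="tun"\n' > "$1"
    fi
}

# Usage: sh lint_rc.sh /etc/rc.conf   (give the full path to the file)
if [ $# -gt 0 ]; then
    find_typographic "$1" || echo "typographic characters found in $1" >&2
    is_enabled "$1" openvpn_enable || echo "openvpn_enable does not read as YES" >&2
fi
```

With the pasted form, the shell keeps the curly quotes as part of the value, so `openvpn_enable` is not a recognised YES and `openvpn_if` is no longer the plain string `tun`, which matches the two warnings quoted in the first comment.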

  4. it still shows my own IP
    I checked the quotation marks, also tried removing it through the nano editor and using the sysrc commands, but still it shows my own IP address. What else could I be doing wrong?


  5. ok after choosing another server from the list I now have another problem, when I try to do the command to check my ip it just hangs, no response. I tried pinging, no response… do I have some network settings to configure in the jail?


  6. This tutorial was very helpful. I, too, was burned by copy and paste in the

    # Enable OpenVPN
    openvpn_enable=”YES”
    openvpn_if=”tun”

    step of the install. The “WARNING: $openvpn_enable is not set properly – see rc.conf(5).” was fixed by replacing the quotation marks in the pasted text with those resident in the editor.

    A second problem was the instruction “You can now manually start your VPN with /usr/local/etc/rc.d/openvpn start.” This is the only place in the instructions where a prior step is given after (“However before you do, there is one more thing you need to do…”). I had become complacent and wasn’t reading ahead, but I did eventually notice this.

    My third problem was that I mistyped my password in the auth.txt file. I had no idea which of the many steps I had messed up. I looked around for a log file, then I Googled around looking for a way to enable a log file, then I decided to retrace every step line by line. My girlfriend actually noticed my typo, I was seeing what I wanted to see.

    So thank you again – I have posted this feedback in case it helps someone else!

    -Evan


  7. Hey guys, can anyone help with a small problem I have? My username is my email address and I don’t think it likes the @ symbol because when I put in

    echo “${x@y.com}” > /usr/local/etc/openvpn/auth.txt

    I get

    Missing ‘}’.

    Is there an escape character or something I should use instead?

    Any help appreciated!


    1. Forget this, I was being overly strict on the instructions. I just put the username and password in the file on separate lines, and restarted the jail.
      Someone also mentioned to run nano etc/resolv.conf and changed nameserver to 8.8.8.8 and 8.8.4.4 and it started working again.
      It should be nano /etc/resolv.conf and changed nameserver to 8.8.8.8 and 8.8.4.4 and it started working again. TINY difference meant a world of difference as his instructions only worked if you were in the root directory.
      Thanks for the tutorial though!!!


  8. Just ahead of actually installing this on my server, will this automatically run when the server boots say after a power failure and also what settings do you have for the newly created jail ie. DHCP and all that..
    Thanks in advance.


    1. When you create the jail you can set it to run on startup and configure for dhcp and it should startup and run on its own when the server comes on after power failure.


  9. Freenas noob here, how would I find an open port through PIA to forward? My listening IP through transmission keeps showing as closed


  10. Hi there, Great tutorial. I am having an issue where in the jail cell, it appears the VPN is working because the Wget command spits out the VPN IP. However when I go into the deluge program (which is the same jail) the icon in the bottom right hand corner is still showing my public IP and when I put a torrent in, it says no route to host. Any idea why the VPN appears to be working in the shell and not in the plugin?


  11. Right, so in the less than 2 minutes since I wrote that, I changed the resolv.conf to 8.8.8.8 and it’s now working. However deluge is still displaying my public IP in the bottom right hand corner but the shell says my IP is still the VPN IP. Not sure what’s going on here


    1. Thx mate. I just ran through this again a couple weeks ago and the openvpn files I linked worked. I have to do another run through to update these instructions for TrueNAS and will look at these files then (couple weeks).


  12. Looking forward to an updated version of this post that supports Truenas. Your blogs are really helpful! Unfortunately I am having issues with openvpn. With nano /var/log/messages I can see the log file of openvpn inside my jail. This error is the culprit: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) TLS Error: TLS handshake failed. Any ideas on how to fix this?


      1. Right on. Thanks for sharing the solution. I’m in the process of rebuilding my jail with 12.2 and this will be the next article I update. Your experiences will help prepare that.


  13. I have managed (following your tutorial- thanks) to configure the PIA VPN correctly, as I can check using the following commands.

    root@JailTransmission:/ # wget -qO - http://wtfismyip.com/text
    87.222.XXX.XX
    root@JailTransmission:/ # /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    root@JailTransmission:/ # wget -qO - http://wtfismyip.com/text
    212.102.XX.XX

    But once I start the VPN, Transmission stops connecting (web interfaces unreachable also)
    Any ideas on that???

    Thanks!!!

    BTW, is there any fix for the resolv.conf updating automatically?


  14. Your guides are incredible! I don’t know what I’d do without your indirect assistance.
    With that said, I’m running into an error when trying to manually start OpenVPN. This is the code I get:
    “/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn”
    Any insight would be greatly appreciated!


    1. Joshua,
      Try an experiment before you commit to VPN in a jail:
      1: Go to the command line of your jail.
      2: Install, say, “nano” and “wget”.
      3: Verify that the apps work.
      4: Update the jail.
      5: Go back to 3.
      I think you will find that, when the jail is updated, the apps are wiped back to only what was installed by creating the jail. I have numerous threats from my ISP, which is how I learned about this after using this technique for months.
      As for your question, try typing cat /var/log/messages and see what it has to say. You can edit the VPN config file to increase the debug logging level if you are still stuck.
      -Evan


  15. Thank you so much for this guide. I managed to set this up in TrueNAS for my jails with NordVPN.

    Here is what I did, following your guide, hoping that this will help a newbie if they have NordVPN.

    1)pkg install openvpn
    2)pkg install nano
    3)pkg install wget

    4)create a file to store NordVPN login credentials
    mkdir /usr/local/etc/openvpn
    nano /usr/local/etc/openvpn/auth.txt
    nordusername
    nordpassword
    chmod 0600 /usr/local/etc/openvpn/auth.txt

    5) create a download folder
    mkdir /usr/local/etc/openvpn/download
    cd /usr/local/etc/openvpn/download

    6) download openvpn config files from Nord for the server you want to use
    wget "link to nordvpn udp configuration file you want to use" --no-check-certificate

    example:
    wget https://downloads.nordcdn.com/configs/files/ovpn_legacy/servers/au648.nordvpn.com.udp1194.ovpn --no-check-certificate

    7) replace config file with the new downloaded vpn file
    cp "name of the file".ovpn /usr/local/etc/openvpn/openvpn.conf

    example:
    cp au648.nordvpn.com.udp1194.ovpn /usr/local/etc/openvpn/openvpn.conf

    8) add login credentials to auto login with openvpn
    nano /usr/local/etc/openvpn/openvpn.conf

    8.1) add this to the bottom of the file
    # Automatic login (NordVPN credentials)
    auth-user-pass /usr/local/etc/openvpn/auth.txt
    auth-nocache

    9) enable openvpn to start
    nano /etc/rc.conf

    9.1) add this to the bottom of the file ** important note ** remove ” quotes ” depending on version
    # Enable OpenVPN
    openvpn_enable="YES"
    openvpn_if="tun"

    10) you need to exit the jail shell and go to the main TrueNAS shell – allow tun in main shell – replace jailname with your jail’s name
    iocage set allow_tun=1 [jailname]

    11) reboot TrueNAS server

    12) once rebooted, open the jail shell again

    13) Start OpenVPN by the following command
    /usr/local/etc/rc.d/openvpn start

    14) Test the openvpn is working – your IP address should now be protected by VPN and different to your normal IP
    wget -qO - http://wtfismyip.com/text
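
The credentials file comes up twice in these comments: the `echo` attempt with an e-mail address as username, and the `auth.txt` step in the NordVPN walkthrough above. The script below is an added example, not part of the original article or of any comment; `write_auth_file` and `check_auth_file` are hypothetical helper names, and it shows one way to create the file so it is never readable by other users and to audit it afterwards.

```shell
#!/bin/sh
# Added example: create and audit the OpenVPN credentials file (auth.txt).

# write_auth_file PATH USERNAME PASSWORD
# printf '%s\n' copies its arguments byte for byte, so an e-mail style username
# or a password containing $, { or @ is never re-interpreted by the shell.
write_auth_file() {
    (
        umask 077          # file is created 0600; no window where others can read it
        rm -f "$1"         # a pre-existing file would otherwise keep its old mode
        printf '%s\n%s\n' "$2" "$3" > "$1"
    )
}

# check_auth_file PATH: prints "ok" or the first problem found; returns 0 or 1.
check_auth_file() {
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "mode is $mode, want -rw-------"; return 1; }
    lines=$(wc -l < "$1" | tr -d ' ')
    [ "$lines" = 2 ] || { echo "has $lines lines, want username then password"; return 1; }
    if LC_ALL=C grep -q "$(printf '\r')" "$1"; then
        echo "contains CR line endings"; return 1
    fi
    if grep -q '^$' "$1"; then echo "contains an empty line"; return 1; fi
    echo ok
}

# Interactive use: sh auth_file.sh /usr/local/etc/openvpn/auth.txt
if [ $# -gt 0 ]; then
    printf 'VPN username: '; IFS= read -r user
    stty -echo; printf 'VPN password: '; IFS= read -r pass; stty echo; echo
    write_auth_file "$1" "$user" "$pass" && check_auth_file "$1"
fi
```

`check_auth_file` cannot tell whether the password itself is correct; it only rules out the file-level mistakes (wrong mode, extra or missing lines, stray carriage returns).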
