TrueNAS: Add VPN Connection to a Jail

TrueNAS Install Setup VPN in Jail

Adding a Virtual Private Network (VPN) connection to any system, including a TrueNAS jail, is critically important to protect your privacy. This is even more important if you plan to be downloading media (movies, TV shows, music, books, etc.) from torrents or newsgroups as content providers are frequently searching for individuals and groups circulating their intellectual property. This article will show you how to download, install the OpenVPN software, configure the software for the VPN location you desire, setup the proper network connections, and then test to ensure the connection is working all within a FreeNAS jail. In this case, the article will be using Private Internet Access (PIA) as an example VPN provider, however you should be able to follow the same process for other providers. There is also an option to install a VPN kill switch (shuts down network traffic if you disconnect from the VPN). This article assumes that you already have a FreeNAS system up and running and have already setup the FreeNAS jail in which you want to include an OpenVPN connection.

This is part of my ongoing series of TrueNAS and FreeNAS setup, configuration and install articles.

An updated version of this article is posted on the NEW digiMoot website at:

Install OpenVPN

To install the OpenVPN software, which is the type of connection you will have to your VPN, you will need to get to the command prompt for your jail. First we will install a couple of programs we will need – nano, a text editor, and wget to download the necessary config files and to test the connection. You can install these programs with the following command:
pkg install nano wget

Now we will need to ensure we are using the latest package distribution to ensure we are getting OpenVPN v2.5.0 (or later). We will need to edit your pkg config file with the following command:
nano /etc/pkg/FreeBSD.conf

you will see a line in the file that looks like this:

url: “pkg+http://pkg.FreeBSD.org/$(ABI)/quarterly”,

and you will need to replace the word “quarterly” with “latest” so that the line looks like this:

url: “pkg+http://pkg.FreeBSD.org/$(ABI)/latest”,

Save the file and exit and then we will now install OpenVPN with the following commmand:
pkg install openvpn

If for some reason you get a message like: “No Packages Available to Install Have Been Found in the Repositories”, you can read this article for instructions on how to move past it: FreeNAS: No Packages Available to Install Have Been Found in the Repositories

Setup OpenVPN

As noted, this article will use Private Internet Access (PIA) as an example for configuration, but you can use the same process for other VPN providers, just download their OpenVPN files instead.

Lets start by creating a directory for the OpenVPN software:

mkdir /usr/local/etc/openvpn

Next we will need to create a file to store our login credentials for the VPN provider. The following command will open the nano text editor for a blank file in which you should put your VPN username on the first line and your VPN password on the second line:

nano /usr/local/etc/openvpn/auth.txt

Alternatively you can create this file with the following two commands where [username] and [password] are your VPN username and password respectively:

echo [username] > /usr/local/etc/openvpn/auth.txt
echo [password] >> /usr/local/etc/openvpn/auth.txt

As this file contains your username and password, we will next need to change the security on it to make it only accessible to those that need it with the following command:

chmod 0600 /usr/local/etc/openvpn/auth.txt

Now we create a temporary directory to download all the VPN information into with the following command:

mkdir /usr/local/etc/openvpn/download

And then we will download the VPN configuration files (in this case for PIA) with the following commands:

cd /usr/local/etc/openvpn/download
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip
unzip openvpn.zip

Now if you do an ls in this directory you will see a bunch of files with different country, city and region names. This is the OpenVPN connection information for servers in those countries. Select which city or region you want to connect to and copy that file to the OpenVPN directory as the default config file (this example uses Denmark):

cp Denmark.ovpn /usr/local/etc/openvpn/openvpn.conf

You will now need to add the following lines to the bottom of the files you just copied in order to have the VPN connection start automatically when the jail boots.

# Automatic login (PIA credentials)
auth-user-pass /usr/local/etc/openvpn/auth.txt
auth-nocache

Use the nano text editor with the following command: nano /usr/local/etc/openvpn/openvpn.conf.

Enable OpenVPN

Now that everything is configured, we can enable OpenVPN and begin to use the VPN connection.

Set OpenVPN to start automatically by using the following commands:
sysrc openvpn_enable="YES"
sysrc openvpn_if="tun"

If you want to manually start your VPN instead, you can use /usr/local/etc/rc.d/openvpn start.

There is one last step however before the VPN is ready to run. Quit the jail shell. Shut down the jail. Go to the overall TrueNAS shell (for the whole TrueNas system, accessed from the menu in the web interface on the left hand side) and enter the following, where [jailname] is the name of the jail in which you have just installed and configured OpenVPN:

iocage set allow_tun=1 [jailname]

Now, you will need to reboot the entire TrueNAS server. Yes, the whole physical machine. Yes, this is a real pain.

Testing the VPN Connection

Once the TrueNAS server comes back up after its reboot, enter your jail with and test to see if the VPN connection is working by using the following command:

wget -qO - http://wtfismyip.com/text

If the result of this command in an IP address different from your ISP’s IP, then you are good and the VPN is working!

So that’s it. Your VPN in your jail should be up and running.

Login Script on Enter Jail Shell

I setup a quick script to show my public IP every time I log into the shell so that I can be sure my VPN is still connected. It’s a simple process I’ve described in my TrueNAS: Run Script on Startup Run MOTD script article.

VPN Kill Switch

I have not yet tested this out, but you can add a VPN kill switch which would disconnect you from the internet if your VPN disconnects and is no longer protecting you. The following link contains directions for this kill switch (as well as much of the content for the creation of this article):

https://github.com/danjacques/freenasdocs/blob/master/guides/vpn-client-jail.md

Shout out to all those who have provided helpful comments on my previous article (FreeNAS: Add VPN Connection to a Jail) which were really helpful in creating this new version for TrueNAS.

Happy VPNin’!

~Raze42

Updated: Jan 18, 2021


46 thoughts on “TrueNAS: Add VPN Connection to a Jail

  1. I get my public IP address when I test it. I am attempting to do this with TORguard and the configurations file they have you download. Any help?

    Like

  2. I’m a bit of an amateur, however, I have a questions:
    Does this protect my entire server and all internet access with the vpn connection? Or does it just protect the jail with a vpn connection? For example: Say I have multiple plugins installed in separate jails, one with transmission, one with sonarr, one with qbitorrent, one with nextcloud, and a virtual machine. Do I need to install openvpn in each jail as its own instance or can I install openvpn as it’s own jail and funnel the server’s entire traffic through it?
    I hope that made sense. If the answer is yes then I am happy. If the answer is no, then it suggests I may have to install all those plugins manually in a single jail in order to get VPN protection yeah?
    Thank you for your guides!

    Like

      1. Sweet, that explains a lot! Do you have Organizr and Jackett in that same single jail also? Lastly, does the order you install these matter?

        Like

      2. I have organizr in a separate jail. I don’t think order will matter much. Only hiccup I can think of is the version of mono. Also if you stay tuned for a couple days I have a post I’m working on with the updated version of sonarr (v3)

        Like

      3. Is there a specific reason why you have organizr in a separate jail?

        And I will definitely stay tuned for the sonarr (v3). Finding your site is a treasure mine for me, because I have been wanting to VPN my jail in order to use transmission, sonarr, radarr, etc. The lack of knowledge on that has stopped me from setting those apps up until now.

        Like

  3. Also, would love to see you make a thorough installation guide on NextCloud! Would you recommend installing that in the same jail as the other applications to be protected through a vpn?

    Like

  4. You’re the man. One more thing I think you should fast track on your site for the less experienced is, how to create jails manually from the start. What settings are recommended, etc.

    I am going to give it a shot, all I’ve ever done is install apps via plug-ins but I love how you consolidated everything in basically one jail.

    Like

  5. Would you be so kind as to go over that briefly what settings you would use on creating the jail that would contain all your apps like openvpn, transmission, qbitorrent, jackett, sonarr, radarr, etc? A screenshot would suffice!

    Merry Christmas!

    Like

  6. I’ve got your WordPress site bookmarked now, your guides are really useful thanks. Question about this one – I followed the guide and got OpenVPN up and successfully connected, but all my DNS queries are still going through my ISP. I had to fix this with an ‘up’ and ‘down’ script to edit resolv.conf (I found a guide to help me with this). Not sure if I made a mistake in following your guide? It’s obviously important to ensure all traffic and DNS queries are routed through the VPN. But thanks again for all the work, it’s helped a lot.

    Like

  7. Hi Raze!
    Thanks for the guide, it seems to be working for me 🙂
    One question though: you said at the beginning of the article that “There is also an option to install a VPN kill switch (shuts down network traffic if you disconnect from the VPN).”
    However, there is no mention of how to set this up in the guide – unless that “allow_tun=1” sets the network in a way that it will only connect through the VPN and nothing else?
    Do you mind elaborating how the VPN killswitch is implemented, or how to implement it? 🙂
    Best Regards,
    Stefano

    Like

  8. I created a new jail and then followed all of the steps exactly as described here. Double-checked everything. Rebooted my TrueNAS CORE server. Reentered the jail shell. Ran:

    wget -qO – http://wtfismyip.com/text

    It flashes at me for a minute or so, returns nothing, and then I can type again as if I entered nothing at all.

    Any suggestions?

    Like

      1. Having the same problem but when I run ‘nano etc/resolv.conf’ nano opens with a red error ‘[Directory ‘etc’ does not exist]. I ran the shell from within the jail and entered the command at the root, should I be somewhere else?

        Like

      1. It let me download it but for whatever reason I can’t get openvpn to connect to my nordvpn. I will have to do some more digging to see what’s up with it. Thanks again.

        Like

  9. thanks for the guide raze42, so easy to follow.
    Just wondering what setup you use when creating your jails.
    I have had trouble accessing radarr from within the same jail (with vpn & sabnzbd)
    any tips would be appreciated

    Like

    1. I’m not sure exactly what you’re asking. I have all my collection managers (radarr, sonarr, etc) and qbittorrent in a single jail which is using a VPN. I don’t use newsgroups, just torrents. It might help if you use 127.0.0.1 as the ip address (which is the localhost) to connect between services within the same jail.

      Like

  10. Your guides have been great. Thank you. I see that you haven’t tested out the kill switch. Everything else I have installed with your guides has worked perfectly, but, the kill switch cuts off web access to the jail. Everything works find with VPN. The kill switch itself tests out fine. But when the kill switch is on, I can no longer reach the jail via it’s url. This has been the case each time, including multiple installations of sonarr and one of nzbget. If you still haven’t tested this out, I’m wondering if you still might have some troubleshooting suggestions, or maybe soneome else who has experienced this. Thanks!!

    Like

    1. I just figured it out. I was careless and didn’t notice that I needed to update the kill switch script with my gateway and mask. You are welcome to delete the post. Everything works as advertised. Thanks.

      Like

  11. Your guides are incredible! I don’t know what I’d do without your indirect assistance.
    With that said, I’m running into an error when trying to run manually start OpenVPN. This is the code I get:
    “/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn”
    Any insight would be greatly appreciated!

    Like

  12. 2 questions:
    1) how do i keep the /etc/resolv.conf file static to the external ip addresses when using dhcp in my jail?
    2) I’m unable to access any ports from the lan on this jail. I need to access my torrent client and/or flood (to manage), but the VPN is blocking.
    Thank you

    Like

  13. noticed after doing this. If i reboot the Jail. On coming backup while i can get outside access through my VPN. My client seem to have no access (Deluge states no external ip). As such trying to add anything is pointless. However if I reboot the how server all is good aagin. (Note i did intially reboot the whole server as required. Everytime i do reboot the jail, rebooting the server brings everything back ok. But occassionally had to resolve faults with jammed files that require a reboot. just annoying.

    Like

  14. Hi.

    Love this guide.

    Im using PrivateVPN, and so far all in this guide seems to work just fine for me. I have an issue with the last command, where I should check If the VPN is working correctly.

    wget -qO – http://wtfismyip.com/text

    This command gives me this result.

    wget: Command not found

    Im using shell through the qbittorrent jail

    Like

      1. Thanx for the information. It was installed but in another version. I updated it and then it worked. Sadly the VPN is not working, so I’m doing something wrong. I think it might be the steps about the auth. Im not sure I did that part correctly.
        # Automatic login (PIA credentials)
        auth-user-pass /usr/local/etc/openvpn/auth.txt
        auth-nocache

        Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s