Transmission + OpenVPN Unable to Access WebGUI

Hey everyone,

I’ve installed Transmission in TrueNAS Core using their plugin page. It created a jail for it, and in that jail I installed OpenVPN and set it up to connect to a NordVPN server using my subscription. However, when I enable the OpenVPN service, it connects and works, but I can no longer access the Transmission WebGUI by navigating to [TrueNAS_IP]:9091.

I know it’s not the safest, but I don’t really know much about networking, so I’ve copied ipfw.rules scripts from guides online trying to do the same thing. When I stop the OpenVPN service I can access the GUI just fine by navigating to [TrueNAS_IP]:9091.

I keep seeing things online about port forwarding or reverse proxies or something; however, I’m not sure what I’d be forwarding to/from in this case. The jails get their own IP range, the OpenVPN connection seems to have its own IP range, and the TrueNAS server itself is on my LAN IP range. Any suggestions?

Do you have all of your traffic for that jail being routed through OpenVPN? Is there a traffic option to allow LAN traffic?

1 Like

I believe the way OpenVPN works is that all the traffic to and from the jail goes through the OpenVPN tunnel.

2 Likes

If that is the case, you should somehow enable LAN traffic to the jail, due to it all going through the VPN by default?

Yep that’s what I’ve been trying to do with the ipfw rules scripts but nothing has worked. One moment and I’ll post the rules script I’m currently using.

1 Like

You need to configure the container or jail that you are using to allow LAN connections even when the OpenVPN connection is instantiated. Basically you need to configure OpenVPN so it does not block local resources.

I’m not clear on any specifics, but this is where I would start.

I use that container on Arch Linux as a seed box.

1 Like

This is the ipfw.rules file currently being run on startup.

#!/bin/sh
# Kill-switch for the Transmission jail: the transmission user may only talk
# over loopback, the VPN tunnel and the LAN; anything else is dropped.
# Plain POSIX sh, so it runs in a FreeBSD jail without bash installed.

# Flush out the list before we begin
ipfw -q -f flush

# Find the OpenVPN tunnel interface and give it a fixed name so the rules
# below can refer to tun0. Skip the rename if no tun interface exists yet;
# the rules are still installed so Transmission stays blocked until the
# tunnel comes up.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep '^tun' | head -n 1)
if [ -n "$TUN" ] && [ "$TUN" != "tun0" ]; then
    ifconfig "$TUN" name tun0
fi

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission (web UI and LAN peers)
$cmd 00101 allow all from me to 192.168.1.0/24 uid transmission
$cmd 00102 allow all from 192.168.1.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission

Here is the openvpn.conf file being used:

client
dev tun
proto tcp
remote 217.138.206.51 443
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

remote-cert-tls server

auth-user-pass /usr/local/etc/openvpn/auth.txt
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
CA
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
KEY
-----END OpenVPN Static key V1-----
</tls-auth>

And this is the settings.json file for Transmission.

{
    "alt-speed-down": 50,
    "alt-speed-enabled": false,
    "alt-speed-time-begin": 540,
    "alt-speed-time-day": 127,
    "alt-speed-time-enabled": false,
    "alt-speed-time-end": 1020,
    "alt-speed-up": 50,
    "bind-address-ipv4": "0.0.0.0",
    "bind-address-ipv6": "::",
    "blocklist-enabled": false,
    "blocklist-url": "http://www.example.com/blocklist",
    "cache-size-mb": 4,
    "dht-enabled": true,
    "download-dir": "/usr/local/etc/transmission/home/Downloads",
    "download-queue-enabled": true,
    "download-queue-size": 5,
    "encryption": 1,
    "idle-seeding-limit": 30,
    "idle-seeding-limit-enabled": false,
    "incomplete-dir": "//Downloads",
    "incomplete-dir-enabled": false,
    "lpd-enabled": false,
    "message-level": 2,
    "peer-congestion-algorithm": "",
    "peer-id-ttl-hours": 6,
    "peer-limit-global": 200,
    "peer-limit-per-torrent": 50,
    "peer-port": 51413,
    "peer-port-random-high": 65535,
    "peer-port-random-low": 49152,
    "peer-port-random-on-start": false,
    "peer-socket-tos": "default",
    "pex-enabled": true,
    "pidfile": "/var/run/transmission/daemon.pid",
    "port-forwarding-enabled": true,
    "preallocation": 1,
    "prefetch-enabled": true,
    "queue-stalled-enabled": true,
    "queue-stalled-minutes": 30,
    "ratio-limit": 2,
    "ratio-limit-enabled": false,
    "rename-partial-files": true,
    "rpc-authentication-required": false,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-host-whitelist": "",
    "rpc-host-whitelist-enabled": true,
    "rpc-password": "blah blah blah",
    "rpc-port": 9091,
    "rpc-url": "/transmission/",
    "rpc-username": "",
    "rpc-whitelist": "127.0.0.1,::1,192.168.1.*",
    "rpc-whitelist-enabled": false,
    "scrape-paused-torrents-enabled": true,
    "script-torrent-done-enabled": false,
    "script-torrent-done-filename": "",
    "seed-queue-enabled": false,
    "seed-queue-size": 10,
    "speed-limit-down": 100,
    "speed-limit-down-enabled": false,
    "speed-limit-up": 100,
    "speed-limit-up-enabled": false,
    "start-added-torrents": true,
    "trash-original-torrent-files": false,
    "umask": 18,
    "upload-slots-per-torrent": 14,
    "utp-enabled": true
}
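The settings.json above has the RPC interface bound to 0.0.0.0 with authentication off and rpc-whitelist disabled, so once the jail is reachable over more than one interface the web UI is reachable from all of them. The following is an added example, not code from the thread or from Transmission: it audits those RPC keys and produces a copy confined to the LAN. The jail address 192.168.1.50 and the LAN whitelist are assumptions chosen to match the 192.168.1.0/24 used in the posted ipfw rules.

```python
import json

# Constructed sample: the RPC-related keys copied from the settings.json posted above.
SAMPLE_SETTINGS = """{
    "rpc-authentication-required": false,
    "rpc-bind-address": "0.0.0.0",
    "rpc-enabled": true,
    "rpc-password": "blah blah blah",
    "rpc-port": 9091,
    "rpc-username": "",
    "rpc-whitelist": "127.0.0.1,::1,192.168.1.*",
    "rpc-whitelist-enabled": false
}"""

# Assumptions (not from the thread): the jail's LAN address and the LAN whitelist.
JAIL_LAN_IP = "192.168.1.50"
LAN_WHITELIST = "127.0.0.1,::1,192.168.1.*"

def audit_rpc(settings: dict) -> list[str]:
    """Return findings for RPC settings that expose the web UI beyond the LAN."""
    findings = []
    if not settings.get("rpc-enabled", False):
        return findings  # RPC off: nothing listening on 9091
    if settings.get("rpc-bind-address") in ("0.0.0.0", "::"):
        findings.append("rpc-bind-address listens on every interface, including tun0")
    if not settings.get("rpc-authentication-required", False):
        findings.append("rpc-authentication-required is false: no login needed on :9091")
    if not settings.get("rpc-whitelist-enabled", False):
        findings.append("rpc-whitelist-enabled is false: rpc-whitelist is never checked")
    elif not settings.get("rpc-whitelist", "").strip():
        findings.append("rpc-whitelist is empty, so no client address is permitted")
    return findings

def harden_rpc(settings: dict, jail_lan_ip: str, lan_whitelist: str) -> dict:
    """Return a copy of settings with the RPC interface confined to the LAN."""
    hardened = dict(settings)
    # rpc-password is left as-is: Transmission rewrites it as a salted hash on save.
    hardened["rpc-bind-address"] = jail_lan_ip  # only the LAN-facing address, not 0.0.0.0
    hardened["rpc-authentication-required"] = True
    hardened["rpc-whitelist-enabled"] = True
    hardened["rpc-whitelist"] = lan_whitelist
    if not hardened.get("rpc-username"):
        hardened["rpc-username"] = "transmission"  # placeholder, choose your own
    return hardened

if __name__ == "__main__":
    current = json.loads(SAMPLE_SETTINGS)
    for finding in audit_rpc(current):
        print("weak:", finding)
    print(json.dumps(harden_rpc(current, JAIL_LAN_IP, LAN_WHITELIST), indent=4))
```

Stop transmission-daemon before editing settings.json, since the daemon overwrites the file on exit. Binding to the jail's LAN address only works with the static LAN IP setup described later in the thread; with the NAT/VNET jail the bind address would have to be the jail's own VNET address instead.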

I didn’t see anything in the Transmission config about the web interface server settings. Is there a separate config for it? Maybe it’s only bound to the LAN interface and is getting dropped as the traffic is originating from the VPN interface.

Edit: internal server… try changing the RPC bind address from 0.0.0.0 to the local IP of the machine it’s running on. Locally, a request for 0.0.0.0 will probably just get broadcast and the local server will respond. Going through a VPN and firewall you’re gonna get something actually looking at the to/from on the header, and a request/target for 0.0.0.0 will probably get dropped before it ever leaves the remote machine.

I was using the NAT/VNET configuration for the jail. I switched to using a static IP and set it to one in the range of my LAN, and I can now access the Transmission GUI locally with OpenVPN running and connected by navigating to the static IP I set. I’m not sure if this is necessarily safe, though. The “killswitch” I have set up to cut traffic to/from Transmission if the VPN goes down works, though.