FreeNAS 11.2 ~ Plex, Transmission (with PIA), Medusa, Couchpotato

By Zack - November 24, 2019


Common Commands:

  • To enter jail/iocage:
    • iocage console rclone, or run 'jls' to find the jail ID and then: jexec # tcsh (where # is that jail ID)
  • To change user/group of a folder/file
    • chown -R user:user */file or folder/
  • Stripping Windows ACLs from folders (recursively). This is necessary if plugins like Medusa/Sonarr/Radarr, etc. can't see your /media/tv or /media/downloads folders.
    • find /mnt/path/to/dataset -type d -exec setfacl -m everyone@:rxaRc:fd:allow {} \;
    • find . -type d -exec setfacl -b {} \;
  • To change permissions of a folder/file
    • chmod -R 777 */file or folder/
Plugin Permissions (do this for each plugin that needs access):
  1. Check the UID under Accounts --> Users --> Edit User
  2. pw useradd -n plexuser -u 972 -d /nonexistent -s /usr/sbin/nologin 
  3. service PLUGIN onestop 
  4. chown -R plexuser:plexuser /var/db/ 
  5. sysrc 'PLUGIN_user=plexuser' 
  6. service PLUGIN start 
Transmission will need an edit to settings.json to set umask = 0

Medusa :

  • Create a jail for Medusa in the GUI
  • Enter shell for medusa 
  • pkg update && pkg upgrade 
  • pkg install -y python36 py36-openssl py36-pip py36-lxml py36-sqlite3 unrar git nano 
  • pkg install -y python3 
  • git clone https://github.com/pymedusa/Medusa.git /usr/local/medusa 
  • cp /usr/local/medusa/runscripts/init.freebsd /usr/local/etc/rc.d/medusa 
  • sysrc medusa_enable=YES 
  • sysrc medusa_user=plexuser 
  • pkg install -y ffmpeg 
  • Make sure the medusa user is listed and running in the jail: ps aux
Transmission (with ipfw rules / Private Internet Access VPN)
  • create a transmission jail
  • From FreeNAS OS Shell: 
    • iocage stop transmission
    • iocage set allow_tun=1 transmission
  • Stop the transmission jail
  • Add your mount points: https://i.imgur.com/K2oLMRG.png
  • Open Transmission Jail Shell
  • service transmission stop
  • edit /usr/local/etc/transmission/home.settings.json
    • Change rpc-host-whitelist-enabled to false
  • edit /usr/local/etc/pkg/repos/FreeBSD.conf
    • Replace no with yes 
    • ESC, then save and quit
  • pkg update
  • pkg upgrade
  • pkg install bash openvpn unzip curl wget
  • edit /etc/rc.conf
    • Add to file:
      • openvpn_enable="YES"
      • openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
      • openvpn_if="tun"
      • firewall_enable="YES"
      • firewall_script="/etc/ipfw.rules"
      • You may also want to change Transmission's default download directory; it seems to be hardcoded at the top of this file.
      • ESC, then save and quit
  • mkdir /usr/local/etc/openvpn
  • cd /usr/local/etc/openvpn/
  • wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
  • mkdir PIA
  • unzip openvpn.zip -d PIA
  • cd PIA
  • cp US\ California.ovpn ..
  • cd ..
  • mv US\ California.ovpn openvpn.conf
  • Create the username/password file
    • edit pass.txt
    • 1st line = username, 2nd line = password (for PIA)
  • edit openvpn.conf
    • auth-user-pass /usr/local/etc/openvpn/pass.txt
    • auth-nocache   (not sure what this does)
  • wget http://ipinfo.io/IP -qO -   (Shows your public IP address)
  • service openvpn start
  • wget http://ipinfo.io/IP -qO -   (Shows VPN's IP address)
  • ifconfig (should show a tun0 interface, which is the vpn tunnel)
  • edit /etc/ipfw.rules   (change to the Default Route's IP, which shows up on the FreeNAS Dashboard)
      #!/bin/sh
      ##
      # OpenVPN Kill Switch Configuration.
      #
      # From:
      # https://github.com/danjacques/freenasdocs
      ##

      . /etc/network.subr

      RULE_NO=1000
      fwcmd="/sbin/ipfw"
      add_fw() {
        ${fwcmd} add ${RULE_NO} $*
        RULE_NO=$((${RULE_NO}+1))
      }

      # Flush all current rules before we start.
      ${fwcmd} -f flush

      # Enable loopback.
      add_fw allow ip from any to any via lo0

      # Enable VPN traffic.
      add_fw allow ip from any to any via tun*

      # Internal Routing
      #
      # Change these addresses accordingly for your internal network and netmask.
      add_fw allow log ip from any to 192.168.1.0/24 keep-state

      # Allow DNS traffic.
      #
      # OpenVPN configs may use host names, and we'll need to look these up.
      # Default route.
      add_fw allow log udp from any to any dst-port 53 keep-state

      # Allow traffic on OpenVPN UDP port.
      #
      # If you're using TCP VPN and/or a different port, update accordingly. Consult
      # your OpenVPN config for details.
      add_fw allow log udp from any to any dst-port 1198 keep-state

      # Cleanup rules.
      RULE_NO=4000
      add_fw allow ip from 127.0.0.1 to any

      # VPN Network Access.
      RULE_NO=5000
      add_fw allow ip from 10.0.0.0/7 to any
      add_fw allow ip from any to 10.0.0.0/7

      # Block everything else.
      RULE_NO=65534
      add_fw deny log ip from any to any
  • Start Firewall
    • service ipfw start
    • ipfw list (make sure it's listing the rules typed above)
  • Test Firewall
    • ping www.google.com (should be able to ping it as it's connected to the internet)
    • service openvpn stop
    • ping www.google.com (should fail, as there is no internet access with the VPN stopped)
  • Finally, set your file permissions to be acceptably restrictive for OpenVPN.
    • chmod -R 0600 /usr/local/etc/openvpn/
  • Log file is found in /var/log/messages
If you have any issues make sure all your files are in the /usr/local/etc/openvpn directory that you reference in the .conf files. 

You can also check your IP via: curl ifconfig.me
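
An added example (not from the original post or the freenasdocs project): a check over `ipfw list` output that confirms the kill switch is closed, meaning no allow rule lets traffic leave outside lo0/tun* except the VPN port, and a catch-all deny is reached before the default rule. `audit_killswitch` is a hypothetical helper name, and the sample listing is constructed from the rules above, including the assumption that default rule 65535 is an allow.

```shell
#!/bin/sh
# Constructed sample of `ipfw list` output for the ruleset above
# (not captured from a real system; rule 65535 as "allow" is an assumption).
SAMPLE_RULES='01000 allow ip from any to any via lo0
01001 allow ip from any to any via tun*
01002 allow log ip from any to 192.168.1.0/24 keep-state
01003 allow log udp from any to any dst-port 53 keep-state
01004 allow log udp from any to any dst-port 1198 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/7 to any
05001 allow ip from any to 10.0.0.0/7
65534 deny log ip from any to any
65535 allow ip from any to any'

# audit_killswitch RULES VPN_PORT
# Prints one finding per line. FAIL means traffic can bypass the tunnel;
# WARN means cleartext traffic the ruleset permits on purpose.
# Exit status is 1 if any FAIL was printed, 0 otherwise.
audit_killswitch() {
  printf '%s\n' "$1" | awk -v vpn="$2" '
    # The first catch-all deny ends the walk: later rules are never reached.
    /^[0-9]+ deny (log )?(logamount [0-9]+ )?ip from any to any$/ { closed = 1; exit }
    $2 == "allow" && / from any to any/ {
      if ($0 ~ / via (lo0|tun)/) next                  # loopback or tunnel only
      if ($0 ~ (" dst-port " vpn "( |$)")) next        # the VPN connection itself
      if ($0 ~ / dst-port 53( |$)/) {
        print "WARN " $1 " DNS allowed outside the tunnel"; next
      }
      print "FAIL " $1 " unrestricted allow outside the tunnel"; bad = 1
    }
    END {
      if (!closed) { print "FAIL no catch-all deny before the default rule"; bad = 1 }
      exit (bad ? 1 : 0)
    }'
}

# Audit the constructed sample; 1198 is the VPN port used in the rules above.
audit_killswitch "$SAMPLE_RULES" 1198
```

Inside the jail, the same function can be fed the live ruleset with `audit_killswitch "$(ipfw list)" 1198`.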


