Transmission won't run after IPTABLE VPN kill switch reset

Hello, I had my RPI3 with OSMC set up with SickRage, CouchPotato, Transmissiona and a OPENVPN. IT was working perfectly. I then used these instructions to set up a IPTABLES based VPN Kill switch to address challenges I was having with my IP leaking. How To Create A VPN Killswitch Using Iptables on Linux - LinuxConfig.org After that, I could not get Transmission to start again.

To trouble shoot I reset my IPTABLES back to “Allow all” and still could not get Transmission to restart. The last change I made was to turn re-enable IPV6 by commenting out the 4 lines disabling IPV6 in the /etc/sysctl.d/99-sysctl.conf file. Still no luck, I don’t know what to do next but still feel that starting from scratch and rebuilding the OSMC unit is a bit extreme. I’m hoping there is some noob thing I might be missing here.

Here is the log report after the last failed event: $ sudo service transmission start Job for transmission.service failed because a timeout was exceeded. See “systemctl status transmission.service” and “journalctl -xe” for details. osmc@osmc:~$ journalctl -xe Jul 13 19:09:18 osmc sudo[2146]: pam_unix(sudo:session): session closed for user root Jul 13 19:09:22 osmc sudo[2149]: osmc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/pidof openvpn Jul 13 19:09:22 osmc sudo[2149]: pam_unix(sudo:session): session opened for user root by (uid=0) Jul 13 19:09:22 osmc systemd[1]: transmission.service: State ‘stop-final-sigterm’ timed out. Killing. Jul 13 19:09:22 osmc systemd[1]: transmission.service: Killing process 1798 (transmission-da) with signal SIGKILL. Jul 13 19:09:22 osmc mediacenter[747]: 1386 Jul 13 19:09:22 osmc sudo[2149]: pam_unix(sudo:session): session closed for user root Jul 13 19:09:22 osmc systemd[1]: transmission.service: Main process exited, code=killed, status=9/KILL Jul 13 19:09:22 osmc systemd[1]: Failed to start Transmission BitTorrent Daemon. – Subject: Unit transmission.service has failed – Defined-By: systemd – Support: Debian -- Support – -- Unit transmission.service has failed.

Any help would be appreciated.

Hi,

I can confirm the VPN kill switch from these instructions works:

I would clear all the iptables rules and just look at the section for the vpn kill switch, you will need to change eth0 for the network interface on the pi and also change the the network (192.168.1.0/24) on line 3 to match your lan’s network. So for example these are the rules on my debian vm:

sudo iptables -A OUTPUT -o tun0 -m comment --comment "vpn" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p icmp -m comment --comment "icmp" -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.1.0/24 -o ens3 -m comment --comment "lan" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p udp -m udp --dport 1198 -m comment --comment "openvpn" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p tcp -m tcp --sport 22 -m comment --comment "ssh" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p udp -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p udp -m udp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -p tcp -m tcp --dport 53 -m comment --comment "dns" -j ACCEPT
sudo iptables -A OUTPUT -o ens3 -j DROP

"Then, create a script to load those rule when your computer boots up.

#! /bin/bash

iptables-restore < /etc/iptables/iptables.rules;
ip6tables-restore < /etc/iptables/ip6tables.rules;"

Remove these scripts and just run:

sudo netfilter-persistent save
sudo systemctl enable netfilter-persistent

At this point I would reboot and then confirm the iptables are in place:

sudo iptables -S

If transmission still won’t start it, try running manually:

/usr/bin/transmission-daemon -f

and post the output here.

Thanks Tom.

1 Like

Thank you for the help Tom. I’m still struggling please forgive any noob mistakes that are in here.

First: the VPN kill switch instructions are great, I followed them verbatim and believe I have it working. I did have some trouble in handling spaces in the name of of my US California.conf file but think I worked that out using openvpn@USx20California or etc/openvpn/US\ California.conf).

Here are the outputs of
sudo iptables -S

osmc@osmc:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -j ACCEPT
-A OUTPUT -o tun0 -m comment --comment vpn -j ACCEPT
-A OUTPUT -o eth0 -p icmp -m comment --comment icmp -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -m comment --comment lan -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -m comment --comment openvpn -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m comment --comment ssh -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 123 -m comment --comment ntp -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -m comment --comment dns -j ACCEPT
-A OUTPUT -o eth0 -j DROP

Then I ran

/usr/bin/transmission-daemon -f

and my terminal froze…

if I run the the transmission status here is what I get:
sudo service transmission status
● transmission.service - Transmission BitTorrent Daemon
Loaded: loaded (/lib/systemd/system/transmission.service; enabled; vendor pre
Active: failed (Result: timeout) since Sun 2018-07-15 22:14:36 PDT; 15min ago
Process: 777 ExecStart=/usr/bin/transmission-daemon -f --log-error --allowed *
Process: 345 ExecStartPre=/bin/sleep 10 (code=exited, status=0/SUCCESS)
Main PID: 777 (code=killed, signal=KILL)

    Jul 15 11:00:26 osmc systemd[1]: Starting Transmission BitTorrent Daemon...
    Jul 15 22:13:06 osmc systemd[1]: transmission.service: Start operation timed out
    Jul 15 22:14:36 osmc systemd[1]: transmission.service: State 'stop-final-sigterm
    Jul 15 22:14:36 osmc systemd[1]: transmission.service: Killing process 777 (tran
    Jul 15 22:14:36 osmc systemd[1]: transmission.service: Main process exited, code
    Jul 15 22:14:36 osmc systemd[1]: Failed to start Transmission BitTorrent Daemon.
    Jul 15 22:14:36 osmc systemd[1]: transmission.service: Unit entered failed state
    Jul 15 22:14:36 osmc systemd[1]: transmission.service: Failed with result 'timeo
    lines 1-15/15 (END)

are there other logs that would help with trouble shooting. pleae remember I’m very new to this, so there could easily be something obvious and simple that I’m missing.

Hi,

Please upload logs using myosmc or issue grab-logs -A from the commandline and post the give link here. It will give us more of an idea of whats going on with your system.

Thanks Tom.

Hi Tom,

I checked my IPTABLES again using
sudo iptables -S

since it has been overnight.

I then ran transmision:

sudo /usr/bin/transmission-daemon -f

Output was:
[2018-07-16 21:30:26.498] Transmission 2.93 (3c5870d4f5) started (session.c:740)
[2018-07-16 21:30:26.498] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:971)
[2018-07-16 21:30:26.498] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:1213)
[2018-07-16 21:30:26.498] RPC Server Whitelist enabled (rpc-server.c:1217)
[2018-07-16 21:30:26.498] Couldn’t bind port 51413 on 0.0.0.0: Address already in use (Is another copy of Transmission already running?) (net.c:380)
[2018-07-16 21:30:26.498] Couldn’t bind port 51413 on ::: Address already in use (Is another copy of Transmission already running?) (net.c:380)
[2018-07-16 21:30:26.498] UDP Couldn’t bind IPv4 socket (tr-udp.c:271)
[2018-07-16 21:30:26.498] UDP Couldn’t rebind IPv6 socket (tr-udp.c:189)
[2018-07-16 21:30:26.498] DHT Generating new id (tr-dht.c:311)
[2018-07-16 21:30:26.499] Using settings from “/root/.config/transmission-daemon” (daemon.c:528)
[2018-07-16 21:30:26.499] Saved “/root/.config/transmission-daemon/settings.json” (variant.c:1266)
[2018-07-16 21:30:26.499] Port Forwarding (NAT-PMP) initnatpmp succeeded (0) (natpmp.c:70)
[2018-07-16 21:30:26.499] Port Forwarding (NAT-PMP) sendpublicaddressrequest succeeded (2) (natpmp.c:70)

[2018-07-16 21:30:34.498] Port Forwarding Starting (port-forwarding.c:92)


[2018-07-16 21:32:19.498] RPC Server Unable to bind to 0.0.0.0:9091 after 10 attempts, giving up (rpc-server.c:846)
[2018-07-16 21:32:34.498] Port Forwarding Starting (port-forwarding.c:92)

Here are the logs:

https://paste.osmc.tv/ujuyehatep

*Sorry that my terminal outputs aren’t formating well…I’ll try to figure out how to fix that.

Hi,

Jul 16 16:51:46 osmc NetworkManager[419]: <info>  [1531785106.4085] device (wlan0): set-hw-addr: set MAC address to DE:6E:9C:2C:51:8A (scanning)

Heres the problem NetworkManager has borked your setup, its incompatible with OSMC.

I’d recommend backing up your settings and starting with a fresh install.

Do you know at which point Network Manager was installed, was part of setting Openvpn?

Actually I can see from the log this is the the case:

/usr/bin/apt-get-real install network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome

It may be enough to issue:

apt-get purge network-manager-openvpn network-manager network-manager-gnome network-manager-openvpn-gnome

Also see quite a lot strange packages dnsmasq (Are you trying to run pihole?) Also gnome packages, theres no x-windows, so I’m not sure what good these will do. As I said before I would back your kodi settings and do a fresh install.

Other than kodi, openvpn and transmission, what else are you trying to run through osmc? If its just SickRage & couch pototo, please search the discourse and you will find instructions on how to set these up osmc.

Who is your vpn provider? I should be able to provide instructions for setting up the vpn, without NetworkMananger.

Thanks Tom.

P.S

Moved your topic to help & support, rather than general discussion.

Thank you Tom!

I will try to purge network manager and see how that goes.

I am only running transmission, openvpn, sickrage couch potato and samba server.

All of the other packages were (failed) attempts to run a kill switch.

I’m using Private internet access as my VPN

Hi,

I would still recommend a fresh install.

Anyway instructions for setting up the vpn with PIA, can be found here:

Confusion over VPN client setup - #2 by Tom_Doyle

Linked topic contains a link to a site recommending installing network manager, follow these instructions instead:

sudo apt-get update
sudo apt-get install openvpn unzip

cd /etc/openvpn
sudo wget --no-check-certificate https://www.privateinternetaccess.com/openvpn/openvpn.zip
sudo unzip openvpn.zip
sudo nano /etc/openvpn/pass.txt

top line: pia username
2nd line: pia password

sudo cp “UK London.ovpn” vpn.conf (Replace with whichever vpn server you are connecting to.)
sudo nano /etc/openvpn/vpn.conf

locate line: auth-user-pass
and change to: auth-user-pass /etc/openvpn/pass.txt

sudo nano /etc/default/openvpn

update one of the AUTOSTART= lines to:

AUTOSTART=vpn

sudo systemctl enable openvpn.service
sudo systemctl start openvpn.service

check your public ip is not the one provided by ISP.

curl ipinfo.io/ip

Once You’ve confirmed the vpn is working, setup the vpn kill switch.

The post I’ve linked to gives a base configuration, if you read further down the topic there more options which can be added to the configuration.

Thanks Tom.

@JJS78

Edit:

The site that advised installing NetworkManager, has updated there instructions now and removed that advise. So you can find all you need to know about setting up PIA vpn on osmc here:

https://www.backtrails.net/2017/04/30/openvpn-setup-for-private-internet-access-pia-vpn-raspberry-pi-3-osmc/

1 Like

Tom,
I may have gotten this to work by adding an extra line to the IPTABLES
sudo iptables -A OUTPUT -o tun1 -m comment --comment “vpn” -j ACCEPT
**

I was able to put in a fresh OSMC install. I have openvpn configured, however now i’m having trouble with the kill switch.

I believe the issue might be with:

  1. identifying the correct network interface (ens3 or eth0) i’m not sure where I confirm my interface.
  2. I noticed when checking the status on the openvpn, it read back tun1 instead of tun0, does this impact my iptables rules?

Here is what the OpenVPN status reports back:

osmc@osmc:/etc/openvpn$ sudo openvpn --config /etc/openvpn/vpn.conf
Wed Jul 18 21:32:16 2018 WARNING: file '/etc/openvpn/login.conf' is group or others accessible
Wed Jul 18 21:32:16 2018 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Wed Jul 18 21:32:16 2018 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Wed Jul 18 21:32:16 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]91.207.175.182:1198
Wed Jul 18 21:32:16 2018 UDP link local: (not bound)
Wed Jul 18 21:32:16 2018 UDP link remote: [AF_INET]91.207.175.182:1198
Wed Jul 18 21:32:16 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 18 21:32:17 2018 [36070b345c33c5afecc4846bba74289f] Peer Connection Initiated with [AF_INET]91.207.175.182:1198
Wed Jul 18 21:32:18 2018 TUN/TAP device tun1 opened
Wed Jul 18 21:32:18 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Jul 18 21:32:18 2018 /sbin/ip link set dev tun1 up mtu 1500
Wed Jul 18 21:32:18 2018 /sbin/ip addr add dev tun1 local 10.72.10.6 peer 10.72.10.5
Wed Jul 18 21:32:18 2018 Initialization Sequence Completed

I ran ifconfig witht the following result:

osmc@osmc:~$ ifconfig
eth0: flags=-28605<UP,BROADCAST,RUNNING,MULTICAST,DYNAMIC>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        ether b8:27:eb:48:22:d4  txqueuelen 1000  (Ethernet)
        RX packets 5875  bytes 2059739 (1.9 MiB)
        RX errors 0  dropped 120  overruns 0  frame 0
        TX packets 5491  bytes 1119040 (1.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 88  bytes 12482 (12.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 88  bytes 12482 (12.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.27.10.6  netmask 255.255.255.255  destination 10.27.10.5
        inet6 fe80::d213:1ecc:6ffa:9fa3  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 484  bytes 131387 (128.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 639  bytes 99608 (97.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.54.10.6  netmask 255.255.255.255  destination 10.54.10.5
        inet6 fe80::9196:5e5:ef8e:7f35  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 240 (240.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So if i’m reading that correctly I have an eth0 network interface and two active VPN tunnels. I’m wondering if when I reloaded my backed up settings the OSMC, OpenVPN manager I had installed from Zomboided repo reloaded.

Should I just modify the IPTABLE rules to add the TUN1 and TUN0 lines?d

It Works!!! the IPTABLES seem to be working and transmission definately works.

is there a way to test the killswitch by turning off the VPN?

the only “weird” message i received in the journctl -u openvpn@vpn was

ovpn-vpn[298]: RESOLVE: Cannot resolve host address: us-california.privateinternetaccess.com:1198
Jul 18 22:05:29 osmc ovpn-vpn[298]: RESOLVE: Cannot resolve host address: us-california.privateinternetaccess.com:1198
Jul 18 22:05:29 osmc ovpn-vpn[298]: Could not determine IPv4/IPv6 protocol

Hi,

You test the kill switch:

sudo systemctl stop openvpn
curl ipinfo.io/ip - you should now be seeing either the public IP from your ISP, or will timeout.
wget http://ipv4.download.thinkbroadband.com/20MB.zip - If it downloads the vpn kill switch isn’t working.

This is normal message, unless the vpn is failing at this point you can ignore it.

Thanks Tom.

looks like everything is working fine. thank you tom!

1 Like