Easy way to get Unraid on VPN via PIA?



This is my first go at Unraid. I've managed to convert most of my Windows Plex/Sonarr/Couchpotato/Nzbget/rutorrent functionality to Unraid, but I'm still lacking a reasonably easy VPN solution. I'm also working full time, and moving to Unraid has taken a lot of hours of work and I'm down to 6 days. Previously I just ran the PIA VPN client on my Windows install, and it was as simple as running the software client and setting it to start up and autoconnect. The goal of the VPN is to have VPN on all the indexer traffic. I have no need to access Unraid from outside my network.

 

I've read several threads on OpenVPN on Unraid and most seem outdated/for older versions of Unraid. I'd like someone to at least point me in the current right direction on VPN, because on Unraid it seems like the most complicated part of the setup. I want a solution where my local network can still connect to all those wonderful web interfaces and all the Unraid traffic goes through PIA. I've read about the OpenVPN Client Plugin and I have that installed, but I couldn't find any instructions on how to set it up. I've read about using pfSense and routing all Unraid traffic through that, but again, the documentation seems limited/outdated, or it's just a far over-engineered solution for what I should need.

 

So far my only working solution is running PIA through my DD-WRT router and using Policy Based Routing within the DD-WRT OpenVPN client to make it only route the Unraid IP, which was surprisingly easy to set up, and I can still access Unraid just fine from the rest of the network. The problem is my single-core 800 MHz router is maxing out around 6 Mbps instead of the 120 it should hit. I don't need max WAN bandwidth on the Unraid server, but I need more than 6 Mbps and I don't want a bunch of potential LAN latency from maxing out the router. To do that I will have to buy something like a WRT1200 for 140 dollars, which would still be underpowered to hit 100 Mbps, and I still have to buy the Unraid license. My Unraid experiment is getting a bit expensive. On the other hand a new router wouldn't be the worst thing since my Wi-Fi is kind of weak, but it's not something I had planned to need.

 

Obviously Unraid should just run OpenVPN somehow with all my wonderful Xeon CPU power, and the simple policy based routing I used in DD-WRT should be very simple to set up via Unraid and far easier to update. I think jumping into Unraid at 6.3 is only a semi-ideal time, but a lot of the documentation and perhaps some features are not smoothed out yet. Of course, as a total newbie to Unraid and the community I'm just guessing at that. I'm also considering just building a Linux mergerFS/SnapRAID solution which would give me more flexibility and security, but I like Unraid, and if it meets my needs and isn't too much work I'm willing to buy it. Right now with my FCC run by crazy people who think the ISP service I PAY for should have the same 'rights' to spy on me as Google's free data-mining-fueled services, I really require VPN.

 

When you consider dockers vs VPN, I think VPN is more important than app compartmentalization. App compartmentalization is mostly a theoretical security measure; we don't really have reports of exploits accomplishing much via our apps, but we have PLENTY of reason to run VPN. ISP spying and throttling are a known and real problem that impacts hundreds of thousands of people at least, so having an easy-to-set-up VPN option should be a fairly top priority because it's the bigger likely threat. Many people, like me, only have one ISP choice.

 

Is there an easy way to get VPN access to PIA working? I don't need any remote access or VPN access. All I want is to hide IP endpoints from the ISP. The encryption isn't even what I'm concerned about. SSL is nice and all, but it does nothing to really hide where all that bandwidth is going.

 

Thanks

 

 


Sweet! I had no idea I could route other apps through the built-in VPNs of the dockers. I installed DelugeVPN and set Sonarr and Couchpotato to point to localhost:8118 using their WebGUI. That seems to be working in the sense that they can still grab files and pass them to Nzbget, though I can't really confirm they are going through the VPN because I'm too newb at Linux.

 

A couple questions:

 

1) How would I get Nzbget or Jackett through Privoxy? I don't see any proxy setting field.

 

2) Does Deluge require the proxy settings to the Privoxy or is that built into the VPN container?

 

3) If the VPN connection drops, will apps routed through Privoxy just time out, or will they fail over to normal non-VPN operation?

 

4) Is there any way to check that the traffic is running through the VPN, or do I just check the log and assume it's working?

 

Thanks again, that saved me tons of time. 

 

Here is a bit of the log from the DelugeVPN docker. I think it's saying it's routing traffic through 172.17.0.9. Is that correct?

 


2017-05-10 09:07:30,295 DEBG 'start-script' stdout output:
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.9
192.168.1.0/24 via 172.17.0.1 dev eth0

2017-05-10 09:07:30,295 DEBG 'start-script' stdout output:
--------------------

2017-05-10 09:07:30,299 DEBG 'start-script' stdout output:
[info] iptable_mangle support detected, adding fwmark for tables

2017-05-10 09:07:30,314 DEBG 'start-script' stdout output:
[info] Docker network defined as 172.17.0.0/16

2017-05-10 09:07:30,355 DEBG 'start-script' stdout output:
[info] iptables defined as follows...
--------------------

2017-05-10 09:07:30,356 DEBG 'start-script' stdout output:
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1198 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 58846 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 58846 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 192.168.1.0/24 -o eth0 -p tcp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Edited by moejama
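Questions 3 and 4 above can be answered from the ruleset the container printed, so here is an added example (not from the thread or from the DelugeVPN image) that parses that `iptables -S` dump, copied verbatim as the sample input, and reports what it permits. It shows that the OUTPUT chain's default policy is DROP, so when tun0 goes away apps using the container's proxy fail closed (they time out rather than falling back to the bare ISP link), and it lists the ACCEPT rules that can send packets somewhere other than the tunnel: the UDP 1198 VPN handshake on eth0, the web UI and daemon ports to the LAN, and two rules (UDP 53 and ICMP echo) that are not bound to any interface and therefore match on eth0 as well as tun0. The parser assumes the rule option subset seen in the dump; it does not contact the network, so the definitive Q4 check (comparing the public IP seen through the proxy with the one seen directly) is still something to run by hand.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the `iptables -S` dump from the post above, copied verbatim.
IPTABLES_DUMP = """\
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i tun0 -j ACCEPT
-A INPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 1198 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 58846 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -d 172.17.0.0/16 -i eth0 -p tcp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 172.17.0.0/16 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 1198 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 8112 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 8112 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -o eth0 -p tcp -m tcp --sport 58846 -j ACCEPT
-A OUTPUT -s 172.17.0.0/16 -d 192.168.1.0/24 -o eth0 -p tcp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
"""


@dataclass
class Rule:
    chain: str
    target: str = ""
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    raw: str = ""


# Single-argument options we care about, mapped to the Rule field they fill.
# Anything else (-m udp, --icmp-type 8, ...) is skipped token by token.
_OPTS = {"-j": "target", "-i": "in_if", "-o": "out_if", "-p": "proto",
         "--sport": "sport", "--dport": "dport", "-s": "src", "-d": "dst"}


def parse_iptables_s(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Parse `iptables -S` output into {chain: policy} and a list of Rule objects."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "-P":          # -P CHAIN POLICY
            policies[tokens[1]] = tokens[2]
            continue
        if tokens[0] != "-A":          # only append rules appear in this dump
            continue
        rule = Rule(chain=tokens[1], raw=line)
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok in _OPTS and i + 1 < len(tokens):
                setattr(rule, _OPTS[tok], tokens[i + 1])
                i += 2
            else:
                i += 1
        rules.append(rule)
    return policies, rules


def has_kill_switch(policies: Dict[str, str]) -> bool:
    """True when unmatched outbound packets are dropped: a dead tunnel fails closed."""
    return policies.get("OUTPUT") == "DROP"


def egress_exceptions(rules: List[Rule], vpn_if: str = "tun0",
                      docker_net: str = "172.17.0.0/16") -> List[Rule]:
    """OUTPUT ACCEPT rules that can send traffic somewhere other than the tunnel or loopback,
    ignoring container-to-container traffic inside the Docker network."""
    out = []
    for r in rules:
        if r.chain != "OUTPUT" or r.target != "ACCEPT":
            continue
        if r.out_if in (vpn_if, "lo"):
            continue
        if r.src == docker_net and r.dst == docker_net:
            continue
        out.append(r)
    return out


def unbound_exceptions(rules: List[Rule]) -> List[Rule]:
    """Exceptions with no -o interface at all; these match on eth0 just as on tun0."""
    return [r for r in egress_exceptions(rules) if r.out_if is None]


if __name__ == "__main__":
    pol, rl = parse_iptables_s(IPTABLES_DUMP)
    print("OUTPUT fails closed when tun0 is down:", has_kill_switch(pol))
    for r in egress_exceptions(rl):
        print("  egress allowed via", r.out_if or "any interface", ":", r.raw)
```

Run it as-is to see the exception list; to check a live container, pipe `iptables -S` from inside it into `parse_iptables_s` instead of the embedded string. The two interface-unbound rules are worth knowing about: they are what lets the container resolve the VPN endpoint before the tunnel exists, and they are also the rules to tighten if you want DNS pinned to the tunnel once it is up.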