Differences

This shows you the differences between two versions of the page.

--- torrenting-with-thick-vnet-jail-on-freebsd [2026-02-23 08:12:41] – created hyperreal
+++ torrenting-with-thick-vnet-jail-on-freebsd [2026-03-14 20:20:27] (current) – removed hyperreal
@@ Line 1: / Line 1: @@
-====== Setup a thick VNET jail on FreeBSD ======
-===== Setup the VNET bridge =====
-Create the bridge.
-<code bash>
-ifconfig bridge create
-</code>
-Attach the bridge to the main network interface. ''%%igc0%%'' in this case. For some reason, the resulting bridge device is named ''%%igb0bridge%%'', rather than ''%%bridge0%%''.
-<code bash>
-ifconfig igb0bridge addm igc0
-</code>
-To make this persistent across reboots, add the following to ''%%/etc/rc.conf%%''.
-<code bash>
-defaultrouter="10.0.0.1"
-cloned_interfaces="igb0bridge"
-ifconfig_igc0bridge="inet 10.0.0.8/24 addm igc0 up"
-</code>
-===== Create the classic (thick) jail =====
-Create the ZFS datasets for the jails. We’ll use ''%%basejail%%'' as a template for subsequent jails.
-<code bash>
-zfs create -o mountpoint=/jails naspool/jails
-zfs create naspool/jails/basejail
-</code>
-Use the ''%%bsdinstall%%'' utility to bootstrap the base system to the ''%%basejail%%''.
-<code bash>
-export DISTRIBUTIONS="base.txz"
-export BSDINSTALL_DISTSITE=https://download.freebsd.org/ftp/releases/amd64/14.2-RELEASE/
-bsdinstall jail /jails/basejail
-</code>
-Run ''%%freebsd-update%%'' to update the base jail.
-<code bash>
-freebsd-update -b /jails/basejail fetch install
-freebsd-update -b /jails/basejail IDS
-</code>
-We now snapshot the ''%%basejail%%'' and create a clone of this snapshot for the ''%%torrenting%%'' jail that we will use for Anna’s Archive.
-<code bash>
-zfs snapshot naspool/jails/basejail@`freebsd-version`
-zfs clone naspool/jails/basejail@`freebsd-version` naspool/jails/torrenting
-</code>
-We now use the following configuration for ''%%/etc/jail.conf%%''.
-<code bash>
-torrenting {
-    exec.consolelog = "/var/log/jail_console_${name}.log";
-    allow.raw_sockets;
-    exec.clean;
-    mount.devfs;
-    devfs_ruleset = 11;
-    path = "/jails/${name}";
-    host.hostname = "${name}";
-    vnet;
-    vnet.interface = "${epair}b";
-    $id = "127";
-    $ip = "10.0.0.${id}/24";
-    $gateway = "10.0.0.1";
-    $bridge = "igb0bridge";
-    $epair = "epair${id}";
-    exec.prestart = "/sbin/ifconfig ${epair} create up";
-    exec.prestart += "/sbin/ifconfig ${epair}a up descr jail:${name}";
-    exec.prestart += "/sbin/ifconfig ${bridge} addm ${epair}a up";
-    exec.start += "/sbin/ifconfig ${epair}b ${ip} up";
-    exec.start += "/sbin/route add default ${gateway}";
-    exec.start += "/bin/sh /etc/rc";
-    exec.stop = "/bin/sh /etc/rc.shutdown";
-    exec.poststop = "/sbin/ifconfig ${bridge} deletem ${epair}a";
-    exec.poststop += "/sbin/ifconfig ${epair}a destroy";
-}
-</code>
-Now we create the devfs ruleset to enable access to devices under ''%%/dev%%'' inside the jail. Add the following to ''%%/etc/devfs.rules%%''.
-<code bash>
-[devfsrules_jail_vnet=11]
-add include $devfsrules_hide_all
-add include $devfsrules_unhide_basic
-add include $devfsrules_unhide_login
-add include $devfsrules_jail
-add path 'tun*' unhide
-add path 'bpf*' unhide
-</code>
-Enable the ''%%jail%%'' utility in ''%%/etc/rc.conf%%''.
-<code bash>
-sysrc jail_enable="YES"
-sysrc jail_parallel_start="YES"
-</code>
-Start the jail service for torrenting jail.
-<code bash>
-service jail start torrenting
-</code>
-===== Setting up Wireguard inside the jail =====
-Since we have the ''%%/dev/tun*%%'' devfs rule, we now need to install Wireguard inside the jail.
-<code bash>
-jexec -u root torrenting
-pkg install wireguard-tools wireguard-go
-</code>
-Download a Wireguard configuration for ProtonVPN, and save it to ''%%/usr/local/etc/wireguard/wg0.conf%%''.
-Enable Wireguard to run when the jail boots up.
-<code bash>
-sysrc wireguard_enable="YES"
-sysrc wireguard_interfaces="wg0"
-</code>
-Start the Wireguard daemon and make sure you are connected to it properly.
-<code bash>
-service wireguard start
-curl ipinfo.io
-</code>
-The curl command should display the IP address of the Wireguard server defined in ''%%/usr/local/etc/wireguard/wg0.conf%%''.
-===== Setting up qBittorrent inside the jail =====
-Install the qbittorrent-nox package.
-<code bash>
-pkg install -y qbittorrent-nox
-</code>
-Before running the daemon from ''%%/usr/local/etc/rc.d/qbittorrent%%'', we must run the qbittorrent command from the shell so that we can see the default password generated for the web UI. For some reason it is not shown in any logs, and the qbittorrent nox manpage wrongly says the password is “adminadmin”.
-<code bash>
-pkg install -y sudo
-sudo -u qbittorrent qbittorrent-nox --profile=/var/db/qbittorrent/conf --save-path=/var/db/qbittorrent/Downloads --confirm-legal-notice
-</code>
-Copy the password displayed after running the command. Login to the qBittorrent web UI at http://10.0.0.127:8080 with login ''%%admin%%'' and the password you copied. In the web UI, open the options menu and go over to the Web UI tab. Change the login password to your own. Save the options to close the menu.
-Now press ''%%CTRL-c%%'' to stop the qbittorrent-nox process. Make the following changes to the torrenting jail’s ''%%/etc/rc.conf%%''.
-<code bash>
-sysrc qbittorrent_enable="YES"
-sysrc qbittorrent_flags="--confirm-legal-notice"
-</code>
-Enable the qBittorrent daemon.
-<code bash>
-service qbittorrent start
-</code>
-Go back to the web UI at http://10.0.0.127:8080. Go to the options menu and go over to the Advanced tab, which is the very last tab. Change the network interface to ''%%wg0%%''.
-===== Finding the forwarded port that the ProtonVPN server is using =====
-Install the libnatpmp package.
-Make sure that port forwarding is allowed on the server you’re connected to, which it should be if you enabled it while creating the Wireguard configuration on the ProtonVPN website. Run the ''%%natpmpc%%'' command against the ProtonVPN Wireguard gateway.
-<code bash>
-natpmpc -g 10.2.0.1
-</code>
-If the output looks like the following, you’re good.
-<code bash>
-initnatpmp() returned 0 (SUCCESS)
-using gateway : 10.2.0.1
-sendpublicaddressrequest returned 2 (SUCCESS)
-readnatpmpresponseorretry returned 0 (OK)
-Public IP address : 62.112.9.165
-epoch = 58081
-closenatpmp() returned 0 (SUCCESS)
-</code>
-Now create the UDP and TCP port mappings, then loop natpmpc so that it doesn’t expire.
-<code bash>
-while true ; do date ; natpmpc -a 1 0 udp 60 -g 10.2.0.1 && natpmpc -a 1 0 tcp 60 -g 10.2.0.1 || { echo -e "ERROR with natpmpc command \a" ; break ; } ; sleep 45 ; done
-</code>
-The port allocated for this server is shown on the line that says “Mapped public port XXXXX protocol UDP to local port 0 lifetime 60”. Port forwarding is now activated. Copy this port number and, in the qBittorrent web UI options menu, go to the Connections tab and enter it into the “Port used for incoming connections” box. Make sure to uncheck the “Use UPnP/NAT-PMP port forwarding from my router” box.
-If the loop terminates, you’ll need to re-run this loop script each time you start a new port forwarding session or the port will only stay open for 60 seconds.
-===== P2P NAT port forwarding script with supervisord =====
-Install supervisord.
-<code bash>
-sudo pkg install -y py311-supervisor
-</code>
-Enable the supervisord service.
-<code bash>
-sudo sysrc supervisord_enable="YES"
-</code>
-Edit ''%%/usr/local/etc/supervisord.conf%%'', and add the following to the bottom of the file.
-<code bash>
-[program:natpmpcd]
-command=/usr/local/bin/natpmpcd
-autostart=true
-</code>
-Add the following contents to a file at ''%%/usr/local/bin/natpmpcd%%''.
-<code bash>
-#!/bin/sh
-port=$(/usr/local/bin/natpmpc -a 1 0 udp 60 -g 10.2.0.1 | grep "Mapped public port" | awk '{print $4}')
-echo $port | tee /usr/local/etc/natvpn_port.txt
-while true; do
-    date
-    if ! /usr/local/bin/natpmpc -a 1 0 udp 60 -g 10.2.0.1 && /usr/local/bin/natpmpc -a 1 0 tcp 60 -g 10.2.0.1; then
-        echo "error Failure natpmpc $(date)"
-        break
-    fi
-    sleep 45
-done
-</code>
-Ensure the script is executable with ''%%chmod +x /usr/local/bin/natpmpcd%%''.
-supervisord will start the above shell script automatically. Ensure supervisord service is started.
-<code bash>
-sudo service supervisord start
-</code>
-The script will print out the forwarded port number at ''%%/usr/local/etc/natvpn_port.txt%%''.
-<code bash>
-cat /usr/local/etc/natvpn_port.txt
-</code>