Turn Your FreeNAS Box Into The Ultimate Anonymous Downloading Machine

A low-powered home server is one of the best ways to download files using BitTorrent and Usenet, but if you want to minimise legal hassles you need to anonymise your traffic. Here's how to turn your FreeNAS box into the ultimate downloading machine so you can download safely and monitor its activity from anywhere.

Reminder: downloading and sharing material you don't own the copyright to is illegal. The decision on whether you do that is entirely up to you.

We've shown you how to turn an old computer into a networked backup, streaming and torrenting machine with FreeNAS. We've also shown you how to take that macjine to the next level by installing Usenet and media management programs on it. But even with all that power, our downloading machine is missing a few things:

  • A VPN service that can anonymise all our traffic to keep it safe from prying eyes;
  • A method of monitoring our system from the internet, so you can keep track from another machine or a mobile phone.

In this guide, we'll show you how to add both of these features, turning your home server into the ultimate anonymous downloading machine.

Note: If you're just starting out, we recommend checking out our other FreeNAS guides first. Our original guide will show you how to set up FreeNAS 7, while our second guide will show you how to install programs manually, using Usenet as an example. Keep in mind that, while we're still referring to it as FreeNAS to keep some consistency with earlier guides, these guides use the FreeNAS 7 project, now known as NAS4Free, instead of the more recent FreeNAS 8. This guide should work whether you have an old FreeNAS 7 box or a new NAS4Free box — they're essentially the same piece of software.

Set Up A VPN For Anonymous Downloading

We've said it before, and we'll say it again: the only way to stay anonymous is by using a proxy or VPN service. Yes, that costs money — typically around $US10 a month or so — but these days, you shouldn't download without one. Unfortunately, FreeNAS doesn't come with a VPN, so you'll need to set it up from scratch. Fortunately, that isn't too hard — you just need to find a VPN service that works for you.

What You Should Look For In A VPN

There are a lot of fine VPN services out there, and everyone has different needs, so you'll want to find one that works for you. Here are potential features to look for:

  • OpenVPN support without plain-text authentication. Most VPNs support OpenVPN — which is what we'll be using on our NAS — but many of them require you to store your username and password in a plain text file. Not only is this insecure, it requires additional features make the installation more complicated. If you're considering a VPN service, check its guides on how OpenVPN operates. There won't usually be any guides for FreeBSD, but the Linux guide should be a good example. If the service requires some sort of password.txt file rather than a .key file, you'll want to look elsewhere.
  • Support for port forwarding is essential for monitoring your machine from other devices. Without this option, you won't be able to specify which ports on the VPN go to your NAS. Check your VPN's FAQ to see if it supports port forwarding if you want to use Dynamic DNS (and note that this is different from the port forwarding on your router — it's a built-in feature of the VPN service itself).
  • BitTorrent support. Some privacy servers have clauses against using their services for BitTorrent. If you're using BitTorrent on your NAS, you obviously want to make sure your VPN allows it.
  • Other privacy features depending on your needs. If you're aiming for anonymity, you should obviously look for a VPN client that doesn't log activity, but you may also want one that accepts Bitcoin payments or is routed through a specific country to enable access to content from that country.

In this guide, we'll be using a VPN service called Mullvad as an example. It works well, but I strongly recommend you research other VPN services that fit your specific needs. Photo by Pavel Ignatov (Shutterstock).

Step One: Set Up A Jail For Installing New Programs

We'll need to install OpenVPN from the FreeBSD command line, in the same way we did with SABnzbd and Sick Beard in our previous guide. Before you do this, you'll need to set up a "jail" on your system, which allows you to install programs on one of your NAS' drives (since our FreeNAS installation resides on a flash drive).

If you followed our guide to setting up SABnzbd and Sick Beard, you can skip this step and move on to step two of this guide, since you've already done all of this.

First, SSH into your NAS. Windows users should download PuTTY, and type in the IP address of your NAS on the main page. You'll want to log in as root and type in the password you created for yourself when you set up the NAS. If you're on OS X, type this command into the Terminal and press Enter.

ssh -l root

In this example, should be changed the IP address of your NAS.

Once you've logged in as root, you'll need to create a few folders and mount them, using the following commands. Replace SEAGATE with the drive on your NAS where you'll store the programs.

cd /mnt/SEAGATE

mkdir extensions

cd extensions

mkdir var

mkdir usr

mkdir tmp

mount_unionfs -o w /mnt/SEAGATE/extensions/usr/ /usr/

umount -f /var

mount_unionfs -o w /mnt/SEAGATE/extensions/var/ /var/

This puts your usr, var and tmp folders on an actual hard drive where you'll be allowed to install programs that don't come with your NAS. You'll want to run a few of these every time you start up your NAS from now on, so head to your NAS' web interface and go to System > Advanced > Command Scripts and add the following command to the list as a PostInit script:

mount_unionfs -o w /mnt/Media/extensions/usr/ /usr/

When you're done, head to step two.

Step Two: Install OpenVPN

We're going to use OpenVPN to connect to our VPN service. Assuming you're running the newest version of NAS4Free, which is based on FreeBSD 9, run the following commands:

setenv PKG_TMPDIR /mnt/SEAGATE/extensions/tmp/

setenv PACKAGESITE "ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-9-current/Latest/"

pkg_add -rv openvpn

If you're using an older version of FreeNAS, check which version of FreeBSD it's based on from the home page of the Web interface. The chances are good that it's FreeBSD 7.3, in which case you'll want to install OpenVPN with the following commands instead:

setenv PKG_TMPDIR /mnt/SEAGATE/extensions/tmp/

setenv PACKAGESITE "http://ftp6.us.freebsd.org/pub/FreeBSD-Archive/ports/i386/packages-7.3-release/Latest/"

pkg_add -rv openvpn

NAS configurations often differ, so make sure you're installing the correct package for your NAS' software. You'll also want to replace i386 with amd64 if your NAS is 64-bit.

Step Three: Set Up OpenVPN With Your VPN Service

This is the trickiest part. For this step, you need to head to your VPN provider's web site and look up its OpenVPN guide. It should have a ZIP file you can download with a config file and some certificates inside. With Mullvad, for example, you get a ZIP with a config file for Windows and Linux, as well as a .key file and a few .crt files.

First, we're going to edit our config file. Open it up in your favourite text editor (the Linux one is best, if it exists) and take a peek inside. It should look something like this:


dev tun

proto udp

remote openvpn.mullvad.net 1194

resolv-retry infinite




ca master.mullvad.net.crt

cert mullvad.crt

key mullvad.key

remote-cert-tls server


verb 3

ping-restart 120

ping 10

Usually it will have some instructions inside, too, so you know what each setting does. Most of the defaults should be fine, but if you have any trouble, try some of the above settings and see if they work (obviously using your VPN's server under remote and the correct file names under ca, cert and or key.

When you're done, SSH back into your NAS and run the following command:

mkdir /mnt/SEAGATE/extensions/usr/local/etc/openvpn

Rename your configuration file to openvpn.conf and drag it into your newly-created folder, along with any .crt and .key files that came with it. You may need to drag them to /mnt/SEAGATE first, then use the FreeNAS File Manager (Advanced > File Manager from the Web interface) to copy them to /mnt/SEAGATE/extensions/usr/local/etc/openvpn.

Lastly, open up your NAS' web interface and head to System > Advanced > rc.conf and add the following variables:

openvpn_enable with a value of YES

openvon_if with a value of tun

Once you've saved those variables, continue to the next step to try running OpenVPN for the first time.

Step Four: Start OpenVPN

Once all your config files are in place and your ports are forwarded, it's time to try running OpenVPN for the first time. Open up your NAS' web interface and go to Advanced > Command. Type the following command into the "Command" box and press Execute:

/usr/local/etc/rc.d/openvpn start /usr/local/etc/openvpn/openvpn.conf

Then, head to Diagnostics > Log to see if your VPN works properly. You should see a big wall of text, ending with something like openvpn[1234]: Initialization Sequence Completed. (You may need to refresh your log a few times before it shows up, as it will take a few seconds for the VPN to start). If everything looks OK, SSH back into your NAS and try ping www.google.com again. If it works, you've successfully set up a VPN on your NAS!

If it didn't work, you may need to change some settings in your config file. Look for any errors you see in your log and try it again. If OpenVPN is running but you can't connect, you'll need to go to Advanced > Command and run kill 1234 before trying again, where 1234 is the process ID of OpenVPN. You'll see this in the log; note it will change every time you restart OpenVPN.

This is the hardest part of the process, and troubleshooting the problem will require different steps depending on your VPN service and the other software you have running on your NAS. Don't give up, and make sure to follow all the instructions from your provider to the letter to get everything working. If you're using BitTorrent, now would be a good time to check your torrent client's IP using CheckMyTorrentIP.com, as described in step three of our BitTorrent anonymisation guide. If you get your VPN's IP, then you've successfully set up an anonymous downloading NAS!

Step Five: Set Up Your Firewall

The last thing you should do, once your VPN is up and running, is set up a firewall on your NAS that blocks all traffic except your VPN connection. That way, if your VPN goes down, your NAS won't fall back on your regular connection, which can expose your actual IP and destroy any anonymity you may have had.

In your NAS' web interface, go to Network > Firewall. Firewall settings vary, but here's a template you can use to create your rules:

Click on the image for a closer look. Going number by number in the image, here's what each set of rules does:

  1. This rule allows all local traffic on your network. That way, no matter what happens, you can still access your NAS and its web interface from your other computers.
  2. These two rules enable your DNS connection, which usually travels along port 53.
  3. These two rules allow your VPN to establish a connection. The rule in the screenshot assumes your VPN uses port 1194 to do so. If you use a different port in your OpenVPN config file, use that here instead.
  4. These rules allow any traffic that travels over the VPN, such as your downloading. These may be different depending on your VPN service you use. Look in the log when you connect and see what IP addresses it uses in its routes. For example, mine uses addresses like, so I added to my firewall to allow any connections from that range of IP addresses.
  5. These rules allow multicast connections, which your NAS will need if it uses services like Bonjour to connect to other computers on your home network. Not everyone needs these open, but you may — if you don't add these rules, you'll generally just see a few minor errors in your log from time to time.
  6. These two rules allow DHCP, if your NAS uses it. If you have a static IP, you don't need this rule.
  7. Lastly, this rule denies all other traffic that doesn't match the above rules. For our purposes, this basically means all traffic that doesn't go through the VPN. If your VPN goes down, your NAS won't be able to access the internet, and everyone trying to peep on your downloading will not be able to see who you are.

Again, your firewall may differ in some of the details, but this is a good place to start. Click the Plus sign to add each individual rule, and when you're done, check the Enable box and click "Save and Restart" in the bottom left corner. Head back to your SSH window and try to ping www.google.com again, first with OpenVPN running, and then after you've killed OpenVPN as described in step four. The ping should work correctly when OpenVPN is running, and return errors when OpenVPN isn't running. Again, if it doesn't work correctly, you may have to fiddle with some settings until you get it right.

Once everything's working properly, give yourself a pat on the back, because you've now anonymised all the traffic coming in and out of your NAS! It's not an easy process, especially because it's a little different for everyone, but it can be done.

Monitor Your Downloads With Dynamic DNS

So you've got yourself a kickass downloading machine, but what happens when you're out and about and come across a file you'd like to download? Or maybe you want to check in on your server and see what TV shows you've downloaded or ripped to your home theatre PC? By default, you can't access your NAS from outside your home network, but a few tweaks make that possible.

Step One: Sign Up For A Dynamic DNS Service

We've talked about how to do this before, and the process is pretty similar with your NAS. To start, you'll want to sign up for a service such as DynDNS or No IP, which will give your home network an easy-to-remember domain name like myawesomenas.dynalias.org. This makes your NAS easier to connect to from the outside world, and ensure you don't need to memorize a bunch of different IP addresses. Most of these services are free, though you can pay a fee for more advanced features.

Before you sign up, check your router's admin page to see which services your router supports. Mine only supports DynDNS, for example, so that was the one I had to use. Other routers may support different services, so check the Dynamic DNS settings of your router for more info.

Step Two: Set Up Dynamic DNS on Your Router and NAS

Once you've signed up for your service of choice, head back to your router's admin page and type your credentials and domain name into the provided boxes. This will be different for every router, but you should find it in your router's settings under "Dynamic DNS", "DDNS" or something similar.

Next, do the same thing on your NAS. Open up your NAS' web interface and go to Services > Dynamic DNS. Pick your provider, type in your domain name and credentials, then check the Enable box in the upper-right corner. Click the Save and Restart button to start the service.

Step Three: Forward Any Necessary Ports

Lastly, you'll probably need to forward a few ports on your router so your NAS is accessible from the outside world. Once again, we've talked about this before, so check our guide to port forwarding if this is the first time you've done it.

If you're using a VPN, all you need to do is forward the port that your VPN uses to connect. In our case, that's port 1194, as shown in our VPN config file. So, head to your router's configuration page and find the section for port forwarding, then forward port 1194 over the UDP protocol.

You'll also need to set up port forwarding from your VPN service's web site. Otherwise, your VPN won't know who you are when you try to connect from the outside world (since a number of other users are using the same VPN as you). Head to your VPN's home page, log in, and look for the section on port forwarding. (If you're using Mullvad, it's on the main page after you log in). Click the New button to add a new port. Your VPN service usually dictates how many you're allowed to have.

You don't get to choose which ports your VPN gives you, so after it has assigned a few ports to your account, you'll need to assign them to the services on your NAS. For example, if your VPN assigns you port 12345 after clicking "New", and you want to access your BitTorrent downloads from afar, you'll need to go into your BitTorrent settings on your NAS (Services > BitTorrent) and change the web UI's port number to 12345. If you're running other web-based services, such as Sabnzbd or Sick Beard, you'll need to assign them each their own port as well, as provided to you by your VPN service. Note that you won't be able to access your NAS' web interface from afar, since you can't customise what port it uses, but you can access everything else. Be sure to update your bookmarks with the new port numbers, too!

Step Four: Try Accessing Your NAS From Elsewhere

Lastly, try to access one of your web interfaces using your new hostname. For example, if your hostname is myawesomenas.dynalias.org and your newly-assigned BitTorrent port is 12345, you would type the following into your address bar to access it:


Again, repeat this process for any other services you have running such as SABnzbd or Sick Beard. If everything works, then congratulations! Now you can monitor your downloads, add new downloads, and otherwise keep track of your NAS from anywhere on any device.

It isn't a simple process, and it can be a little different for everyone, but all the setup is well worth it. When you're done, you'll have a quiet, low-powered machine that stays on 24/7 and downloads all your files for you, completely anonymously, with easy access from wherever you are. If you run into any problems during setup, be sure to check out the NAS4Free forums, the OpenVPN forums, the FreeBSD forums, or the comments of this post. Good luck!


    Depends how you want to expose services but I personally have ALL my web-enabled services behind a proxy running on port 80 and only this, SSH and my VPN ports are open on my router.

    I access my services by proxying on unique subdomains but you can also do it based on the path in your URL. You can even set authentication up at the proxy level - far better than exposing the ports of open-source products who may or may not have exploits in them. I'd trust Apache or nginx security over that baked into random bits of software such as Transmission, SABnzbd, Sickbeard etc. any day of the week. You're asking for trouble exposing ports of various products who's security may not be the most robust.

    I completely agree Johann. I access my SABNZBD+, Sickbeard, and Transmission through an SSL secured Apache reverse proxy with only port 443 open on my router, accessed by the path in URL method you mentioned above.

    If I need to access any other services running on my home machine I create an SSH tunnel using Back To My Mac (as explained previously on Lifehacker), which does not require any additional ports to be open on my router.

Join the discussion!

Trending Stories Right Now