LarsCarlsson
Cadet
- Joined
- Feb 21, 2016
- Messages
- 4
Hi,
I am trying to set up an OpenVPN server on my FreeNAS within a jail to allow off-site clients to access the storage over the internet. I would like to set it up so that only traffic from the client that is towards the FreeNAS is routed over the VPN connection, nothing more, and not the general internet traffic.
I have been following this guide to the best of my ability.
10.0.0.0 /24 is my regular home network
10.0.0.1 /24 is my router
10.0.0.100 /24 is my FreeNAS
10.0.0.103 /24 is my OpenVPN-jail
10.0.1.0 /24 is the network where the VPN-clients will end up
Port 1194 is forwarded on my router towards 10.0.0.103.
Clients can connect to the VPN server from any off-site location without any problem. From this I draw the conclusion that my keys, certificates and port forwarding are working correctly. But nothing else works. Clients can’t access any of the services running on my FreeNAS. They can neither ping any nodes on the 10.0.0.0 /24 network nor can they ping 10.0.1.1, which is supposed to be the VPN server address within the 10.0.1.0 /24 network.
I suspect that I have got something wrong in my configuration, but figuring out what exceeds my ability. If someone had the time to look into it I would be grateful. Maybe it is something really simple.
My server configuration file looks like this:
openvpn.config
Code:
port 1194
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/server.crt
key /mnt/openvpn/keys/server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.0.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.103 255.255.255.0 10.0.1.1
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
And the clients configuration file:
client.ovpn
Code:
remote [my-dyndns-address] 1194
client
remote-cert-tls server
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
float
ca ca.crt
cert [client-name].crt
key [client-name].key
The file “/etc/rc.conf” looks like this:
Code:
portmap_enable="NO"
sshd_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
The file “/usr/local/etc/ipfw.rules” is set up like the following:
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.0.1.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
When a client connects the following output writes in to openvpn.log:
Code:
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] TLS: Initial packet from [AF_INET][client-internet-ip]:[client-port], sid=6226da1c 57c47941
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] VERIFY OK: depth=1, C=[contry], ST=[state], L=[city], O=[organisation], CN=[client-name], emailAddress=
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] VERIFY OK: depth=0, C=[contry], ST=[state], O=[organisation], CN=[client-namn], emailAddress=[email]
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Apr 2 17:28:43 2016 [client-internet-ip]:[client-port] [[client-namn]] Peer Connection Initiated with [AF_INET][client-internet-ip]:[client-port]
Sat Apr 2 17:28:43 2016 [client-namn]/[client-internet-ip]:[client-port] MULTI_sva: pool returned IPv4=10.0.1.6, IPv6=(Not enabled)
Sat Apr 2 17:28:43 2016 [client-namn]/[client-internet-ip]:[client-port] MULTI: Learn: 10.0.1.6 -> [client-namn]/[client-internet-ip]:[client-port]
Sat Apr 2 17:28:43 2016 [client-namn]/[client-internet-ip]:[client-port] MULTI: primary virtual IP for [client-namn]/[client-internet-ip]:[client-port]: 10.0.1.6
Sat Apr 2 17:28:46 2016 [client-namn]/[client-internet-ip]:[client-port] PUSH: Received control message: 'PUSH_REQUEST'
Sat Apr 2 17:28:46 2016 [client-namn]/[client-internet-ip]:[client-port] send_push_reply(): safe_cap=940
Sat Apr 2 17:28:46 2016 [client-namn]/[client-internet-ip]:[client-port] SENT CONTROL [[client-namn]]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 10.0.1.1,topology net30,ping 10,ping-restart 120,ifconfig 10.0.1.6 10.0.1.5' (status=1)
Sat Apr 2 17:28:56 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 42
Sat Apr 2 17:29:07 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 42
Sat Apr 2 17:29:21 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 42
Sat Apr 2 17:29:21 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:23 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:24 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:24 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:27 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:28 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:34 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:34 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:44 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 42
Sat Apr 2 17:29:45 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:48 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:52 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:52 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:54 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:55 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:29:55 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:30:01 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:30:02 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 69
Sat Apr 2 17:30:12 2016 [client-namn]/[client-internet-ip]:[client-port] Bad LZO decompression header byte: 42
//LarsCarlsson
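The log above already contains the diagnostic clues a reviewer would look for: the server warns that `comp-lzo` is missing on the remote side, the repeated "Bad LZO decompression header byte" lines follow directly from that, the `route 10.0.0.103 255.255.255.0` directive names a host address with a /24 mask, and the data channel negotiates the 64-bit-block cipher BF-CBC with a 1024-bit RSA key. The following script is an added example (not from the post, and not the poster's files) that parses OpenVPN server and client configs plus log lines and reports exactly those mismatches. The embedded server config, client config and log lines are constructed to mirror the post, with the same placeholders; the function names are my own.

```python
"""Consistency checks for an OpenVPN server/client config pair and server log.
Added example modelled on the forum post; the inputs are constructed."""
import ipaddress
import re
import shlex

# Constructed to mirror the posted files (trimmed to the relevant directives).
SERVER_CONF = """
port 1194
proto udp
dev tun
dh /mnt/openvpn/keys/dh1024.pem
server 10.0.1.0 255.255.255.0
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.103 255.255.255.0 10.0.1.1
comp-lzo
"""

CLIENT_CONF = """
remote [my-dyndns-address] 1194
client
remote-cert-tls server
dev tun
proto udp
"""

# Constructed log lines in the format the post shows (placeholders kept).
LOG_LINES = [
    "Sat Apr 2 17:28:43 2016 [client-ip]:[port] WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'",
    "Sat Apr 2 17:28:43 2016 [client-ip]:[port] WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'",
    "Sat Apr 2 17:28:43 2016 [client-ip]:[port] Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Sat Apr 2 17:28:43 2016 [client-ip]:[port] Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Sat Apr 2 17:28:43 2016 [client-ip]:[port] Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA",
    "Sat Apr 2 17:28:56 2016 [client]/[client-ip]:[port] Bad LZO decompression header byte: 42",
    "Sat Apr 2 17:29:07 2016 [client]/[client-ip]:[port] Bad LZO decompression header byte: 69",
]

# 64-bit block ciphers: small block size makes long-lived tunnels a bad fit.
WEAK_BLOCK64 = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}


def parse_conf(text):
    """Parse an OpenVPN config into (directive, args) pairs; '#'/';' start comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps the quoted argument of push together
        entries.append((parts[0], parts[1:]))
    return entries


def has_directive(conf, name):
    return any(d == name for d, _ in conf)


def check_compression(server, client):
    """comp-lzo must match on both ends; one-sided compression makes the
    other side misread packet framing ('Bad LZO decompression header byte')."""
    s, c = has_directive(server, "comp-lzo"), has_directive(client, "comp-lzo")
    if s == c:
        return None
    return "comp-lzo set on %s only" % ("server" if s else "client")


def check_routes(server):
    """Flag route / push route entries whose address has host bits set for the
    given mask (a single host would use mask 255.255.255.255)."""
    entries = []
    for d, args in server:
        if d == "route":
            entries.append(args)
        elif d == "push" and args and args[0].startswith("route "):
            entries.append(args[0].split()[1:])
    findings = []
    for args in entries:
        if len(args) < 2:
            continue
        net, mask = args[0], args[1]
        try:
            ipaddress.ip_network(f"{net}/{mask}")  # strict by default
        except ValueError:
            fixed = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            findings.append(f"route {net} {mask}: host bits set (network is {fixed})")
    return findings


def check_log(lines):
    """Summarise option mismatches, weak crypto and LZO framing errors."""
    findings, lzo_errors = set(), 0
    for line in lines:
        m = re.search(r"WARNING: '([^']+)' is (?:used inconsistently|"
                      r"present in local config but missing in remote config)", line)
        if m:
            findings.add(f"option mismatch: {m.group(1)}")
        m = re.search(r"Cipher '([^']+)' initialized", line)
        if m and m.group(1) in WEAK_BLOCK64:
            findings.add(f"weak data-channel cipher: {m.group(1)}")
        m = re.search(r"(\d+) bit RSA", line)
        if m and int(m.group(1)) < 2048:
            findings.add(f"RSA key below 2048 bits: {m.group(1)}")
        if "Bad LZO decompression header byte" in line:
            lzo_errors += 1
    if lzo_errors:
        findings.add(f"LZO decompression errors: {lzo_errors}")
    return sorted(findings)


def run_all():
    server, client = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    return {
        "compression": check_compression(server, client),
        "routes": check_routes(server),
        "log": check_log(LOG_LINES),
    }


if __name__ == "__main__":
    for key, value in run_all().items():
        print(key, value)
```

The checks are deliberately read-only: they parse files and logs and print findings, so they can run against a copy of a jail's config without touching the running service. Whether to drop `comp-lzo` on the server or add it on the client is a policy choice; what the script establishes is that the two sides currently disagree, which is enough to explain the LZO errors.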