How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Just FYI, Robles hasn't replied to this thread in quite some time.

See my posts around page 8 or 9 up through now. Those should get you up and running.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
I don't see maintenance mentioned in your updated post.

I'm sure this just reflects my ignorance of Jails, but …

As FreeNAS is upgraded from 9.3 to 9.4, etc., how do we upgrade the Jail? This thread seems to indicate that there may be more to it than just running pkg update.

You're probably better off just deleting and reinstalling the jail. Setup and configuration is pretty quick once you've been through it a few times.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
I made a dirty workaround for this; here's my ipfw.rules that automatically grabs the first epair interface it finds and uses that to relay all traffic through it:

Code:
#!/bin/sh
# Pick the first epair interface visible inside the jail (the jail's uplink).
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair | head -n 1)
# Start from a clean rule set, then NAT the VPN subnet out of that epair.
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}


Hope this helps!

I presume this code goes in the file /usr/local/etc/ipfw.rules

Is there some reason that you haven't updated the tutorial to incorporate this script?
 
Last edited:

nello

Patron
Joined
Dec 30, 2012
Messages
351
You're gonna have to rename tun every time you restart the service.


I added the following lines of code to the bottom of /usr/local/etc/ipfw.rules
Code:
# Pick the first tun device and give it the fixed name tun0 that the config expects.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun | head -n 1)
ifconfig ${TUN} name tun0



Now when the service (re)starts, the static route always uses the correct epair and there is always a tun0.
 
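Added example, not the thread's own script: a defensive version of the ipfw.rules workaround that combines the epair detection and the tun0 rename from the two posts above. It refuses to flush the firewall when no epair is visible (instead of loading a NAT rule on an empty interface name) and keeps the interface selection in functions that take the `ifconfig -l` output as a string, so the logic can be checked without touching ipfw. Assumptions taken from the thread: VPN subnet 10.8.0.0/24, NAT instance 1, the first epair* interface is the jail's uplink, and OpenVPN expects the device to be called tun0; the function names are mine.

```sh
#!/bin/sh
# Defensive ipfw.rules for the OpenVPN jail (added example, not from the thread).
# Assumptions: VPN subnet 10.8.0.0/24, NAT instance 1, first epair* is the
# jail's uplink, OpenVPN expects tun0.

VPN_NET="10.8.0.0/24"

# first_iface_matching "<space-separated interface list>" <prefix>
# Prints the first interface whose name starts with <prefix>; returns 1 if none.
first_iface_matching() {
    for _if in $1; do
        case $_if in
            "$2"*) printf '%s\n' "$_if"; return 0 ;;
        esac
    done
    return 1
}

# build_ipfw_rules <epair>
# Emits the rules used in this thread: VPN clients are masqueraded out of the
# jail's epair, and replies arriving on that epair go back through NAT 1.
build_ipfw_rules() {
    printf 'nat 1 config if %s\n' "$1"
    printf 'add nat 1 all from %s to any out via %s\n' "$VPN_NET" "$1"
    printf 'add nat 1 all from any to any in via %s\n' "$1"
}

# tun_to_rename "<interface list>"
# Prints the tun device that must be renamed to tun0, or nothing if the jail
# already has tun0 or has no tun device yet (OpenVPN creates it on start).
tun_to_rename() {
    _tun=$(first_iface_matching "$1" tun) || return 0
    if [ "$_tun" != "tun0" ]; then
        printf '%s\n' "$_tun"
    fi
}

# apply_rules: the only part that changes the jail. Aborts before flushing
# anything if no epair is visible.
apply_rules() {
    _ifaces=$(/sbin/ifconfig -l)
    _epair=$(first_iface_matching "$_ifaces" epair) || {
        echo "ipfw.rules: no epair interface found, leaving rules untouched" >&2
        return 1
    }
    /sbin/ipfw -q -f flush
    build_ipfw_rules "$_epair" | while read -r _rule; do
        # word-splitting of $_rule into separate ipfw arguments is intended
        /sbin/ipfw -q $_rule
    done
    _tun=$(tun_to_rename "$_ifaces")
    if [ -n "$_tun" ]; then
        /sbin/ifconfig "$_tun" name tun0
    fi
}

# Only touch the firewall where ipfw actually exists (i.e. inside the jail);
# elsewhere the helpers above can be exercised without side effects.
if [ -x /sbin/ipfw ]; then
    apply_rules
fi
```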

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Nice! I'll have to give it a shot next time.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
"Add storage so we can keep our keys in a secure place. I'll mount my storage in /mnt/openvpn inside the jail."

So far, I'm stuck on this step, adding & mounting storage inside jail for storing keys.

Can someone PLEASE provide a step-by-step instruction on how to create this directory or folder (/mnt/openvpn/keys)?

My current configuration under Jails is as follows:

Jails>>Configuration:
Jail Root: /mnt/tank/pluginjails

Jails>>Storage:
(List of installed Jails)


Your help would be greatly appreciated. Thanks.
 
Last edited:

nello

Patron
Joined
Dec 30, 2012
Messages
351
Can someone PLEASE provide a step-by-step instruction on how to create this directory or folder (/mnt/openvpn/keys)?


The instructions for creating the directory are shown just prior to the section titled OpenVPN Configuration:
Code:
[root@openvpn /usr/local/share/easy-rsa]# mkdir /mnt/openvpn/keys



Can you be more specific about what it is that you don't understand?
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Yeah, I think you're getting confused with how you normally add storage using the GUI. At this point you are completely finished with the GUI (except when you need to restart the jail).

In this instance, you are actually just creating a new directory/folder inside the openvpn storage you already created, and you can do so from the command line in PuTTY using the command Nello mentioned above.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
Thanks. I figured it out.

I have another question for you here.

In the purple network, can you explain in more detail how to build or add a virtual remote client in the OpenVPN jail?

What type of virtual remote client (VMware, Xenserver, Linux, MS windows)?


Thanks.
 

djdwosk97

Patron
Joined
Jun 12, 2015
Messages
382
If I want to add storage, what should the source/destination be? (see screenshots for jails/configs)

For lines 8, 10, and 11, what should the IPs be?
Should I replace the IP in line 8 with the internal IP of the server? The IP in line 11 with the IP of the openvpn jail? And line 10 with?
Code:
  1. port 10011
  2. proto udp
  3. dev tun
  4. ca /mnt/openvpn/keys/ca.crt
  5. cert /mnt/openvpn/keys/openvpn-server.crt
  6. key /mnt/openvpn/keys/openvpn-server.key
  7. dh /mnt/openvpn/keys/dh1024.pem
  8. server 10.8.0.0 255.255.255.0 #Purple network
  9. ifconfig-pool-persist ipp.txt
  10. push "route 10.0.0.0 255.255.255.0" #Yellow network
  11. route 10.0.0.14 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (10.0.0.14/24)
  12. to the Purple network side (10.8.0.1/24)
  13. #tls-auth /mnt/openvpn/keys/auth.key 0
  14. #crl-verify /mnt/openvpn/keys/crl.pem
  15. keepalive 10 120
  16. group nobody
  17. user nobody
  18. comp-lzo
  19. persist-key
  20. persist-tun
  21. verb 3
 
Last edited:

anakin827

Dabbler
Joined
Jun 18, 2015
Messages
16
Been following this thread for a while, and thanks to everyone for their input, since my VPN is working great!

Question I have is, has anyone also tried encapsulating IPv6 traffic through this VPN tunnel as well? If so, how did you do it?

Thanks.
 

nanopete

Dabbler
Joined
Nov 20, 2014
Messages
47
Hi, I just reinstalled FreeNAS 9.3 and wanted to set up OpenVPN in a jail following this post. I remember last time (also 9.3) I had a lot of trouble with epairX names and some other things.
I'm trying to read through what is in the thread here, but if some enlightened person would be so kind as to sum up the solutions that have been found since robles last edited the guide, I think that would help a lot of people.
Kind regards, Peter
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
If you think everything is set up correctly and it's still not working, my advice would be to reboot your FreeNAS box and try it again.

That's worked for me a couple of times when I was starting to tug on hair :D
 

nanopete

Dabbler
Joined
Nov 20, 2014
Messages
47
I'm on FreeNAS-9.3-STABLE-201506292130 and at least one thing will not let you go through the guide as described. OpenVPN seems to have switched to 2048 as the standard instead of 1024. Therefore, just before you run "source ./vars" as per the guide, you should edit the vars file and change the line export KEY_SIZE=2048 to export KEY_SIZE=1024 (the comment for the line doesn't seem to have been updated; it still says "Increase this to 2048 if you are paranoid". I guess they are paranoid by default now.)
It's still not working for me though; I can't connect. I'm trying to figure it out with my newbie skill set.
Has anyone had luck doing the guide or similar with a recent FreeNAS, with 1024 or 2048 key sizes?
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Hi, I just reinstalled FreeNAS 9.3 and wanted to set up OpenVPN in a jail following this post. I remember last time (also 9.3) I had a lot of trouble with epairX names and some other things.
I'm trying to read through what is in the thread here, but if some enlightened person would be so kind as to sum up the solutions that have been found since robles last edited the guide, I think that would help a lot of people.
Kind regards, Peter
I'll update the guide as soon as I catch up on the last 5 pages.
 
Last edited:

robles

Explorer
Joined
Jul 29, 2014
Messages
89
I presume this code goes in the file /usr/local/etc/ipfw.rules

Is there some reason that you haven't updated the tutorial to incorporate this script?
Yes it goes inside your ipfw.rules. I'm not sure if this is the most correct way to do it, as I just "patched" this through a script.
Nevertheless, after almost a year it seems to still be working, so it may be safe to include it in the guide.

I'll also update the screenshots for FreeNAS 9.3.
If somebody finds anything important to update, please do tell so I can change the tutorial accordingly.
 
Last edited:

Scareh

Contributor
Joined
Jul 31, 2012
Messages
182
After following the guide for the xx-th time, after pulling out about half my hair, I figured I'd come over here:

First, something to add to the guide: the "/mnt/openvpn/openvpn.conf" file needs to be adapted, more specifically this line:
Code:
dh /mnt/openvpn/keys/dh2048.pem

that is, instead of dh1024.pem.

Now my error:

Code:
root@openvpn:/ # openvpn --config /mnt/openvpn/openvpn.conf
Tue Jul 21 19:34:05 2015 us=894515 Current Parameter Settings:
Tue Jul 21 19:34:05 2015 us=894749   config = '/mnt/openvpn/openvpn.conf'
Tue Jul 21 19:34:05 2015 us=894756   mode = 1
Tue Jul 21 19:34:05 2015 us=894763   show_ciphers = DISABLED
Tue Jul 21 19:34:05 2015 us=894768   show_digests = DISABLED
Tue Jul 21 19:34:05 2015 us=894774   show_engines = DISABLED
Tue Jul 21 19:34:05 2015 us=894780   genkey = DISABLED
Tue Jul 21 19:34:05 2015 us=894786   key_pass_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894792   show_tls_ciphers = DISABLED
Tue Jul 21 19:34:05 2015 us=894798 Connection profiles [default]:
Tue Jul 21 19:34:05 2015 us=894804   proto = udp
Tue Jul 21 19:34:05 2015 us=894810   local = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894816   local_port = 10011
Tue Jul 21 19:34:05 2015 us=894822   remote = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894828   remote_port = 10011
Tue Jul 21 19:34:05 2015 us=894834   remote_float = DISABLED
Tue Jul 21 19:34:05 2015 us=894840   bind_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=894845   bind_local = ENABLED
Tue Jul 21 19:34:05 2015 us=894851   connect_retry_seconds = 5
Tue Jul 21 19:34:05 2015 us=894857   connect_timeout = 10
Tue Jul 21 19:34:05 2015 us=894863   connect_retry_max = 0
Tue Jul 21 19:34:05 2015 us=894869   socks_proxy_server = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894875   socks_proxy_port = 0
Tue Jul 21 19:34:05 2015 us=894881   socks_proxy_retry = DISABLED
Tue Jul 21 19:34:05 2015 us=894887   tun_mtu = 1500
Tue Jul 21 19:34:05 2015 us=894902   tun_mtu_defined = ENABLED
Tue Jul 21 19:34:05 2015 us=894909   link_mtu = 1500
Tue Jul 21 19:34:05 2015 us=894915   link_mtu_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=894921   tun_mtu_extra = 0
Tue Jul 21 19:34:05 2015 us=894927   tun_mtu_extra_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=894933   mtu_discover_type = -1
Tue Jul 21 19:34:05 2015 us=894939   fragment = 0
Tue Jul 21 19:34:05 2015 us=894945   mssfix = 1450
Tue Jul 21 19:34:05 2015 us=894951   explicit_exit_notification = 0
Tue Jul 21 19:34:05 2015 us=894957 Connection profiles END
Tue Jul 21 19:34:05 2015 us=894962   remote_random = DISABLED
Tue Jul 21 19:34:05 2015 us=894968   ipchange = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894974   dev = 'tun'
Tue Jul 21 19:34:05 2015 us=894980   dev_type = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894986   dev_node = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894992   lladdr = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=894998   topology = 1
Tue Jul 21 19:34:05 2015 us=895004   tun_ipv6 = DISABLED
Tue Jul 21 19:34:05 2015 us=895010   ifconfig_local = '10.8.0.1'
Tue Jul 21 19:34:05 2015 us=895016   ifconfig_remote_netmask = '10.8.0.2'
Tue Jul 21 19:34:05 2015 us=895040   ifconfig_noexec = DISABLED
Tue Jul 21 19:34:05 2015 us=895047   ifconfig_nowarn = DISABLED
Tue Jul 21 19:34:05 2015 us=895053   ifconfig_ipv6_local = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895059   ifconfig_ipv6_netbits = 0
Tue Jul 21 19:34:05 2015 us=895065   ifconfig_ipv6_remote = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895071   shaper = 0
Tue Jul 21 19:34:05 2015 us=895077   mtu_test = 0
Tue Jul 21 19:34:05 2015 us=895083   mlock = DISABLED
Tue Jul 21 19:34:05 2015 us=895089   keepalive_ping = 10
Tue Jul 21 19:34:05 2015 us=895095   keepalive_timeout = 120
Tue Jul 21 19:34:05 2015 us=895101   inactivity_timeout = 0
Tue Jul 21 19:34:05 2015 us=895114   ping_send_timeout = 10
Tue Jul 21 19:34:05 2015 us=895120   ping_rec_timeout = 240
Tue Jul 21 19:34:05 2015 us=895126   ping_rec_timeout_action = 2
Tue Jul 21 19:34:05 2015 us=895132   ping_timer_remote = DISABLED
Tue Jul 21 19:34:05 2015 us=895138   remap_sigusr1 = 0
Tue Jul 21 19:34:05 2015 us=895151   persist_tun = ENABLED
Tue Jul 21 19:34:05 2015 us=895158   persist_local_ip = DISABLED
Tue Jul 21 19:34:05 2015 us=895164   persist_remote_ip = DISABLED
Tue Jul 21 19:34:05 2015 us=895170   persist_key = ENABLED
Tue Jul 21 19:34:05 2015 us=895175   passtos = DISABLED
Tue Jul 21 19:34:05 2015 us=895181   resolve_retry_seconds = 1000000000
Tue Jul 21 19:34:05 2015 us=895188   username = 'nobody'
Tue Jul 21 19:34:05 2015 us=895193   groupname = 'nobody'
Tue Jul 21 19:34:05 2015 us=895199   chroot_dir = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895206   cd_dir = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895212   writepid = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895218   up_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895224   down_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895230   down_pre = DISABLED
Tue Jul 21 19:34:05 2015 us=895235   up_restart = DISABLED
Tue Jul 21 19:34:05 2015 us=895241   up_delay = DISABLED
Tue Jul 21 19:34:05 2015 us=895247   daemon = DISABLED
Tue Jul 21 19:34:05 2015 us=895253   inetd = 0
Tue Jul 21 19:34:05 2015 us=895259   log = DISABLED
Tue Jul 21 19:34:05 2015 us=895265   suppress_timestamps = DISABLED
Tue Jul 21 19:34:05 2015 us=895278   nice = 0
Tue Jul 21 19:34:05 2015 us=895285   verbosity = 10
Tue Jul 21 19:34:05 2015 us=895291   mute = 0
Tue Jul 21 19:34:05 2015 us=895297   gremlin = 0
Tue Jul 21 19:34:05 2015 us=895302   status_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895308   status_file_version = 1
Tue Jul 21 19:34:05 2015 us=895314   status_file_update_freq = 60
Tue Jul 21 19:34:05 2015 us=895320   occ = ENABLED
Tue Jul 21 19:34:05 2015 us=895326   rcvbuf = 65536
Tue Jul 21 19:34:05 2015 us=895332   sndbuf = 65536
Tue Jul 21 19:34:05 2015 us=895337   sockflags = 0
Tue Jul 21 19:34:05 2015 us=895343   fast_io = DISABLED
Tue Jul 21 19:34:05 2015 us=895349   lzo = 7
Tue Jul 21 19:34:05 2015 us=895355   route_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895361   route_default_gateway = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895367   route_default_metric = 0
Tue Jul 21 19:34:05 2015 us=895373   route_noexec = DISABLED
Tue Jul 21 19:34:05 2015 us=895378   route_delay = 0
Tue Jul 21 19:34:05 2015 us=895384   route_delay_window = 30
Tue Jul 21 19:34:05 2015 us=895390   route_delay_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=895404   route_nopull = DISABLED
Tue Jul 21 19:34:05 2015 us=895410   route_gateway_via_dhcp = DISABLED
Tue Jul 21 19:34:05 2015 us=895417   max_routes = 100
Tue Jul 21 19:34:05 2015 us=895423   allow_pull_fqdn = DISABLED
Tue Jul 21 19:34:05 2015 us=895429   route 192.168.0.180/255.255.255.0/10.8.0.1
Tue Jul 21 19:34:05 2015 us=895436   route 10.8.0.0/255.255.255.0/nil/nil
Tue Jul 21 19:34:05 2015 us=895442   management_addr = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895448   management_port = 0
Tue Jul 21 19:34:05 2015 us=895454   management_user_pass = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895460   management_log_history_cache = 250
Tue Jul 21 19:34:05 2015 us=895466   management_echo_buffer_size = 100
Tue Jul 21 19:34:05 2015 us=895472   management_write_peer_info_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895478   management_client_user = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895484   management_client_group = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895490   management_flags = 0
Tue Jul 21 19:34:05 2015 us=895496   shared_secret_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895501   key_direction = 0
Tue Jul 21 19:34:05 2015 us=895507   ciphername_defined = ENABLED
Tue Jul 21 19:34:05 2015 us=895513   ciphername = 'BF-CBC'
Tue Jul 21 19:34:05 2015 us=895526   authname_defined = ENABLED
Tue Jul 21 19:34:05 2015 us=895533   authname = 'SHA1'
Tue Jul 21 19:34:05 2015 us=895540   prng_hash = 'SHA1'
Tue Jul 21 19:34:05 2015 us=895546   prng_nonce_secret_len = 16
Tue Jul 21 19:34:05 2015 us=895551   keysize = 0
Tue Jul 21 19:34:05 2015 us=895557   engine = DISABLED
Tue Jul 21 19:34:05 2015 us=895563   replay = ENABLED
Tue Jul 21 19:34:05 2015 us=895569   mute_replay_warnings = DISABLED
Tue Jul 21 19:34:05 2015 us=895575   replay_window = 64
Tue Jul 21 19:34:05 2015 us=895581   replay_time = 15
Tue Jul 21 19:34:05 2015 us=895587   packet_id_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895593   use_iv = ENABLED
Tue Jul 21 19:34:05 2015 us=895599   test_crypto = DISABLED
Tue Jul 21 19:34:05 2015 us=895605   tls_server = ENABLED
Tue Jul 21 19:34:05 2015 us=895611   tls_client = DISABLED
Tue Jul 21 19:34:05 2015 us=895616   key_method = 2
Tue Jul 21 19:34:05 2015 us=895622   ca_file = '/mnt/openvpn/keys/ca.crt'
Tue Jul 21 19:34:05 2015 us=895628   ca_path = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895634   dh_file = '/mnt/openvpn/keys/dh2048.pem'
Tue Jul 21 19:34:05 2015 us=895640   cert_file = '/mnt/openvpn/keys/openvpn-server.crt'
Tue Jul 21 19:34:05 2015 us=895661   priv_key_file = '/mnt/openvpn/keys/openvpn-server.key'
Tue Jul 21 19:34:05 2015 us=895668   pkcs12_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895674   cipher_list = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895680   tls_verify = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895686   tls_export_cert = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895692   verify_x509_type = 0
Tue Jul 21 19:34:05 2015 us=895698   verify_x509_name = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895704   crl_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895709   ns_cert_type = 0
Tue Jul 21 19:34:05 2015 us=895715   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895721   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895727   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895733   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895738   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895744   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895750   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895756   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895761   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895774   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895782   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895787   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895793   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895799   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895805   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895811   remote_cert_ku = 0
Tue Jul 21 19:34:05 2015 us=895816   remote_cert_eku = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895822   ssl_flags = 0
Tue Jul 21 19:34:05 2015 us=895828   tls_timeout = 2
Tue Jul 21 19:34:05 2015 us=895834   renegotiate_bytes = 0
Tue Jul 21 19:34:05 2015 us=895840   renegotiate_packets = 0
Tue Jul 21 19:34:05 2015 us=895846   renegotiate_seconds = 3600
Tue Jul 21 19:34:05 2015 us=895852   handshake_window = 60
Tue Jul 21 19:34:05 2015 us=895858   transition_window = 3600
Tue Jul 21 19:34:05 2015 us=895863   single_session = DISABLED
Tue Jul 21 19:34:05 2015 us=895869   push_peer_info = DISABLED
Tue Jul 21 19:34:05 2015 us=895875   tls_exit = DISABLED
Tue Jul 21 19:34:05 2015 us=895881   tls_auth_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=895888   server_network = 10.8.0.0
Tue Jul 21 19:34:05 2015 us=895903   server_netmask = 255.255.255.0
Tue Jul 21 19:34:05 2015 us=895912   server_network_ipv6 = ::
Tue Jul 21 19:34:05 2015 us=895918   server_netbits_ipv6 = 0
Tue Jul 21 19:34:05 2015 us=895925   server_bridge_ip = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=895932   server_bridge_netmask = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=895939   server_bridge_pool_start = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=895945   server_bridge_pool_end = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=895951   push_entry = 'route 192.168.0.0 255.255.255.0'
Tue Jul 21 19:34:05 2015 us=895958   push_entry = 'route 10.8.0.1'
Tue Jul 21 19:34:05 2015 us=895963   push_entry = 'topology net30'
Tue Jul 21 19:34:05 2015 us=895969   push_entry = 'ping 10'
Tue Jul 21 19:34:05 2015 us=895975   push_entry = 'ping-restart 120'
Tue Jul 21 19:34:05 2015 us=895981   ifconfig_pool_defined = ENABLED
Tue Jul 21 19:34:05 2015 us=895988   ifconfig_pool_start = 10.8.0.4
Tue Jul 21 19:34:05 2015 us=895995   ifconfig_pool_end = 10.8.0.251
Tue Jul 21 19:34:05 2015 us=896002   ifconfig_pool_netmask = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=896008   ifconfig_pool_persist_filename = 'ipp.txt'
Tue Jul 21 19:34:05 2015 us=896014   ifconfig_pool_persist_refresh_freq = 600
Tue Jul 21 19:34:05 2015 us=896027   ifconfig_ipv6_pool_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=896034   ifconfig_ipv6_pool_base = ::
Tue Jul 21 19:34:05 2015 us=896040   ifconfig_ipv6_pool_netbits = 0
Tue Jul 21 19:34:05 2015 us=896046   n_bcast_buf = 256
Tue Jul 21 19:34:05 2015 us=896052   tcp_queue_limit = 64
Tue Jul 21 19:34:05 2015 us=896058   real_hash_size = 256
Tue Jul 21 19:34:05 2015 us=896064   virtual_hash_size = 256
Tue Jul 21 19:34:05 2015 us=896070   client_connect_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896076   learn_address_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896082   client_disconnect_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896088   client_config_dir = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896094   ccd_exclusive = DISABLED
Tue Jul 21 19:34:05 2015 us=896100   tmp_dir = '/tmp'
Tue Jul 21 19:34:05 2015 us=896111   push_ifconfig_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=896119   push_ifconfig_local = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=896126   push_ifconfig_remote_netmask = 0.0.0.0
Tue Jul 21 19:34:05 2015 us=896132   push_ifconfig_ipv6_defined = DISABLED
Tue Jul 21 19:34:05 2015 us=896139   push_ifconfig_ipv6_local = ::/0
Tue Jul 21 19:34:05 2015 us=896160   push_ifconfig_ipv6_remote = ::
Tue Jul 21 19:34:05 2015 us=896167   enable_c2c = DISABLED
Tue Jul 21 19:34:05 2015 us=896173   duplicate_cn = DISABLED
Tue Jul 21 19:34:05 2015 us=896179   cf_max = 0
Tue Jul 21 19:34:05 2015 us=896185   cf_per = 0
Tue Jul 21 19:34:05 2015 us=896191   max_clients = 1024
Tue Jul 21 19:34:05 2015 us=896197   max_routes_per_client = 256
Tue Jul 21 19:34:05 2015 us=896203   auth_user_pass_verify_script = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896209   auth_user_pass_verify_script_via_file = DISABLED
Tue Jul 21 19:34:05 2015 us=896215   port_share_host = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896221   port_share_port = 0
Tue Jul 21 19:34:05 2015 us=896227   client = DISABLED
Tue Jul 21 19:34:05 2015 us=896233   pull = DISABLED
Tue Jul 21 19:34:05 2015 us=896239   auth_user_pass_file = '[UNDEF]'
Tue Jul 21 19:34:05 2015 us=896249 OpenVPN 2.3.7 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul  9 2015
Tue Jul 21 19:34:05 2015 us=896259 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Tue Jul 21 19:34:05 2015 us=909446 Diffie-Hellman initialized with 2048 bit key
Tue Jul 21 19:34:05 2015 us=909806 PRNG init md=SHA1 size=36
Tue Jul 21 19:34:05 2015 us=909824 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Tue Jul 21 19:34:05 2015 us=909833 MTU DYNAMIC mtu=0, flags=1, 0 -> 138
Tue Jul 21 19:34:05 2015 us=909841 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0ET:0 EL:3 ]
Tue Jul 21 19:34:05 2015 us=909848 MTU DYNAMIC mtu=1450, flags=2, 1542 -> 1450
Tue Jul 21 19:34:05 2015 us=909864 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue Jul 21 19:34:05 2015 us=909907 ROUTE_GATEWAY 192.168.0.1
Tue Jul 21 19:34:05 2015 us=909964 TUN/TAP device /dev/tun0 opened
Tue Jul 21 19:34:05 2015 us=909977 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv 6_setup=0
Tue Jul 21 19:34:05 2015 us=909995 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Tue Jul 21 19:34:05 2015 us=911374 /sbin/route add -net 192.168.0.180 10.8.0.1 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.0.180: gateway 10.8.0.1 fib 0: route already in table
Tue Jul 21 19:34:05 2015 us=912276 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Tue Jul 21 19:34:05 2015 us=912312 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Tue Jul 21 19:34:05 2015 us=913149 Data Channel MTU parms [ L:1542 D:1450 EF:42EB:143 ET:0 EL:3 AF:3/1 ]
Tue Jul 21 19:34:05 2015 us=913736 GID set to nobody
Tue Jul 21 19:34:05 2015 us=913751 UID set to nobody
Tue Jul 21 19:34:05 2015 us=913761 UDPv4 link local (bound): [undef]
Tue Jul 21 19:34:05 2015 us=913767 UDPv4 link remote: [undef]
Tue Jul 21 19:34:05 2015 us=913779 MULTI: multi_init called, r=256 v=256
Tue Jul 21 19:34:05 2015 us=913810 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Jul 21 19:34:05 2015 us=913822 IFCONFIG POOL LIST
Tue Jul 21 19:34:05 2015 us=913834 PO_INIT maxevents=4 flags=0x00000002
Tue Jul 21 19:34:05 2015 us=913850 Initialization Sequence Completed
Tue Jul 21 19:34:05 2015 us=913856 SCHEDULE: schedule_find_least NULL
Tue Jul 21 19:34:05 2015 us=913864 PO_CTL rwflags=0x0001 ev=5 arg=0x00692618
Tue Jul 21 19:34:05 2015 us=913870 PO_CTL rwflags=0x0001 ev=6 arg=0x00691468
Tue Jul 21 19:34:05 2015 us=913880 I/O WAIT TR|Tw|SR|Sw [10/0]
^CTue Jul 21 19:34:08 2015 us=395590  event_wait returned -1
Tue Jul 21 19:34:08 2015 us=395632 event_wait : Interrupted system call (code=4)
Tue Jul 21 19:34:08 2015 us=395642 I/O WAIT status=0x0010
Tue Jul 21 19:34:08 2015 us=395697 MULTI: REAP range 0 -> 256
Tue Jul 21 19:34:08 2015 us=395829 TCP/UDP: Closing socket
Tue Jul 21 19:34:08 2015 us=395869 /sbin/route delete -net 10.8.0.0 10.8.0.2 255.255.255.0
route: must be root to alter routing table
Tue Jul 21 19:34:08 2015 us=396949 ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Tue Jul 21 19:34:08 2015 us=396975 Closing TUN/TAP interface
Tue Jul 21 19:34:08 2015 us=397009 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
Tue Jul 21 19:34:08 2015 us=398277 FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Tue Jul 21 19:34:08 2015 us=398312 PID packet_id_free
Tue Jul 21 19:34:08 2015 us=398333 SIGINT[hard,] received, process exiting



Some additional info:

192.168.0.180 is the jail's ip
10.8.0.0 is the other side of the jail's entrance



So in short, I don't manage to start the OpenVPN service.
Some extra info:

ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair5b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:65:2a:00:13:0b
        inet 192.168.0.180 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        nd6 options=9<PERFORMNUD,IFDISABLED>



ipfw list:

Code:
root@openvpn:/ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair5b
00200 nat 1 ip from any to any in via epair5b
65535 allow ip from any to any


openvpn.conf
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" #Yellow network
route 192.168.0.180 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 10






So any questions or hints are more than welcome. I know robles doesn't particularly read this anymore, but I'm hoping that anyone else who got it working can point out my mistake.
ATM it doesn't even matter much that the IP addresses aren't exactly right; I just don't even get to start the service.
Thanks already.
 
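Added example, not from the thread: a small triage script for a verb 10 server log like the one posted above. It separates errors logged while OpenVPN is still running as root (the route add that failed with "File exists" / "route already in table", which happens before the daemon drops privileges and is the one worth investigating) from errors logged after "UID set to nobody" (the route delete and tun destroy at shutdown, which cannot succeed once the process runs as nobody and which OpenVPN itself marks as non-critical). It assumes OpenVPN's default "Day Mon DD HH:MM:SS YYYY us=NNN" line prefix; the sample lines are copied from the log in this post, and the function names are mine.

```sh
#!/bin/sh
# OpenVPN log triage (added example, not from the thread).
# Reads a verb 10 log on stdin and reports each ERROR with the phase it was
# logged in: "startup" (still root) or "after-privdrop" (after UID set to nobody).

# triage_openvpn_log   (stdin -> one finding per line, then a summary)
triage_openvpn_log() {
    awk '
    # strip the "Tue Jul 21 19:34:05 2015 us=912276 " prefix for readability
    function msg(line) {
        sub(/^[A-Za-z]+ [A-Za-z]+ +[0-9]+ [0-9:]+ [0-9]+ us=[0-9]+ +/, "", line)
        return line
    }
    /UID set to nobody/                 { dropped = 1 }
    /Initialization Sequence Completed/ { started = 1 }
    /\/sbin\/(route|ifconfig) /         { lastcmd = msg($0) }  # command preceding an error
    /ERROR:|failed \(non-critical\)/ {
        phase = dropped ? "after-privdrop" : "startup"
        printf "error[%s]: %s\n", phase, msg($0)
        if (lastcmd != "") printf "  command: %s\n", lastcmd
        if (!dropped) real++
    }
    END {
        printf "startup: %s\n", started ? "Initialization Sequence Completed" : "did NOT complete"
        printf "startup-phase errors: %d\n", real
    }'
}

# startup_error_count   (stdin -> number of errors logged before the privilege drop)
startup_error_count() {
    triage_openvpn_log | sed -n 's/^startup-phase errors: //p'
}

# Constructed sample: the relevant lines of the log posted in this thread.
sample_log() {
    cat <<'EOF'
Tue Jul 21 19:34:05 2015 us=911374 /sbin/route add -net 192.168.0.180 10.8.0.1 255.255.255.0
route: writing to routing socket: File exists
Tue Jul 21 19:34:05 2015 us=912276 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Tue Jul 21 19:34:05 2015 us=913751 UID set to nobody
Tue Jul 21 19:34:05 2015 us=913850 Initialization Sequence Completed
Tue Jul 21 19:34:08 2015 us=395869 /sbin/route delete -net 10.8.0.0 10.8.0.2 255.255.255.0
Tue Jul 21 19:34:08 2015 us=396949 ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Tue Jul 21 19:34:08 2015 us=397009 /sbin/ifconfig tun0 destroy
Tue Jul 21 19:34:08 2015 us=398277 FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
EOF
}

# `sh triage.sh demo` runs the sample; a real log can be fed with
#   openvpn --config /mnt/openvpn/openvpn.conf 2>&1 | sh triage.sh run
case "${1:-}" in
    demo) sample_log | triage_openvpn_log ;;
    run)  triage_openvpn_log ;;
esac
```

On the sample the only startup-phase error is the route add, so that is the line to chase; the two after-privdrop errors are expected cleanup failures once the daemon runs as nobody.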

navleen

Cadet
Joined
Jul 21, 2015
Messages
2
I have given up. I am running FreeNAS 9.3. I have gone through this tutorial I don't know how many times. I always get the same error, which is:
Code:
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


I know someone asked this question and no one answered it. So can someone please help me? I would be sooooooooo happy. Thanks
 