How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


tstorm (Explorer, joined Jan 5, 2015, 69 messages)
I did try a reboot and it didn't change the fact my epair changed. It works now after I updated the change of my epair in the ipfw.rules file. Just curious as to why it may have changed. No offense, as it says "newbie" under your name, you probably don't have the answer.

intelligence (Explorer, joined Jun 2, 2015, 62 messages)
Trying to troubleshoot why I suddenly cannot ssh tunnel to my FreeNAS box anymore. I tried to set this up yesterday, but wasn't able to actually connect with my Tunnelblick client. I was ssh'd in while setting it up, obviously. But then I shut down the tunnel and now I cannot get access anymore. I simply get an "Operation timed out". It's remote, so I cannot actually access it without the ssh tunnel. I might be able to get someone to reset it physically later today, but I'm just worried that my misconfig might have locked me out of ssh all in all.

Still get notifications via mail about cronjobs running, so it's alive..

(joined Dec 22, 2015, 1 message)
Superb. The security concerns are clearly addressed, and it works great. I use it on a non-rooted android device. Port mapping with authentication is a nice touch, as port 443 is non-default, and unlikely to be blocked by a corporate firewall.

Joe Fenton (Dabbler, joined May 5, 2015, 40 messages)
Hi Joe,

If you receive "65535 allow ip from any to any" just double check that your /etc/rc.conf is pointing to ipfw.rules and of course you have the ipfw.rules file already in place. Fix this and come back if something else is still broken.

Also try to quote your logs as CODE for more readable format. Thanks.

Hi,

This is the /etc/rc.conf in the OpenVPN jail, right? Mine looks like this:

Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


But I still have the same problem.

(joined Dec 13, 2015, 15 messages)
Hi all, like many here I'm having trouble getting this working despite following the instructions to a T. I've tried, failed, and started from scratch a few times now (including reinstalling freenas) with no luck. Here is all of my related info as of right now:

/mnt/openvpn/openvpn.conf:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0" #Yellow network
route 192.168.1.2 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (10.0.0.0/24)
                                      #to the Purple network side (10.8.0.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 5


work-vpn.ovpn:
Code:
client
dev tun
proto udp
remote <mydns>.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kkc.crt
key kkc.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3


/usr/local/etc/ipfw.rules:
Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


/etc/rc.conf:
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


sockstat -4 -l:
Code:
[root@OpenVPN /mnt/openvpn]# sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
nobody   openvpn    4765  6  udp4   *:10011               *:*
root     syslogd    4733  7  udp4   *:514                 *:*


ipfw list:
Code:
[root@OpenVPN /mnt/openvpn]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


ps aux:
Code:
[root@OpenVPN /mnt/openvpn]# ps aux
USER    PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
root   4733  0.0  0.0 12080 1868 ??  SsJ   1:10AM 0:00.00 /usr/sbin/syslogd -s
nobody 4765  0.0  0.0 18296 4192 ??  SsJ   1:10AM 0:00.01 /usr/local/sbin/openvpn --cd /mnt/openvpn --daemon openvpn
root   4796  0.0  0.0 14184 1860 ??  SsJ   1:10AM 0:00.00 /usr/sbin/cron -s
root   6045  0.0  0.0 17512 3220  0  SJ    1:21AM 0:00.01 bash
root   7081  0.0  0.0 16296 1808  0  R+J   1:54AM 0:00.00 ps aux


ifconfig:
Code:
[root@OpenVPN /mnt/openvpn]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:91:3f:00:09:0b
    inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=9<PERFORMNUD,IFDISABLED>
    Opened by PID 4765


Some additional info/questions:
- I have my DDNS URL pointing at my public IP address
- My jail address, as listed in the GUI and used in the openvpn.conf file, is 192.168.1.2
- I don't remember using my address for my freenas server anywhere (only used my public IP for the ddns and my jail ip), should I have used it somewhere?
- When creating the jail, I didn't change any advanced options since it didn't say to, and left the VIMAGE option checked as a result. Could this be a problem? What effect would it have?
- During this whole process I've never gone to my router's URL and changed any settings/setup any port forwarding since the instructions never said to. Is there anything I need to do on my router or any settings I should make sure are enabled (like static NAT, or something else?)
- I noticed from the "ps aux" command that the "--config /mnt/openvpn/openvpn.conf" option was missing, even though it should have been specified. How can I force this option/try this as a fix?

So far whenever I try to connect to the server on my phone, OpenVPN finds the server name, tries to ping the server for a minute, then times out. I have tried rebooting and restarting the jail multiple times with no effect. If there is anything else I can try or can do to make it easier to understand the issue, please let me know.
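A check worth running on the two configs in the post above before the server is reached from the internet through a port-forward or a DMZ entry. What follows is an added example, not part of this thread or of the tutorial: a POSIX sh lint that parses an OpenVPN config, skips commented lines, and reports the settings a reviewer would flag, namely no tls-auth or tls-crypt, no crl-verify on a server, comp-lzo, the deprecated ns-cert-type, and a route whose "network" has host bits set (as in `route 192.168.1.2 255.255.255.0 10.8.0.1` above, where the jail IP was typed where a network address belongs). The two sample files written by write_samples are constructed, trimmed copies of the posted server and client configs with the DNS name replaced; the function names and the wording of the findings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN config for the
# settings a reviewer would flag before exposing the port to the internet.
# Function names, sample files and finding texts are assumptions of this example.
set -u

# ip2int A.B.C.D -> the address as a decimal integer
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# host_bits_set NET MASK -> true when NET has bits outside MASK,
# e.g. 192.168.1.2 / 255.255.255.0 (a host typed where a network was meant)
host_bits_set() {
    hn=$(ip2int "$1"); hm=$(ip2int "$2")
    [ $(( hn & hm )) -ne "$hn" ]
}

# directive_active FILE NAME -> true if NAME appears uncommented at line start
directive_active() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|$)" "$1"
}

# lint_openvpn_conf FILE -> one finding per line on stdout
lint_openvpn_conf() {
    f=$1
    if ! directive_active "$f" tls-auth && ! directive_active "$f" tls-crypt; then
        echo "no tls-auth/tls-crypt: any host that can reach the port gets a TLS handshake; enable it on both ends"
    fi
    if directive_active "$f" server && ! directive_active "$f" crl-verify; then
        echo "server without crl-verify: a lost client key cannot be revoked"
    fi
    if directive_active "$f" comp-lzo; then
        echo "comp-lzo: compressing secrets next to attacker-chosen data leaks them; remove it on both ends"
    fi
    if directive_active "$f" ns-cert-type; then
        echo "ns-cert-type is deprecated and needs the nsCertType extension; prefer 'remote-cert-tls server'"
    fi
    # route / push "route": strip comments and the push wrapper, then check
    # that the network part really is a network address
    sed -E 's/#.*//; s/^[[:space:]]*push[[:space:]]+"//; s/"//g' "$f" \
      | grep -E '^[[:space:]]*route[[:space:]]' \
      | while read -r _kw net mask _rest; do
            if host_bits_set "$net" "$mask"; then
                echo "route $net $mask: host bits set, did you mean the network address?"
            fi
        done
}

# lint_count FILE -> number of findings
lint_count() {
    lint_openvpn_conf "$1" | grep -c . || true
}

# write_samples DIR -> constructed, trimmed copies of the server and client
# configs posted in this thread (DNS name replaced), used as lint input
write_samples() {
    mkdir -p "$1"
    cat > "$1/openvpn.conf" <<'EOF'
port 10011
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
route 192.168.1.2 255.255.255.0 10.8.0.1   # jail IP typed where 192.168.1.0 was meant
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
user nobody
group nobody
comp-lzo
EOF
    cat > "$1/work-vpn.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.org 443
nobind
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
EOF
}

# Usage: sh lint-ovpn.sh /mnt/openvpn/openvpn.conf   (no argument: lint the samples)
if [ $# -gt 0 ]; then
    lint_openvpn_conf "$1"
else
    d=$(mktemp -d); write_samples "$d"
    for c in "$d/openvpn.conf" "$d/work-vpn.ovpn"; do
        echo "== $c ($(lint_count "$c") findings)"; lint_openvpn_conf "$c"
    done
    rm -rf "$d"
fi
```

Run it inside the jail against /mnt/openvpn/openvpn.conf and against the .ovpn you hand to clients; on the posted configs it reports four findings for the server and three for the client. The tls-auth finding matters most once the port is forwarded or the jail is a DMZ host: with the HMAC key in place the server drops packets from anyone who does not hold it before doing any TLS work.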

(joined Dec 13, 2015, 15 messages)
To follow up on my own post, I did some more work adjusting my files, specifically according to posts made by @JJT211 and @Krowvin on pages 8 and 9, and was able to connect locally, isolating the problem to the port forwarding.

My server's internet map goes Verizon Modem -> TP-Link Switch (not router) -> server, and I tried setting up port forwarding on my verizon modem as both UDP 443 -> 10011 and 443 -> 443 (making the necessary config adjustments) but neither worked. I was able to resolve this by ditching the port forwarding and placing my jail's local IP in the DMZ host field. Now I can access everything remotely, however I'm not sure if this was the right thing to do; does using the DMZ Host and assigning my jails IP create a gaping security hole in my network?

Dainis Berzins (Dabbler, joined Aug 29, 2014, 29 messages)
Just to add my 2 cents worth, after days of experimenting...
I followed the excellent tutorial by @robles. (Thank you!) Upon completion, I found that my Windows PC could connect to the VPN, but could not ping the VPN server (10.8.0.1) or any of the devices on my LAN even though I was pushing the correct route to the client.

What finally solved the problem for me was rebooting the FreeNAS server, something I was really sceptical of. I had rebooted the jail and the laptop many times, but never the FreeNAS server. As soon as I rebooted that, my pings went through exactly as they should!

The other thing I added, that may or may not be needed for those trying to access their full LAN that resides behind the OpenVPN jail, was a static route on my router (which is also my gateway to the internet), pointing all traffic for my VPN subnet (10.8.0.0, subnet mask 255.255.255.0) to my OpenVPN jail.

@robles, can I suggest that you add the reboot of the FreeNAS server to the bottom of your tutorial?

Joe Fenton (Dabbler, joined May 5, 2015, 40 messages)
Any ideas about the firewall issue above, I'm sure it's my last hurdle? I'm still nowhere with this after intermittently trying to get it working for months over SSH while travelling abroad. Would really like to get the VPN working so I can use Bittorrent Sync, as I can't get that working through SSH tunneling for some reason

Chakalov (Explorer, joined Feb 9, 2015, 53 messages)
Hi Joe,

May we have your /usr/local/etc/ipfw.rules please?

Joe Fenton (Dabbler, joined May 5, 2015, 40 messages)
They are posted on the previous page; at the time I didn't realise I should put them in a code block.

DearestDreamer (Dabbler, joined Nov 28, 2015, 42 messages)
So I looked into this but I couldn't find an answer anywhere. I followed this tutorial and here's the error I'm getting:

Wed Jan 13 21:05:31 2016 OpenVPN 2.3.10 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jan 13 2016
Wed Jan 13 21:05:31 2016 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Wed Jan 13 21:05:31 2016 Diffie-Hellman initialized with 2048 bit key
Wed Jan 13 21:05:31 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
Wed Jan 13 21:05:31 2016 ROUTE_GATEWAY 192.168.1.1
Wed Jan 13 21:05:31 2016 TUN/TAP device /dev/tun4 opened
Wed Jan 13 21:05:31 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Jan 13 21:05:31 2016 /sbin/ifconfig tun4 192.168.2.1 192.168.2.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun4 does not exist
Wed Jan 13 21:05:31 2016 FreeBSD ifconfig failed: external program exited with error status: 1
Wed Jan 13 21:05:31 2016 Exiting due to fatal error

-------------------------------- ifconfig
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:1b:ed:F0:0A:0b
inet 192.168.1.50 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=9<PERFORMNUD,IFDISABLED>

-------------------------------- /etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

-------------------------------- /mnt/openvpn/openvpn.conf
port 10011
proto udp
dev tun

ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem

server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.50 255.255.255.0 192.168.2.1 # .50 is the jail's IP in my home network and .2.1 should be the virtual gateway IP once the VPN is set up

ifconfig-pool-persist ipp.txt
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem

keepalive 10 120
group vpn # I created the user and group and gave them the correct rights
user vpn
comp-lzo
persist-key
persist-tun
verb 3
log /var/log/openvpnsrv

-------------------------------- /usr/local/etc/ipfw.rules
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 192.168.2.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

------------------------EDIT:

Ha, I just figured it out.. basically changing:
ifconfig ${TUN} name tun0
to:
ifconfig ${TUN} name tun4

Solved the issue entirely. Why is that though? Maybe this should be specified in the guide? Seems like a very troublesome issue.

Chakalov (Explorer, joined Feb 9, 2015, 53 messages)
Joe, I see you've set your epair manually. I suppose you are doing this on purpose, but the script should be setting this for you flawlessly. Have you tried it?

Also have you tried rebooting the whole NAS box?

robles (Explorer, joined Jul 29, 2014, 89 messages)
Ha, I just figured it out.. basically changing:
ifconfig ${TUN} name tun0
to:
ifconfig ${TUN} name tun4

Solved the issue entirely. Why is that though? Maybe this should be specified in the guide? Seems like a very troublesome issue.
This is going to be a temporary solution, as your tun devices change as the warden starts and stops jails, also after rebooting they may change depending on your jail id. The script is supposed to scan your available tun interfaces and create the NAT automatically.
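The fragility robles describes lives in the two grep lines of the posted ipfw.rules: `grep epair` and `grep tun` can return nothing, or several names, and because every ipfw command runs with -q the NAT then silently fails to configure, leaving only `65535 allow ip from any to any` in `ipfw list`, the same symptom seen earlier in the thread. The script below is an added example, not the tutorial's: a POSIX sh version that picks exactly one interface or fails loudly, prints the ipfw commands for review before applying them, and drops the tun rename. Renaming an interface does not rename its /dev/tunN node, and OpenVPN runs `ifconfig` on the name of the node it opened, which is consistent with the "interface tun4 does not exist" failure above. The interface lists in the test calls are constructed; VPN_NET and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the tutorial's ipfw.rules): select the jail's epair and
# tun interfaces strictly, show the ipfw NAT commands, and only then apply them.
# VPN_NET, the function names and the sample lists are this example's assumptions.
set -u

# pick_iface "IFLIST" PREFIX -> prints the single interface in IFLIST (the
# output of `ifconfig -l`) whose name starts with PREFIX; fails on 0 or >1
pick_iface() {
    matches=$(printf '%s\n' $1 | grep "^$2" || true)        # $1 is split on purpose
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    case $count in
        1) echo "$matches" ;;
        0) echo "pick_iface: no interface starting with '$2'" >&2; return 1 ;;
        *) echo "pick_iface: $count interfaces start with '$2': $(echo $matches)" >&2; return 1 ;;
    esac
}

# nat_rules EPAIR VPNNET -> the ipfw commands, without -q so errors are visible
nat_rules() {
    cat <<EOF
ipfw -f flush
ipfw nat 1 config if $1
ipfw add nat 1 all from $2 to any out via $1
ipfw add nat 1 all from any to any in via $1
EOF
}

# apply_rules: discover interfaces on the live system, then run the rules.
# The tun device is reported but not renamed: OpenVPN opens /dev/tunN and then
# runs `ifconfig tunN`, so the interface must keep the name of its device node.
apply_rules() {
    iflist=$(/sbin/ifconfig -l)
    epair=$(pick_iface "$iflist" epair) || return 1
    tun=$(pick_iface "$iflist" tun) || return 1
    echo "NAT on $epair for ${VPN_NET:-10.8.0.0/24}; OpenVPN tunnel is $tun" >&2
    nat_rules "$epair" "${VPN_NET:-10.8.0.0/24}" | sh -e
}

# rc(8) calls firewall_script with no arguments: apply.
# `sh ipfw.rules --dry-run` only prints the commands that would run.
if [ "${1:-}" = --dry-run ]; then
    iflist=$(/sbin/ifconfig -l)
    nat_rules "$(pick_iface "$iflist" epair)" "${VPN_NET:-10.8.0.0/24}"
elif [ "$(uname -s)" = FreeBSD ]; then
    apply_rules
fi
```

After a jail restart, `sh /usr/local/etc/ipfw.rules --dry-run` shows which epair the rules will bind to, and `ipfw list` afterwards should show the two nat rules above 65535; if it shows only 65535, the error printed by the un-silenced ipfw tells you why.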

DearestDreamer (Dabbler, joined Nov 28, 2015, 42 messages)
This is going to be a temporary solution, as your tun devices change as the warden starts and stops jails, also after rebooting they may change depending on your jail id. The script is supposed to scan your available tun interfaces and create the NAT automatically.

I see, well there seems to be something fishy going on, although it might just be my complex setup here. I have 4 jails with different VPN clients connected and each of them takes up one of the tun0-3 devices. Now with the OpenVPN server in the last jail, it tries to establish a connection on tun4. You're right however: if I restart one of the previous jails, the openvpn client in it will try to establish a connection on tun5 this time and for some reason it doesn't work. The logs just say (same as the error I wrote about in my previous post):

ifconfig interface tun5 does not exist

And this error occurs on every client that I reboot/restart openvpn on. I tried rebooting the whole FreeNAS but it still doesn't solve this issue. I only started experiencing this issue when I started building my openvpn server according to this tutorial, really odd.


I have another question about the routing and that is I followed the tutorial precisely and I can successfully connect to my openvpn server from the outside and the client receives an IP in the purple network which for me is 192.168.2.0/24. However I can't ping anyone in it or in the yellow LAN. I can't even ping 192.168.2.1 which is supposed to be my openvpn server and the openvpn server also can't ping the new client at 192.168.2.6. What could be going wrong here?

Chakalov (Explorer, joined Feb 9, 2015, 53 messages)
This surely sounds odd but many of us have solved this problem by rebooting the whole NAS box, not only the Jail itself.

(joined Feb 22, 2015, 2 messages)
Thanks for the tutorial and all the info guys, but I'm trying to get my own set up going, and the first thing I'm getting is when I try the source ./vars command, I get:

Code:
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.


Has there been an update to easy-rsa that borks things?


Thanks!

moo083 (Dabbler, joined Nov 9, 2015, 28 messages)
Thanks for the tutorial and all the info guys, but I'm trying to get my own set up going, and the first thing I'm getting is when I try the source ./vars command, I get:

Code:
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.


Has there been an update to easy-rsa that borks things?


Thanks!
I got the same thing. Working through it. I'll let you know if I figure it out.

Also, here is the output when I installed:

Code:
[OpenVPN] [3/3] Installing openvpn-2.3.10...
[OpenVPN] [3/3] Extracting openvpn-2.3.10: 100%
Message from openvpn-2.3.10:
### ------------------------------------------------------------------------
### Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
### startup. See /usr/local/etc/rc.d/openvpn for details.
### ------------------------------------------------------------------------
### Connect to VPN server as a client with this command to include
### the client.up/down scripts in the initialization:
### openvpn-client <spec>.ovpn
### ------------------------------------------------------------------------
### For compatibility notes when interoperating with older OpenVPN
### versions, please, see <http://openvpn.net/relnotes.html>
### ------------------------------------------------------------------------

Pseudolife (Dabbler, joined Jan 7, 2016, 25 messages)
Thanks for the tutorial and all the info guys, but I'm trying to get my own set up going, and the first thing I'm getting is when I try the source ./vars command, I get:

Code:
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.


Has there been an update to easy-rsa that borks things?
I'm having that same issue too.
I can't "./build-ca" either.

I don't recall having this issue last weekend when I took my first stab at getting OpenVPN going.

Pekka Piippo (Cadet, joined Jan 18, 2016, 4 messages)
I'm having that same issue too.
I can't "./build-ca" either.

I don't recall having this issue last weekend when I took my first stab at getting OpenVPN going.

It seems the easy-rsa package has been updated to 3.0.1 and the functionality has changed. There are no separate binaries like ./build-ca; instead there's only ./easyrsa, which takes a subcommand as an argument, like so: ./easyrsa build-ca. Run ./easyrsa without arguments to see what functions are available.

With the new easy-rsa package, generating certificates is somewhat different. You also need the openssl pkg and need to copy /usr/local/openssl/openssl.cnf.sample to /usr/local/share/easy-rsa/openssl-1.0.cnf, among other things (and edit paths and filenames in it).

I'll continue OpenVPN jail setup tomorrow, not sure if things work yet.
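Pekka's summary of the Easy-RSA 3 change is accurate: the build-* scripts became subcommands of ./easyrsa (init-pki, build-ca, build-server-full, build-client-full, gen-dh). One consequence for this thread: Easy-RSA 3 does not add the Netscape nsCertType extension to server certificates by default (its vars file has an EASYRSA_NS_SUPPORT switch for it), so a client configured with `ns-cert-type server`, as in the .ovpn posted earlier, will reject a freshly built server certificate. The script below is an added example, not Easy-RSA's code or the tutorial's: it builds the same three-piece PKI (CA, server, client) with plain openssl and writes the extensions out explicitly, putting both nsCertType=server (what ns-cert-type checks) and extendedKeyUsage=serverAuth (what the recommended `remote-cert-tls server` checks) on the server certificate so either client setting works. The subject names and the kkc client name follow the thread; the file layout, function names and validity periods are this example's assumptions. dh2048.pem is left to `openssl dhparam -out dh2048.pem 2048`, which takes minutes and is not needed to demonstrate the certificates.

```shell
#!/bin/sh
# Added example (not Easy-RSA's or the tutorial's code): build the OpenVPN
# CA, server and client certificates with plain openssl, with the extensions
# written out so it is clear what each client-side check looks at.
# Paths and names beyond those used in the thread are assumptions.
set -eu

# issue_leaf NAME EXTFILE (run inside the PKI dir): NAME.key + NAME.crt signed by the CA
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 825 -extfile "$2" -out "$1.crt" 2>/dev/null
    rm -f "$1.csr"
}

# make_pki DIR -> ca.crt, openvpn-server.{crt,key}, kkc.{crt,key} and, when the
# openvpn binary is present, auth.key for tls-auth
make_pki() {
    mkdir -p "$1"
    (
        cd "$1"
        # CA: the only key that may sign; move ca.key off the NAS once done
        cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=OpenVPN-CA" \
            -keyout ca.key -out ca.csr 2>/dev/null
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
            -extfile ca.ext -out ca.crt 2>/dev/null
        rm -f ca.csr

        # Server: serverAuth is what `remote-cert-tls server` checks;
        # nsCertType=server is what the legacy `ns-cert-type server` checks.
        cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
        issue_leaf openvpn-server server.ext

        # Client: clientAuth only, so a leaked client cert cannot pose as the server
        cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
        issue_leaf kkc client.ext

        # tls-auth key (OpenVPN 2.3 syntax): the HMAC that lets the server drop
        # packets from strangers before any TLS work is done
        if command -v openvpn >/dev/null 2>&1; then
            openvpn --genkey --secret auth.key
        fi
        chmod 600 ./*.key
    )
}

# cert_has DIR NAME TEXT -> true if NAME.crt chains to DIR/ca.crt and its decoded
# extensions mention TEXT, e.g. "TLS Web Server Authentication" or "SSL Server"
cert_has() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "$3"
}

# Usage: sh make-pki.sh /mnt/openvpn/keys
if [ $# -gt 0 ]; then
    make_pki "$1"
    cert_has "$1" openvpn-server "TLS Web Server Authentication" && echo "server cert OK"
    cert_has "$1" kkc "TLS Web Client Authentication" && echo "client cert OK"
fi
```

The server config then points ca, cert and key at ca.crt, openvpn-server.crt and openvpn-server.key, the client gets ca.crt, kkc.crt and kkc.key, and auth.key goes to both sides with the tls-auth lines uncommented. Whichever tool built the certificates, `openssl x509 -in openvpn-server.crt -noout -text` is the quick way to confirm which of the two server extensions is actually present before choosing between ns-cert-type and remote-cert-tls on the client.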