How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

Tyson Howard

Cadet
Joined
Nov 10, 2014
Messages
6
Any updates on how to get it working now? I'm new to the Linux-type environment, so forgive me for asking, but is there a way to install the older version of easyrsa so I can perform this walkthrough?
 

Pekka Piippo

Cadet
Joined
Jan 18, 2016
Messages
4
I don't know FreeBSD pkg management, so I don't know how to downgrade.

Anyhow, I got OpenVPN running. Here's what I did to get certificates generated, and some other things that differ from the OP. Commands run in the jail:

pkg install openssl
# the openssl port installs its sample config under /usr/local/openssl;
# copy it into the easy-rsa directory under the name easyrsa expects
cp /usr/local/openssl/openssl.cnf.sample /usr/local/share/easy-rsa/openssl-1.0.cnf


Now edit the copied openssl-1.0.cnf and change (use nano, vim...):

dir = ./pki
certs = $dir
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
# use sha256 rather than md5: current OpenSSL/OpenVPN builds reject MD5-signed certificates
default_md = sha256


If you want, you can also change the following values to your liking, so creating new certificates doesn't require as much writing when inputting details:

countryName_default = AU
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address


Now run some commands:

cd /usr/local/share/easy-rsa
easyrsa init-pki
easyrsa build-ca                          # CA key and crt (you are prompted for a CA passphrase)

easyrsa gen-req openvpn-server nopass     # server signing request, key without passphrase
easyrsa sign-req server openvpn-server    # sign the request (confirm with "yes" at the prompt)

easyrsa gen-req someclient1 nopass        # client signing request
easyrsa sign-req client someclient1       # sign the request

easyrsa gen-dh                            # dh.pem

# note: pki/private/* also includes ca.key; the OpenVPN server only needs its own key,
# so copy just openvpn-server.key and the client keys if you want the CA key kept out of /mnt/openvpn/keys
cp pki/private/* /mnt/openvpn/keys
cp pki/issued/* /mnt/openvpn/keys
cp pki/ca.crt /mnt/openvpn/keys
cp pki/dh.pem /mnt/openvpn/keys/dh2048.pem


Now the certificates are created and one should be able to follow the original guide.
One change is needed to the client config: change ns-cert-type server to remote-cert-tls server. I couldn't connect the Android OpenVPN client because the generated certs don't have the ns-cert-type field or something...
I also needed to reboot FreeNAS to get routing to work, as someone pointed out earlier.

edit: added nopass options to gen-req lines
 

moo083

Dabbler
Joined
Nov 9, 2015
Messages
28
That all worked for me until I ran
$ easyrsa sign-req client someclient

That command all seemed to work and displayed the Certificate Details. Then below that it says:
failed to update database
TXT_DB error number 2

Easy-RSA error:

signing failed (openssl output above may have more detail)

Know what that might mean? I even tried deleting my jail and remaking it, starting from scratch, and it still failed in the same way.
 

moo083

Dabbler
Joined
Nov 9, 2015
Messages
28
Of course I found an answer. It seems that only happens when the common name on the server matches the one on the client. I thought they were supposed to match but apparently they are specifically NOT supposed to match. Hope that helps someone.
 

Pekka Piippo

Cadet
Joined
Jan 18, 2016
Messages
4
> Of course I found an answer. It seems that only happens when the common name on the server matches the one on the client. I thought they were supposed to match but apparently they are specifically NOT supposed to match. Hope that helps someone.

Well, the common name is kind of the name of the entity using the certificate, so two shouldn't have the same name.

I edited the previous message; I forgot to add the nopass option to the gen-req lines. It omits the passphrase on the certificate. Normally the server uses a certificate without a passphrase. Nopass is optional for the client certificate; you can use a passphrase for added security.
 

moo083

Dabbler
Joined
Nov 9, 2015
Messages
28
Yeah, it makes sense now that I think about it closer. But I wish the error message was a little better. "TXT_DB error number 2" is a pretty terrible error message.
 

Pseudolife

Dabbler
Joined
Jan 7, 2016
Messages
25
I'm having issues with the EasyRSA 3 updates.

I get to "easyrsa sign-req server" and I get "signing failed (openssl output above may have more details)" and looking above "AU:invalid type in 'policy' configuration"
 

moo083

Dabbler
Joined
Nov 9, 2015
Messages
28
> I'm having issues with the EasyRSA 3 updates.
>
> I get to "easyrsa sign-req server" and I get "signing failed (openssl output above may have more details)" and looking above "AU:invalid type in 'policy' configuration"
Note that in the config for openssl, it has:
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

It looks like the country on one thing is AU and something else in another place. I would alter the defaults to your values and try again.
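A pre-flight check for the two `openssl ca` refusals in this thread (the duplicate-common-name "TXT_DB error number 2" a few posts up, and the [ policy_match ] rules just quoted), as an added example that is not code from the thread or from Easy-RSA. It reads the tab-separated pki/index.txt format Easy-RSA 3 keeps; the index rows, CA subject and request subjects are constructed, and Python is assumed to be available in the jail.

```python
"""Pre-flight for `easyrsa sign-req`: reproduces the two refusals of `openssl ca`
discussed above, the index.txt duplicate-subject check behind "TXT_DB error number 2"
and the [ policy_match ] rules. Added example, not part of the thread or of Easy-RSA;
the index.txt content and DNs below are constructed."""

# pki/index.txt is the OpenSSL CA database, one tab-separated row per certificate:
# status (V valid / R revoked / E expired), expiry, revocation date, serial, file, subject DN.
SAMPLE_INDEX = (
    "V\t260118120000Z\t\t01\tunknown\t/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=openvpn-server\n"
    "R\t260118120000Z\t160201093000Z\t02\tunknown\t/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=olduser\n"
)
CA_DN = "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Easy-RSA CA"

# The [ policy_match ] section quoted above, keyed by the short names used in DNs.
POLICY_MATCH = {"C": "match", "ST": "match", "O": "match",
                "OU": "optional", "CN": "supplied", "emailAddress": "optional"}

def parse_dn(dn: str) -> dict:
    """'/C=AU/ST=Some-State/CN=x' -> {'C': 'AU', 'ST': 'Some-State', 'CN': 'x'}."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if part)

def parse_index(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if line.strip():
            status, _exp, _rev, serial, _file, subject = line.split("\t")
            rows.append({"status": status, "serial": serial, "subject": parse_dn(subject)})
    return rows

def check_request(req_dn: str, index_text: str = SAMPLE_INDEX, ca_dn: str = CA_DN,
                  policy: dict = POLICY_MATCH) -> list:
    """Problems `openssl ca` would raise for this request subject (empty list = would sign)."""
    problems = []
    ca, req = parse_dn(ca_dn), parse_dn(req_dn)
    # 1. unique_subject = yes (the default in index.txt.attr): a still-valid certificate with
    #    the same DN is refused, which is the "TXT_DB error number 2" seen above.
    for row in parse_index(index_text):
        if row["status"] == "V" and row["subject"] == req:
            problems.append(f"duplicate subject, already issued as serial {row['serial']} "
                            "(TXT_DB error number 2)")
    # 2. policy_match: 'match' fields must equal the CA's, 'supplied' fields must be present.
    for field, rule in policy.items():
        if rule == "match" and req.get(field) != ca.get(field):
            problems.append(f"{field}: must match CA value {ca.get(field)!r}, "
                            f"request has {req.get(field)!r}")
        elif rule == "supplied" and not req.get(field):
            problems.append(f"{field}: policy says supplied but the request lacks it")
    return problems
```

A revoked entry (status R) does not block re-issuing the same name, which is why revoking with `easyrsa revoke` and then signing again works while a second sign-req for a live name does not.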
 

Pseudolife

Dabbler
Joined
Jan 7, 2016
Messages
25
Thanks Moo083, that got me through.

I was able to get the auth.key worked out too, but I'm having more trouble getting the revocation list figured out.

It looks like the revocation list details have also changed a bit. I'm having some trouble with the "crl.pem" either needing special commands to generate, or not being where I thought it should be.

I used "easyrsa revoke <user name>" but it told me I needed to run a gen-crl, which I haven't had much luck with.
 

Pekka Piippo

Cadet
Joined
Jan 18, 2016
Messages
4
> Thanks Moo083, that got me through.
>
> I was able to get the auth.key worked out too, but I'm having more trouble getting the revocation list figured out.
>
> It looks like the revocation list details have also changed a bit. I'm having some trouble with the "crl.pem" either needing special commands to generate, or not being where I thought it should be.
>
> I used "easyrsa revoke <user name>" but it told me I needed to run a gen-crl, which I haven't had much luck with.

Create /usr/local/share/easy-rsa/pki/crlnumber with 01 as content, then run gen-crl.
 

Pseudolife

Dabbler
Joined
Jan 7, 2016
Messages
25
> Create /usr/local/share/easy-rsa/pki/crlnumber with 01 as content, then run gen-crl.
Thank you for the help, but I'm still a little confused. Yes, I'm a newbie at this.

Can you clarify what is meant by "01 as content" ? A file named 01? What should the file structure look like?
/usr/local/share/easy-rsa/pki/crlnumber/01
/usr/local/share/easy-rsa/pki/01
/usr/local/share/easy-rsa/pki/crl01
 

moo083

Dabbler
Joined
Nov 9, 2015
Messages
28
He means a file named crlnumber. Inside the file, the only text is "01".
 

rbanaco

Cadet
Joined
Oct 15, 2012
Messages
6
Hello ppl, I'm having strange behavior from my OpenVPN jail.
All seems ok and clients can connect... the problem is that sometimes they can't... it seems really random, and that the server sometimes "sleeps". I need to go inside the jail and restart the service, which sometimes works and sometimes doesn't... when it doesn't, I restart the complete FreeNAS and it works again for some time before doing it again =/

Does anyone have an idea what it is? The outputs of my jail are the same as the tutorial and all seems fine... except that it is not constant.

Thank you very much for your support!
 

dghoti

Cadet
Joined
Dec 31, 2015
Messages
3
Thanks for all the wonderful help on here - I've got the VPN working like a dream thanks to you wonderful folk!
I've gone a little further and slightly automated the process of adding extra users - and I thought I would share in case any of you might find this useful.

For this script to work, I am assuming that you have the folders configured as per this tutorial (keys etc. stored in /mnt/openvpn/).
I added a subfolder called default_package, which contains the file SERVER-vpn.ovpn (change SERVER to your preferred name for the server).
This file contains:
Code:
client
dev tun
proto udp
remote SERVERURL SERVERPORT
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert XXXXX.crt
key XXXXX.key
#tls-auth auth.key 1
remote-cert-tls server
comp-lzo
verb 3

Edit SERVERURL and SERVERPORT to the values configured earlier.

Copy the following into a file (I use "add_vpnuser"):
Code:
#!/bin/csh -f

##                      check if called properly
    if ($#argv != 1) then
        echo "Usage: $0 certname"
        echo "creates and signs a cert for the vpn, then copies it to storage"
        goto error
    endif
##                  save command line args in variables
    set cert_name=$1

cd /usr/local/share/easy-rsa
if ($status != 0) goto error
echo "Starting setup:"
echo "Generating keys"
easyrsa gen-req $cert_name nopass
echo "Signing keys"
easyrsa sign-req client $cert_name
## stop here if signing was refused (e.g. a common name that already exists: TXT_DB error number 2)
if ($status != 0) goto error
echo "Copying keys to central store"
cp -v pki/private/$cert_name.key /mnt/openvpn/keys/
cp -v pki/issued/$cert_name.crt /mnt/openvpn/keys/
#-----------------------------------------------------------------
echo "Creating export package"
echo "1. Create directory"
mkdir -v /mnt/openvpn/${cert_name}_package
echo "2. Copy ca.crt"
cp -v /mnt/openvpn/keys/ca.crt /mnt/openvpn/${cert_name}_package/
echo "3. Copy user keys"
cp -v /mnt/openvpn/keys/$cert_name.* /mnt/openvpn/${cert_name}_package/
echo "4. Create config file"
sed -e "s/XXXXX/$cert_name/g" /mnt/openvpn/default_package/SERVER-vpn.ovpn >/mnt/openvpn/${cert_name}_package/SERVER-vpn.ovpn
echo "5. Change permissions on export folder"
## 644 leaves the package, private key included, readable by every local user;
## tighten it (chmod 600 on the .key) once the files have been transferred to the client
chmod -v -R 644 /mnt/openvpn/${cert_name}_package/*
echo "Done."

##           Labels to jump to exit OK (done) or not OK (error)
    done:
     exit 0
    error:
     echo "add_vpnuser: failed"
     exit 1

Edit the file and change SERVER to the desired connection name (I use the server's actual name), then:
chmod +x <scriptname>

Now, if you run the script, it takes you through all the steps of creating a user, and creates a folder with all the needed settings and certs for an OpenVPN client.

EDIT: Just to point out, this is a rough and ready script, and does little (if any) error checking - hence the verbose output of all commands.
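Rather than shipping ca.crt, <name>.crt and <name>.key next to the rendered .ovpn, the same package can be collapsed into a single profile with the PEM blocks inlined as <ca>/<cert>/<key> sections, which is standard OpenVPN client syntax. This is an added example, not part of dghoti's script or the thread; it assumes the package layout the script creates and uses a constructed, abridged copy of the template above.

```python
"""Single-file client profile from the package dghoti's script produces (ca.crt,
<name>.crt, <name>.key and SERVER-vpn.ovpn with XXXXX placeholders): the three PEM
files are inlined as <ca>/<cert>/<key> blocks. Added example; template and PEMs are constructed."""
import re
from pathlib import Path

# Abridged copy of the client template from the post (XXXXX is the per-user placeholder).
TEMPLATE = """client
dev tun
proto udp
remote SERVERURL SERVERPORT
ca ca.crt
cert XXXXX.crt
key XXXXX.key
remote-cert-tls server
verb 3
"""
# .ovpn directive -> package file it points to (after XXXXX substitution)
INLINE = {"ca": "ca.crt", "cert": "{name}.crt", "key": "{name}.key"}
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)

def extract_pem(text: str, tag: str) -> str:
    """Keep only the PEM block; easyrsa's issued .crt files carry a text dump in front of it."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError(f"no PEM block for <{tag}>")
    return m.group(0)

def build_profile(template: str, files: dict, name: str) -> str:
    """Render the template for one user and inline its CA, cert and key.
    `files` maps package filename -> contents, so the logic runs without touching a disk."""
    lines = []
    for line in template.replace("XXXXX", name).splitlines():
        words = line.split()
        if words and words[0] in INLINE:   # drop the file-path form of the directive
            continue
        lines.append(line)
    for tag, pattern in INLINE.items():
        fname = pattern.format(name=name)
        if fname not in files:
            raise FileNotFoundError(f"{fname} missing from package for {name}")
        lines += [f"<{tag}>", extract_pem(files[fname], tag), f"</{tag}>"]
    return "\n".join(lines) + "\n"

def build_from_package(package_dir: Path, name: str, server: str) -> Path:
    """Disk wrapper: read the package dir, write <server>-vpn-<name>.ovpn owner-only."""
    files = {p.name: p.read_text() for p in package_dir.iterdir() if p.is_file()}
    dest = package_dir / f"{server}-vpn-{name}.ovpn"
    dest.write_text(build_profile(TEMPLATE, files, name))
    dest.chmod(0o600)   # the profile now embeds a private key
    return dest
```

Running `build_from_package(Path("/mnt/openvpn/alice_package"), "alice", "SERVER")` inside the jail produces one file to hand to the user, and the 0600 mode matters because that file now contains the private key.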
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
This looks like a great addition, but I'm not sure I've got it set up right. I added the SERVER-vpn.ovpn file into the /mnt/default_package subfolder (I'd created it without the openvpn subfolder) and edited the SERVERURL and SERVERPORT to my values.

I added the add_vpnuser.sh file into the /mnt/default_package folder and edited the script with the SERVER name, and also removed various /openvpn files (as I don't have this subfolder).

When I run the script with csh add_vpnuser user.name it completes and creates a /mnt/user.name_package with a SERVER-vpn.ovpn and ca.crt file, but I was expecting to see user.name files in the /mnt/key folder. Looking at it again, it doesn't look like the easyrsa command is running correctly. Any ideas?

Cheers
 

Pseudolife

Dabbler
Joined
Jan 7, 2016
Messages
25
I've got OpenVPN running in a jail, and I've been able to get my OpenVPN client (on a windows laptop) to connect to it from my internet connection at work: the little tray icon turns green, and the console window closes. It was very exciting for a networking newbie like myself.

Unfortunately, I haven't been able to do anything with it. I can't see my FreeNAS shares nor connect to my FreeNAS GUI.

I suspect I've got something wrong in my configs, but poking at it blindly isn't getting me far.
I'd love some expert help.

This is using the EasyRSA 3 modified instructions...

Here is my server config:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/Necronomicon.crt #Server key created previously
key /mnt/openvpn/keys/Necronomicon.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" #Yellow network
route 192.168.0.203 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (192.168.0.0/24)
  #to the Purple network side (10.8.0.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
#two factor authentication
#plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login


Here is my client config:
Code:
client
dev tun
proto udp
remote pseudolife.ddns.net 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert pseudolife.crt
key pseudolife.key
#tls-auth auth.key 1
#ns-cert-type server
remote-cert-tls server
comp-lzo
verb 3
# Force username & password authentication
#auth-user-pass
# Disable client-side password caching
#auth-nocache
 

dghoti

Cadet
Joined
Dec 31, 2015
Messages
3
> This looks like a great addition, but I'm not sure I've got it set up right. I added the SERVER-vpn.ovpn file into the /mnt/default_package subfolder (I'd created it without the openvpn subfolder) and edited the SERVERURL and SERVERPORT to my values.
>
> I added the add_vpnuser.sh file into the /mnt/default_package folder and edited the script with the SERVER name, and also removed various /openvpn files (as I don't have this subfolder).
>
> When I run the script with csh add_vpnuser user.name it completes and creates a /mnt/user.name_package with a SERVER-vpn.ovpn and ca.crt file, but I was expecting to see user.name files in the /mnt/key folder. Looking at it again, it doesn't look like the easyrsa command is running correctly. Any ideas?
>
> Cheers

If you message me with the output of the "csh add_vpnuser user.name" command, I may be able to help debug it, but you may have hacked a bit too much off ;)
I should have added that this is a rough and ready script with very little error checking :(
 

samwheat90

Cadet
Joined
Jan 30, 2016
Messages
5
I'm trying to figure out the step where I move my generated keys to my desktop. What's the preferred method to do this straight from the /mnt/openvpn/keys folder? I did cp the folder to my media folder that I have a CIFS share with, but only the client.key file moved. I tried using chmod 644 on the client.crt and the ca.crt, but I'm getting a permissions error. This is the only step I have not figured out before attempting to connect, so any help would be appreciated!
 

Scareh

Contributor
Joined
Jul 31, 2012
Messages
182
> I'm trying to figure out the step where I move my generated keys to my desktop. What's the preferred method to do this straight from the /mnt/openvpn/keys folder? I did cp the folder to my media folder that I have a CIFS share with, but only the client.key file moved. I tried using chmod 644 on the client.crt and the ca.crt, but I'm getting a permissions error. This is the only step I have not figured out before attempting to connect, so any help would be appreciated!

You could just use FTP to go to the folder; if you have logon as root enabled, you won't have any issues with the download then.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
> I'm trying to figure out the step where I move my generated keys to my desktop. What's the preferred method to do this straight from the /mnt/openvpn/keys folder? I did cp the folder to my media folder that I have a CIFS share with, but only the client.key file moved. I tried using chmod 644 on the client.crt and the ca.crt, but I'm getting a permissions error. This is the only step I have not figured out before attempting to connect, so any help would be appreciated!

You have SSH enabled, right?

You can use WinSCP or FileZilla, connect to it via the SSH port, and get to whatever directory you want.
 