Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Hi,
i am new to this community and i decided to mix info from How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT and OpenVPN On FreeBSD 10.3 tutorials.
Please report inconsistency.

PS: i've also created a script to fully automate this process. Automatic install OpenVPN inside iocage Jail in FreeNAS all versions

change-log: 0.7 - 2020.01.29 - Added note that external LAN should be different than FreeNAS LAN.
0.7 - 2020.01.29 - Added note that external LAN should be different than FreeNAS LAN.
0.6 - 2020.01.29 - Tested on FreeNAS FreeNAS-11.2-U7.
0.5 - 2018.10.14 - Added note that full restart is required sometimes
0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and test everything from scratch following all the steps
0.2 - 2018.02.17 - Beautify code and few more details
0.1 - 2018.02.16 - First release

Legend:
  1. Green text - should remain like it is
  2. Blue text - you may cange it if you like
  3. Red text - needs to be changed by you

Requirements:
  1. FreeNAS 11.1-U1 - 11.2-U7 ( may work with other versions either )
  2. FreeNAS User with ssh access and sudo
  3. SSH Client ( Putty for Windows and Terminal for MAC )
  4. Admin access to the router where FreeNAS exists
  5. Own domain or domain updated by DDNS or a static IP
  6. Please follow this step by step tutorial before ask for help
Relevant data to use later in this tutorial ( use your own, this is just for reference )
  1. Home Network: 192.168.222.0/24 ( LAN where is your FreeNAS * Try to use at home different subnet than common ones to avoid conflicts when connecting from outside)
  2. NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
  3. Domain: nas.mydomain.com
  4. VPN Server Port: 1194 UDP.
  5. VPN Outside Access Port: 1194 UDP
  6. Certificate Authority Password: Password1
  7. Bibi40k Client Certificate Password: Password2

3,2,1.. START

Use FreeNAS Web GUI

Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )

SSH to your FreeNAS box
Code:
% jls
JID     IP Address    Hostname      Path
...
4                     OpenVPN       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:

Get everything updated and install necessary apps
Code:
# pkg update
# pkg upgrade -y
# pkg install -y nano openvpn mpack

Create directories for OpenVPN
Code:
# mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/keys

Copy necessary files
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
# cd /usr/local/etc/openvpn/easy-rsa
# nano vars
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec mode only:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE 3650
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_REQ_COUNTRY "US"

set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

Generate Keys
Code:
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Build Certificate Authority ( follow instructions using Password1 and common name )
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Build Client Certificate ( use unique name for each certificate, use Bibi40k with Password2 and authorize with Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameters ( /usr/local/etc/openvpn/easy-rsa/pki/dh.pem )
Code:
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................
...........................................................................................................
......................................................................................+...................
...........................................................................................................
.............................................................+............................................
...........................................................................................................
.............................+......................................................+...................
.......+.................................................................................................
..........................................................................................................
..............................................................................+..................+.....
...
...................................................................................+....................
.........................................................................................................
.........................................................................................................
...+....................................................................................................
..........+..........................++*++*
DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem

Generate the TA key
Code:
# openvpn --genkey --secret ta.key

Copy Keys Together
Code:
# cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
# cp ta.key /usr/local/etc/openvpn/keys/
# cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/

OpenVPN ( edit /usr/local/etc/openvpn/openvpn.conf )
Code:
# cd /usr/local/etc/openvpn/
# nano openvpn.conf
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /usr/local/etc/openvpn/keys/dh.pem
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
push "route 192.168.222.0 255.255.255.0"
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
push "route 192.168.222.0 255.255.255.0"

keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/Bibi40k.conf
# nano Bibi40k.conf
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
remote nas.mydomain.com 1194
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert Bibi40k.crt

key Bibi40k.key
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1

#redirect-gateway def1
client
dev tun
proto udp
remote nas.mydomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt

key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
verb 3
You can include everything in one file (useful on mobile and more convenient than keeping all certs appart)
client
client
dev tun
proto udp
remote mynas.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
add cert content here...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
add cert content here...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
add cert content here...
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
add cert content here...
-----END OpenVPN Static key V1-----
</tls-auth>

# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1

Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add green text )
Code:
# nano /usr/local/etc/ipfw.rules
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


More configuration ( edit /etc/rc.conf and add green text at the end of the file )
Code:
# nano /etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Setup Logging ( edit /etcsyslog.conf )
Code:
# nano /etc/syslog.conf
!ppp
*.* /var/log/ppp.log
!openvpn
*.* /var/log/openvpn.log

!*
Setup log rotation ( edit /etcnewsyslog.conf )
Code:
# nano /etc/newsyslog.conf
/var/log/weekly.log 640 5 * $W6D0 JN
/var/log/xferlog 600 7 100 * JC
/var/log/openvpn.log 600 30 * @T00 ZC
Use FreeNAS Web GUI
Jails -> Select OpenVPN Jail -> Restart


Note: sometimes is necessary to restart whole FreeNAS server because the routes are build properly after full restart.

SSH to your FreeNAS box and make some checks
Code:
% jls
JID  IP Address   Hostname        Path
...
5                 OpenVPN         /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
# sockstat -4 -l
USER    COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194         *:*
root    syslogd  64803  7   udp4   *:514          *:*

Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
 
Last edited:

joebad1

Explorer
Joined
Nov 21, 2015
Messages
58
Beautiful! Worked like a charm! Much appreciated.
 

omerome

Dabbler
Joined
Apr 24, 2014
Messages
17
Thanks for the guide!

I am just having one problem. I am not getting the email after trying to send it to myself in the last step.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
run again pkg install -y mpack
...
when you run service sendmail onestart it says ?
Code:
# service sendmail onestart
Starting sendmail.
Starting sendmail_msp_queue.
#

...
you also have those lines into nano /etc/rc.conf
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"

...
try a system reboot.
 

joebad1

Explorer
Joined
Nov 21, 2015
Messages
58
It may be your email account filtering emails with attachments. I had the same problem when I tried to email my Gmail account. It sent my email to the spam folder.
 
Last edited:

omerome

Dabbler
Joined
Apr 24, 2014
Messages
17
run again pkg install -y mpack
...
when you run service sendmail onestart it says ?
Code:
# service sendmail onestart
Starting sendmail.
Starting sendmail_msp_queue.
#

...
you also have those lines into nano /etc/rc.conf
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"

...
try a system reboot.
Okay thanks.

When I rebooted the system and entered the jail, the first thing it says is "You have mail." Something it didn't say before.

I re-ran pkg install -y mpack and it says, "The most recent version of packages are already installed".

I also confirmed that I have the following lines in the rc.conf like above.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Try what joebad1 suggested. And if still doesn't work, i have no other idea, put the files in a shared folder and take them manually.
 

omerome

Dabbler
Joined
Apr 24, 2014
Messages
17
It may be your email account filtering emails with attachments. I had the same problem when I tried to email my Gmail account. It sent my email to the spam folder.
Thanks. I checked my spam folder, but the emails are not there.
 

joebad1

Explorer
Joined
Nov 21, 2015
Messages
58
Is your server connected to VPN? I believe email services are sometimes blocked by VPN providers.
 

omerome

Dabbler
Joined
Apr 24, 2014
Messages
17
Is your server connected to VPN? I believe email services are sometimes blocked by VPN providers.
I guess I have a lot more research to do when it comes to using a VPN because I don't think so. I am not sure what VPN provider to use or anything. This is a concept I've been reading about for a while and still trying to learn more about.
 

joebad1

Explorer
Joined
Nov 21, 2015
Messages
58
I guess I have a lot more research to do when it comes to using a VPN because I don't think so. I am not sure what VPN provider to use or anything. This is a concept I've been reading about for a while and still trying to learn more about.
OK. Probably not connected to VPN then. It's a service you usually have to pay for through a third party. You might try sending your mail to a different account to see if that has any effect. I'm at the limit of my knowledge here. Sorry you're having trouble.

The only other thing I would suggest is to add storage to your jail using some common folder on your system. Transfer the files to that folder and then pull them down from an NFS share or AFP share to your laptop.
 

joebad1

Explorer
Joined
Nov 21, 2015
Messages
58
Based on what I'm reading about sendmail, some email servers/domains can be very particular about "where" the emails come from. If you have other email accounts, I would try those too . . .
 

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
Greetings Everyone!

I finally got it working. From the 6 guides I looked through and followed none of them mentioned this, so I thought I might share. If you have more than one jail, or even if you have one,

restart your entire FreeNAS box after you complete everything.

If I had to guess I would think my network settings were fighting with each other (Someone more technical might have the words for this)

Here are the settings I wound up with:

OpenVPN Connect Client Configuration - On Android Galaxy Note 8 running 7.1.1
Code:
client
dev tun
proto udp
remote vpn.domain.com 11001
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert krowvin.crt
key krowvin.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
dhcp-option DNS 192.168.1.1
redirect-gateway def1
comp-lzo
verb 4


OpenVPN Server Configuration- Inside a jail running FreeNAS-11.1-RELEASE

Code:
local 192.168.1.43
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.43 255.255.255.0 10.8.0.1
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
keepalive 10 120
cipher AES-256-CBC
#auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


192.168.1.0 is the network/subnet your FreeNAS jail is running OpenVPN on.
192.168.1.43 is the IP address of your FreeNAS jail running OpenVPN.
10.8.0.0 is the network/subnet your VPN will host
10.8.0.1 is the gateway of the subnet, these two values will only change if you use 10.x.x.x as a private IP on your network. In which case you might change this to 172.x.x.x

The idea is to avoid conflicts with the networks while routing. OpenVPN warns against this on startup,

NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet

You'll notice I have one line commented out on the server configuration.
this line: #auth SHA256

If I try just enabling that line, my device was unable to connect. YMMV, but for the Android client, I had no luck.

Thank you for rewriting this guide from the others. The color coding helped me understand the positioning of some of the IP addresses.


It was noted by Robles in his guide that adding route 192.168.1.43 255.255.255.0 10.8.0.1 is not needed because of the firewall rules. I added it, but I still think it might have been the restart that pushed this whole thing forward. Not sure!

Goodluck, everyone!
 
Last edited:

zach7953

Dabbler
Joined
Feb 13, 2017
Messages
11
Greetings Everyone!

I finally got it working. From the 6 guides I looked through and followed none of them mentioned this, so I thought I might share. If you have more than one jail, or even if you have one,

restart your entire FreeNAS box after you complete everything.

If I had to guess I would think my network settings were fighting with each other (Someone more technical might have the words for this)

Here are the settings I wound up with:

OpenVPN Connect Client Configuration - On Android Galaxy Note 8 running 7.1.1
Code:
client
dev tun
proto udp
remote vpn.domain.com 11001
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert krowvin.crt
key krowvin.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
dhcp-option DNS 192.168.1.1
redirect-gateway def1
comp-lzo
verb 4


OpenVPN Server Configuration- Inside a jail running FreeNAS-11.1-RELEASE

Code:
local 192.168.1.43
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt #Server public key
key /usr/local/etc/openvpn/keys/openvpn-server.key #Server private key
dh /usr/local/etc/openvpn/keys/dh.pem #Diffie-Hellman parameters
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
route 192.168.1.43 255.255.255.0 10.8.0.1
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
#auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


192.168.1.0 is the network your FreeNAS jail is running OpenVPN on.
192.168.1.43 is the IP address of your FreeNAS jail running OpenVPN.
10.8.0.0 is the subnet your VPN will host
10.8.0.1 is the gateway of the subnet, these two values will only change if you use 10.x.x.x as a private IP on your network. In which case you might change this to 172.x.x.x

The idea is to avoid conflicts with the networks while routing. OpenVPN warns against this on startup,



You'll notice I have one line commented out on the server configuration.
this line: auth SHA256

If I try just enabling that line, my device was unable to connect. YMMV, but for the Android client, I had no luck.

Thank you for rewriting this guide from the others. The color coding helped me understand the positioning of some of the IP addresses.


It was noted by Robles in his guide that adding route 192.168.1.43 255.255.255.0 10.8.0.1 is not needed because of the firewall rules. I added it, but I still think it might have been the restart that pushed this whole thing forward. Not sure!

Goodluck, everyone!

Hey, if I could get your help then I would appreciate it as I am trying to set this VPN up currently. Would you mind explaining and diving more into detail about your OpenVPN Server configuration to make sure I am not confused here... When you say the following....

192.168.1.0 is the network your FreeNAS jail is running OpenVPN on.
192.168.1.43 is the IP address of your FreeNAS jail running OpenVPN.
10.8.0.0 is the subnet your VPN will host
10.8.0.1 is the gateway of the subnet, these two values will only change if you use 10.x.x.x as a private IP on your network. In which case you might change this to 172.x.x.x

Will your 192.168.1.0 be equal to my default gateway of my network (i.e. 192.168.1.1)? And the IP address that my FreeNAS Jail that is running OpenVPN is set to 192.168.1.135 so I forwarded my port in my local network (UDP). Now is that equal to your 192.168.1.43?
 

zach7953

Dabbler
Joined
Feb 13, 2017
Messages
11
Hey, if I could get your help then I would appreciate it as I am trying to set this VPN up currently. Would you mind explaining and diving more into detail about your OpenVPN Server configuration to make sure I am not confused here... When you say the following....

192.168.1.0 is the network your FreeNAS jail is running OpenVPN on.
192.168.1.43 is the IP address of your FreeNAS jail running OpenVPN.
10.8.0.0 is the subnet your VPN will host
10.8.0.1 is the gateway of the subnet, these two values will only change if you use 10.x.x.x as a private IP on your network. In which case you might change this to 172.x.x.x

Will your 192.168.1.0 be equal to my default gateway of my network (i.e. 192.168.1.1)? And the IP address that my FreeNAS Jail that is running OpenVPN is set to 192.168.1.135 so I forwarded my port in my local network (UDP). Now is that equal to your 192.168.1.43?

Actually I figured out my problem... My firewall and all those settings are dandy but for the life of me I cannot figure out why when I check if my OpenVPN is running nothing shows up... I get this error when I manually try and start OpenVPN, any help???
Code:
Mar 29 14:52:57 OpenVPN openvpn[10638]: Options error: --crl-verify fails with $
Mar 29 14:52:57 OpenVPN openvpn[10638]: Options error: Please correct these err$
Mar 29 14:52:57 OpenVPN openvpn[10638]: Use --help for more information.
 

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
Try removing that line from your server configuration. The pem file is for combined key files, I think. I meant to remove it from my post.


Will your 192.168.1.0 be equal to my default gateway of my network (i.e. 192.168.1.1)?
192.168.1.0 is the entire network in that subnet. This is assuming your subnet mask is 255.255.255.0
If your FreeNAS jail IP address was 192.168.0.135, then this IP would be 192.168.0.0

I don't mean to confuse you with this next statement, but i'll try to explain the subnet mask if I can:
Most common consumer networks are setup as a Class C /24 Meaning it is 8 bits from a 32 bit network.

8 bits on a binary system 0 or 1 (total of 2 values) is 255 max values (2^8 = 256), or 0-255. Which is why your IP range is set this way.

If your subnet mask was 255.255.0.0 Then you would have 8 + 8 bits of representation, 8 bits for each zero in the subnet. This equates to 16 bits or 2^16 = 65,536
Most home networks will not see this mask, as they don't break 255 devices.... Yet


And the IP address that my FreeNAS Jail that is running OpenVPN is set to 192.168.1.135 so I forwarded my port in my local network (UDP). Now is that equal to your 192.168.1.43?

For the port I am not doing what the other authors are doing, they have the right idea for security. This also might let them use their VPN behind a corporate firewall that doesn't have as many blocks on the common HTTPS port 443.

They choose to open 443 and redirect it from the router to an internal port of say 11001 or 1194 in the router configuration. This depends on your router but nothing is stopping you from setting the external port to 1194 and the internal port to 1194 as well.
 
Top