Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
You generate all the necessary files, then you open the .conf file with ovpn. If it does not recognize .conf, you rename it to .ovpn.

If you want, you can also copy the certificates from each file into the .conf instead of that link/path.

It's the same thing.

Bibi40k.conf
ca.crt
Bibi40k.crt
Bibi40k.key
ta.key


Example:

client
dev tun
proto udp
remote myserver.com 11941
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIJAPZi8xHec85GMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJPcGVu
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIecU3Dsb/F/UCAggA
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
ea2e6d2f985acdcdc716b6109b284e28
-----END OpenVPN Static key V1-----
</tls-auth>
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
I have figured out the ovpn file. Thanks here!
But it seems like I don't get
Code:
nobody  openvpn  64842  7   udp46  *:1194		 *:*
by this code
Code:
sockstat -4 -l

Which means my openvpn might not be working. How can I solve this?
Thanks.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Well, that result is as it should be. Did you forward the port on your router? What is the error in the server log? What is the error in the client log?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Try this and read the messages:
service openvpn stop
openvpn --config /usr/local/etc/openvpn/openvpn.conf
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
> Well, that result is as it should be. Did you forward the port on your router? What is the error in the server log? What is the error in the client log?
I mean that I only get the output below:
Code:
USER	 COMMAND	PID   FD PROTO  LOCAL ADDRESS		 FOREIGN ADDRESS	  

root	 syslogd	23862 7  udp4   *:514				 *:*

So that means I don't have openvpn running, correct?
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
> Try this and read the messages:
> service openvpn stop
> openvpn --config /usr/local/etc/openvpn/openvpn.conf
Here's the result:
Code:
# service openvpn stop

openvpn not running? (check /var/run/openvpn.pid).

# openvpn --config /usr/local/etc/openvpn/openvpn.conf

Options error: --dh fails with 'dh2048.pem': No such file or directory (errno=2)

Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)

Options error: --cert fails with 'server.crt': No such file or directory (errno=2)

Tue Jul 24 19:40:16 2018 WARNING: cannot stat file 'server.key': No such file or directory (errno=2)

Options error: --key fails with 'server.key': No such file or directory (errno=2)

Tue Jul 24 19:40:16 2018 WARNING: cannot stat file 'ta.key': No such file or directory (errno=2)

Options error: --tls-auth fails with 'ta.key': No such file or directory (errno=2)

Options error: Please correct these errors.

Use --help for more information.

 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
This is what I tried and the result after stopping openvpn:
Code:
# service openvpn start

Starting openvpn.

/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Like it says, you did not adjust the openvpn.conf file:

# cd /usr/local/etc/openvpn/
# nano openvpn.conf


As I said from the very beginning, please read the first post and follow everything step by step.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


Pay attention to the ca, cert, key, dh paths ...
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
push "route 192.168.1.0 255.255.255.0"

For 192.168.1.0, should I use the jail's IPv4 address or my NAS IP address (e.g. 192.168.2.110)?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Neither, it's not anyone's IP, it's the network.
In your case it should be
push "route 192.168.2.0 255.255.255.0" considering your example.

Please read the Legend at the beginning of the tutorial. It's easier to follow everything slowly than with this partial information.
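The two mistakes discussed in this thread (the server config pointing at ca/cert/key/dh/ta.key files that do not exist, and a push "route" line written with a host address instead of the network address) can both be caught before starting the service. The script below is an added example, not part of the thread or of the tutorial; it assumes the config's relative paths are meant relative to the config's own directory, and the "network_of" helper answers the 192.168.2.110 question by masking the host address down to its network.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for an OpenVPN server config.
# It reports file directives (ca/cert/key/dh/tls-auth) whose target is missing, which
# is what produces "Options error: --ca fails with 'ca.crt': No such file or directory",
# and push "route" lines whose address is a host address rather than a network address.

ip2int() {                     # dotted quad -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                     # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

network_of() {                 # host IP + netmask -> network address to use in push "route"
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# check_conf CONFIG: prints each problem found and returns their count (0 = clean).
# Relative paths are resolved against the config's directory here (an assumption of this
# script; OpenVPN itself resolves them against its working directory unless "cd" is set).
check_conf() {
    conf=$1; dir=$(dirname "$conf"); errors=0
    while read -r key val rest; do
        case $key in
        ''|'#'*|';'*) continue ;;                       # blank lines and comments
        ca|cert|key|dh|tls-auth|tls-crypt|crl-verify)
            case $val in /*) f=$val ;; *) f=$dir/$val ;; esac
            if [ ! -r "$f" ]; then
                echo "$key: '$f' missing or unreadable"; errors=$((errors + 1))
            fi ;;
        push)
            if [ "$val" = '"route' ]; then
                set -- $rest; net=$1; mask=${2%\"}
                want=$(network_of "$net" "$mask")
                if [ "$want" != "$net" ]; then
                    echo "push route: $net is a host address; the network is $want"
                    errors=$((errors + 1))
                fi
            fi ;;
        esac
    done < "$conf"
    return $errors
}
# Usage: sh openvpn-check.sh /usr/local/etc/openvpn/openvpn.conf  (exit status = problem count)
if [ $# -gt 0 ]; then check_conf "$1"; fi
```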
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
> Neither, it's not anyone's IP, it's the network.
> In your case it should be
> push "route 192.168.2.0 255.255.255.0" considering your example.
>
> Please read the Legend at the beginning of the tutorial. It's easier to follow everything slowly than with this partial information.
OK, I did change my openvpn.conf, but I still get the same error as above.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Did you generate all those files?
Did you restart the service after the changes?
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Code:
client
dev tun
proto udp
remote nas.mydomain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
verb 3


For nas.mydomain.com, can I use 192.168.2.110?

Sorry that I might not be able to do TM now.

Thanks for all the help.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Reboot your entire FreeNAS server.

I had this same problem where it would not connect unless the server is on a fresh boot. If I stop and restart the jail, it breaks "something". Never bothered to figure out what the problem is. I just know that it just works after a fresh reboot.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Code:
> client
> dev tun
> proto udp
> remote nas.mydomain.com 443
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert Bibi40k.crt
> key Bibi40k.key
> remote-cert-tls server
> tls-auth ta.key 1
> cipher AES-256-CBC
> comp-lzo
> # Act as Gateway: Uncomment only if you need this
> #dhcp-option DNS 192.168.1.1
> #redirect-gateway def1
> verb 3
>
> For nas.mydomain.com, can I use 192.168.2.110?
>
> Sorry that I might not be able to do TM now.
>
> Thanks for all the help.
No. Your domain needs to be your dynamic DNS address or your public IP address (the address given to you by your ISP).
 