Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
remote nas.mydomain.com 443
nas.mydomain.com is your external IP (the router's), from which you forward port 443 to your local 192.168.2.110:443

But before you try to connect, you should be able to run the server with
Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
and see no error
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
remote nas.mydomain.com 443
nas.mydomain.com is your external IP (the router's), from which you forward port 443 to your local 192.168.2.110:443

But before you try to connect, you should be able to run the server with
Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
and see no error
I got this error. I'm still checking if I did anything wrong in the openvpn.conf file.
Code:
# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Options error: Unrecognized option or missing or extra parameter(s) in /usr/local/etc/openvpn/openvpn.conf:81: be (2.4.6)
Use --help for more information.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
For /usr/local/etc/openvpn/openvpn.conf, I copied the code from the first post (the directory is the same), but I still have the same problem. I did change 192.168.1.0 to my 192.168.2.0.

Also, for the ports: are those required to get the OpenVPN service to start in FreeNAS? I know they're required to connect from outside my home network, but I'm concerned that OpenVPN won't start.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
I believe I got it. I got the file error from an Enter after a #, which made it look like it was continuing the previous line, but apparently it's a line break. Sorry for taking up all the time here.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
remote nas.mydomain.com 443
nas.mydomain.com is your external IP (the router's), from which you forward port 443 to your local 192.168.2.110:443

But before you try to connect, you should be able to run the server with
Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
and see no error
I got this message:
Code:
# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Tue Jul 24 22:57:20 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 26 2018
Tue Jul 24 22:57:20 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10
Tue Jul 24 22:57:20 2018 Diffie-Hellman initialized with 2048 bit key
Tue Jul 24 22:57:20 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 24 22:57:20 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 24 22:57:20 2018 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=epair1b HWADDR=xx:xx:xx:xx:xx:xx
Tue Jul 24 22:57:20 2018 TUN/TAP device /dev/tun1 opened
Tue Jul 24 22:57:20 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 22:57:20 2018 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Tue Jul 24 22:57:20 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Tue Jul 24 22:57:20 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Tue Jul 24 22:57:20 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Tue Jul 24 22:57:20 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]
Tue Jul 24 22:57:20 2018 setsockopt(IPV6_V6ONLY=0)
Tue Jul 24 22:57:20 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Tue Jul 24 22:57:20 2018 Exiting due to fatal error
Tue Jul 24 22:57:20 2018 Closing TUN/TAP interface
Tue Jul 24 22:57:20 2018 /sbin/ifconfig tun1 destroy
 
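As an added diagnostic (not from this thread or from the step-by-step guide), a small POSIX shell function that classifies the fatal condition in an OpenVPN start log like the one posted above: "route already in table" plus "Address already in use" on 1194 is the signature of an instance that is already running (for example one started by rc.d at jail boot), which is different from a config parse error. The log text is a constructed excerpt modelled on that post, and the FreeBSD commands in the trailing comment are the on-jail checks that confirm the verdict.

```shell
#!/bin/sh
# Added example: classify why a manual "openvpn --config ..." start died.

# Constructed excerpt modelled on the log posted above (not a real capture).
SAMPLE_LOG='Tue Jul 24 22:57:20 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Tue Jul 24 22:57:20 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Tue Jul 24 22:57:20 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Tue Jul 24 22:57:20 2018 Exiting due to fatal error'

# diagnose_openvpn_log LOGTEXT -> prints one verdict word:
#   config-error    : option parse failure (the ":81: be" case earlier in the thread)
#   already-running : port bound AND route present => another OpenVPN instance is up
#   port-in-use     : port bound, route fine => some other process holds the port
#   ok              : no fatal condition recognised
diagnose_openvpn_log() {
    log=$1
    if printf '%s\n' "$log" | grep -q 'Options error:'; then
        echo config-error
        return 0
    fi
    bound=0
    routed=0
    printf '%s\n' "$log" | grep -q 'Address already in use' && bound=1
    printf '%s\n' "$log" | grep -q 'route already in table' && routed=1
    if [ "$bound" -eq 1 ] && [ "$routed" -eq 1 ]; then
        echo already-running
    elif [ "$bound" -eq 1 ]; then
        echo port-in-use
    else
        echo ok
    fi
}

# Inside the jail, confirm an "already-running" verdict with (FreeBSD, not run here):
#   service openvpn status      # rc.d started it because rc.conf has openvpn_enable="YES"
#   sockstat -l | grep ':1194'  # which process holds the VPN port
# Stop the service (service openvpn stop) before running openvpn by hand, or
# just check the service's own log instead of starting a second copy.
verdict=$(diagnose_openvpn_log "$SAMPLE_LOG")
echo "verdict: $verdict"
```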

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
nano /usr/local/etc/ipfw.rules
This is what I did:
Code:
#!/bin/sh
# Find the jail's epair interface (the side visible inside the jail)
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)

ipfw -q -f flush

# NAT the VPN client subnet (10.8.0.0/24) out through the jail's epair interface
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename whatever tun device the jail was given (e.g. tun1) to tun0
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
nano /etc/rc.conf
Here:
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Good, please exit and restart the jail, or even FreeNAS itself, and then try again:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Good, please exit and restart the jail, or even FreeNAS itself, and then try again:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
Well, those are the exact settings I used before. I just copied them here for you to double-check. I'll restart FreeNAS itself and report back to you. Thanks.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Also I got confused by this:
  1. VPN Server Port: 1194 UDP
  2. VPN Outside Access Port: 443 UDP
In the router settings, do I set both as external port 1194 / internal port 1194 UDP?
So it would be:
ext: 1194 int: 1194 UDP
ext: 443 int: 443 UDP

Previously I thought it was ext: 443 int: 1194 UDP, due to the description above.
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
Good, please exit and restart the jail, or even FreeNAS itself, and then try again:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
I got the same error as before.
Code:
# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Tue Jul 24 23:16:08 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 26 2018
Tue Jul 24 23:16:08 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10
Tue Jul 24 23:16:08 2018 Diffie-Hellman initialized with 2048 bit key
Tue Jul 24 23:16:08 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 24 23:16:08 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jul 24 23:16:08 2018 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=epair1b HWADDR=xx:xx:xx:xx:xx:xx
Tue Jul 24 23:16:08 2018 TUN/TAP device /dev/tun1 opened
Tue Jul 24 23:16:08 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jul 24 23:16:08 2018 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Tue Jul 24 23:16:08 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Tue Jul 24 23:16:08 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Tue Jul 24 23:16:08 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Tue Jul 24 23:16:08 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]
Tue Jul 24 23:16:08 2018 setsockopt(IPV6_V6ONLY=0)
Tue Jul 24 23:16:08 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Tue Jul 24 23:16:08 2018 Exiting due to fatal error
Tue Jul 24 23:16:08 2018 Closing TUN/TAP interface
Tue Jul 24 23:16:08 2018 /sbin/ifconfig tun1 destroy
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
That's why I told you to read the step-by-step tutorial, because you offer only incomplete pieces of information. The guide is made in colors and in a simple, logical way to follow.

Of course, if the VPN inside server port is 1194 and the Outside Access port is 443, you forward 443 to 1194 and configure the client to connect to 443 from outside.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I'm sorry, I don't have time anymore for this. Please PM me with TW credentials if/when you have time. This kind of communication does not help anyone.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
So apparently I've totally borked the permissions of my OpenVPN jail. Long story how, but basically at some point I chmod 777'd the whole thing. It didn't impact the function until I rebooted the server, which was rare; it was up over 80 days without issue. But after rebooting the whole server, the OpenVPN jail, as well as all my other jails, won't run and are totally borked.

So I need to create a new jail.

What I want to know is whether it's possible to keep all of the existing configuration and certificate files and port them over from the old jail into the new jail, and whether that will work.

I'm trying to avoid having to re-create new certificates and configs for the clients.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I really can't answer that question, but you should try to copy all those config and cert files to the new jail and tell us if it works.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
BTW, you should also enable auto snapshots of jails, so you can revert everything in seconds.
 