Hi guys!
First I want to thank you for this very well explained tutorial with all required steps! Well done Bibi!
I am nearly done with all my different configurations, different ports, addresses etc.
I tried to complete your configuration by creating new iocage jails for the third time now...
The OpenVPN service is running as mentioned in the OP, but I cannot connect to my tunnel using configurations with OpenVPN for Android.
Here is my Machine/Jail Configuration:
Code:
OS on my physical Server is a Debian 9.5
I am using FreeNAS with VirtualBox (Bridged Network)
private network behind hardware firewall: 192.168.0.0/24
router which goes outside with network 192.168.1.0/24
OpenVPN 2.4.6 on FreeNAS 11.2 RC1 with 11.2 RELEASE-P4 iocage jail.
I am using DHCP (because when not using DHCP, ipfw doesn't work) with IP address 192.168.0.30
Here's my openvpn.conf:
Code:
local 192.168.0.30
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Here is my AndiM202.conf:
Code:
client
dev tun
proto udp
remote murkcloud.ddns.net 443
;remote my-server-2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert AndiM202.crt
key AndiM202.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.0.1
#redirect-gateway def1
When starting the OpenVPN server with the command openvpn --config openvpn.conf, there is the following output:
Code:
Sun Jan 6 05:52:30 2019 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 20 2018
Sun Jan 6 05:52:30 2019 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Sun Jan 6 05:52:30 2019 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Jan 6 05:52:30 2019 Diffie-Hellman initialized with 2048 bit key
Sun Jan 6 05:52:30 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 6 05:52:30 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 6 05:52:30 2019 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:36:38:32
Sun Jan 6 05:52:30 2019 TUN/TAP device /dev/tun0 opened
Sun Jan 6 05:52:30 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 6 05:52:30 2019 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sun Jan 6 05:52:30 2019 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sun Jan 6 05:52:30 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jan 6 05:52:30 2019 Socket Buffers: R=[42080->42080] S=[9216->9216]
Sun Jan 6 05:52:30 2019 UDPv4 link local (bound): [AF_INET]192.168.0.30:1194
Sun Jan 6 05:52:30 2019 UDPv4 link remote: [AF_UNSPEC]
Sun Jan 6 05:52:30 2019 GID set to nobody
Sun Jan 6 05:52:30 2019 UID set to nobody
Sun Jan 6 05:52:30 2019 MULTI: multi_init called, r=256 v=256
Sun Jan 6 05:52:30 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Jan 6 05:52:30 2019 IFCONFIG POOL LIST
Sun Jan 6 05:52:30 2019 Initialization Sequence Completed
Is there a problem because I'm using a bridged network in VirtualBox? If yes, should I change the normally specified server address 10.8.0.0 to a bridged network? I am not aware of these other configurations because I am relatively new to this topic with FreeNAS and jails...
I am using external port 443 and forwarded it from 443 UDP to 1194 UDP (canyouseeme.org says that the port is opened correctly).
Here's my ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:60:36:38:32
hwaddr 02:6f:d0:00:05:0b
inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255
nd6 options=1<PERFORMNUD>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
nd6 options=1<PERFORMNUD>
groups: tun
Opened by PID 5053
ipfw.rules:
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
When connecting to the VPN with my smartphone, it always says:
Code:
2019-01-06 15:02:51 official build 0.7.5 running on Xiaomi POCOPHONE F1 (sdm845), Android 9 (PKQ1.180729.001) API 28, ABI arm64-v8a, (Xiaomi/beryllium/beryllium:9/PKQ1.180729.001/V10.1.3.0.PEJMIFI:user/release-keys)
2019-01-06 15:02:51 New OpenVPN Status (USER_VPN_PERMISSION->LEVEL_WAITING_FOR_USER_INPUT):
2019-01-06 15:02:52 Building configuration…
2019-01-06 15:02:52 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2019-01-06 15:02:52 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2019-01-06 15:02:52 started Socket Thread
2019-01-06 15:02:52 Network Status: CONNECTED LTE to MOBILE webaut
2019-01-06 15:02:52 Debug state info: CONNECTED LTE to MOBILE webaut, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-01-06 15:02:52 Debug state info: CONNECTED LTE to MOBILE webaut, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-01-06 15:02:53 Current Parameter Settings:
2019-01-06 15:02:53 config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-01-06 15:02:53 mode = 0
2019-01-06 15:02:53 show_ciphers = DISABLED
2019-01-06 15:02:53 show_digests = DISABLED
2019-01-06 15:02:53 show_engines = DISABLED
2019-01-06 15:02:53 genkey = DISABLED
2019-01-06 15:02:53 key_pass_file = '[UNDEF]'
2019-01-06 15:02:53 show_tls_ciphers = DISABLED
2019-01-06 15:02:53 connect_retry_max = 0
2019-01-06 15:02:53 Connection profiles [0]:
2019-01-06 15:02:53 proto = udp
2019-01-06 15:02:53 local = '[UNDEF]'
2019-01-06 15:02:53 local_port = '1194'
2019-01-06 15:02:53 remote = 'murkcloud.ddns.net'
2019-01-06 15:02:53 remote_port = '443'
2019-01-06 15:02:53 remote_float = DISABLED
2019-01-06 15:02:53 bind_defined = DISABLED
2019-01-06 15:02:53 bind_local = ENABLED
2019-01-06 15:02:53 bind_ipv6_only = DISABLED
2019-01-06 15:02:53 connect_retry_seconds = 2
2019-01-06 15:02:53 connect_timeout = 90
2019-01-06 15:02:53 socks_proxy_server = '[UNDEF]'
2019-01-06 15:02:53 socks_proxy_port = '[UNDEF]'
2019-01-06 15:02:53 tun_mtu = 1500
2019-01-06 15:02:53 tun_mtu_defined = ENABLED
2019-01-06 15:02:53 link_mtu = 1500
2019-01-06 15:02:53 link_mtu_defined = DISABLED
2019-01-06 15:02:53 tun_mtu_extra = 0
2019-01-06 15:02:53 tun_mtu_extra_defined = DISABLED
2019-01-06 15:02:53 mtu_discover_type = -1
2019-01-06 15:02:53 fragment = 0
2019-01-06 15:02:53 mssfix = 1450
2019-01-06 15:02:53 explicit_exit_notification = 0
2019-01-06 15:02:53 Connection profiles END
2019-01-06 15:02:53 remote_random = DISABLED
2019-01-06 15:02:53 ipchange = '[UNDEF]'
2019-01-06 15:02:53 dev = 'tun'
2019-01-06 15:02:53 dev_type = '[UNDEF]'
2019-01-06 15:02:53 dev_node = '[UNDEF]'
2019-01-06 15:02:53 lladdr = '[UNDEF]'
2019-01-06 15:02:53 topology = 1
2019-01-06 15:02:53 ifconfig_local = '[UNDEF]'
2019-01-06 15:02:53 ifconfig_remote_netmask = '[UNDEF]'
2019-01-06 15:02:53 ifconfig_noexec = DISABLED
2019-01-06 15:02:53 ifconfig_nowarn = ENABLED
2019-01-06 15:02:53 Waiting 0s seconds between connection attempt
2019-01-06 15:02:53 ifconfig_ipv6_local = '[UNDEF]'
2019-01-06 15:02:53 ifconfig_ipv6_netbits = 0
2019-01-06 15:02:53 ifconfig_ipv6_remote = '[UNDEF]'
2019-01-06 15:02:53 shaper = 0
2019-01-06 15:02:53 mtu_test = 0
2019-01-06 15:02:53 mlock = DISABLED
2019-01-06 15:02:53 keepalive_ping = 0
2019-01-06 15:02:53 keepalive_timeout = 0
2019-01-06 15:02:53 inactivity_timeout = 0
2019-01-06 15:02:53 ping_send_timeout = 0
2019-01-06 15:02:53 ping_rec_timeout = 0
2019-01-06 15:02:53 ping_rec_timeout_action = 0
2019-01-06 15:02:53 ping_timer_remote = DISABLED
2019-01-06 15:02:53 remap_sigusr1 = 0
2019-01-06 15:02:53 persist_tun = DISABLED
2019-01-06 15:02:53 persist_local_ip = DISABLED
2019-01-06 15:02:53 persist_remote_ip = DISABLED
2019-01-06 15:02:53 persist_key = DISABLED
2019-01-06 15:02:53 passtos = DISABLED
2019-01-06 15:02:53 resolve_retry_seconds = 60
2019-01-06 15:02:53 resolve_in_advance = DISABLED
2019-01-06 15:02:53 username = '[UNDEF]'
2019-01-06 15:02:53 groupname = '[UNDEF]'
2019
And here is the attempt when connecting from my smartphone:
View attachment 27575
I have read that I need to define the local IP in the openvpn.conf to avoid a TLS handshake failure, but with no success...
Maybe someone of you can help me out!
Big thanks!!!
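As an added example that is not part of the original post (and not from the tutorial it follows), the script below cross-checks the server openvpn.conf and the AndiM202.conf posted above for the settings that must agree before a TLS handshake can succeed at all: complementary tls-auth key directions, matching proto, dev and comp-lzo, and remote-cert-tls pointing the right way on each side. It also flags the things the two files cannot settle on their own: the client connects to port 443 while the server listens on 1194, so the router forward must exist and must be UDP; and only the client pins a cipher, which is harmless only if both ends are OpenVPN 2.4+ and negotiate an AES-GCM cipher via NCP. The two configs are embedded as constructed sample input, trimmed to the directives the checks read; everything else (function names, the severity labels) is this example's own.

```python
"""Pairing checks between an OpenVPN 2.4 server config and a client profile.

Added example for this thread, not code from the post or the tutorial.
The configs below are copied from the post and trimmed to the directives
the checks look at (constructed sample input).
"""
import shlex
from typing import Dict, List, Optional, Tuple

SERVER_CONF = """\
local 192.168.0.30
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
comp-lzo
explicit-exit-notify 1
"""

CLIENT_CONF = """\
client
dev tun
proto udp
remote murkcloud.ddns.net 443
;remote my-server-2 1194
nobind
ca ca.crt
cert AndiM202.crt
key AndiM202.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
#redirect-gateway def1
"""

Options = Dict[str, List[List[str]]]


def parse_openvpn_conf(text: str) -> Options:
    """Map each directive to the list of argument lists it appears with.

    Both '#' and ';' start comments in OpenVPN configs; shlex honours the
    double quotes used by e.g. push "route ..." and strips '#' comments.
    """
    opts: Options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts: Options, name: str) -> Optional[List[str]]:
    return opts[name][0] if name in opts else None


def check_pairing(server: Options, client: Options) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severity is ERROR, WARN or NOTE."""
    findings: List[Tuple[str, str]] = []

    # Transport and device type must match exactly or no packet is even parsed.
    for name in ("proto", "dev"):
        s, c = _first(server, name), _first(client, name)
        if (s[0] if s else None) != (c[0] if c else None):
            findings.append(("ERROR", f"{name} differs: server={s} client={c}"))

    # tls-auth: both sides or neither; key directions must be 0/1 (either way round).
    s_ta, c_ta = _first(server, "tls-auth"), _first(client, "tls-auth")
    if bool(s_ta) != bool(c_ta):
        findings.append(("ERROR", "tls-auth on one side only; the other side's control packets are dropped as unauthenticated"))
    elif s_ta and c_ta:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if {s_dir, c_dir} not in ({"0", "1"}, {None}):
            findings.append(("ERROR", f"tls-auth key directions must be complementary (0/1) or both omitted; got {s_dir}/{c_dir}"))

    # remote-cert-tls: server checks for client certs, client checks for server certs.
    s_rct, c_rct = _first(server, "remote-cert-tls"), _first(client, "remote-cert-tls")
    if s_rct and s_rct[0] != "client":
        findings.append(("ERROR", f"server has 'remote-cert-tls {s_rct[0]}', expected 'client'"))
    if c_rct and c_rct[0] != "server":
        findings.append(("ERROR", f"client has 'remote-cert-tls {c_rct[0]}', expected 'server'"))
    if not c_rct:
        findings.append(("WARN", "client lacks 'remote-cert-tls server'; any CA-signed cert could impersonate the server"))

    # Compression framing must be symmetric.
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append(("ERROR", "comp-lzo set on one side only; data packets will fail to decompress"))

    # Data-channel cipher: OpenVPN 2.4 defaults to BF-CBC unless NCP negotiates AES-GCM.
    s_c, c_c = _first(server, "cipher"), _first(client, "cipher")
    s_cipher = s_c[0] if s_c else "BF-CBC (2.4 default)"
    c_cipher = c_c[0] if c_c else "BF-CBC (2.4 default)"
    if s_cipher != c_cipher:
        findings.append(("WARN", f"cipher differs ({s_cipher} vs {c_cipher}); harmless only if both ends are 2.4+ and NCP negotiates an AES-GCM cipher"))

    # Port: a difference is fine only with a matching forward of the same protocol.
    proto = (_first(server, "proto") or ["udp"])[0]
    s_port = (_first(server, "port") or ["1194"])[0]
    for rem in client.get("remote", []):
        c_port = rem[1] if len(rem) > 1 else "1194"
        if c_port != s_port:
            findings.append(("NOTE", f"client targets {rem[0]}:{c_port}, server listens on {s_port}: the router must forward {c_port}->{s_port} as {proto}, not TCP"))

    if _first(server, "local"):
        findings.append(("NOTE", "server binds a single address via 'local'; a DHCP lease change breaks the bind"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_pairing(parse_openvpn_conf(SERVER_CONF), parse_openvpn_conf(CLIENT_CONF)):
        print(f"{sev}: {msg}")
```

For the posted pair the script reports no ERROR, a WARN for the one-sided cipher directive and NOTEs for the 443 to 1194 forward and the fixed local bind. What it cannot verify is whether UDP actually arrives in the jail: a TCP port tester does not prove a UDP forward, so the decisive check is running tcpdump -ni epair0b udp port 1194 inside the jail while the phone connects and watching whether any packets appear.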