TrueNAS and OpenVPN client configuration

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
Pitfrr submitted a new resource:

TrueNAS and OpenVPN client configuration - How to configure the OpenVPN client in TrueNAS 12.0

Here is a short tutorial to configure the OpenVPN client on TrueNAS 12.0.

Prerequisite: an OpenVPN server running with a similar configuration:
Code:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA512
tls-client
client
resolv-retry infinite
remote vpn.domain.org 1194 udp
lport 0
verify-x509-name "vpn.domain.org" name
auth-user-pass
remote-cert-tls server
comp-lzo adaptive

<ca>
-----BEGIN CERTIFICATE-----...

 

profwalken

Patron
Joined
Nov 19, 2013
Messages
410
Hi,

I've updated my FN 11.3 to TN 12 and would like to enable the OpenVPN server to give remote access to users with the OpenVPN Connect software on a Windows 10 PC.

I have no knowledge of VPN settings or the steps to follow. Is your tutorial usable in the same way to set up the OpenVPN server side?
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
Well, I don't think so because the server configuration is different to the client configuration.
I'm not using the OpenVPN server in TrueNAS since I already have a separate OpenVPN server running.

I checked it out though...
I'd say (at least for me) the most complicated would be to get the certificates sorted out, the root certificate and the client certificate but for that I'd check out the link given in the tool tip in the GUI. Maybe those can be generated in the System>CA or System>Certificates??
Then the next part would be the remote address. There, if you have a fixed (public) IP, then it's easy. If you don't have a fixed IP then you'll need to couple that with a dynDNS service. That I don't know how it works.
Maybe you can find some resources in the OpenVPN forum (or some tutorial on setting an OpenVPN server)?
The rest of the parameters are more related to the encryption (authentication algorithm, cipher) and more global settings (compression, protocol and device).

Again, I would try to find an openVPN server tutorial and use it as basis.
 

profwalken

Patron
Joined
Nov 19, 2013
Messages
410
Thanks for the quick reply. ;-)
I'm not sure I understand all of it; I already spent an afternoon searching everywhere for what could be a solution to set up OpenVPN.
Yes, I have fixed public IPs and fibre internet links.
I'll see tomorrow whether I'm lucky enough to test this.
Thanks for the help.
 

Astrodonkey

Explorer
Joined
Jul 18, 2017
Messages
72
My VPN provider provides only the CRL, certificate, and user password/login. How can I configure the OpenVPN client service in TrueNAS 12.0 without a private key? It isn't possible to add the cert in step 2 without one.
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
Sorry but I don't know how you can add it without the private key... :-(
 

dnilgreb

Contributor
Joined
Mar 29, 2016
Messages
168
Awesome guide! Got it running on my first try! Thank you thank you thank you thank you thank you!
 

greysave

Cadet
Joined
Aug 26, 2020
Messages
9
Have you gotten this to work with a third party VPN provider? I have tried at least 6 or 7 providers and no luck. Here is an example of my configuration. Each time I get an error stating
Code:
Client certificate must have "TLS Web Client Authentication" set in ExtendedKeyUsage extension.


Here are some screenshots of the steps that I have completed.
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
Sorry haven't used it with any third party VPN provider. I tried it only with OpenVPN and the server I have running. I don't have any third party VPN...
 

smcclos

Dabbler
Joined
Jan 22, 2021
Messages
43
Astrodonkey said:
My VPN provider provides only the CRL, certificate, and user password/login. How can I configure the OpenVPN client service in TrueNAS 12.0 without a private key? It isn't possible to add the cert in step 2 without one.

I have fixed that problem, you need to add a dummy key. The VPN provider doesn't care about it, it will be just used for the encryption tunnel.
 

smcclos

Dabbler
Joined
Jan 22, 2021
Messages
43
I have a different issue. Here is what I see in my /var/log/messages, when I attempt to start the OpenVPN client service


Code:
Feb  3 20:03:59 truenas 1 2021-02-03T20:03:59.736193-05:00 truenas.local root 12685 - - /usr/local/etc/rc.d/openvpn_client: WARNING: /usr/local/etc/openvpn/client/openvpn_client.conf is not readable.
Feb  3 20:03:59 truenas 1 2021-02-03T20:03:59.738272-05:00 truenas.local root 12686 - - /usr/local/etc/rc.d/openvpn_client: WARNING: failed precmd routine for openvpn_client
 

smcclos

Dabbler
Joined
Jan 22, 2021
Messages
43
greysave said:
Have you gotten this to work with a third party VPN provider? I have tried at least 6 or 7 providers and no luck. Here is an example of my configuration. Each time I get an error stating
Code:
Client certificate must have "TLS Web Client Authentication" set in ExtendedKeyUsage extension.


Here are some screenshots of the steps that I have completed.

I got around this problem. You need to create a certificate. It looks like you cannot create it in TrueNAS. I created a new Internal CA on pfSense, and then using that Internal CA, created a new certificate.

Then I exported the CA and Certificate from pfSense, and then imported it into TrueNAS. It's a little cumbersome, but it works.
 

ymestechwey

Cadet
Joined
Feb 24, 2021
Messages
1
smcclos said:
I have a different issue. Here is what I see in my /var/log/messages, when I attempt to start the OpenVPN client service


Code:
Feb  3 20:03:59 truenas 1 2021-02-03T20:03:59.736193-05:00 truenas.local root 12685 - - /usr/local/etc/rc.d/openvpn_client: WARNING: /usr/local/etc/openvpn/client/openvpn_client.conf is not readable.
Feb  3 20:03:59 truenas 1 2021-02-03T20:03:59.738272-05:00 truenas.local root 12686 - - /usr/local/etc/rc.d/openvpn_client: WARNING: failed precmd routine for openvpn_client

How did you fix this?
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
The username and password are plain text.

I'm no expert on the openvpn config and I couldn't find any indication that you can enter these parameters directly in the "additional parameters" field... all the resources I read used an entry auth-user-pass with a path to a file.
And in the text file, there aren't any identifiers, just the first line with the username and the second with the password. So you can't use it directly like that in the "additional parameters" (if that's even possible).
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
smcclos said:
You need to create a certificate. It looks like you cannot create it in TrueNAS.

TrueNAS contains a complete CA if needed just as pfSense or OPNSense do.
 

AleXileD

Cadet
Joined
Apr 4, 2021
Messages
2
Pitfrr said:
The username and password are plain text.

I'm no expert on the openvpn config and I couldn't find any indication that you can enter these parameters directly in the "additional parameters" field... all the resources I read used an entry auth-user-pass with a path to a file.
And in the text file, there aren't any identifiers, just the first line with the username and the second with the password. So you can't use it directly like that in the "additional parameters" (if that's even possible).

Thanks! This worked.
This file with username and password is removed by TrueNAS on reboot though. Does anyone know how to prevent this?
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
Where did you put the file?

I put mine in /root and it doesn't get deleted at reboot.
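
An added example, not part of any post in this thread: a shell check for the auth-user-pass file described above (username on line 1, password on line 2, plain text, no identifiers). The function names are hypothetical, and the path in the usage comment is an assumption based on the /root location mentioned above.

```shell
#!/bin/sh
# Added example: create and validate an OpenVPN auth-user-pass file.
# Function names are hypothetical; nothing here comes from TrueNAS itself.

# write_auth_file PATH USER PASS -> file is owner-only from the moment it exists
write_auth_file() {
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" ) && chmod 600 "$1"
}

# check_auth_file PATH -> prints each finding, returns 0 only if the file is clean
check_auth_file() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }

    # Format: exactly two non-empty lines (awk also counts an unterminated last line).
    n=$(awk 'NF { c++ } END { print c + 0 }' "$f")
    [ "$n" -eq 2 ] || { echo "expected 2 non-empty lines, found $n"; rc=1; }

    # The file carries bare values; "username=..." style identifiers are not part of it.
    if grep -Eqi '^(user(name)?|pass(word)?)[[:space:]]*[=:]' "$f"; then
        echo "file contains key=value style identifiers"
        rc=1
    fi

    # Plain-text secret: every group and other permission bit must be clear.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "group/other access set: $perms"; rc=1; }

    return "$rc"
}

# Usage (path is an assumption):
#   write_auth_file /root/vpn-auth.txt "myuser" "mypassword"
#   check_auth_file /root/vpn-auth.txt
```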
 

nereus

Cadet
Joined
May 7, 2021
Messages
3
@greysave did you solve your problem? I have the same issue.

My setup is:
  • OpenVPN server running from unraid NAS (openvpn-as docker)
  • CA and Cert extracted from ovpn file and imported to TrueNAS
  • TrueNAS client says exactly as yours:
    • Client certificate must have "TLS Web Client Authentication" set in ExtendedKeyUsage extension.
    • Root CA must have CRL Sign set for KeyUsage extension.
No idea how to solve this. It would be best if we could just import ovpn file and let TrueNAS setup itself as other OpenVPN clients.

FYI I also shared my struggle here: https://www.truenas.com/community/t...-for-openvpn-on-truenas-12.92768/#post-644230
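
An added example, not part of the original posts: a shell check for the two certificate properties named in the error messages above, using the openssl CLI. The function names are hypothetical, make_sample only builds constructed self-signed test certificates, and the check reads openssl's text labels rather than reproducing TrueNAS's own validation code.

```shell
#!/bin/sh
# Added example: test certificates for the two properties named in the
# TrueNAS errors. Needs the openssl CLI (1.1.1 or later for -addext).

# ext_value FILE TITLE -> value line printed under "X509v3 TITLE:" in the text dump
ext_value() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk -v t="X509v3 $2:" '
        found { sub(/^[ \t]+/, ""); print; exit }
        index($0, t) { found = 1 }'
}

# Client certificate: ExtendedKeyUsage must list clientAuth.
has_client_auth() {
    ext_value "$1" "Extended Key Usage" | grep -q "TLS Web Client Authentication"
}

# Root CA: KeyUsage must list cRLSign.
has_crl_sign() {
    ext_value "$1" "Key Usage" | grep -q "CRL Sign"
}

# check_pair CA.pem CLIENT.pem -> prints each finding, returns the number of findings
check_pair() {
    findings=0
    has_crl_sign "$1" || {
        echo "$1: KeyUsage lacks CRL Sign"
        findings=$((findings + 1))
    }
    has_client_auth "$2" || {
        echo "$2: ExtendedKeyUsage lacks TLS Web Client Authentication"
        findings=$((findings + 1))
    }
    return "$findings"
}

# make_sample OUT.pem EXTENSION -> constructed self-signed test certificate
# (hypothetical helper for trying the checks; the throwaway key is deleted).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=constructed-sample" -days 1 -addext "$2" 2>/dev/null &&
        rm -f "$1.key"
}
```

To check material from an .ovpn file, save the contents of its `<ca>` and `<cert>` blocks to separate PEM files first and pass those to check_pair.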
 

nereus

Cadet
Joined
May 7, 2021
Messages
3
smcclos said:
I got around this problem. You need to create a certificate. It looks like you cannot create it in TrueNAS. I created a new Internal CA on pfSense, and then using that Internal CA, created a new certificate.

Then I exported the CA and Certificate from pfSense, and then imported it into TrueNAS. It's a little cumbersome, but it works.

Can you elaborate on this, please?

I have ovpn file and inside that is a CA, cert and a key. What to do with them? How?
 