Truenas 12 OpenVPN service testing

jurijp

Cadet
Joined
Dec 13, 2020
Messages
1
Hi,
I need a little help. When I try to get the client config, I get the error "[EFAULT] Please ensure provided client certificate exists in Root CA chain and has necessary extensions set."
Everything was done using the templates. Does anyone have an idea how to fix it?
 

trif

Cadet
Joined
Dec 16, 2020
Messages
6
Hi all,
I have the same issue, "[EFAULT] Please ensure provided client certificate exists in Root CA chain and has necessary extensions set.", if I try to download my user certificate.
I'm running on TrueNAS-12.0-U1.

Of course my user and server certificates were created with the same CA.
 

nissnn

Cadet
Joined
Mar 14, 2019
Messages
7
Hi,
I'm experiencing the same problem, even after creating new CAs and certificates.

The detailed info is:
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 137, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self,
  File "/usr/local/lib/python3.8/site-packages/middlewared/main.py", line 1195, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.8/site-packages/middlewared/schema.py", line 973, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/middlewared/plugins/vpn.py", line 391, in client_configuration_generation
    raise CallError(
middlewared.service_exception.CallError: [EFAULT] Please ensure provided client certificate exists in Root CA chain and has necessary extensions set.


I'm also on TrueNAS-12.0-U1.
 

wavesswe

Dabbler
Joined
Dec 2, 2020
Messages
21
I have the same problem. It worked before the upgrade to U1, but I didn't get the VPN to work: TLS handshake error.
 

Sezguin

Cadet
Joined
Dec 16, 2020
Messages
1
Hi all,

Is there any way to get around adding static routes (as mentioned on the previous page) if your router does not support static routing?

Might be a silly question - this seems to be the last thing I'm stuck on in order to access my LAN remotely.
 

trif

Cadet
Joined
Dec 16, 2020
Messages
6
I'm experiencing the same problem. Even after creating new CAs and Certificates.

.....

I'm also on TrueNAS-12.0-U1.

Is it possible to create an issue?
 

ChrisChros

Patron
Joined
Nov 24, 2018
Messages
218
I got it to work by filling in the "Common name" field.
Unfortunately this field is not marked as mandatory; that should be fixed in one of the next updates.
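The error message names two conditions (the client certificate must chain to the CA and must carry the right extensions), and the post above adds a third that the GUI does not enforce, a non-empty Common Name. The script below is an added example, not code from the thread or from TrueNAS, that checks all three against an exported client certificate using only the openssl CLI. Which extension the middleware actually tests is an assumption here: the check looks for the clientAuth extended key usage that an OpenVPN client certificate needs. The CA and the two client certificates it builds are constructed throwaway material for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or the TrueNAS project): check an OpenVPN
# client certificate against the conditions behind the error
# "[EFAULT] Please ensure provided client certificate exists in Root CA chain
# and has necessary extensions set." using only the openssl CLI.
# Assumption: the required extension is extendedKeyUsage = clientAuth.

# check_client_cert CA_PEM CLIENT_PEM -> 0 when every check passes
check_client_cert() {
    ca="$1"; cert="$2"; rc=0

    # 1. chain: the client cert must verify against the CA used for the server
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ok   chain: $cert verifies against $ca"
    else
        echo "FAIL chain: $cert does not verify against $ca"; rc=1
    fi

    # 2. extensions: an OpenVPN client needs the clientAuth extended key usage
    if openssl x509 -in "$cert" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'; then
        echo "ok   ext:   extendedKeyUsage includes clientAuth"
    else
        echo "FAIL ext:   extendedKeyUsage clientAuth missing"; rc=1
    fi

    # 3. identity: a non-empty subject CN (the GUI does not mark it mandatory)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$cn" ]; then
        echo "ok   cn:    subject CN is '$cn'"
    else
        echo "FAIL cn:    subject has no Common Name"; rc=1
    fi
    return $rc
}

# make_demo_certs DIR: constructed throwaway CA plus one good and one bad
# client certificate, so the checker can be exercised offline.
make_demo_certs() {
    d="$1"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$d/client.ext"

    # self-signed CA, made a CA explicitly through the extension file
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=OpenVPN Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/ca.csr" -signkey "$d/ca.key" \
        -extfile "$d/ca.ext" -out "$d/ca.pem" >/dev/null 2>&1

    # good: CN set, signed by the CA, clientAuth EKU
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$d/good.key" -out "$d/good.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/good.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/client.ext" -out "$d/good.pem" >/dev/null 2>&1

    # bad: signed by the CA, but no Common Name (only O) and no EKU at all
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Home Lab" \
        -keyout "$d/bad.key" -out "$d/bad.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/bad.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/bad.pem" >/dev/null 2>&1
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_certs "$tmp"
    echo "== good client certificate"; check_client_cert "$tmp/ca.pem" "$tmp/good.pem"
    echo "== bad client certificate";  check_client_cert "$tmp/ca.pem" "$tmp/bad.pem"
    rm -rf "$tmp"
fi
```

Against a real TrueNAS export, call `check_client_cert ca.crt client.crt` with the CA and client certificate PEM files downloaded from System > CAs and System > Certificates; a FAIL on the chain line means the certificate was issued by a different CA than the one you think, a FAIL on the cn line is the case the post above describes.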
 

thierry333

Cadet
Joined
Dec 12, 2020
Messages
8
You have to enable gateway_enable.

Regarding the interface you have to choose, I don't know; I am not familiar with your router.

Thanks for the help. It is not perfect, but it works. :smile:
For info, I chose IP_BR_LAN.

I thought that if I was connected by VPN, it would be faster to copy a file from my NAS to my NAS, but it is really slow (around 2 MB/s). Probably the data transits through the computer connected by VPN. I don't understand.
 

avi

Cadet
Joined
Oct 20, 2016
Messages
5
Hi all,
After filling out the "common name", I was able to download the client config. However, I don't manage to connect to the server using OpenVPN Connect (the logs are attached).

I'm using TrueNAS-12.0-U1. The local NAS IP is 192.168.178.23, and the OpenVPN server is set to 10.5.0.0. Port forwarding is set to 192.168.178.23:1194. DDNS using No-IP.com seems to work fine, too. Server and user use the same CA.

Thanks for your help!
 

Attachments: OpenVPN.txt (3 KB)

cyan

Cadet
Joined
Apr 23, 2014
Messages
4
Mine appears to connect, but after about 10s it says:
Session invalidated: KEEPALIVE_TIMEOUT
and reconnects. It just cycles like this endlessly.
 

avi

Cadet
Joined
Oct 20, 2016
Messages
5
Mine appears to connect, but after about 10s it says:
Session invalidated: KEEPALIVE_TIMEOUT
and reconnects. It just cycles like this endlessly.
Strangely, I can now also connect but also only for 10s before the vicious cycle starts.
 
Joined
Aug 22, 2019
Messages
6
For those that have an Arris Router, I was able to get this to work by adding the Push Route... and Push DHCP... options to the Advanced Parameters of the OpenVPN server properties (as suggested above by tumpanaios and ChrisChros), and then in the Advanced Settings on the Arris Router in the LAN & DHCP section in the Cascaded Router section, I turned this on and entered the IP address of the TrueNAS server in the Cascaded Router Address and the IP address of the VPN server as the Network Address.
 

invar

Dabbler
Joined
Jan 23, 2021
Messages
36
Hmm, is there a way to delete/edit my post above? I made some changes/fixes to my post and want to update it as follows:


Sharing my personal experience with everyone:
Based on input from this thread and others, I think everything is working the way I want, where ALL traffic goes through the VPN. I've tried signing into my VPN via my mobile wireless (LTE) connection from my Samsung Galaxy S10+ using Android OpenVPN and it appears to be working. I had to do the following to get it to work:

1) Set up the OpenVPN CA using the OpenVPN CA template.

2) Set up the OpenVPN Server Certificate using the OpenVPN Server template.

3) Set up the OpenVPN Client Certificate using the OpenVPN Client template.
(There is a video walkthrough guide for steps 1-3 above on YouTube.)

4) Forward the appropriate port from your router to your TrueNAS server IP. 1194 is the default port, so I just stuck with that. My TrueNAS server's IP on my LAN is 192.168.0.2 (yes, I know, I should change it to something else that is unlikely to be used in the outside world... I will in due time).

Once I confirmed the above was working and I could connect from my phone to my VPN, I disconnected and got to the real work, namely routing everything through the VPN, which is where I think most people get the hangup.

1) From TrueNAS WebGUI, go to System->Tunables and add the following 3 tunables:
Code:
Variable: firewall_enable
Value: yes
Type: rc.conf
Description: enable firewall

Code:
Variable: gateway_enable
Value: yes
Type: rc.conf
Description: enable gateway

Code:
Variable: firewall_script
Value: /mnt/NAME_OF_POOL/ipfwrules.sh
Type: rc.conf
Description: ipfw script to execute at boot time. I put it in the pool to ensure that it carries should I have to reinstall and restore from a config.


2) Open a console/shell. Personally, I SSH in with PuTTY as root. But the WebGUI Shell will suffice.

3) Input the following line by line into the shell. Change 10.8.8.0/24 to whatever you configured OpenSSH to use for VPN devices, and NAME_OF_POOL to the correct location of the ipfwrules.sh that you decided on above in the Tunables.

Code:
cd /mnt/NAME_OF_POOL
echo ipfw -q -f flush > ipfwrules.sh
echo ipfw -q nat 1 config if re0  >> ipfwrules.sh
echo ipfw -q add nat 1 all from 10.8.8.0/24 to any out via re0  >> ipfwrules.sh
echo ipfw -q add nat 1 all from any to any in via re0  >> ipfwrules.sh
chmod 755 ipfwrules.sh


4) Under the OpenVPN server settings, put the following in additional parameters:

Code:
push "redirect-gateway def1"
push "remote-gateway vpn_server_ip"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn


The last line for "duplicate-cn" is only if you want to have the same user client/certificate be used simultaneously by multiple devices. (i.e. I use the same client configuration for my laptop and my smartphone, so this option must be included. Otherwise, OpenVPN will assign the same IP address to both devices and cause a conflict and cease working correctly.)

5) Save and download the new Client Configuration, choosing the correct Certificate.

6) Restart the TrueNAS server.

7) EDIT the client configuration file with a text editor and change the line that starts with "remote" to reflect the correct address, whether it is a static IP address or the dynamic DNS you have set up. I use dynamic DNS, so mine looks like this:
Code:
remote "mydomain.privatedns.org"


8) Test connect. Hopefully it works for you!

Note how I did NOT make any configuration changes to my router other than the port forwarding. I do NOT have any static routes setup anywhere, and I believe this should work fine as the TrueNAS server is performing NAT for anything originating to and going back to a VPN device.

Good luck!
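Step 7 of the procedure above is the one most easily forgotten when the config is regenerated, and a config that still carries the NAS's LAN address will connect from nowhere but the LAN. The script below is an added example, not code from the thread or from TrueNAS: it rewrites the "remote" line to the public hostname and port, then sanity-checks the client configuration for the directives a client needs and for a "remote" that still points at a private address. It assumes a single-file config with inline <ca>/<cert>/<key> blocks (the shape the GUI download produces); the config it builds for the demo is a constructed stand-in, and the hostname mydomain.privatedns.org is the one used in the post above.

```shell
#!/bin/sh
# Added example, not from the thread or from TrueNAS: does step 7 (point the
# client config's "remote" at the real public address) with a script, and
# sanity-checks the downloaded client configuration before it is copied to a
# phone or laptop. Assumes a single-file config with inline <ca>/<cert>/<key>.

# set_remote FILE HOST PORT: rewrite every "remote ..." line to "remote HOST PORT"
# and leave every other line untouched.
set_remote() {
    awk -v host="$2" -v port="$3" '
        $1 == "remote" { print "remote " host " " port; next }
        { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# check_client_config FILE: 0 when the directives a client needs are present and
# "remote" no longer points at a private LAN address (the NAS's own LAN IP is
# unreachable from a mobile network, which is why the line has to be edited).
check_client_config() {
    f="$1"; rc=0
    for d in client dev proto remote; do
        grep -qE "^$d([[:space:]]|$)" "$f" || { echo "FAIL missing directive: $d"; rc=1; }
    done
    for blk in ca cert key; do
        grep -q "^<$blk>" "$f" || { echo "FAIL missing inline <$blk> block"; rc=1; }
    done
    # remote-cert-tls server makes the client refuse a peer that presents a
    # client certificate as the server; warn only, since older configs lack it
    grep -q '^remote-cert-tls server' "$f" || echo "WARN no 'remote-cert-tls server' line"
    # first remote host, with the quotes some hand-edited configs carry removed
    host=$(awk '$1 == "remote" { print $2; exit }' "$f" | tr -d '"')
    case "$host" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "FAIL remote $host is a private LAN address"; rc=1 ;;
        "") ;;   # already reported as a missing directive
        *)  echo "ok   remote $host" ;;
    esac
    return $rc
}

# make_demo_config FILE: constructed stand-in for a freshly downloaded client
# config whose "remote" still carries the NAS's LAN address.
make_demo_config() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote 192.168.0.2 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
<ca>
(constructed placeholder, not a real certificate)
</ca>
<cert>
(constructed placeholder, not a real certificate)
</cert>
<key>
(constructed placeholder, not a real key)
</key>
EOF
}

# Stand-alone demo: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_config "$tmp/client.ovpn"
    echo "== as downloaded"; check_client_config "$tmp/client.ovpn" || true
    set_remote "$tmp/client.ovpn" mydomain.privatedns.org 1194
    echo "== after set_remote"; check_client_config "$tmp/client.ovpn"
    rm -rf "$tmp"
fi
```

On a real export, run `set_remote client.ovpn <your DDNS name> 1194` followed by `check_client_config client.ovpn`; a FAIL on the remote line after the rewrite means the hostname was typed wrong, and the WARN is worth acting on if the server certificate was made with the OpenVPN Server template, since that is what `remote-cert-tls server` checks for on the client side.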
 

FMAranda

Cadet
Joined
Feb 27, 2021
Messages
2
Hmm, is there a way to delete/edit my post above? Made some changes/fixes to my post and want to update as follows:

.....

Good luck!

Thank you! This solution works perfectly :)
 

IronSheepdog

Dabbler
Joined
May 27, 2020
Messages
25
Hmm, is there a way to delete/edit my post above? Made some changes/fixes to my post and want to update as follows:

.....

Good luck!

I followed these instructions to a T and I still cannot access anything on my network, let alone the internet. I'm at my wit's end with this. All I want is a split-tunnel VPN to my home network from my cell phone so I can leave the VPN running all of the time.
EDIT: What's odd is that I'm noticing that after connection, I can send data to TrueNAS via OpenVPN but I am not receiving any data at all back from the server. Plus, I am constantly getting Keep Alive timeout disconnects.
 

IronSheepdog

Dabbler
Joined
May 27, 2020
Messages
25
Is your mobile provider T-Mobile by any chance?
No, AT&T. But it's the same when connecting from my work through a Windows 10 computer.
 