Best practices for routing through a VPN

Joined
Dec 30, 2022
Messages
2
I've been using TrueNAS Scale 22.02.4 for a little bit and so far it's been great. However, it's time I get a VPN connection set up so that my traffic will go through that instead. I've purchased a VPN connection and have a working .ovpn config file that I can use. My question is: what are the best practices for putting TrueNAS and/or Docker container traffic through a VPN, while still retaining local access to services like Homer?

From what I've gathered so far, there are a few options:
  1. Set up an OpenVPN connection through the OpenVPN Client service found under System Settings > Services > OpenVPN Client
  2. Set up a script to connect the machine to OpenVPN using the provided config file and launch it through System Settings > Advanced > Init/Shutdown Scripts
  3. Configure the VPN manually for each docker container, either through:
    1. A built-in OpenVPN instance within the container
    2. The TrueCharts VPN connection solution
  4. Have a docker container that connects to the VPN, then have the other containers use the network stack of that VPN container

OpenVPN Client Service

This was my first thought for setting things up. I imported the Certificate and Certificate Authority under Credentials > Certificates, and then configured the service, but received errors saying that the "client certificate chain could not be verified with specified root CA" and that the CA from the configuration file "must have CRL Sign set for KeyUsage extension."

After doing some digging, I gathered that the CA provided to me would need to be regenerated to include this KeyUsage extension, seeing as how I'm just importing them and not generating them myself. Since this is out of my control, I presume I won't be able to fix this unless someone knows otherwise. The first error I'm still not sure about, but I haven't found much documentation surrounding this to begin with, and my knowledge of OpenVPN is rather limited.

OpenVPN Startup Script

My next approach was to simply run a command on the booting of the server, and have it connect to OpenVPN using the config that was provided. I ran the following command during the PostInit phase of the boot sequence:
Code:
nohup openvpn --config <path to config>

This worked, in that it connected to the VPN; however, the docker containers were no longer reachable from my LAN, although curiously the TrueNAS GUI was still available. I've been scratching my head on this one, and have not found a solution that allows access to those containers from the LAN while maintaining the VPN connection. The closest I've found is that I need to allow access to my LAN subnet from the VPN connection, but I am unsure how to do so.

Built-in OpenVPN Instances

This approach relies on an OpenVPN service running within the container alongside the program you initially wanted to run. It seems simple, though it relies on maintaining another docker image. Additionally, it requires manual configuration for each service I'd want to run through the VPN, and would take up several connection slots. I'm not a fan of this idea, but it is certainly an option if all else fails.

TrueCharts VPN configuration

Probably the simplest way is to install the desired app through a TrueCharts helm chart and configure the container to use a VPN that way. While this is certainly easy, it will require reconfiguration of all my services, which I'd like to avoid, and it will also require separate connections for each service, which I'm not a fan of.

Docker OpenVPN Instance shared with other containers

This solution intrigues me as a very flexible one, and it is supported by docker with the '--network container:id' run option. However, it seems that TrueNAS doesn't really support this sort of configuration. If there is a way to do this, though, I think it would be a good way to go about it.

My question is: out of these options, which is the best solution, or is there another that I've not yet found? Additionally, if the best solution is one that I've had errors with, is it possible to get some insight into what I could do to fix things?

Thank you for your time!
 
Joined
Dec 30, 2022
Messages
2
Bit of an update for those who are interested. After further consideration, I decided to go with the TrueCharts option. I replaced the apps that I wanted to tunnel through the VPN with TrueCharts versions of the apps and configured the VPN that way. The downside to this, of course, is that each app takes up a connection if you have limited connections to your VPN.

I'd also like to point out that, in my experience, the OpenVPN Client service does not seem to work well with imported certificates and authorities. This of course could just be something strange with my setup, or user error, so I can't really say anything definitive. Although, it seems like I'm not alone. Additionally, I would like to point some attention to another thread here:
Seeing as how openvpn can take a config file as an option and just run strictly using that, I'm not sure why we have to put the configuration in manually, when we could just tell it where the config is and let it pass that on. TrueCharts even does this in the OpenVPN section of their charts. TrueCharts also handles the automatic routing of traffic between the LAN (in this case, the Kubernetes subnet) and the VPN subnet, meaning that no additional configuration needs to be done to access any services on the machine (in this case, the container). So it would be nice to see a feature that could assist users with this in the future.

Thank you to everyone who works on TrueNAS, whether big or small contributions. I really have enjoyed using it so far and appreciate the work that has been done.
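The routing change behind the startup-script result in the first post (the tunnel taking over the default route while the on-link LAN stays directly reachable) and the LAN-to-VPN routing that TrueCharts handles in the second post can both be checked offline by replaying the kernel's route selection. This is an added example, not code from the thread or from TrueNAS/TrueCharts; the interface names, subnets and the `ip route` listing are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed `ip route show` output after an OpenVPN client connects.
# Interface names and subnets are assumptions, not values from the thread.
# The two /1 routes are what `redirect-gateway def1` installs: they beat
# the original default route on prefix length without replacing it.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eno1 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
172.16.0.0/16 dev kube-bridge proto kernel scope link src 172.16.0.1
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.20
203.0.113.5 via 192.168.1.1 dev eno1
"""

Route = Tuple[ipaddress.IPv4Network, str]


def parse_routes(text: str) -> List[Route]:
    """Turn `ip route` lines into (destination network, egress device) pairs."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        routes.append((ipaddress.ip_network(prefix, strict=False),
                       fields[fields.index("dev") + 1]))
    return routes


def egress_device(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, as the kernel does (metrics ignored for brevity)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else "unreachable"


def tunnel_captures_default(routes: List[Route]) -> bool:
    """True when the def1 pair (0.0.0.0/1 and 128.0.0.0/1 via a tun device) is present."""
    halves = {str(n) for n, dev in routes if dev.startswith("tun") and n.prefixlen == 1}
    return halves == {"0.0.0.0/1", "128.0.0.0/1"}


def lan_still_direct(routes: List[Route], client_cidr: str) -> bool:
    """Would replies to a client on this subnet still leave via a non-tunnel device?"""
    host = next(ipaddress.ip_network(client_cidr).hosts())
    return not egress_device(routes, str(host)).startswith("tun")


if __name__ == "__main__":  # demo: a client on another VLAN is now answered via tun0
    print(lan_still_direct(parse_routes(SAMPLE_ROUTES), "10.0.5.0/24"))
```

Run it against the real `ip route show` output on the host: a client subnet for which `lan_still_direct` returns False is one whose replies are being pulled into the tunnel, which is the symptom to look for when a service stops answering after the VPN comes up.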