Configure IPSEC VPN + FREENAS print server

Status
Not open for further replies.

andyclimb

Contributor
Joined
Aug 17, 2012
Messages
101
I've been experimenting with freenas for over a year now, and it's been a great learning experience. I'm coming from a QNAP 419P+ which is feature rich and performance poor.. I want more space but totally do not want to be paying £2K plus for a few extra drive slots. Currently I'm running an HP N40L with 8GB ECC RAM and on this I have transmission, couch potato, sick beard, them, plex all running in jails. All my data is now on the test system and I'm running it all in parallel before I make the switch. My only issues are that the N40L is a bit slow for media streaming, and it also does not have many bays.... I'm currently thinking about selling the QNAP, freenas and a lenovo Q190 (core i3) to then purchase a proper server... I've got a X10SL7-f + Xeon E3 1220 V3 in my sights but they are not readily available yet!

There are two things I can not figure out.

1) How to configure a VPN server in a jail that I can connect to with my iPhone, iPad, and laptop. I have an EC2 instance configured using this script / tutorial (here) and it works great. I have set up an openvpn but this is not the PPTP, IPSEC that the iPhone supports. For this I believe I need the IPSEC goodness... but this is a bit beyond me in the amount of configuring required. I'm new to both linux and freebsd... which is why I used this script on my EC2 instance. And it works well.. my QNAP has a VPN setting which is very simple to implement.. just turn it on, and give credentials to use. This would be absolutely amazing if it could be included in freenas by default. I tried getting this to work on an old ubuntu server and failed miserably, so at the moment the voodoo privacy script is my only working VPN implementation.

2) Get CUPS working in a jail so that freenas can work as a print server. I've tried multiple times and can't seem to get it to work perfectly. I will post another forum post going into more detail later. But essentially I get a test page to print from CUPS in a JAIL, but I had to change the connection from usb to file:/dev/ulpt0. But then when I send a document to print it seems to get stopped, or paused... if anyone has any other solutions... I have passed the permissions for the device through to the jail, and the cups users..

cheers

Andrew
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
I would strongly suggest looking at something like pfsense on a dedicated box to do your VPN/Firewall services. There are some really inexpensive ALIX based boards that can act as firewall and VPN server for your environment. I use one as my home router and can connect via the built in cisco IPsec clients on my Apple devices. (iPhone, laptop). From there I can access my NAS and other internal network devices. In my opinion, it's much cleaner and safer than trying to run something in a jail.
 

andyclimb

Contributor
Joined
Aug 17, 2012
Messages
101
In an ideal world that would be the best thing to do.. unfortunately I've just dropped rather a lot of money on a xeon machine and sold all my other stuff! I'm trying to consolidate as I had 3 servers running a load of other stuff. Wonder if I could configure a rPi to do the VPN, and probably defo the print server.

Still I'm in this for the educational reasons, so any advice on FREEBSD print server in a jail, and an ipsec iPhone compatible VPN would be appreciated!

I may tackle this myself! will be long and slow though!

A
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I know that an rPI *can* do VPN. But from what I've heard (never done it) it is extremely slow.
 

c32767a

Patron
Joined
Dec 13, 2012
Messages
371
You'd be severely limited by the USB bus in the rPi. Plus, I'm not sure there's a version of BSD that boots, so you would need to use a Linux environment to do the VPN termination.

I can't comment on the print server part. Haven't built one in years. Our windows people own all that stuff.. :)

If you want to terminate your own ipsec VPNs, you want to learn about IPSec-tools..

http://ipsec-tools.sourceforge.net
http://www.netbsd.org/docs/network/ipsec/rasvpn.html


(The instructions for the Cisco IPSec client should work for your apple i-Devices, all of which should have the Cisco VPN client option in their VPN config. )

Honestly, I don't know enough about FreeBSD/FreeNAS's jails to say whether IPsec could be done inside a jail or not. Google turns up a lot of discussion about it, but not a lot of clear documentation. Sounds like a fun learning experience.
 

andyclimb

Contributor
Joined
Aug 17, 2012
Messages
101
Cheers for the advice, I've come up empty on this one, for the first time in a while. The script I used for my AWS instance installs OPENSWAN in ubuntu so now I'm in a double world of pain.

I think having a VPN server and Print server would be an awesome addition to freenas. I'm moving everything over from a QNAP.. basically because they are seriously expensive for the crap hardware (should qualify that as being for the money. ie.. my 419P+ that cost me over £500... has awful write performance and basically dies whenever you do anything... rsync, write... etc..) and you get no expansion past 4 slots unless you start paying silly money... I'm building a xeon rig, ECC memory, X10SL7-F MB.. which has 6+8 SATA connectors... for a fraction of the cost of a QNAP. The downside is the software for the QNAP comes ready to rock...

So far though I've got a bunch of extra features working on freenas that don't exist on QNAP... a jail that routes all traffic through a VPN.. a jail running fhem which controls my house, and now there are only two things left. A VPN and a Print server..

I think I can get a print server working. CUPS works just fine... But I've just spent an hour struggling with the devfs.conf and devfs.rules.

I've googled and searched, but I can't seem to answer a few questions...

1) How are the devfs.conf and devfs.rules configured by default in freenas? There are extensive entries in both the host and the jail files by default.

2) What is the difference between devfs.conf and devfs.rules.... both in the host and the jail..

3) What is
Code:
devfs_system_ruleset="devfsrules_common"
? This is referenced in the jail rc.conf but I can't find it anywhere... if it works like the
Code:
devfs_system_ruleset="usbrules"
which is located in the rc.conf of the host then there should be a devfs.rules file in the jail with [devfsrules_common XX] entry.. but there is no devfs.rules file.

4) How do you give access to a device on the host to a jail? I've been trying to set
Code:
add path 'ABC/0.2.*' mode 0660 group cups
where ABC = unlpt*,ulpt*,usb*,ugen* etc.... both on the host and the jail. CUPS sees the printers... I have two visible both listed at /dev/unlpt0 but I get permission denied when I send a document to it.

5) Interestingly, if I change the printers.conf entry from
Code:
usb:/dev/unlpt0
to
Code:
file:/dev/unlpt0
then I can print a test page but nothing else! It still gives me the error... "unable to connect to system bus" but it does print the test page... but nothing else... if I connect to the printer on my mac... at the address http://IP:631/printers/printername.. then it says printing but it never appears in the queue. I'm not sure if this is related to the devfs rules / changing it to file... or not.

phew... this is turning into an epic... but one that I think quite a few people will appreciate!
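
A least-privilege devfs ruleset for the device-access question in point 4 above, as an added example that is not part of the original thread: it uses stock FreeBSD devfs.rules syntax, and the ruleset name, its number and the jail name are assumptions. How FreeNAS's own jail tooling selects a jail's ruleset is not covered in the thread.

```conf
# /etc/devfs.rules on the HOST (constructed example, stock FreeBSD syntax).
#
# devfs.conf vs devfs.rules:
#   devfs.conf  - applied once at boot to nodes that already exist
#                 (own/perm/link); a printer plugged in later is not touched.
#   devfs.rules - named rulesets evaluated whenever a node appears, and the
#                 mechanism used to decide what a jail's /dev exposes.

# Ruleset name and number are assumptions; any unused number works.
[devfsrules_jail_cups=100]

# Start from an empty /dev, then add back only what a jail normally needs.
# These three rulesets are defined in /etc/defaults/devfs.rules.
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login

# Expose the USB printer nodes only, not the whole usb*/ugen* tree.
add path 'ulpt*' unhide
add path 'ulpt*' mode 0660 group cups
add path 'unlpt*' unhide
add path 'unlpt*' mode 0660 group cups

# Caveats:
# - The group name is resolved on the host when the rules are loaded, so a
#   "cups" group must exist on the host with the same numeric GID that the
#   cups group has inside the jail. A mismatch shows up as "permission
#   denied" in the jail even though the node is visible.
# - The CUPS "usb:" backend talks to the device through libusb, which uses
#   the usb/ and ugen nodes rather than ulpt. Unhiding those gives the jail
#   raw access to more than the printer, so prefer the narrowest path
#   pattern that matches the one device.
#
# Reload the rules on the host after editing:
#   service devfs restart
#
# Attaching the ruleset to a jail in stock FreeBSD jail.conf(5)
# (the jail name "cups" is hypothetical):
#   cups {
#       mount.devfs;
#       devfs_ruleset = 100;
#   }
```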
 

andyclimb

Contributor
Joined
Aug 17, 2012
Messages
101
ps... I will look into racoon as I came across it searching for an OPENSWAN alternative... thanks for the advice...

I also agree that the rPi will be dog slow... which is why it would be nice to get it all working on freenas... a VPN jail would be amazing...
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
There's nothing stopping you from creating your own VPN in a jail. There's lots of potential security risks involved, but that's beyond the scope of this forum.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
… I have set up an openvpn but this is not the PPTP, IPSEC that the iPhone supports. For this I believe I need the IPSEC goodness …


Regarding iOS support for OpenVPN …

You are correct that OpenVPN support isn't built into iOS, but there is an OpenVPN app that allows you to connect an iOS device to an OpenVPN server:
https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8


Regarding IPSEC on FreeNAS …

Did you ever get IPSec working on FreeNAS? I'm trying to figure out how to do so myself and could use a few clues.

- nello
 