How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


JJT211

I was under the impression adding those two extra lines to the client config would change my WAN IP on my remote client to the WAN IP of my server? Also giving me access to the geo-location of my server.

ipconfig shows as having the assigned private network on the adapter, but if I am to Google "What's my IP", for example, I still have the same IP as I would if I wasn't connected to the VPN.

Sorry, having a hard time conveying what I mean o_O

I've accomplished what I really wanted, access to my LAN for both my phone and laptop using one VPN.

But man oh man, would it be fun to use my home IP too.

So I did a little experimentation with this True VPN stuff, and I got some pretty interesting results.

- I first checked my phone's IP with no VPN, and I got my wireless carrier IP.
- I then connected using the Android OpenVPN client and I got my LAN IP!! Success!!

Now in order to test my laptop, I have to wifi tether my laptop to my phone.
- Checked the IP without using the Windows OpenVPN client, I got my wireless carrier IP
- Checked the IP with the Windows OpenVPN client, I still got my wireless carrier IP
- I was still able to access my LAN though.

So then I thought, maybe it's a Windows OpenVPN issue, so I,
- connected using the Android OpenVPN client, checked the IP, and got my LAN IP.
- turned on Wifi Tether and checked the IP from the phone browser, and got my wireless carrier IP!
- connected my laptop to Wifi Tether and checked the IP, got my wireless carrier IP.

It appears to be a Wifi Tether issue!
 

Krowvin

I still got my wireless carrier IP
WIP

Curious if this has anything to do with how the tether handles the packets.

Easy-tether uses its own network adapter to create a connection.
 

JJT211

^^ Wow beat me to it! See edit above!

This seems to be a case for XDA/OpenVPN forums!

Or maybe as you said, its just a limitation of the Wifi Tether
 

JJT211

nm
 

Jag_Five-O

Well I have tried the suggestions and I still keep coming up empty. I even tried to connect via a laptop, cellphone, and tablet and still nothing. I have reviewed all of the settings you have posted and mine are the exact same, and nothing. If you guys have any suggestions or need any logs let me know, I feel out of options at this point.
 

JJT211

I know the frustration, and it definitely makes things more difficult. My best advice is to walk away for a while and come back with a fresh mind and some patience. It's what I had to do. It took me about a month, off and on, to finally get everything to work.
 

Jag_Five-O

After about a dozen times, perhaps I am doing something small wrong. I can get everything to connect to OpenVPN but it never seems to connect to the network, but I can't tell.

With this setup I should be able to access my FreeNAS webgui correct? If so then I would just enter 192.168.1.135 it should take me to the same page as when I'm on my network, however, I can't do that. If that isn't right then I don't know what IP address to be entering.
 

JJT211

Post up everything you can.
 

JJT211

Instead of going crazy over what the issue is, let's start with what it isn't.
 

Jag_Five-O

Alright here are all my settings:

Client config
Code:
client
dev tun
proto udp
remote myremote.site.net 443 #I have my address
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert HomeNAS.crt
key HomeNAS.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3


Server config
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.0.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.101 255.255.255.0 10.0.8.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


ipfw.rules
Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.0.8.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b


ipfw list
Code:
00100 nat 1 ip from 10.0.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


rc.conf
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="openvpn"
hostname="openvpn"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


service openvpn start
Code:
route: writing to routing socket: File exists
add net 192.168.1.101: gateway 10.0.8.1 fib 0: route already in table
add net 10.0.8.0: gateway 10.0.8.2


I have double checked my router, which is a Linksys E4200, that the ports are forwarding correctly from 443 to 10011. I have verified this by messing around with them, and I can't connect through OpenVPN unless it goes like it's supposed to. Like I said before, it connects via OpenVPN but it doesn't look like it does anything. I haven't attempted to turn it into a TrueVPN or harden anything yet because I can't get the easy stuff working. I also have tried a cell phone, tablet and laptop. All connect via OpenVPN but I can't get to any internal network links. If you need more info let me know; I'll try to find the logs, but I don't know where they are kept at the moment.
 

JJT211

I was thinking the same exact thing about the True VPN, that it was a more complex configuration.

But it wasn't until I added the additional lines to my client config that I was FINALLY able to access other hosts on my LAN. I now believe it actually simplifies the network for both server and client, as there's only one way for traffic to go: through the VPN. I really think it was the difference for me.

Also,

In your firewall rules, you sure epair0b is correct?

That's exactly from the tutorial, but you are supposed to change the epair number according to what you get from the command below

Code:
ifconfig | grep epair


Everybody's epair # is different, depends on how many jails you are running, here's mine

Code:
[root@openvpn /mnt/openvpn]# ifconfig | grep epair
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500


So my ipfw.rules looks like this:

Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair2b
ipfw -q add nat 1 all from 10.0.8.0/24 to any out via epair2b
ipfw -q add nat 1 all from any to any in via epair2b


Which leads me to this: when you restart your jail, sometimes your epair # or your tun # will change. That's where I said you need to run ifconfig after the jail restart and double check those numbers stayed the same.

If the epair # changes, then just edit the ipfw.rules. If the tun # changes (i.e. from tun1 to tun2), you can change it back to tun1 using this command.

Code:
ifconfig tun2 name tun1
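
Since the epair number can move after a jail restart, here is an added example (my own script, not from this thread or the tutorial it follows) that reads the epair "b" name out of ifconfig output and renders the same four ipfw NAT rules shown above, reporting when the interface differs from the one in the existing rules file. The embedded ifconfig text is a constructed sample; the VPN subnet 10.0.8.0/24 and the path /usr/local/etc/ipfw.rules are taken from the configs posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or the tutorial it follows): find the jail's
# epair "b" interface in ifconfig output and render the ipfw NAT rules from it,
# so the rules file does not go stale when the epair number changes after a
# jail restart. Assumptions: the "b" side of the epair is the jail's uplink (as
# in the posts above) and the VPN subnet is 10.0.8.0/24.

VPN_NET="${VPN_NET:-10.0.8.0/24}"

# Constructed sample of "ifconfig" output inside a jail, used for the demo run.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500'

# Print the first epair "b" interface named in ifconfig output read from stdin.
# Returns 1 (and prints nothing) when there is none.
pick_epair_b() {
    awk '/^epair[0-9]+b:/ { sub(":", "", $1); print $1; exit }' | grep .
}

# Render the four ipfw rules from the thread for the given uplink interface.
render_ipfw_rules() {
    iface="$1"
    printf 'ipfw -q -f flush\n'
    printf 'ipfw -q nat 1 config if %s\n' "$iface"
    printf 'ipfw -q add nat 1 all from %s to any out via %s\n' "$VPN_NET" "$iface"
    printf 'ipfw -q add nat 1 all from any to any in via %s\n' "$iface"
}

# Report which interface an existing rules file refers to (empty if none),
# so a changed epair number is visible before the file is overwritten.
rules_iface() {
    [ -f "$1" ] || return 0
    awk '/nat 1 config if/ { print $NF; exit }' "$1"
}

# Demo on the constructed sample: prints the rules rendered for its epair.
demo_rules() {
    iface=$(printf '%s\n' "$SAMPLE_IFCONFIG" | pick_epair_b) || return 1
    render_ipfw_rules "$iface"
}

# Live mode: "sh epair-nat.sh apply [/usr/local/etc/ipfw.rules]" regenerates
# and loads the rules from the real ifconfig. Nothing runs otherwise, so the
# file can be sourced or tested without touching the firewall.
if [ "${1-}" = "apply" ]; then
    RULES="${2:-/usr/local/etc/ipfw.rules}"
    IFACE=$(ifconfig | pick_epair_b) || { echo "no epair*b interface found" >&2; exit 1; }
    OLD=$(rules_iface "$RULES")
    if [ -n "$OLD" ] && [ "$OLD" != "$IFACE" ]; then
        echo "epair changed: $OLD -> $IFACE" >&2
    fi
    render_ipfw_rules "$IFACE" > "$RULES"
    sh "$RULES"
fi
```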
 

JJT211

Also, not sure this makes much of a difference or not, but under rc.conf, on line 7, you have hostname in there twice.

Any luck so far?
 

Jag_Five-O

Alright, well I checked on the epair# and it's definitely 0 (zero). I then checked my 3 other jails and they were numbered 1-3. So if this jail is supposed to have a number, I don't know what is wrong. I also removed the double line in the rc.conf and that doesn't seem to have changed anything. I have to keep changing my tun# back as it keeps increasing with every restart, but that is minor...I think.

If I add the DHCP option to my client config I cannot connect to any website.

Is it odd that in the reporting section of my server it doesn't list any "b" connections. They are epair0a, epair1a, etc.
 

JJT211

I dunno, mine gives both epair a's and b's in the reporting section. Reboot your server if you haven't in a while. That usually resets my epair/tun/jls #'s to where they're supposed to be, if I recall correctly.

Also, read up on the Robles/Nello exchange around pg3-5. There's a TON of info and commands to check your logs, listening ports, etc.
 

JW0914

  • If you can connect to the VPN, but not access other clients on the LAN, you're missing client to client in your server config.
  • As far as the wireless carrier IP vs LAN IP while connected via VPN goes, I don't think [and I could very well be wrong] it's possible to only pull the LAN IP while connected via VPN due to the cellular radio not utilizing 802.1q (which is also why it doesn't have a permanent MAC address [one is dynamically assigned when the cellular device boots and changes upon every reboot]). If my assumption is wrong, then it's because your server config isn't set up to redirect gateway to clients (list push redirect-gateway).
If using Android, I'd recommend the app "OpenVPN for Android", which allows for on the fly changes and offers complete customization of the VPN client config directly from the app and without having to physically alter the config file itself

I don't utilize redirect-gateway, however this is how my server and client configs are configured:

Server (OpenWRT 3.18 kernel, coding will differ slightly from yours):

config openvpn 'VPNserver'

option enabled '1'

# --- Protocol ---#
option dev 'tun'
option topology 'subnet'
option proto 'udp'
option port 'xxxx'

#--- Routes ---#
option server '10.0.0.0 255.255.255.0'

#--- Client Config ---#
option ccd_exclusive '1'
option ifconfig_pool_persist '/etc/openvpn/clients/private/ipp.txt'
option client_config_dir '/etc/openvpn/clients/private'
option ifconfig '10.0.0.1 255.255.255.0'

#--- Pushed Configurations ---#
list push 'route 192.168.0.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.0.1'
list push 'dhcp-option WINS 192.168.0.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'

#--- Encryption ---#
option cipher 'AES-256-CBC'
option dh '/etc/openvpn/VPNserver/dh2048.pem'
option ca '/etc/openvpn/VPNserver/ca.crt'
option cert '/etc/openvpn/VPNserver/OpenWRT-VPNserver.crt'
option key '/etc/openvpn/VPNserver/OpenWRT-VPNserver.key'
option tls_auth '/etc/openvpn/VPNserver/ta.key 0'

#--- Logging ---#
option log '/tmp/openvpn-private.log'
option status '/tmp/openvpn-private-status.log'
option verb '7'

#--- Connection Options ---#
option keepalive '10 120'
option comp_lzo 'yes'

#--- Connection Reliability ---#
option client_to_client '1'
option persist_key '1'
option persist_tun '1'

#--- Permissions ---#
option user 'nobody'
option group 'nogroup'
option chroot '/etc/openvpn/jail/vpnserver'

config openvpn 'NASserver'

option enabled '1'

# --- Protocol ---#
option dev 'tun'
option topology 'subnet'
option proto 'udp'
option port 'xxxx'

#--- Routes ---#
option server '10.1.0.0 255.255.255.0'
option route '192.168.0.0 255.255.255.0'

#--- Client Config ---#
option ccd_exclusive '1'
option ifconfig_pool_persist '/etc/openvpn/clients/nas/ipp.txt'
option client_config_dir '/etc/openvpn/clients/nas'
option ifconfig '10.1.0.1 255.255.255.0'

#--- Pushed Configurations ---#
list push 'route 192.168.0.0 255.255.255.0'
list push 'dhcp-option DNS 192.168.0.1'
list push 'dhcp-option WINS 192.168.0.1'
list push 'dhcp-option DNS 8.8.8.8'
list push 'dhcp-option DNS 8.8.4.4'
list push 'dhcp-option NTP 129.6.15.30'

#--- Encryption ---#
option cipher 'AES-256-CBC'
option dh '/etc/openvpn/NASserver/dh2048.pem'
option ca '/etc/openvpn/NASserver/ca.crt'
option cert '/etc/openvpn/NASserver/NAS-VPNserver.crt'
option key '/etc/openvpn/NASserver/NAS-VPNserver.key'
option tls_auth '/etc/openvpn/NASserver/ta.key 0'

#--- Logging ---#
option log '/tmp/openvpn-nas.log'
option status '/tmp/openvpn-nas-status.log'
option verb '7'

#--- Connection Options ---#
option keepalive '10 120'
option comp_lzo 'yes'

#--- Connection Reliability ---#
option client_to_client '1'
option persist_key '1'
option persist_tun '1'

#--- Permissions ---#
option user 'nobody'
option group 'nogroup'
option chroot '/etc/openvpn/jail/nasserver'

Client

client
dev tun
proto udp
remote your.ddns.com xxx
float
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----

-----END OpenVPN Static key V1-----
</tls-auth>
remote-cert-tls server
cipher AES-256-CBC
verb 4
comp-lzo

I utilize pkcs12 certs, which are installed into the android keychain, so it's not needed to list the pkcs12 cert path; however, within Windows, the client config must reference the PKCS12 path via:

pkcs12 filename.p12 ---> (file path must also be included IF the config file and pkcs12 cert do not reside in the same folder)
 

Jag_Five-O

  • If you can connect to the VPN, but not access other clients on the LAN, you're missing client to client in your server config.
My server config is a couple posts above what is missing for the client to client config?
 
J

JW0914

My server config is a couple posts above what is missing for the client to client config?

All of my comments within your configs will be in italics, while all of my additions and/or edits will be in bold. I've separated your configs into distinct sections, mirrored off mine, as an organized script makes your life easier if it ever needs to be edited.
  • All comments will apply to whatever option is above them

#--------------------------------------------------------------------------------------------------#
##---------- Client Config ----------##
#--------------------------------------------------------------------------------------------------#

client

dev tun
proto udp
remote myremote.site.net 443
#I have my address
#--------------------------------------------------------------------------------------------------#
## The port number should match the port number in the server config
#--------------------------------------------------------------------------------------------------#

float

resolv-retry infinite
nobind
persist-key
persist-tun


cipher AES-256-CBC ## Your cipher is missing, should be something similar ##
ca ca.crt
cert HomeNAS.crt
key HomeNAS.key
tls-auth auth.key 1

remote-cert-tls server
#--------------------------------------------------------------------------------------------------#
## ns-cert-type server has been deprecated, also you're utilizing tls with a ta.key
#--------------------------------------------------------------------------------------------------#


comp-lzo
verb 4



#--------------------------------------------------------------------------------------------------#
##---------- Server Config ---------##
#--------------------------------------------------------------------------------------------------#

dev tun
topology subnet
#--------------------------------------------------------------------------------------------------#
## Recommended if you have more than one client, as net30 is deprecated; plus, subnet is far easier
## to configure as anyone who has basic networking skills utilizes subnet topology within their home
## networks
#--------------------------------------------------------------------------------------------------#


proto udp
port 10011

#--------------------------------------------------------------------------------------------------#
## I'd recommend a lower port, higher than 1025 (1 - 1025 are privileged ports), lower than 10k,
## and obviously not 1194 (no sense in doing half the job for an intrusion)
#--------------------------------------------------------------------------------------------------#

server 10.0.8.0 255.255.255.0
#--------------------------------------------------------------------------------------------------#
## Should mirror about how many clients you'll think you'll have. /28 (255.255.255.240) is a good
## option, with 15 IPs... I'd strongly recommend you assign static IPs as well, as I personally
## believe it makes it easier to track who and/or what devices are connected. You will need to
## configure ccd-exclusive, its directory, and the accompanying files to ensure a non-static
## client isn't assigned a statically assigned IP for a device that isn't connected.
#--------------------------------------------------------------------------------------------------#


ccd-exclusive
#--------------------------------------------------------------------------------------------------#
## You will need to reference the How-To and Man Page links below to configure this
#--------------------------------------------------------------------------------------------------#

ifconfig-pool-persist ipp.txt
client-config-dir "path/to/config/dir"
#--------------------------------------------------------------------------------------------------#
## Remember, if it's windows, double backslashes must be utilized in paths, i.e.
## "C:\\Program Files\\OpenVPN\\Keys\\ca.crt"
#--------------------------------------------------------------------------------------------------#

ifconfig-pool-linear "10.0.8.101 10.0.8.105 255.255.255.240"
#--------------------------------------------------------------------------------------------------#
## This, for instance, would allow for .101 - .105 to be assigned dynamically while your static IPs
## may be in the range of .2 - .10
#--------------------------------------------------------------------------------------------------#

#--------------------------------------------------------------------------------------------------#
## If your client is a windows pc, I'd recommend pushing local DNS, as well as google's DNS if you
## want your non-cellular clients to have internet access while connected to the VPN; you'll want
## to push NTP, via NIST, as there's a very small window of difference that must be maintained,
## otherwise the server will refuse the connection:
#--------------------------------------------------------------------------------------------------#


push "dhcp-option DNS 192.168.1.1" ## DNS of the LAN you're trying to remotely connect to ##
push "dhcp-option WINS 192.168.1.1" ## DNS of the LAN you're trying to remotely connect to ##
push "dhcp-option DNS 8.8.8.8" ## Google's DNS ##
push "dhcp-option DNS 8.8.4.4" ## Google's DNS ##
push "dhcp-option NTP 129.6.15.30" ## NIST's main IP, host would be time.nist.gov ##
push "route 192.168.1.0 255.255.255.0"
route "192.168.1.101 255.255.255.0 10.0.8.1"

#--------------------------------------------------------------------------------------------------#
## I can't remember what this is for, and I couldn't find the option when skimming the man pages, but if I
## recall right (and I may be wrong) this is done when you want to route all internet traffic through the
## VPN and if this is what it is, you must utilize the redirect gateway option as well (I also believe it needs
## quotations). Or is it for a Bridge (which I believe can only be set if set to tap)? You'll have to refer to
## the two links at the bottom, one is the OpenVPN How-To, the other is the OpenVPN man page, as I
## didn't set mine up to redirect gateway or to have a server bridge (the slower speed isn't worth it - with
## the WRT 1900ac's 1.2Ghz dual core it's about 10 Mbps or ~1.25 MB/s... far too slow on a 60 Mbps
## internet connection)

#--------------------------------------------------------------------------------------------------#

#crl-verify /mnt/openvpn/keys/crl.pem
#--------------------------------------------------------------------------------------------------#
## You don't need this unless you've revoked certificates created with your certificate authority;
## CCD, above, is a better option IMO, however crl-verify should still be used if you have revoked
## certificates... provided your client pool is small, I'd be more in favor, at that point, to simply
## scrap all certs and begin again with a new ca, which is the most secure way of doing it)
#--------------------------------------------------------------------------------------------------#

cipher AES-256-CBC ## I'd recommend only this option ##

dh /mnt/openvpn/keys/dh1024.pem
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
tls-auth /mnt/openvpn/keys/auth.key 0

#--------------------------------------------------------------------------------------------------#
## You can simplify this section by creating a pkcs12 file, reference that, then plain text the ta.key
## in via xml, with key-direction 0 above the xml code (see my client config; within the client config
## it would be key-direction 1 or vice versa... whichever is 0, the other must be 1). You can also do
## away with all certs and keys paths by utilizing xml and pasting the plain text of each certificate
## encryption string into the appropriate xml section. The xml format is explained in the OpenVPN How-
## To (when pasting the crt encryption strings, you only need the actual string, not all the information
## above it). I personally only prefer to plain text the ta.key, but that's simply my personal preference.
##
#--------------------------------------------------------------------------------------------------#
## To create a p12 file, you must launch the following command from within the folder where the specified
## certificates are at (it should be the same command regardless of windows or linux, though with
## Windows, you must first load the applicable batch file):

Code:
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name ClientCommonName -out ClientCommonName.p12

#--------------------------------------------------------------------------------------------------#


log "path/to/openvpn.log"
#--------------------------------------------------------------------------------------------------#
## If the server is on Windows, it may automatically create a log without this, but verify nonetheless,
## as this log is vital
#--------------------------------------------------------------------------------------------------#

status "path/to/openvpn.status.log"
#--------------------------------------------------------------------------------------------------#
## Logs currently connected clients, their client name based on certificate, and the IP they're assigned
#--------------------------------------------------------------------------------------------------#

verb 7
#--------------------------------------------------------------------------------------------------#
## High enough to allow you to monitor who's connected, as well as any errors, without filling up the
## log with wait status messages that are generated at 8 & above due to udp
#--------------------------------------------------------------------------------------------------#


keepalive 10 120
comp-lzo


client-to-client ## This is what allows clients to see other clients connected to the same VPN ##
persist-key
persist-tun


group nobody ## Only affects Unix based OSs ##
user nobody ## Only affects Unix based OSs ##

#--------------------------------------------------------------------------------------------------#
## Note:
##
## In regards to client-to-client, if you have 1 or more devices that you do not want to have access
## to other devices within the VPN, simply configure an additional VPN server (my server config from
## my post includes two servers, one for my private network, the other for devices that only need access
## to my NAS server, and both configurations go inside the same server config). If you want to restrict
## devices on the VPN from accessing all devices on the LAN the VPN tunnel points to, you must utilize
## firewall rules on the router to prevent the access.
##
## TEST! TEST! TEST! Whenever dealing with security and configurations, always test to make sure not
## only the configurations work, but so does the security put in place. If constraining clients with
## access restrictions, connect as that client and attempt to connect to what they've been restricted
## from accessing. If utilizing non-windows firewalls, always utilize drop, not reject.
##
#--------------------------------------------------------------------------------------------------#
##
##
## ccd-exclusive prevents anyone, except those clients implicitly specified within the ccd client
## directory, from connecting to the VPN, even if they have proper certificates
##
#--------------------------------------------------------------------------------------------------#
##
## I'd strongly recommend redoing your dh key with 2048 encryption, as 1024 is crackable, while 2048
## won't be crackable until at least 2100 (via Moore's Law). I'd also recommend redoing all certificates,
## including the certificate authority, with AES 256, as it's the industry standard... both 2048 and 256
## are used exclusively by the DoD and other governmental bodies, such as the NSA. 2048 has the same
## encryption/decryption time as 1024, so you get no lag from processing, however anything higher than
## 2048 will have a negative impact on speed of the connection... Both options are set via vars.
##
## It's far easier to create keys on non-windows systems, and this is the vars file I use. You'll need to
## add in your information into the fields at the bottom in between the empty quotation marks until you
## reach the "OpenSSL" value (you can change "OpenSSL" to whatever you want). When creating the
## client keys, whatever name you input for the key will automatically become the common name of that
## certificate if using this vars script on Linux

  • Do NOT create certificates that have the same common name, as it severely degrades security
  • Remember to create the server cert/key with build-key-server, which helps to prevent MITM attacks
  • Remember to create client certs with build-key, not build-key-server
#--------------------------------------------------------------------------------------------------#


#--------------------------------------------------------------------------------------------------#
##---------- vars ----------##
#--------------------------------------------------------------------------------------------------#
Code:
# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="/etc/easy-rsa"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=3650

# In how many days should certificates expire?
export KEY_EXPIRE=3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE=""
export KEY_CITY=""
export KEY_ORG=""
export KEY_EMAIL=""
export KEY_OU=""

# X509 Subject Field
export KEY_NAME="OpenSSL"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234



OpenVPN How-To: https://openvpn.net/index.php/open-source/documentation/howto.html
OpenVPN Man Page: https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
OpenVPN Android Info: https://docs.openvpn.net/docs/openvpn-connect/openvpn-connect-android-faq.html

If you're having connection issues or need to troubleshoot, change the protocol to tcp;
however, change it back once troubleshooting has concluded, as tcp is slower than udp
due to how the packet is inefficiently processed.




#--------------------------------------------------------------------------------------------------#
##---------- Server Config (with comments removed and changes applied) ---------##
#--------------------------------------------------------------------------------------------------#

Code:
dev tun
topology subnet
proto udp
port 10011

server 10.0.8.0 255.255.255.0

ccd-exclusive
ifconfig-pool-persist ipp.txt
client-config-dir "path/to/config/dir"
#ifconfig-pool-linear "10.0.8.101 10.0.8.105 255.255.255.0"

push "dhcp-option DNS 192.168.1.1"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option NTP 129.6.15.30"
push "route 192.168.1.0 255.255.255.0"
#route "192.168.1.101 255.255.255.0 10.0.8.1"

cipher AES-256-CBC
dh /mnt/openvpn/keys/dh1024.pem
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem

log "path/to/openvpn.log"
status "path/to/openvpn.status.log"
verb 7

keepalive 10 120
comp-lzo

client-to-client
persist-key
persist-tun

group nobody
user nobody 




#--------------------------------------------------------------------------------------------------#
##--------- Client Config (with comments removed and changes applied) ---------##
#--------------------------------------------------------------------------------------------------#

Code:
client

dev tun
proto udp
remote myremote.site.net 443 #I have my address
float

resolv-retry infinite
nobind
persist-key
persist-tun

cipher AES-256-CBC
ca ca.crt
cert HomeNAS.crt
key HomeNAS.key
tls-auth auth.key 1
remote-cert-tls server

comp-lzo
verb 4
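
As an added example (my own code, not JW0914's or anything from the thread), a small POSIX sh check for the route defect behind the "route already in table" message posted earlier: `route 192.168.1.101 255.255.255.0 10.0.8.1` has host bits set, so OpenVPN masks it and installs a route to 192.168.1.0/24, which the jail already has as its directly connected LAN. The embedded config excerpt is a constructed copy of the server lines posted above.

```shell
#!/bin/sh
# Added example (not JW0914's or the thread's own code): flag "route" and
# "server" directives whose address has host bits set under the given mask.
# OpenVPN masks such an address, so the posted line
#   route 192.168.1.101 255.255.255.0 10.0.8.1
# really installs a route to 192.168.1.0/24, the LAN the jail is already on,
# which is why "service openvpn start" printed "route already in table".

# Constructed excerpt of the server config posted earlier in the thread.
SAMPLE_SERVER_CONF='port 10011
proto udp
dev tun
server 10.0.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.101 255.255.255.0 10.0.8.1'

# Print the network address of dotted-quad ADDR under dotted-quad MASK.
net_of() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2          # split both quads into eight positional parameters
    IFS=$old_ifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Read an OpenVPN server config on stdin and print one finding per "route" or
# "server" directive whose address is not the network address under its mask.
# Quotes are stripped first so the quoted form in the annotated config is also
# seen. Returns 0 when nothing was flagged, 1 otherwise.
lint_routes() {
    rc=0
    while IFS= read -r line; do
        set -- $(printf '%s\n' "$line" | tr -d '"')
        case "${1-}" in
            route|server) ;;
            *) continue ;;
        esac
        [ "$#" -ge 3 ] || continue
        net=$(net_of "$2" "$3")
        if [ "$net" != "$2" ]; then
            printf '%s %s %s: host bits set, effective network is %s\n' "$1" "$2" "$3" "$net"
            rc=1
        fi
    done
    return "$rc"
}

# Demo: lint the constructed sample and print the number of findings.
demo_findings() {
    printf '%s\n' "$SAMPLE_SERVER_CONF" | lint_routes | wc -l | tr -d ' '
}
```

Pipe a real server config into `lint_routes` to check it; anything it prints is a line OpenVPN will silently mask to a different network than the one written.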


 

JJT211

WOW!

Thanks for the incredibly detailed explanation!
 

JW0914

WOW!

Thanks for the incredibly detailed explanation!
No problem at all... there were multiple things I wanted to address, and I figured it would be easier for you and anyone else if the reasons for the additions were explained.

I'd strongly recommend anyone setting up an SSL VPN via OpenVPN to read through the entire How-To and man[ual] pages, as you'll probably find an option or two in there that you'll want to apply. Most configurations you find online are vanilla with very few customizations, many of which are the absolute bare minimum to get a VPN to work [though not securely]. Considering the purpose of a VPN is to ensure the security of the connection and all data within, I believe it's of the utmost importance to understand all options that can be applied. Neither are a quick study and if going through both in one go, expect to spend about an hour reading through both (How-To will take ~15 - 20 min, while the man pages will take ~45 min).

The OpenVPN How-To explains the basics, while the man page provides all options available for both server and client configs. VPNs are easy to set up and don't require an in depth knowledge of networking, and while a few options within the man page may go over some user's heads (as they did with me), I believe it important for any user to understand what configuration options there are for their VPN, as they may just find an option they need, an option that makes their configuration easier to set up, or maybe an option that further secures their VPN. I look at the man pages like the Windows Control Panel of sorts, where it allows you to truly customize and personalize your VPN.

EDIT: I added some additional information to my post addressing your server and client configs to further explain a couple of things I forgot to address
 

JJT211

Well the server config wasn't mine, but regardless, thanks anyway, as it's a relief to have a much more knowledgeable poster other than myself lending some advice in this thread. My only qualification was I was able to get it to work. For a bit, it felt like the blind leading the deaf haha....

Anyways, I find that teaching is quite a powerful learning tool. I've been through those manuals previously, and it was quite a bit to digest. But just like in my Engineering studies, read through the text, and don't sweat it so much if you don't understand much of it. Go apply it the best you can, come back, read through again, you will start understanding more. Step away for a while, come back again, and you'll be surprised how much starts to click. And every once in a while, you will have a poster that explains things in a way that speeds that process up 10x. So for that, I say thank you!

I have one question for you though in regards to this:

I'd strongly recommend redoing your dh key with 2048 encryption, as 1024 is crackable, while 2048 won't be crackable until at least 2100 (via Moore's Law). I'd also recommend redoing all certificates, including the certificate authority, with AES 256, as it's the industry standard... both 2048 and 256 are used exclusively by the DoD and other governmental bodies, such as the NSA. 2048 has the same encryption/decryption time as 1024, so you get no lag from processing, however anything higher than 2048 will have a negative impact on speed of the connection... Both options are set via vars.

I've read that the difference between AES 128 vs 256 is negligible in regards to a brute force attack, as both are such mind-bogglingly large numbers that there is nothing that can even break 128. The primary reason the NSA suggests AES-256 as the standard is the possibility of quantum computing technology (which hasn't even been invented yet!) making it a remote possibility to brute force. Not to mention marketing and the placebo effect of the number 256 simply being larger than 128. But people don't quite realize how unimaginably large even the number 2^128 really is.

See link for a very good and entertaining explanation why
https://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/

Just curious, as to why you say AES 256 is the best security. However, if there's no speed penalty in going 256 anyway, then I guess why not?


EDIT: Oops, Just realized you're referencing a different security standard 1024 vs 2048. Time for me to hit Google. But for the sake of discussion the question still stands.
 