How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


bigjay517

Dabbler
Joined
Jan 14, 2015
Messages
14
Hello everyone!

I appreciate the guide and all of the advice everyone has given. I seem to be stuck on the same problem that quite a few people are/were having. I am able to connect to my VPN network just fine, but I am unable to access anything on the "local" side of the VPN. I have completely wiped the jail and started from scratch to verify that I had everything correct.

Here is a small overview of the network I have.
Local Network:
Router/Gateway 192.168.1.1
OpenVPN Jail 192.168.1.246
Clients 192.168.1.X

VPN Network:
OpenVPN server 10.8.0.1
Clients 10.8.0.X

In this case I am connecting to the VPN from my MacBook, through a portable hot-spot on my phone. I connect to the VPN and I can browse the internet fine, but if I attempt to ping anything on the local network (i.e. 192.168.1.1, 192.168.1.100, etc.) I get no response. I am also unable to ping 10.8.0.1, which I think should be the address of the VPN server as seen from the VPN client.

One of the suggestions given was to add the following two lines to the client configuration, but they only manage to make the internet completely unusable on the client. I think this is because the DNS requests are being routed to 192.168.1.1, which is not accessible by the client.
Code:
dhcp-option DNS 192.168.1.1
redirect-gateway def1


Here are the configurations that I have.
server.conf
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt    # Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem    # Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0    # Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"    # Yellow network
route 192.168.1.246 255.255.255.0 10.8.0.1    # Routes traffic from the Yellow network side (10.0.0.0/24)
                                           # to the Purple network side (10.8.0.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 6

log-append /mnt/openvpn/server_log.log


client.ovpn
Code:
client
dev tun
proto udp
remote myhomenetwork.com 444
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert JayMacBook.crt
key JayMacBook.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3


sockstat -4 -l
Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    83211 5  udp4   *:10011               *:*
root     syslogd    77519 7  udp4   *:514                 *:*


ipfw list
Code:
00100 nat 1 ip from 10.8.0.0/24 to any out via epair4b
00200 nat 1 ip from any to any in via epair4b
65535 allow ip from any to any


ifconfig
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair4b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:81:94:00:0c:0b
        inet 192.168.1.246 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        nd6 options=9<PERFORMNUD,IFDISABLED>


I have restarted the jail, as well as the whole FreeNAS server, but I still have the same results. I feel like there is some routing configuration that is missing. From what I can tell though, I have all of the settings correct based on the guide in the first post. Am I missing something?
 

jspcto

Cadet
Joined
Oct 24, 2015
Messages
8
bigjay517 said:
Hello everyone!
In this case I am connecting to the VPN from my MacBook, through a portable hot-spot on my phone. I connect to the VPN and I can browse the internet fine, but if I attempt to ping anything on the local network (i.e. 192.168.1.1, 192.168.1.100, etc.) I get no response. I am also unable to ping 10.8.0.1, which I think should be the address of the VPN server as seen from the VPN client.

One of the suggestions given was to add the following two lines to the client configuration, but they only manage to make the internet completely unusable on the client. I think this is because the DNS requests are being routed to 192.168.1.1, which is not accessible by the client.
Code:
dhcp-option DNS 192.168.1.1
redirect-gateway def1

I am new to FreeNAS and OpenVPN, but I was able to successfully set everything up using the guide last week (thanks robles!). That said, take my questions/comments with a grain of salt... I could be completely off base.

Since you can't ping any of your network clients, I'm wondering if your MacBook might be connecting to the Internet through your broadband instead, making it seem like you have successfully connected to your VPN when in fact you haven't. Did you verify that your public IP (when connected through your hotspot) matches the public IP of your gateway? Use Google and search "My IP". If the IPs don't match, then it would make sense that you couldn't ping your server and other clients. Bottom line: you aren't really connected to your VPN. Perhaps there is a certificate error of some type.

Also, my understanding is that those 2 lines must be part of the client .ovpn in order for you to route Internet traffic through your VPN. But, before that would matter, you would need to successfully be able to ping your other clients.

Again, not sure if this is even remotely on target, but thought I would chime in just in case it would help.
 

bigjay517

Dabbler
Joined
Jan 14, 2015
Messages
14

Sorry for the long wait before my reply; with the holiday last week I was quite busy. Thank you for the ideas. I am not sure how, but when I went to test the setup today everything was working! I had tried the server reboot multiple times, but that had not changed the outcome before. The only thing I can think of that I did differently was that I had completely shut down the MacBook earlier in the week. So for anyone else reading this in the future, try rebooting both of your devices. I am not sure what changed, but something did.

Now it seems I have another question related to DNS. On my home network, local to the VPN server, I have static DHCP set up with hostnames like MBP.local, router.local and freenas.local. Is there a way to get those *.local domains to resolve properly? A
Code:
dig freenas.local

from the VPN client (my MacBook) returns the correct IP of my FreeNAS server, but Chrome returns ERR_NAME_NOT_RESOLVED and ping returns an unknown host error. I am thinking this is not a VPN problem, but a problem somewhere else. Has anyone else experienced this and been able to work around it?
 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31
I am unable to get openvpn to start. It looks like it has something to do with the tun.

Here is the server log:
Code:
Wed Dec  2 01:15:12 2015 OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov  6 2015
Wed Dec  2 01:15:12 2015 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Wed Dec  2 01:15:12 2015 Diffie-Hellman initialized with 2048 bit key
Wed Dec  2 01:15:12 2015 Socket Buffers: R=[42080->65536] S=[9216->65536]
Wed Dec  2 01:15:12 2015 ROUTE_GATEWAY 192.168.0.1
Wed Dec  2 01:15:12 2015 TUN/TAP device /dev/tun1 opened
Wed Dec  2 01:15:12 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Dec  2 01:15:12 2015 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun1 does not exist
Wed Dec  2 01:15:12 2015 FreeBSD ifconfig failed: external program exited with error status: 1
Wed Dec  2 01:15:12 2015 Exiting due to fatal error


Local Network:
Router/Gateway 192.168.0.1
OpenVPN Jail 192.168.0.46
Clients 192.168.0.###

My openvpn.conf file looks like this:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0" #Yellow network
route 192.168.0.46 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (10.0.0.0/24)
                                      #to the Purple network side (10.8.0.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

log-append /mnt/openvpn/server_log.log


Here is my rc.conf:
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="vpn_1"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
#openvpn config
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


ifconfig run in the jail:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair5b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:77:1a:00:0d:0b
    inet 192.168.0.46 netmask 0xffffff00 broadcast 192.168.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=9<PERFORMNUD,IFDISABLED>


Here is what my /dev/tun* looks like:
Code:
root@vpn_1 /mnt/openvpn/ $ ls -l /dev/tun*
crw-------  1 uucp  dialer  0xf2 Dec  2 01:15 /dev/tun1


This is my keys directory:
Code:
root@vpn_1 /mnt/openvpn/ $ ls /mnt/openvpn/keys
01.pem             ca.key             g00mbs.csr         index.txt.attr     openvpn-server.crt serial
02.pem             dh2048.pem         g00mbs.key         index.txt.attr.old openvpn-server.csr serial.old
ca.crt             g00mbs.crt         index.txt          index.txt.old      openvpn-server.key


It looks like @whatnissan had a similar issue back on pages 5 through 7 with tun. He noted he was able to get it to work, but I wasn't able to find his solution.

Any help here would be appreciated.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Have you rebooted your server?
 

bigjay517

Dabbler
Joined
Jan 14, 2015
Messages
14
I did a couple times last night, but that didn't seem to help. I have some pending updates I can try to run on the server tonight to see if that helps.

Hey g00mbs,

Check your ipfw.rules file. The last two lines (I believe) rename your tunX interface to tun0. I have copied and pasted the section from the first post about this. The lines I am talking about are:

Code:
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


[root@openvpn /mnt/openvpn]# nano /usr/local/etc/ipfw.rules

This will create a new file in /usr/local/etc/ named ipfw.rules. Insert the next rules in that file:

Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31

So, my ipfw.rules is located where you noted /usr/local/etc and unedited looks like:
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


Is that correct?

I think the epair looks right:
Code:
root@vpn_1//$ ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair5b
00200 nat 1 ip from any to any in via epair5b
65535 allow ip from any to any
 

bigjay517

Dabbler
Joined
Jan 14, 2015
Messages
14
Hmm, yes that looks correct to me.

Maybe it is working, since in your ifconfig it showed you had the tun0 device. OpenVPN seemed to be trying to connect on the tun1 device. I am not sure why.

This is beyond my expertise, but the next thing I would try would be to rename tun0 back to tun1 with:

ifconfig tun0 name tun1

Then try restarting the VPN server.

 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31
I updated the server and I changed out my router (got a new one today) and things are working more so now. I don't know what did the magic, but I'm on my way but not 100%.

When I changed to the new router, I changed the config of each jail to use DHCP instead of a static IP set through the FreeNAS GUI. I then assigned static IPs through the router using the hostname of each jail.

With the change out of the router here is my new config:

Local Network:

Router/Gateway 192.168.86.1
OpenVPN Jail 192.168.86.46
Clients 192.168.86.###

openvpn.conf:
Code:
port 10010
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.86.0 255.255.255.0" #Yellow network
route 192.168.86.46 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (10.0.0.0/24)
                                      #to the Purple network side (10.8.0.0/24)
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

log-append /mnt/openvpn/server_log.log


Using UDP port 10010. My router is forwarding 443 (external) to 10010 (internal) for UDP only.

ipfw.rules
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


ps aux
Code:
root@vpn_1 // $ ps aux | grep openvpn
nobody 74774  0.0  0.0 18292 4704 ??  SsJ  12:46AM 0:00.20 /usr/local/sbin/openvpn --cd /mnt/openvpn --daemon openvpn --config /mnt/openvpn
root   76990  0.0  0.0 10264 1788  0  R+J   1:13AM 0:00.00 grep openvpn


ipfw list
Code:
00100 nat 1 ip from 10.8.0.0/24 to any out via epair5b
00200 nat 1 ip from any to any in via epair5b
65535 allow ip from any to any


sockstat -4 -l
Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS    
nobody   openvpn    74774 5  udp4   *:10010               *:*
root     syslogd    74742 7  udp4   *:514                 *:*


ls /dev/tun*
Code:
root@vpn_1//$ ls /dev/tun*
/dev/tun0


ifconfig
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair5b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:77:1a:00:0d:0b
    inet 192.168.86.46 netmask 0xffffff00 broadcast 192.168.86.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=9<PERFORMNUD,IFDISABLED>
    Opened by PID 11779


I tried to connect from my phone (on LTE) and from my laptop (hotspot started on my phone connected to LTE) using Tunnelblick. Both the connection from the phone alone and laptop/Tunnelblick say connected, but my IP address doesn't change.

Any idea's on what to look at next?
 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31
So... my openvpn is back to not starting up. I have two different jails using openvpn. I have my transmission_1 jail using openvpn as a client and my vpn_1 jail as a server. The transmission_1 jail's openvpn client use should be obvious from its use case.

I noticed this morning that the transmission_1 jail wasn't working correctly and had a similar error. I rebooted FreeNAS and now transmission_1 is working while vpn_1 is not.

That brings me to my question. Can tun0 exist in both jails simultaneously? I assume it should be able to. Just something I noticed that might not be related at all.
 

bigjay517

Dabbler
Joined
Jan 14, 2015
Messages
14
I have both running at the same time as well. My Transmission Jail VPN is running on tun1 and the OpenVPN only Jail is running on tun0.
 

g00mbs

Dabbler
Joined
Sep 13, 2015
Messages
31
Here is my openvpn log:
Code:
Thu Dec  3 22:46:41 2015 OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov  6 2015
Thu Dec  3 22:46:41 2015 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Thu Dec  3 22:46:41 2015 Diffie-Hellman initialized with 2048 bit key
Thu Dec  3 22:46:41 2015 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu Dec  3 22:46:41 2015 ROUTE_GATEWAY 192.168.86.1
Thu Dec  3 22:46:41 2015 TUN/TAP device /dev/tun1 opened
Thu Dec  3 22:46:41 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec  3 22:46:41 2015 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun1 does not exist
Thu Dec  3 22:46:41 2015 FreeBSD ifconfig failed: external program exited with error status: 1
Thu Dec  3 22:46:41 2015 Exiting due to fatal error


From the above I gathered that my openvpn server wants to see tun1. I'm pretty sure that the tun* exist across the entire freenas system. I proved this by restarting the vpn server multiple times and each time a new entry could be seen from ls /dev/tun* . This new entry was also seen from another jail (transmission_1).

I edited my ipfw.rules to rename my tun* to tun1 .
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun1


At that point the openvpn service starts.

Now I'm back to connecting to my openvpn server from my phone using an .apk I downloaded. The logs of connecting look as follows:
Code:
Thu Dec  3 22:57:35 2015 OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov  6 2015
Thu Dec  3 22:57:35 2015 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Thu Dec  3 22:57:35 2015 Diffie-Hellman initialized with 2048 bit key
Thu Dec  3 22:57:35 2015 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu Dec  3 22:57:35 2015 ROUTE_GATEWAY 192.168.86.1
Thu Dec  3 22:57:35 2015 TUN/TAP device /dev/tun1 opened
Thu Dec  3 22:57:35 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Dec  3 22:57:35 2015 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Thu Dec  3 22:57:35 2015 /sbin/route add -net 192.168.86.46 10.8.0.1 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.86.46: gateway 10.8.0.1 fib 0: route already in table
Thu Dec  3 22:57:35 2015 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Thu Dec  3 22:57:35 2015 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Thu Dec  3 22:57:35 2015 GID set to nobody
Thu Dec  3 22:57:35 2015 UID set to nobody
Thu Dec  3 22:57:35 2015 UDPv4 link local (bound): [undef]
Thu Dec  3 22:57:35 2015 UDPv4 link remote: [undef]
Thu Dec  3 22:57:35 2015 MULTI: multi_init called, r=256 v=256
Thu Dec  3 22:57:35 2015 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Dec  3 22:57:35 2015 ifconfig_pool_read(), in='g00mbs,10.8.0.4', TODO: IPv6
Thu Dec  3 22:57:35 2015 succeeded -> ifconfig_pool_set()
Thu Dec  3 22:57:35 2015 IFCONFIG POOL LIST
Thu Dec  3 22:57:35 2015 g00mbs,10.8.0.4
Thu Dec  3 22:57:35 2015 Initialization Sequence Completed
Thu Dec  3 22:59:27 2015 172.56.38.139:52122 TLS: Initial packet from [AF_INET]172.56.38.139:52122, sid=3504a30a 21c01f76
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 VERIFY OK: depth=1, C=US, ST=CA, L=SanJose, O=g00mbs, CN=FreeNas, name=EasyRSA, emailAddress=g00mbs@gmail.com
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 VERIFY OK: depth=0, C=US, ST=CA, L=SanJose, O=g00mbs, CN=g00mbs, name=EasyRSA, emailAddress=g00mbs@gmail.com
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Dec  3 22:59:28 2015 172.56.38.139:52122 [g00mbs] Peer Connection Initiated with [AF_INET]172.56.38.139:52122
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 MULTI: Learn: 10.8.0.6 -> g00mbs/172.56.38.139:52122
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 MULTI: primary virtual IP for g00mbs/172.56.38.139:52122: 10.8.0.6
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 send_push_reply(): safe_cap=940
Thu Dec  3 22:59:28 2015 g00mbs/172.56.38.139:52122 SENT CONTROL [g00mbs]: 'PUSH_REPLY,route 192.168.86.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Thu Dec  3 23:00:29 2015 g00mbs/172.56.38.139:52122 SIGTERM[soft,remote-exit] received, client-instance exiting
Thu Dec  3 23:02:25 2015 172.56.38.139:25962 TLS: Initial packet from [AF_INET]172.56.38.139:25962, sid=78e9e98b a9409648
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 VERIFY OK: depth=1, C=US, ST=CA, L=SanJose, O=g00mbs, CN=FreeNas, name=EasyRSA, emailAddress=g00mbs@gmail.com
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 VERIFY OK: depth=0, C=US, ST=CA, L=SanJose, O=g00mbs, CN=g00mbs, name=EasyRSA, emailAddress=g00mbs@gmail.com
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Thu Dec  3 23:02:26 2015 172.56.38.139:25962 [g00mbs] Peer Connection Initiated with [AF_INET]172.56.38.139:25962
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 MULTI: Learn: 10.8.0.6 -> g00mbs/172.56.38.139:25962
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 MULTI: primary virtual IP for g00mbs/172.56.38.139:25962: 10.8.0.6
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 PUSH: Received control message: 'PUSH_REQUEST'
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 send_push_reply(): safe_cap=940
Thu Dec  3 23:02:26 2015 g00mbs/172.56.38.139:25962 SENT CONTROL [g00mbs]: 'PUSH_REPLY,route 192.168.86.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)


ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair5b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:77:1a:00:0d:0b
    inet 192.168.86.46 netmask 0xffffff00 broadcast 192.168.86.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=9<PERFORMNUD,IFDISABLED>
    Opened by PID 12164


My current problem is that I am unable to connect to any local IPs in my network and my phone doesn't have the same WAN IP as the rest of my network. Any ideas there?

I can reach normal webpages, just nothing internal to my network.

***********UPDATE**************
Got it working.
I added these last two lines to my client config. The IP address there is my Router. I was getting confused as I couldn't connect to DNS server name "freenas/" on chrome. When I used the IP everything worked fine. So DNS isn't getting passed through. Is there a way to do that?

Here is my client config:
Code:
client
dev tun
proto udp
remote ###yourdomain### 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert g00mbs.crt
key g00mbs.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3
dhcp-option DNS 192.168.100.1
redirect-gateway def1
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Please allow me a quick question that will perhaps end my sleepless nights...

My config is working just fine when it comes to creating the connection. My router is at 10.0.1.1, my Jail is at 10.0.1.12 and the rest of the VPN config is the default as instructed in the first page. The only problem is that I can't reach any server on my home network regardless of my efforts and playing with the configuration files. I suppose it's a simple forwarding glitch but I'm not at the expert level to solve it myself so here I am kindly turning to you all for just a little help. Here's a part of my log file:

Code:
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Fri Dec  4 22:57:27 2015 85.118.92.17:34603 [ach1] Peer Connection Initiated with [AF_INET]85.118.92.17:34603
Fri Dec  4 22:57:27 2015 ach1/85.118.92.17:34603 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Fri Dec  4 22:57:27 2015 ach1/85.118.92.17:34603 MULTI: Learn: 10.8.0.6 -> ach1/85.118.92.17:34603
Fri Dec  4 22:57:27 2015 ach1/85.118.92.17:34603 MULTI: primary virtual IP for ach1/85.118.92.17:34603: 10.8.0.6
Fri Dec  4 22:57:29 2015 ach1/85.118.92.17:34603 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec  4 22:57:29 2015 ach1/85.118.92.17:34603 send_push_reply(): safe_cap=940
Fri Dec  4 22:57:29 2015 ach1/85.118.92.17:34603 SENT CONTROL [ach1]: 'PUSH_REPLY,route 10.0.1.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1)
Fri Dec  4 23:03:58 2015 ach1/85.118.92.17:34603 [ach1] Inactivity timeout (--ping-restart), restarting
Fri Dec  4 23:03:58 2015 ach1/85.118.92.17:34603 SIGUSR1[soft,ping-restart] received, client-instance restarting


Here's my config file:

Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.1.0 255.255.255.0" #Yellow network
route 10.0.1.12 255.255.255.0 10.8.0.1 #Routes traffic from the Yellow network side (10.0.0.0/24)
                                      #to the Purple network side (10.8.0.0/24)
#push "dhcp-option DNS 10.0.1.1"
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
log-append /mnt/openvpn/server_log.log


Do you notice a problem somewhere? :(

Thank you very much in advance for any help given!

p.s.
just one more thing: when I specifically point to my router's DNS (10.0.1.1) I lose any internet connection, which is rather strange I think. With no DNS specified (as by default) at least I do have internet.
 

Joe Fenton

Dabbler
Joined
May 5, 2015
Messages
40
Hi everyone,

I've been through these instructions several times now, and feel that I am quite close to getting this working, but need a little help to finish. I've read through quite a lot of these comment pages and tried quite a few things, but can't seem to quite get there.

When I run ipfw list I just get:
[root@OpenVPN /]# ipfw list
65535 allow ip from any to any

The ipfw.rules file is:
Code:
#!/bin/sh

# Discover the jail's epair interface at run time (the number can change when jails are recreated).
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename whatever tun device the jail was given to tun0 so openvpn.conf can refer to it.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

I also get this in the log file:
Sun Dec 6 08:57:35 2015 us=411110 OpenVPN 2.3.8 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Nov 6 2015
Sun Dec 6 08:57:35 2015 us=411161 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Sun Dec 6 08:57:35 2015 us=432693 Diffie-Hellman initialized with 2048 bit key
Sun Dec 6 08:57:35 2015 us=433779 WARNING: file '/mnt/openvpn/keys/openvpn-server.key' is group or others accessible
Sun Dec 6 08:57:35 2015 us=434472 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:3 ]
Sun Dec 6 08:57:35 2015 us=434550 Socket Buffers: R=[42080->65536] S=[9216->65536]
Sun Dec 6 08:57:35 2015 us=434698 ROUTE_GATEWAY 192.168.1.254
Sun Dec 6 08:57:35 2015 us=434842 TUN/TAP device /dev/tun0 opened
Sun Dec 6 08:57:35 2015 us=434891 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 6 08:57:35 2015 us=434950 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sun Dec 6 08:57:35 2015 us=437229 /sbin/route add -net 192.168.1.223 10.8.0.1 255.255.255.0
route: writing to routing socket: File exists
add net 192.168.1.223: gateway 10.8.0.1 fib 0: route already in table
Sun Dec 6 08:57:35 2015 us=439039 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec 6 08:57:35 2015 us=439161 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sun Dec 6 08:57:35 2015 us=440876 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Sun Dec 6 08:57:35 2015 us=441901 GID set to nobody
Sun Dec 6 08:57:35 2015 us=441966 UID set to nobody
Sun Dec 6 08:57:35 2015 us=442005 UDPv4 link local (bound): [undef]
Sun Dec 6 08:57:35 2015 us=442038 UDPv4 link remote: [undef]
Sun Dec 6 08:57:35 2015 us=442081 MULTI: multi_init called, r=256 v=256
Sun Dec 6 08:57:35 2015 us=442164 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Dec 6 08:57:35 2015 us=442209 IFCONFIG POOL LIST
Sun Dec 6 08:57:35 2015 us=442306 Initialization Sequence Completed

I am not quite sure what those errors are about. My openvpn.conf file reads:

port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.223 255.255.255.0 10.8.0.1

keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 6

log-append /mnt/openvpn/server_log.log

I wasn't sure what the push "route" address should be: should it be the gateway/router, in which case it should be 192.168.1.255, or the FreeNAS server, or just 0?

[root@OpenVPN /]# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 4907 5 udp4 *:10011 *:*
root syslogd 4875 7 udp4 *:514 *:*

[root@OpenVPN /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:d6:51:00:0d:0b
inet 192.168.1.223 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
nd6 options=9<PERFORMNUD,IFDISABLED>
Opened by PID 4907

Any help much appreciated on this. I am quite new to this platform and, having tried this several times now, feel like I've exhausted my options.

Thanks
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Hi Joe,

If you receive "65535 allow ip from any to any", just double-check that your /etc/rc.conf is pointing to ipfw.rules and, of course, that you have the ipfw.rules file already in place. Fix this and come back if something else is still broken.

Also, try to quote your logs as CODE for a more readable format. Thanks.
 

tstorm

Explorer
Joined
Jan 5, 2015
Messages
69
I was able to connect to my VPN today but couldn't access anything on the network, and the internet was down. This has happened before: the epair changed and I needed to update the ipfw.rules. Any idea why/how this happens?
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Strangely, you shouldn't have to change anything regarding the firewall, as the script in the ipfw.rules takes care of all this.

You do have this line in your /etc/rc.conf, right?

Code:
firewall_script="/usr/local/etc/ipfw.rules"


Not having access to anything on the intranet seems to be a common issue, from which I'm personally suffering as well. For the internet connection, try to skip the DNS push if you have one added in your openvpn.conf. I also happen to lose any internet when I add any DNS push, regardless of whether it's my router's or Google's DNS IP.
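The two replies above both point at the same checks when ipfw shows only "65535 allow ip from any to any": that /etc/rc.conf's firewall_script points at an ipfw.rules file that actually exists, and that the rules script discovers the epair name at run time instead of hard-coding it. The script below is an added diagnostic, not part of the guide or of anyone's post in this thread; it bundles those checks, adds a test for whether ipfw is still at the bare default rule, and runs them over constructed inputs. The function names, the demo() inputs and the temporary rc.conf are assumptions made for this example; the file paths are the ones used in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the guide): checks the rc.conf -> ipfw.rules link,
# epair discovery, and whether ipfw still holds only the default rule.

# Print the firewall_script value from an rc.conf-style file ($1); empty if unset.
firewall_script_path() {
    sed -n 's/^firewall_script="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Print the jail-side epair name (epairNb) from "ifconfig -l" style output ($1).
# This is what the guide's ipfw.rules does with its EPAIR variable; a hard-coded
# name breaks as soon as the jail is recreated with a different number.
epair_from_list() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep '^epair[0-9]*b$' | head -n 1
}

# Succeed if $1 (output of "ipfw list") is the bare default ruleset, meaning the
# firewall script never installed its NAT rules (or flushed and then failed).
ruleset_is_default() {
    [ "$(printf '%s\n' "$1" | grep -c '^[0-9]')" -eq 1 ] &&
        printf '%s\n' "$1" | grep -q '^65535 allow ip from any to any$'
}

# Combine the checks. $1 = rc.conf path, $2 = "ifconfig -l" output, $3 = "ipfw list" output.
# Prints one finding per line; the return value is the number of problems found.
check_firewall_setup() {
    problems=0
    script=$(firewall_script_path "$1")
    if [ -z "$script" ]; then
        echo "PROBLEM: firewall_script is not set in $1"
        problems=$((problems + 1))
    elif [ ! -r "$script" ]; then
        echo "PROBLEM: firewall_script=\"$script\" but that file does not exist or is unreadable"
        problems=$((problems + 1))
    else
        echo "ok: $1 points at $script"
    fi
    epair=$(epair_from_list "$2")
    if [ -z "$epair" ]; then
        echo "PROBLEM: no epairNb interface visible; the NAT rules have nothing to bind to"
        problems=$((problems + 1))
    else
        echo "ok: jail interface is $epair (reference it as \${EPAIR}, not by name)"
    fi
    if ruleset_is_default "$3"; then
        echo "PROBLEM: ipfw holds only the default rule; ipfw.rules did not run or failed"
        problems=$((problems + 1))
    else
        echo "ok: ipfw has custom rules loaded"
    fi
    return "$problems"
}

# Constructed demo: an rc.conf that names the guide's path while the file is missing,
# plus an "ipfw list" showing only the default rule, i.e. the symptom from the thread.
# On a real jail run instead:
#   check_firewall_setup /etc/rc.conf "$(ifconfig -l)" "$(ipfw list)"
demo() {
    tmp=$(mktemp)
    printf 'firewall_enable="YES"\nfirewall_script="/usr/local/etc/ipfw.rules"\n' > "$tmp"
    check_firewall_setup "$tmp" "lo0 epair0b" "65535 allow ip from any to any"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Run as "sh check-ipfw.sh demo" to see the constructed case; exit status = problem count.
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

The script only reads inputs you hand it, so it can be run inside the jail as nobody without touching the ruleset; a non-zero exit status tells you which of the three preconditions the guide relies on is not met.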
 

tstorm

Explorer
Joined
Jan 5, 2015
Messages
69
Yes, I have that in rc.conf; that's not the issue. It's that when I run ifconfig, my epair#b has changed number and my ipfw.rules needs to be updated to reflect that. I'm curious as to what could cause this: a new jail, a FreeNAS update, gremlins? This is the 3rd time in just under a year this has happened.

EDIT: I should also mention that I usually have OpenVPN running great without issues.
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
I just briefly wanted to confirm what others have already stated before me: if you have problems connecting to the local hosts, then you should try rebooting the whole FreeNAS box. I also have no idea why that is so, but the fact is that it works, so give it a try if you like.
 