How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

rbanaco

Cadet
Joined
Oct 15, 2012
Messages
6
Hello ppl, I'm having a strange behavior with my OpenVPN jail.
All seems OK and clients can connect... the problem is that sometimes they can't... it seems really random, as if the server sometimes "sleeps". I need to go inside the jail and restart the service, which sometimes works and sometimes doesn't... when it doesn't, I restart the whole FreeNAS and it works again for some time before doing it again =/

Does anyone have an idea what it is? The outputs of my jail are the same as in the tutorial and all seems fine... except that it is not constant.

Thank you very much for your support!

I installed everything again and the same is happening... sometimes it connects perfectly from outside, sometimes it doesn't... after restarting FreeNAS it works again. Restarting the jail sometimes works, sometimes it doesn't; restarting the service sometimes works, sometimes doesn't...

The outputs from NAT are all OK... I don't understand what is happening.

Does anyone have a clue? Thank you!


Another bit of info: if I connect from within the same network it always connects, but from outside I get these results... if the NAT is OK, what could it be?
 

samwheat90

Cadet
Joined
Jan 30, 2016
Messages
5
Edit: Found my own typo: dh /mnt/openvpn/keys/dh2048.pemserver

Edit2: I was able to connect to OpenVPN, but not able to access anything on my home network

I removed:

Code:
dhcp-option DNS 10.0.0.25
redirect-gateway def1


and can now access the internet, but still can't access anything on the home network.



I'm going through the steps with a fine-tooth comb. This is how my sockstat -4 -l looks:
[screenshot of sockstat -4 -l output]

Not sure why it's not showing "nobody openvpn 63758 6 udp4 *:10010 *:*" as well.

Here is my server:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pemserver
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0  255.255.255.0"
route 192.168.1.9 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

My ipfw.rules:

Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

My rc.conf:

Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="openvpn_1"
hostname="openvpn_1"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
 
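As an added example (not code from the thread or from the tutorial's author), the following Python script cross-checks a server config of the kind posted above against the NAT rule from ipfw.rules: it confirms the ipfw NAT source range covers the `server` subnet, that each `route` gateway lies inside that subnet and the route is a proper network address, that `user nobody` is paired with persist-key/persist-tun (without them the process cannot reopen the key or tun device after a restart signal), and it notes settings a defender would revisit (no tls-auth, no explicit cipher, comp-lzo). The sample config is constructed from the post with the dh typo corrected; the hardened variant and the finding codes are this example's own assumptions.

```python
"""Added example: lint an OpenVPN server config against the jail's ipfw NAT rule.
Not from the thread; finding codes and the hardened variant are this example's own."""
import ipaddress
import shlex

# Constructed from the server config posted above (dh typo corrected).
SERVER_CONF = """\
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0  255.255.255.0"
route 192.168.1.9 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
"""

# Constructed hardened variant for comparison (assumed values, not from the thread).
HARDENED_CONF = (SERVER_CONF
                 .replace("route 192.168.1.9 ", "route 192.168.1.0 ")
                 .replace("#tls-auth", "tls-auth")
                 .replace("comp-lzo\n", "cipher AES-256-CBC\nauth SHA256\n"))

# The ipfw.rules posted above, minus the interface-discovery lines.
IPFW_RULES = """\
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
"""


def parse_openvpn(text):
    """Return [(directive, [args])]; comments and blank lines are dropped and
    quoted arguments such as push "route ..." stay one token."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            tok = shlex.split(line)
            entries.append((tok[0], tok[1:]))
    return entries


def nat_sources(text):
    """Source networks of 'ipfw add nat ... from X to any out' rules."""
    nets = []
    for line in text.splitlines():
        tok = line.split()
        if "nat" in tok and "from" in tok and "out" in tok:
            src = tok[tok.index("from") + 1]
            if src != "any":
                nets.append(ipaddress.ip_network(src, strict=False))
    return nets


def audit(conf_text, ipfw_text):
    """Return 'CODE: detail' findings; an empty list means every check passed."""
    conf = parse_openvpn(conf_text)
    present = {d for d, _ in conf}
    findings = []
    server = next((a for d, a in conf if d == "server"), None)
    if server is None:
        return ["NO_SERVER: no 'server' directive, nothing to check"]
    vpn_net = ipaddress.ip_network(f"{server[0]}/{server[1]}")
    for d, a in conf:
        if d == "route" and len(a) >= 3:
            net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            if str(net.network_address) != a[0]:
                findings.append(f"ROUTE_HOSTBITS: route {a[0]} {a[1]} is not a network "
                                f"address; the kernel installs {net}")
            if ipaddress.ip_address(a[2]) not in vpn_net:
                findings.append(f"ROUTE_GW: gateway {a[2]} lies outside the VPN subnet {vpn_net}")
        elif d == "push" and a and a[0].startswith("route "):
            _, lan_ip, lan_mask = a[0].split()[:3]
            lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
            if lan.overlaps(vpn_net):
                findings.append(f"PUSH_OVERLAP: pushed route {lan} overlaps the VPN subnet {vpn_net}")
    if not any(vpn_net.subnet_of(src) for src in nat_sources(ipfw_text)):
        findings.append(f"NAT_MISS: no ipfw nat rule translates traffic from {vpn_net}")
    if "user" in present and not {"persist-key", "persist-tun"} <= present:
        findings.append("PERSIST: 'user' drops privileges but persist-key/persist-tun are "
                        "missing; keys and the tun device cannot be reopened after SIGUSR1")
    if not present & {"tls-auth", "tls-crypt"}:
        findings.append("NO_TLS_AUTH: control channel has no tls-auth/tls-crypt; "
                        "any host can start a TLS handshake")
    if "cipher" not in present:
        findings.append("DEFAULT_CIPHER: no 'cipher' line, so OpenVPN 2.3 uses BF-CBC, "
                        "a 64-bit block cipher")
    if "comp-lzo" in present:
        findings.append("COMPRESSION: comp-lzo compresses tunnel traffic; disable it unless required")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SERVER_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf, IPFW_RULES) or "OK")
```

Run it as-is to see the posted config produce four findings and the hardened variant none; point it at your own openvpn.conf and ipfw.rules text to repeat the check after every edit.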

Osiris

Contributor
Joined
Aug 15, 2013
Messages
148
Just wanted to add: superb tutorial, but could you add Pekka Piippo's entries on certificate generation with the latest easyrsa to it?
 

samwheat90

Cadet
Joined
Jan 30, 2016
Messages
5
Following the guide and the help from the comments, I was able to get my jail set up correctly. I use OpenVPN on my phone and Tunnelblick on my MacBook Air. I've noticed that my connection seems to drop and I have to reconnect often on my MBA. Are there any adjustments I can make in the server or client that will eliminate this issue?
 

obsoleteserver

Guest
Followed the guide, now stuck at sourcing ./vars.
It outputs this:

You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.

The next steps fail, presumably because I haven't sourced the vars file. How can I 'source' it? Or is it because this guide is outdated and now I'm supposed to use another way to install OpenVPN?

Bit of an OpenVPN newbie here, please help!!

EDIT: Looks like I need to ditch vars, and just append 'easyrsa' without the quotes to the commands following the sourcing of the vars file.

So, ./build-ca would be 'easyrsa build-ca' and so on. One thing you must notice is that some of the commands are different, and must be checked out by just plain writing 'easyrsa' in the shell. There's a list of commands that you guys must use.

If you guys still don't get it, just look below:

easyrsa build-ca
easyrsa build-server-full openvpn-server
easyrsa gen-dh
easyrsa build-client-full johnny.appleseed (repeat if you need more users, like the ones down below)
easyrsa build-client-full timmy.cook

Then you guys could follow the rest of the guide.

EDIT2: Keep in mind, you must use

cp -R instead of cp to copy the entire directory.

And since we used a different way, we must copy the pki directory, not the keys.

So, the copy command would be like this:

cp -R pki/* /mnt/openvpn/keys

I will be posting this on my blog, if I have time. Despite it being in Korean, I think you guys could comprehend Linux commands, right?
 

Tiwox

Cadet
Joined
Mar 2, 2016
Messages
5
Followed the guide, now stuck at sourcing ./vars.
It outputs this:

You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.

The next steps fail, presumably because I haven't sourced the vars file. How can I 'source' it? Or is it because this guide is outdated and now I'm supposed to use another way to install OpenVPN?

Bit of an OpenVPN newbie here, please help!!

...

Hi ideaman924

Please check Pekka Piippo's posting.

I don't know FreeBSD pkg management so I don't know how to downgrade.

Anyhow, I got OpenVPN running. Here's what I did to get certificates generated and some other things that differ from the OP. Commands run in the jail:

pkg install openssl
cd /usr/local/share/easy-rsa
cp ../openssl/openssl.cnf.sample easy-rsa/openssl-1.0.cnf


Now edit the copied openssl-1.0.cnf and change (use nano, vim...):

dir = ./pki
certs = $dir
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_md = md5


If you want, you can also change following values to your liking so creating new certificates doesn't require as much writing when inputting details:

countryName_default = AU
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address


Now run some commands:

cd /usr/local/share/easy-rsa
easyrsa init-pki
easyrsa build-ca # CA key and crt

easyrsa gen-req openvpn-server nopass # server signing request
easyrsa sign-req server openvpn-server # sign the request

easyrsa gen-req someclient1 nopass # client signing request
easyrsa sign-req client someclient1 # sign the request

easyrsa gen-dh # dh.pem


cp pki/private/* /mnt/openvpn/keys
cp pki/issued/* /mnt/openvpn/keys
cp pki/ca.crt /mnt/openvpn/keys
cp pki/dh.pem /mnt/openvpn/keys/dh2048.pem


Now the certificates are created and one should be able to follow the original guide.
One change is needed to the client config: change ns-cert-type server to remote-cert-tls server. I couldn't connect the Android OpenVPN client because the generated certs don't have the ns-cert-type field or something...
I also needed to reboot FreeNAS to get routing to work, as someone pointed out earlier.

edit: added nopass options to gen-req lines
 

obsoleteserver

Guest
Thanks, but now my problem is more complicated. I'm trying to access my server in the yellow network: 192.168.0.100. My OpenVPN jail is in 192.168.0.200. My router is an Archer C2 with an IP address of 192.168.0.1.

Now, I'm in a library, where I initially had problems connecting through the VPN. After a successful connection (after many tries), I was able to access the internet (presumably because I did not choose to filter every connection), but I could not access my home share. The operation timed out on Chrome.

Okay, so filter all connection time, right? Nope. After I tried the DHCP-option thing mentioned by @robles, (and gnashed my teeth as I tried to establish a connection yet again,) I finally found myself with... no internet at all. I tried changing the IP next to 192.168.0.1, to 8.8.8.8. No change. I saw that I had connected, yes, but when I pinged my server, 192.168.0.100 through CMD, the operation kept timing out.

How can I fix this?

Oh, and also, how can I set up fail2ban on my OpenVPN?
 

fbafkis

Dabbler
Joined
Dec 14, 2014
Messages
12
Hi everybody. I have FreeNAS 9.3 and I followed exactly the steps from the guide, but now if I type "ipfw list" I get a
"pfw: getsockopt(IP_FW_GET): Operation not permitted" message. What can I do? Will the openvpn script work anyway?

Thank you very much for the support!
 

wreuel

Dabbler
Joined
Oct 26, 2012
Messages
47
Hello, everyone, I have followed the tutorial using FreeNAS 9.3, but when I try to install the openvpn package, the system returns that the package doesn't exist.
Can anyone help me with this?
 

Janox

Cadet
Joined
Apr 18, 2016
Messages
2
First of all, big thanks for this guide.
After a few hours I was happy to connect to my VPN.
The problem is, I can connect to my VPN but have no network access to any other device.
I can't ping anything in 192.168.178.x or 10.8.0.x.
I have checked everything multiple times, but I cannot find the problem.
(I just want to have access to my files on the NAS, no need for Internet through it.)

192.168.178.0 /24 is my regular home network
192.168.178.1 /24 is my router
192.168.178.89 /24 is my FreeNAS
192.168.178.123 /24 is my OpenVPN-jail
10.8.0.0 /24 is the network where the VPN-clients will end up

openvpn.config
Code:
port 1194
proto udp
dev tun

ca /openvpn/keys/ca.crt
cert /openvpn/keys/openvpn-server.crt
key /openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /openvpn/keys/dh2048.pem

server 10.8.0.0 255.255.255.0
push "route 192.168.178.0 255.255.255.0"
route 192.168.178.123 255.255.255.0 10.8.0.1

keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /openvpn/openvpn-status.log
log /openvpn/openvpn.log
ifconfig-pool-persist /openvpn/ipp.txt
verb 3


client.ovpn
Code:
client
dev tun
proto udp
remote adress.noip.me 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert jano1.crt
key jano1.key
#tls-auth auth.key 1
remote-cert-tls server
comp-lzo
verb 3


/etc/rc.conf
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/openvpn/server.conf"
openvpn_dir="/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


/usr/local/etc/ipfw.rules
Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


openvpn-status.log
Code:
OpenVPN CLIENT LIST
Updated,Mon Apr 18 19:30:16 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jano,xx.xx.41.139:62793,41813,17923,Mon Apr 18 18:44:37 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,jano,xx.xx.41.139:62793,Mon Apr 18 18:50:49 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END


connecting part of openvpn.log
Code:
Mon Apr 18 19:33:45 2016 xx.xx.41.139:62793 TLS: Initial packet from [AF_INET]xx.xx.41.139:62793, sid=1e213aa0 f5413706
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 VERIFY OK: depth=1, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 VERIFY OK: depth=0, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=jano
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 [jano] Peer Connection Initiated with [AF_INET]xx.xx.41.139:62793
Mon Apr 18 19:33:46 2016 MULTI: new connection by client 'jano' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using$
Mon Apr 18 19:33:46 2016 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Apr 18 19:33:46 2016 MULTI: Learn: 10.8.0.6 -> jano/xx.xx.41.139:62793
Mon Apr 18 19:33:46 2016 MULTI: primary virtual IP for jano/xx.xx.41.139:62793: 10.8.0.6
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 send_push_reply(): safe_cap=940
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 SENT CONTROL [jano]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status$


thanks for the help!
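As an added example (not code from the thread), the Python script below parses the openvpn-status.log format shown above into client sessions and pulls the routes out of the PUSH_REPLY line in openvpn.log, which is a quick way to confirm that a client really received the LAN route before turning to NAT and the gateway. It also flags what this log excerpt shows the data and control channels negotiating (BF-CBC, a SHA1 HMAC, TLSv1): those were the OpenVPN 2.3 defaults and are worth pinning to an AES cipher, SHA-256 and a TLS 1.2 minimum on both server and clients. The sample lines are constructed from the post with the client's public address replaced by a documentation-range one; the finding codes are this example's own.

```python
"""Added example: parse an OpenVPN status file and audit the crypto negotiated in
openvpn.log. Not from the thread; finding codes are this example's own."""
import re
from datetime import datetime

TS = "%a %b %d %H:%M:%S %Y"   # timestamp format OpenVPN 2.3 writes

# Constructed from the status file posted above; the client's public address is
# replaced with a documentation-range value.
STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Mon Apr 18 19:30:16 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jano,203.0.113.7:62793,41813,17923,Mon Apr 18 18:44:37 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,jano,203.0.113.7:62793,Mon Apr 18 18:50:49 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""

# Constructed from the openvpn.log excerpt posted above (same address substitution).
LOG_LINES = [
    "Mon Apr 18 19:33:46 2016 203.0.113.7:62793 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key",
    "Mon Apr 18 19:33:46 2016 203.0.113.7:62793 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication",
    "Mon Apr 18 19:33:46 2016 203.0.113.7:62793 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA",
    "Mon Apr 18 19:33:46 2016 MULTI: new connection by client 'jano' will cause previous active sessions by this client to be dropped.",
    "Mon Apr 18 19:33:48 2016 jano/203.0.113.7:62793 SENT CONTROL [jano]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'",
]

# Ciphers with a 64-bit block size; OpenVPN later moved its default to AES-256-GCM.
WEAK_64BIT = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}


def parse_status(text):
    """Parse the version-1 status file into {'updated', 'clients', 'routes'}."""
    section, result = None, {"updated": None, "clients": [], "routes": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Updated,"):
            result["updated"] = datetime.strptime(line.split(",", 1)[1], TS)
        elif line in ("OpenVPN CLIENT LIST", "ROUTING TABLE", "GLOBAL STATS", "END"):
            section = line
        elif line.startswith(("Common Name,", "Virtual Address,", "Max bcast")):
            continue                              # column headers / global stats
        elif section == "OpenVPN CLIENT LIST":
            cn, real, rx, tx, since = line.split(",")
            result["clients"].append({"cn": cn, "real": real, "rx": int(rx), "tx": int(tx),
                                      "since": datetime.strptime(since, TS)})
        elif section == "ROUTING TABLE":
            vip, cn, real, last = line.split(",")
            result["routes"].append({"vip": vip, "cn": cn, "last": datetime.strptime(last, TS)})
    return result


def session_summary(text):
    """One row per connected client: tunnel IP, session age in seconds, byte counts."""
    st = parse_status(text)
    vip = {r["cn"]: r["vip"] for r in st["routes"]}
    return [{"cn": c["cn"], "vip": vip.get(c["cn"]), "real": c["real"],
             "seconds": int((st["updated"] - c["since"]).total_seconds()),
             "rx": c["rx"], "tx": c["tx"]} for c in st["clients"]]


def pushed_routes(lines):
    """Routes the server sent in PUSH_REPLY, as 'network netmask' strings."""
    routes = []
    for line in lines:
        m = re.search(r"PUSH_REPLY,([^']*)'", line)
        if m:
            routes += [opt[len("route "):] for opt in m.group(1).split(",")
                       if opt.startswith("route ")]
    return routes


def audit_log(lines):
    """Flag weak negotiated crypto and duplicate-CN session drops seen in the log."""
    findings = []
    for line in lines:
        m = re.search(r"Data Channel Encrypt: Cipher '([^']+)' initialized", line)
        if m and m.group(1) in WEAK_64BIT:
            findings.append(f"WEAK_CIPHER: {m.group(1)} is a 64-bit block cipher; "
                            "set 'cipher AES-256-CBC' (or AES-256-GCM) on server and clients")
        m = re.search(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)'", line)
        if m and m.group(1) in ("MD5", "SHA1"):
            findings.append(f"WEAK_AUTH: HMAC uses {m.group(1)}; set 'auth SHA256' on both sides")
        m = re.search(r"Control Channel: (TLSv1(?:\.\d)?),", line)
        if m and m.group(1) in ("TLSv1", "TLSv1.1"):
            findings.append(f"OLD_TLS: control channel negotiated {m.group(1)}; "
                            "add 'tls-version-min 1.2'")
        if "will cause previous active sessions by this client to be dropped" in line:
            findings.append("DUP_CN: a new connection with the same certificate CN "
                            "dropped the earlier session for that CN")
    return findings


if __name__ == "__main__":
    print(session_summary(STATUS_LOG))
    print("pushed:", pushed_routes(LOG_LINES))
    print("\n".join(audit_log(LOG_LINES)))
```

On the posted excerpt the summary shows jano at 10.8.0.6 with a 2739-second session and the pushed routes include 192.168.178.0 255.255.255.0, so the client side has the LAN route; the remaining checks are on the return path (the ipfw NAT rule and gateway_enable in the jail).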
 

Chakalov

Explorer
Joined
Feb 9, 2015
Messages
53
Have you tried rebooting the whole NAS as we all did when experiencing this problem?
 
Joined
Apr 9, 2015
Messages
1,258
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto

Followed the guide, now stuck at sourcing ./vars.
It outputs this:

You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.

The next steps fail, presumably because I haven't sourced the vars file. How can I 'source' it? Or is it because this guide is outdated and now I'm supposed to use another way to install OpenVPN?

Bit of an OpenVPN newbie here, please help!!

EDIT: Looks like I need to ditch vars, and just append 'easyrsa' without the quotes to the commands following the sourcing of the vars file.

So, ./build-ca would be 'easyrsa build-ca' and so on. One thing you must notice is that some of the commands are different, and must be checked out by just plain writing 'easyrsa' in the shell. There's a list of commands that you guys must use.

If you guys still don't get it, just look below:

easyrsa build-ca
easyrsa build-server-full openvpn-server
easyrsa gen-dh
easyrsa build-client-full johnny.appleseed (repeat if you need more users, like the ones down below)
easyrsa build-client-full timmy.cook

Then you guys could follow the rest of the guide.

EDIT2: Keep in mind, you must use

cp -R instead of cp to copy the entire directory.

And since we used a different way, we must copy the pki directory, not the keys.

So, the copy command would be like this:

cp -R pki/* /mnt/openvpn/keys

I will be posting this on my blog.. If I have time. Despite it being in Korean, I think you guys could comprehend Linux commands, right?

Just a note: doing this on 9.10 with a 10.3 jail, you need to do a

easyrsa init-pki

to get the process started. After that point you can go through the steps listed above.

Also the certs and keys are being placed in subfolders like "issued" and "private" so you will either need to modify your config to reflect this or copy them individually into a folder.

cert /mnt/openvpn/keys/issued/VPN-Certificate.crt #Server key created previously
key /mnt/openvpn/keys/private/VPN-Key.key

Also the dh2048.pem now seems to be dh.pem
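To make the layout change described in this post (and in the cp -R step a few posts up) easy to verify, here is an added example in Python, not code from the thread: it reads the ca/cert/key/dh lines of an OpenVPN config, reports which files are missing from the configured path, looks for them under the easy-rsa 3 locations (issued/, private/, and dh.pem instead of dh2048.pem), and flags private material that is readable by group or other. The demo tree it builds holds placeholder files, not real keys. One more thing worth checking in that certificate procedure: the openssl-1.0.cnf edit earlier in the thread sets default_md = md5, and MD5-signed certificates are rejected by current OpenSSL and OpenVPN builds, so sha256 is the value to use there.

```python
"""Added example: check that the PKI files an OpenVPN config references exist where
it says, and locate them in the easy-rsa 3 layout (issued/, private/, dh.pem) if not.
Not from the thread; the demo tree holds placeholder files, not real keys."""
import os
import stat
import tempfile

PKI_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-auth", "crl-verify")


def parse_key_paths(conf_text):
    """Return {directive: path} for the PKI files a config references."""
    paths = {}
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()        # drop trailing comments
        if len(tok) >= 2 and tok[0] in PKI_DIRECTIVES:
            paths[tok[0]] = tok[1]
    return paths


def check_pki_files(conf_text):
    """Per directive: configured path, where the file was actually found (or None),
    and issue codes: MISSING, RELOCATED (found under issued/, private/ or as dh.pem),
    KEY_PERMS (private material readable by group or other)."""
    report = {}
    for directive, path in parse_key_paths(conf_text).items():
        d, base = os.path.split(path)
        candidates = [path, os.path.join(d, "issued", base), os.path.join(d, "private", base)]
        if directive == "dh":
            candidates.append(os.path.join(d, "dh.pem"))   # easy-rsa 3 output name
        found = next((c for c in candidates if os.path.isfile(c)), None)
        issues = []
        if found is None:
            issues.append("MISSING")
        elif found != path:
            issues.append("RELOCATED")
        if found and directive in ("key", "tls-auth"):
            if stat.S_IMODE(os.stat(found).st_mode) & 0o077:
                issues.append("KEY_PERMS")
        report[directive] = {"configured": path, "found": found, "issues": issues}
    return report


def build_demo_tree():
    """Create a temp dir laid out like 'cp -R pki/* /mnt/openvpn/keys' (constructed)."""
    root = tempfile.mkdtemp(prefix="ovpn-keys-")
    for rel in ("ca.crt", "issued/openvpn-server.crt", "private/openvpn-server.key", "dh.pem"):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("placeholder, not a real certificate or key\n")
        os.chmod(p, 0o644)    # deliberately too open for the .key file
    return root


def demo_conf(root):
    """The ca/cert/key/dh lines from the guide, pointing at the old flat layout."""
    return (f"ca {root}/ca.crt\n"
            f"cert {root}/openvpn-server.crt\n"
            f"key {root}/openvpn-server.key  # This file should be kept secret\n"
            f"dh {root}/dh2048.pem\n")


if __name__ == "__main__":
    root = build_demo_tree()
    for name, r in check_pki_files(demo_conf(root)).items():
        print(f"{name:5} {r['configured']} -> {r['found']} {r['issues']}")
```

Against a real jail, replace demo_conf() with the contents of your openvpn.conf; every RELOCATED entry is a line to point at the issued/ or private/ subfolder (or a file to copy up), and KEY_PERMS on the server key is fixed with chmod 600.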
 

treboR2Robert

Dabbler
Joined
Sep 24, 2014
Messages
46
Is anyone planning to write a fresh guide on how to install OpenVPN on FreeNAS 9.10 with the new easy-rsa thing?

I have been trying to get it going for hours now but I'm not the smartest cookie in the tin, and would really appreciate a "FOOL" proof guide lol.

I have now given up for the day and just deleted the Jail. Maybe start from scratch again tomorrow ?

So Pretty Please my clever coding buddies, can you write a nice new guide ;)
 

Dan Nguyen

Cadet
Joined
Jun 22, 2015
Messages
1
I ran pkg install easy-rsa2

Then used the steps in #1 with the same commands.
Got it working on FreeNAS-9.3-STABLE-201602031011
Thanks for the steps.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
Has anyone considered updating this guide for either:
  • An installation in the new Jails in FreeNAS 9.10, i.e., FreeBSD 10.3-RC2 based template? Does anything change?
  • Migrating a 9.3.x Jail installation to the 9.10 Jail
I'd like to upgrade to 9.10 but I'd rather not be the first person to set up OpenVPN on a 9.10 Jail. :)
 

rustydreamcast

Dabbler
Joined
Aug 12, 2013
Messages
11
Any idea why I get this?

[root@open_vpn /usr/local/share/easy-rsa]# source ./vars
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details
 