samwheat90
@pirateghost Thank you. I was initially trying to access the FTP through the terminal on my Mac. I'll try WinSCP instead. Thank you
FileZilla will work for you.
Hello ppl, I'm getting some strange behavior from my OpenVPN jail.
All seems OK and clients can connect... the problem is that sometimes they can't... it seems really random, and it seems like the server sometimes "sleeps". I need to go inside the jail and restart the service, which sometimes works and sometimes doesn't... when it doesn't, I restart the whole FreeNAS and it works again for some time before doing it again =/
Does anyone have an idea what it is? The outputs of my jail are the same as in the tutorial and all seems fine... except that it is not constant.
Thank you very much for your support!
dhcp-option DNS 10.0.0.25
redirect-gateway def1
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.9 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
#!/bin/sh
# Locate the jail's epair interface and NAT the VPN subnet out through it
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
# Rename the cloned tun interface to tun0
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="openvpn_1"
hostname="openvpn_1"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
...
I don't know FreeBSD pkg management, so I don't know how to downgrade.
Anyhow, I got OpenVPN running. Here's what I did to get certificates generated, and some other things that differ from the OP. Commands run in the jail:
pkg install openssl
cd /usr/local/share/easy-rsa
cp ../openssl/openssl.cnf.sample easy-rsa/openssl-1.0.cnf
Now edit the copied openssl-1.0.cnf and change (use nano, vim...):
dir = ./pki
certs = $dir
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_md = md5
If you want, you can also change the following values to your liking so that creating new certificates doesn't require as much writing when inputting details:
countryName_default = AU
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
Now run some commands:
cd /usr/local/share/easy-rsa
easyrsa init-pki
easyrsa build-ca # CA key and crt
easyrsa gen-req openvpn-server nopass # server signing request
easyrsa sign-req server openvpn-server # sign the request
easyrsa gen-req someclient1 nopass # client signing request
easyrsa sign-req client someclient1 # sign the request
easyrsa gen-dh # dh.pem
cp pki/private/* /mnt/openvpn/keys
cp pki/issued/* /mnt/openvpn/keys
cp pki/ca.crt /mnt/openvpn/keys
cp pki/dh.pem /mnt/openvpn/keys/dh2048.pem
Now the certificates are created and one should be able to follow the original guide.
One change is needed in the client config: change ns-cert-type server to remote-cert-tls server. I couldn't connect the Android OpenVPN client because the generated certs don't have the ns-cert-type field or something...
I also needed to reboot FreeNAS to get routing to work, as someone pointed out earlier.
edit: added nopass options to the gen-req lines
port 1194
proto udp
dev tun
ca /openvpn/keys/ca.crt
cert /openvpn/keys/openvpn-server.crt
key /openvpn/keys/openvpn-server.key # This file should be kept secret
dh /openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.178.0 255.255.255.0"
route 192.168.178.123 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /openvpn/openvpn-status.log
log /openvpn/openvpn.log
ifconfig-pool-persist /openvpn/ipp.txt
verb 3
client
dev tun
proto udp
remote adress.noip.me 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert jano1.crt
key jano1.key
#tls-auth auth.key 1
remote-cert-tls server
comp-lzo
verb 3
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/openvpn/server.conf"
openvpn_dir="/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
#!/bin/sh
# Locate the jail's epair interface and NAT the VPN subnet out through it
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
# Rename the cloned tun interface to tun0
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
OpenVPN CLIENT LIST
Updated,Mon Apr 18 19:30:16 2016
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
jano,xx.xx.41.139:62793,41813,17923,Mon Apr 18 18:44:37 2016
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,jano,xx.xx.41.139:62793,Mon Apr 18 18:50:49 2016
GLOBAL STATS
Max bcast/mcast queue length,0
END
Mon Apr 18 19:33:45 2016 xx.xx.41.139:62793 TLS: Initial packet from [AF_INET]xx.xx.41.139:62793, sid=1e213aa0 f5413706
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 VERIFY OK: depth=1, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 VERIFY OK: depth=0, C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=jano
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Mon Apr 18 19:33:46 2016 xx.xx.41.139:62793 [jano] Peer Connection Initiated with [AF_INET]xx.xx.41.139:62793
Mon Apr 18 19:33:46 2016 MULTI: new connection by client 'jano' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using$
Mon Apr 18 19:33:46 2016 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mon Apr 18 19:33:46 2016 MULTI: Learn: 10.8.0.6 -> jano/xx.xx.41.139:62793
Mon Apr 18 19:33:46 2016 MULTI: primary virtual IP for jano/xx.xx.41.139:62793: 10.8.0.6
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 send_push_reply(): safe_cap=940
Mon Apr 18 19:33:48 2016 jano/xx.xx.41.139:62793 SENT CONTROL [jano]: 'PUSH_REPLY,route 192.168.178.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status$
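As an added example, not from any post in this thread or from OpenVPN itself, a small Python linter for the server configs posted here: the earlier one has tls-auth and crl-verify commented out, this one omits them entirely, and neither sets cipher, auth or tls-version-min, which is why the connection log above negotiates BF-CBC, SHA1 and TLSv1. SAMPLE_CONF is constructed from the config above, and the finding codes are the linter's own.

```python
"""Lint an OpenVPN server config for the weak defaults visible in this thread."""
import shlex

# Constructed sample modelled on the server.conf posted above (not the poster's
# exact file): tls-auth and crl-verify absent, no cipher/auth/tls-version-min.
SAMPLE_CONF = """\
port 1194
ca /openvpn/keys/ca.crt
cert /openvpn/keys/openvpn-server.crt
key /openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.178.0 255.255.255.0"
#tls-auth /openvpn/keys/auth.key 0
#crl-verify /openvpn/keys/crl.pem
keepalive 10 120
comp-lzo
user nobody
group nobody
"""

def parse_directives(text):
    """Return [(name, [args])]; '#' and ';' comments (whole-line or trailing) are dropped."""
    out = []
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # honours the quotes around push "..."
        if tokens and not tokens[0].startswith(";"):
            out.append((tokens[0], tokens[1:]))
    return out

def lint_server_conf(text):
    """Return [(code, advice)] for settings that leave the tunnel on OpenVPN 2.3-era defaults."""
    names = {name for name, _ in parse_directives(text)}
    findings = []
    if not names & {"tls-auth", "tls-crypt"}:
        findings.append(("NO_TLS_AUTH", "control-channel packets carry no HMAC; enable tls-auth or tls-crypt"))
    if "cipher" not in names:
        findings.append(("DEFAULT_CIPHER", "no cipher line, so the data channel uses BF-CBC; set cipher AES-256-GCM (AES-256-CBC before 2.4)"))
    if "auth" not in names:
        findings.append(("DEFAULT_AUTH", "no auth line, so the data-channel HMAC is SHA1; set auth SHA256"))
    if "tls-version-min" not in names:
        findings.append(("OLD_TLS", "TLS 1.0 is still negotiated; set tls-version-min 1.2"))
    if names & {"comp-lzo", "compress"}:
        findings.append(("COMPRESSION", "compression inside the tunnel is deprecated; remove comp-lzo"))
    if "crl-verify" not in names:
        findings.append(("NO_CRL", "revoked client certificates are still accepted; set crl-verify"))
    if not {"user", "group"} <= names:
        findings.append(("RUNS_AS_ROOT", "add user nobody and group nobody so the daemon drops root after start-up"))
    return findings
```

lint_server_conf(SAMPLE_CONF) returns six findings for the sample; an empty list means every check passed.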
Followed the guide, now stuck at sourcing ./vars.
It outputs this:
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.
The next steps fail, presumably because I haven't sourced the vars file. How can I 'source' it? Or is it because this guide is outdated and now I'm supposed to use another way to install OpenVPN?
Bit of an OpenVPN newbie here, please help!!
EDIT: Looks like I need to ditch vars, and just append 'easyrsa' without the quotes to the commands following the sourcing of the vars file.
So, ./build-ca would be 'easyrsa build-ca' and so on. One thing you must notice is that some of the commands are different and must be checked by just plainly writing 'easyrsa' in the shell. There's a list of commands that you guys must use.
If you guys still don't get it, just look below:
easyrsa build-ca
easyrsa build-server-full openvpn-server
easyrsa gen-dh
easyrsa build-client-full johnny.appleseed (repeat if you need more users, like the ones down below)
easyrsa build-client-full timmy.cook
Then you guys could follow the rest of the guide.
EDIT2: Keep in mind, you must use
cp -R instead of cp to copy the entire directory.
And since we used a different way, we must copy the pki directory, not the keys.
So, the copy command would be like this:
cp -R pki/* /mnt/openvpn/keys
I will be posting this on my blog... if I have time. Despite it being in Korean, I think you guys could comprehend Linux commands, right?
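An added check, not from any post here or from Easy-RSA, for the keys directory these copy steps produce: `cp pki/private/*` earlier in the thread and `cp -R pki/*` here both carry the CA signing key and every client private key onto the VPN host, and nothing in the steps sets the key files to mode 0600. The scratch directory and file contents are constructed; the file names are the ones used in the thread, and REQUIRED lists what the posted server.conf references.

```python
"""Audit the OpenVPN keys directory produced by the easy-rsa copy steps in this thread."""
import os
import stat
import tempfile

# Files the server.conf posted in this thread expects at the top of the keys directory.
REQUIRED = ("ca.crt", "openvpn-server.crt", "openvpn-server.key", "dh2048.pem")

def audit_keys_dir(path):
    """Return sorted [(code, relative_path)] for material that should not be on the VPN host."""
    findings, present = [], set()
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path)
            present.add(rel)
            if name == "ca.key":
                findings.append(("CA_KEY_ON_SERVER", rel))       # the CA signing key belongs offline
            elif name.endswith(".key") and name != "openvpn-server.key":
                findings.append(("CLIENT_KEY_ON_SERVER", rel))   # cp pki/private/* drags these along
            if name.endswith(".key") and stat.S_IMODE(os.stat(full).st_mode) & 0o077:
                findings.append(("KEY_READABLE_BY_OTHERS", rel)) # private keys should be mode 0600
    findings += [("MISSING", req) for req in REQUIRED if req not in present]
    return sorted(findings)

def build_sample(path):
    """Constructed keys dir mirroring 'cp pki/private/*' and 'cp pki/issued/*'; bodies are placeholders."""
    modes = {
        "ca.crt": 0o644, "ca.key": 0o600,                          # CA key copied along with pki/private/*
        "openvpn-server.crt": 0o644, "openvpn-server.key": 0o644,  # server key left world-readable
        "someclient1.crt": 0o644, "someclient1.key": 0o600,        # client key has no business here
        "dh2048.pem": 0o644,
    }
    for name, mode in modes.items():
        full = os.path.join(path, name)
        with open(full, "w") as fh:
            fh.write(f"placeholder for {name}\n")
        os.chmod(full, mode)

def demo():
    """Build the constructed sample in a scratch directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit_keys_dir(tmp)

if __name__ == "__main__":
    for code, rel in demo():
        print(f"{code}: {rel}")
```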