How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.
Joined
Apr 9, 2015
Messages
1,258
Any idea why I get this?

[root@open_vpn /usr/local/share/easy-rsa]# source ./vars
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details
They switched to EasyRSA 3.0 as the default on the new install. I believe that you can install EasyRSA 2.0 and go back to the old style of setup; otherwise you will need to scroll up, possibly a couple of pages back, to get the updated instructions.
 

kpeng

Dabbler
Joined
May 16, 2016
Messages
11
I have been trying to set up my OpenVPN for the past couple of days and get intermittent results. First, the tutorial works, thank you for making a great tutorial. But somehow my connection through the VPN is intermittent. Here is my network setup:

DD-WRT router IP at home: 10.0.0.1, WAN IP is 73.x.x.x
freenas IP: 10.0.0.100
openvpn jail IP: 10.0.0.6 (10.8.0.1)
client is a macbook with OSX using Tunnelblick. It is connected to my cellphone hotspot, IP is 192.168.43.x

freenas version is FreeNAS-9.10-STABLE-201604261518

I can connect to the VPN, but sometimes it cannot connect to the internet, and sometimes it can. When it connects to the VPN, it gets the IP 10.8.0.6. When I try to ping 10.8.0.1, it is intermittent: when it pings, I can access the internet; when it doesn't, I can't. I suspected that the cellphone hotspot might be an issue, so I tried to connect to the VPN through the LAN directly. The result is the same, the ping is intermittent. I must be missing something but I can't figure out what that is. I tried to port forward to different ports on my router, same result. I appreciate any suggestion to get this working.

Here is what it looks like when I say intermittent:
Code:
pkai ~ $ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
Request timeout for icmp_seq 0
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=1.935 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=2.941 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=3.292 ms
64 bytes from 10.8.0.1: icmp_seq=4 ttl=64 time=2.756 ms
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
64 bytes from 10.8.0.1: icmp_seq=14 ttl=64 time=1.605 ms
64 bytes from 10.8.0.1: icmp_seq=15 ttl=64 time=1.682 ms
64 bytes from 10.8.0.1: icmp_seq=16 ttl=64 time=1.533 ms
64 bytes from 10.8.0.1: icmp_seq=17 ttl=64 time=1.496 ms
64 bytes from 10.8.0.1: icmp_seq=18 ttl=64 time=2.616 ms
64 bytes from 10.8.0.1: icmp_seq=19 ttl=64 time=2.420 ms
64 bytes from 10.8.0.1: icmp_seq=20 ttl=64 time=2.525 ms
Request timeout for icmp_seq 21
Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
Request timeout for icmp_seq 25
Request timeout for icmp_seq 26
Request timeout for icmp_seq 27
64 bytes from 10.8.0.1: icmp_seq=28 ttl=64 time=2.015 ms
64 bytes from 10.8.0.1: icmp_seq=29 ttl=64 time=1.603 ms
64 bytes from 10.8.0.1: icmp_seq=30 ttl=64 time=1.611 ms
64 bytes from 10.8.0.1: icmp_seq=31 ttl=64 time=1.695 ms
64 bytes from 10.8.0.1: icmp_seq=32 ttl=64 time=1.507 ms
64 bytes from 10.8.0.1: icmp_seq=33 ttl=64 time=1.582 ms
64 bytes from 10.8.0.1: icmp_seq=34 ttl=64 time=2.580 ms
64 bytes from 10.8.0.1: icmp_seq=35 ttl=64 time=1.390 ms
64 bytes from 10.8.0.1: icmp_seq=36 ttl=64 time=1.603 ms


openvpn.conf
Code:
local 10.0.0.6
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem           #Diffie-Hellman parameters are now 2048 bits long
server 10.8.0.0 255.255.255.0                  #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"            #Yellow network
route 10.0.0.6 255.255.255.0 10.8.0.1          #Routes traffic from the Yellow network side
                                               #(10.0.0.0/24)
                                               #to the Purple network side (10.8.0.0/24)
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3



ipfw.rules

Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


ipfw list
Code:
[root@openvpn /]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any
[root@openvpn /]#


Code:
[root@openvpn /]# sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS   
nobody   openvpn    8774  6  udp4   10.0.0.6:10011        *:*
root     syslogd    8740  7  udp4   *:514                 *:*
[root@openvpn /]# 



client config
Code:
client
dev tun
proto udp
remote kpeng.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert kpeng.crt
key kpeng.key
#tls-auth auth.key 1
remote-cert-tls server
comp-lzo
verb 3
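The replies in this thread keep asking for the same two outputs, sockstat -4 -l (is openvpn actually bound to its port?) and ipfw list (did ipfw.rules load the two nat rules?). The following script is an added example, not code from the thread or the guide; it parses those two outputs with the column layout shown in the posts above (constructed samples are embedded, modelled on the output posted here) and reports both checks. Run it with --live inside the jail to feed it the real command output; the port and subnet arguments default to 1194 and 10.8.0.0/24.

```shell
#!/bin/sh
# Added diagnostic helpers, not part of the thread: parse the output of
# `sockstat -4 -l` and `ipfw list` and report whether the OpenVPN listener
# and the guide's NAT rules are actually in place. Assumes the column layout
# shown in the posts above (sockstat: USER COMMAND PID FD PROTO LOCAL FOREIGN;
# ipfw: NNNNN nat 1 ip from SRC to DST out|in via IFACE).

# Constructed samples modelled on the outputs posted above.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    8774  6  udp4   10.0.0.6:10011        *:*
root     syslogd    8740  7  udp4   *:514                 *:*'

SAMPLE_IPFW='00100 nat 1 ip from 10.8.0.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any'

# A jail whose ipfw.rules never loaded: only the default rule set (constructed).
SAMPLE_IPFW_DEFAULT='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65535 allow ip from any to any'

# openvpn_listening <sockstat output> <port>
# Succeeds when an openvpn process has a socket bound on <port>
# (column 6 is LOCAL ADDRESS, e.g. 10.0.0.6:10011 or *:1194).
openvpn_listening() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $2 == "openvpn" {
            n = split($6, a, ":")
            if (a[n] == port) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# nat_rules_present <ipfw list output> <vpn subnet>
# Succeeds when both rules from the guide's ipfw.rules are loaded: an outbound
# nat rule for the VPN subnet and an inbound nat rule on the same epair.
nat_rules_present() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $2 == "nat" && $6 == net   && $9 == "out" { out_if = $11 }
        $2 == "nat" && $6 == "any" && $9 == "in"  { in_if = $11 }
        END { if (out_if != "" && out_if == in_if) exit 0; exit 1 }'
}

# diagnose <sockstat output> <ipfw output> <port> <vpn subnet>
# Prints one line per check; always returns 0 so it is safe under set -e.
diagnose() {
    if openvpn_listening "$1" "$3"; then
        echo "ok: openvpn is listening on port $3"
    else
        echo "fail: no openvpn socket on port $3 (daemon not running, or port/local in openvpn.conf differ)"
    fi
    if nat_rules_present "$2" "$4"; then
        echo "ok: ipfw nat rules for $4 are loaded"
    else
        echo "fail: ipfw nat rules for $4 missing (ipfw.rules did not load; check firewall_script in rc.conf and reboot the jail)"
    fi
    return 0
}

if [ "${1:-}" = "--live" ]; then
    diagnose "$(sockstat -4 -l)" "$(ipfw list)" "${2:-1194}" "${3:-10.8.0.0/24}"
else
    diagnose "$SAMPLE_SOCKSTAT" "$SAMPLE_IPFW" 10011 10.8.0.0/24
    diagnose "$SAMPLE_SOCKSTAT" "$SAMPLE_IPFW_DEFAULT" 1194 10.8.0.0/24
fi
```

The second sample run reproduces the two failure modes seen later in this thread: no openvpn socket (the daemon never started) and an ipfw list that shows only the stock rules (ipfw.rules was never loaded).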
 
Joined
Apr 9, 2015
Messages
1,258
Yeah, go somewhere that has free WiFi or a friend's/family member's house to test this before trying to troubleshoot. WiFi can be a pain, but using a WiFi hotspot that uses cellular screams issues to me. It plain could be the high latency that is the problem if the carrier is overloaded or it has a mediocre signal. You also have to remember that they could be routing your internet connection hundreds of miles through towers, even if you are in the middle of town, to a point where they were easily and cheaply able to bring in their own backbone plus the connection to the internet at large, and then the connection to your home ISP.
 

kpeng

Dabbler
Joined
May 16, 2016
Messages
11
I deleted the jail and started over. Now I can connect to the VPN, but cannot do anything with it: cannot ping anything on the LAN, cannot access the internet. It seems the NAT is not working at all. I rebooted my FreeNAS box several times, no luck. I also tried rebooting my MacBook several times, nothing changes. I do see the error message below in /var/log/messages. I wonder if that might be the reason the routing is not working. I tried to google it but cannot find a solution. Any suggestion is welcome before I shoot myself. I have spent 4 days on this.

Code:
May 17 21:42:21 vpnserver openvpn[26747]: /sbin/ifconfig tun0 10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255 up
May 17 21:42:21 vpnserver openvpn[26747]: /sbin/route add -net 10.0.0.9 10.10.0.1 255.255.255.0
May 17 21:42:21 vpnserver openvpn[26747]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
 

kpeng

Dabbler
Joined
May 16, 2016
Messages
11
I don't know what to say: after numerous reboots of the FreeNAS box, it works now.
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
Wanted to report success!

I followed the guide in the OP, but used this post to generate the certs/keys. I also used the method suggested for compatibility with the mobile OpenVPN app. I didn't test it the other way. Confirmed no DNS leaks and confirmed VPN IP. Confirmed access to local network.

A couple things:
  1. The OP is somewhat needlessly confusing because he uses a 10.0.0.0 network for the NAS and a very similar 10.0.8.0 network for the virtual/VPN network. If anyone is having issues, make sure that you change the OpenVPN configuration file as indicated in the OP to push your 192.168.1.XXX network to the VPN; in other words, don't gloss over all of his 10.X.X.X addresses and assume they are the same. He says this in the OP, but don't miss it.
  2. A reboot was required, just like everyone else. The VPN will connect without the reboot, but there is no WAN access and there is no VPN-LAN access either. So just reboot.
  3. Make sure OpenVPN is starting in your jail. When I created my jail, my keys were stored in a root directory of /openvpn/keys. I didn't put them in /mnt/openvpn/keys. So make sure you change all your references to /mnt/openvpn to /openvpn if you're like me. If you don't, this will prevent OpenVPN from even starting in your jail and you're going to have problems.
Build FreeNAS-9.3-STABLE-201602031011
I considered upgrading, but if it ain't broke, don't fix it. If you're upgraded, YMMV.
 

JeroenDB

Cadet
Joined
May 19, 2016
Messages
4
Hi,

Like most of the posters here: I'm completely new to Linux and FreeNAS, but a quick learner (I guess) :)

I have FreeNAS-9.10-STABLE-201605021851 (35c85f7) and wanted to set up the OpenVPN server. Like many of you I also tried the great tutorial but got stuck on the ./vars step.
By reading all the replies here I managed to create the certificates, so thanks to all of you for your contributions!

I've done the tutorial over and over again and now I'm kind of stuck.
Testing whether the VPN is listening:
Code:
[root@OpenVPN /]# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
???????????
root syslogd 63726 7 udp4 *:514 *:*
[root@OpenVPN /]#

I don't get the 3rd line (it should be something like <<nobody openvpn 63758 6 udp4 *:10010 *:*>>), and I can't find any troubleshooting on solving the problem...

On the other hand, the firewall appears to be configured properly:
Code:
[root@openvpn /mnt/openvpn]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
[root@openvpn /mnt/openvpn]#


If I look at the FreeNAS console, it's giving an error on renaming epair0b (I searched Google: might this be a driver problem?)
The exact error message is:
<<... freenaskernel: ng_ether_ifnet_arrival_event: can't re-name node epair0b>>
<<... OpenVPN openvpn[31061]: Options error: Please correct these errors.>>

What are my options here? :confused:

edit: Today I also performed a new clean installation of FreeNAS with only the jail for OpenVPN, same result... :(
 

theprez

Explorer
Joined
Oct 18, 2014
Messages
72
Coming from years of Ubuntu and setting up OpenVPN on that platform, typically a masquerade rule is needed if the same box isn't also your gateway.

For example, I used this configuration:

Code:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

I don't believe the rules on the first page perform the same functions, from what I can tell... anyone know the ipfw equivalent for the rules above?

Thanks
 

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
Hey Robles!

Thanks for this great tutorial! Though it isn't really up to date anymore with the new easyRSA and such, I did manage to get it working in my test environment.
I'll install it once more to verify my own documentation, after that I'll share it back to you, just in case you would be interested :)

EDIT: Finally I found some time to finish my blogpost, it can be found here: http://blog.fritvet.be/2016/06/openvpn-in-freenas-jail.html

Any feedback is welcome.

And Robles, thanks again for this tutorial! I got it up and running within 2 weeks; I'm sure it would have taken me more than 1 month if this guide wasn't available!
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
I noticed that I'm connecting using TLS 1.0. How can i change this to 1.2?
 
Joined
Jul 16, 2016
Messages
17
Hey Robles!

Thanks for this great tutorial! Though it isn't really up to date anymore with the new easyRSA and such, I did manage to get it working in my test environment.
I'll install it once more to verify my own documentation, after that I'll share it back to you, just in case you would be interested :)

EDIT: Finally I found some time to finish my blogpost, it can be found here: http://blog.fritvet.be/2016/06/openvpn-in-freenas-jail.html

Any feedback is welcome.

And Robles, thanks again for this tutorial! I got it up and running within 2 weeks; I'm sure it would have taken me more than 1 month if this guide wasn't available!


Hi FritVetBE
I've been following your tutorial step by step. It's very well done!!! Congrats!! I'm a total newbie in terms of FN, FreeBSD and OpenVPN and I could do "almost" everything. But I'm stuck near the end of your process.

Just a few details and differences:

1) my jail is called "OpenVPN" and where you wrote "OpenVPN-ACC" I replaced it with my jail's name

2) my jail IP is 192.168.1.77 and I corrected it where you wrote your IP

3) in the "openvpn_priv.conf" I assumed there was a typo in the "push" field and I wrote "route 192.168.1.0 255.255.255.0" (and not 192.168.1.10). Right?

4) I didn't know well where to create & edit the "/etc/rc.conf": I tried on both "/usr/local/etc/rc.conf" and "/usr/local/etc/openvpn/rc.conf".

But at the end of the day I have a different ipfw list. Here's mine:

Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any


Where did I go wrong? As you said, I checked the ipfw.rules and rc.conf files and they are ok. I also restarted (with onerestart) the ipfw service.

I'm stuck here!... could you help me?

Thx

Michele
 

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
Hi FritVetBE
I've been following your tutorial step by step. It's very well done!!! Congrats!! I'm a total newbie in terms of FN, FreeBSD and OpenVPN and I could do "almost" everything. But I'm stuck near the end of your process.

Just a few details and differences:

1) my jail is called "OpenVPN" and where you wrote "OpenVPN-ACC" I replaced it with my jail's name

2) my jail IP is 192.168.1.77 and I corrected it where you wrote your IP

3) in the "openvpn_priv.conf" I assumed there was a typo in the "push" field and I wrote "route 192.168.1.0 255.255.255.0" (and not 192.168.1.10). Right?

4) I didn't know well where to create & edit the "/etc/rc.conf": I tried on both "/usr/local/etc/rc.conf" and "/usr/local/etc/openvpn/rc.conf".

But at the end of the day I have a different ipfw list. Here's mine:

Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any


Where did I go wrong? As you said, I checked the ipfw.rules and rc.conf files and they are ok. I also restarted (with onerestart) the ipfw service.

I'm stuck here!... could you help me?

Thx

Michele


Hey Michele

Thanks for pointing me on that error, as you mentioned it should be "route 192.168.1.0 255.255.255.0". I corrected it now in the blog, thanks for that!

4) Regarding your last question: there should already be a file called rc.conf inside the OpenVPN jail, located in the /etc directory. You can modify it by running ee /etc/rc.conf and then continue to follow the steps written below the title "/etc/rc.conf configuration".

I hope those are the answers necessary to have it working on your end! :)
 
Joined
Dec 13, 2015
Messages
15
So at one point in the past I had this working perfectly across all my devices; however, I'm back to having trouble. The change that brought about this trouble was moving to a different house (and with that a new ISP, IP, and router). I made all the necessary changes to my router's settings to port forward to my OpenVPN jail; however, I think that by bringing my system down for the move, something has changed somewhere in my configurations. Whenever I try connecting now I end up receiving a connection refused (error 111). I ran a couple of the commands again from the OP and it doesn't show the openvpn process in the jail, which is obviously suspect, but I'm not sure how to approach debugging that. Here's a dump of the terminal command outputs, my connection log from my phone, and my configs:

Code:
root@OpenVPN:/ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


Code:
root@OpenVPN:/ # sockstat -4 -l
USER   COMMAND   PID   FD   PROTO   LOCAL ADDRESS   FORIEGN ADDRESS
root   syslogd   86104   7   udp4   *:514   *:*


Code:
2016-08-09 22:31:38 official build 0.6.57 running on google Nexus 6 (shamu), Android 6.0.1 (MOB30O) API 23, ABI armeabi-v7a, (google/shamu/shamu:6.0.1/MOB30O/2920157:user/release-keys)
2016-08-09 22:31:38 Building configuration…
2016-08-09 22:31:38 started Socket Thread
2016-08-09 22:31:38 Current Parameter Settings:
2016-08-09 22:31:38  config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2016-08-09 22:31:38  mode = 0
2016-08-09 22:31:38  show_ciphers = DISABLED
2016-08-09 22:31:38  show_digests = DISABLED
2016-08-09 22:31:38  show_engines = DISABLED
2016-08-09 22:31:38  genkey = DISABLED
2016-08-09 22:31:38  key_pass_file = '[UNDEF]'
2016-08-09 22:31:38  show_tls_ciphers = DISABLED
2016-08-09 22:31:38  connect_retry_max = 5
2016-08-09 22:31:38 Connection profiles [0]:
2016-08-09 22:31:38  proto = udp
2016-08-09 22:31:38  local = '[UNDEF]'
2016-08-09 22:31:38  local_port = '[UNDEF]'
2016-08-09 22:31:38  remote = '<mydns>.duckdns.org'
2016-08-09 22:31:38  remote_port = '1194'
2016-08-09 22:31:38  remote_float = DISABLED
2016-08-09 22:31:38  bind_defined = DISABLED
2016-08-09 22:31:38  bind_local = DISABLED
2016-08-09 22:31:38  bind_ipv6_only = DISABLED
2016-08-09 22:31:38  connect_retry_seconds = 5
2016-08-09 22:31:38  connect_timeout = 120
2016-08-09 22:31:38  socks_proxy_server = '[UNDEF]'
2016-08-09 22:31:38  socks_proxy_port = '[UNDEF]'
2016-08-09 22:31:38  tun_mtu = 1500
2016-08-09 22:31:38  tun_mtu_defined = ENABLED
2016-08-09 22:31:38  link_mtu = 1500
2016-08-09 22:31:38  link_mtu_defined = DISABLED
2016-08-09 22:31:38  tun_mtu_extra = 0
2016-08-09 22:31:38  tun_mtu_extra_defined = DISABLED
2016-08-09 22:31:38  mtu_discover_type = -1
2016-08-09 22:31:38  fragment = 0
2016-08-09 22:31:38  mssfix = 1450
2016-08-09 22:31:38  explicit_exit_notification = 0
2016-08-09 22:31:38 Connection profiles END
2016-08-09 22:31:38  remote_random = DISABLED
2016-08-09 22:31:38  ipchange = '[UNDEF]'
2016-08-09 22:31:38  dev = 'tun'
2016-08-09 22:31:38  dev_type = '[UNDEF]'
2016-08-09 22:31:38  dev_node = '[UNDEF]'
2016-08-09 22:31:38  lladdr = '[UNDEF]'
2016-08-09 22:31:38  topology = 1
2016-08-09 22:31:38  tun_ipv6 = DISABLED
2016-08-09 22:31:38  ifconfig_local = '[UNDEF]'
2016-08-09 22:31:38  ifconfig_remote_netmask = '[UNDEF]'
2016-08-09 22:31:38  ifconfig_noexec = DISABLED
2016-08-09 22:31:38  ifconfig_nowarn = ENABLED
2016-08-09 22:31:38  ifconfig_ipv6_local = '[UNDEF]'
2016-08-09 22:31:38  ifconfig_ipv6_netbits = 0
2016-08-09 22:31:38  ifconfig_ipv6_remote = '[UNDEF]'
2016-08-09 22:31:38  shaper = 0
2016-08-09 22:31:38  mtu_test = 0
2016-08-09 22:31:38  mlock = DISABLED
2016-08-09 22:31:38  keepalive_ping = 0
2016-08-09 22:31:38  keepalive_timeout = 0
2016-08-09 22:31:38  inactivity_timeout = 0
2016-08-09 22:31:38  ping_send_timeout = 0
2016-08-09 22:31:38  ping_rec_timeout = 0
2016-08-09 22:31:38  ping_rec_timeout_action = 0
2016-08-09 22:31:38  ping_timer_remote = DISABLED
2016-08-09 22:31:38  remap_sigusr1 = 0
2016-08-09 22:31:38  persist_tun = ENABLED
2016-08-09 22:31:38  persist_local_ip = DISABLED
2016-08-09 22:31:38  persist_remote_ip = DISABLED
2016-08-09 22:31:38  persist_key = DISABLED
2016-08-09 22:31:38  passtos = DISABLED
2016-08-09 22:31:38  resolve_retry_seconds = 1000000000
2016-08-09 22:31:38  resolve_in_advance = ENABLED
2016-08-09 22:31:38  username = '[UNDEF]'
2016-08-09 22:31:38  groupname = '[UNDEF]'
2016-08-09 22:31:38  chroot_dir = '[UNDEF]'
2016-08-09 22:31:38  cd_dir = '[UNDEF]'
2016-08-09 22:31:38  writepid = '[UNDEF]'
2016-08-09 22:31:38  up_script = '[UNDEF]'
2016-08-09 22:31:38  down_script = '[UNDEF]'
2016-08-09 22:31:38  down_pre = DISABLED
2016-08-09 22:31:38  up_restart = DISABLED
2016-08-09 22:31:38  up_delay = DISABLED
2016-08-09 22:31:38  daemon = DISABLED
2016-08-09 22:31:38  inetd = 0
2016-08-09 22:31:38  log = DISABLED
2016-08-09 22:31:38  suppress_timestamps = DISABLED
2016-08-09 22:31:38  machine_readable_output = ENABLED
2016-08-09 22:31:38  nice = 0
2016-08-09 22:31:38  verbosity = 4
2016-08-09 22:31:38  mute = 0
2016-08-09 22:31:38  gremlin = 0
2016-08-09 22:31:38  status_file = '[UNDEF]'
2016-08-09 22:31:38  status_file_version = 1
2016-08-09 22:31:38  status_file_update_freq = 60
2016-08-09 22:31:38  occ = ENABLED
2016-08-09 22:31:38  rcvbuf = 0
2016-08-09 22:31:38  sndbuf = 0
2016-08-09 22:31:38  sockflags = 0
2016-08-09 22:31:38  fast_io = DISABLED
2016-08-09 22:31:38  comp.alg = 2
2016-08-09 22:31:38  comp.flags = 1
2016-08-09 22:31:38  route_script = '[UNDEF]'
2016-08-09 22:31:38  route_default_gateway = '[UNDEF]'
2016-08-09 22:31:38  route_default_metric = 0
2016-08-09 22:31:38  route_noexec = DISABLED
2016-08-09 22:31:38  route_delay = 0
2016-08-09 22:31:38  route_delay_window = 30
2016-08-09 22:31:38  route_delay_defined = DISABLED
2016-08-09 22:31:38  route_nopull = DISABLED
2016-08-09 22:31:38  route_gateway_via_dhcp = DISABLED
2016-08-09 22:31:38  allow_pull_fqdn = DISABLED
2016-08-09 22:31:38  management_addr = '/data/user/0/de.blinkt.openvpn/cache/mgmtsocket'
2016-08-09 22:31:38  management_port = 'unix'
2016-08-09 22:31:38  management_user_pass = '[UNDEF]'
2016-08-09 22:31:38  management_log_history_cache = 250
2016-08-09 22:31:38  management_echo_buffer_size = 100
2016-08-09 22:31:38  management_write_peer_info_file = '[UNDEF]'
2016-08-09 22:31:38  management_client_user = '[UNDEF]'
2016-08-09 22:31:38  management_client_group = '[UNDEF]'
2016-08-09 22:31:38  management_flags = 4390
2016-08-09 22:31:38  shared_secret_file = '[UNDEF]'
2016-08-09 22:31:38  key_direction = 0
2016-08-09 22:31:38  ciphername_defined = ENABLED
2016-08-09 22:31:38  ciphername = 'BF-CBC'
2016-08-09 22:31:38  authname_defined = ENABLED
2016-08-09 22:31:38  authname = 'SHA1'
2016-08-09 22:31:38  prng_hash = 'SHA1'
2016-08-09 22:31:38  prng_nonce_secret_len = 16
2016-08-09 22:31:38  keysize = 0
2016-08-09 22:31:38  engine = DISABLED
2016-08-09 22:31:38  replay = ENABLED
2016-08-09 22:31:38  mute_replay_warnings = DISABLED
2016-08-09 22:31:38  replay_window = 64
2016-08-09 22:31:38  replay_time = 15
2016-08-09 22:31:38  packet_id_file = '[UNDEF]'
2016-08-09 22:31:38  use_iv = ENABLED
2016-08-09 22:31:38  test_crypto = DISABLED
2016-08-09 22:31:38  tls_server = DISABLED
2016-08-09 22:31:38  tls_client = ENABLED
2016-08-09 22:31:38  key_method = 2
2016-08-09 22:31:38  ca_file = '[[INLINE]]'
2016-08-09 22:31:38  ca_path = '[UNDEF]'
2016-08-09 22:31:38  dh_file = '[UNDEF]'
2016-08-09 22:31:38  cert_file = '[[INLINE]]'
2016-08-09 22:31:38  extra_certs_file = '[UNDEF]'
2016-08-09 22:31:38  priv_key_file = '[[INLINE]]'
2016-08-09 22:31:38  pkcs12_file = '[UNDEF]'
2016-08-09 22:31:38  cipher_list = '[UNDEF]'
2016-08-09 22:31:38  tls_verify = '[UNDEF]'
2016-08-09 22:31:38  tls_export_cert = '[UNDEF]'
2016-08-09 22:31:38  verify_x509_type = 0
2016-08-09 22:31:38  verify_x509_name = '[UNDEF]'
2016-08-09 22:31:38  crl_file = '[UNDEF]'
2016-08-09 22:31:38  ns_cert_type = 1
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_ku = 0
2016-08-09 22:31:38  remote_cert_eku = '[UNDEF]'
2016-08-09 22:31:38  ssl_flags = 0
2016-08-09 22:31:38  tls_timeout = 2
2016-08-09 22:31:38  renegotiate_bytes = 0
2016-08-09 22:31:38  renegotiate_packets = 0
2016-08-09 22:31:38  renegotiate_seconds = 3600
2016-08-09 22:31:38  handshake_window = 60
2016-08-09 22:31:38  transition_window = 3600
2016-08-09 22:31:38  single_session = DISABLED
2016-08-09 22:31:38  push_peer_info = DISABLED
2016-08-09 22:31:38  tls_exit = DISABLED
2016-08-09 22:31:38  tls_auth_file = '[UNDEF]'
2016-08-09 22:31:38  client = ENABLED
2016-08-09 22:31:38  pull = ENABLED
2016-08-09 22:31:38  auth_user_pass_file = '[UNDEF]'
2016-08-09 22:31:38 OpenVPN 2.4-icsopenvpn [git:icsopenvpn-b89b098fc66488b9] android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH] [IPv6] built on Jul  6 2016
2016-08-09 22:31:38 library versions: OpenSSL 1.0.2h  3 May 2016, LZO 2.09
2016-08-09 22:31:38 MANAGEMENT: Connected to management server at /data/user/0/de.blinkt.openvpn/cache/mgmtsocket
2016-08-09 22:31:38 MANAGEMENT: CMD 'hold release'
2016-08-09 22:31:38 MANAGEMENT: CMD 'bytecount 2'
2016-08-09 22:31:38 MANAGEMENT: CMD 'proxy NONE'
2016-08-09 22:31:38 MANAGEMENT: CMD 'state on'
2016-08-09 22:31:38 Network Status: CONNECTED  to WIFI "<ssn>"
2016-08-09 22:31:39 LZO compression initializing
2016-08-09 22:31:39 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2016-08-09 22:31:39 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
2016-08-09 22:31:39 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
2016-08-09 22:31:39 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
2016-08-09 22:31:39 TCP/UDP: Preserving recently used remote address: [AF_INET]<myip>:1194
2016-08-09 22:31:39 Socket Buffers: R=[163840->163840] S=[163840->163840]
2016-08-09 22:31:39 MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
2016-08-09 22:31:39 UDP link local: (not bound)
2016-08-09 22:31:39 UDP link remote: [AF_INET]<myip>:1194
2016-08-09 22:31:39 MANAGEMENT: >STATE:1470807099,WAIT,,,,,,
2016-08-09 22:31:39 read UDP [ECONNREFUSED]: Connection refused (code=111)
2016-08-09 22:31:41 read UDP [ECONNREFUSED]: Connection refused (code=111)
2016-08-09 22:31:45 read UDP [ECONNREFUSED]: Connection refused (code=111)


Code:
local 192.168.0.181
port 1194
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option DNS 8.8.8.8"
route 192.168.0.181 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 5


Code:
client
dev tun
remote <mydns>.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert serv.crt
key serv.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 5
 

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
Hey there
I think you should comment out the "ns-cert-type server" parameter; I've read somewhere that it would be deprecated.

The output of sockstat -4 -l shows all opened sockets on your jail, every instance of openvpn should also be displayed there, but in your case it is not.
Is the OpenVPN daemon running? Do you see an error when you start to run the daemon?


Sent from my SM-G920F using Tapatalk
 
Joined
Dec 13, 2015
Messages
15
Hey there
I think you should comment out the "ns-cert-type server" parameter; I've read somewhere that it would be deprecated.

The output of sockstat -4 -l shows all opened sockets on your jail, every instance of openvpn should also be displayed there, but in your case it is not.
Is the OpenVPN daemon running? Do you see an error when you start to run the daemon?


Sent from my SM-G920F using Tapatalk
Here's a log screenshot from when I stopped the jail then started the jail.
 

Attachments: openvpnlogs.PNG (31.4 KB)

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
Hey kkc

You will get more useful output when you open a shell inside the OpenVPN jail (like where you executed the sockstat -4 -l command).

Then you should run service openvpn restart.

What you would want to check then is the output in the shell, and additionally the log file. The default location where you can find the log file should be /var/log/, if I'm not mistaken :) It could also be possible you modified the default log location for the OpenVPN daemon, so check the path in your config file (/usr/local/etc/openVPN/openVPN.conf)
 
Joined
Dec 13, 2015
Messages
15
Hey kkc

You will get more useful output when you open a shell inside the OpenVPN jail (like where you executed the sockstat -4 -l command).

Then you should run service openvpn restart.

What you would want to check then is the output in the shell, and additionally the log file. The default location where you can find the log file should be /var/log/, if I'm not mistaken :) It could also be possible you modified the default log location for the OpenVPN daemon, so check the path in your config file (/usr/local/etc/openVPN/openVPN.conf)

Alright, progress: so I tried restarting the daemon and got the following:

Code:
root@OpenVPN:/ # service openvpn restart
openvpn not running? (check /var/run/openvpn.pid).
/usr/local/etc/rc.d/openvpn: WARNING: /mnt/openvpn/Created/openvpn.conf is not readable.
/usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn


The warning about my conf file not being readable is there because that path doesn't exist. The actual path is /mnt/openvpn/openvpn.conf. I've tried looking in a couple of configuration files, but I can't find where it is getting this path from. As a side note, when I go to the path you mentioned (/usr/local/etc/openvpn/openvpn.conf), it doesn't exist since that's not where my conf file is. I haven't changed where the logs are stored, but looking at /var/log/ there are a ton of various log files here, and I'm not sure which one I should be looking around in. Most of the ones I tried only had an entry dating from when they were first made.
 

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
Alright, progress: so I tried restarting the daemon and got the following:

Code:
root@OpenVPN:/ # service openvpn restart
openvpn not running? (check /var/run/openvpn.pid).
/usr/local/etc/rc.d/openvpn: WARNING: /mnt/openvpn/Created/openvpn.conf is not readable.
/usr/local/etc/rc.d/openvpn: WARNING: failed precmd routine for openvpn


The warning about my conf file not being readable is there because that path doesn't exist. The actual path is /mnt/openvpn/openvpn.conf. I've tried looking in a couple of configuration files, but I can't find where it is getting this path from. As a side note, when I go to the path you mentioned (/usr/local/etc/openvpn/openvpn.conf), it doesn't exist since that's not where my conf file is. I haven't changed where the logs are stored, but looking at /var/log/ there are a ton of various log files here, and I'm not sure which one I should be looking around in. Most of the ones I tried only had an entry dating from when they were first made.

Hey kkc

When executing service openvpn restart the following file will be read: /usr/local/etc/rc.d/openvpn
By reading this file (ee /usr/local/etc/rc.d/openvpn) you'll notice that some options can be set:
  • openvpn_enable="NO"
  • openvpn_if=
  • openvpn_flags=
  • openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
  • openvpn_dir=""
Those options could be set in /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn

Could you list the contents of /etc/rc.conf? I expect you specified the openvpn_configfile="" parameter pointing to /mnt/openvpn/Created/openvpn.conf. If so, comment out that line (place a # in front of it), save the /etc/rc.conf file and restart the daemon again: service openvpn restart
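The post above describes how the rc.d script's default for openvpn_configfile can be overridden from three rc files, and the "is not readable" warning is what you get when the override points at a path that no longer exists. The script below is an added example, not code from the thread or from FreeBSD's rc.d: it resolves openvpn_configfile the same way (default from the rc.d script, then /etc/rc.conf, /etc/rc.conf.local and /etc/rc.conf.d/openvpn, with a later assignment overriding an earlier one; the order is assumed from the post, and the default path is the one the rc.d script prints), reports which file set a stale value, and applies the fix given in the reply (comment the line out). It builds a constructed /etc-like tree in a temp directory reproducing the stale /mnt/openvpn/Created path, so it runs anywhere; run it with --demo to see the before/after.

```shell
#!/bin/sh
# Added example, not part of the thread: emulate how the openvpn rc.d script
# picks up openvpn_configfile, so a stale value can be located without reading
# every rc file by hand. Assumption: the three files are read in the order the
# post lists them and a later assignment overrides an earlier one.

RCD_DEFAULT_CONFIGFILE="/usr/local/etc/openvpn/openvpn.conf"   # default from the rc.d script

# resolve_openvpn_configfile <etcdir>
# Prints the config path the daemon would be started with for an /etc-like tree.
resolve_openvpn_configfile() {
    etc="$1"
    conf="$RCD_DEFAULT_CONFIGFILE"
    for f in "$etc/rc.conf" "$etc/rc.conf.local" "$etc/rc.conf.d/openvpn"; do
        [ -r "$f" ] || continue
        # only uncommented assignments match; the last one in the file wins
        v=$(sed -n 's/^[[:space:]]*openvpn_configfile=//p' "$f" | tail -n 1 | tr -d "\"'")
        if [ -n "$v" ]; then conf="$v"; fi
    done
    printf '%s\n' "$conf"
}

# check_openvpn_configfile <etcdir>
# Succeeds when the resolved file is readable; otherwise prints the same kind
# of warning the rc.d script printed in the thread, plus the file(s) that set it.
check_openvpn_configfile() {
    conf=$(resolve_openvpn_configfile "$1")
    if [ -r "$conf" ]; then
        echo "ok: $conf"
        return 0
    fi
    echo "WARNING: $conf is not readable" >&2
    grep -l '^[[:space:]]*openvpn_configfile=' "$1/rc.conf" "$1/rc.conf.local" \
        "$1/rc.conf.d/openvpn" 2>/dev/null | sed 's/^/  set in: /' >&2
    return 1
}

# comment_out_configfile <etcdir>
# The fix from the reply: put a # in front of the assignment in rc.conf so the
# rc.d default applies again. Rewrites through a temp file because `sed -i`
# differs between GNU and BSD sed.
comment_out_configfile() {
    f="$1/rc.conf"
    sed 's/^[[:space:]]*openvpn_configfile=/#&/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# make_sample_etc
# Constructed /etc-like tree in a temp dir reproducing the stale path from the
# thread; prints the directory so callers can clean it up.
make_sample_etc() {
    d=$(mktemp -d)
    mkdir -p "$d/rc.conf.d"
    cat > "$d/rc.conf" <<'EOF'
hostname="OpenVPN"
openvpn_enable="YES"
openvpn_configfile="/mnt/openvpn/Created/openvpn.conf"
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_etc)
    check_openvpn_configfile "$d" || true
    comment_out_configfile "$d"
    echo "after fix: $(resolve_openvpn_configfile "$d")"
    rm -r "$d"
fi
```

To run the same check against a real jail, call check_openvpn_configfile /etc from a shell inside the jail; the default path only applies when none of the three rc files sets openvpn_configfile.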
 
Joined
Dec 13, 2015
Messages
15
Hey kkc

When executing service openvpn restart the following file will be read: /usr/local/etc/rc.d/openvpn
By reading this file (ee /usr/local/etc/rc.d/openvpn) you'll notice that some options can be set:
  • openvpn_enable="NO"
  • openvpn_if=
  • openvpn_flags=
  • openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
  • openvpn_dir=""
Those options could be set in /etc/rc.conf, /etc/rc.conf.local or /etc/rc.conf.d/openvpn

Could you list the contents of /etc/rc.conf? I expect you specified the openvpn_configfile="" parameter pointing to /mnt/openvpn/Created/openvpn.conf. If so, comment out that line (place a # in front of it), save the /etc/rc.conf file and restart the daemon again: service openvpn restart

That was it! At one point though I definitely went through the rc config and looked for the path (as well as a few other files), so I'm not sure if it got regenerated with the old path value or if I just missed it the first time through, probably the latter :) Thanks for the sanity check and all the help!
 