How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

robles

Mmm well, the thing is that you still would have to do everything except the pkg install openvpn command. Even if you could get the custom PBI to start, you'd still have to:
  1. Create a CA
  2. Create a Server Certificate
  3. Create a Client Certificate
  4. Create an OpenVPN Server configuration file
  5. Configure the Firewall
  6. Create an OpenVPN Client configuration file.
 

underw3b

Ok too bad there is no way to make everything automatic... :)

Can you just tell me where I have to type all the command lines you wrote? How do I enter the jail with SSH?

Thx again!
 

robles

All the commands are in the tutorial, but if you feel a little bit shaky in FreeNAS (as I did initially) I recommend looking into the basic "get started" tutorials in this forum. Familiarise yourself with the platform and read carefully, everything is in there :)
 

underw3b

I passed this 1st step successfully:

Robles-MacBook-Pro:~ robles$ ssh robles@10.0.0.11
Last login: Tue Aug 19 12:29:05 2014 from 10.0.0.192
Welcome to FreeNAS
[robles@nas] ~> jls
JID IP Address Hostname Path
7 - openvpn /mnt/vault/pluginjails/openvpn

But then it tells me that my user is not allowed to use it:

[robles@nas] ~> sudo jexec 7 tcsh

Sorry, user Pierre is not allowed to execute '/usr/sbin/jexec 2 tcsh' as root on
freenas.local.


(permissions problems). So, I tried to put my user in every group, and to set "wheel" as the primary group, but it still doesn't work... why? Besides, for all storage folders and my volume I checked every permission for everyone (owner, group, others).
 

underw3b

Now, I have this:

[root@openvpn /usr/local/share/easy-rsa]# mkdir /mnt/openvpn/keys
bash: mkdir: command not found
[root@openvpn /usr/local/share/easy-rsa]# cp keys/* /mnt/openvpn/keys
bash: cp: command not found

Can anyone help me?
 

KoreanJesus

Anyone have any idea why I'm getting
ifconfig: interface tun0 does not exist
when i try to start the VPN?
 

KMcClain

Getting the same issue as KoreanJesus. When I start the openvpn service I get
ifconfig: interface tun0 does not exist
Here is what I get when I run ifconfig:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair3b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:05:64:00:11:0b
inet 192.168.100.5 netmask 0xffffff00 broadcast 192.168.100.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=9<PERFORMNUD,IFDISABLED>
I checked all my config twice but do not see anything that I did wrong.
Any idea where I screwed up?
 

robles

When creating the jail, did you leave the "VIMAGE" option ticked?
Try updating the OpenVPN dependencies, run pkg install openvpn to see if everything is ok.
Try and create a tun interface manually using the ifconfig tun create command. More info here: https://forums.freebsd.org/viewtopic.php?t=22143
Did you include the cloned_interfaces="tun" line in /etc/rc.conf?
 

AirborneTrooper

I got everything installed correctly on FreeNAS but my only problem now is when I try to connect using the OpenVPN app on my phone. I did exactly like you said to get the files synced to my iPhone, but I am getting "Transport Error: PolarSSL: SSL read error: X509 - Certificate verification failed. e.g. CRL, CA or signature check failed". Any thoughts or suggestions?
 

KMcClain

When creating the jail, did you leave the "VIMAGE" option ticked?
Try updating the OpenVPN dependencies, run pkg install openvpn to see if everything is ok.
Try and create a tun interface manually using the ifconfig tun create command. More info here: https://forums.freebsd.org/viewtopic.php?t=22143
Did you include the cloned_interfaces="tun" line in /etc/rc.conf?
Sorry it took me so long to reply. Been out of town, just got back in last night.
Rebooting my FreeNAS server fixed the issue, just in case anyone else has the same problem.
FYI - before rebooting I ran: run pkg install openvpn and it was all ok.
Also, the cloned_interfaces="tun" line was in /etc/rc.conf.
 

AirborneTrooper

So I noticed FreeNAS 9.2.1.8 was released and I updated my system. It's working fine now. I also messed with my Apple Time Capsule some so until I revert those changes I'm not 100% but as of now I'm 98% sure the update alone allowed me to connect using the app now. The release notes said it fixed some SSL issues so maybe that was it?
 

Nigel

Hell yes it does work! I imported the OVPN profile into my phone, here it is connected (notice I'm using my cellular network):

04JLNQ3.jpg
Firstly, thank you very much for producing this article Robles, my installation worked first time!
A question: how did you get the ovpn file to work with an iPhone? For the iPhone, the OpenVPN app expects the crts and keys to be embedded in the ovpn file. I created one, including making the 3des and ta key required, but I cannot get my iPhone to connect (PS: this method worked when I had OpenVPN installed on my OpenMediaVault server).
 

AirborneTrooper

Easiest way is to sync all of the files described in the tutorial to the OpenVPN app using iTunes.
 

AirborneTrooper

I can connect to the OpenVPN server using the app but I can't access my FreeNAS. I tried navigating to Couch Potato, Sick Rage, etc. but it just times out.
 

AirborneTrooper

I figured it out. The OpenVPN config should be:

Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.14 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3


You should also either update the tutorial or update the screenshots because it's confusing to see 10.0.8.0/24 used in the images and 10.8.0.0/24 used in the code snippets. I went with what you had in the code snippets and made corrections where needed.
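
A hardening check for the server config in the post above, as an added example that is not part of the original thread or the tutorial. The `audit` helper and its finding codes are hypothetical names, and the DH size is assumed to be readable from the file name.

```python
import ipaddress
import re

# The server config posted above, embedded so the check runs offline.
POSTED_CONF = """port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.14 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3"""

def audit(conf):
    """Return finding codes for an OpenVPN server config (hypothetical helper)."""
    rows = [l.replace('"', "").split() for l in conf.splitlines()
            if l.strip() and l.lstrip()[0] not in "#;"]
    names = {r[0] for r in rows}
    found = []
    for r in rows:
        # Assumption: DH size is taken from the file name (dh1024.pem);
        # a full check would inspect the file with `openssl dhparam -text`.
        m = re.search(r"dh(\d+)", r[1]) if r[0] == "dh" and len(r) > 1 else None
        if m and int(m.group(1)) < 2048:
            found.append("weak-dh")            # 1024-bit DH (Logjam range)
        if r[0] == "comp-lzo" and r[1:] != ["no"]:
            found.append("compression")        # compression oracle (VORACLE)
        args = r[1:] if r[0] == "push" else r  # local and pushed routes
        if len(args) >= 3 and args[0] == "route":
            try:
                ipaddress.ip_network(f"{args[1]}/{args[2]}")
            except ValueError:
                found.append("route-host-bits")  # 10.0.0.14 with a /24 mask
    if not names & {"tls-auth", "tls-crypt"}:
        found.append("no-tls-auth")            # no HMAC on handshake packets
    if not {"user", "group"} <= names:
        found.append("no-privilege-drop")      # daemon keeps root after start
    return found

if __name__ == "__main__":
    print(audit(POSTED_CONF))
```
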
 