How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


zoomzoom (Guru, joined Sep 6, 2015, 677 messages)
@Steo My hunch is the reason why you have no log information after the DH key is because when OpenVPN tries to load the DH key, it errors out, then stops the server. This could be caused by a few things... corrupt dh key, permissions related, path in config is wrong, etc. You can try increasing verbosity to 11 (max) to see if it provides technical output that may explain why the loading of the DH key is causing it to error out.
 

robles (Explorer, joined Jul 29, 2014, 89 messages)
Saw a few things, which you could very well already be aware of:
  • ta.key needs to have 400 or 600 permissions... it's critical for security
  • SHA1 isn't secure, and if you're running an x64 system, utilize SHA512 since 64-bit systems process SHA512 substantially faster than SHA256. If not using an x64 system, SHA256 should be utilized.
  • DH cert must exceed the encryption value you want for your connection, so if you want 2048-bit, your DH cert must be at least 3072-bit... I always recommend 4096 since it provides flexibility.
  • It appears you utilized Easy-RSA for certificate generation, which does not create secure certs for VPNs. It's convenient, but it would be more convenient if OpenVPN simply packaged a secure openssl.cnf to generate a CA and certs via OpenSSL directly. There's a link in my signature to a pre-built openssl.cnf on my GitHub, which has all commands required starting at line 507. You'll need to customize the SAN [SubjectAlternativeName] section with the applicable IPs and DNS names [IP.1, IP.2, etc.].
Many also aren't aware OpenVPN and OpenSSL support actual TLS ECDHE and DHE authentication, which is generally faster than SSL. There's also a link in my signature to my GitHub, where there's also a pre-built openvpn server config you can look at to see the TLS directives that need to be added.
I'll have to recreate this jail (created per the instructions of this tutorial) and see if changing EASYRSA_KEY_SIZE and EASYRSA_DIGEST creates SHA512 digests and 4096-bit parameters. The tutorial will also have an additional chmod instruction to change the ta.key permissions.

Can you elaborate on Easy-RSA not being secure enough? I am truly concerned about this tutorial's security, so if there's a way to create an OpenVPN setup without it being too complicated for new people and without compromising security, that would be ideal.
 

zoomzoom (Guru, joined Sep 6, 2015, 677 messages)
You shouldn't need to recreate the jail (unless it's simply easier for you to do so). If you wanted to recreate your certs, you just need to download my openssl.cnf and place in /etc/ssl (unless FreeBSD has the ssl directory somewhere else, as I can't recall... I do know FreeNAS stores certificates added, or created, via the WebUI to /etc/certificates). Once done, a few options in the server and client configs would need to then be modified.

Easy-RSA doesn't set proper KUs [keyUsage] and EKUs [extendedKeyUsage], of which matter when creating server and client certs.
  • For example, nscerttype options in OpenVPN should not be used as they were deprecated in the mid 2000s [the "ns" stands for Netscape Browser, which no longer exists].
    • In order to remove this from the openvpn configs requires the EKU serverAuth to be added to the VPN server cert and the EKU clientAuth to be added to the VPN client cert
      • This would then allow remote-cert-tls to be replaced with remote-cert-ku f8, telling OpenVPN to utilize the EKU of serverAuth the server cert was generated with
While not security related, Easy-RSA also doesn't allow for the usage of SANs [subjectAltName], which allow the certificate to be issued with multiple IPs, DNS names, user names [via email address], as well as other OIDs, which in turn allows one to set the CommonName to whatever one wishes, instead of the IP or DNS name.
  • For example, you could create a web server certificate for the FreeNAS WebUI with the Common Name being "FreeNAS Web Server", then list the IP(s) and DNS names the server can be accessed at under the SAN profile name in an openssl.cnf
  • All servers with a web interface need to have the loopback IP [127.0.0.1] specified in their SAN profile, as this prevents certificate errors if accessing the web interface via an SSH tunnel. This is especially important nowadays since Chrome will no longer allow one to visit a webpage with an invalid certificate for that IP. It used to allow you the ability to still continue to the site by manually expanding the bottom section on the error page, however this was removed earlier this year.
It's baffling to me why OpenVPN doesn't simply ditch attaching itself to Easy-RSA and simply include an openssl.cnf and script to create the certs, as the way they're currently doing it is neither the proper, nor secure way of doing so. One shouldn't have to rely on a VPN server config specifically stating it's a server... that's the purpose of a properly issued server certificate, much the same as a client config should not have to rely on specifying itself as a client, as that's the purpose of a properly generated client certificate.
  • I do understand how confusing an openssl.cnf can appear at first glance, especially since a default one has a ridiculous amount of comments and unneeded information, which is why I built one and posted it on GitHub. I split the one on GitHub into easy-to-understand, easy-to-follow categorical sections, only commenting where absolutely necessary, leaving 99% of the comments at the bottom of the config file.
    • In the bottom of my config, I've compiled all the necessary information that one would otherwise have an extremely difficult time tracking down, such as the meanings of all 5 KUs and all the EKUs, as well as the meanings of the different TLS ciphers (ECDHE and DHE, albeit elliptic curve is not currently supported in OpenVPN ), and how to generate them.
    • Additionally, I condensed certificate creation into 3 commands:
      1. Generates a CSR [certificate request] and private key for the certificate
      2. Signing of the certificate with one's CA
        • The exception to this is the creation of the CA, which is self signed (unless one also creates an ICA [Intermediate Certificate Authority], which is signed by the self signed CA)
      3. [optional] Creating a PKCS12 file that contains the certificate, certificate key, and CA that signed the certificate, maintaining the chain of trust
        • [optional] Creating a CRL for the CA and/or ICA(s)
    • The only caveat is, for ease of use, I do not use the openssl ca command to sign certs, which results in manual management of the index file. I explain how to add certificate information to the index file, which takes ~30 seconds per certificate.
If you utilize Windows, I created a Notepad++ language file to specifically view an openssl.cnf with, which can be accessed on my GitHub here (Import via Language -> Define Your Language -> Import).
 
robles (Explorer, joined Jul 29, 2014, 89 messages)
Great detailed explanation, I'll take a look at the openssl.cnf file to see how it may be incorporated into the tutorial.
 

Joseph Lennemann (Explorer, joined Aug 27, 2016, 69 messages)
@robles - Thank you for the condensed version. I followed your instructions and was able to establish a tunnel. The only issue I had was after connecting to the VPN I was not able to get out on either side of the network. I troubleshot it for a few hours and finally decided to reboot my FreeNAS box. Issue was resolved. I'm seeing an error in the FreeNAS log stating "can't re-name node epair1b" and was wondering if someone could assist.

Code:
Oct  2 14:11:07 freenas kernel: ng_ether_ifnet_arrival_event: can't re-name node epair0b
Oct  2 14:11:07 freenas kernel: ng_ether_ifnet_arrival_event: can't re-name node epair0b
Oct  2 14:11:07 freenas devd: Executing '/etc/rc.d/dhclient quietstart epair0a'
Oct  2 14:11:11 freenas kernel: tun0: link state changed to UP
Oct  2 14:11:11 freenas kernel: tun0: link state changed to UP
Oct  2 14:11:13 freenas devd: Executing '/etc/pccard_ether epair1a start'
Oct  2 14:11:13 freenas devd: Executing '/etc/pccard_ether epair1b start'
Oct  2 14:11:13 freenas epair1a: Ethernet address: 02:ff:20:00:06:0a
Oct  2 14:11:13 freenas epair1b: Ethernet address: 02:ff:70:00:07:0b
Oct  2 14:11:13 freenas kernel: epair1a: link state changed to UP
Oct  2 14:11:13 freenas kernel: epair1a: link state changed to UP
Oct  2 14:11:13 freenas kernel: epair1b: link state changed to UP
Oct  2 14:11:13 freenas kernel: epair1b: link state changed to UP
Oct  2 14:11:13 freenas kernel: epair1a: promiscuous mode enabled
Oct  2 14:11:13 freenas devd: Executing '/etc/rc.d/dhclient quietstart epair1a'
Oct  2 14:11:13 freenas kernel: ng_ether_ifnet_arrival_event: can't re-name node epair1b
Oct  2 14:11:13 freenas kernel: ng_ether_ifnet_arrival_event: can't re-name node epair1b



I'm assuming it has to do with the firewall code that I copied from the tutorial. The part of the code that I believe is causing the error in the log is the {EPAIR} command. The code is below.

Code:
#!/bin/sh

# Outside (epair) interface of the jail: take the first match so the script
# still produces one interface name if more than one epair is present.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair | head -n 1)
ipfw -q -f flush
# NAT the VPN subnet behind the jail's address on the way out, and pass
# inbound traffic on the same interface through the NAT so replies return.
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename whatever tun device was cloned at boot to tun0 so OpenVPN always
# binds the same interface.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun | head -n 1)
ifconfig ${TUN} name tun0
 
robles (Explorer, joined Jul 29, 2014, 89 messages)
The EPAIR line only reads your interfaces and stores them in a variable. I've looked up the ng_ether_ifnet_arrival_event error but haven't come up with anything significant. Bug #7413 suggests you may safely ignore those errors.

Cert revocation was part of this tutorial until Easy-RSA changed the procedure in its new version. I'll be working on investigating how to implement it here.
 

Joseph Lennemann (Explorer, joined Aug 27, 2016, 69 messages)
It took me a few hours, but I figured it out. The command is below.

  1. /usr/local/share/easy-rsa]# ./easyrsa revoke NAME-OF-CERT
  2. /usr/local/share/easy-rsa]# ./easyrsa gen-crl
  3. [root@openvpn /]# service openvpn stop
  4. /usr/local/share/easy-rsa/pki]# nano index.txt

Code:
V	   260930150303Z		   01	  unknown /CN=joseph
R	   260930150554Z   161003035602Z   02	  unknown /CN=joseph.lennemann

The "R" means the certificate is revoked. I believe you will still need to delete it from your "keys" directory, but I'm not sure. I have not moved to that point until now. After testing with my iPhone, it will still connect, but the OpenVPN app logs show CN:joseph and not CN:joseph.lennemann. I did try to revoke "joseph" using "/easyrsa revoke joseph", but I received an error. I've posted it below.

Code:
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa revoke joseph

Note: using Easy-RSA configuration from: ./vars

Easy-RSA error:

Unable to revoke as the input file is not a valid certificate. Unexpected
input in file: /usr/local/share/easy-rsa/pki/issued/joseph.crt

Looking in the /pki/issued directory it still shows up. If I understand correctly, the certificate can still be there as long as the index.txt file shows "R" next to the certificate and you run "/easyrsa gen-crl".

Code:
[root@OpenVPN /]# cd /usr/local/share/easy-rsa/pki/issued
[root@OpenVPN /usr/local/share/easy-rsa/pki/issued]# ls
joseph.lennemann.crt	openvpn-server.crt


At this point I'm lost.
 
Joseph Lennemann (Explorer, joined Aug 27, 2016, 69 messages)
If anyone is interested I've figured out how to successfully revoke a certificate and prevent the revoked user from connecting to the OpenVPN server with their old certificate.
 

Doc Chacha (Dabbler, joined Sep 18, 2016, 28 messages)
Many thanks for your tutorial
I installed openVPN using your tutorial today, and it works perfectly. I just had to change a little thing in the rc.conf file:
Code:
cloned_interfaces="tun0"

When I tried at first without the "0", each time I would restart the jail, the number of the tun interface OpenVPN tries to bind to would grow by one. But since the actual interface was always tun0, it would not work. With this change, the correct interface is used each time. I was not able to find what the problem was, and followed your tutorial very precisely.

Hope it helps someone... I admit I did not read through every message of the thread to see if someone already pointed it out, since the tutorial was not updated anyway.
 

Joseph Lennemann (Explorer, joined Aug 27, 2016, 69 messages)
Sure, care to share?
I have not forgotten to write up the steps. Been a little busy preparing for Hurricane Matthew. I will get it posted sometime this week.
 

Joseph Lennemann (Explorer, joined Aug 27, 2016, 69 messages)
When you follow the steps I provided to revoke a certificate it will generate a cert.pem file. This file has thousands of revoked certificates including the one you already revoked. When you try to connect with a certificate that has been revoked on the server, it will be checked against the cert.pem file. Being that the revoked certificate is now in that file the user will NOT be able to connect. You may need to stop/start the OpenVPN service for the changes to take effect. Move the cert.pem to the /mnt/keys/ directory. Unfortunately, I cannot remember the exact folder the cert.pem file is generated in, but one can easily find it by using the "ls" command in each directory. I have tested this for myself with positive results.
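As an added example (not code from this thread, from OpenVPN or from Easy-RSA), here is the OpenSSL-only workflow zoomzoom describes earlier, a CA plus server and client certificates with explicit keyUsage/extendedKeyUsage and a SAN list, combined with the revocation step the last few posts work through, done with a CRL that OpenVPN's crl-verify can load. Everything runs in a temporary directory; vpn.example.net, 192.0.2.10, the common names and the 825/3650-day lifetimes are placeholders, and openssl(1) 1.1.1 or newer on PATH is assumed. Unlike zoomzoom's config it signs with `openssl ca`, so index.txt is maintained for you and `-revoke` / `-gencrl` work without hand-editing the index.

```sh
#!/bin/sh
# Added example (not code from the thread, OpenVPN or Easy-RSA): an OpenSSL-only
# PKI for OpenVPN. The CA signs a server cert with the serverAuth EKU and a SAN
# list and a client cert with clientAuth, then revokes the client cert and
# publishes a CRL for crl-verify. Assumes openssl(1) 1.1.1+ on PATH; the
# hostname, IPs, names and lifetimes are placeholders.
set -e

# Fresh CA directory with the bookkeeping openssl ca needs (index.txt, serial,
# crlnumber, newcerts/) and a short openssl.cnf: one extension section per role.
build_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    mkdir newcerts; : > index.txt
    echo 01 > serial; echo 01 > crlnumber
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.net, IP:192.0.2.10, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Self-signed CA, then one CSR per role signed with that role's extension
    # section: KU, EKU and SAN come from our config, never from the CSR.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout ca.key -out ca.crt -subj "/CN=Example VPN CA" \
        -config openssl.cnf -extensions ca_ext >/dev/null 2>&1
    for role in server client; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$role.key" -out "$role.csr" -subj "/CN=vpn-$role" \
            -config openssl.cnf >/dev/null 2>&1
        openssl ca -batch -config openssl.cnf -extensions "${role}_ext" \
            -days 825 -notext -in "$role.csr" -out "$role.crt" >/dev/null 2>&1
    done
    chmod 600 ca.key server.key client.key   # private keys: owner-only
    gen_crl
}

# (Re)generate crl.pem from index.txt; OpenVPN loads it via `crl-verify`.
gen_crl() {
    ( cd "$WORK" && openssl ca -config openssl.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}

# True when the cert's EKU lists $2, e.g. has_eku server.crt "TLS Web Server Authentication".
has_eku() {
    openssl x509 -in "$WORK/$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Mark $1 as "R" in index.txt and publish a CRL that includes it.
revoke_cert() {
    ( cd "$WORK" && openssl ca -config openssl.cnf -revoke "$1" ) >/dev/null 2>&1
    gen_crl
}

# True when a chain check against the CA and the current CRL reports $1 as
# revoked, which is the check OpenVPN performs for crl-verify.
is_revoked() {
    ( cd "$WORK" && openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem "$1" 2>&1 ) \
        | grep -q 'certificate revoked'
}

build_pki
echo "PKI written to $WORK (ca.crt, server.crt/.key, client.crt/.key, crl.pem)"
```

The EKU that has_eku looks for on the server certificate is the one the client config's existing `remote-cert-tls server` line requires, so that directive keeps working; there is no need for the deprecated ns-cert-type. To use this with the tutorial's layout, copy ca.crt, server.crt, server.key and crl.pem into /mnt/keys, uncomment `crl-verify crl.pem` in openvpn.conf, and after every revoke_cert copy the new crl.pem over and restart OpenVPN if your version does not re-read the file on its own.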
 

robles (Explorer, joined Jul 29, 2014, 89 messages)
Don't worry about that, I've also been busy with work and being with my family. I'll test this in a new setup to see how it works and incorporate it into the tutorial at a later time.
 

Smarley (Explorer, joined Apr 11, 2016, 64 messages)
PROBLEM SOLVED.
May I erase the post?


Hi,

I'm trying to install the jail on 9.10.
Which jail template should I use?
http://download.freenas.org/jails/
Standard or pluginjail?
In this jail, do I need to choose FreeBSD or Linux in the configuration?

I tried to create it without one, in basic mode, but FreeNAS asked for the template.

Sorry about the question, I do not have experience in Linux.

Thanks!

----------

I installed using the pluginjail template and it works fine.
But when I try to use pkg update or upgrade I receive the following message:

root@OpenVPN:/ # pkg update
Updating FreeBSD repository catalogue...
pkg: Repository FreeBSD has a wrong packagesite, need to re-create database
[OpenVPN] Fetching meta.txz: 100% 944 B 0.9kB/s 00:01
[OpenVPN] Fetching packagesite.txz: 100% 5 MiB 525.6kB/s 00:11
Processing entries: 0%
pkg: wrong architecture: freebsd:10:x86:64 instead of FreeBSD:9:amd64
pkg: repository FreeBSD contains packages with wrong ABI: freebsd:10:x86:64

Processing entries: 100%
pkg: Unable to update repository FreeBSD

And when using pkg install bash, it returns that it did not find it.

Any idea how to solve this?
Is the server below correct?
I used the template http://download.freenas.org/jails/9.3/x64/freenas-pluginjail-9.3-RELEASE.tgz in x64.

This is the end of the output of pkg -vv.

Repositories:
FreeBSD: {
url : "pkg+http://pkg.FreeBSD.org/freebsd:10:x86:64/latest",
enabled : yes,
priority : 0,
mirror_type : "SRV",
signature_type : "FINGERPRINTS",
fingerprints : "/usr/share/keys/pkg"
}

--

Solved the problem with this solution:
https://forums.freenas.org/index.php?threads/jail-9-3.34821/
 

Attachment: jail.PNG

Smarley (Explorer, joined Apr 11, 2016, 64 messages)
Hi,

What is the correct configuration of the jail network?
Do I need to check only the VIMAGE box and assign a static IP?

I noticed something:
When I do not check VIMAGE, the jail takes the network IP but can't start OpenVPN.
I can only start OpenVPN when VIMAGE is checked.
In my case I put 192.168.25.54 as the jail IP and redirected port 443 to this IP in the router (I use only 443 and not 10011 like in the tutorial).
But when I check the state of the port, it seems not to be open (http://www.canyouseeme.org/).
I also checked other ports, like one that I use in a Windows VM on FreeNAS, and it's working fine.
My router is on 192.168.25.1 and FreeNAS on 192.168.25.55.

Anyone have some tip about it?

OpenVPN is running and listening on the correct port.

I think that one of my problems is that the port is not opening.
I did the configuration again, using 10011, and the same result.
Port is not opening.

Thanks!

Attachments: openvpn1.PNG, openvpn2.PNG, openvpn3.PNG, openvpn4.PNG

Smarley (Explorer, joined Apr 11, 2016, 64 messages)
I deleted everything and did the procedure again with standard instead of pluginjail, and the result is the same.
I think that my problem is that the port is not opening, but the router is configured OK.

Do I need to configure something special in FreeNAS to port-forward this?
I checked the VIMAGE box after pkg update, upgrade, install...
With this box checked I did not get internet.
And if I leave it unchecked OpenVPN does not start.
Here my files:

nano openvpn.conf
Code:
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.25.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
group nobody
user nobody
comp-lzo
persist-key
persist-tun


nano /usr/local/etc/ipfw.rules
Code:
#!/bin/sh

# Outside (epair) interface of the jail: take the first match so the script
# still produces one interface name if more than one epair is present.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair | head -n 1)
ipfw -q -f flush
# NAT the VPN subnet behind the jail's address on the way out, and pass
# inbound traffic on the same interface through the NAT so replies return.
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename whatever tun device was cloned at boot to tun0 so OpenVPN always
# binds the same interface.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun | head -n 1)
ifconfig ${TUN} name tun0


nano /etc/rc.conf

Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="openvpn"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/keys/openvpn.conf"
openvpn_dir="/mnt/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


Client

Code:
client
dev tun
proto udp
remote [my ddns here] 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert smarley.crt
key smarley.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3

root@openvpn:/mnt/keys # ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any


root@openvpn:/mnt/keys # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:70:00:09:0b
inet 192.168.25.54 netmask 0xffffff00 broadcast 192.168.25.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 172.16.8.1 --> 172.16.8.2 netmask 0xffffffff
nd6 options=9<PERFORMNUD,IFDISABLED>
 
NasKar (Guru, joined Jan 8, 2016, 739 messages)
@robles thank you for this guide with the excellent explanations. It's amazing that I can access my network on my iPhone like I'm on my home network.
1) Is there a way to limit a client to access only a particular IP on the network? For example my Plex in its own jail.
2) Can someone clarify what "route all your traffic as a true VPN" means in the Know This section. (sorry if this is too basic)
 

zoomzoom (Guru, joined Sep 6, 2015, 677 messages)
  1. Firewall rules.
    1. Configure CCD in the server config with static IPs [if referring to the VPN only]
    2. Allow all traffic to be forwarded to the vpn port
    3. Allow traffic from specified static IP to specific ports
    4. Block all other traffic from static IP
  2. Gateway Redirect
 

zoomzoom (Guru, joined Sep 6, 2015, 677 messages)
@robles You had asked about the steps for using an openssl.cnf, and they can be found here. It's a revamped OpenWrt wiki I wrote a while back with DokuWiki plugins I integrated over the past week to make it far more cohesive and easier to follow.
 

NasKar (Guru, joined Jan 8, 2016, 739 messages)
I've been trying to research your recommendations for #1 but not making much progress. I get the feeling that you create a text file (CCD) and it gives the VPN user a static IP on the purple part of the network. https://openvpn.net/index.php/open-source/documentation/howto.html#scope . I'm not sure even where to put it. Seems like /etc/openvpn but I don't have that directory after my install. Any possibility you could give an example of the 4 steps that I could adapt to my current network. Thanks for your prior response.
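Added example, not the tutorial's ipfw.rules script and not code from any poster: a version of the jail's ipfw setup that also does what zoomzoom's four steps describe, giving one client a fixed VPN address through a ccd file and allowing it to reach a single LAN service only. It builds the rules as text so they can be read and tested off the box before ipfw loads them, and it picks the first epair/tun interface deterministically, which the plain `ifconfig -l | grep` pipeline in the posted script does not guarantee when several exist. Assumed and not taken from the thread: FreeBSD ipfw inside a VIMAGE jail, `topology subnet` and `client-config-dir /mnt/keys/ccd` added to openvpn.conf, Plex at 192.168.25.60:32400, and 172.16.8.50 as the pinned client address.

```sh
#!/bin/sh
# Added example, not the tutorial's script: build the jail's ipfw rules as text
# so they can be reviewed (and tested) before ipfw loads them. It picks one
# epair/tun interface deterministically, NATs only the VPN subnet, and pins a
# single VPN client to one LAN service. Assumed, not taken from the thread:
# FreeBSD ipfw in a VIMAGE jail, `topology subnet` and
# `client-config-dir /mnt/keys/ccd` in openvpn.conf, and the addresses/ports.

# First interface whose name starts with $2 in an `ifconfig -l` list ($1);
# prints nothing when there is none. Avoids the multi-match the plain
# `ifconfig -l | grep epair` pipeline produces when several epairs exist.
pick_iface() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep "^$2" | head -n 1
}

# NAT rules: $1 = outside (epair) interface, $2 = VPN subnet. Only the VPN
# subnet is translated on the way out; everything arriving on the outside
# interface is run through the NAT so replies are un-translated.
emit_nat_rules() {
    cat <<EOF
nat 1 config if $1
add 100 nat 1 ip from $2 to any out via $1
add 110 nat 1 ip from any to any in via $1
EOF
}

# Per-client restriction (zoomzoom's steps 3 and 4): the client holding VPN
# address $2 may open TCP connections to $3:$4 only; anything else it sends
# into the tunnel ($5) is dropped. $1 is the first rule number; ipfw
# evaluates rules in numeric order, so both sit before the default 65535.
emit_client_rules() {
    cat <<EOF
add $1 allow tcp from $2 to $3 $4 in via $5
add $(($1 + 1)) deny ip from $2 to any in via $5
EOF
}

# ccd/<common name> (zoomzoom's step 1): give the named client a fixed VPN
# address so the rules above can refer to it (needs `topology subnet`).
write_ccd() {
    mkdir -p "$1"
    printf 'ifconfig-push %s 255.255.255.0\n' "$3" > "$1/$2"
}

# Load the rules on FreeBSD: flush, then feed each generated line to ipfw.
apply_rules() {
    ifaces=$(/sbin/ifconfig -l)
    ext=$(pick_iface "$ifaces" epair)
    tun=$(pick_iface "$ifaces" tun)
    [ -n "$ext" ] && [ -n "$tun" ] || { echo "no epair/tun interface" >&2; return 1; }
    ipfw -q -f flush
    {
        emit_nat_rules "$ext" 172.16.8.0/24
        emit_client_rules 200 172.16.8.50 192.168.25.60 32400 "$tun"
    } | while read -r line; do
        ipfw -q $line   # word-splitting on purpose: each line is one rule
    done
}

# `sh ipfw-gen.sh apply` loads the rules; anything else only prints them.
if [ "${1:-}" = apply ] && command -v ipfw >/dev/null 2>&1; then
    apply_rules
else
    emit_nat_rules epair0b 172.16.8.0/24
    emit_client_rules 200 172.16.8.50 192.168.25.60 32400 tun0
fi
```

Rules 200 and 201 come before the `65535 allow ip from any to any` default visible in Smarley's `ipfw list` output, so the deny is actually reached. The ccd file name must equal the client certificate's Common Name (write_ccd /mnt/keys/ccd alice 172.16.8.50 for a cert issued to "alice"), and because only the VPN subnet is NATed out via the epair, LAN hosts never see VPN addresses, so any per-client filtering has to live here, on the tun side, as it does in emit_client_rules.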
 