How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
So I guess, to answer my own question, it is preferable to change local IPs to 10.*** type A addresses in order not to have conflicts.
The 10.0.0.0/8 subnet block is set aside for LAN usage which means every subnet from 10.0.0.0/8 [255.0.0.0] through 10.255.255.255/30 [255.255.255.252]. 10.0.0.0/24 [255.255.255.0] is not the same subnet as 10.8.0.0/24.
  • Also, conflicts won't arise unless you're also using 10.0.0.0/24 somewhere on your network, and if you'd prefer to have multiple subnets with the same IP prefix, you change the subnet mask.
    • For example, one could have 10.0.0.0/24 for their LAN [covers 10.0.0.0/24 - 10.0.0.255/24 (subnet mask 255.255.255.0)] and 10.0.0.0/26 for their VPN [10.0.0.63 - 10.0.0.63/26 (subnet mask 255.255.255.192)]
      • The 4th digit block in an IP will always use the first and last digit of the 4th digit block for broadcasting (i.e. in 10.0.0.0/24, 10.0.0.0 & 10.0.0.255 would be broadcast IPs that are not assignable, just as the netmask of 255.255.255.255 is a broadcast address)

  • This Subnet Mask Cheat Sheet should help to visualize the subnet ranges better.
I'm still having an issue opening/forwarding ports to my jail. I tried forwarding Emby server and it worked fine on port 8096, but any port forwarded from the OpenVPN jail is closed. Any ideas? Using a DDNS address with standard 1194. Using settings from this tutorial otherwise almost to the T. Haven't switched yet from 192. to 10. type A.

Seems like any port I open and forward to the jail is closed.
Someone else will need to respond for this, as I've never used Emby.
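A quick way to check the subnet arithmetic discussed above before committing to a VPN pool, added here as an example and not code from the HowTo or from zoomzoom: it uses only Python's standard ipaddress module, the LAN and pool values are constructed samples, and pool_conflicts also takes the networks roaming clients usually sit on, since a pushed LAN route that matches the client's own subnet is the most common cause of "connected but nothing reachable".

```python
import ipaddress

# Constructed sample input (assumed, not from the thread's configs): the LAN in
# the "a.b.c.d/255.255.255.0" form that maps directly onto OpenVPN's
# "server a.b.c.d 255.255.255.0" / push "route a.b.c.d 255.255.255.0" lines.
LAN = "192.168.1.0/255.255.255.0"


def describe_pool(vpn_pool):
    """Network, netmask, broadcast and usable host range of a VPN pool.

    strict=True rejects a pool whose host bits are set (e.g. 10.8.0.1/24),
    which is what OpenVPN's 'server' option wants anyway.
    """
    net = ipaddress.ip_network(vpn_pool, strict=True)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
        "private": net.is_private,  # RFC 1918 / loopback / link-local etc.
    }


def overlaps(cidr_a, cidr_b):
    """True when at least one address lies in both prefixes.

    A longer prefix inside a shorter one (10.0.0.0/26 inside 10.0.0.0/24)
    overlaps: the mask only changes the size, not the start of the range.
    """
    return ipaddress.ip_network(cidr_a, strict=False).overlaps(
        ipaddress.ip_network(cidr_b, strict=False))


def pool_conflicts(vpn_pool, *lans):
    """Prefixes among `lans` that the VPN pool collides with.

    Pass the server-side LAN that is pushed as a route AND the subnets roaming
    clients typically sit on (home/hotel 192.168.0.0/24, 192.168.1.0/24); a
    pushed route equal to the client's own subnet is shadowed by its local route.
    """
    return [lan for lan in lans if overlaps(vpn_pool, lan)]


if __name__ == "__main__":
    for pool in ("10.8.0.0/24", "10.0.0.0/26", "172.16.8.0/255.255.255.0"):
        print(pool, describe_pool(pool),
              "conflicts:", pool_conflicts(pool, "10.0.0.0/24", LAN))
```

Run it against the pool you intend to put on the `server` line together with every LAN it will be routed to; an empty conflict list for all of them is the precondition for the pushed route to work.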
 

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11
It's not so much an issue for Emby; it's the fact that it points out an inherent issue with the VPN box. Certificates and services are all up as expected, I just can't open and connect to the VPN as no ports are open.

So my issue so far: I followed this guide, and I see that OpenVPN is working and listening in the jail. I tried listening on port 1194, which is the default, and 10011, which is what the guide uses. Also tried neutral ports 2294 and 8096.

While listening on default port 1194:

- Forwarding the port to the router: ANY port is rejected. I looked at the DDNS log and all ports I extend/forward are rejected, even though the server is set to listen on them (change .conf, restart, etc.)
- Forwarding another port to ANOTHER box, for example Emby, works; ports open as expected. So it is the box and the VPN configuration. Currently at work, looking again at documentation.

- In the config right now I have port 1194 set instead of 10011 from the tutorial, the default port.
- I'm still using type C (starts with 192) for the LAN, haven't switched yet.
- The VPN internal network inside the VPN box is set in .conf to type B (starts with 172, otherwise the same address as in this tutorial)
 

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11
So my guess is I need to go ahead and reconfigure my router to use a type A LAN and get rid of 192.*** addresses.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@vodka1983 did you take the time to read the HowTo and man page? Please post your server and client configs, as well as server and client logs.
 

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11


I ran through it, yes. Spent some time reading some other areas on the actual OpenVPN site, fairly interesting.

I finally got my jail to open ports. Right now using the default, and I see it from work as open:

Host is up (0.16s latency).

PORT STATE SERVICE
1194/udp open|filtered openvpn


However, I cannot connect from my Android phone:
-Server poll timeout...
-Event: reconnecting...
-Event: resolve..
event: wait..
reconnect trying next entry ..

...and so on in a circle. Those were the highlights of the log.

On the router side:
Firewall off. UPnP off. Verified the firewall has a port from another jail and from outside; port is open.


Here is the server config:

local 192.168.1.5
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 172.16.8.0 255.255.255.0 #Purple
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

Here is the client config:

client
dev tun
proto udp
remote this.ddns.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert g.crt
key g.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 192.168.1.0
#redirect-gateway def1
comp-lzo
verb 3
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Please paste config and log output within [code] [/code] brackets

You're missing port 1194 and topology subnet in your server config. The missing port option should fix the issue, but if it doesn't, please change the following, then re-post both configs and log files:
  • Server
    • port 1194
    • proto tcp
    • topology subnet
    • verb 4
  • Client
    • proto tcp
    • float
    • verb 5
Once done, please restart the server and try to reconnect with the client. Once both have been done/attempted, please paste the log output from the server and client. Additionally, please post the output [in code brackets] of ls -lsa of each of the directories the following files are stored within:
  • server config
  • certs
  • keys
 

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11

Will do when I get home; however, according to OpenVPN, when you don't specify the port, 1194 will open. This is why I said you can see it open in sockstat, nmap on local and nmap on remote.

- Is there a reason to specify TCP? The manual called for UDP, so that's what I used.

Will post the ls for the dirs when I get home.

- Verbose would help for sure.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
...however according to openvpn when you dont specify the port, 1194 will open. this is why i said you can see it open in sockstat, nmap on local and nmap on remote.
Unless something changed in 2.4, port should be specified. As I mentioned previously, a non-standard port should be utilized (i.e. not 1194, and one that is >1024 but <10000); otherwise, if you're exposing the VPN to the WAN, you're going to get hundreds to thousands of entries for dropped/rejected inbound WAN traffic on 1194 in the firewall log of the WAN-facing router [same reason a WAN-facing SSH server should not use port 22 on the WAN side].

All VPN traffic should be logged in the router firewall with rules similar to:
Code:
#!/bin/sh

##::[[----->  IPtables Firewall Script  <-----]]::##

# These rules assume the default port of 1194 is not used for the VPN
# Port 4999 is being used arbitrarily for the VPN SSH port
# Port 5000 is being used arbitrarily for the VPN port
# INPUT should be replaced by the router's incoming zone for WAN traffic


# Establish Custom Chains #
#---------------------------------------------------

# Drop:
iptables -w -N DROP-Zone_LAN-dest
iptables -w -N DROP-Zone_WAN-dest
iptables -w -N DROP-Zone_WAN-src

# Rate Limit:
iptables -w -N Rate_Limit

# Reject:
iptables -w -N REJECT-Zone_LAN-dest
iptables -w -N REJECT-Zone_WAN-dest
iptables -w -N REJECT-Zone_WAN-src

# SSH & VPN (both chains must exist before anything jumps to them):
iptables -w -N LOG-SSH
iptables -w -N LOG-VPN


# Log All Dropped #
#---------------------------------------------------

# Inbound LAN:
iptables -w -A DROP-Zone_LAN-dest -j LOG --log-prefix "<[[--- LAN Inbound DROPPED ---]]> : " --log-level 4
iptables -w -A DROP-Zone_LAN-dest -j DROP

# Outbound WAN:
iptables -w -A REJECT-Zone_WAN-dest -j LOG --log-prefix "<[[--- WAN Outbound DROPPED ---]]> : " --log-level 4
iptables -w -A REJECT-Zone_WAN-dest -j DROP

# Inbound WAN:
iptables -w -A REJECT-Zone_WAN-src -j LOG --log-prefix "<[[--- WAN Inbound DROPPED ---]]> : " --log-level 4
iptables -w -A REJECT-Zone_WAN-src -j DROP


# Send New Connections To The Rate Limit Chain #
#---------------------------------------------------

# Pings:
iptables -w -A INPUT -p icmp --icmp-type echo-request -j Rate_Limit

# SSH & VPN:
iptables -w -A INPUT -p tcp --dport 4999 -m state --state NEW -j Rate_Limit
iptables -w -A INPUT -p tcp --dport 5000 -m state --state NEW -j Rate_Limit
iptables -w -A INPUT -p udp --dport 5000 -m state --state NEW -j Rate_Limit


# Apply Rate Limit #
#---------------------------------------------------
# The limit rules come first: a packet within the limit is handed to a LOG chain
# (which accepts it); anything that falls through is over the limit and is
# logged, then rejected/dropped. Appending the reject rules first would reject
# everything before the limit rules were ever consulted.

# Pings:
iptables -w -A Rate_Limit -p icmp --icmp-type echo-request -m limit --limit 4/sec -j ACCEPT

# SSH & VPN:
iptables -w -A Rate_Limit -p tcp --dport 4999 -m limit --limit 3/min --limit-burst 3 -j LOG-SSH
iptables -w -A Rate_Limit -p tcp --dport 5000 -m limit --limit 3/min --limit-burst 3 -j LOG-VPN
iptables -w -A Rate_Limit -p udp --dport 5000 -m limit --limit 3/min --limit-burst 3 -j LOG-VPN

# Drop / Reject (over the limit; log before the terminating targets):
iptables -w -A Rate_Limit ! -p icmp -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: " --log-level 4
iptables -w -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset
iptables -w -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -w -A Rate_Limit -j DROP


# Log Traffic #
#---------------------------------------------------

# SSH (4999 is the VPN SSH port, so it is logged through LOG-VPN):
iptables -w -A LOG-SSH -p tcp --dport 4999 -j LOG-VPN
iptables -w -A LOG-SSH -j LOG --log-prefix "<[[---  SSH Traffic ---]]> : " --log-level 4
iptables -w -A LOG-SSH -j ACCEPT

# VPN:
iptables -w -A LOG-VPN -p tcp --dport 4999 -j LOG --log-prefix "<[[--- VPN --> SSH Traffic ---]]> : " --log-level 4
iptables -w -A LOG-VPN -j LOG --log-prefix "<[[---  VPN Traffic ---]]> : " --log-level 4
iptables -w -A LOG-VPN -j ACCEPT

...is there a reason to specify tcp? manual called for udp so thats what i used.
TCP should only be used for two use cases, troubleshooting and when a user has high packet loss utilizing udp.
  • The reason why UDP should be used in every other situation is because TCP cannot efficiently encapsulate itself [all traffic over an SSL VPN is TCP encapsulated in UDP packets].
...verbose would help for sure.
Verbosity default should be 4 on the server and 5 on the client, as both provide the basic information required when troubleshooting, negating the need to constantly change verbosity if a problem arises (same reason why all VPN firewall rules should be for both tcp & udp).
  • Anything higher than 4 in the server config will result in r/w access being logged, and anything over 5 in the client will result in a lot of unneeded information.
 
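The rules above tag every VPN, SSH and over-limit packet with its own --log-prefix, which makes the router log easy to mine for who is hammering the VPN port. The following is an added example, not part of zoomzoom's script or the HowTo: it parses the KEY=VALUE format the iptables LOG target writes, counts events per prefix/protocol/port, and lists sources that keep tripping the drop chains. The log lines are constructed to match the prefixes in the script; the hostname, addresses and syslog framing are assumed.

```python
import re
from collections import Counter

# The LOG target emits "<prefix> IN=<if> OUT=<if> [MAC=..] SRC=.. DST=.. .. PROTO=.. SPT=.. DPT=..".
# The optional "[seconds.micros]" group handles kernel timestamps (e.g. OpenWrt logread).
_LINE = re.compile(
    r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_iptables_log(line):
    """Return a dict for an iptables LOG line, or None for anything else."""
    m = _LINE.search(line)
    if not m:
        return None
    fields = dict(_KV.findall(m.group("fields")))  # flags like DF/SYN have no '=' and are skipped
    return {
        "prefix": m.group("prefix").strip(),
        "in_if": fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize(lines):
    """Event count per (log prefix, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        ev = parse_iptables_log(line)
        if ev:
            counts[(ev["prefix"], ev["proto"], ev["dport"])] += 1
    return counts


def noisy_sources(lines, prefix_substring="DROPPED", threshold=3):
    """Sources logged at least `threshold` times by a chain whose prefix contains `prefix_substring`."""
    per_src = Counter()
    for line in lines:
        ev = parse_iptables_log(line)
        if ev and prefix_substring in ev["prefix"]:
            per_src[ev["src"]] += 1
    return {src: n for src, n in per_src.items() if n >= threshold}


# Constructed sample log: two VPN sessions on udp/5000, one VPN SSH session, one
# source exceeding the 3/min limit on 4999, one probe of the unused default port
# 1194, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Apr 17 07:33:13 router kernel: <[[---  VPN Traffic ---]]> : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=54855 DPT=5000 LEN=40
Apr 17 07:33:19 router kernel: <[[---  VPN Traffic ---]]> : IN=eth0 OUT= SRC=203.0.113.22 DST=198.51.100.5 LEN=60 TTL=50 ID=0 DF PROTO=UDP SPT=41000 DPT=5000 LEN=40
Apr 17 07:33:20 router kernel: <[[--- VPN --> SSH Traffic ---]]> : IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TTL=54 ID=0 DF PROTO=TCP SPT=50010 DPT=4999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 17 07:33:21 router kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40001 DPT=4999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 17 07:33:22 router kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40002 DPT=4999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 17 07:33:23 router kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40003 DPT=4999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 17 07:33:24 router kernel: <[[--- Connection DROPPED ---]]>: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=40004 DPT=4999 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 17 07:33:30 router kernel: <[[--- WAN Inbound DROPPED ---]]> : IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 LEN=60 TTL=44 ID=0 DF PROTO=UDP SPT=1194 DPT=1194 LEN=40
Apr 17 07:33:31 router sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, n in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(n, key)
    print("noisy:", noisy_sources(lines))
```

Feed it `logread` or `/var/log/kern.log`; the sources it returns are the candidates for a `-m recent` ban or a Fail2Ban jail, which is the trade-off discussed a few posts further down.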

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11
Not planning on using 1194; I had it set up with other ports. I just want it to work before I make other changes, so I tried to simplify it.

Also, for unwarranted requests, this:
https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN

I used DenyHosts before and it worked well for an SSH gateway server.
However, with sniffing tools and nmap it's easy to spot ports, OS type etc. It might slow someone down, but that's it. The only really good way is to add an RSA key, disable password login and insta-ban on absence of a key :)

Will get on this when I get to the house.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Fail2Ban is an option, however, depending on the use case, there may be more efficient ways to employ the same effect through iptables. All WAN facing routers should reject or drop inbound WAN traffic unless explicitly configured not to via NAT.
  • The reason for usage of non-standard ports is simply so that the firewall log isn't bogged down by the hundreds to thousands of inbound requests made everyday to WAN facing routers on ports 1194, 22, 23, 4444, etc. All SSH and VPN traffic on a WAN facing router should be logged, and Fail2Ban could potentially consume more resources than simply utilizing a few iptables rules, such as:
Code:
#!/bin/sh

##::[[----->  OpenWrt Firewall Script  <-----]]::##

# Note:
#   Port 4998 is being used arbitrarily for the SSH port
#   Port 4999 is being used arbitrarily for the VPN SSH port
#   Port 5000 is being used arbitrarily for the VPN port


# Variables #
#---------------------------------------------------

# VPN:
VPN=$(uci get network.vpn.ifname)

# WAN:
WAN=$(uci get network.wan.ifname)


# Establish Custom Chains #
#---------------------------------------------------

# Brute Force:
iptables -w -N DROP-Brute

# Drop:
iptables -w -N DROP-Zone_LAN-dest
iptables -w -N DROP-Zone_WAN-dest
iptables -w -N DROP-Zone_WAN-src

# Rate Limit:
iptables -w -N Rate_Limit

# Reject:
iptables -w -N REJECT-Zone_LAN-dest
iptables -w -N REJECT-Zone_WAN-dest
iptables -w -N REJECT-Zone_WAN-src

# SSH & VPN:
iptables -w -N LOG-SSH
iptables -w -N LOG-VPN


# Log All Dropped #
#---------------------------------------------------

# Brute Force:
iptables -w -A DROP-Brute -j LOG --log-prefix "<[[--- BRUTE DROPPED ---]]> : " --log-level 4
iptables -w -A DROP-Brute -j DROP

# Inbound LAN:
iptables -w -A DROP-Zone_LAN-dest -j LOG --log-prefix "<[[--- LAN Inbound DROPPED ---]]> : " --log-level 4
iptables -w -A DROP-Zone_LAN-dest -j DROP

# Outbound WAN:
iptables -w -A REJECT-Zone_WAN-dest -j LOG --log-prefix "<[[--- WAN Outbound DROPPED ---]]> : " --log-level 4
iptables -w -A REJECT-Zone_WAN-dest -j DROP

# Inbound WAN:
iptables -w -A REJECT-Zone_WAN-src -j LOG --log-prefix "<[[--- WAN Inbound DROPPED ---]]> : " --log-level 4
iptables -w -A REJECT-Zone_WAN-src -j DROP


# Brute Force Ban #
#---------------------------------------------------
# SSH and the VPN deliberately do NOT listen on 22, 23 or 1194, so any new WAN
# connection to those ports is a scanner or a brute-forcer. The first rule records
# the source in the 'recent' table, the second matches it (hitcount 1 within 60s)
# and hands it to DROP-Brute, so every such attempt is logged and dropped.
for PORT in 22 23 1194; do
    iptables -w -A INPUT -p tcp --dport $PORT -i $WAN -m state --state NEW -m recent --set
    iptables -w -A INPUT -p tcp --dport $PORT -i $WAN -m state --state NEW -m recent --update --seconds 60 --hitcount 1 -j DROP-Brute
done
iptables -w -A INPUT -p udp --dport 1194 -i $WAN -m state --state NEW -m recent --set
iptables -w -A INPUT -p udp --dport 1194 -i $WAN -m state --state NEW -m recent --update --seconds 60 --hitcount 1 -j DROP-Brute


# Send New Connections To The Rate Limit Chain #
#---------------------------------------------------

# Pings:
iptables -w -A INPUT -p icmp --icmp-type echo-request -i $WAN -j Rate_Limit

# SSH & VPN:
iptables -w -A INPUT -p tcp --dport 4998 -i $WAN -m state --state NEW -j Rate_Limit
iptables -w -A INPUT -p tcp --dport 4999 -i $WAN -m state --state NEW -j Rate_Limit
iptables -w -A INPUT -p tcp --dport 5000 -i $WAN -m state --state NEW -j Rate_Limit
iptables -w -A INPUT -p udp --dport 5000 -i $WAN -m state --state NEW -j Rate_Limit


# Apply Rate Limit #
#---------------------------------------------------
# Limit rules first (within the limit -> LOG chain -> ACCEPT); everything that
# falls through is over the limit and is logged, then rejected/dropped.

# Pings:
iptables -w -A Rate_Limit -p icmp --icmp-type echo-request -i $WAN -m limit --limit 4/sec -j ACCEPT

# SSH & VPN:
iptables -w -A Rate_Limit -p tcp --dport 4998 -i $WAN -m limit --limit 3/min --limit-burst 3 -j LOG-SSH
iptables -w -A Rate_Limit -p tcp --dport 4999 -i $WAN -m limit --limit 3/min --limit-burst 3 -j LOG-SSH

iptables -w -A Rate_Limit -p tcp --dport 5000 -i $WAN -m limit --limit 3/min --limit-burst 3 -j LOG-VPN
iptables -w -A Rate_Limit -p udp --dport 5000 -i $WAN -m limit --limit 3/min --limit-burst 3 -j LOG-VPN

# Drop / Reject (over the limit; log before the terminating targets):
iptables -w -A Rate_Limit ! -p icmp -j LOG --log-prefix "<[[--- Connection DROPPED ---]]>: " --log-level 4
iptables -w -A Rate_Limit -p tcp -j REJECT --reject-with tcp-reset
iptables -w -A Rate_Limit -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -w -A Rate_Limit -j DROP


# Log Traffic #
#---------------------------------------------------

# SSH (4999 is the VPN SSH port, so it is logged through LOG-VPN):
iptables -w -A LOG-SSH -p tcp --dport 4999 -j LOG-VPN
iptables -w -A LOG-SSH -j LOG --log-prefix "<[[---  SSH Traffic ---]]> : " --log-level 4
iptables -w -A LOG-SSH -j ACCEPT

# VPN:
iptables -w -A LOG-VPN -p tcp --dport 4999 -j LOG --log-prefix "<[[--- VPN --> SSH Traffic ---]]> : " --log-level 4
iptables -w -A LOG-VPN -j LOG --log-prefix "<[[---  VPN Traffic ---]]> : " --log-level 4
iptables -w -A LOG-VPN -j ACCEPT
 

vodka1983

Dabbler
Joined
Jul 4, 2014
Messages
11
Definitely thanks for the iptables idea, will implement next.


As far as my problem:

It's something this guide is missing on the first page: the routing to the LAN has to be complete.

So, first thing after using the tutorial, go look at the sample config from the official site.

purple net 0
yellow lan net 0
route : vpnserver --->> router
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Not only is that not what route is for, it should not be needed. Please post your configs and log files, as no one can help you without the information I have repeatedly requested and you have repeatedly ignored. If you're not going to post the information requested of you, please stop posting in this thread.
 

Samael

Cadet
Joined
Apr 15, 2017
Messages
2
I'm having a slightly different issue. I'm on 9.10 behind a pfSense firewall running a few different VLANs. I would use pfSense for inbound VPN, but I also run haproxy and have had one heck of a time getting the two to cooperate, so I thought using a jail as a VPN destination might be the ticket. I followed this guide with some minor changes included in this guide. 1194 is forwarded from my pfSense into my jail. I'm able to connect to the OpenVPN instance with the Android OpenVPN client over my provider's 4G network, but I'm not able to use this connection to RDP (Microsoft RDP app for Android, standard port 3389) to other machines on my LAN (same VLAN/subnet as the jail, different subnet from the internal ovpn interface). The Android OpenVPN app notes that I am connected, and displays an IP address in the server subnet (10.8.0.X) range.

I'll post my client and server config (though that works). I'm also not able to ping any of my other workstations from within this jail. I can ping/traceroute my gateway and external internet sites (8.8.8.8, www.google.com, etc). This jail is set up with VIMAGE enabled. I think it's less of an OpenVPN issue and more of a routing issue from within the jail, but after reading as much as I can I'm stuck.

Server config:
Code:
local 192.168.105.30
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/pki/ca.crt
cert /usr/local/etc/openvpn/pki/issued/VPNSERVER.crt
key /usr/local/etc/openvpn/pki/private/VPNSERVER.key
dh /usr/local/etc/openvpn/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /usr/local/etc/openvpn/ipp.txt
push "route 192.168.105.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
auth SHA512
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 4
explicit-exit-notify 1


Client config:
Code:
client
dev tun
proto udp
remote <somehostname> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert VPNCLIENT.crt
key VPNCLIENT.key
remote-cert-tls server
tls-auth ta.key 1
auth SHA512
cipher AES-256-CBC
verb 3


Any ideas? I'd really love to have this working.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Samael You need client-to-client added to your server config
 

Lucas Rey

Contributor
Joined
Jul 25, 2011
Messages
180
Dear all, I'm in trouble with the config. I created the VPN as described in the first post (tested twice), but this is the result when a client tries to connect to the FreeNAS VPN (no response from the server at all):
TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:192.168.10.7:64273
Commenting out tls-auth in both the client and server config I was able to connect to the VPN, but I'm stuck on the client and cannot reach the FreeNAS IP or FreeNAS share; on the server I see a lot of the following error:
user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed

Please help, I'm going crazy.

Server Config:
port 1195
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 172.16.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0"
#tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


Client Config:
client
dev tun
proto udp
remote 192.168.10.100 1195
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert user.name.crt
key user.name.key
remote-cert-tls server
cipher AES-256-CBC
#tls-auth ta.key 1
#dhcp-option DNS 192.168.10.1
#redirect-gateway def1
comp-lzo
verb 3


The Firewall:
[root@OpenVPN /mnt/keys]# ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


My network:
FreeNAS 192.168.10.128
OpenVPN Jail: 192.168.10.100

[root@OpenVPN /mnt/keys]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 92:5b:27:f8:a1:07
inet 192.168.10.100 netmask 0xffffff00 broadcast 192.168.10.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=9<PERFORMNUD,IFDISABLED>


Then the complete OpenVPN server log (start and connecting client):
root@OpenVPN:/mnt/keys # openvpn --config /mnt/keys/openvpn.conf
Mon Apr 17 07:32:30 2017 OpenVPN 2.4.1 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 13 2017
Mon Apr 17 07:32:30 2017 library versions: OpenSSL 1.0.1s-freebsd 1 Mar 2016, LZO 2.10
Mon Apr 17 07:32:30 2017 Diffie-Hellman initialized with 2048 bit key
Mon Apr 17 07:32:30 2017 Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Mon Apr 17 07:32:30 2017 ECDH curve secp384r1 added
Mon Apr 17 07:32:30 2017 ROUTE_GATEWAY 192.168.10.1/255.255.255.0 IFACE=epair0b HWADDR=92:5b:27:f8:a1:07
Mon Apr 17 07:32:30 2017 TUN/TAP device /dev/tun0 opened
Mon Apr 17 07:32:30 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Apr 17 07:32:30 2017 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Mon Apr 17 07:32:30 2017 /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
add net 172.16.8.0: gateway 172.16.8.2
Mon Apr 17 07:32:30 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Mon Apr 17 07:32:30 2017 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Apr 17 07:32:30 2017 setsockopt(IPV6_V6ONLY=0)
Mon Apr 17 07:32:30 2017 UDPv6 link local (bound): [AF_INET6][undef]:1195
Mon Apr 17 07:32:30 2017 UDPv6 link remote: [AF_UNSPEC]
Mon Apr 17 07:32:30 2017 GID set to nobody
Mon Apr 17 07:32:30 2017 UID set to nobody
Mon Apr 17 07:32:30 2017 MULTI: multi_init called, r=256 v=256
Mon Apr 17 07:32:30 2017 IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Mon Apr 17 07:32:30 2017 ifconfig_pool_read(), in='user.name,172.16.8.4', TODO: IPv6
Mon Apr 17 07:32:30 2017 succeeded -> ifconfig_pool_set()
Mon Apr 17 07:32:30 2017 IFCONFIG POOL LIST
Mon Apr 17 07:32:30 2017 user.name,172.16.8.4
Mon Apr 17 07:32:30 2017 Initialization Sequence Completed

Mon Apr 17 07:33:13 2017 192.168.10.7 TLS: Initial packet from [AF_INET6]::ffff:192.168.10.7:54855, sid=36b9e2d0 5d983149
Mon Apr 17 07:33:13 2017 192.168.10.7 VERIFY OK: depth=1, CN=Studio CA
Mon Apr 17 07:33:13 2017 192.168.10.7 VERIFY OK: depth=0, CN=user.name
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_VER=2.3.14
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_PLAT=win
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_PROTO=2
Mon Apr 17 07:33:13 2017 192.168.10.7 peer info: IV_GUI_VER=OpenVPN_GUI_10
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Mon Apr 17 07:33:13 2017 192.168.10.7 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 17 07:33:13 2017 192.168.10.7 Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Apr 17 07:33:13 2017 192.168.10.7 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Apr 17 07:33:13 2017 192.168.10.7 [user.name] Peer Connection Initiated with [AF_INET6]::ffff:192.168.10.7:54855
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI: Learn: 172.16.8.6 -> user.name/192.168.10.7
Mon Apr 17 07:33:13 2017 user.name/192.168.10.7 MULTI: primary virtual IP for user.name/192.168.10.7: 172.16.8.6
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 SENT CONTROL [user.name]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5,peer-id 0' (status=1)
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Lucas Rey You're missing auth SHA256 in your client config
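A configuration diff explains both errors in the post above: "cannot locate HMAC in incoming packet" is tls-auth enabled on one peer only, and "packet HMAC authentication failed" after a successful handshake is the data-channel auth digest differing (server auth SHA256, client defaulting to SHA1, which is exactly what the "'auth' is used inconsistently" warning in the server log reports). The following checker is an added example, not part of the HowTo or of any poster's setup; the sample configs are trimmed from the ones posted, and the defaults it assumes for omitted options (auth SHA1, cipher BF-CBC, proto udp, port 1194) are OpenVPN 2.3/2.4 defaults.

```python
import shlex


def parse_ovpn(text):
    """OpenVPN config text -> {option: [[args], ...]} (options may repeat, e.g. push).

    Lines starting with '#' or ';' are comments, so a commented-out
    '#tls-auth ta.key 0' is treated as absent, as OpenVPN treats it.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        line = line.split(" #", 1)[0]  # trailing comment, e.g. 'server ... #Purple'
        parts = shlex.split(line)       # handles push "route a.b.c.d mask"
        opts.setdefault(parts[0], []).append(parts[1:])
    return opts


def _first(opts, name, default=None):
    return opts[name][0] if name in opts else default


def check_pair(server_text, client_text):
    """Mismatches between a server and a client config that break the connection."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    problems = []

    # Data-channel HMAC digest: defaults to SHA1 when 'auth' is absent. A server
    # with 'auth SHA256' and a client without it completes the TLS handshake and
    # then fails every data packet with 'packet HMAC authentication failed'.
    s_auth = _first(s, "auth", ["SHA1"])[0].upper()
    c_auth = _first(c, "auth", ["SHA1"])[0].upper()
    if s_auth != c_auth:
        problems.append(f"auth mismatch: server {s_auth}, client {c_auth}")

    # Data-channel cipher: default BF-CBC when absent (2.4 peers may negotiate
    # AES-256-GCM via NCP, but a 2.3 client such as the one in the log cannot).
    s_cipher = _first(s, "cipher", ["BF-CBC"])[0].upper()
    c_cipher = _first(c, "cipher", ["BF-CBC"])[0].upper()
    if s_cipher != c_cipher:
        problems.append(f"cipher mismatch: server {s_cipher}, client {c_cipher}")

    # comp-lzo must be on both ends or neither.
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo present on one side only")

    # tls-auth on one side only -> 'cannot locate HMAC in incoming packet';
    # on both -> key-direction 0 (server) / 1 (client), or omitted on both.
    s_ta, c_ta = _first(s, "tls-auth"), _first(c, "tls-auth")
    if (s_ta is None) != (c_ta is None):
        problems.append("tls-auth present on one side only")
    elif s_ta is not None:
        s_dir = s_ta[1] if len(s_ta) > 1 else None
        c_dir = c_ta[1] if len(c_ta) > 1 else None
        if (s_dir, c_dir) not in (("0", "1"), (None, None)):
            problems.append(f"tls-auth key-direction should be 0/1, got {s_dir}/{c_dir}")

    # Transport and port: client 'remote host [port]' must match server proto/port.
    s_proto = _first(s, "proto", ["udp"])[0].lower().rstrip("46")
    c_proto = _first(c, "proto", ["udp"])[0].lower().rstrip("46")
    if s_proto != c_proto:
        problems.append(f"proto mismatch: server {s_proto}, client {c_proto}")
    s_port = _first(s, "port", ["1194"])[0]
    remote = _first(c, "remote", [])
    c_port = remote[1] if len(remote) > 1 else "1194"
    if s_port != c_port:
        problems.append(f"port mismatch: server {s_port}, client remote {c_port}")
    return problems


# Sample configs trimmed from the ones posted above (paths and keys shortened).
SERVER = """\
port 1195
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 172.16.8.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
#tls-auth ta.key 0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
comp-lzo
"""
SERVER_TLS_AUTH = SERVER.replace("#tls-auth ta.key 0", "tls-auth ta.key 0")

CLIENT_NO_AUTH = """\
client
dev tun
proto udp
remote 192.168.10.100 1195
ca ca.crt
cert user.name.crt
key user.name.key
remote-cert-tls server
cipher AES-256-CBC
#tls-auth ta.key 1
comp-lzo
"""
CLIENT_FIXED = CLIENT_NO_AUTH.replace("#tls-auth ta.key 1", "tls-auth ta.key 1") + "auth SHA256\n"

if __name__ == "__main__":
    print("as posted:      ", check_pair(SERVER, CLIENT_NO_AUTH))
    print("tls-auth on one:", check_pair(SERVER_TLS_AUTH, CLIENT_NO_AUTH))
    print("fixed:          ", check_pair(SERVER_TLS_AUTH, CLIENT_FIXED))
```

Run it on the real files before restarting anything; an empty list is the state in which both the tls-auth and the data-channel HMAC errors cannot occur, and it is quicker than reading the server log at verb 4 for the "used inconsistently" warnings.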
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
An FYI to all:
  • OpenVPN 2.4 added support for EC ciphers, and you'll get better encryption/decryption speeds by using a TLS EC cipher.
    • View compatible TLS EC ciphers by performing the following on the server and the client(s):
      1. openvpn --show-tls
        • Add applicable TLS options to server config
          Code:
          	# Depends on the client, as not all are compatible with TLS 1.2
          	# Where version is either: 1.0, 1.1, or 1.2 
          #--------------------------------------------------------------------------------
          	tls-version-min	 1.2
          
          
          	# ECDHE ciphers 1st, DHE 2nd, ECDH 3rd, plain TLS RSA 4th, exclusions 5th  
          #--------------------------------------------------------------------------------
          	tls-cipher		  'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'
          
      2. tls-server may also be needed in the server config, but I'm not sure if it's required on FreeBSD
      • Server & client logs will show the TLS cipher used.

    • ECDHE, DHE, and ECDH require:
      • DH_RSA
        • Key exchange occurs via a static Diffie-Hellman key. The server public key must be a Diffie-Hellman key, which must have been issued by a CA that was using an RSA signing key.
      • DHE_RSA
        • Key exchange occurs via an ephemeral Diffie-Hellman; the server dynamically generates & signs a DH public key, sending it to the client. The server public key must be an RSA key, and its certificate must utilize the digitalSignature keyUsage.
      • ECDH_RSA
        • Like DH_RSA, but with elliptic curves: the server public key must be an ECDH key, with a certificate issued by a CA which utilized an RSA signing key
      • ECDHE_RSA
        • Like ECDH_RSA, except that the server public key is an RSA key, utilized for signing the ephemeral elliptic-curve Diffie-Hellman key the server sends, along with the signature having an elliptic curve

  • It is also recommended to employ tuning options, which can be seen in the server config on my GitHub
 
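The cipher-ordering advice in the post above (ECDHE first, DHE second, ECDH third, plain RSA fourth, exclusions last), as an added example that is not part of the post or of the tutorial's GitHub config: a small Python check that splits a tls-cipher value into suites and exclusions, classifies each suite by key-exchange family and forward secrecy, confirms the suites are listed in the recommended order, and converts each name to the OpenSSL spelling that OpenVPN prints in its "Control Channel:" log line. The TLS_CIPHER value is copied from the post; the name mapping is only verified for the AES suites it contains, so other families are an assumption.

```python
import re

# tls-cipher value copied from the post above, quotes included as OpenVPN accepts them.
TLS_CIPHER = (
    "'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:"
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:"
    "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384:"
    "TLS-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA256:"
    "!aNULL:!eNULL:!LOW:!3DES:!MD5:!SHA:!EXP:!PSK:!SRP:!DSS:!RC4'"
)

# Key-exchange families in the order the post recommends, most preferred first.
PREFERENCE = ["ECDHE", "DHE", "ECDH", "RSA"]
# Only the ephemeral exchanges give forward secrecy; static ECDH and RSA do not.
FORWARD_SECRET = {"ECDHE", "DHE"}

SUITE_RE = re.compile(
    r"^TLS-(?P<kx>ECDHE|DHE|ECDH|RSA)-(?:(?P<sig>RSA|ECDSA)-)?WITH-(?P<rest>.+)$")


def parse_tls_cipher(value):
    """Split a tls-cipher string into (suite names, OpenSSL-style exclusions)."""
    suites, exclusions = [], []
    for token in value.strip().strip("'\"").split(":"):
        if token.startswith("!"):
            exclusions.append(token[1:])
        elif token:
            suites.append(token)
    return suites, exclusions


def classify(suite):
    """Describe one IANA-style suite name: key exchange, forward secrecy, AEAD."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError("unrecognised suite name: " + suite)
    kx = m.group("kx")
    return {
        "name": suite,
        "kx": kx,
        "forward_secret": kx in FORWARD_SECRET,
        "aead": "-GCM-" in suite or "CHACHA20" in suite,
    }


def to_openssl_name(suite):
    """Map the --show-tls spelling to the one printed in 'Control Channel:' log lines.

    Checked against the AES suites in the post only; other families are an assumption.
    """
    name = suite[len("TLS-"):].replace("-WITH-", "-")
    name = re.sub(r"AES-(\d+)-", r"AES\1-", name).replace("-CBC-", "-")
    if name.startswith("RSA-"):       # plain RSA key exchange carries no prefix in OpenSSL
        name = name[len("RSA-"):]
    return name


def in_preference_order(suites):
    """True when the suites are grouped ECDHE, then DHE, then ECDH, then RSA."""
    ranks = [PREFERENCE.index(classify(s)["kx"]) for s in suites]
    return ranks == sorted(ranks)


def report(value):
    """Summarise a tls-cipher value the way a config review would want it."""
    suites, exclusions = parse_tls_cipher(value)
    rows = [classify(s) for s in suites]
    return {
        "count": len(rows),
        "ordered": in_preference_order(suites),
        "non_pfs": [r["name"] for r in rows if not r["forward_secret"]],
        "openssl_names": [to_openssl_name(s) for s in suites],
        "exclusions": exclusions,
    }


if __name__ == "__main__":
    for key, val in report(TLS_CIPHER).items():
        print(f"{key}: {val}")
```

Two things the output makes visible that the raw string does not: half of the listed suites (the ECDH and plain RSA ones) have no forward secrecy, so a client that negotiates down to them loses the main benefit of the EC change; and the OpenSSL-style names are what to grep for in the server log when confirming which suite a client actually got (the x64 log further down shows ECDHE-RSA-AES256-GCM-SHA384, the first entry of this list).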

x64

Dabbler
Joined
Mar 9, 2016
Messages
19
Can anybody please help me here... I'm able to connect to the server successfully but I can't ping anything on the network.

My network (where my FreeNAS is located) has this IP range: 192.168.1.0/24
OpenVPN jail IP: 192.168.1.55

Server:
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
mode server
tls-server
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
status /var/log/openvpn/openvpn-status.log

Client:
Code:
client
dev tun
proto udp
remote x.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myMac.crt
key myMac.key
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
tls-client
tls-auth ta.key 1
dhcp-option DNS 192.168.1.1
redirect-gateway def1
comp-lzo
verb 3

ipfw.rules:
Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

Log:
Code:
Apr 24 03:07:09 OpenVPN rtsold[12570]: <rtsock_input_ifannounce> interface epair0b removed
Apr 24 03:07:09 OpenVPN openvpn[12507]: event_wait : Interrupted system call (code=4)
Apr 24 03:07:09 OpenVPN openvpn[12507]: /sbin/route delete -net 172.16.8.0 172.16.8.2 255.255.255.0
Apr 24 03:07:09 OpenVPN openvpn[12507]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Apr 24 03:07:09 OpenVPN openvpn[12507]: Closing TUN/TAP interface
Apr 24 03:07:09 OpenVPN openvpn[12507]: /sbin/ifconfig tun0 destroy
Apr 24 03:07:09 OpenVPN openvpn[12507]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Apr 24 03:07:09 OpenVPN openvpn[12507]: SIGTERM[hard,] received, process exiting
Apr 24 03:07:09 OpenVPN syslogd: exiting on signal 15
Apr 24 03:07:14 OpenVPN syslogd: kernel boot file is /boot/kernel/kernel
Apr 24 03:07:14 OpenVPN openvpn[20052]: OpenVPN 2.4.1 amd64-portbld-freebsd10.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 13 2017
Apr 24 03:07:14 OpenVPN openvpn[20052]: library versions: OpenSSL 1.0.1s-freebsd  1 Mar 2016, LZO 2.10
Apr 24 03:07:14 OpenVPN openvpn[20053]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Apr 24 03:07:14 OpenVPN openvpn[20053]: Diffie-Hellman initialized with 2048 bit key
Apr 24 03:07:14 OpenVPN openvpn[20053]: Failed to extract curve from certificate (UNDEF), using secp384r1 instead.
Apr 24 03:07:14 OpenVPN openvpn[20053]: ECDH curve secp384r1 added
Apr 24 03:07:14 OpenVPN openvpn[20053]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=e6:e0:f3:99:d3:4a
Apr 24 03:07:14 OpenVPN openvpn[20053]: TUN/TAP device /dev/tun0 opened
Apr 24 03:07:14 OpenVPN openvpn[20053]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Apr 24 03:07:14 OpenVPN openvpn[20053]: /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Apr 24 03:07:14 OpenVPN openvpn[20053]: /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
Apr 24 03:07:14 OpenVPN openvpn[20053]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Apr 24 03:07:14 OpenVPN openvpn[20053]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Apr 24 03:07:14 OpenVPN openvpn[20053]: setsockopt(IPV6_V6ONLY=0)
Apr 24 03:07:14 OpenVPN openvpn[20053]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Apr 24 03:07:14 OpenVPN openvpn[20053]: UDPv6 link remote: [AF_UNSPEC]
Apr 24 03:07:14 OpenVPN openvpn[20053]: GID set to nobody
Apr 24 03:07:14 OpenVPN openvpn[20053]: UID set to nobody
Apr 24 03:07:14 OpenVPN openvpn[20053]: MULTI: multi_init called, r=256 v=256
Apr 24 03:07:14 OpenVPN openvpn[20053]: IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Apr 24 03:07:14 OpenVPN openvpn[20053]: IFCONFIG POOL LIST
Apr 24 03:07:14 OpenVPN openvpn[20053]: Initialization Sequence Completed
Apr 24 03:08:04 OpenVPN openvpn[20053]: x.x.x.x TLS: Initial packet from [AF_INET6]::ffff:x.x.x.x:64810, sid=9540bdd1 da38440f
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x VERIFY OK: depth=1, CN=myMac CA
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x VERIFY OK: depth=0, CN=myMac
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x peer info: IV_VER=2.3.12
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x peer info: IV_PLAT=mac
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x peer info: IV_PROTO=2
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 24 03:08:05 OpenVPN openvpn[20053]: x.x.x.x [myMac] Peer Connection Initiated with [AF_INET6]::ffff:x.x.x.x:64810
Apr 24 03:08:05 OpenVPN openvpn[20053]: myMac/x.x.x.x MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Apr 24 03:08:05 OpenVPN openvpn[20053]: myMac/x.x.x.x MULTI: Learn: 172.16.8.6 -> myMac/x.x.x.x
Apr 24 03:08:05 OpenVPN openvpn[20053]: myMac/x.x.x.x MULTI: primary virtual IP for myMac/x.x.x.x: 172.16.8.6
Apr 24 03:08:07 OpenVPN openvpn[20053]: myMac/x.x.x.x PUSH: Received control message: 'PUSH_REQUEST'
Apr 24 03:08:07 OpenVPN openvpn[20053]: myMac/x.x.x.x SENT CONTROL [myMac]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5,peer-id 0' (status=1)
 
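The two log symptoms that run through this thread, the "auth is used inconsistently" warning that zoomzoom pointed at for Lucas Rey and the "packet HMAC authentication failed" errors that follow it, as an added example that is not part of any post here or of the tutorial's GitHub repo: a Python scanner that groups OpenVPN server log lines by peer, records the negotiated control-channel TLS version and cipher, the option-mismatch warnings, the assigned pool address and any HMAC failures, and turns them into findings. The sample log is constructed from the excerpts posted above (x64's public address replaced with a documentation address) and covers both log formats seen in the thread, syslog and OpenVPN's own timestamped file. The link-mtu cross-check relies on OpenVPN's link-mtu including the HMAC digest length, so the 12-byte gap in x64's log is exactly SHA256 (32 bytes) minus SHA1 (20 bytes).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpts posted by x64 and Lucas Rey above.
SAMPLE_LOG = """\
Apr 24 03:07:14 OpenVPN openvpn[20053]: IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Apr 24 03:08:05 OpenVPN openvpn[20053]: 203.0.113.7 VERIFY OK: depth=0, CN=myMac
Apr 24 03:08:05 OpenVPN openvpn[20053]: 203.0.113.7 peer info: IV_VER=2.3.12
Apr 24 03:08:05 OpenVPN openvpn[20053]: 203.0.113.7 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1570', remote='link-mtu 1558'
Apr 24 03:08:05 OpenVPN openvpn[20053]: 203.0.113.7 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Apr 24 03:08:05 OpenVPN openvpn[20053]: 203.0.113.7 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Apr 24 03:08:05 OpenVPN openvpn[20053]: myMac/203.0.113.7 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Mon Apr 17 07:33:16 2017 user.name/192.168.10.7 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

LINE_RES = [  # syslog prefix, then OpenVPN's own log-file prefix
    re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: (?P<msg>.*)$"),
    re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<msg>.*)$"),
]
PEER_RE = re.compile(r"^(?:(?P<cn>[\w.-]+)/)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$")
WARN_RE = re.compile(r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
                     r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'")
CTRL_RE = re.compile(r"Control Channel: (?P<tls>TLSv[\d.]+), cipher \S+ (?P<cipher>[\w-]+)")
POOL_RE = re.compile(r"pool returned IPv4=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
IVER_RE = re.compile(r"peer info: IV_VER=(?P<ver>\S+)")
DIGEST_BYTES = {"MD5": 16, "SHA1": 20, "SHA224": 28, "SHA256": 32, "SHA384": 48, "SHA512": 64}


def new_peer():
    return {"cn": None, "client_version": None, "tls": None, "cipher": None,
            "forward_secret": None, "vpn_ip": None, "mismatches": {}, "hmac_failures": 0}


def message_of(line):
    """Strip whichever timestamp prefix the line carries; None if it is not an OpenVPN line."""
    for rx in LINE_RES:
        m = rx.match(line)
        if m:
            return m.group("msg")
    return None


def analyze(log_text):
    """Return {peer_public_ip: summary} for every peer that appears in the log."""
    peers = defaultdict(new_peer)
    for line in log_text.splitlines():
        msg = message_of(line)
        p = PEER_RE.match(msg) if msg else None
        if not p:
            continue                     # daemon-level line with no peer attached
        peer = peers[p.group("ip")]
        if p.group("cn"):
            peer["cn"] = p.group("cn")   # the CN prefix only appears after authentication
        rest = p.group("rest")
        w, c, q, v = (rx.search(rest) for rx in (WARN_RE, CTRL_RE, POOL_RE, IVER_RE))
        if w:
            peer["mismatches"][w.group("opt")] = (w.group("local"), w.group("remote"))
        elif c:
            peer["tls"], peer["cipher"] = c.group("tls"), c.group("cipher")
            peer["forward_secret"] = c.group("cipher").startswith(("ECDHE-", "DHE-"))
        elif q:
            peer["vpn_ip"] = q.group("ip")
        elif v:
            peer["client_version"] = v.group("ver")
        elif "packet HMAC authentication failed" in rest:
            peer["hmac_failures"] += 1
    return dict(peers)


def mtu_gap_explained_by_auth(peer):
    """True when the link-mtu disagreement equals the HMAC-size gap of the auth mismatch."""
    mm = peer["mismatches"]
    if "auth" not in mm or "link-mtu" not in mm:
        return False
    digests = [DIGEST_BYTES.get(v.split()[1].upper()) for v in mm["auth"]]
    if None in digests:
        return False
    local_mtu, remote_mtu = (int(v.split()[1]) for v in mm["link-mtu"])
    return local_mtu - remote_mtu == digests[0] - digests[1]


def findings(peers):
    """One actionable line per problem, per peer."""
    out = []
    for ip, p in peers.items():
        who = f"{p['cn'] or '?'}/{ip}"
        if "auth" in p["mismatches"]:
            local, remote = p["mismatches"]["auth"]
            note = " (explains the link-mtu warning too)" if mtu_gap_explained_by_auth(p) else ""
            out.append(f"{who}: client sends '{remote}', server expects '{local}'; "
                       f"add '{local}' to the client config{note}")
        if p["hmac_failures"]:
            out.append(f"{who}: {p['hmac_failures']} data-channel packet(s) failed HMAC; "
                       "check auth and tls-auth on both sides before suspecting tampering")
        if p["forward_secret"] is False:
            out.append(f"{who}: control channel {p['cipher']} has no forward secrecy")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print(f)
```

Feed it the syslog the lines above were copied from (inside the jail, the file syslogd writes to) rather than the status file named in the server config, which only lists current sessions. The forward-secrecy flag is the quick check on the TLS preference list from zoomzoom's earlier post: a peer that shows anything other than an ECDHE- or DHE- suite on its Control Channel line negotiated down to a static key exchange.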