How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


dnxist

Cadet
Joined
Jan 2, 2015
Messages
1
When creating the jail, did you leave the "VIMAGE" option ticked?
Try updating the OpenVPN dependencies, run pkg install openvpn to see if everything is ok.
Try and create a tun interface manually using the ifconfig tun create command. More info here: https://forums.freebsd.org/viewtopic.php?t=22143
Did you include the cloned_interfaces="tun" line in /etc/rc.conf?

I got the exact same problem. I have followed your guide and double checked everything.
I get this error:
Code:
[root@openvpn /]# service openvpn start
Starting openvpn.
ifconfig: interface tun0 does not exist
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


If I run "ifconfig" I have no interface called "tun0", but I got a "tun2".

Code:
[root@openvpn /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair3b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:82:7c:00:0b:0b
        inet 192.168.0.5 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=9<PERFORMNUD,IFDISABLED>


Tried to create a new interface but ended up with "tun03" that can't be used (not tun02 either). Tried to create it named tun0 but then it says it already exists.

What should I do? Can you help me with it?
Let me know if you need to see any config files or something!
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
For the people who are having trouble setting this up, try running the pkg upgrade command to upgrade your jail. I just fresh installed FreeNAS 9.3 and was able to create an OpenVPN jail successfully. If everything else fails, create a new jail from scratch with the "vanilla" option checked, I've heard of people having success with it.

And apparently OpenVPN is NOT listening on port 443 as it should:

Descartes:~ nello$ nc -vz 10.10.49.12 443
nc: connectx to 10.10.49.12 port 443 (tcp) failed: Connection refused

That command was misleading as OpenVPN uses UDP packets and netcat tests for a TCP connection. Please disregard it. If the process is listed in the processes list with the correct arguments, it should be assumed to be running properly.
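To see why the netcat check above is misleading, here is an added Python demonstration (not from this thread): it binds a UDP socket on loopback as a stand-in for OpenVPN's "proto udp" listener, then shows that a TCP probe of that port (what nc -vz does) is refused while a UDP datagram to the same port is delivered.

```python
import socket

def start_udp_listener():
    """Bind a UDP socket on loopback on an ephemeral port; this stands in
    for an OpenVPN server running with 'proto udp'. Returns (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(1.0)
    return s, s.getsockname()[1]

def tcp_probe(port):
    """What 'nc -vz host port' does: attempt a TCP handshake.
    Returns True only if something accepts the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as c:
        c.settimeout(1.0)
        try:
            c.connect(("127.0.0.1", port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False

def udp_probe(listener, port):
    """Send a datagram and confirm the listener actually received it.
    A remote UDP scanner cannot see this side, which is why UDP port
    checks are unreliable unless the service replies."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.sendto(b"probe", ("127.0.0.1", port))
    try:
        data, _ = listener.recvfrom(64)
    except socket.timeout:
        return False
    return data == b"probe"

def demo():
    """Run both probes against the same port: TCP refused, UDP delivered."""
    listener, port = start_udp_listener()
    try:
        return {"tcp": tcp_probe(port), "udp": udp_probe(listener, port)}
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo())  # {'tcp': False, 'udp': True}
```

The "Connection refused" from nc therefore only says nothing accepts TCP on that port; the listener itself is fine, which is what sockstat shows directly.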
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
If everything else fails, create a new jail from scratch with the "vanilla" option checked, I've heard of people having success with it.

I'm sorry, but I don't recall seeing a "vanilla" option. Would you please post where this option is located?

Thank you.

- nello


UPDATE: Apparently there is no "vanilla" option in FreeNAS 9.3. See below for details.
 

enemy85

Guru
Joined
Jun 10, 2011
Messages
757
I'm sorry, but I don't recall seeing a "vanilla" option. Would you please post where this option is located?

Thank you.

- nello

EDIT
The "vanilla" option is selectable in the jail parameters only when you create the jail.
Were you able to make it work? I'm getting these errors:
Code:
Sun Jan 04 16:49:43 2015 OpenVPN 2.3.6 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  1 2014
Sun Jan 04 16:49:43 2015 library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.08
Sun Jan 04 16:49:43 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 04 16:49:43 2015 Need hold release from management interface, waiting...
Sun Jan 04 16:49:43 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 04 16:49:43 2015 MANAGEMENT: CMD 'state on'
Sun Jan 04 16:49:43 2015 MANAGEMENT: CMD 'log all on'
Sun Jan 04 16:49:43 2015 MANAGEMENT: CMD 'hold off'
Sun Jan 04 16:49:43 2015 MANAGEMENT: CMD 'hold release'
Sun Jan 04 16:49:43 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 04 16:49:43 2015 MANAGEMENT: >STATE:1420386583,RESOLVE,,,
Sun Jan 04 16:49:45 2015 UDPv4 link local: [undef]
Sun Jan 04 16:49:45 2015 UDPv4 link remote: [AF_INET]79.32.xx.xxx:443
Sun Jan 04 16:49:45 2015 MANAGEMENT: >STATE:1420386585,WAIT,,,
Sun Jan 04 16:50:45 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 04 16:50:45 2015 TLS Error: TLS handshake failed

and I don't know if I made some mistake in the openvpn.conf file or if it is related to something else...
 

enemy85

Guru
Joined
Jun 10, 2011
Messages
757
Ok, I found what my problem is, but I can't understand why:
I'm able to make the OpenVPN client connect only when both internal/external ports on my firewall are set to 10011. If I set 443 internal/10011 external, I get the TLS errors.
Moreover, once connected, I'm not able to navigate on my LAN, nor access FreeNAS.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
The "vanilla" option is selectable in the jail parameters only when you create the jail.

I didn't see that option when I created the jail. Is there a way of taking this option with a Jail after it's created?

Regarding your log, I also have these messages:

UDPv4 link remote: [AF_INET]79.32.xx.xxx:443
MANAGEMENT: >STATE:1420386585,WAIT,,,

I presume that it's a problem with my router configuration not forwarding the port correctly. Are you forwarding both incoming UDP and TCP on port 443?


UPDATE 1: You can check whether your port is open using this website:

http://www.yougetsignal.com/tools/open-ports/


UPDATE 2: On second thought, I think the above URL will scan only TCP ports. You need to scan UDP ports for OpenVPN. This site appears to scan UDP ports:

https://pentest-tools.com/discovery-probing/udp-port-scanner-online-nmap
 

enemy85

Guru
Joined
Jun 10, 2011
Messages
757
Are you forwarding both incoming UDP and TCP on port 443?

I'm forwarding just the UDP port of my OpenVPN jail IP address, but as stated, it "works" (in the sense that the OpenVPN client says it's connected, but cannot access my FreeNAS) only if I set both internal/external ports to 10011.
 

enemy85

Guru
Joined
Jun 10, 2011
Messages
757
Giant note: This will only help you access clients in the yellow network. If you want to route all your traffic as a true VPN, insert these lines into your OVPN file:

Code:
dhcp-option DNS 10.0.0.254
redirect-gateway def1


Replace 10.0.0.254 with your local DNS server (almost always your gateway's IP address).

Hi @robles, sorry to bother you, but could you help me explain this part?
I tried to set up everything but even if my OpenVPN client says I'm connected, it seems I'm still not able to connect to my internal LAN IPs.
Only when I added these lines to the client OVPN file did it start to work, but obviously routing ALL the traffic through my FreeNAS (I checked my external IP and it was the one of my FreeNAS box LAN).
I know this is what should be the expected behaviour, but I really cannot figure out why it doesn't work without those lines!
Thanks in advance.
 

derekzchu

Dabbler
Joined
Dec 5, 2014
Messages
23
Hi @robles

Really awesome post with the pictures and the explanations. Thanks so much for taking the time to explain how to set up OpenVPN in an easy and clear way. I had 2 quick questions regarding my setup. I'm running FreeNAS 9.3 with the OpenVPN jail with IP 192.168.2.206. When I start up the OpenVPN service, I see this in the logs:

Jan 8 09:10:50 openvpn openvpn[77163]: /sbin/route add -net 192.168.2.206 10.8.0.1 255.255.255.0
Jan 8 09:10:50 openvpn openvpn[77163]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

My second question is on my client, when I try to connect, I get the error in the client logs:

2015-01-08 09:11:14 MANAGEMENT: Client disconnected
2015-01-08 09:11:14 Error: private key password verification failed
2015-01-08 09:11:14 Exiting due to fatal error

Odd thing is my .ca, .crt, and .key files were copied directly from the OpenVPN directory. Did I make a mistake creating the certificates? Thanks again!
 

derekzchu

Dabbler
Joined
Dec 5, 2014
Messages
23
Never mind. In my haste to get this to work this morning I named the key incorrectly. @robles thanks again for all the information. It's these types of posts that really help make these technologies easier for everyone.
 


robles

Explorer
Joined
Jul 29, 2014
Messages
89
Never mind. In my haste to get this to work this morning I named the key incorrectly. @robles thanks again for all the information. It's these types of posts that really help make these technologies easier for everyone.
I'm glad this post helped you =)


I didn't see that option when I created the jail. Is there a way of taking this option with a Jail after it's created?

Regarding your log, I also have these messages:

UDPv4 link remote: [AF_INET]79.32.xx.xxx:443
MANAGEMENT: >STATE:1420386585,WAIT,,,

I presume that it's a problem with my router configuration not forwarding the port correctly. Are you forwarding both incoming UDP and TCP on port 443?


EDIT

You can check whether your port is open using this website:

http://www.yougetsignal.com/tools/open-ports/
I don't know of any way to check if the "vanilla" option was ticked after creating the jail.

Yes, I'm forwarding both UDP and TCP, but it's not necessary to have TCP for this configuration. I've seen some services that fall back to TCP if they don't work at first (e.g. DNS), but UDP should suffice.

You can check if OpenVPN is listening on the configuration port using sockstat:
Code:
root@openvpn:/ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     openvpn    25448 6  udp4   *:10011               *:*
root     syslogd    25413 7  udp4   *:514                 *:*
 

AirborneTrooper

Contributor
Joined
Jun 20, 2014
Messages
148
I updated to 9.3 and it basically broke all my jails and templates so I had to reload 9.3 to a new USB drive and rebuild everything. Got all SAB, CouchPotato, SickRage, and Transmission working, the main reason why I have FreeNAS to begin with. Now, trying to install OpenVPN again. I found a flaw on your first page again with OpenVPN.conf.

8. server 10.8.0.0 255.255.255.240

Shouldn't it be 255.255.255.0 if it's a /24?

Anyways, when I get to the point to start the openvpn service I get this

root@openvpn:/mnt/openvpn # service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
root@openvpn:/mnt/openvpn #

Any suggestions?
 

depasseg

FreeNAS Replicant
Joined
Sep 16, 2014
Messages
2,874
Yes it should be a /24. See posts #40 and #41 for clarification.
 

AirborneTrooper

Contributor
Joined
Jun 20, 2014
Messages
148
Guess I overlooked that. Haven't really needed to come back to the forum until 9.3 messed my system up. I was going to go another route and run OpenVPN on my DD-WRT router, but I can't get easy-rsa to work on my computer. Most tutorials I find online are using DD-WRT as a client connecting to an OpenVPN server service.

Hopefully @robles can help me narrow down why I can't start OpenVPN. If he doesn't get on sometime tonight, I'll wipe the jail and try again.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Shouldn't it be 255.255.255.0 if it's a /24?

You're right, I'll change the tutorial because the diagram doesn't match the code snippets.

As for why you can't start the service, try changing the OpenVPN verbosity to 5. But if you ask me and you're able to start from scratch: do it, it's way quicker than trying to diagnose OpenVPN.
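As an added check (not part of the tutorial or this thread), the following Python snippet parses a constructed OpenVPN server config carrying the mismatched mask discussed above, reports the prefix length the server line actually encodes next to the corrected /24 line, and extracts the proto/port pair you would expect to see in sockstat -4 -l.

```python
import ipaddress

# Constructed sample server config (not the tutorial's file): step 8 as it was
# posted, with the 255.255.255.240 (/28) mask that does not match the /24 diagram.
SAMPLE_CONF = """\
port 10011
proto udp
dev tun
server 10.8.0.0 255.255.255.240
push "route 192.168.0.0 255.255.255.0"
verb 3
"""

def directive(conf_text, name):
    """Return the arguments of the first 'name' directive, or None if absent."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] == name:
            return parts[1:]
    return None

def check_server_subnet(conf_text, expected_prefix):
    """Compare the mask on the 'server' line with the intended prefix length.
    Returns (ok, actual_prefix, corrected_line)."""
    args = directive(conf_text, "server")
    if args is None or len(args) != 2:
        return False, None, None
    net_str, mask_str = args
    actual = ipaddress.IPv4Network(f"{net_str}/{mask_str}", strict=False)
    fixed = ipaddress.IPv4Network(f"{net_str}/{expected_prefix}", strict=False)
    corrected = f"server {fixed.network_address} {fixed.netmask}"
    return actual.prefixlen == expected_prefix, actual.prefixlen, corrected

def listen_endpoint(conf_text):
    """Return (proto, port) the server should show in 'sockstat -4 -l'.
    OpenVPN defaults to udp and port 1194 when the directives are missing."""
    proto = (directive(conf_text, "proto") or ["udp"])[0]
    port = int((directive(conf_text, "port") or ["1194"])[0])
    return proto, port

if __name__ == "__main__":
    print(check_server_subnet(SAMPLE_CONF, 24))
    # -> (False, 28, 'server 10.8.0.0 255.255.255.0')
    print(listen_endpoint(SAMPLE_CONF))  # -> ('udp', 10011)
```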
 

AirborneTrooper

Contributor
Joined
Jun 20, 2014
Messages
148
Deleted the jail and started over... same results. Just changed the verbosity to 5... still no luck. Have you tried it on a fresh 9.3 install? I'll give it another shot tomorrow and report back either way.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Yeah, I just did a fresh install about 2 weeks ago. Check your logs with the verbosity at 5 to look for clues. Best of luck!
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
I decided to start over and deleted both the jail and the dataset it used. I'm running FreeNAS-9.3-STABLE-201501212031


Add Jail dialog shown in the tutorial: [image]

Add Jail dialog I get: [image]



As you can see above, there are (at least?) two differences from the Tutorial:
  1. Type does NOT include a "pluginjail" option.

  2. There is no "vanilla" checkbox.

Do these differences matter? Do they mean that there's something wrong with my installation (of FreeNAS-9.3-STABLE-201501212031)? How do I fix it?

What setting should I use for the Jail given the dialog I have?

Thank you.

- nello

UPDATE 1: If I accept the default Jail Type, then I get a "standard" Jail, not a "pluginjail" Jail.


UPDATE 2: Apparently, FreeNAS ver 9.3 no longer supports the "pluginjail" Type. For details, see:

https://forums.freenas.org/index.php?threads/can-not-create-pluginjail.26993/#post-172310


UPDATE 3: This Jail is working for me so apparently the absence of the "vanilla" option is irrelevant to OpenVPN. Also, apparently the "standard" Type works.
 

AirborneTrooper

Contributor
Joined
Jun 20, 2014
Messages
148
I had to recreate some jails after upgrading to 9.3 because things weren't working correctly. The type doesn't matter nor should vanilla anymore.

Also, I pretty much gave up trying to get OpenVPN working on FreeNAS so I just setup Dynamic DNS and port forwarding for the time being. I can access all my stuff at work so that's what really matters for now.
 