How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
Update: now my interfaces look like this... ugh, any help would be really awesome.

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:35:5e:00:09:0b
    inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun5: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
tun6: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=1<PERFORMNUD>
 

robles (Explorer, joined Jul 29, 2014, 89 messages)
@robles, please consider adding the following topics to your tutorial:
  1. Certificate Revocation
    How to revoke a client certificate, including modifications to the server conf to ensure that revoked certificates are denied access

  2. Maintenance
    How to upgrade OpenVPN, EasySSL, and other components as new versions become available.
Thank you.
Beat me to it, I was finishing the certificate revocation part just now. I hadn't considered the upgrading options, but that's as easy as just using pkg update. I'll include something about this in the future. Thanks!

I'm sorry, I'm really new to this; I'm not completely sure how to do that.
To change the verbosity of OpenVPN, change the last line of your /mnt/openvpn/openvpn.conf file from verb 3 to 6.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
I think it's running now
Code:
Feb 18 13:59:40 vpn2 openvpn[14746]: OpenVPN 2.3.6 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 12 2015
Feb 18 13:59:40 vpn2 openvpn[14746]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Feb 18 13:59:40 vpn2 openvpn[14746]: Diffie-Hellman initialized with 1024 bit key
Feb 18 13:59:40 vpn2 openvpn[14746]: Socket Buffers: R=[42080->65536] S=[9216->65536]
Feb 18 13:59:40 vpn2 openvpn[14746]: ROUTE_GATEWAY 10.0.0.1
Feb 18 13:59:40 vpn2 openvpn[14746]: TUN/TAP device tun5 exists previously, keep at program end
Feb 18 13:59:40 vpn2 openvpn[14746]: TUN/TAP device /dev/tun5 opened
Feb 18 13:59:40 vpn2 openvpn[14746]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 18 13:59:40 vpn2 openvpn[14746]: /sbin/ifconfig tun5 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 18 13:59:40 vpn2 openvpn[14746]: /sbin/route add -net 10.0.0.22 10.8.0.1 255.255.255.0
Feb 18 13:59:40 vpn2 openvpn[14746]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 18 13:59:40 vpn2 openvpn[14746]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Feb 18 13:59:40 vpn2 openvpn[14750]: GID set to nobody
Feb 18 13:59:40 vpn2 openvpn[14750]: UID set to nobody
Feb 18 13:59:40 vpn2 openvpn[14750]: UDPv4 link local (bound): [undef]
Feb 18 13:59:40 vpn2 openvpn[14750]: UDPv4 link remote: [undef]
Feb 18 13:59:40 vpn2 openvpn[14750]: MULTI: multi_init called, r=256 v=256
Feb 18 13:59:40 vpn2 openvpn[14750]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Feb 18 13:59:40 vpn2 openvpn[14750]: IFCONFIG POOL LIST
Feb 18 13:59:40 vpn2 openvpn[14750]: Initialization Sequence Completed
 

nello (Patron, joined Dec 30, 2012, 351 messages)
I'm sorry, I'm really new to this; I'm not completely sure how to do that.


You posted the following log, presumably using a command something like this: cat /var/log/messages
Code:
OpenVPN 2.3.6 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 12 2015
library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Diffie-Hellman initialized with 1024 bit key
Socket Buffers: R=[42080->65536] S=[9216->65536]
ROUTE_GATEWAY 10.0.0.1
TUN/TAP device /dev/tun0 opened
do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
/sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
FreeBSD ifconfig failed: external program exited with error status: 1
Exiting due to fatal error
root: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn



I am suggesting that you are more likely to fix the errors that prevent OpenVPN from starting by getting more detail about what is going wrong. You get more detail by changing the verbosity level in the OpenVPN server configuration file.

What follows assumes that you've used the names and locations suggested in the tutorial.

The OpenVPN server configuration file is at this location in the FreeNAS Jail you created:

/mnt/openvpn/openvpn.conf

At the bottom of the file is the option: verb 3

I suggest that you change the 3 to a 6 so that you get more details about what OpenVPN is doing when it encounters an error as it attempts to start.

To edit openvpn.conf using nano, use this command:

nano /mnt/openvpn/openvpn.conf

If you are really having a problem with the network interface or firewall configurations, then someone else will have to help you as I don't know anything about these.

Good luck.
 

nello (Patron, joined Dec 30, 2012, 351 messages)
I hadn't considered the upgrading options, but that's as easy as just using pkg update. I'll include something about this in the future.

Since OpenVPN is in a Jail, I presume that the updates won't be included as part of the automated, FreeNAS update process (that's new in 9.3.x).
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
OK, I figured it out!!! It started on the server, but when I try to connect from my client it just says waiting for server to respond.. I'm guessing it's something with the port forwarding on my router? Any hints? I know it uses 1194 but I don't think it's listening on that port. It's not connecting anyway.
 

nello (Patron, joined Dec 30, 2012, 351 messages)
@robles

Regarding hardening …

I think that ns-cert-type server is deprecated and has been replaced by remote-cert-tls server. For details, see:

Other thoughts:
  • Certificate Key Length
    Is there a reason not to make them 2048?

  • OpenVPN Client Configuration
    Is there a reason not to include these options?
    • mute-replay-warnings
    • tls-remote
    • verify-x509-name
  • OpenVPN Server Configuration
    Is there a reason not to include these options?
    • remote-cert-tls client

These are suggestions I've gleaned from reading a variety of sources. Please accept my apology if they aren't applicable.

Thank you again for the tutorial.

- nello




UPDATE 2015.05.24

Looks like Diffie–Hellman key exchange may be vulnerable to attack with key lengths less than 2048:


http://blog.cryptographyengineering.com/2015/05/attack-of-week-logjam.html?
 
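The hardening points above turned into a check, added here as an example and not part of nello's post or of the tutorial: it audits an OpenVPN config (server or client) for ns-cert-type versus remote-cert-tls, for verify-x509-name on the client side, and reads the DH modulus size out of the startup log line quoted earlier in this thread. The config and log text in the block are constructed samples; the directive names are standard OpenVPN 2.3 options.

```shell
#!/bin/sh
# Added example, not part of nello's post or of the tutorial: audit an OpenVPN
# config (server or client) for the hardening points raised above. All config
# and log text below is constructed; in the jail you would feed it
# /mnt/openvpn/openvpn.conf and the openvpn lines from /var/log/messages.

# Succeed when the config has a line whose directive (first word) is $2.
has_directive() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { f = 1 } END { exit (f ? 0 : 1) }'
}

# Print the first argument of the first line whose directive is $2, if any.
directive_value() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Print the DH modulus size OpenVPN logged at startup (e.g. 1024), if present.
dh_bits_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*Diffie-Hellman initialized with \([0-9][0-9]*\) bit key.*/\1/p' | head -n 1
}

# Print one finding per line; print nothing when every check passes.
# $1 = config text, $2 = "server" or "client", $3 = startup log text (optional)
audit_config() {
    _conf=$1; _role=$2; _log=$3
    case $_role in
        server) _peer=client ;;
        client) _peer=server ;;
        *) echo "role must be server or client"; return 2 ;;
    esac
    # ns-cert-type relies on the non-standard Netscape cert-type extension;
    # remote-cert-tls checks the standard extendedKeyUsage of the peer cert.
    if has_directive "$_conf" ns-cert-type; then
        echo "ns-cert-type found; replace it with 'remote-cert-tls $_peer'"
    fi
    if [ "$(directive_value "$_conf" remote-cert-tls)" != "$_peer" ]; then
        echo "missing 'remote-cert-tls $_peer': the peer's certificate role is not enforced"
    fi
    # Without verify-x509-name a client accepts any cert the CA has signed as the server.
    if [ "$_role" = client ] && ! has_directive "$_conf" verify-x509-name; then
        echo "missing verify-x509-name: any CA-signed certificate is accepted as the server"
    fi
    _bits=$(dh_bits_from_log "$_log")
    if [ -n "$_bits" ] && [ "$_bits" -lt 2048 ]; then
        echo "DH parameters are $_bits bits; regenerate dh.pem with at least 2048 bits"
    fi
}

# Number of findings, so a script can fail the check.
finding_count() {
    audit_config "$@" | awk 'NF { n++ } END { print n + 0 }'
}

# Constructed samples. The 1024-bit DH log line is the one from earlier in this thread.
SERVER_CONF_WEAK='port 1194
proto udp
dev tun
dh /mnt/openvpn/dh1024.pem
server 10.8.0.0 255.255.255.0
verb 3'
SERVER_LOG_WEAK='Feb 18 13:59:40 vpn2 openvpn[14746]: Diffie-Hellman initialized with 1024 bit key'

SERVER_CONF_HARDENED='port 1194
proto udp
dev tun
dh /mnt/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
remote-cert-tls client
verb 3'
SERVER_LOG_HARDENED='openvpn[14746]: Diffie-Hellman initialized with 2048 bit key'

CLIENT_CONF_WEAK='client
dev tun
proto udp
remote 10.0.0.22 1194
ns-cert-type server'

echo "server findings:"; audit_config "$SERVER_CONF_WEAK" server "$SERVER_LOG_WEAK"
echo "client findings:"; audit_config "$CLIENT_CONF_WEAK" client
```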

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
Code:
2015-02-18 15:19:01 *Tunnelblick: No 'connected.sh' script to execute
2015-02-18 15:19:01 /sbin/route add -net 50.162.13.48 10.116.52.1 255.255.255.255
                                        add net 50.162.13.48: gateway 10.116.52.1
2015-02-18 15:19:01 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
                                        add net 0.0.0.0: gateway 10.8.0.5
2015-02-18 15:19:01 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
                                        add net 128.0.0.0: gateway 10.8.0.5
2015-02-18 15:19:01 MANAGEMENT: >STATE:1424294341,ADD_ROUTES,,,
2015-02-18 15:19:01 /sbin/route add -net 10.0.0.0 10.8.0.5 255.255.255.0
                                        add net 10.0.0.0: gateway 10.8.0.5
2015-02-18 15:19:01 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.5
2015-02-18 15:19:01 Initialization Sequence Completed
2015-02-18 15:19:01 MANAGEMENT: >STATE:1424294341,CONNECTED,SUCCESS,10.8.0.6,50.162.13.48
2015-02-18 15:19:06 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-02-18 15:19:36 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.

OK, update.... I changed the port in my client config to 10011 and bam, it connected... Only problem is that the internet isn't reachable now... One step closer.. I can't quite figure out why..
 

nello (Patron, joined Dec 30, 2012, 351 messages)
I'm guessing it's something with the port forwarding on my router.

Are you doing your testing from outside of your LAN? Routers can get confused if your client's Internet connection is inside of your LAN, e.g., WiFi, and you are trying to connect to a WAN port.

Try these steps:
  • Make sure that OpenVPN is running.
    From within the Jail, use this command and you should see something like this:
    Code:
    ps aux
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    ...
    root 29605 0.0 0.0 22392 6532 ?? SsJ 23Jan15 35:03.30 /usr/local/sbin/openvp
    ...
    root 28746 0.0 0.0 16300 2108 0 R+J 3:12PM 0:00.00 ps aux
    



  • Make sure that OpenVPN is listening
    From within the Jail, use this command and you should see something like this:
    Code:
    sockstat -4 -l
    USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
    root openvpn 29605 6 udp4 *:443 *:*
    root syslogd 29570 7 udp4 *:514 *:*
    


Now that you've verified that OpenVPN is running and listening where it should be, let's take port-forwarding out of the process by changing the remote option within your client configuration file to point to the local IP address and port of your FreeNAS Jail.

For example, if your FreeNAS Jail is 10.10.10.2 and you have the server listening on port 443, then make your remote option within your client configuration file look like this:

remote 10.10.10.2 443

Now, try connecting from WITHIN your LAN. If the connection doesn't work, then check the logs on your client and server (cat /var/log/messages).

Hopefully these messages will give you ideas for corrections.

Once you get OpenVPN connecting within your LAN, then put your remote command back the way it was to make a WAN connection. Take your client computer outside of your LAN and give it a try. If it doesn't make the connection, you've isolated the problem to be port forwarding on your LAN/WAN firewall.

Good luck.
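The "is it listening" step above as a script, added here as an example and not part of nello's post: it reads the ports openvpn is bound to out of sockstat output and compares them with the port in the client's remote line, which is the mismatch (1194 in the client, 10011 on the server) that turned out to be the problem in this thread. The sockstat output and client configs in the block are constructed; the column layout is the FreeBSD sockstat -4 -l layout shown above.

```shell
#!/bin/sh
# Added example, not part of nello's post: check that the port in the client's
# "remote" line is one that openvpn inside the jail is actually bound to. Both
# inputs are plain text so this runs offline; in practice you would feed it the
# output of "sockstat -4 -l" from the jail and the client's .ovpn file.

# Print the ports openvpn is listening on, one per line, from "sockstat -4 -l"
# output (columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS).
openvpn_listen_ports() {
    printf '%s\n' "$1" | awk '$2 == "openvpn" { split($6, a, ":"); print a[2] }'
}

# Print the port from the client config's "remote <host> [port]" line;
# OpenVPN defaults to 1194 when the port is omitted.
client_remote_port() {
    printf '%s\n' "$1" | awk '$1 == "remote" { print ($3 == "" ? 1194 : $3); exit }'
}

# Succeed when the client's port is one openvpn listens on, fail otherwise.
remote_port_matches() {
    _sock=$1; _conf=$2
    _want=$(client_remote_port "$_conf")
    [ -n "$_want" ] || return 1
    for _p in $(openvpn_listen_ports "$_sock"); do
        [ "$_p" = "$_want" ] && return 0
    done
    return 1
}

# Constructed sample data: the server bound to UDP 10011, as it turned out to
# be in this thread, and a client config still pointing at the default 1194.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    29605 6  udp4   *:10011               *:*
root     syslogd    29570 7  udp4   *:514                 *:*'

CLIENT_CONF_BAD='client
dev tun
proto udp
remote 10.0.0.22 1194'

CLIENT_CONF_GOOD='client
dev tun
proto udp
remote 10.0.0.22 10011'

for conf in "$CLIENT_CONF_BAD" "$CLIENT_CONF_GOOD"; do
    if remote_port_matches "$SAMPLE_SOCKSTAT" "$conf"; then
        echo "remote port $(client_remote_port "$conf"): openvpn is listening there"
    else
        echo "remote port $(client_remote_port "$conf"): not a port openvpn listens on" \
             "(listening: $(openvpn_listen_ports "$SAMPLE_SOCKSTAT" | tr '\n' ' '))"
    fi
done
```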
 

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages)
Have been thinking of setting a VPN up for a while, and this looks like a great guide. Hopefully won't have too many noob questions :D

Thanks!
 

Fiatt (Dabbler, joined Nov 4, 2014, 16 messages)
Hi. Thanks for this great How To.

The VPN access works fine but I had one issue: no web connection. I could access the FreeNAS web interface and the owncloud jail. But no forums.freenas.org...
To solve this I had to add "redirect-gateway def1" in the client conf file ovpn.

Now I've got another issue I can't solve. I want to access my main dataset like I do at home: through Windows Explorer, as a network drive. I only see clients on the real network I am connected to, but none on the distant network (where the NAS is).
In other words, I try to have clients on the yellow network and clients on the purple network see each other.

Thanks for help.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
No, I was testing everything from work... Trying that, I can see it's listening on 10011 but it won't even connect on my local LAN, it just says waiting for server. I have my port forwarding set to 10011 to my jail and nothing.. I have no lan, can't figure this out at all.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
OK, this first one is going from inside the network; it doesn't connect. Trying from outside connects but doesn't route traffic..
Code:
*Tunnelblick: OS X 10.10.2; Tunnelblick 3.4.3 (build 4055.4198); Admin user






2015-02-18 19:54:36 Tunnelblick[558] Converting/Installing /Users/Obsidian/Desktop/vpn keys/vpnconfig.ovpn at line 9: Copied ca.crt
2015-02-18 19:54:36 Tunnelblick[558] Changed permissions from 644 to 740 on /private/var/folders/mw/5p5lm69d3ts54_z4m05qx5jr0000gn/T/Tunnelblick-0bp2wB/vpnconfig.tblk/Contents/Resources/ca.crt
2015-02-18 19:54:36 Tunnelblick[558] Converting/Installing /Users/Obsidian/Desktop/vpn keys/vpnconfig.ovpn at line 10: Copied john.appleseed.crt
2015-02-18 19:54:36 Tunnelblick[558] Changed permissions from 644 to 740 on /private/var/folders/mw/5p5lm69d3ts54_z4m05qx5jr0000gn/T/Tunnelblick-0bp2wB/vpnconfig.tblk/Contents/Resources/john.appleseed.crt
2015-02-18 19:54:36 Tunnelblick[558] Converting/Installing /Users/Obsidian/Desktop/vpn keys/vpnconfig.ovpn at line 11: Copied john.appleseed.key
2015-02-18 19:54:36 Tunnelblick[558] Changed permissions from 722 to 740 on /private/var/folders/mw/5p5lm69d3ts54_z4m05qx5jr0000gn/T/Tunnelblick-0bp2wB/vpnconfig.tblk/Contents/Resources/john.appleseed.key
2015-02-18 19:54:36 Tunnelblick[558] Converting/Installing /Users/Obsidian/Desktop/vpn keys/vpnconfig.ovpn: Converted OpenVPN configuration
2015-02-18 19:54:41 Tunnelblick[558] Beginning installation or repair
2015-02-18 19:54:41 authexec[2025] executing /Applications/Tunnelblick.app/Contents/Resources/installer
2015-02-18 19:54:41 Tunnelblick[558] Installation or repair succeeded; Log:
                                       Tunnelblick installer started 2015-02-18 19:54:41. 3 arguments: 0x0001 /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk /private/var/folders/mw/5p5lm69d3ts54_z4m05qx5jr0000gn/T/Tunnelblick-0bp2wB/vpnconfig.tblk
                                       Copied /private/var/folders/mw/5p5lm69d3ts54_z4m05qx5jr0000gn/T/Tunnelblick-0bp2wB/vpnconfig.tblk to /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk.temp
                                       Moved /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk.temp to /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk
                                       Changed ownership of /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk and its contents from 501:20 to 0:0
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk/Contents/Resources/ca.crt
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk/Contents/Resources/config.ovpn
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk/Contents/Resources/john.appleseed.crt
                                       Changed permissions from 740 to 700 on /Library/Application Support/Tunnelblick/Shared/vpnconfig.tblk/Contents/Resources/john.appleseed.key
2015-02-18 19:55:26 Tunnelblick[558] currentIPInfo(Name): IP address info could not be fetched within 30.0 seconds
2015-02-18 19:55:56 Tunnelblick[558] currentIPInfo(Address): IP address info could not be fetched within 30.0 seconds
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
OK, I got it all working now.. Only problem is that I can't see my shares on my local network when on my VPN. How can I fix this, anyone? Bueller? I thought I saw a line to add to the config file somewhere that fixes this but now I can not seem to find it.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
Update... I added the things I needed to the config file. I can ping my server 10.0.0.15 but I can't see my shares. I must be doing something wrong. Also my internet connection isn't stable at all. Any ideas at all would be helpful to help me figure this out...

OK, now it completely stopped routing traffic again... Ugh.. I can see everything on my local network though
 

Fiatt (Dabbler, joined Nov 4, 2014, 16 messages)
I had the same issue, as I explained some messages before you. The problem was the firewall. As I'm using my work's computer, I had to add an exception on the firewall rules to force the network shares.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
I can see the network shares now and connect to them.. Although I'm having user and permission problems and it's not working quite how I want it to.. I'm sure I'll figure it out. But what I can't figure out is this routing issue; it was just working last night and this morning. There is a problem: every time I reboot my FreeNAS server the tun interface will disappear or the jail numbers will change or the epair interface changes.. I just checked and re-checked everything and I know it's all right but it refuses to route traffic. Help please
 

robles (Explorer, joined Jul 29, 2014, 89 messages)
@robles

Regarding hardening … I think that ns-cert-type server is deprecated and has been replaced by remote-cert-tls server. […] Certificate Key Length: Is there a reason not to make them 2048? […]

- nello
Correct, the ns extensions are non-standard but not deprecated. The reason I didn't include it is that I've seen instances on other platforms (ARM Debian) where remote-cert-tls wasn't compatible with older versions of Easy RSA, but considering this is a guide that assumes the latest FreeBSD packages, it's safe to assume that it might work.

I test every configuration in the tutorial beforehand, so I haven't had an opportunity to check your client configurations. As soon as I do I'll surely include them in the tutorial.
Also, key length is up to everyone, of course 2048 will be safer. If your server doesn't mind a little more computation, increase it.

Thanks.
 

robles (Explorer, joined Jul 29, 2014, 89 messages)
[…] There is a problem: every time I reboot my FreeNAS server the tun interface will disappear or the jail numbers will change or the epair interface changes.. I just checked and re-checked everything and I know it's all right but it refuses to route traffic. Help please
Please see this post regarding the changing epair numbers.
 

whatnissan (Dabbler, joined Feb 18, 2015, 49 messages)
Yeah, I changed the epair numbers; that was the problem the first time. Now they are set correctly and it's still not routing
Code:
[root@vpn2 /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:35:5e:00:09:0b
    inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=9<PERFORMNUD,IFDISABLED>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=1<PERFORMNUD>
    Opened by PID 12466



Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b
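The rules above hard-code epair0b, and the thread's recurring problem is that the jail's epair number changes after a reboot. As an added example (not from the thread or the tutorial), the following script picks the epair interface present in the jail at run time and emits the same four ipfw NAT rules against it, refusing to guess when there is no epair or more than one. The interface list is passed in as text (constructed samples below); inside the jail it would come from ifconfig -l.

```shell
#!/bin/sh
# Added example, not from the thread: select the jail's epair interface at run
# time instead of hard-coding epair0b, which changes when the jail is
# renumbered after a reboot, then emit the ipfw NAT rules from the post above
# for whichever epair is present. The interface list is passed in as text so
# this runs offline; inside the jail you would use the output of "ifconfig -l".

# Print the single epair interface name found in a space-separated list.
# Returns 1 when there is no epair, 2 when there is more than one (ambiguous).
jail_epair() {
    _found=""
    for _if in $1; do
        case $_if in
            epair*)
                if [ -n "$_found" ]; then return 2; fi
                _found=$_if ;;
        esac
    done
    [ -n "$_found" ] || return 1
    printf '%s\n' "$_found"
}

# Print the ipfw NAT rule set for $1 = jail interface, $2 = VPN subnet.
nat_rules() {
    printf 'ipfw -q -f flush\n'
    printf 'ipfw -q nat 1 config if %s\n' "$1"
    printf 'ipfw -q add nat 1 all from %s to any out via %s\n' "$2" "$1"
    printf 'ipfw -q add nat 1 all from any to any in via %s\n' "$1"
}

# Emit the rules for the epair found in the list ($1) and VPN subnet ($2);
# print a diagnostic and fail instead of guessing when the epair is not unique.
generate_nat_script() {
    _if=$(jail_epair "$1") || {
        case $? in
            1) echo "# no epair interface found; is this running inside the jail?" ;;
            2) echo "# more than one epair interface; pass the interface explicitly" ;;
        esac
        return 1
    }
    nat_rules "$_if" "$2"
}

# Constructed interface lists: the jail as posted above (epair0b) and the same
# jail after it came back from a reboot with a different epair number.
IFLIST_BEFORE="lo0 epair0b tun0"
IFLIST_AFTER="lo0 epair3b tun0 tun1"

generate_nat_script "$IFLIST_AFTER" 10.8.0.0/24
```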
 