How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if {EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via {EPAIR}
ipfw -q add nat 1 all from any to any in via {EPAIR}

I was thinking it's the tun1 interface that showed up randomly, but I can't delete it.
I made that change and now it won't even connect. Am I missing something??

Update: got it to connect again, but it's still not routing. The issue is my tun interface keeps changing, e.g. tun0 is now tun3, every time I restart the jail. Any ideas, robles? I had this working last night and this morning from work and it just stopped... no clue why.

ifconfig now shows this... UGH, this is so frustrating...

Code:
[root@vpn2 /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:35:5e:00:09:0b
    inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=9<PERFORMNUD,IFDISABLED>
    Opened by PID 17661
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
@whatnissan don't worry about your tun interfaces; they are handled by OpenVPN and it doesn't mind them changing numbers. What will be a problem is if your epair changes: your firewall won't know where to route your packets if your rules (ipfw.rules) don't match your interfaces (ifconfig -l).

Your tun interface will only show if your OpenVPN instance is running, so if you see it in your interfaces it means that OpenVPN is creating your tunnel correctly. Check if your firewall rules are being applied correctly:

Code:
[root@openvpn /mnt/openvpn]# ipfw list

Also check that you've redirected your local traffic to the remote OpenVPN server in your client configuration:

Code:
dhcp-option DNS 10.0.0.254
redirect-gateway def1
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
Code:
[root@vpn2 /]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via {EPAIR}
00200 nat 1 ip from any to any in via {EPAIR}
65535 allow ip from any to any
[root@vpn2 /]#


and my client config..
Code:
client
dev tun
proto udp
remote 50.162.13.48 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert john.appleseed.crt
key john.appleseed.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3
dhcp-option DNS 10.0.0.1
redirect-gateway def1
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
I can access anything on my local network... kinda. I say kinda because it will be quick and then it slows down and stops loading.
My port forwarding setup: .22 is my jail, .15 is the FreeNAS server itself, which is also set as the DMZ.
Code:
Name       Protocol   Ext. port  Int. port  Host
OwnCloud6  TCP & UDP  8080       8080       10.0.0.15
ssl        TCP & UDP  22         22         10.0.0.15
vpn        TCP & UDP  10011      10011      10.0.0.22
vpn        TCP & UDP  1194       1194       10.0.0.22
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
@whatnissan well there's a problem, your ipfw list shouldn't say {EPAIR}. Go to your ipfw.rules and double-check that the script is the same as my previous post. Your ipfw list should read something like:

Code:
[root@openvpn /]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
What do you mean? I copied your script; that's supposed to do that automatically?? Here are the rules I have

Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if {EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via {EPAIR}
ipfw -q add nat 1 all from any to any in via {EPAIR}
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
whatnissan said:
What do you mean? I copied your script; that's supposed to do that automatically?? Here are the rules I have

Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if {EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via {EPAIR}
ipfw -q add nat 1 all from any to any in via {EPAIR}
Aha! There's the problem: it's not {EPAIR}, it's ${EPAIR}. Copy and paste can save you lots of headaches.
 
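The two failure modes robles describes in this thread, rules that literally say {EPAIR} because the dollar sign was dropped, and rules that name an epair which no longer exists after the jail is recreated, can both be caught before OpenVPN is started. The script below is an added example, not code from this thread or from FreeNAS. It assumes the jail has exactly one epair*b interface (the jail side of the pair), that the VPN subnet is 10.8.0.0/24 as in the posts above, and it only runs ipfw when APPLY=1 is set in the environment, so it can be dry-run anywhere; the ifconfig -l and ipfw list strings in the dry-run section are constructed samples modelled on the output posted above, not captured from a real jail.

```shell
#!/bin/sh
# Added example (not from the thread or FreeNAS): build the jail-side ipfw
# NAT rules for OpenVPN from the real epair name and sanity-check a ruleset
# against the interfaces that actually exist.
# Assumptions: one epair*b interface in the jail, VPN subnet 10.8.0.0/24,
# ipfw(8) is only invoked when APPLY=1.

VPN_NET="${VPN_NET:-10.8.0.0/24}"

# pick_epair IFLIST
# IFLIST is the space-separated output of `ifconfig -l`. Prints the single
# epair*b interface. Fails if there is none or more than one, the cases a
# bare `grep epair` silently gets wrong.
pick_epair() {
    matches=$(printf '%s\n' "$1" | tr ' ' '\n' | grep '^epair[0-9][0-9]*b$' || :)
    n=$(printf '%s\n' "$matches" | grep -c '^epair' || :)
    [ "$n" -eq 1 ] || { echo "pick_epair: expected one epair*b interface, found $n" >&2; return 1; }
    printf '%s\n' "$matches"
}

# build_rules EPAIR
# Prints the commands the thread's ipfw.rules runs, with the interface name
# substituted. Note the ${EPAIR} form: {EPAIR} without the dollar sign is a
# literal string, which is exactly what produced "via {EPAIR}" above.
# These rules only translate addresses; ipfw's default rule 65535 still
# allows everything, so nothing here filters traffic.
build_rules() {
    EPAIR="$1"
    cat <<EOF
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from ${VPN_NET} to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
EOF
}

# check_rules RULELIST IFLIST
# RULELIST is the output of `ipfw list`, IFLIST that of `ifconfig -l`.
# Every "via <ifname>" in a nat rule must name an interface present in the
# jail; this catches both the literal {EPAIR} mistake and an epair that was
# renumbered when the jail was recreated.
check_rules() {
    rules="$1"; iflist="$2"; bad=0
    for ifn in $(printf '%s\n' "$rules" | grep ' nat ' | sed -n 's/.* via \([^ ]*\).*/\1/p' | sort -u); do
        case " $iflist " in
            *" $ifn "*) ;;
            *) echo "check_rules: nat rule references '$ifn', which is not a jail interface" >&2; bad=1 ;;
        esac
    done
    return $bad
}

if [ "${APPLY:-0}" = 1 ]; then
    # Real run inside the jail: derive the epair, load the rules, verify.
    epair=$(pick_epair "$(/sbin/ifconfig -l)") || exit 1
    build_rules "$epair" | /bin/sh
    check_rules "$(ipfw list)" "$(/sbin/ifconfig -l)"
else
    # Dry run over constructed sample data (not captured from a real jail).
    sample_ifs="lo0 epair0b tun3"
    sample_rules='00100 nat 1 ip from 10.8.0.0/24 to any out via {EPAIR}
00200 nat 1 ip from any to any in via {EPAIR}
65535 allow ip from any to any'
    echo "would run:"
    build_rules "$(pick_epair "$sample_ifs")"
    check_rules "$sample_rules" "$sample_ifs" || echo "sample ruleset is broken, as expected"
fi
```

Run it as APPLY=1 sh ipfw-nat.sh from inside the jail (or from the jail's rc hook) and it refuses to load anything when the epair cannot be identified unambiguously; without APPLY it only prints what it would do and reports whether a ruleset matches the interfaces, which is the check robles asked for with ipfw list and ifconfig -l.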

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
Now it won't connect at all... but I have this
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:35:5e:00:09:0b
    inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun4: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=9<PERFORMNUD,IFDISABLED>


Code:
[root@vpn2 /]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


I really think it has to do with the tun interface that keeps changing every damn time
Code:
[root@vpn2 /]# service openvpn start
Starting openvpn.
ifconfig: interface tun3 does not exist
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


Update: I fixed that; in the openvpn.conf it uses tun4 now, but it's still not routing after all that
Code:
[root@vpn2 /]# service openvpn start
Starting openvpn.
route: writing to routing socket: File exists
add net 10.0.0.22: gateway 10.8.0.1 fib 0: route already in table
add net 10.8.0.0: gateway 10.8.0.2
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
The thing that gets me is that it was working. I even tried this on a different network with the same results. I can access my router home page while connected (10.0.0.1) and my NAS (10.0.0.15), and even printed, but I cannot get out to the internet... What do you think, @robles?
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
I'm thinking it has to be my client config. What do you think???
Code:
client
dev tun
proto udp
remote 50.162.13.48 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert john.appleseed.crt
key john.appleseed.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3
dhcp-option DNS 10.0.0.1
redirect-gateway def1
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
I had the problem with my tun interface (changing from tun0 to tun1, tun2 after every jail restart). So I figured I'd upgrade my FreeNAS firmware. After that, no changing tun names anymore.

@robles: Is there a way to add client keys? I made 2 clients at the start but need some more. I unsuccessfully tried to use the command:
Code:
./build-key client3

Also, OpenVPN uses standard key sizes (like a 1024-bit TLS key) with the options provided in this guide. What command would be necessary to increase the key size for RSA and the TLS key?

edit1: I found the answers to my questions myself. For anyone interested:
If you want to generate a stronger key (for example the master certificate with 2048 bits instead of 1024) you can just add the keysize option when creating your keys for the first time:
Code:
. ./vars
./build-ca --keysize 2048

Adding clients is almost equally simple; you just need to cd to your easy-rsa directory:
Code:
. ./vars
./build-key newclient

edit2: To increase dh to 2048 the above-mentioned keysize option doesn't work.
You can use this command outside of bash instead:
Code:
openssl dhparam -out keys/dh2048.pem 2048
 
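THX's edits above raise the key-size question, and the easy-rsa defaults the guide inherits are what leave a dh1024.pem in the server configuration posted later in this thread. The following script is an added example, not part of the thread or of easy-rsa: it reads the sizes of the certificates, private keys and DH parameters in a keys directory with openssl(1) and fails if any is below a minimum. It assumes openssl is installed, the directory layout easy-rsa uses (*.crt, *.key, dh*.pem and the NN.pem copies of issued certificates), and a 2048-bit minimum, which is my choice rather than something the thread specifies.

```shell
#!/bin/sh
# Added example (not from the thread or easy-rsa): audit the sizes of the
# RSA keys, certificates and DH parameters easy-rsa wrote, so that a
# 1024-bit default does not go unnoticed.
# Assumptions: openssl(1) is installed; the directory holds *.crt, *.key and
# *.pem files as easy-rsa's keys/ directory does; the minimum size is an
# argument, 2048 being a reasonable floor.

# bits_from_text: pull the "(N bit" figure out of openssl's -text output.
# Matches both "Public-Key: (2048 bit)" and "Private-Key: (2048 bit, 2 primes)".
bits_from_text() {
    sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

cert_bits() { openssl x509    -in "$1" -noout -text 2>/dev/null | bits_from_text; }
key_bits()  { openssl pkey    -in "$1" -noout -text 2>/dev/null | bits_from_text; }
dh_bits()   { openssl dhparam -in "$1" -noout -text 2>/dev/null | bits_from_text; }

# audit_keys DIR MINBITS
# Reports the size of every certificate, key and DH parameter file in DIR
# and returns non-zero if any is smaller than MINBITS or cannot be read,
# so the function can gate a deployment.
audit_keys() {
    dir="$1"; min="$2"; weak=0
    for f in "$dir"/*.crt "$dir"/*.key "$dir"/*.pem; do
        [ -f "$f" ] || continue
        case "$f" in
            *.crt) bits=$(cert_bits "$f") ;;
            *.key) bits=$(key_bits "$f") ;;
            # easy-rsa stores dh*.pem next to 01.pem, 02.pem ... (issued
            # certificates), so try DH parameters first, then a certificate.
            *.pem) bits=$(dh_bits "$f"); [ -n "$bits" ] || bits=$(cert_bits "$f") ;;
        esac
        if [ -z "$bits" ]; then
            echo "$f: could not determine key size" >&2; weak=1; continue
        fi
        if [ "$bits" -lt "$min" ]; then
            echo "$f: $bits bits (minimum $min)" >&2; weak=1
        else
            echo "$f: $bits bits"
        fi
    done
    return $weak
}

# Usage: sh audit-keys.sh /mnt/openvpn/keys 2048
if [ "$#" -eq 2 ]; then
    audit_keys "$1" "$2"
fi
```

A non-zero exit from audit_keys means at least one file is weaker than the floor or unreadable; regenerating the CA with --keysize 2048 and the DH parameters with openssl dhparam 2048, as THX describes, is what brings a default easy-rsa directory past the check.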

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
Yeah, that's not my problem anymore. THX, did you have any routing issues? I can see my local network but I can't get out on my VPN...
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
Those last 2 lines appeared in the log when I tried to refresh a web page. Anyone know what that problem could be?
Code:
2015-02-19 14:15:56 MANAGEMENT: >STATE:1424376956,ADD_ROUTES,,,
2015-02-19 14:15:56 /sbin/route add -net 10.0.0.0 10.8.0.5 255.255.255.0
                                        add net 10.0.0.0: gateway 10.8.0.5
2015-02-19 14:15:56 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
                                        add net 10.8.0.1: gateway 10.8.0.5
2015-02-19 14:15:56 Initialization Sequence Completed
2015-02-19 14:15:56 MANAGEMENT: >STATE:1424376956,CONNECTED,SUCCESS,10.8.0.6,50.162.13.48
2015-02-19 14:16:29 *Tunnelblick process-network-changes: A system configuration change was ignored
2015-02-19 14:16:32 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's name after connecting.
2015-02-19 14:17:03 *Tunnelblick: After 30.0 seconds, gave up trying to fetch IP address information using the ipInfo host's IP address after connecting.


I'm going to add this traceroute

Code:
Traceroute has started…

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 72 byte packets
1  10.8.0.1 (10.8.0.1)  20.805 ms  21.232 ms  20.741 ms
2  10.0.0.1 (10.0.0.1)  21.624 ms  23.685 ms  22.505 ms
3  96.120.16.1 (96.120.16.1)  29.726 ms  29.182 ms  30.126 ms
4  68.85.250.189 (68.85.250.189)  79.845 ms  29.775 ms  30.734 ms
5  68.85.246.69 (68.85.246.69)  30.925 ms  30.270 ms  30.150 ms
6  4.68.71.109 (4.68.71.109)  36.096 ms  31.690 ms  29.676 ms
7  * 4.69.145.214 (4.69.145.214)  35.438 ms  37.530 ms
8  4.69.145.214 (4.69.145.214)  37.402 ms  35.012 ms  35.769 ms
9  72.14.214.210 (72.14.214.210)  36.310 ms  36.224 ms  35.866 ms
10  209.85.245.145 (209.85.245.145)  36.126 ms  36.173 ms  44.691 ms
11  8.8.8.8 (8.8.8.8)  43.468 ms  38.565 ms  35.754 ms
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Ughhhhh.....

Ok, I've tried this 3 separate times, from start to finish, triple-checked everything, but I cannot get my OpenVPN to start. Everything goes as it should, up to the point where I restart the jail and try to start the openvpn service.

Code:
[root@openvpn /]# ipfw list
00100 nat 1 ip from 192.168.11.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any

[root@openvpn /]# service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


Here's my ifconfig; I'm pretty confident I got all the IP addressing correct for my network
Code:
[root@openvpn /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:d5:a0:00:11:0b
        inet 192.168.0.204 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun5: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=9<PERFORMNUD,IFDISABLED>



One thing I noticed though is that when I restart my jail, the jls number goes up by one. I configured everything and it was 13. When I restart and sudo back into openvpn, it won't let me sudo to the same number. When I jls, the number has changed to 14. I double-checked the epair # and that is all the same.

I haven't configured my router yet for the port forwarding... but it doesn't seem like I'm even to that point yet.

Anyone have any idea?
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
Did you notice your tun device going up every restart? From tun4 to tun5, for example?
I had this issue and renamed tun back to tun0:
Code:
ifconfig tun5 name tun0
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Yeah, it is moving up every restart. I didn't take notice of where it was when I originally configured it though. Tried renaming and still a no-go.

EDIT:

Dohhh! Never mind, I realized I forgot to comment out (#) a few lines when cutting and pasting in nano openvpn.conf.

I tried starting the service, then got that tun0 error. Changed back to tun0 and it started! Thx!!!
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
First off, thanks for a fantastic guide. After deleting the 1st attempt, I quickly spotted the stupid mistakes in v2 and can connect the OpenVPN server & client :D

Don't think I've got the openvpn.conf file set up correctly though, as when I connect I don't see any of the network devices, and was expecting things to look the same as if I was connecting locally. This is probably just my lack of understanding of IP addresses, NAT and a whole bag of other things!

I was struggling to translate the IP range in the example to my IP range at home, so I tried to create a similar graphical example and have pasted my conf file below. Hopefully someone can quickly spot my schoolboy error ;)

[network diagram (image not included): the "purple" and "yellow" networks referred to below]


Code:
port 444
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 192.168.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.8.0 255.255.255.0"
route 192.168.168.75 255.255.255.0 192.168.8.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 6


As I said, I'm connecting OK, so am assuming the port forwarding is set up fine and "mydomain" is directing to my static IP address. I'm guessing it's something to do with getting from the purple to the yellow network, but I've gone through it several times and, other than changing all my IP addresses to 10.x.x.x, am at somewhat of a loss.

Thanks
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
You made a mistake in line 10; it should be your yellow network (192.168.168.0).
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Thanks, but that hasn't fixed it either!

After connecting to the VPN I get a warning in the client saying "internet does not appear to be reachable" and I can't ping any of the devices in the yellow network, although I can ping 192.168.168.75.

UPDATE

Ah, so after a little more digging, my ipfw.rules were wrong, as it appears that after I'd rebooted FreeNAS it had assigned a different internal interface! Changed this, and I can now ping the other devices in the yellow network and, even though I'm still getting the "internet does not appear to be reachable" message, I appear to be getting internet requests down the VPN (as I've set 'route all traffic through vpn' on the client).

As you might have guessed from the diagram, my network is mainly made up of Apple devices. Connecting through a VPN I was expecting to see the same shared options in Finder as I would connected locally, but I'm not. Might be beyond the realms of this forum, but anyone have any ideas?
 