How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

nello

Patron
Joined
Dec 30, 2012
Messages
351
Also, key length is up to everyone, of course 2048 will be safer. If your server doesn't mind a little more computation, increase it.

Noobs who are cutting/pasting your instructions may not be aware of key length considerations. It might be worth mentioning these considerations in your tutorial.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Thanks, but that hasn't fixed it either!

After connecting to vpn I get a warning in the client saying "internet does not appear to be reachable" and I can't ping any of the devices in the yellow network, although I can ping 192.168.168.75.

UPDATE

Ah, so after a little more digging my ipfw.rules were wrong, as it appears that after I'd rebooted FreeNAS it had assigned a different internal interface! Changed this, and I can now ping the other devices in the yellow network, and even though I'm still getting the "internet does not appear to be reachable" message I appear to be getting internet requests down the VPN (as I've set 'route all traffic through VPN' on the client).

As you might have guessed from the diagram, my network is mainly made up of Apple devices. Connecting through a VPN I was expecting to see the same shared options in Finder as I would connected locally, but I'm not. Might be beyond the realms of this forum, but anyone have any ideas?
Apple uses zeroconf (Bonjour) to discover devices on the same network without using the TCP/IP layer. This requires using the access layer (layer 2 in the OSI model) to broadcast its services to the main switch using the MAC broadcast address. Since OpenVPN is configured as a tunnel, the jail doesn't extend the broadcast domain; like any router (and unlike a switch), it separates broadcast domains.

To discover remote devices through OpenVPN you would have to either configure it to do Ethernet Bridging (using dev tap0) to forward everything in the access layer as if it were directly connected to the same switch or use Wide Area Bonjour, which relies on a DNS server and modifying some DHCP arguments.

I've successfully done an Ethernet Bridging configuration, but it has a serious impact on performance because it has to transmit so much more data, and unless you're setting up an AirPrint server or an OS X Server Active Directory, it's not worth it.

If you want to access any other devices, I suggest setting up some DHCP reservations for those devices so they get the same IP each time they connect to your wireless network, and then try connecting to them remotely using the Finder "Connect to Server" option (⌘K).
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Apple uses zeroconf (Bonjour) to discover devices on the same network without using the TCP/IP layer. This requires using the access layer (layer 2 in the OSI model) to broadcast its services to the main switch using the MAC broadcast address. Since OpenVPN is configured as a tunnel, the jail doesn't extend the broadcast domain; like any router (and unlike a switch), it separates broadcast domains.

To discover remote devices through OpenVPN you would have to either configure it to do Ethernet Bridging (using dev tap0) to forward everything in the access layer as if it were directly connected to the same switch or use Wide Area Bonjour, which relies on a DNS server and modifying some DHCP arguments.

I've successfully done an Ethernet Bridging configuration, but it has a serious impact on performance because it has to transmit so much more data, and unless you're setting up an AirPrint server or an OS X Server Active Directory, it's not worth it.

If you want to access any other devices, I suggest setting up some DHCP reservations for those devices so they get the same IP each time they connect to your wireless network, and then try connecting to them remotely using the Finder "Connect to Server" option (⌘K).

Thanks for that. I would have wasted hours trying to get something to work that was never going to :D

All my devices have reserved IP addresses, so I just tried using ⌘K through OpenVPN and that works a treat. I was hoping I would be able to remote control my iMac (using screen sharing), but at least having access to the drives is a good start!
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Thanks for that. I would have wasted hours trying to get something to work that was never going to :D

All my devices have reserved IP addresses, so I just tried using ⌘K through OpenVPN and that works a treat. I was hoping I would be able to remote control my iMac (using screen sharing), but at least having access to the drives is a good start!
You can open Screen Sharing (Macintosh HD ▸ System ▸ Library ▸ CoreServices ▸ Applications) and enter your iMac's IP, this should work.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Fantastic! Thank you!!
 
Joined
Feb 22, 2015
Messages
2
Hi, I'm trying to set up OpenVPN to be able to access my jails halfway securely outside of my home, as well as get iPlayer access when I'm travelling. I've followed the setup instructions above, and I've tested connecting locally to the VPN, and as best I can tell, it works. I've set up port forwarding on my router and Dynamic DNS, but any time I try to access the server via the external IP it fails. I'd be very grateful if anyone could help, as I'm utterly stuck regarding the way forward.
Of note: it looks like Plex Media Server will happily connect using the exact same port with the same port forwarding rule (allowing TCP as well as UDP), so it would appear that the router is at least port forwarding correctly.

I've attached the output from the OpenVPN client when it tries to connect.
And yes.. I am an absolute newbie to FreeNAS/OpenVPN.
 

Attachments: Untitled.jpg (256.2 KB)

Tutti21

Cadet
Joined
Jan 30, 2015
Messages
9
Hello,

on my FreeNAS I have 2 OpenVPN jails and I can only connect to the one that was first powered on, and if I only have one powered on it works too.

I saw that every time I power on the OpenVPN jail the tun adapter changes and I can't connect anymore, so where must I change it in the config so that I always get the same one, and/or where in the config must I change the tun number so it works again?

It only works when tun is on number 0, so tun0, if I type ifconfig.
 

rumdr19

Dabbler
Joined
Jan 18, 2015
Messages
28
This is a really good tutorial/thread. Thank you to the OP and everyone who has participated. I have two questions. How do I determine the IP of the purple network? Do we just make it whatever we like? I have looked around and have not been able to answer them.

Thank you in advance!
 

tonyp1983

Dabbler
Joined
Feb 17, 2015
Messages
31
Brilliant tutorial, I finally have a working VPN connection to my FreeNAS whilst allowing me to keep it separate from the main server config. There is one thing I'd like to be able to do which I haven't been able to find an answer for (most likely because I lack the appropriate terminology to search for it).

I have OpenVPN set up with the ability for VPN clients to communicate with each other and access the rest of my network at home, but I want to be able to access my VPN clients (via IP) from any device on my home network. Currently if I try to do this, the connections fail, I assume because the subnet being used by the VPN clients isn't known to my home gateway/router (as routing between clients and the home network is all done within the OpenVPN jail using NAT?).

Can anyone suggest what I would need to do to configure this? Any help appreciated!

Subnets/IPs are:
Home Network: 10.0.0.x
Gateway (router): 10.0.0.1
OpenVPN Jail IP: 10.0.0.10
OpenVPN internal (clients designated in this range): 10.8.0.x
 

beltet

Dabbler
Joined
Sep 24, 2013
Messages
26
First off, thanks for the guide! Got my OpenVPN started but realized that I want a bridged setup (tap). So I started to dig into the OpenVPN documentation, but it lacks some info.
Anyone know what command to use to get the bridge-utils?
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
Anyone know what command to use to get the bridge-utils?

I don't know the answer to your question. However, I imagine that it's covered in this book:

OpenVPN 2 Cookbook
Paperback: 356 pages
Publisher: Packt Publishing (February 17, 2011)
Language: English
ISBN-10: 1849510105
ISBN-13: 978-1849510103

You can buy it from Amazon:
http://www.amazon.com/dp/1849510105/?tag=ozlp-20

Or, find a library that has a copy:
http://www.worldcat.org/title/openv...power-of-the-openvpn-2-network/oclc/754874280

Finally, you can try downloading it as a PDF from:
http://filepi.com/i/eFkBMZw
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Brilliant tutorial, I finally have a working VPN connection to my FreeNAS whilst allowing me to keep it separate from the main server config. There is one thing I'd like to be able to do which I haven't been able to find an answer for (most likely because I lack the appropriate terminology to search for it).

I have OpenVPN set up with the ability for VPN clients to communicate with each other and access the rest of my network at home, but I want to be able to access my VPN clients (via IP) from any device on my home network. Currently if I try to do this, the connections fail, I assume because the subnet being used by the VPN clients isn't known to my home gateway/router (as routing between clients and the home network is all done within the OpenVPN jail using NAT?).

Can anyone suggest what I would need to do to configure this? Any help appreciated!

Subnets/IPs are:
Home Network: 10.0.0.x
Gateway (router): 10.0.0.1
OpenVPN Jail IP: 10.0.0.10
OpenVPN internal (clients designated in this range): 10.8.0.x

This is just a guess, but I think it would have something to do with the VPN's firewall rules config

This will create a new file in /usr/local/etc/ named ipfw.rules. Insert the next rules in that file:
Code (text):
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b
A couple of notes about this configuration:
  • The first line flushes any previous configuration in the firewall
  • The second one, creates the purple network.
  • The third one, creates a rule saying that all traffic from the purple network should be translated and outputted through the epair0b interface.
  • The last one accepts any traffic from the epair0b interface back into the jail.

Or, creating a static route from your unsecure LAN to your VPN LAN. Although it may be a security risk, I dunno; seems to be a more general networking question.

See below

The FreeBSD doc on IPFW is great documentation, and for a good starting point I really recommend the DummyNet tutorial.
 
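Several posts in this thread hit the same snag: the epair or tun number changes after a jail restart, so a hard-coded "epair0b" in ipfw.rules stops matching. As an added example (not the tutorial's or any poster's file), here is an ipfw.rules that finds the jail-side epair interface at run time and then applies the same four rules; it assumes a single epair*b interface in the jail and the 10.8.0.0/24 subnet used in the thread.

```shell
#!/bin/sh
# Added example, not the tutorial's own ipfw.rules: generate the NAT rules from
# the jail's current epair interface instead of hard-coding "epair0b", so they
# survive the interface renumbering reported in this thread.
# Assumes one epair*b interface in the jail and the tutorial's 10.8.0.0/24 VPN
# subnet. Point rc.conf's firewall_script at this file, as the tutorial does.

VPN_NET="10.8.0.0/24"

# Print the first jail-side epair interface found in a space-separated
# interface list (the format of FreeBSD's `ifconfig -l`); fail if none.
find_epair() {
    for ifn in $1; do
        case "$ifn" in
            epair*b) printf '%s\n' "$ifn"; return 0 ;;
        esac
    done
    return 1
}

# Print the tutorial's four ipfw commands with the interface filled in.
gen_rules() {
    printf 'ipfw -q -f flush\n'
    printf 'ipfw -q nat 1 config if %s\n' "$1"
    printf 'ipfw -q add nat 1 all from %s to any out via %s\n' "$VPN_NET" "$1"
    printf 'ipfw -q add nat 1 all from any to any in via %s\n' "$1"
}

if command -v ipfw >/dev/null 2>&1; then
    # Inside the jail: read the live interface list and execute the rules.
    IFN=$(find_epair "$(ifconfig -l)") || { echo "ipfw.rules: no epair*b interface found" >&2; exit 1; }
    gen_rules "$IFN" | sh
else
    # No ipfw here: dry run on a constructed interface list that mimics a jail
    # whose epair was renumbered to epair8b after a restart.
    IFN=$(find_epair "lo0 epair8b tun0") && gen_rules "$IFN"
fi
```

Running it on a machine without ipfw only prints the rules it would apply, which is a quick way to check the output before placing it in the jail.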

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
Will this tutorial allow me to ensure that my FreeNAS Jails for Qbittorrent, Couchpotato, SabNZBD, Sickbeard are all using the internet through a VPN?
Yet still allow me to connect to them locally from within my network to administer them?
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
@ diskdiddler
Your question shows that you haven't even read the first post.
This HOWTO is about server-side configuration. You are talking about a client-side configuration where you connect to a VPN server.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
In n00binese (as the difference was still a bit unclear to me at first), that means it's only for connecting from outside your home network to your FreeNAS machine. If you want to use a VPN for the internet, you're going to have to purchase a VPN service like PIA.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
This is a really good tutorial/thread. Thank you to the OP and everyone who has participated. I have two questions. How do I determine the IP of the purple network? Do we just make it whatever we like? I have looked around and have not been able to answer them.

Thank you in advance!

Yea, or just keep it the same as in the tutorial. Doesn't really matter, because your FreeNAS and your client will have IPs in the purple network... everything will be the same.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
I've been through this tutorial several times already. I can connect to the VPN just fine, but I'm unable to reach anything on the LAN network, and haven't been able to ping anything on the OpenVPN network either, even with me showing a 10.8.0.6 VPN network IP... I have no idea what else to try.

What's really odd is when I do an ipconfig from Windows, it appears I don't have a default gateway on my OpenVPN side. Isn't that what 10.8.0.1 is supposed to be? Why isn't it there? I tried pinging it with no answer.

[screenshot of ipconfig output]



Here's everything else

openvpn.conf
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.205 255.255.255.0 10.8.0.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 4



nano /usr/local/etc/ipfw.rules

Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair8b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair8b
ipfw -q add nat 1 all from any to any in via epair8b


rc.conf

Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="openvpn"
hostname="openvpn"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


ipfw list

Code:
[root@openvpn /mnt/openvpn]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair8b
00200 nat 1 ip from any to any in via epair8b
65535 allow ip from any to any


client config

Code:
client
dev tun
proto udp
remote [my ddns address] 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert jeff.crt
key jeff.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 4

ifconfig
Code:
[root@openvpn /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair8b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:5b:11:00:14:0b
        inet 192.168.0.205 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        nd6 options=9<PERFORMNUD,IFDISABLED>
 

Jag_Five-O

Dabbler
Joined
Mar 28, 2015
Messages
16
JJT211, I have a similar problem. After having been through the guide multiple times, I can connect via OpenVPN but I cannot access anything on the network. I think I have something messed up with my IPs but I'm not sure. I hope they can solve your situation because I'm in the same boat.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
Wow, I FINALLY got it working!! I kept everything as close to the tutorial as possible, even the john.appleseed part with the key names. I'm not sure exactly what it was, but here are a few things that I did that might have made the difference.

- Don't spend too much time trying to fix your config; delete everything and start over. That includes the openvpn dataset you create as well. After you've been through the tutorial a few times, it doesn't take long at all to set up.

- Definitely add the below to your client config file. I think not routing all of your traffic through the VPN can potentially be confusing to your client on how to direct traffic.

dhcp-option DNS 10.0.0.254
redirect-gateway def1

- Instead of doing the 443 to 10011 port forward, I did 443 to 443. (Router issue?)

- Change to 10.0.8.0/24

- Just try and simplify as much as possible. Also, every time you restart your jail, double check ifconfig to make sure your epair or tun numbers don't change on you. Mine did almost every time. Make sure you're on the latest FreeNAS update. Reboot your server if it hasn't been restarted in a while.

Delete everything and start over, and if you're getting the same results, post your config.
 

JJT211

Patron
Joined
Jul 4, 2014
Messages
323
One thing that also might have been a problem now I think of it, I had Transmission connected to PIA using openvpn in that single jail for a while. I recently turned it off and stopped the jail for something else.

EDIT: Nope, nevermind
 