How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT


Jag_Five-O

Yeah, I can't get this figured out. Outside of remapping my entire network, because I am on 192.168.1.1, to match 10.0.0.0, I am pretty lost. I think my biggest problem is I'm having a hard time figuring out what the Gateway (10.0.0.254) is on my system. I think it's 192.168.1.1 but I'm not 100% sure. Here is my config:
Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.0.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.1 255.255.255.0"
route 192.168.1.5 255.255.255.0 10.0.8.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
 

Krowvin

@Jag_Five-O

Looking at your config Jag, I noticed you switched class B and C

A.B.C.D

Does creating a private network on 10.0.8.0 vs 10.8.0.0 change anything?
 

JJT211

^^^ Changing to a class B 10.0.8.0 is correct.

In your config,
Line 10 is incorrect, it should be your network (192.168.1.0), not (192.168.1.1) which I assume is your gateway

Add these 2 lines at the end,

Code:
dhcp-option DNS (your gateway ip)
redirect-gateway def1


Sorry, I meant to say add the above to your ovpn.conf (client)!!
 
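
The point about line 10 (a route needs the network address, not the gateway's host address) is easy to check mechanically. The following is an added example, not code from the thread or from OpenVPN: it parses the `route`, `push "route ..."` and `server` lines of a server config and flags any address that is not the network address for its mask. The sample config is constructed from the one posted above.

```python
import ipaddress
import shlex

# Constructed sample: the posted server config, reduced to the lines that
# matter here. Two of them carry a host address where a network is expected.
SAMPLE_CONF = """\
port 10011
proto udp
dev tun
server 10.0.8.0 255.255.255.0
push "route 192.168.1.1 255.255.255.0"
route 192.168.1.5 255.255.255.0 10.0.8.1
keepalive 10 120
"""

def parse_routes(conf_text):
    """Yield (directive, address, mask) for every 'server', 'route' and
    pushed 'route' directive in an OpenVPN server config."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)             # removes the quotes of push "..."
        if words[0] == "push" and len(words) == 2:
            pushed = words[1].split()         # e.g. ['route', addr, mask]
            if len(pushed) >= 3 and pushed[0] == "route":
                yield ("push route", pushed[1], pushed[2])
        elif words[0] in ("route", "server") and len(words) >= 3:
            yield (words[0], words[1], words[2])

def check_routes(conf_text):
    """Return one message per directive whose address is not the network
    address for its mask (192.168.1.1/255.255.255.0 should be 192.168.1.0)."""
    problems = []
    for directive, addr, mask in parse_routes(conf_text):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if str(net.network_address) != addr:
            problems.append(f"{directive} {addr} {mask}: not a network address, "
                            f"did you mean {net.network_address}?")
    return problems

if __name__ == "__main__":
    for problem in check_routes(SAMPLE_CONF):
        print(problem)
```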

Krowvin

Is this added to the ovpn file (client) or the server file, openvpn.conf ?
Code:
dhcp-option DNS (your gateway ip)
redirect-gateway def1


robles suggests adding it to the ovpn client file, but Jag is referring to his server conf?

I did my own bit of outside research on this, from what I read if you place these two lines in the server conf they'll look something like push "redirect-gateway def1"

Also, I'm able to connect to my FreeNAS VPN, and I still get internet traffic. However, I can't access my local network and it doesn't show up as having the same WAN IP as my FreeNAS box?

Perhaps I'm missing something fundamental here.

I have an R6000 router with VPN software; I'm able to connect to the home network with it.
It's limited to just the home network though, and it doesn't support mobile devices.

I lost count of how many times I've started this jail from scratch/rebooted due to the previously mentioned tun error.
 

JJT211

Dude, trust me, I lost count myself.

Just to double check, as I haven't stressed it in my recent posts, you are trying to connect to the VPN outside your local network correct?

Anyways, It's definitely the client ovpn file only.

Just think about it: those commands are telling the client to redirect all of its traffic through the VPN and out of your home internet connection. Your server already has that information, it's already been configured and it's literally in physical proximity of that gateway IP. So why would the server file or openvpn.conf need that info? You're right, it's already been "pushed" in the other files.

Your client, on the other hand, isn't required to direct all of its traffic through the VPN. It's also the only one of the three that doesn't have that information. Therefore, that's the key piece of information that's missing from the equation. As I've written this out, I'm really starting to think that was my problem. In previous attempts, I would change other things before I added that to my client config, and those other small changes probably threw everything off by the time I would try it again.

The only thing your router is doing is forwarding a port. VPN software has nothing to do with it. Especially if you're able to connect, then it has nothing to do with your router. The problem lies in the server/client configuration.

Post up your config files.

EDIT: crap, you are right!! No, he shouldn't be adding that to the end of his posted conf file!
 

Krowvin

But JJ! It gets better.

For giggles I moved my .ovpn client config, ca, crt, and key for my laptop over to my phone. Just to see, and my phone was able to connect AND able to see the local network at home. (i.e. able to access local ips that I don't have port forwarded)

I'm not at home, about 20 miles away from my house. Using my phone as a tether, so I can confirm it isn't the same LAN.

I am making sure to disconnect from my other VPN (router) before connecting to the FreeNAS vpn.

Here are my config files:

Client
Code:
client
dev tun
proto udp
remote mywebsite.com 23323
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert lenovo.laptop.crt
key lenovo.laptop.key
#tls-auth auth.key 1
ns-cert-type server
comp-lzo
verb 3
dhcp-option DNS 192.168.1.1
redirect-gateway def1


Server /mnt/openvpn/openvpn.conf
Code:
port 23323
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.0.8.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.101 255.255.255.0 10.0.8.1
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


Firewall Rules (ipfw)
Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.0.8.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b


These conf files work on my phone (with the exception of it being a different port and different domain); it connects on my laptop but I'm unable to view the local network.
Shouldn't I also be able to use my home IP address with this config?
 

JJT211

In your firewall rules, you sure epair0b is correct?

That's exactly from the tutorial, but you are supposed to change the epair number according to what you get from the below command

Code:
ifconfig | grep epair


Everybody's epair # is different, depends on how many jails you are running, here's mine

Code:
[root@openvpn /mnt/openvpn]# ifconfig | grep epair
epair2b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500


So my ipfw.rules looks like this:

Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair2b
ipfw -q add nat 1 all from 10.0.8.0/24 to any out via epair2b
ipfw -q add nat 1 all from any to any in via epair2b


Which leads me to this: when you restart your jail, sometimes your epair #, or your tun #, will change. That's where I said you need to ifconfig after the jail restart and double check those numbers stayed the same.

If the epair # changes, then just edit the ipfw.rules. If the tun # changes (i.e. from tun1 to tun2) you can change it back to tun1 using this command.

Code:
ifconfig tun2 name tun1
 
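
Since the epair and tun numbers can change after a jail restart, the check can be scripted. The following is an added example, not code from the thread: it parses `ifconfig` output from inside the jail, finds the jail's `epair*b` end, renders the four ipfw.rules lines with that name, and reports the rename command from the post above when the tun device the server expects is missing. The ifconfig text is a constructed sample shaped like the output posted later in this thread; the expected tun name (`tun0`) and VPN network (10.0.8.0/24) are assumptions taken from the configs here.

```python
import re

# Constructed sample of `ifconfig` inside the openvpn jail (not real output).
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
epair3b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.0.5 netmask 0xffffff00 broadcast 192.168.0.255
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
"""

# Interface headers start at column 0 as "<name>: flags=..."; detail lines are indented.
IFACE_RE = re.compile(r"^(\w+): flags=", re.MULTILINE)

def interfaces(ifconfig_text):
    """Return the interface names in the order ifconfig printed them."""
    return IFACE_RE.findall(ifconfig_text)

def jail_epair(ifconfig_text):
    """The jail's side of its epair (the 'b' end); refuse to guess if ambiguous."""
    epairs = [n for n in interfaces(ifconfig_text) if re.fullmatch(r"epair\d+b", n)]
    if len(epairs) != 1:
        raise ValueError(f"expected exactly one epair*b interface, found {epairs}")
    return epairs[0]

def ipfw_rules(ifconfig_text, vpn_net="10.0.8.0/24"):
    """Render the thread's ipfw.rules with the epair name detected right now."""
    ep = jail_epair(ifconfig_text)
    return [
        "ipfw -q -f flush",
        f"ipfw -q nat 1 config if {ep}",
        f"ipfw -q add nat 1 all from {vpn_net} to any out via {ep}",
        f"ipfw -q add nat 1 all from any to any in via {ep}",
    ]

def tun_fix(ifconfig_text, wanted="tun0"):
    """None if the tun device the server expects exists; otherwise the
    'ifconfig tunN name tunM' command that renames the one that does."""
    tuns = [n for n in interfaces(ifconfig_text) if re.fullmatch(r"tun\d+", n)]
    if wanted in tuns:
        return None
    if not tuns:
        raise ValueError("no tun interface exists in the jail")
    return f"ifconfig {tuns[0]} name {wanted}"

if __name__ == "__main__":
    print("\n".join(ipfw_rules(SAMPLE_IFCONFIG)))
    print(tun_fix(SAMPLE_IFCONFIG))
```

Run it after every jail restart (for example by feeding it the real `ifconfig` output via `sys.stdin.read()`) and only then reload the NAT rules.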

Krowvin

It was epair4b at first, because I do have a handful of jails running. However, when I restarted my system because of the tun error. (I got this error while trying to place
  1. dhcp-option DNS 192.168.1.1
  2. redirect-gateway def1
in the server config.)

I changed the files to what I have shown now, but that's after I bothered to check what my epair was again. For whatever reason my system moved my openvpn jail up the list; when I type jls it's number 2. I believe I read a post in here about someone else having a similar problem with epair changing. I checked again, it's still epair0.
 

JJT211

Just finished reading the rest of your post. If everything is working from your phone, but not your laptop, then your laptop is definitely the problem.
 

JJT211

It was epair4b at first, because I do have a handful of jails running. However, when I restarted my system because of the tun error. (I got this error while trying to place
  1. dhcp-option DNS 192.168.1.1
  2. redirect-gateway def1
in the server config.)

I changed the files to what I have shown now, but that's after I bothered to check what my epair was again. For whatever reason my system moved my openvpn jail up the list, when I type jls it's number 2. I believed I read a post in here about someone else having a similar problem with epair changing. I checked again, it's still epair0.

I don't see the error you're talking about.

And don't worry about the jls number, it doesn't mean anything. It will fix itself when you reboot your server. Just pay attention to your epair and tun #'s.
 

Krowvin

then your laptop is definitely the problem.

Indeed. May I ask how you have your OpenVPN GUI set up on your remote computer? That might be a better suited question for the OpenVPN forum. However, when I set it up the first time my router (R6000) had some cheesy instructions about renaming the hardware adapter to "NETGEAR-VPN".

Might be time to try this on another remote windows machine and see if it connects.
 

JJT211

Indeed. May I ask how you have your OpenVPN GUI set up on your remote computer? That might be a better suited question for the OpenVPN forum.

haha.....don't worry, I won't bark at ya!

Sounds like the OpenVPN driver on your laptop didn't install correctly. Try completely removing and reinstalling the OpenVPN client. Pay close attention to the driver.
 

Krowvin

I got the exact same problem. I have followed your guide and double checked everything.
I get this error:
Code:
[root@openvpn /]# service openvpn start
Starting openvpn.
ifconfig: interface tun0 does not exist
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


If I run "ifconfig" I have no interface called "tun0", but I got a "tun2".

Code:
[root@openvpn /]# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair3b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:82:7c:00:0b:0b
        inet 192.168.0.5 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        nd6 options=9<PERFORMNUD,IFDISABLED>


Tried to create a new interface but ended up with "tun03" that can't be used (not tun02 either). Tried to create it named tun0 but then it says it already exists.

What should I do? Can you help me with it?
Let me know if you need to see any config files or something!

This fellow a few pages back. He went through several posts trying to figure it out. I could have sworn someone somewhere said they were gone for a while, but came back, restarted their server and the problem fixed itself. (In reference to tun0 not existing)

If someone else comes along and gets this error,
Code:
 ifconfig: interface tun0 does not exist 
try rolling back whatever you just did. Then restarting your server.
 

JJT211

The GUI is pretty straight forward, just make sure when you make changes to your ovpn file, you delete the old one and import the new one.
 

JJT211

Yea, but if you're able to connect from your phone, it works, your server is fine. It's your laptop. Which is a MUCH easier problem to troubleshoot.
 

Krowvin

I don't see the error you're talking about
Yeppers, just clarifying what I was referring to. In case someone else came along with the same error.


Thanks again for all the help!
 

Krowvin

So I got it working (able to view and use local IPs) on a Windows7 machine on another remote network. (I used teamviewer)
I've established that I theoretically should be able to fix it if I (like you were saying) reinstall the software on my laptop. edit: I reinstalled OpenVPN on my laptop. It's working as intended. (Minus the bit about True VPN below)

But I'm still trying to create the "True VPN" mentioned by adding the two code lines below to the OVPN client file.
With an end goal of changing the IP address of the remote computer to the server's IP (I mean, that is what will happen, as well as routing all traffic through that server, correct?):

Code:
dhcp-option DNS 10.0.0.254
redirect-gateway def1


Replace 10.0.0.254 with your local DNS server (almost always your gateway's IP address).

Not to complicate things more, but is this the same gateway as the client or the server? Seeing as the OP posted with 10.0.0.254 I'd assume the server gateway.
 

JJT211

I believe it's just the router on the local network.

Where you may be getting confused, and I was as well, is when you ipconfig from Windows, you see the normal IP address and you're like WTF, this is a True VPN right? Well, scroll up some more and you'll see a whole separate interface called "TAP Win 32 adapter" or something like that, and there will be your IP on the 10.0.8.0 network. That's the OpenVPN driver I was referring to as well.

Check the pic in my post a page back.

Here ya go

(attached screenshot of the ipconfig output, not reproduced here)
 

Krowvin

I was under the impression adding those two extra lines to the client config would change my WAN IP on my remote client to the WAN IP of my server? Also giving me access to the geo-location of my server.

ipconfig shows as having the assigned private network on the adapter, but if I am to Google "What's my IP", for example, I still have the same IP as I would if I wasn't connected to the VPN.

Sorry, having a hard time conveying what I mean o_O

I've accomplished what I really wanted, access to my LAN for both my phone and laptop using one VPN.

But man oh man, would it be fun to use my home IP too.
 

JJT211

Oh yea, forgot about that. I was just so happy I was finally able to connect to my home LAN, I haven't given it much thought since.

I have no idea but would really like to know myself.
 