How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

FritVetBE

Explorer
Joined
Dec 28, 2013
Messages
87
That was it! At one point though I definitely went through the rc config and looked for the path (as well as a few other files), so I'm not sure if it got regenerated with the old path value or if I just missed it the first time through, probably the latter :) Thanks for the sanity check and all the help!

I'm happy that you got it back up and running again, you are welcome!
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
I'm currently updating the guide for Easy-RSA 3.1, the config files may change to include the updated ciphers and 2048+ bit SSL keys.

After 6 hours fiddling with it (4 more than necessary if I'd read FritVetBE's blog post first), it is now working.

I'm collecting all of the commands and modifying the OP while doing it in a fresh install of FreeNAS 9.10.1 (d989edd) so the steps are as accurate as possible.

As always, thanks to everyone for your support on this tutorial.
 

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
Robles, I have to tell you, the changes have, I think, made it worse. You also have an instruction after the openvpn.conf code block that I think (now) contains a typo because of the changes you made to the addressing of your networks in the example. I am trying to follow your updated guide to see if it works, and I can connect but have neither VLAN nor WAN access. --- As a side note, I have a functional VPN based on the prior notes (subject to necessary changes detailed in my post on page 16), so it's not user error...

My home network is addressed as: 192.168.1.###
Like most people, my router is 192.168.1.1
My freenas box has an IP of 192.168.1.XYZ
My openVPN jail has an IP of 192.168.1.YYY

The hangup is clearly somewhere in these areas of the openvpn.conf and ipfw.rules files. In my situation -- which is the typical setup for almost all home users

1) what should the server & push lines of the .conf read?

Code:
server ___________ 255.255.255.0
push "route _________ 255.255.255.0"


2) what should the IPFW rules look like?

Code:
ipfw -q add nat 1 all from ______/24 to any out via ${EPAIR}



I look forward to seeing your answer. I think that this will prove to be the most difficult part for the newbs trying to follow your guide.

thanks for all your hard work.


I'm currently updating the guide for Easy-RSA 3.1, the config files may change to include the updated ciphers and 2048+ bit SSL keys.

After 6 hours fiddling with it (4 more than necessary if I'd read FritVetBE's blog post first), it is now working.

I'm collecting all of the commands and modifying the OP while doing it in a fresh install of FreeNAS 9.10.1 (d989edd) so the steps are as accurate as possible.

As always, thanks to everyone for your support on this tutorial.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Robles, I have to tell you, the changes have, I think, made it worse. You also have an instruction after the openvpn.conf code block that I think (now) contains a typo because of the changes you made to the addressing of your networks in the example. I am trying to follow your updated guide to see if it works, and I can connect but have neither VLAN nor WAN access. --- As a side note, I have a functional VPN based on the prior notes (subject to necessary changes detailed in my post on page 16), so it's not user error...

My home network is addressed as: 192.168.1.###
Like most people, my router is 192.168.1.1
My freenas box has an IP of 192.168.1.XYZ
My openVPN jail has an IP of 192.168.1.YYY

The hangup is clearly somewhere in these areas of the openvpn.conf and ipfw.rules files. In my situation -- which is the typical setup for almost all home users

1) what should the server & push lines of the .conf read?

Code:
server ___________ 255.255.255.0
push "route _________ 255.255.255.0"


2) what should the IPFW rules look like?

Code:
ipfw -q add nat 1 all from ______/24 to any out via ${EPAIR}



I look forward to seeing your answer. I think that this will prove to be the most difficult part for the newbs trying to follow your guide.

thanks for all your hard work.
Thanks for your feedback, I'm currently actively monitoring this thread to fix the problems as soon as they're spotted. I'll update this answer later today after I get home and take a good look at it.

Thanks for your notes and efforts.
 

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
This is a very useful article. I am having trouble when I execute sockstat -4 -l

I am missing the lines for -

nobody openvpn 63758 6 udp4 *:10010 *:*
root syslogd 63726 7 udp4 *:514 *:*

Any help would be appreciated.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Robles, I have to tell you, the changes have, I think, made it worse. You also have an instruction after the openvpn.conf code block that I think (now) contains a typo because of the changes you made to the addressing of your networks in the example. I am trying to follow your updated guide to see if it works, and I can connect but have neither VLAN nor WAN access. --- As a side note, I have a functional VPN based on the prior notes (subject to necessary changes detailed in my post on page 16), so it's not user error...

My home network is addressed as: 192.168.1.###
Like most people, my router is 192.168.1.1
My freenas box has an IP of 192.168.1.XYZ
My openVPN jail has an IP of 192.168.1.YYY

The hangup is clearly somewhere in these areas of the openvpn.conf and ipfw.rules files. In my situation -- which is the typical setup for almost all home users

1) what should the server & push lines of the .conf read?

Code:
server ___________ 255.255.255.0
push "route _________ 255.255.255.0"


2) what should the IPFW rules look like?

Code:
ipfw -q add nat 1 all from ______/24 to any out via ${EPAIR}



I look forward to seeing your answer. I think that this will prove to be the most difficult part for the newbs trying to follow your guide.

thanks for all your hard work.

I did this tutorial again on a fresh jail and it does work. Your lines should read

Code:
server 172.16.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

Code:
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}


Remember to restart your FreeNAS server. The reason why this step is necessary still eludes me, but after restarting the whole server it does work.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
This is a very useful article. I am having trouble when I execute sockstat -4 -l

I am missing the lines for -

nobody openvpn 63758 6 udp4 *:10010 *:*
root syslogd 63726 7 udp4 *:514 *:*

Any help would be appreciated.
It seems that OpenVPN is not starting. Check /etc/rc.conf to see if your openvpn.conf file's path is correct. Also try editing your openvpn.conf file, change your verbose setting from 3 to 5 and execute OpenVPN manually to see its output:
Code:
openvpn --config /mnt/keys/openvpn.conf
 
Last edited:

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
I did this tutorial again on a fresh jail and it does work. Your lines should read

Code:
server 172.16.8.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"

Code:
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}


Remember to restart your FreeNAS server. The reason why this step is necessary still eludes me, but after restarting the whole server it does work.

Thanks. So, this worked, just a couple things. In the first post you should change;
  1. the ipfw list command at the end to match the newly changed IPs because that caused me some confusion
  2. and then, as I mentioned above, in your comments after discussing openvpn.conf you should change "Change the 10.0.0.0 address to your yellow network." to match the fact that you changed the IP address
That should resolve the confusion about IP addresses.

I will say, that your use of unfamiliar IP addresses is somewhat confusing. I was able to follow it in the last guide because the IP addresses were consistent throughout. Because, in the updated guide, they aren't consistent, it resulted in a misconfiguration. Obviously, I know what I'm doing so I was able to identify the issue, but again, a lot of people on here are sort of muddling through and blindly following tutorials.

You've put in a lot of work on this, and it's super super helpful. Thanks for your quick reply and all your hard work.

PS -- extra special kudos for updating the cipher. That's something I'd done on my own and it's important, IMO.

PPS -- Is there any way, with the current version of OpenVPN available as a package [which, by the way, is not the most recent version] to use a newer version of TLS for auth? Currently it's using TLS 1.0 which is arguably insecure.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Thanks. So, this worked, just a couple things. In the first post you should change;
  1. the ipfw list command at the end to match the newly changed IPs because that caused me some confusion
  2. and then, as I mentioned above, in your comments after discussing openvpn.conf you should change "Change the 10.0.0.0 address to your yellow network." to match the fact that you changed the IP address
That should resolve the confusion about IP addresses.

I will say, that your use of unfamiliar IP addresses is somewhat confusing. I was able to follow it in the last guide because the IP addresses were consistent throughout. Because, in the updated guide, they aren't consistent, it resulted in a misconfiguration. Obviously, I know what I'm doing so I was able to identify the issue, but again, a lot of people on here are sort of muddling through and blindly following tutorials.

You've put in a lot of work on this, and it's super super helpful. Thanks for your quick reply and all your hard work.

PS -- extra special kudos for updating the cipher. That's something I'd done on my own and it's important, IMO.

PPS -- Is there any way, with the current version of OpenVPN available as a package [which, by the way, is not the most recent version] to use a newer version of TLS for auth? Currently it's using TLS 1.0 which is arguably insecure.
  1. All of the commands match the configuration files, but maybe you the changes in the middle of the update. As of this writing I can attest that they are correct.
  2. Already taken care of in a previous edit. Are you seeing the updated version?
The IP addresses I use are the most common blocks of private IPs, so that's why they're in the examples. Also this guide uses different IP addressings in each network because OpenVPN doesn't handle gracefully the same private IP network blocks. So if you have a 192.168.1.0/24 network remotely and a 192.168.0.1/24 network locally, even though they're separate networks, I've encountered problems with them.

About TLS 1.0, I agree it's not the latest version, but I'm not knowledgeable enough on FreeBSD packages to make it on my own. I'll keep an eye on it though.
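The two answers above (the server/push/NAT lines for a 192.168.1.0/24 home LAN, and the warning about the same private block appearing on both ends of the tunnel) can be turned into a small check. The following is an added example written for this thread, not code from the guide: it derives the openvpn.conf lines and the ipfw NAT rule from the tunnel block and the LAN block, and refuses overlapping blocks. Function names are mine; `${EPAIR}` is left as the shell variable the guide's ipfw.rules script uses.

```python
# Added example for this thread (not from the guide): derive the
# openvpn.conf "server"/"push route" lines and the ipfw NAT rule from
# the tunnel subnet and the home LAN, refusing overlapping blocks.
import ipaddress


def subnet_conflict(net_a, net_b):
    """True when two IPv4 blocks share any address (e.g. 192.168.1.0/24 on
    both sides of the tunnel), the situation the thread warns about.
    strict=False so a host address such as 192.168.0.1/24 is still accepted."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


def openvpn_server_lines(vpn_net, lan_net):
    """Return the 'server' and 'push route' lines for openvpn.conf.
    vpn_net is the tunnel pool (the guide's 172.16.8.0/24), lan_net the LAN
    behind the jail that clients should reach."""
    if subnet_conflict(vpn_net, lan_net):
        raise ValueError(f"tunnel {vpn_net} overlaps LAN {lan_net}; pick another tunnel block")
    vpn = ipaddress.ip_network(vpn_net, strict=True)
    lan = ipaddress.ip_network(lan_net, strict=True)
    return [
        f"server {vpn.network_address} {vpn.netmask}",
        f'push "route {lan.network_address} {lan.netmask}"',
    ]


def ipfw_nat_rule(vpn_net, epair="${EPAIR}"):
    """Return the ipfw rule that NATs tunnel traffic leaving the jail's epair
    interface. The rule matches the tunnel block, not the LAN block."""
    vpn = ipaddress.ip_network(vpn_net, strict=True)
    return f"ipfw -q add nat 1 all from {vpn.with_prefixlen} to any out via {epair}"


def client_route_ambiguous(pushed_lan, client_local_lan):
    """True when the LAN pushed to a client overlaps the LAN the client sits
    in (192.168.1.0/24 at both ends): the client then holds two routes for
    the same block and traffic for the home LAN may never enter the tunnel."""
    return subnet_conflict(pushed_lan, client_local_lan)


if __name__ == "__main__":
    # Constructed values matching the thread: tunnel 172.16.8.0/24, LAN 192.168.1.0/24
    for line in openvpn_server_lines("172.16.8.0/24", "192.168.1.0/24"):
        print(line)
    print(ipfw_nat_rule("172.16.8.0/24"))
    print("client LAN clash:", client_route_ambiguous("192.168.1.0/24", "192.168.1.0/24"))
```

Run it with the tunnel block and your own LAN block as arguments to `openvpn_server_lines`; the `client_route_ambiguous` check is the one to run against the LAN a roaming client connects from, since that clash is invisible on the server side.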
 

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
Okay, I resolved my openvpn server issue - typo. Now when I load the configuration of the client and I connect, it tries to connect and times out - see freeNAS.opvn (client file) below.

client
dev tun
proto udp
remote cdelatorre.dyndns.org 10011
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert carlos.delatorre.crt
key carlos.delatorre.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3

Again, any help resolving this issue would be much appreciated. I'm almost there! Thanks
 
Last edited by a moderator:

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
Okay, looking at the logs for my client, I am getting a "TLS Error: cannot locate HMAC in incoming packet ...." error.

I remembered, I had a hard time copying the ta.key with cp ta.key /mnt/keys
The result was file or directory not found.

Can you please tell me why I cannot copy the file? I instead used cp ta.* /mnt/keys and this worked. I believe my problem relies around the ta.key.

Thanks in advance.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Okay, looking at the logs for my client, I am getting a "TLS Error: cannot locate HMAC in incoming packet ...." error.

I remembered, I had a hard time copying the ta.key with cp ta.key /mnt/keys
The result was file or directory not found.

Can you please tell me why I cannot copy the file? I instead used cp ta.* /mnt/keys and this worked. I believe my problem relies around the ta.key.

Thanks in advance.
The last command of the section "Creating the User's Certificates" shows a list of your files, did you check that? are the files the same as the guide?

Try and generate your HMAC file again when in your /mnt/keys directory by running
Code:
openvpn --genkey --secret ta.key


You should copy that file to your clients too so they perform the handshake properly.
 

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
Okay, I've regenerated the ta.key.

When I tried connecting the openvpn client, it just tries to connect and doesn't progress further. Below is the contents of my client ovpn file.

client
dev tun
proto udp
remote cdelatorre.dyndns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert carlos.delatorre.crt
key carlos.delatorre.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3

After I cancel the connection, I checked the client logs and see the problem below -

Sat Aug 20 18:13:29 2016 MANAGEMENT: >STATE:1471731209,WAIT,,,
Sat Aug 20 18:14:29 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Aug 20 18:14:29 2016 TLS Error: TLS handshake failed

I was researching this error online and it states to check the logs on the server but I can't seem to locate it. Do you know where the openvpn logs are kept on the server? Also, if you have any advice, I'd appreciate it. Thanks
 
Last edited:

catnas

Explorer
Joined
Dec 12, 2015
Messages
57
Okay, I've regenerated the ta.key.

When I tried connecting the openvpn client, it just tries to connect and doesn't progress further. Below is the contents of my client ovpn file.

client
dev tun
proto udp
remote cdelatorre.dyndns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert carlos.delatorre.crt
key carlos.delatorre.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3

After I cancel the connection, I checked the client logs and see the problem below -

Sat Aug 20 18:13:29 2016 MANAGEMENT: >STATE:1471731209,WAIT,,,
Sat Aug 20 18:14:29 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Aug 20 18:14:29 2016 TLS Error: TLS handshake failed

I was researching this error online and it states to check the logs on the server but I can't seem to locate it. Do you know where the openvpn logs are kept on the server? Also, if you have any advice, I'd appreciate it. Thanks

Execute:
Code:
tail /var/log/messages


Edit:
Actually that may not help you if OpenVPN is properly starting already.
 
Last edited:

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
Okay, I've run tail /var/log/messages

I see there is an error below but openvpn on the server starts fine without any issues. Below is the result -

Aug 21 21:04:50 openvpn openvpn[6271]: /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Aug 21 21:04:50 openvpn openvpn[6271]: /sbin/route add -net 192.168.0.78 10.8.0.0 255.255.255.0
Aug 21 21:04:50 openvpn openvpn[6271]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Aug 21 21:04:50 openvpn openvpn[6271]: /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
Aug 21 21:04:50 openvpn openvpn[6271]: UDPv4 link local (bound): [undef]
Aug 21 21:04:50 openvpn openvpn[6271]: UDPv4 link remote: [undef]
Aug 21 21:04:50 openvpn openvpn[6271]: MULTI: multi_init called, r=256 v=256
Aug 21 21:04:50 openvpn openvpn[6271]: IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Aug 21 21:04:50 openvpn openvpn[6271]: IFCONFIG POOL LIST
Aug 21 21:04:50 openvpn openvpn[6271]: Initialization Sequence Completed

At this point, I do not know what else to check.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Sat Aug 20 18:14:29 2016 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
This means the OpenVPN client is not connecting properly to the server. Based on your logs it seems that the server is doing fine. You may want to check your Firewall settings and your router port forwarding settings.
 

Klyoku

Cadet
Joined
Jun 24, 2016
Messages
8
Thanks for the thorough and helpful guide! The latest update seems to clarify things a bit more as well.

I have the VPN setup and in working state. Now I would like to RDP into a workstation that's running from the remote machine. I can ping the machine but RDP times out. Any pointers?

Sent from my XT1563 using Tapatalk
 

OffHoursIT

Cadet
Joined
Aug 18, 2016
Messages
9
I have UDP port 443 forwarded to the openvpn jail IP address. Is that incorrect? - see openvpn.conf below. Should I forward the port to my freeNAS server instead?

port 443
proto udp
dev tun
ca /mnt/openvpn_storage/ca.crt
cert /mnt/openvpn_storage/openvpn-server.crt #Server public key
key /mnt/openvpn_storage/openvpn-server.key #Server private key
dh /mnt/openvpn_storage/dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0" #Yellow network
route 192.168.0.78 255.255.255.0 10.8.0.0
tls-auth /mnt/openvpn_storage/ta.key 0
#crl-verify /mnt/openvpn_storage/crl.pem
keepalive 10 120
#cipher AES-256-CBC
#group nobody
#user nobody
comp-lzo
persist-key
persist-tun
verb 3
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
I have UDP port 443 forwarded to the openvpn jail IP address. Is that incorrect? - see openvpn.conf below. Should I forward the port to my freeNAS server instead?

port 443
proto udp
dev tun
ca /mnt/openvpn_storage/ca.crt
cert /mnt/openvpn_storage/openvpn-server.crt #Server public key
key /mnt/openvpn_storage/openvpn-server.key #Server private key
dh /mnt/openvpn_storage/dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0" #Yellow network
route 192.168.0.78 255.255.255.0 10.8.0.0
tls-auth /mnt/openvpn_storage/ta.key 0
#crl-verify /mnt/openvpn_storage/crl.pem
keepalive 10 120
#cipher AES-256-CBC
#group nobody
#user nobody
comp-lzo
persist-key
persist-tun
verb 3
Your router's port 443 should be redirected to your jail's IP. Try poking the port from the outside internet using netcat to see if it connects, if it doesn't then something's wrong with your redirection. For that I use openbsd-netcat:
Code:
nc -vz -u 192.168.0.X 443

Replace X with your jail's IP address.

Also, have you rebooted your whole FreeNAS server?
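Besides the port forward, the server config quoted above carries a `route 192.168.0.78 255.255.255.0 10.8.0.0` line, and the server log posted earlier shows exactly that command (`/sbin/route add -net 192.168.0.78 10.8.0.0 255.255.255.0`) failing: 192.168.0.78 is a host address rather than a network, and 10.8.0.0 is not on the 172.16.8.0/24 tunnel, so the kernel has no way to reach that gateway. The following is an added check written for this thread, not part of the guide, that parses the `server`, `push "route ..."` and `route` directives of a server openvpn.conf and reports such inconsistencies before OpenVPN is started. The sample config is copied from the post above (trimmed to the routing lines); function names are mine.

```python
# Added example, not from the guide: sanity-check the routing directives of
# an OpenVPN *server* config before starting it. SAMPLE_CONF is constructed
# from the config posted in this thread, trimmed to the lines that matter.
import ipaddress
import shlex

SAMPLE_CONF = """\
port 443
proto udp
dev tun
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0" #Yellow network
route 192.168.0.78 255.255.255.0 10.8.0.0
keepalive 10 120
"""


def parse_directives(text):
    """Split a config into [directive, arg, ...] lists. Whole-line '#'/';'
    comments and trailing '#' comments are dropped; quoted arguments such as
    "route 10.0.0.0 255.255.255.0" stay as one token, as OpenVPN reads them."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)
        if tokens:
            directives.append(tokens)
    return directives


def net_or_none(addr, mask):
    """The network for addr/mask, or None if addr has host bits set."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True)
    except ValueError:
        return None


def check_routes(text):
    """Return a list of problems found in server/push/route directives;
    an empty list means they look consistent."""
    problems = []
    directives = parse_directives(text)
    tun_net = None
    for d in directives:
        if d[0] == "server" and len(d) >= 3:
            tun_net = net_or_none(d[1], d[2])
            if tun_net is None:
                problems.append(f"server {d[1]} {d[2]}: not a network address (host bits set)")
    if tun_net is None:
        problems.append("no valid 'server <net> <mask>' line; cannot check gateways")
    for d in directives:
        if d[0] == "route" and len(d) >= 3:
            if net_or_none(d[1], d[2]) is None:
                problems.append(f"route {d[1]} {d[2]}: {d[1]} is a host address, not a network")
            if len(d) >= 4 and tun_net is not None:
                try:
                    gw = ipaddress.ip_address(d[3])
                except ValueError:
                    problems.append(f"route ... {d[3]}: gateway is not an IPv4 address")
                    continue
                if gw not in tun_net:
                    problems.append(f"route {d[1]} {d[2]} {gw}: gateway is outside the tunnel subnet {tun_net}")
        elif d[0] == "push" and len(d) >= 2 and d[1].split()[:1] == ["route"]:
            parts = d[1].split()
            if len(parts) < 3:
                continue
            pushed = net_or_none(parts[1], parts[2])
            if pushed is None:
                problems.append(f'push "{d[1]}": not a network address (host bits set)')
            elif tun_net is not None and tun_net.overlaps(pushed):
                problems.append(f'push "{d[1]}": pushed LAN overlaps the tunnel subnet {tun_net}')
    return problems


if __name__ == "__main__":
    for problem in check_routes(SAMPLE_CONF):
        print("PROBLEM:", problem)
```

For the sample it reports the host-bits problem and the unreachable gateway; a server config that only needs clients to reach the LAN behind the jail does not need a `route` line at all, just the `push "route <lan> <mask>"` from the guide.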
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Thanks for the thorough and helpful guide! The latest update seems to clarify things a bit more as well.

I have the VPN setup and in working state. Now I would like to RDP into a workstation that's running from the remote machine. I can ping the machine but RDP times out. Any pointers?

Sent from my XT1563 using Tapatalk
If you can ping the machine you should be able to RDP to it, since the RDP server knows how to communicate back. I have a server running Windows Server 2012 R2 and I'm able to RDP fine with this configuration.

Try changing your protocol from UDP to TCP, but I doubt that will work. You'll have to change your server and client's configuration.
 