How to Setup Native OpenVPN server?

eewiz

Explorer
Joined
Oct 14, 2021
Messages
50
Hello All

Core 13.0-U5, 32GB Memory, Xeon E3-1200 4-core, 128K SSD boot, 12 8TB spinners in pool.

I currently have OpenVPN server running successfully on a Windows 10 box, but I prefer to have the server reside on a TrueNAS box.
The windows box gets rebooted too often to be a good OpenVPN server.

I have used easy-rsa to create a PKI, CA, certs and keys on the TrueNAS box.
root@plum[/usr/local/lib/openvpn/keys]# ls -l
-rw------- 1 root wheel 1233 Jul 30 06:41 ca.crt
-rw------- 1 root wheel 424 Jul 30 06:41 dh.pem
-rw------- 1 root wheel 4678 Jul 30 06:41 openvpn-server.crt
-rw------- 1 root wheel 1708 Jul 30 06:41 openvpn-server.key
-rw------- 1 root wheel 636 Jul 30 06:42 ta.key

I followed this forum post to get this far on TrueNAS:
https://www.truenas.com/community/t...envpn-inside-a-jail-in-freenas-11-1-u1.61681/
Although, I am not doing this in a jail.
I did all the easy-rsa work in the main TrueNAS shell because TrueNAS 13.0 has a builtin OpenVPN server.
Now I need to configure that builtin OpenVPN server to use the certs and keys that I have already generated.

The OpenVPN server setup GUI shows:
OpenVPN Server Setup.jpg


I have a server certificate "openvpn-server.crt" in "/usr/local/lib/openvpn/keys" and a "CA" also in "/usr/local/lib/openvpn/keys".
I cannot enter a path in either the "Server Certificate" nor the "Root CA" boxes to point to the existing location in "/usr/local/lib/openvpn/keys".

Where do I need to copy the "openvpn-server.crt" and ca.crt files to, so that they will show up and be selectable within the GUI shown above?
Also, what should I do in the "TLS Crypt Auth" box?

It appears that that entry will take a path, but I have no idea if entering "/usr/local/lib/openvpn/keys/ta.key" is the correct thing to do.

Also what "Authentication Algorithm" should I select corresponding to the certs/keys that I have generated?

Here is the contents of my "openvpn.conf" file:
server 10.8.0.0 255.255.255.0
port 1194
proto udp4
dev tun
topology subnet
ca /usr/local/lib/openvpn/keys/ca.crt
cert /usr/local/lib/openvpn/keys/openvpn-server.crt
key /usr/local/lib/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/lib/openvpn/keys/dh.pem
tls-auth /usr/local/lib/openvpn/keys/ta.key 0 # This file is secret
push "route 192.168.2.0 255.255.255.0" # Route to Server Network pushed to Client
# Created route in Server Gateway (10.8.0.0 255.255.255.0 192.168.2.12)
# Anything destined for the VPN Tunnel goes to the VPN Server Box
route 192.168.3.0 255.255.255.0 # Route to Client Network used by Server
# Created route in Server Gateway (192.168.3.0 255.255.255.0 192.168.2.12)
# Anything destined for the Client LAN goes to the VPN Server Box
client-config-dir /usr/local/lib/openvpn/ccd # Client specific push parameter files are stored here
push "route 192.168.3.0 255.255.255.0" # Client Network (also "iroute 192.168.3.0 255.255.255.0" is defined for client in CCD directory)
ifconfig-pool-persist /usr/local/lib/openvpn/ipp.txt
keepalive 10 120
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM # Prefer ChaCha, it's more secure.
max-clients 3
persist-key
persist-tun
status openvpn-status.log
verb 4
mute 20
explicit-exit-notify 1
END openvpn.conf

Thank You
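An added example, not code from the post or from TrueNAS: a small Python checker that parses a server-side openvpn.conf like the one above and flags what a reviewer looks at first, namely a missing tls-auth/tls-crypt line, pushed or server-side routes that overlap the VPN subnet, a client-LAN route with no client-config-dir for its iroute, and non-AEAD entries in data-ciphers. The cut-down sample config is constructed from the post.

```python
import ipaddress, shlex

# Constructed sample: a cut-down copy of the openvpn.conf posted above
SAMPLE_CONF = """
server 10.8.0.0 255.255.255.0
tls-auth /usr/local/lib/openvpn/keys/ta.key 0  # This file is secret
push "route 192.168.2.0 255.255.255.0"  # server LAN pushed to the client
route 192.168.3.0 255.255.255.0         # client LAN, needs an iroute in CCD
client-config-dir /usr/local/lib/openvpn/ccd
push "route 192.168.3.0 255.255.255.0"
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM
"""

def parse_conf(text):
    """Yield (directive, args); '#' comments and blank lines are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0], parts[1:]

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def check_conf(text):
    """Return a list of findings for a server config; [] means every check passed."""
    conf = list(parse_conf(text))
    names = {d for d, _ in conf}
    findings = []
    if not names & {"tls-auth", "tls-crypt", "tls-crypt-v2"}:
        findings.append("no tls-auth/tls-crypt: control channel has no extra HMAC layer")
    server = next((a for d, a in conf if d == "server"), None)
    if server is None:
        return findings + ["no 'server' directive"]
    tun = net(server[0], server[1])
    # networks pushed to clients, plus server-side routes toward client LANs
    pushed = [net(*a[0].split()[1:3]) for d, a in conf
              if d == "push" and a[0].startswith("route ")]
    routed = [net(a[0], a[1]) for d, a in conf if d == "route"]
    for n in pushed + routed:
        if n.overlaps(tun):
            findings.append(f"{n} overlaps the VPN subnet {tun}")
    # a server-side 'route' to a client LAN only works with an iroute in a CCD file
    if routed and "client-config-dir" not in names:
        findings.append("'route' to a client LAN but no client-config-dir for its iroute")
    for d, a in conf:
        if d == "data-ciphers":
            findings += [f"non-AEAD data cipher {c}" for c in a[0].split(":")
                         if not c.endswith(("-GCM", "-POLY1305"))]
    return findings
```

Run `check_conf(open("openvpn.conf").read())` against a real server config; the posted config produces no findings.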
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
You probably need to create the CA and all certs in the UI, then pick the objects you created in the OpenVPN setup screen. TN comes with its own integrated CA and cert management.

If you insist on using your scripts, I expect you need to at least upload the CA cert and your generated certs and keys. All of that can be found in System > CAs and System > Certificates.
 

eewiz

Explorer
Joined
Oct 14, 2021
Messages
50
Hello Patrick
I tried your second suggestion first since I already had all of the items created using easy-rsa.
TN-CA-Import-Failure.jpg


It does not like my easyrsa created files.
TN-Cert-Import-Failure.jpg


So then I tried your first suggestion.
TN-CA.jpg


Selecting the openvpn profile appeared to select and fill in all of the items that I have no knowledge of how to set correctly.
TN-Cert.jpg


Again selecting the openvpn profile comes to the rescue.
TN-OVPN-Setup.jpg

I don't understand why there is such latitude available when selecting the server netmask.
Wouldn't it always be /32?
How could a server have a range of addresses?
You have to set a port forward to only one address and port in the gateway router.
This makes no sense to me.

So after all of this guesswork, I get this result when I push the "DOWNLOAD CLIENT CONFIG" button:
TN-DLD-Client-Config-Failure.jpg


I have no idea how to fix that error.
All it says is "certificate." Would that be the CA or the Cert?
I went back to edit both and all options are no longer available.


This was so easy on windows using easy-rsa following this tutorial.
https://adamtheautomator.com/openvpn-on-window/
Create the files. Copy them to OpenVPN's config-auto directory and reboot the windows box.
All I had to enter was a common name for the server and a common name for the client.

Without a fully detailed tutorial that explains what is needed and what is not, obtained from a fully working example, I don't feel that I would ever be successful doing this in the TN GUI.
I have searched for such a tutorial, but all I find are ones like the one I linked earlier that are based on either FreeBSD, or on FreeNAS in a jail, which almost invariably detail how to use easy-rsa.
There are simply too many options to select in the TN GUI to get it correct on a trial-and-error basis.

I thought that since TN has a builtin OpenVPN server that setup would be simple.
I was mistaken. It is so difficult that I can't accomplish it.

Thank You
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
All it says is "certificate." Would that be the CA or the Cert?
No, that isn't all it says; it says "client certificate."
I thought that since TN has a builtin OpenVPN server that setup would be simple.
Sadly not; this is an area where iX have completely dropped the ball--both in implementation and in documentation.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
Sadly not; this is an area where iX have completely dropped the ball--both in implementation and in documentation.
That's ugly.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
That's ugly.
I'm not sure if you're referring to my comment or to iX' implementation of OpenVPN in TrueNAS, but if the latter I'd agree completely. I know this isn't what happened, but I don't know that it could have been worse if they'd deliberately set out to make the worst possible UI for an OpenVPN server.
 

eewiz

Explorer
Joined
Oct 14, 2021
Messages
50
Hello All
I have discovered that the TN certs are stored in /etc/certificates.
Although, this info is useless.
If you copy a cert to /etc/certificates it does not show up in the GUI.
Upon reboot the cert that was copied to /etc/certificates is removed.

All for now
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Upon reboot the cert that was copied to /etc/certificates is removed.
Pretty much everything in /etc/ is rebuilt on boot, so this isn't a surprise.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
You can run an init script that pastes the cert at every boot. Not sure how useful that could be.
 

mw1elf

Cadet
Joined
Jan 1, 2024
Messages
2
There were some excellent tutorials for doing this on core12. I have tried on core13 and failed miserably. I guess waiting for decent guides is what is required for me.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
I guess waiting for decent guides is what is required for me.
If you don't ask it's not likely any will come out.
 

mw1elf

Cadet
Joined
Jan 1, 2024
Messages
2
It's the old adage, isn't it. Don't ask and you will get nowt. So here goes. Can anybody point me in the direction of a non-jargon guide to setting up OpenVPN on Core 13? Managed DDNS but totally failed on the TrueNAS procedure. Thanks in advance.
 

fcorbelli

Explorer
Joined
Dec 29, 2022
Messages
68
Deleted
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
add those variables and values, type rc.conf
beware of interface name (bge0 in this example)

firewall_enable yes
firewall_type open
gateway_enable yes
natd_enable yes
natd_flags -dynamic -m
natd_interface bge0
If you do this you will probably break jail and/or VM networking. So my strong and founded advice is: don't. Instead on your Internet router add a static route to your OpenVPN network with the TrueNAS IP address as the gateway. If your Internet router cannot do that, get one that can.
 

fcorbelli

Explorer
Joined
Dec 29, 2022
Messages
68
If you do this you will probably break jail and/or VM networking. So my strong and founded advice is: don't. Instead on your Internet router add a static route to your OpenVPN network with the TrueNAS IP address as the gateway. If your Internet router cannot do that, get one that can.
EDIT: does not seem possible to show how to solve the problem, even if it is a trivial level of networking knowledge, better to wait for a wizard or something like that implemented by TrueNAS
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If you do not enable from rc you cannot do this
Then you can connect, from Windows client, to ALL TrueNAS subnet (for example, 192.168.1.2, 192.168.1.254)
You can if you understand how IP and routing work and if you set a static route in your Internet router. This is how this should be achieved, not messing with NAT on TrueNAS in unsupported ways.
 

fcorbelli

Explorer
Joined
Dec 29, 2022
Messages
68
You can if you understand how IP and routing work and if you set a static route in your Internet router. This is how this should be achieved, not messing with NAT on TrueNAS in unsupported ways.
OK
I delete the post, this forum is really one of the most peculiar ones I have ever posted on

I am sure you will write a very useful guide
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Your instructions are actively harmful.
 

fcorbelli

Explorer
Joined
Dec 29, 2022
Messages
68
Interesting opinion
Really
I am sure you'll show to everyone the "right" way, always in your opinion, of course
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
He already has. The right way to do it is to forget that this "feature" exists in TrueNAS, and run the VPN server on your router instead. But you're having trouble getting past your butthurt to see it.
 