SOLVED OpenVPN Cannot Access FreeNAS Jails

[ethanmcdonald]

I've setup FreeNAS with a number of Plugins/Jails and installed OpenVPN as a service.
The FreeNAS main LAN IP is 192.168.1.65/24 on Interface "bge0" and a default gateway of 192.168.1.254.
The OpenVPN service also uses the 192.168.1.65 IP to listen on port 1194, this is not in jail.
There are Four Jails bridged on to the "bge0" Interface with LAN IPs of 192.168.1.50, 51, 52 & 53.
Just for the sake of completion the separate jailed FreeNAS services are BTSync, Transmission, SickRage and Plex.

Remote Desktop to a PC, while OpenVPN'd to from the WAN to my LAN, works.
Then I can connect to the different Jailed WebUI, because I'm then on that system.
The same is true of coarse if I use my PC or my Smart Phone directly connected via Ethernet or WiFi to the my LAN.

The issue is when connecting to my LAN network remotely via an OpenVPN session I can access all of my separate systems.
This includes my gateway 192.168.1.254 and the FreeNAS WebUI at 192.168.1.65 .
However I cannot access the Jailed Plugins at the IPs of 192.168.1.50, 51, 52 & 53.
I suspect this because of a hairpin routing issue from sending and receiving the (tun0) tunneled data via the same "bge0" Interface.

To recap the problem I'm encountering.
While connected to my OpenVPN session on the FreeNAS server I cannot access any of the hosted FreeNAS plugins/Jails.
I can however access my LAN of 192.168.1.x/24.

I'm open to any suggestions and/or changes that might let me have my cake and eat to over OpenVPN. :)

Below are some of the configs for my FreeNAS server.

Code:

ifconfig
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80099<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether 00:22:19:24:7d:c1
        inet 192.168.1.65 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xc
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        nd6 options=1<PERFORMNUD>
        Opened by PID 2664
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:fb:13:48:01:00
        nd6 options=1<PERFORMNUD>
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: epair3a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 18 priority 128 path cost 2000
        member: epair2a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 17 priority 128 path cost 2000
        member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 16 priority 128 path cost 2000
        member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 15 priority 128 path cost 2000
        member: bge0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 20000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:88:ea:00:0f:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ea:64:00:10:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
epair2a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:00:da:00:11:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
epair3a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:79:5f:00:12:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active

Code:

ipfw show
00100      24291       1778973 nat 1 ip from 10.8.0.0/24 to any out via bge0
00200   98422092   17282282298 nat 1 ip from any to any in via bge0
65535 1139024414 1590259250407 allow ip from any to any

Code:

# Sample OpenVPN 2.0 config file for
# multi-client server.
# replace x.x.x.x with freenas ip
local 192.168.1.65
port 1194
proto udp

# mssfix 1400

dev tun
ca /mnt/NAS/openvpn/keys/ca.crt
cert /mnt/NAS/openvpn/keys/server.crt
key /mnt/NAS/openvpn/keys/server.key
dh /mnt/NAS/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

#change x.x.x.x to match your network ip range
#ie 192.168.1.0 or 10.0.0.0
push "route 192.168.1.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"


push "dhcp-option DOMAIN attlocal.net"
push "dhcp-option DNS 192.168.1.254"

#replace x.x.x.x with freenas ip
route 192.168.1.65 255.255.255.0 10.8.0.1

keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Code:

rc.conf ...

# OpenVPN settings
gateway_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/NAS/openvpn/openvpn.conf"
openvpn_dir="/mnt/NAS/openvpn"

 

[ethanmcdonald]

I was thinking of adding a second Network Interface card that I would some how dedicate to the OpenVPN service.
That it might resolve what I believe to be a hairpin routing issue.
Though after reading the following topic about Multiple Nics pointing to the same subnet that idea seems to be outside the Unix FreeBSD/NAS network functional design.

https://forums.freenas.org/index.php?threads/multiple-network-interfaces-on-a-single-subnet.20204/

 

[adrianwi]

Why did you install OpenVPN in your FreeNAS root installation?

I have it set-up in it's own jail and have no problems accessing any of the other jails.

 

[ethanmcdonald]

Why did you install OpenVPN in your FreeNAS root installation?

I have it set-up in it's own jail and have no problems accessing any of the other jails.

I would have to chalk it up to following the wrong guide.

 

[adrianwi]

I'd try this one then > https://forums.freenas.org/index.ph...emote-hosts-via-nat.22873/page-11#post-196465

Not sure if you'll have screwed something up in FreeNAS by installing it outside a jail. Might be worth backing up your config and reinstalling FreeNAS on your boot device, or you could just leave things are they are and cross your fingers :D

I've installed OpenVPN a few times using this guide without any real problems, although if you think it's set-up correctly but it's not working try a reboot.

 

[ethanmcdonald]

Well hell that worked!
No need to re-do FreeNAS I've backed out the OpenVPN Local Service.

Code:

mount -uw /

Edit /etc/rc.conf
Edit /conf/base/etc/rc.conf

mount -ur /

I have to say I learned a lot working through Joe's guide but, the fresh install with a 2048 DH keys is nice.
http://joepaetzel.com/2013/09/22/openvpn-on-freenas-9-1/

Thank you Adrian for the pointer.

 

[ethanmcdonald]

Any suggestions for split tunneling.
Since moving the OpenVPN to the jail all traffic appears to be tunneling over the VPN connection.