SOLVED OpenVPN Client – Only Web GUI is accessible but no ssh or ping

ragametal

Contributor
Joined
May 4, 2021
Messages
188
I want to move my second TrueNAS server to a remote location and use the OpenVPN client to have it connect to my LAN. That way it can be discoverable by the devices in my LAN and I can use it as the remote target for the replication tasks of my main TrueNAS server.

I followed the instructions on https://www.truenas.com/community/resources/truenas-and-openvpn-client-configuration.158/ and, for the most part, I think I set it up correctly.

Yesterday I was doing some tests and I connected that system to an external network. It seems that it can find and connect to the OpenVPN server in my LAN, because I was able to access its web GUI from a PC in my LAN.

However, my main TrueNAS server in my LAN could not connect to the second TrueNAS server that was using the OpenVPN client. I couldn't connect to it via SSH either, nor could I ping it. Do any of you know what I may be missing? Or how can this be diagnosed better so that I can find a solution?

My other OpenVPN clients can connect to my OpenVPN server without a problem, which is what makes me believe it is something to do with the settings inside TrueNAS.
My LAN network is 10.0.0.0/24
My LAN2 network is 10.0.20.0/24 (currently unused)
My OpenVPN Tunnel network is 10.40.0.0/24

The OpenVPN server is installed on a PFSense router and is set to establish the routes of the OpenVPN server via the following custom options:
push "route 10.0.0.0 255.255.255.0"; push "route 10.0.20.0 255.255.255.0";
The following is the client’s ovpn file (created by the OpenVPN server):
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
data-ciphers-fallback AES-256-CBC
auth SHA256
tls-client
client
resolv-retry infinite
remote ABCDEF.duckdns.org 1194 tcp4
setenv opt block-outside-dns
nobind
verify-x509-name "router.ABCDEF.home.arpa" name
auth-user-pass
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
MIIEMzCCAxugAwIBAgIBADANBgkqhkiG9w0BAQsFADBvMR4wHAYDVQQDExVSb3Nz
...
...
8UF9YbZV4c2Q9wySC/gDC3HmT3lj+08=
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIEhzCCA2+gAwIBAgIBJDANBgkqhkiG9w0BAQsFADBvMR4wHAYDVQQDExVSb3Nz
...
...
aCeihczmgMYatxVGaobP8Y/kkU/NR0oMrc4T3TU9kfgaKbrilc1yrdn7apJ27hhr
UgboHhJouQn3nwA=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDIXiBbfPVjZTHb
...
...
d01rnP1LpudHBHJigIc0XegW0/PGmgoLqAF6c9ufMX+nXjP6J1OIUBm5q7UfXlaz
MXFBQxKX5hvm77oF5B48Ig==
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
4420ba72cb84fe1e1cdb97f3d55752ba
...
...
db5c8a58aeadcba997f57a56ac3c307d
-----END OpenVPN Static key V1-----
</tls-auth>

And this is the content of the TrueNAS OpenVPN Client conf file located at /usr/local/etc/openvpn/client/ after I manually added all the settings via the GUI:
client
dev tun
#dev-type tun -FIXME: This does not work, it is an openvpn issue in FreeBSD
proto tcp4
port 1194
remote ABCDEF.duckdns.org
user nobody
group nobody
persist-key
persist-tun
ca /etc/certificates/CA/ABCDEF-Network-CA.crt
cert /etc/certificates/Hercules-OpenVPN-user.crt
key /etc/certificates/Hercules-OpenVPN-user.key
verb 3
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
nobind
auth-user-pass /root/pass.txt
tls-client
resolv-retry infinite
verify-x509-name "router.ABCDEF.home.arpa" name
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
4420ba72cb84fe1e1cdb97f3d55752ba
...
...
...
db5c8a58aeadcba997f57a56ac3c307d
-----END OpenVPN Static key V1-----
</tls-auth>
Lastly, these are my TrueNAS Client settings set via the GUI:
[screenshot: openvpn screen.jpg]


Any suggestions are welcome.
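One way to answer the "how can this be diagnosed better" question above is to check that the hand-transcribed TrueNAS client conf actually says the same thing as the .ovpn file the pfSense server generated. The following is an added example, not code from the original post or from TrueNAS: it parses both configs, normalises the server file's combined `remote host port proto` line into the separate `remote`/`port`/`proto` directives the TrueNAS conf uses, treats inline `<tls-auth>` blocks as present-or-absent, and reports any directive in a chosen list that differs. The two config strings are constructed, redacted excerpts of the ones in the post; the directive list `CHECK` is my choice of what would break transport or the TLS handshake, and it deliberately leaves out cipher directives, since `data-ciphers` on the server side and `cipher` on the client side are negotiated rather than required to match textually.

```python
import re

# Constructed, redacted excerpts modelled on the two configs in the thread.
# The server-generated .ovpn folds host, port and protocol into one "remote"
# line and embeds the key material inline; the TrueNAS client conf splits
# them into separate directives and references files under /etc/certificates.
OVPN_FROM_SERVER = """\
dev tun
persist-tun
persist-key
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
auth SHA256
tls-client
client
remote ABCDEF.duckdns.org 1194 tcp4
nobind
verify-x509-name "router.ABCDEF.home.arpa" name
auth-user-pass
remote-cert-tls server
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
redacted
-----END OpenVPN Static key V1-----
</tls-auth>
"""

TRUENAS_CLIENT_CONF = """\
client
dev tun
proto tcp4
port 1194
remote ABCDEF.duckdns.org
persist-key
persist-tun
ca /etc/certificates/CA/ABCDEF-Network-CA.crt
remote-cert-tls server
auth SHA256
cipher AES-256-GCM
nobind
auth-user-pass /root/pass.txt
tls-client
verify-x509-name "router.ABCDEF.home.arpa" name
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
redacted
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Directives whose mismatch would break the transport or the TLS handshake
# (my selection for this example, not an OpenVPN-defined list).
CHECK = ["dev", "proto", "port", "remote", "auth", "remote-cert-tls",
         "verify-x509-name", "key-direction", "tls-auth"]


def parse_openvpn(text: str) -> dict:
    """Parse an OpenVPN config into {directive: [args...]}.

    Inline blocks such as <ca>...</ca> are recorded as ["<inline>"] without
    keeping their contents; a combined 'remote host port proto' line is
    normalised into separate remote/port/proto entries.
    """
    conf, inline = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if inline:                            # skip the body of an inline block
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            conf[inline] = ["<inline>"]
            continue
        key, *args = line.split()
        args = [a.strip('"') for a in args]
        if key == "remote":
            conf["remote"] = args[:1]
            if len(args) > 1:
                conf["port"] = args[1:2]
            if len(args) > 2:
                conf["proto"] = args[2:3]
        else:
            conf[key] = args
    return conf


def compare(a: str, b: str, keys=CHECK) -> dict:
    """Return {directive: (value_in_a, value_in_b)} for directives that differ."""
    pa, pb = parse_openvpn(a), parse_openvpn(b)
    return {k: (pa.get(k), pb.get(k)) for k in keys if pa.get(k) != pb.get(k)}


if __name__ == "__main__":
    diffs = compare(OVPN_FROM_SERVER, TRUENAS_CLIENT_CONF)
    print("mismatches:", diffs or "none")
```

For the two configs in the post the comparison comes back empty, which is consistent with the web GUI being reachable over the tunnel: the transport and TLS settings were transcribed correctly, so the fault is more likely in routing than in the TrueNAS client. A change such as `proto udp4` on one side would be reported as `{'proto': (['tcp4'], ['udp4'])}`. Two practitioner notes on the TrueNAS side of the config: `auth-user-pass /root/pass.txt` stores the VPN credentials in plaintext, so that file and the `.key` under /etc/certificates should be readable by root only, and the `user nobody`/`group nobody` lines only take effect after the key material has been read, which is why `persist-key` is there.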

ragametal

It turns out that it was a combination of two problems, and neither of them was related to TrueNAS.

The first problem was related to DHCP.
I have a setting in the OpenVPN server (PFsense) to assign a specific IP to the OpenVPN client in this TrueNAS installation (10.40.0.30).

I have also set up the TrueNAS network interface as DHCP so it can request/obtain a LAN IP from the gateway at the remote location when it gets connected to it.

The problem was that I had set a DHCP reservation in my PFsense router for this TrueNAS box (10.0.0.30).

When the TrueNAS OpenVPN client connected to the OpenVPN server from the remote LAN, the OpenVPN server would assign the IP 10.40.0.30 to it. Then my router would recognize the MAC address of this TrueNAS machine and try to assign 10.0.0.30 to it per the DHCP reservation setting.

This would produce a scenario in which the same host was assigned two different IPs.

Solution: Eliminate the DHCP reservation in my router.

The second problem was related to the local LAN's IP range vs. the remote LAN's IP range.
I set the OpenVPN server (PFsense) to push all the traffic from the OpenVPN tunnel (10.40.0.0/24) to my local LAN (10.0.0.0/24). The router at my local LAN uses the IP 10.0.0.1 and is the one responsible for routing this traffic.

However, the router at the remote LAN was also 10.0.0.1.
I’m guessing (because I’m not an IT professional) that this resulted in a scenario where the traffic from the TrueNAS machine could go to either the local or the remote LAN depending on which gateway responded to the traffic request at any given moment (because both gateways are visible to this TrueNAS client).

Solution: use a remote LAN that has an IP range that is different than my local LAN.

After I eliminated the DHCP reservation and connected this TrueNAS machine to the hotspot of my cell phone (just for testing purposes), I was able to establish an OpenVPN connection to my local LAN and successfully perform a replication task from my main TrueNAS server in the LAN to this backup server in a remote LAN.
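The second problem above is the classic overlapping-subnet case: the server pushes `route 10.0.0.0 255.255.255.0` into the tunnel, but the client's own LAN at the remote site is also 10.0.0.0/24, so the pushed route can never win on prefix length against the directly connected one. The following is an added example, not code from the original post: a small Python model of the client's routing table that flags pushed routes overlapping the local LAN and performs a longest-prefix-match lookup that returns every route tying for the best match. The route and subnet values are taken from the thread; the interface names `em0` and `tun0` and the alternative remote LAN 192.168.8.0/24 are assumptions for illustration.

```python
import ipaddress
from typing import Iterable

# Values from the thread: the server pushes two routes into the tunnel, and
# the tunnel itself is 10.40.0.0/24.
PUSHED_ROUTES = ["10.0.0.0/24", "10.0.20.0/24"]   # push "route ..." on the server
TUNNEL_NET = "10.40.0.0/24"


def route_table(local_lan: str, pushed: Iterable[str]):
    """Build a simplified client routing table as (network, interface) pairs.

    Interface names are assumed for illustration: em0 is the NIC that got a
    DHCP lease at the remote site, tun0 is the OpenVPN tunnel.
    """
    table = [(ipaddress.ip_network(local_lan), "em0 (local LAN, DHCP)"),
             (ipaddress.ip_network(TUNNEL_NET), "tun0 (tunnel)")]
    table += [(ipaddress.ip_network(r), "tun0 (pushed route)") for r in pushed]
    return table


def lookup(table, dst: str):
    """Longest-prefix match for dst.

    Returns the interfaces of every route that ties for the longest prefix,
    so a result with more than one entry means the destination is ambiguous:
    the pushed route cannot beat the connected route on prefix length, and
    which one the kernel actually uses is OS-dependent rather than by design.
    """
    addr = ipaddress.ip_address(dst)
    matches = [(n, i) for n, i in table if addr in n]
    if not matches:
        return []
    best = max(n.prefixlen for n, _ in matches)
    return [i for n, i in matches if n.prefixlen == best]


def overlapping_routes(local_lan: str, pushed: Iterable[str]):
    """Return the pushed routes that overlap the client's own LAN prefix."""
    lan = ipaddress.ip_network(local_lan)
    return [r for r in pushed if ipaddress.ip_network(r).overlaps(lan)]


if __name__ == "__main__":
    # Constructed scenarios: the failing one from the thread, then a remote
    # site whose LAN does not collide with anything the server pushes.
    for lan in ("10.0.0.0/24", "192.168.8.0/24"):
        print(f"remote-site LAN {lan}: overlapping pushed routes = "
              f"{overlapping_routes(lan, PUSHED_ROUTES)}")
        print("  10.0.0.5 reachable via",
              lookup(route_table(lan, PUSHED_ROUTES), "10.0.0.5"))
```

With the remote LAN at 10.0.0.0/24 the lookup for a home-LAN address returns both `em0` and `tun0`, which matches the symptom: the tunnel itself comes up, but traffic for 10.0.0.x hosts (including the replication source and the SSH client) may never enter it. With a non-overlapping remote LAN the same lookup returns only the pushed tunnel route. On the real box the equivalent check is `netstat -rn` on TrueNAS (FreeBSD) after the client connects, looking for the home-LAN prefix appearing on an interface other than the tunnel; picking uncommon RFC 1918 ranges for a site that will host roaming VPN clients, or running the 10.0.20.0/24 LAN2 from the thread at the remote site, avoids the collision in the first place.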