OpenVPN client - upload .ovpn config file?

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I'm looking into a scenario where I'd have a remote TrueNAS box connecting to my pfSense box via OpenVPN, so I could replicate to it from my main system. ZeroTier would have been perfect for this, but no, iX had to take that away (and never implemented it well to begin with). But no problem, TrueNAS now has an OpenVPN client, right?

Well... What I've done in the past is create the user (i.e., client) certificate in the pfSense web UI, then download the .ovpn file that contains all the relevant certs, keys, and other configuration settings. I can then import that into whatever client software I'm using, and configure the connection that way.

But I don't see a way to import such a file into TrueNAS. Instead, I see this:
[screenshot of the TrueNAS OpenVPN Client settings form]

Lots of manual settings, lots of ways to get it wrong. Am I missing something here?
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
I started to go down the path of OpenVPN to connect two dynamic DNS sites. Then I discovered that OpenVPN doesn't enjoy on-board hardware acceleration like IPSec does for EdgeRouters (my current set of gateways). Thus, I reverted to IPSec, which seems to be as secure as OpenVPN, and then suffered a bit until I got it all to work. OpenVPN does have the advantage of greater flexibility re: which ports to open, etc., but there isn't that much differentiating the two if your task is a simple backup.

So I wonder if you can get this working with just your gateways as opposed to with the NAS. I agree that there is improvement potential re: the GUI OpenVPN interface. I wish our respective GUIs were linked with more substantial explanations and/or direct links to relevant information - one to a general setup process (which is what iXsystems seems to envision generally) and a line-by-line set of links to the relevant online definitions of each entry. Give the users the best of both worlds: a link to the recipe as well as a resource for each ingredient.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Well, if iX had ever implemented ZeroTier properly (and then left it there), that would have been the way to go--connect both NASs to their own network and I'm set. But they didn't, so...

At home, I have a pfSense box as my router, and it's already running an OpenVPN server--I use it for remote access to my home network when I'm traveling, and I have a couple of other remote systems permanently connected to it. It's worked well for everything I've needed it for, hence my plan to use it for this project as well. And I'm sure it's do-able, but it just looks like it'd be tedious--import the user certificate, import the pfSense CA, choose the right authentication, cipher, protocol, etc. I'm not even sure where you'd enter a username and password, but I'd be planning to use certificate authentication anyway, so that isn't as important.

I'm planning to put the remote server at my parents' house, where they have a Unifi Dream Machine. I'm not really intending to do a net-to-net connection; I don't really see a reason for them to be on my network (or vice versa). It looks like the UDM does support acting as a VPN server or client, but only using L2TP--which pfSense also supports, so I suppose that's a fall-back option.

Of course, a third option would be to install a client for whatever VPN technology I liked in a jail. But if TrueNAS has a built-in VPN client, for a technology for which I'm already running a server, that seems like the presumptive way to go.

Give the users the best of both worlds: a link to the recipe as well as a resource for each ingredient.
Heck, I'd settle for either at this point.
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
The main argument for net-to-net is being able to help them troubleshoot issues as they arise or remote monitoring. For example, running a remote DVR for IP cameras, monitoring the performance of the water system, or some other infrastructure that has transitioned to IP but for which you don't hold a lot of promise re: good security. Keep it all in the "local" network and keep it from leaking.

You can always restrict the parts of your local network they can even access and vice-versa after the fact. Combine that with SSH and the potential for trouble should be rather limited. A remote site can be set up to be pretty "dumb" - i.e. the remote NAS is written to via PUSH, saves the data locally, but has no access to the password on your main server or the data being stored locally.

Since the folder holding the stored data on the remote machine can be "seen" via the GUI, there is some minimal risk having folder names exposed but I consider that pretty manageable. The data itself can be encrypted via ZFS or before it even hits the NAS.

However, I am in violent agreement that technology that *should* work, should simply work. Documentation for stuff as granular as TrueNAS is a further must-have.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The main argument for net-to-net is being able to help them troubleshoot issues as they arise or remote monitoring.
True--and that's one reason they have a UDM, so that I can check on it (and even reconfigure it, if needed) remotely. One application of this would be the iLO interface on this system--a net-to-net connection would let me use that if needed to access the server (particularly if the web GUI and SSH had gone away). Fortunately, in this case, "remote" isn't very remote--they're about 15 minutes' drive from here, so if I need to be on-site for something that isn't a great burden. But something to consider...
 

Constantin

Vampire Pig
Joined
May 19, 2017
Messages
1,829
The UDM is a great device, a clear successor to the Apple Extreme series of APs. I presume you didn't have cloud-configs enabled on this rig, especially in the light of Ubiquiti's online security disaster in March?

That's what I like about my present IPSec net-to-net link - no central cloud accounts, etc. involved, it's PtP, I can kill the tunnel at any time, and so far no one has shown IPSec to be insecure.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So the machine is here, TrueNAS is installed, there's no way to upload the .ovpn file (unless I ignore the built-in OpenVPN client service, and build a jail myself--which I'm not ruling out). So let's try to configure this thing.

I download the .ovpn file from my pfSense router, and open it up in BBEdit. It should have all the information I need, but thanks to TrueNAS'... idiosyncratic... GUI, it takes several steps.
  • Import the CA cert. Go to System -> CAs, Add, enter a name, set the type to Import CA, and paste in everything between <ca> and </ca> in the .ovpn file. Click Submit, and it saves with no errors reported.
  • Import the client cert. Go to System -> Certificates, Add, enter a name, set the type to Import Certificate, paste in the contents of the <cert> and <key> sections of the .ovpn file. Click Submit, and it also saves with no reported errors.
  • Now for the fun part. Go to Services -> OpenVPN Client -> Edit. Select the Client Certificate and Root CA entered before. Enter the FQDN of my pfSense box, set the auth and crypt algorithms correctly, compression, protocol, pre-shared key. Click Save, and get this:
[screenshot of the error shown on Save]

Grrr...
 
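The steps above amount to pulling the inline `<ca>`, `<cert>`, `<key>` (and, for the pre-shared key, `<tls-auth>`) blocks out of the .ovpn file and reading the remaining directives (remote, cipher, auth, compression, protocol) off one by one. As an added example, not from the thread or from TrueNAS/pfSense, here is a small parser that does that split and refuses a PEM block that lost its BEGIN/END armour, which is the usual cause of a silent bad paste. The sample .ovpn is constructed; its PEM bodies are placeholders, not real certificates or keys.

```python
import re

# Constructed sample .ovpn in the shape pfSense's client export produces;
# the PEM bodies are placeholders, not real certificates or keys.
SAMPLE_OVPN = """\
client
proto udp4
remote vpn.example.net 1194 udp4
cipher AES-256-GCM
auth SHA256
compress lz4
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY-BODY
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-TA-KEY-BODY
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# An inline block is <tag> ... </tag> with the PEM on the lines in between.
INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)

def parse_ovpn(text):
    """Return {"inline": {tag: pem}, "directives": {name: [args]}}; the inline
    blocks go into the CA/Certificate import forms, the directives into the client form."""
    inline = {m["tag"]: m["body"].strip() for m in INLINE_RE.finditer(text)}
    directives = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            directives[name] = args
    for tag, pem in inline.items():  # refuse a block missing its PEM armour
        if not (pem.startswith("-----BEGIN ") and pem.splitlines()[-1].startswith("-----END ")):
            raise ValueError(f"<{tag}> block is truncated or malformed")
    return {"inline": inline, "directives": directives}
```

Feed the real exported file to `parse_ovpn()` and copy each `inline` value into the matching TrueNAS import field; the `directives` dict tells you what to pick for cipher, auth, protocol and compression.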
