OpenVPN client

Joined
Feb 28, 2022
Messages
1
I've tried to use the OpenVPN client built in TrueNAS SCALE to connect to a VPN provider, but I am stuck at the "Root CA must have CRL Sign set for KeyUsage extension." problem that is (was?) found in TrueNAS Core, too:
Is there any workaround to avoid this check by TrueNAS? Or is it possible to set up an OpenVPN client connection at startup from the shell?
Just starting the connection from the shell doesn't seem to work, maybe the iptables rules need to be updated along with it?
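A quick way to see up front whether a provider's CA will trip the "CRL Sign" KeyUsage check quoted above, added here as an example (it is not code from this thread or from TrueNAS). It assumes openssl is on the PATH and that the profile either inlines the CA in a <ca>...</ca> block or points at it with a ca directive (path relative to the profile):

```sh
#!/bin/sh
# Added example: report whether the CA in an OpenVPN client profile carries
# the "CRL Sign" KeyUsage bit. Assumes openssl (1.1.1+ for "x509 -ext").

# Print the CA certificate PEM from a .ovpn profile to stdout.
ovpn_ca_pem() {
  ovpn="$1"
  if grep -q '^<ca>' "$ovpn"; then
    # Inline CA: everything between <ca> and </ca>.
    awk '/^<ca>/{f=1;next} /^<\/ca>/{f=0} f' "$ovpn"
  else
    # "ca <file>" directive, resolved relative to the profile's directory.
    cafile=$(awk '$1=="ca"{print $2; exit}' "$ovpn" | tr -d '"')
    [ -n "$cafile" ] || return 1
    case "$cafile" in
      /*) cat "$cafile" ;;
      *)  cat "$(dirname "$ovpn")/$cafile" ;;
    esac
  fi
}

# Print the CA's KeyUsage value line (e.g. "Certificate Sign, CRL Sign"),
# or nothing if the CA has no KeyUsage extension at all.
ovpn_ca_key_usage() {
  ovpn_ca_pem "$1" \
    | openssl x509 -noout -ext keyUsage 2>/dev/null \
    | grep -v 'Key Usage' \
    | sed 's/^ *//'
}

# Exit 0 if the profile's CA has KeyUsage including CRL Sign, 1 otherwise
# (no CA found or no KeyUsage extension also counts as a failure).
ovpn_ca_has_crl_sign() {
  ovpn_ca_key_usage "$1" | grep -q 'CRL Sign'
}

# Usage: ovpn_ca_has_crl_sign client.ovpn && echo "CRL Sign present" || echo "CRL Sign missing"
```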

ThreepE0

Cadet
Joined
Jun 28, 2022
Messages
4
I've got a reply pending mod approval on this thread that may help:

Long story short, edit "/usr/lib/python3/dist-packages/middlewared/plugins/vpn.py" to remove the client cert requirement, then restart middlewared service. You should then be able to submit the client config as needed. Please note that for me, it was subjectkeyidentifier on the client cert that was erroring out, which shouldn't be needed so I was comfortable removing the requirement. As always, use your own judgement.

I hope this helps

Skoal262

Dabbler
Joined
Nov 26, 2022
Messages
10
(TrueNAS SCALE 22.0.2.4) Even easier solution:
1. Try using one of the various guides to copy the info from the ovpn file into the web UI.
2. It doesn't need to connect; it just needs to save to the client.conf file so the UI is happy.
3. Copy your OpenVPN .ovpn file to a dataset, or /, or wherever.
4. Open the Linux shell or SSH into TN.
5. nano /lib/systemd/system/openvpn-client@.service
- change: "ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config client.conf"
- to: "ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config InsertFileNameHere.ovpn"
6. Reboot TrueNAS. (A simple systemctl restart openvpn-client@.service won't cut it - I tried; neither does toggling the GUI.)
I MEAN IT, JUST REBOOT THE MACHINE
7. Toggle the OpenVPN client service on.
8. Verify the connection.

Skoal262

Dabbler
Joined
Nov 26, 2022
Messages
10
Did some more testing, and Steps 1 & 2 are entirely optional. This avoids any issues with certs altogether :)

kuloch

Cadet
Joined
Dec 19, 2022
Messages
4
@Skoal262, are you familiar with `systemctl daemon-reload` ? Systemd intentionally doesn't reread the unit definition files every time you reload a service. That reload command tells it to reread all unit files for changes. It's always required if you want to add/delete/remove a systemd service without rebooting.

Skoal262

Dabbler
Joined
Nov 26, 2022
Messages
10
I am. I tried this initially, and it caused much frustration. It loaded and showed connected, but would not pass traffic. In the end I had to reboot to resolve it. I think it's something to do with how the GUI handles the services and the middleware daemon.