OpenVPN in jail on FreeNAS 11; Connects, but...

Status
Not open for further replies.

cktDesigner

Cadet
Joined
Aug 30, 2017
Messages
5
I installed OpenVPN in a jail on FreeNAS 11 using the many guides/posts/etc. available by Googling.

After a lot of reading and experimentation, I got the OpenVPN server to run in the jail and was able to connect from a Windows 10 client.

My local network is using 192.168.1.x with the appropriate netmask.
So the FreeNAS box and the OpenVPN jail have addresses in the 192.168.1.N range.
OpenVPN assigns addresses from 10.8.0.x

The OpenVPN server config file contains the statements:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"

My ipfw.rules file contains the statements:

ipfw -q nat 1 config if epairN
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epairN
ipfw -q add nat 1 all from any to any in via epairN

(where the N in epairN has the correct number)...


My testing (so far) has been with my client on the same local network as the FreeNAS server (that contains the OpenVPN jail).

So if I simply connect the Windows 10 client (with no OpenVPN tunnel), I can browse the internet and connect to FreeNAS shares.

When I connect the Windows 10 client via OpenVPN, if the:
push "redirect-gateway def1 bypass-dhcp"
statement in the server config file is enabled (not commented), the Windows 10 client cannot see the internet.
If that statement is commented out, the Windows 10 client can see the internet.

I suspect that packets showing up at the OpenVPN server (with 10.8.0.x addresses) are not making it out of the server...
But I thought that the "redirect..." statement sent the internet traffic to the openvpn server, and that the ipfw statement that has 10.8.0.0 in it forwarded that traffic through the server (and then back...)

If the OpenVPN connection is disconnected, I can attach the FreeNAS shares on the client.
If the OpenVPN connection is connected, I cannot attach the FreeNAS shares on the client.

While I realize that the intent of OpenVPN (or any VPN) is for use from outside the local network, I would still expect it to work inside the local network. I thought the statements handled that, but obviously I'm missing something...

Any suggestions are appreciated! Thanks!
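The post pairs an OpenVPN server config with an ipfw NAT ruleset, and the symptom (internet works without redirect-gateway, breaks with it) is the classic sign that the two are not consistent: once redirect-gateway is pushed, every client packet enters the jail with a 10.8.0.x source and only leaves if an outbound NAT rule covers that subnet on the interface the NAT instance is bound to, with a matching inbound rule to translate replies back. The script below is an added example, not code from this thread or from OpenVPN or FreeNAS, that parses both files and reports mismatches. The sample configs are constructed from the post; "epair0b" stands in for the poster's epairN, and the `server 10.8.0.0 255.255.255.0` line is OpenVPN's stock default rather than something the post shows.

```python
import ipaddress
import re

# Constructed sample files modelled on the forum post. "epair0b" stands in for
# the poster's epairN and the `server` line is OpenVPN's stock default; neither
# value is taken from the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
push "redirect-gateway def1 bypass-dhcp"
"""

IPFW_RULES = """\
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b
ipfw -q add allow ip from any to any
"""

# Same ruleset with the NAT instance bound to one interface while the rules
# match another (a constructed mistake, used to show a finding).
IPFW_RULES_MISMATCH = IPFW_RULES.replace("via epair0b", "via epair1b")

NAT_CFG = re.compile(r"^ipfw\s+(?:-\w+\s+)*nat\s+(\d+)\s+config\b.*?\bif\s+(\S+)")
NAT_RULE = re.compile(
    r"^ipfw\s+(?:-\w+\s+)*add\s+(?:\d+\s+)?nat\s+(\d+)\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)"
    r"\s+(in|out)\s+via\s+(\S+)"
)


def _net(token):
    """Map an ipfw address token to a network; 'any' means every address."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(token, strict=False)


def parse_openvpn(text):
    """Pull out the server subnet and the pushed options that matter for routing."""
    conf = {"server": None, "redirect_gateway": False, "routes": [], "dns": []}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # comments start with # or ;
        if not line:
            continue
        m = re.match(r"^server\s+(\S+)\s+(\S+)$", line)
        if m:
            conf["server"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r'^push\s+"([^"]*)"$', line)
        if not m:
            continue
        opt = m.group(1).split()
        if opt and opt[0] == "redirect-gateway":
            conf["redirect_gateway"] = True
        elif len(opt) >= 3 and opt[0] == "route":
            conf["routes"].append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False))
        elif len(opt) == 3 and opt[:2] == ["dhcp-option", "DNS"]:
            conf["dns"].append(opt[2])
    return conf


def parse_ipfw(text):
    """Collect `nat N config if X` bindings and the `add nat N ... via X` rules."""
    rules = {"nat_if": {}, "nat_rules": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_CFG.match(line)
        if m:
            rules["nat_if"][int(m.group(1))] = m.group(2)
            continue
        m = NAT_RULE.match(line)
        if m:
            rules["nat_rules"].append({"nat": int(m.group(1)), "src": _net(m.group(2)),
                                       "dst": _net(m.group(3)), "dir": m.group(4),
                                       "via": m.group(5)})
    return rules


def check(conf, rules):
    """Return human-readable findings; an empty list means the two files agree."""
    findings = []
    vpn = conf["server"]
    if vpn is None:
        return ["no 'server' directive found, so the subnet that needs NAT is unknown"]
    out_rules = [r for r in rules["nat_rules"] if r["dir"] == "out"]
    in_rules = [r for r in rules["nat_rules"] if r["dir"] == "in"]
    covering = [r for r in out_rules if vpn.subnet_of(r["src"])]
    if conf["redirect_gateway"] and not covering:
        findings.append(f"redirect-gateway is pushed but no outbound NAT rule covers {vpn}")
    for r in covering:
        bound = rules["nat_if"].get(r["nat"])
        if bound is None:
            findings.append(f"nat {r['nat']} is referenced but never configured")
        elif bound != r["via"]:
            findings.append(f"nat {r['nat']} is bound to {bound} but its rule matches via {r['via']}")
        if not any(i["nat"] == r["nat"] and i["via"] == r["via"] for i in in_rules):
            findings.append(f"no inbound nat {r['nat']} rule via {r['via']} to translate replies back")
    for route in conf["routes"]:
        if route.overlaps(vpn):
            findings.append(f"pushed route {route} overlaps the VPN subnet {vpn}")
    if conf["redirect_gateway"] and not conf["dns"]:
        findings.append("redirect-gateway is pushed without a DNS server; clients may lose name resolution")
    return findings


def audit(server_text, ipfw_text):
    return check(parse_openvpn(server_text), parse_ipfw(ipfw_text))


if __name__ == "__main__":
    for label, rules in (("as posted", IPFW_RULES), ("mismatched interface", IPFW_RULES_MISMATCH)):
        print(label, "->", audit(SERVER_CONF, rules) or ["no findings"])
```

Run against the ruleset as posted it reports nothing, which is the point: the rules themselves are consistent, so the remaining suspects are outside these two files (whether ipfw is actually loaded and active inside the jail, and whether IP forwarding is enabled on the host). Swapping the interface on the rules, or NATing a subnet other than the one `server` hands out, produces a finding immediately.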

cktDesigner

Yes...
I ended up using "subnet" mode for the OpenVPN server (this allows you to allocate part of the local subnet to OpenVPN to assign to clients). I then had to change the ipfw statements to forward the "OpenVPN allocated range" "to any out via epairN". Things seem to be working now. Thanks!