SOLVED Openvpn Jail

drinking12many (Contributor, joined Apr 8, 2012, 148 messages)
I have been trying for a bit to get this to work and I feel like I am missing something. I followed a guide I found for 11.1, I think it was. I have it working in that I can use my S9 and connect over the cell network to my OpenVPN jail. I can ping anything on my network internally and they can ping me back. I can resolve and ping websites external and internal to my network. Though when I open Chrome and try to load any web pages, they fail, internal or external. Almost like it's using a proxy or something, though I can find nothing to confirm that. I did add a static route to my home router, which is when I started being able to ping back into my VPN from internal machines.

I had an OpenVPN appliance running on Debian under ESX for years and it always worked fine; it has a web interface and has been generally reliable, but I am trying to move it to a jail so I don't have to keep that Dell server on all the time, yet still be able to connect, hit the iDRAC and turn it on when needed.



openvpn.conf

Code:
port 1194
proto udp
dev tun

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh2048.pem

topology subnet
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.1.96"
push "dhcp-option DNS 192.168.1.98"
push "dhcp-option DOMAIN home.local"
client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
compress lz4-v2
push "compress lz4-v2"
max-clients 10

user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

drinking12many (Contributor, joined Apr 8, 2012, 148 messages)
Ugh, OK... five minutes after I posted, and after a day and a half of work, I figured it out.

It was the compression. I am guessing the phone doesn't support lz4-v2. I commented both lines out and it started working. So then I went back and set it to just plain lz4; that also worked, so I left it as lz4.

I do wish there were a web admin package similar to the one for the OpenVPN OVA... oh well, can't have everything. :)

catnas (Explorer, joined Dec 12, 2015, 57 messages)
Could you please share the guide you used? I'm running 11.2-RELEASE but I'm having problems, so maybe I should start from scratch and follow a different guide.

This guide works in 11.2: https://www.ixsystems.com/community...envpn-inside-a-jail-in-freenas-11-1-u1.61681/

Notes:
1. When you create the certificates and keys, you don't really need to set passwords. It starts to get really messy really quickly.
2. Pay very close attention to the ports. Don't work from multiple guides because the suggested ports are not always the same.
3. Pay very close attention to where you choose to store your files. Personally, I think you should create a mount point for your OpenVPN jail so that the keys are readily accessible when you need them for your client devices. If you choose to do this, however, the rc.conf and openvpn.conf files need to reflect the location where you choose to store the keys. So don't just blindly copy. However, the advantage to this is that leaving those files in the /usr/local/etc..... location suggested in the guide doesn't make clear that these are user-created files (i.e., your cert and your key).
4. YOU MUST SET ALLOW_TUN TO TRUE OR THIS WILL NOT WORK. You can do it in the GUI or in the CLI. From the CLI/shell, you can check whether it has worked by using this command:

Code:
iocage get allow_tun jailname


If it returns 1, then you should be good to go.
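Two of the pitfalls in this thread are config-file mistakes that OpenVPN only reveals at run time: a server-side `compress` algorithm that differs from the one pushed to clients (the lz4-v2 versus lz4 problem the OP traced the fault to), and key files that are not at the path the config names or are readable by more than their owner (the config's own comments mark `key` and `tls-auth` as secret, and catnas's note 3 warns that moving the keys to a mount point means the paths in openvpn.conf must change with them). The script below is an added example, not code from the thread, from the linked guide, or from the OpenVPN project; it is a pre-flight check to run inside the jail before starting the daemon. It assumes the files are referenced by absolute path as in the posted config (a relative path is resolved against the current directory), and the file name `ovpn-check.sh` and the function names are mine. One caveat worth knowing before settling on `compress lz4`: compression inside a VPN is a known information leak (the VORACLE attack class), and current OpenVPN documentation advises leaving it off unless a client requires it.

```shell
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN server config, covering the
# mistakes discussed in this thread. Not part of the original posts or of OpenVPN.
#   1. the server "compress" line and the pushed "compress" option must name the
#      same algorithm (lz4-v2 on the server with lz4 pushed is the mismatch the
#      OP hit)
#   2. the files the config marks secret (key, tls-auth, tls-crypt) must exist and
#      be readable by their owner only
#   3. every ca/cert/key/dh/tls file must exist at the path the config names
# POSIX sh; only awk, ls and cut are used, so it runs in a FreeBSD jail or on Linux.

# Algorithm on the server-side "compress" line: "none" if absent, "stub" for a bare "compress".
ovpn_server_compress() {
    awk 'BEGIN { algo = "none" }
         $1 == "compress" { algo = ($2 == "" ? "stub" : $2) }
         END { print algo }' "$1"
}

# Algorithm the server pushes to clients via push "compress ..." (same conventions).
ovpn_pushed_compress() {
    awk 'BEGIN { algo = "none" }
         $1 == "push" && $2 ~ /^"compress/ {
             algo = $3; sub(/"$/, "", algo); if (algo == "") algo = "stub"
         }
         END { print algo }' "$1"
}

# 0 when nothing is pushed or the pushed algorithm matches the server's, 1 on a mismatch.
ovpn_compress_consistent() {
    server=$(ovpn_server_compress "$1")
    pushed=$(ovpn_pushed_compress "$1")
    if [ "$pushed" != "none" ] && [ "$server" != "$pushed" ]; then
        echo "compress mismatch: server uses '$server', clients are pushed '$pushed'" >&2
        return 1
    fi
    return 0
}

# 0 when every key / tls-auth / tls-crypt file exists with mode rw------- (owner only).
ovpn_secrets_private() {
    rc=0
    for f in $(awk '$1 == "key" || $1 == "tls-auth" || $1 == "tls-crypt" { print $2 }' "$1"); do
        if [ ! -f "$f" ]; then
            echo "missing secret file: $f" >&2; rc=1; continue
        fi
        # characters 5-10 of "ls -l" output are the group and other permission bits
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "secret file $f is group/world accessible: $(ls -ld "$f" | cut -c1-10)" >&2
            rc=1
        fi
    done
    return $rc
}

# 0 when every certificate/key/dh/tls file the config references exists.
ovpn_files_present() {
    rc=0
    for f in $(awk '$1 ~ /^(ca|cert|key|dh|tls-auth|tls-crypt)$/ { print $2 }' "$1"); do
        [ -f "$f" ] || { echo "referenced file not found: $f" >&2; rc=1; }
    done
    return $rc
}

# Run all checks; returns non-zero if any of them fails.
ovpn_check() {
    status=0
    ovpn_files_present "$1"       || status=1
    ovpn_secrets_private "$1"     || status=1
    ovpn_compress_consistent "$1" || status=1
    return $status
}

# Usage: sh ovpn-check.sh /usr/local/etc/openvpn/openvpn.conf
if [ "$#" -ge 1 ]; then
    ovpn_check "$1" && echo "$1: OK"
fi
```

Run it inside the jail as the user that will own the keys; a non-zero exit means at least one message was printed on stderr naming the offending line or file. If the mismatch check fires, fix it on the server side rather than by editing the client profile, since `push "compress ..."` overrides whatever the client has configured.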