Hello,
Please can somebody help me with OpenVPN client connection. I have read lots of threads and can't seem to get the last bit sorted!
Running 11.2-U4, I have used the emby plugin and created an emby jail, which works as expected.
I have followed numerous threads and installed the OpenVPN server into the emby jail.
I have managed to get the OpenVPN server running and all seems good.
root@emby:/ #  sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
emby     mono-sgen  16420 17 tcp46  *:8096                *:*
emby     mono-sgen  16420 20 tcp46  *:8920                *:*
emby     mono-sgen  16420 24 udp4   *:1900                *:*
emby     mono-sgen  16420 25 udp4   *:33210               *:*
emby     mono-sgen  16420 26 udp4   *:7359                *:*
nobody   openvpn    16388 6  udp4   192.168.1.138:1194    *:*
root     natd       16335 3  div4   *:8668                *:*

Also, ifconfig looks OK to me:
root@emby:/ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe**:******o0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether d0:**:**:**:**:60
        hwaddr 02:**:**:**:**:0b
        inet 192.168.1.138 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
tun6: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffff00
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 16388

I have a dyndns service running and can ping my public IP address from outside my network.
I have added a port forward in the router to the 'emby jail IP address', start/end port 1194 to internal port 1194.
My client is a Windows machine with the OpenVPN client running on it.
I do not think there is any problem with certs, and this is my client.conf:
client
tls-client
pull
dev tun
proto udp
remote mydynIPaddress 1194 udp
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
key-direction 1
comp-lzo
verb 3
auth SHA512
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIJANayYsJ9kpufMA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
BLAH
16ihwv0tEmzzsYPfeZAiU6Jj4IAw
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDUjCCAjqgAwIBAgIRAIyDygpySpgCYlu65vkbQN8wDQYJKoZIhvcNAQELBQAw
BLAH
pXDskJOtZf1P+0Ze8vJznNRKdzwY+q200dK3kw5PPoaXiKyhjnU=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCbTQ9VfS3e9j0C
BLAH
vgvmZzXoZGOWoRc4r7TPqwsW
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
18b3ea19c141a8f92d69b719cada3099
BLAH
94a1c6bbc6bbef8e13e5597fe200b46e
-----END OpenVPN Static key V1-----
</tls-auth>

Server.conf:
local 192.168.1.138
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/issued/server.crt
key /usr/local/etc/openvpn/server/private/server.key
dh /usr/local/etc/openvpn/server/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.138 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
auth sha512
remote-cert-tls client

rc.conf:
ifconfig_epair0b="DHCP"
hostname="emby"
cron_flags="$cron_flags -J 15"
# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# Run secure syslog
syslogd_flags="-c -ss"
# Enable IPv6
ipv6_activate_all_interfaces="YES"
emby_server_enable="YES"
firewall_enable="YES"
firewall_type="open"
gateway_enable="YES"
natd_enable="YES"
natd_interface="em1"
natd_flags="-dynamic -m"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server/server.conf"

I have also tried adding the following to rc.conf:
firewall_script="/usr/local/etc/ipfw.rules"

with the following ipfw.rules file (both options tried):
# Bibi40k method:
#!/bin/sh
#EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
##ipfw -q -f flush
#ipfw -q nat 1 config if ${EPAIR}
#ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
#ipfw -q add nat 1 all from any to any in via ${EPAIR}
#TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
#ifconfig ${TUN} name tun0
# gsrcrxsi method:
!/bin/sh
EPAIR=$(/sbin/ifconfig -l | cut -d' ' -f2)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | cut -d' ' -f3)
ifconfig ${TUN} name tun0

I have been tinkering all day but with no success; my OpenVPN client log shows a failed TLS handshake.
Can anybody help as I really have fried my brain today trying to sort this!
As a side note, when I started this morning, if I attempted to reach my public IP address in a browser window from outside my network, the response was 'The server refused the connection'.
Since tinkering today that response has now changed to 'took too long to respond'.
Any pointers gratefully received!!
This has totally fried my brain today.
Thanks
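One way to triage a failed TLS handshake from the pieces posted above, as an added example (this is not code from the post, from FreeNAS or from OpenVPN): a small Python checker that parses the server.conf and client.conf options, the `sockstat -4 -l` listing and the firewall script, and reports the cross-file mismatches a reviewer would look for first. The inputs are constructed copies of the posted values (the dyndns name, the tls-auth key body and the sockstat rows are placeholders), and `parse_conf`, `key_direction` and `check` are names chosen here.

```python
"""Cross-check the pieces posted above: does the client dial the port and
protocol the server listens on, do the tls-auth key directions pair up,
is openvpn actually bound where the port-forward points, and is the ipfw
script's first line a comment?  Inputs are constructed to mirror the post."""

SERVER_CONF = """\
local 192.168.1.138
port 1194
proto udp
tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is secret
remote-cert-tls client
"""

CLIENT_CONF = """\
client
proto udp
remote mydynIPaddress 1194 udp
key-direction 1
remote-cert-tls server
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
18b3ea19c141a8f92d69b719cada3099
-----END OpenVPN Static key V1-----
</tls-auth>
"""

SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    16388 6  udp4   192.168.1.138:1194    *:*
root     natd       16335 3  div4   *:8668                *:*
"""

IPFW_SCRIPT = """\
!/bin/sh
EPAIR=$(/sbin/ifconfig -l | cut -d' ' -f2)
ipfw -q -f flush
"""


def parse_conf(text):
    """Map each OpenVPN option to its argument list.  Inline blocks such as
    <ca>...</ca> are recorded as ['<inline>']; '#' comments are dropped."""
    opts, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if block:                       # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            opts[block] = ["<inline>"]
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def key_direction(opts):
    """tls-auth direction: second argument of a file-based tls-auth line,
    otherwise the separate key-direction option used with inline keys."""
    args = opts.get("tls-auth", [])
    return args[1] if len(args) > 1 else opts.get("key-direction", [None])[0]


def check(server_conf, client_conf, sockstat, ipfw_script):
    """Return a list of mismatch descriptions; empty means all checks passed."""
    s, c = parse_conf(server_conf), parse_conf(client_conf)
    findings = []

    # 1. The port/protocol the client dials must be what the server listens on.
    s_port, s_proto = s.get("port", ["1194"])[0], s.get("proto", ["udp"])[0]
    remote = c.get("remote", [])
    c_port = remote[1] if len(remote) > 1 else c.get("port", ["1194"])[0]
    c_proto = remote[2] if len(remote) > 2 else c.get("proto", ["udp"])[0]
    if (c_port, c_proto) != (s_port, s_proto):
        findings.append(f"client dials {c_proto}/{c_port} but server uses {s_proto}/{s_port}")

    # 2. tls-auth must be on both sides with opposite directions (0 and 1);
    #    otherwise each side rejects the other's packets before TLS starts.
    if "tls-auth" in s or "tls-auth" in c:
        if ("tls-auth" in s) != ("tls-auth" in c):
            findings.append("tls-auth is configured on only one side")
        elif {key_direction(s), key_direction(c)} != {"0", "1"}:
            findings.append(f"tls-auth key-direction server={key_direction(s)} "
                            f"client={key_direction(c)}; need 0 and 1")

    # 3. openvpn must be bound to local:port on that protocol (sockstat -4 -l).
    want = f"{s.get('local', ['*'])[0]}:{s_port}"
    rows = [l.split() for l in sockstat.splitlines()[1:]]
    if not any(r[1] == "openvpn" and r[4].startswith(s_proto) and r[5] == want
               for r in rows if len(r) >= 6):
        findings.append(f"no openvpn socket on {s_proto} {want} in sockstat output")

    # 4. The script's first line must be a comment/shebang; a bare '!/bin/sh'
    #    is parsed by sh as a command name and fails with 'not found'.
    first = ipfw_script.splitlines()[0] if ipfw_script.strip() else ""
    if not first.startswith("#"):
        findings.append(f"ipfw script line 1 is {first!r}; expected '#!/bin/sh'")
    return findings


if __name__ == "__main__":
    for finding in check(SERVER_CONF, CLIENT_CONF, SOCKSTAT, IPFW_SCRIPT):
        print("MISMATCH:", finding)
```

On the constructed inputs the only finding is the firewall script's first line; the port, protocol, tls-auth direction and listening socket all line up, which points the search at what sits between the Windows client and the jail (router forward and host-side filtering) rather than at the OpenVPN files themselves.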