OpenVPN Server Routing on TrueNAS 12.0 U1.1

lmarien

Cadet
Joined
Jan 31, 2021
Messages
3
Hi,

I am trying to setup my TrueNAS as an OpenVPN Server via "Services -> OpenVPN Server".

After creating the internal CA and all the certificates I may need, the service starts successfully and I am able to connect to it from a remote network with the slightly modified configuration exported through the UI.

By default the OpenVPN Server does not push any routes needed to access the remote network or internet over the VPN to my client PC (running Windows 10 with OpenVPN GUI v11.20.0.0).

So I added them as Additional Parameters in the OpenVPN Server configuration:

Code:
push "route 0.0.0.0 0.0.0.0"             # not needed once "redirect-gateway def1" is pushed below, which already takes over the default route
push "route 10.99.0.0 255.255.0.0"       # My OpenVPN transfer net
push "route 192.168.10.0 255.255.255.0"  # My remote network I want to connect to
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.10.1"      # The DNS Server on my remote network


After adding this all the routes are getting successfully pushed to my Windows 10 pc and show up in route print.

But no matter what I am trying I am not able to connect to anything other than the TrueNAS Server itself.

My local network is 192.168.1.0/24 and is therefore not colliding with either the transfer or the remote subnet.

I have already tried to (without success):

- omit the last two rows of my Additional Parameters and try to ping any other resource on the remote network (which I can ping from the TrueNAS directly)
- enable ip forward as a sysctl variable

Are there additional configurations I need to do for this to work or will I need to do the manual Setup inside a Jail to access the remote subnet the TrueNAS server is in?

Thanks for your help and kind regards
Luca
 

Raowlz

Cadet
Joined
Nov 13, 2020
Messages
6
Same issue for me. If you have a solution, don't hesitate to post it here.

Thanks !
 

rasalone

Dabbler
Joined
Dec 21, 2020
Messages
10
I just worked this out last night myself. Two things. 1: you need a way to return the route for devices in your subnet. So for me my subnet is 10.10.10.0/24 and the pool for OpenVPN is 192.168.0.0, so on my default gateway for 10.10.10.0 I added a static route to point back at the IP of my NAS: 192.168.0.0/24 -> 10.10.10.100.
2: the FreeBSD system won't route between interfaces unless you turn that feature on. To do this with no reboot on the NAS server, run sysctl net.inet.ip.forwarding=1
For it to persist across reboots the FreeBSD docs say to add the following to /etc/rc.conf, but I'm not sure that works with TrueNAS; I haven't tried, nor do I know enough about the TrueNAS config.
gateway_enable="YES" # Set to YES if this host will be a gateway
 

lmarien

Cadet
Joined
Jan 31, 2021
Messages
3
Thank you rasalone.

It seems like I was missing the fact that OpenVPN does not NAT and needs to know the route back to the TrueNAS system. What a noob mistake...

After adding a default route on my router (default gateway for everything in the Network) for my OpenVPN net (10.99.0.0) pointing to the TrueNAS System everything started working.

Thanks for the Help - hopefully this helps others to find the problem too.
 

Steasenburger

Explorer
Joined
Feb 12, 2020
Messages
52
Hey I'm currently also struggling at this issue.
My local network is 192.168.0.0/24 and my OpenVPN network should be at 192.168.1.0/24.
Just like in your case, I can only access the TrueNAS system on 192.168.1.1 and also noticed that no traffic will be routed over my OpenVPN server; instead it just accesses the internet directly.

So if I understood the discussion above correctly, i first have to:

- run "sysctl net.inet.ip.forwarding=1" to enable IP forwarding(?)
- add "gateway_enable="YES"" somewhere?
- add a default route to my router that is pointing from 192.168.1.0 to 192.168.0.97 (IP address of my TrueNAS system in the LAN)? Can I do this with a regular FritzBox?
- then add some extra configuration to the OpenVPN server tab:
"""
push "route 0.0.0.0 0.0.0.0"             # not needed once "redirect-gateway def1" is pushed below, which already takes over the default route
push "route 192.168.1.0 255.255.255.0"   # My OpenVPN transfer net
push "route 192.168.0.0 255.255.255.0"   # My remote network I want to connect to
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.0.1"       # The DNS Server on my remote network (my FritzBox)
"""


Any help would be appreciated :)
 

lmarien

Cadet
Joined
Jan 31, 2021
Messages
3
Hi,

The sysctl part should happen under System -> Tunables. You can add new sysctl calls there.

The gateway_enable point is not required and it should work without it.

You can set up a static route in your FritzBox; there is an official article on AVM's website. This is needed for your setup to work.

And the Additional Parameters are required - yes.

This setup is only required for the OpenVPN device type tun.
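To tie the pieces of this thread together (rasalone's return route and forwarding sysctl, lmarien's fix, and the push directives), here is an added example that is not from the thread or from TrueNAS itself. It takes the four prefixes involved (LAN behind the NAS, NAS address, OpenVPN transfer net, and the network the client is sitting in), checks them for the overlaps that make a tunnel come up but only reach the NAS, and prints the three things to configure: the push lines for the server, the tunable for the NAS, and the static route for the LAN router with its direction made explicit (destination is the VPN pool, next hop is the NAS). It uses lmarien's addresses; the NAS LAN address 192.168.10.10 and the second scenario's client LAN of 192.168.1.0/24 are assumptions for illustration. It only computes and prints; it does not change any system.

```python
"""Plan and sanity-check the routing for a TrueNAS OpenVPN server (tun mode).

Added example, not code from the thread or from TrueNAS. Pure computation:
it returns the config pieces and a list of problems, and touches nothing.
"""
import ipaddress
from typing import Dict, List


def plan(lan: str, nas_ip: str, vpn_pool: str, client_lan: str, dns: str,
         redirect_gateway: bool = False) -> Dict[str, object]:
    """Return push directives, NAS tunable, router static route and problems.

    lan        -- network behind the NAS that clients should reach
    nas_ip     -- NAS address on that LAN (the next hop the router needs)
    vpn_pool   -- OpenVPN transfer network handed out to clients
    client_lan -- network the remote client sits in (home, hotel, hotspot)
    dns        -- resolver to push to clients
    """
    lan_net = ipaddress.ip_network(lan, strict=True)
    nas = ipaddress.ip_address(nas_ip)
    pool = ipaddress.ip_network(vpn_pool, strict=True)
    client = ipaddress.ip_network(client_lan, strict=True)
    dns_ip = ipaddress.ip_address(dns)

    problems: List[str] = []
    if nas not in lan_net:
        problems.append(f"NAS {nas} is not inside LAN {lan_net}; the router's "
                        f"static route needs a next hop it can reach directly")
    # Overlapping prefixes are the classic reason only the NAS answers: the
    # client (or a LAN host) prefers its directly connected route over the tunnel.
    pairs = [(pool, lan_net, "VPN pool", "LAN"),
             (pool, client, "VPN pool", "client's own LAN"),
             (lan_net, client, "LAN", "client's own LAN")]
    for a, b, name_a, name_b in pairs:
        if a.overlaps(b):
            problems.append(f"{name_a} {a} overlaps {name_b} {b}")

    push = [f'push "route {lan_net.network_address} {lan_net.netmask}"',
            f'push "dhcp-option DNS {dns_ip}"']
    if redirect_gateway:
        # def1 shadows the client's default route with 0.0.0.0/1 and 128.0.0.0/1,
        # so a separate push "route 0.0.0.0 0.0.0.0" is unnecessary.
        push.append('push "redirect-gateway def1"')

    return {
        "problems": problems,
        "push": push,
        # Router side: destination = VPN pool, gateway = NAS LAN address.
        # OpenVPN does not NAT, so without this the replies never come back.
        "router_route": (str(pool.network_address), str(pool.netmask), str(nas)),
        # NAS side (System -> Tunables, type sysctl). Note this is global on
        # FreeBSD: the NAS will forward between every interface it has.
        "nas_sysctl": "net.inet.ip.forwarding=1",
    }


def render(p: Dict[str, object]) -> str:
    """Human-readable summary of a plan()."""
    lines: List[str] = []
    if p["problems"]:
        lines.append("PROBLEMS:")
        lines += [f"  - {x}" for x in p["problems"]]
    lines.append("OpenVPN server additional parameters:")
    lines += [f"  {x}" for x in p["push"]]
    lines.append(f"TrueNAS tunable (sysctl): {p['nas_sysctl']}")
    dest, mask, gw = p["router_route"]
    lines.append(f"Router static route: destination {dest} netmask {mask} gateway {gw}")
    return "\n".join(lines)


if __name__ == "__main__":
    # lmarien's numbers; the NAS address 192.168.10.10 is assumed.
    print(render(plan("192.168.10.0/24", "192.168.10.10", "10.99.0.0/16",
                      "192.168.1.0/24", "192.168.10.1", redirect_gateway=True)))
    print()
    # Steasenburger's LAN and pool with an assumed client LAN of 192.168.1.0/24
    # (a common home default) to show the overlap check firing.
    print(render(plan("192.168.0.0/24", "192.168.0.97", "192.168.1.0/24",
                      "192.168.1.0/24", "192.168.0.1")))
```

The overlap check is the part worth keeping around: whenever a tunnel connects but only the NAS is reachable, compare the client's current LAN against the VPN pool and the remote LAN before touching routes or forwarding.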
 

jayecin

Explorer
Joined
Oct 12, 2020
Messages
79
Question: I set this up last night, and in order to route between different subnets on the TrueNAS I added the tunable gateway_enable="YES". Now my concern is, does this mean the TrueNAS is now acting as a router between subnets on my TrueNAS? For example, I have an internal and an external VLAN/subnet for servers. Normally, to go from the internal to the external, the traffic would need to pass through my firewall. With this enabled, does the traffic get routed locally and bypass the firewall?
 

jayecin

Explorer
Joined
Oct 12, 2020
Messages
79
So I just answered my own question through testing, and yes, it appears to do what I said. With gateway_enable="YES" the TrueNAS acts as a router between all local interfaces, bypassing other security measures in place.
 

jayecin

Explorer
Joined
Oct 12, 2020
Messages
79
It appears that "sysctl net.inet.ip.forwarding=1" also has the same behavior: when enabled, the TrueNAS routes directly between interfaces. I think this is just an inherent design functionality of TrueNAS. I was hoping that separate interfaces would have separate route tables, but that does not appear to be the case.
 

ro55_mo

Dabbler
Joined
Feb 3, 2018
Messages
16
Hi

I am trying to accomplish the same goal here and just want to double check my settings. I am nervous about potentially cutting off access to my own network.

I have the OpenVPN server setup and my client can connect but as per other posters I cannot connect to servers on the LAN which is the objective.

Details as follows

LAN

Default Gateway: 192.168.0.1
Mask: 255.255.255.0
DNS servers: 192.168.0.4 192.168.0.6
TrueNAS: 192.168.0.10

OpenVPN configuration

[attachment: openvpn-server-settings.png]


Tunable (TrueNAS has been rebooted)

[attachment: tunable.png]


Routes displayed on client which is connected to a mobile phone hotspot.

[attachment: client-routes-cropped.png]


So in order to make this work, if I have understood all the above from other posters, I need to make the following change on my router. The route below has not yet been added.

[attachment: route-not-commited.png]


Would this be correct?
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
I have taken a look at the above thread as I am also having the same issue.

I have followed the instructions and it appears that your static route entry should be the other way around.

Dest IP : 172.16.0.0
SNM : 255.255.255.0
GW IP : 192.168.0.10

That's how I've interpreted your info. (But I could be wrong.)

I still have NOT got mine to work - see my post here :

Have you managed to get your working?
 

ro55_mo

Dabbler
Joined
Feb 3, 2018
Messages
16
I did not get this to work. I was looking into it because the SSH port forwarding to my home network was being weird but I got all that sorted out.
 

cktDesigner

Cadet
Joined
Aug 30, 2017
Messages
5
Is there a definitive answer to this? I'm running TrueNAS 12.0-U5.1 and having the same issue. I am also having a problem accessing a jail on the same system.
Thanks!
 

bernatvm

Cadet
Joined
Jul 14, 2021
Messages
1
The ISP-provided router at my parents' place (where the TrueNAS server is located) is not fully unlocked, so I can't configure static routes. Are there any other options?

I used to have a Synology NAS and it had an OpenVPN server that allowed me to connect to the whole local network without static routing configuration. With the TrueNAS one (without the static routing) I can only connect to the TrueNAS server itself.
 