OpenVPN service failing to connect to local subnet

PiepsC

Cadet
Joined
Feb 8, 2022
Messages
4
I'm new to both TrueNAS and OpenVPN, so if any wrong conclusions are drawn in this post it's probably due to a lack of experience with either.

On my NAS server I run a bunch of services, all occupying a local IP in the subnet 192.168.178.x. These all work fine and can be accessed while connected to the same router. My goal was to make these services available remotely (outside the local network) by introducing OpenVPN tunneling, while allowing for routes on the subnet where the services live.

Initially I followed the official TrueNAS documentation on OpenVPN, but it's rather sparse and did not yield the result I had hoped for. I could connect to the OpenVPN server, but was unable to reach the services in the same network (note that I hadn't even set the additional parameters at this point, for I was unaware of them) outside the TrueNAS server itself. At this point I just looked around for tutorials, considering I knew this probably wasn't a very esoteric requirement. I read 3 blogs and watched one YouTube tutorial over 3 days with no success until I stumbled upon this video: https://www.youtube.com/watch?v=YEkfW4aC9Rk&lc=UgzJ_LeLK2k7tPFyNBV4AaABAg

This was the first one that actually got me to be able to connect to the VPN server remotely, while also allowing the connected clients to access the subnet I made available to them (192.168.178.x). However, it also broke the internet connection in all my jails. After going back step by step I found out that the issue that caused the internet connection to break in the jails was the introduction of the Tunables related to natd. The Tunables in the tutorial are as follows (all rc.conf changes):
firewall_enable="YES"
firewall_type="open"
natd_enable="YES"
natd_flags="-m -dynamic"
natd_interface="re0" (name of the default interface)
gateway_enable="YES"
Removing them would restore internet connection to my jails, but once again cause remote clients to fail to connect to the individual services.

Needless to say the problem is thus related to NAT in some way; when I traceroute to the TrueNAS server's IP I get this (this is from within the local network, but DDNS has already proven itself to work):
[pieps@piepsmobile ~]$ traceroute 192.168.178.180
traceroute to 192.168.178.180 (192.168.178.180), 30 hops max, 60 byte packets
1 _gateway (192.168.178.1) 3.725 ms * *
2 192.168.178.180 (192.168.178.180) 21.645 ms 23.328 ms 23.297 ms
[pieps@piepsmobile ~]$ traceroute 192.168.178.60
traceroute to 192.168.178.60 (192.168.178.60), 30 hops max, 60 byte packets
1 192.168.179.1 (192.168.179.1) 5.601 ms 5.557 ms 6.353 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
The OpenVPN server lives on 192.168.179.0, which explains the hop to 192.168.179.1, which is presumably assigned to the client. In the second traceroute I attempt to reach a service, but it times out as you can see.

I think I'm in over my head here, but I'm a little lost on where exactly NAT comes into play. Even more so about the fact that natd seems to break the connection in my jails, but does allow me to connect to the individual services. If anyone could clarify what is happening here I'd at least have a good chance at tackling the issue, but right now I'm just lost.
 

anon4324239685

Dabbler
Joined
May 5, 2018
Messages
21
Bump and subscribed because I have the same question.

I tried adding a static route on the UniFi gateway pointing to the VPN subnet, to no avail.
 

wootness

Dabbler
Joined
Apr 1, 2021
Messages
15
I finally figured out how to get this to work.

In my example, VPN_SERVER_IP is what goes in the "Server" setting in Services > OpenVPN Server.

Services > OpenVPN Server
Under additional parameters:
Code:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"


Network > Static Routes
Destination: VPN_SERVER_IP
Gateway: TRUENAS_IP

System > Tunables
Variable          Value                                             Type
firewall_enable   yes                                               rc.conf
firewall_script   /mnt/<insert pool directory>/ipfw.rules           rc.conf
firewall_type     open                                              rc.conf
gateway_enable    yes                                               rc.conf
natd_enable       yes                                               rc.conf
natd_flags        -dynamic -m                                       rc.conf
natd_interface    <insert interface name of NIC> (example: igb0)    rc.conf

Create a file under /mnt/<insert pool directory> and call it "ipfw.rules"
Here's my example where I decided to create it using nano:
Code:
nano /mnt/tank/apps/scripts/ipfw.rules


Within nano, I entered and saved the following (but make sure you make changes where applicable):
Code:
#!/bin/sh
################ Start of IPFW rules file ###############################

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"

net="<insert interface name of NIC>" # interface name of NIC attached to Internet

#################################################################

# In-kernel NAT instance 1, bound to the Internet-facing interface.
ipfw -q nat 1 config if "$net"

# Translate traffic from the VPN subnet leaving through the NIC, and
# un-translate the replies coming back in on it.
$cmd 0050 nat 1 all from VPN_SERVER_IP/24 to any out via "$net"
$cmd 0100 nat 1 all from any to any in via "$net"


Now restart the TrueNAS server and you will see that your VPN device can access the TrueNAS LAN.
One thing I noticed is that some jails require an "arp -da" command to refresh the ARP mapping to allow access to the jail... it could be my network-specific issue, but if you're unable to reach the jail from within the TrueNAS LAN you could try this.
Create a cron job to refresh every hour: iocage exec <jail name> arp -da

Give it a try and let me know if it works for you.
 

anon4324239685

Dabbler
Joined
May 5, 2018
Messages
21
Can you access other IPs on your LAN? My specific problem is not really accessing the jail, but accessing my Hubitat hub inside my LAN. Can you ping any IP address inside your LAN when connecting through OVPN?
 

wootness

Dabbler
Joined
Apr 1, 2021
Messages
15
Can you access other IPs on your LAN? My specific problem is not really accessing the jail, but accessing my Hubitat hub inside my LAN. Can you ping any IP address inside your LAN when connecting through OVPN?
yes, pinging my LAN IP works while on OVPN.
 

wootness

Dabbler
Joined
Apr 1, 2021
Messages
15
btw, the above config routes all internet traffic through the TrueNAS VPN server, so the IP address of your client device will reflect the server's IP address. This is because of the push "redirect-gateway def1" option. I run Heimdall using Caddy to access all of my jails with a public domain using a TLS certificate, and when connecting via the VPN it would not load the website. So instead I chose to remove the redirect option above and instead added push "route 192.168.1.0 255.255.255.0" (where 192.168.1.0 is the network where the TrueNAS server exists) and push "dhcp-option DNS 192.168.1.1" (server-side gateway). Now I can access everything, both WAN and LAN, and Heimdall!
 

anon4324239685

Dabbler
Joined
May 5, 2018
Messages
21
Omg you're my savior it works! I did not have to schedule a cron job.
Now according to your last post, I could do the same modification to the route, and even use my pihole as DNS server!

Can you explain what the parameter duplicate-cn does?
 

wootness

Dabbler
Joined
Apr 1, 2021
Messages
15
Omg you're my savior it works! I did not have to schedule a cron job.
Now according to your last post, I could do the same modification to the route, and even use my pihole as DNS server!

Can you explain what the parameter duplicate-cn does?
It allows multiple users with the same certificate. I think I will remove that from the option as it could be a security risk.
 

anon4324239685

Dabbler
Joined
May 5, 2018
Messages
21
It seems I can't push my own DNS server in the config. Have you tried to push another DNS server other than the gateway (192.168.1.1)?
 

HunorR

Dabbler
Joined
Jun 30, 2022
Messages
13
I am struggling to configure OpenVPN to access the internet. I am receiving the DNS data from my Pi-hole docker, but I won't receive any ping response from outside of my TrueNAS.

My setup looks like this:

Router 192.168.101.1

Pi-hole 192.168.101.2 (located in TrueNAS docker)
TrueNAS server 192.168.101.5

VPN server 192.168.150.0/24

OpenVPN config
[three screenshots of the OpenVPN server configuration and static route were attached]

Is the static route not correct?
 

anon4324239685

Dabbler
Joined
May 5, 2018
Messages
21
I am struggling to configure OpenVPN to access the internet. I am receiving the DNS data from my Pi-hole docker, but I won't receive any ping response from outside of my TrueNAS.

My setup looks like this:

Router 192.168.101.1

Pi-hole 192.168.101.2 (located in TrueNAS docker)
TrueNAS server 192.168.101.5

VPN server 192.168.150.0/24

OpenVPN config
[three screenshots of the OpenVPN server configuration and static route were attached]

Is the static route not correct?
Your static route is /32 while your server is on /24
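As an added example (not code from this thread, nor from the TrueNAS or OpenVPN projects), the POSIX sh script below ties together wootness's recipe earlier in the thread and the /32-versus-/24 diagnosis in this reply. It checks that the VPN subnet is disjoint from the LAN, that the router's static route actually covers the whole VPN subnet rather than a single address, and only then fills the placeholders of the ipfw.rules file from validated values. The function names, the script name vpn_check.sh and the sample prefixes are assumptions of this example; the 192.168.101.0/24 LAN and 192.168.150.0/24 VPN values mirror HunorR's setup. The script touches nothing on the system and never calls ipfw itself.

```shell
#!/bin/sh
# Pre-flight checks for the OpenVPN-through-TrueNAS routing setup discussed in
# this thread. Added example, not TrueNAS or OpenVPN project code. Runs on any
# POSIX sh (including FreeBSD /bin/sh) and only validates the values you are
# about to type into the router's static route and the ipfw.rules file.

# ip2int A.B.C.D -> the address as a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) echo "bad octet: $oct" >&2; return 1 ;; esac
        [ "$oct" -le 255 ] || { echo "bad octet: $oct" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix2mask NN -> the netmask for a /NN prefix as a 32-bit integer.
prefix2mask() {
    case "$1" in ''|*[!0-9]*) echo "bad prefix: $1" >&2; return 1 ;; esac
    [ "$1" -le 32 ] || { echo "bad prefix: $1" >&2; return 1; }
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# cidr_contains OUTER INNER: succeeds if every address of INNER lies inside OUTER.
cidr_contains() {
    for c in "$1" "$2"; do
        case "$c" in */[0-9]*) ;; *) echo "expected a.b.c.d/nn, got '$c'" >&2; return 1 ;; esac
    done
    cc_onet=$(ip2int "${1%/*}") || return 1
    cc_inet=$(ip2int "${2%/*}") || return 1
    cc_omask=$(prefix2mask "${1#*/}") || return 1
    prefix2mask "${2#*/}" >/dev/null || return 1
    [ "${1#*/}" -le "${2#*/}" ] || return 1          # OUTER must be at least as wide
    [ $(( cc_onet & cc_omask )) -eq $(( cc_inet & cc_omask )) ]
}

# cidr_overlaps A B: two prefixes overlap exactly when the wider one contains the other.
cidr_overlaps() {
    cidr_contains "$1" "$2" || cidr_contains "$2" "$1"
}

# check_setup LAN_CIDR VPN_CIDR ROUTE_CIDR
#   LAN_CIDR   - the network TrueNAS sits on (what the VPN client must reach)
#   VPN_CIDR   - the "Server" setting of Services > OpenVPN Server
#   ROUTE_CIDR - destination of the static route on the router (gateway = TrueNAS)
# Prints one line per finding; returns 0 only when everything is consistent.
check_setup() {
    for c in "$1" "$2" "$3"; do
        cidr_contains "$c" "$c" 2>/dev/null || { echo "FAIL: malformed prefix '$c'"; return 1; }
    done
    cs_rc=0
    if cidr_overlaps "$1" "$2"; then
        echo "FAIL: VPN subnet $2 overlaps LAN $1; pick a VPN subnet that is disjoint from the LAN"
        cs_rc=1
    else
        echo "ok:   VPN subnet $2 and LAN $1 are disjoint"
    fi
    if cidr_contains "$3" "$2"; then
        echo "ok:   static route $3 covers the whole VPN subnet $2"
    else
        echo "FAIL: static route $3 does not cover $2 (a /32 routes one address; use the VPN subnet's own prefix)"
        cs_rc=1
    fi
    return $cs_rc
}

# render_ipfw_rules NIC VPN_CIDR: print the ipfw.rules body from the thread with
# the placeholders filled in, refusing malformed values before they reach rc.conf.
render_ipfw_rules() {
    case "$1" in ''|*[!a-z0-9.]*) echo "bad interface name: '$1'" >&2; return 1 ;; esac
    cidr_contains "$2" "$2" || return 1
    printf '%s\n' '#!/bin/sh' \
        'ipfw -q -f flush' \
        "ipfw -q nat 1 config if $1" \
        "ipfw -q add 0050 nat 1 all from $2 to any out via $1" \
        "ipfw -q add 0100 nat 1 all from any to any in via $1"
}

# Usage: sh vpn_check.sh LAN_CIDR VPN_CIDR ROUTE_CIDR
if [ $# -eq 3 ]; then
    check_setup "$1" "$2" "$3"
fi
```

Running `sh vpn_check.sh 192.168.101.0/24 192.168.150.0/24 192.168.150.0/32` reproduces the problem in this reply (the route check fails), while passing `192.168.150.0/24` as the route passes both checks. The rendered rule file is printed rather than written so you can diff it against your own /mnt/<pool>/ipfw.rules before pointing firewall_script at it.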
 