OpenVPN working "Almost!!"

Glen62

Cadet
Joined
Mar 9, 2021
Messages
6
New to the network world other than basic configs and have been trying to get OpenVPN Server up and running on TrueNAS 12.0-U2 for a connection to my iPhone. Followed an online tutorial recently and am now able to create the connection from my server to the iPhone from outside of my network. I am able to ping my phone from within shell of the NAS, however I can't ping anything from my phone back to the NAS. I have tried a bunch of different things found online, but so far have not hit on the correct settings to give me access into the NAS from phone. OpenVPN is not installed in a jail as it seems to be built into the v12 releases. The tunnel opens up almost immediately when I connect from phone. I can access the NAS files via my phone if I am inside my network on Wi-Fi, which is what I would expect. When I am outside the network and I use my phone's file app to scan for network devices, it sees the NAS, but cannot connect to it. I'm not sure if I need to have a dedicated routing on the server, or my router, or something else. The things that I have tried so far have not worked or at least appear to have not worked. Not sure exactly what I am missing, although I am pretty certain that this is supposed to work. What else, DDNS is set up and configured and forwards as it should, 1194 port is forwarded.
Lost and stuck for the moment. Hopefully someone will have an A-ha moment and be able to direct me to the answer. I don't need access to my entire network via my phone, only the pools that are residing on TrueNAS. I also don't require CLI access of the NAS as anything that needs to be done for maintenance can be done locally. I'm sure that I have left out vital information required for a possible solution, so if anyone needs more, please let me know. Thanks for any assistance and direction.
 
Joined
Jan 7, 2015
Messages
1,155
Sounds like a networking issue. I just spent a few minutes looking at the built-in OpenVPN server settings, and I suspect you might be using an IP within your subnet as the server address. In this box you'll want to use an IP outside of your subnet. For instance, if your IP scheme for your network is 192.168.1.0/24, in the server box for OpenVPN use something different such as 192.168.111.111/24. This is the network that the tunnel will use. This is just a hunch. Post your output of ifconfig with the tunnel active, and your OVPN server settings (redact any keys).
 

Glen62

Hi John. I ran ipconfig from one of my main computers on the internal system and there is nothing indicating that I have a tunnel connected from the TrueNAS out of my network. The only thing showing is the interface of the computer itself. Same report with and without the connection. Unless I'm missing something, that's what I expected. I did try ipconfig in the TrueNAS shell, even though I knew it wouldn't work, and it didn't. I've attached the two snips as requested and hopefully they are what you are looking for. FYI, my TrueNAS is sitting at 10.0.0.165, and the OpenVPN client on my iPhone is showing as 10.9.0.2 upon connection. Thanks for your assistance.
 

Attachments: Snip1.PNG, Snip2.PNG
Joined
Jan 7, 2015
Messages
1,155
Glen62 said: "When I am outside the network and I use my phone's file app to scan for network devices, it sees the NAS, but cannot connect to it. I'm not sure if I need to have a dedicated routing on the server, or my router, or something else."
This sounds like you are trying to browse file shares. If this is the case you might need to add the IP scheme 10.9.0.0 to the allowed list in share configuration depending on existing configuration. Are there any hints in the terminal screen? Share logs? OpenVPN logs? Might just scan for the word error and warning. This could be failed connect attempts or similar.

Glen62 said: "I did try ipconfig in the TrueNAS shell, even though I knew it wouldn't work, and it didn't."
The command in Unix is ifconfig, but if your phone gets the correct 10.9.0.0 address I suspect it will check out.
 
Joined
Jan 7, 2015
Messages
1,155
What happens if you open Safari over 4G/5G and try to go to the FreeNAS GUI with the tunnel active, http://10.0.0.165? Does it produce the GUI?
 

Glen62

Hi John,
So the ifconfig (Thanks.) listing changes by one line when connected, see attached, it is the last line only. Yes, I am trying to access the SMB shares that are on my NAS. They are fully accessible from within the network. When I use the iPhone file browser app, it does the redirect via the DDNS and gets to my external IP address and then shows "connect failed. socket timed out". Nothing else is showing as far as logs that I can find nor any other errors.
I don't have Safari on my phone as I use Google, and when I enter the NAS address, it comes back after a while and says that it timed out. From what I have read about others having similar issues, the addition of the address sounds like it might be the answer, just not certain exactly where to stick it. So far my attempts have been useless when trying to enter re-directs/forwards. Once again thanks.
 

Attachments: Snip3.PNG
Joined
Jan 7, 2015
Messages
1,155
OK, so this all seems legit as predicted. My last working theory is you need to get the routes pushed to the clients so they know where to go. In additional parameters in Ovpn server do these.

local 10.0.0.165
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.165 255.255.255.0 10.9.0.1
push "dhcp-option DNS 10.0.0.165"

Then regenerate your client config (or edit the existing one), deploy it and test.

After looking around the forums, it seems several have had the same issues as you, where it connects but you can't get to the internal LAN. There are several bug reports for it. I'd tried setting it up to test and I can't get it to start, but I didn't try very hard. So it seems to be a work in progress.
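
The checks discussed in this thread (tunnel subnet outside the LAN, valid route lines, a pushed route that reaches the NAS) as an offline lint; this is an added example, not part of any poster's message and not TrueNAS code. The `server 10.9.0.0 255.255.255.0` line, the `lint` helper name and the 10.0.0.0/24 LAN are assumptions; the other sample lines are the ones posted above.

```python
import ipaddress

# Constructed sample: the additional parameters posted above, plus a `server`
# line assumed from the 10.9.0.2 address the iPhone client received.
SAMPLE_CONFIG = '''\
server 10.9.0.0 255.255.255.0
local 10.0.0.165
push "route 10.0.0.0 255.255.255.0"
route 10.0.0.165 255.255.255.0 10.9.0.1
push "dhcp-option DNS 10.0.0.165"
'''

def lint(config, lan_cidr, target_ip):
    """Hypothetical helper: list routing problems in an OpenVPN server config."""
    lan = ipaddress.ip_network(lan_cidr)
    target = ipaddress.ip_address(target_ip)
    findings, pushed = [], []
    for raw in config.splitlines():
        line = raw.split("#")[0].strip()
        is_push = line.startswith("push ")
        if is_push:
            line = line[5:].strip().strip('"')
        tok = line.split()
        if len(tok) < 3 or tok[0] not in ("server", "route"):
            continue
        try:
            # Strict parsing rejects an address/netmask pair with host bits set.
            net = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        except ValueError as exc:
            findings.append(f"{line}: {exc}")
            continue
        if tok[0] == "server" and net.overlaps(lan):
            findings.append(f"tunnel subnet {net} overlaps LAN {lan}")
        elif tok[0] == "route" and is_push:
            pushed.append(net)
        elif tok[0] == "route" and net.overlaps(lan):
            findings.append(f"server-side route {net} covers the server's own LAN")
    if not any(target in n for n in pushed):
        findings.append(f"no pushed route covers {target}")
    for n in pushed:
        if target in n and n.num_addresses > 1:
            findings.append(f"pushed {n} routes {n.num_addresses} addresses "
                            f"into the tunnel, not only {target}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG, "10.0.0.0/24", "10.0.0.165"):
        print(finding)
```

On the sample it reports the `route 10.0.0.165 255.255.255.0` line (host bits set) and notes that the pushed /24 is wider than the single NAS address the original poster said he needs.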
 

Glen62

Well I had my fingers crossed, but no joy. I modified the server parameters, saved them and then regenerated the client config file. Restarted the server and then imported the config file to my iPhone. Still getting "can't find server" error. While typing this I saw your follow-up post so I will give that a try and see what results. Thanks.
 
Joined
Jan 7, 2015
Messages
1,155
Yw, good luck with it. My Ovpn runs out of a jail, and it was tricky to get going too. Stick with it, you'll get it.
 
Joined
Jan 7, 2015
Messages
1,155
So also, in the client config you need to edit the remote line to say your domain name; it's likely your IP now.
 

zgn

Cadet
Joined
Mar 8, 2022
Messages
7
This video worked for me, although I am unable to get more than one connection at a time to work.
Every connection assigns the exact same IP.
 