Bibi40k (Contributor; joined Jan 26, 2018; 136 messages)
Hi,
I am new to this community and I decided to mix info from the How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT and OpenVPN On FreeBSD 10.3 tutorials.
Please report any inconsistencies.
PS: I've also created a script to fully automate this process: Automatic install OpenVPN inside iocage Jail in FreeNAS all versions
change-log:
0.7 - 2020.01.29 - Added note that external LAN should be different than FreeNAS LAN.
0.6 - 2020.01.29 - Tested on FreeNAS-11.2-U7.
0.5 - 2018.10.14 - Added note that full restart is required sometimes
0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and test everything from scratch following all the steps
0.2 - 2018.02.17 - Beautify code and few more details
0.1 - 2018.02.16 - First release
Legend:
- Green text - should stay as it is
- Blue text - you may change it if you like
- Red text - needs to be changed by you
Requirements:
- FreeNAS 11.1-U1 - 11.2-U7 ( may also work with other versions )
- FreeNAS User with ssh access and sudo
- SSH Client ( PuTTY for Windows, Terminal for macOS )
- Admin access to the router where FreeNAS lives
- Own domain, a domain updated by DDNS, or a static IP
- Please follow this step-by-step tutorial before asking for help
- Home Network: 192.168.222.0/24 ( the LAN where your FreeNAS lives. Use a less common subnet at home than the usual defaults, to avoid address conflicts when connecting from outside )
- NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
- Domain: nas.mydomain.com
- VPN Server Port: 1194 UDP.
- VPN Outside Access Port: 1194 UDP
- Certificate Authority Password: Password1
- Bibi40k Client Certificate Password: Password2
3,2,1.. START
Use FreeNAS Web GUI
Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )
SSH to your FreeNAS box
Code:
% jls
   JID  IP Address      Hostname                      Path
   ...
     4                  OpenVPN                       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:
Get everything updated and install necessary apps
Code:
# pkg update
# pkg upgrade -y
# pkg install -y nano openvpn mpack
Create directories for OpenVPN
Code:
# mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/keys
Copy necessary files
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
# cd /usr/local/etc/openvpn/easy-rsa
# nano vars
if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
# * rsa
# * ec
#set_var EASYRSA_ALGO rsa
# Define the named curve, used in ec mode only:
#set_var EASYRSA_CURVE secp384r1
# In how many days should the root CA key expire?
set_var EASYRSA_CA_EXPIRE 3650
# In how many days should certificates expire?
set_var EASYRSA_CERT_EXPIRE 3650
Generate Keys
Code:
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki
Build Certificate Authority ( follow the prompts, using Password1 and a common name )
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt
Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Build Client Certificate ( use a unique name for each certificate; here Bibi40k with Password2, signed with the CA password Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Generate Diffie Hellman Parameters ( /usr/local/etc/openvpn/easy-rsa/pki/dh.pem )
Code:
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........+..........+..........+..........++*++*
DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
Generate the TA key
Code:
# openvpn --genkey --secret ta.key
Copy Keys Together
Code:
# cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
# cp ta.key /usr/local/etc/openvpn/keys/
# cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/
OpenVPN ( edit /usr/local/etc/openvpn/openvpn.conf )
Code:
# cd /usr/local/etc/openvpn/
# nano openvpn.conf
port 1194
proto udp
dev tun
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
push "route 192.168.222.0 255.255.255.0"
keepalive 10 120
# The second parameter should be '0'
# on the server and '1' on the clients.
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
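Once openvpn.conf is in place it is worth checking that the hardening directives this tutorial relies on are really active and not left as commented-out sample lines. The script below is an added example, not part of the original post or of the OpenVPN project: it lints a server config for tls-auth with direction 0, remote-cert-tls client, an explicit AES cipher, user/group nobody, and for the obsolete comp-lzo that the 0.4 changelog removed. The two sample configs it writes (the post's openvpn.conf and a constructed weak variant) are built by the script itself; the file name lint_openvpn.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: lint an OpenVPN server config for the
# hardening directives the post's openvpn.conf sets (tls-auth with direction 0,
# remote-cert-tls client, an explicit AES cipher, user/group nobody) and for the
# obsolete comp-lzo that the post's 0.4 changelog removed. Usage:
#   sh lint_openvpn.sh /usr/local/etc/openvpn/openvpn.conf
# With no argument it lints two constructed sample configs (see make_demo_configs).

# active_directives FILE: print only live directives. '#' and ';' comments,
# trailing blanks and empty lines are dropped, so a commented-out ";tls-auth"
# does not count as present.
active_directives() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d' "$1"
}

# _need REGEX MESSAGE: finding if no active line matches REGEX (extended syntax).
_need() {
    if ! printf '%s\n' "$_active" | grep -Eq "$1"; then
        printf 'MISSING: %s\n' "$2"; _n=$((_n + 1))
    fi
}

# _forbid REGEX MESSAGE: finding if some active line matches REGEX.
_forbid() {
    if printf '%s\n' "$_active" | grep -Eq "$1"; then
        printf 'REMOVE:  %s\n' "$2"; _n=$((_n + 1))
    fi
}

# lint_server_conf FILE: one line per finding on stdout; returns the finding count.
lint_server_conf() {
    _active=$(active_directives "$1")
    _n=0
    _need   '^tls-auth[[:space:]]+[^[:space:]]+[[:space:]]+0$' 'tls-auth <ta.key> 0 (HMAC check on the control channel)'
    _need   '^remote-cert-tls[[:space:]]+client$' 'remote-cert-tls client (peer must present a client certificate)'
    _need   '^cipher[[:space:]]+AES-' 'an explicit AES data-channel cipher (the post uses AES-256-CBC)'
    _need   '^user[[:space:]]+nobody$' 'user nobody (drop root after start-up)'
    _need   '^group[[:space:]]+nobody$' 'group nobody (drop root after start-up)'
    _forbid '^comp-lzo' 'comp-lzo (obsolete; removed from the post in 0.4)'
    return $_n
}

# make_demo_configs: write two constructed configs to a temp dir and print its path.
# openvpn.conf is the post's server config; weak.conf is the same role with the
# hardening directives commented out and compression left on.
make_demo_configs() {
    d=$(mktemp -d)
    cat >"$d/openvpn.conf" <<'EOF'
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.222.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
EOF
    cat >"$d/weak.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;tls-auth ta.key 0
;remote-cert-tls client
;cipher AES-256-CBC
;user nobody
;group nobody
comp-lzo
verb 3
EOF
    printf '%s\n' "$d"
}

if [ $# -ge 1 ]; then
    lint_server_conf "$1" && echo "no findings"
else
    DEMO=$(make_demo_configs)
    for f in openvpn.conf weak.conf; do
        printf '== %s\n' "$f"
        lint_server_conf "$DEMO/$f" && echo "no findings" || echo "$? finding(s)"
    done
    rm -rf "$DEMO"
fi
```

The exit status is the number of findings, so the script can sit in a deployment check: a non-zero status means the config differs from what the tutorial sets. Run inside the jail it needs only sed and grep, which the base system provides.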
Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/Bibi40k.conf
# nano Bibi40k.conf
client
dev tun
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
remote nas.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
verb 3
You can include everything in one file (useful on mobile and more convenient than keeping all certs apart)
Code:
client
dev tun
proto udp
remote mynas.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
add cert content here...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
add cert content here...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
add Bibi40k.key content here...
-----END ENCRYPTED PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
add ta.key content here...
-----END OpenVPN Static key V1-----
</tls-auth>
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
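Pasting four files into the inline blocks by hand is error-prone; the script below, an added example that is not part of the original post, builds the single-file profile from the file-based client config and the keys directory. It reads the ca, cert, key and tls-auth file names out of the config, replaces those four lines with the matching inline blocks, and turns the tls-auth direction into the key-direction directive the inline form needs. The demo input (the post's Bibi40k.conf plus placeholder PEM files) is constructed by make_demo_profile; the script name inline_profile.sh is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: assemble a single-file client
# profile from a file-based client config and its key material. Usage:
#   sh inline_profile.sh /usr/local/etc/openvpn/Bibi40k.conf /usr/local/etc/openvpn/keys Bibi40k.ovpn
# Without arguments it runs on a constructed demo tree and prints the result.

# directive_arg CONF NAME: print the first argument of directive NAME, or nothing.
directive_arg() {
    sed -n "s/^$2[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p" "$1" | head -n 1
}

# inline_profile CONF KEYDIR OUT: write the bundled profile to OUT (mode 0600).
# Fails before writing anything if one of the referenced files is missing.
inline_profile() {
    conf=$1; keydir=$2; out=$3
    ca=$(directive_arg "$conf" ca)
    cert=$(directive_arg "$conf" cert)
    key=$(directive_arg "$conf" key)
    ta=$(directive_arg "$conf" tls-auth)
    # the direction is the second tls-auth argument (1 on clients); default to 1
    dir=$(sed -n 's/^tls-auth[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}\([01]\).*/\1/p' "$conf")
    for f in "$ca" "$cert" "$key" "$ta"; do
        if [ -z "$f" ] || [ ! -r "$keydir/$f" ]; then
            printf 'inline_profile: cannot read %s in %s\n' "${f:-<unset>}" "$keydir" >&2
            return 1
        fi
    done
    {
        # every directive except the four file references survives unchanged
        grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$conf"
        printf 'key-direction %s\n' "${dir:-1}"
        for pair in "ca=$ca" "cert=$cert" "key=$key" "tls-auth=$ta"; do
            tag=${pair%%=*}; file=${pair#*=}
            printf '<%s>\n' "$tag"
            awk '{ print }' "$keydir/$file"   # awk always ends the file with a newline
            printf '</%s>\n' "$tag"
        done
    } >"$out"
    chmod 600 "$out"
}

# make_demo_profile: constructed input tree (the post's Bibi40k.conf plus
# placeholder PEM files standing in for easy-rsa output); prints its path.
make_demo_profile() {
    d=$(mktemp -d)
    mkdir "$d/keys"
    cat >"$d/Bibi40k.conf" <<'EOF'
client
dev tun
proto udp
remote nas.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA' '-----END CERTIFICATE-----' >"$d/keys/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT' '-----END CERTIFICATE-----' >"$d/keys/Bibi40k.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER-KEY' '-----END ENCRYPTED PRIVATE KEY-----' >"$d/keys/Bibi40k.key"
    # deliberately without a trailing newline, to show the awk handling above
    printf '%s\n%s\n%s' '-----BEGIN OpenVPN Static key V1-----' 'PLACEHOLDER-TA' '-----END OpenVPN Static key V1-----' >"$d/keys/ta.key"
    printf '%s\n' "$d"
}

if [ $# -eq 3 ]; then
    inline_profile "$1" "$2" "$3"
else
    demo=$(make_demo_profile)
    inline_profile "$demo/Bibi40k.conf" "$demo/keys" "$demo/Bibi40k.ovpn"
    cat "$demo/Bibi40k.ovpn"
    rm -rf "$demo"
fi
```

The resulting file carries the client's private key, so it is written with mode 0600 and should be moved to the device the same way the tar archive is in the last step. Note that the inline example in the post also carries auth-user-pass; the server config shown earlier defines no auth-user-pass-verify or plugin, so nothing on the server side checks those credentials and the line only adds a prompt on the client.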
Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add green text )
Code:
# nano /usr/local/etc/ipfw.rules
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
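The `grep epair` and `grep tun` lookups above assume the jail has exactly one interface of each kind. If the jail has none (vnet not enabled) or more than one, the variables end up empty or contain several names, and ipfw then receives a broken `nat 1 config if` line without any clear error. The script below is an added example, not the post's own ipfw.rules: it applies the same NAT rules but resolves the interface names through a check that fails loudly unless exactly one match exists. VPN_NET defaults to the post's 10.8.0.0/24; the guard on `$0` is an assumption that the file is installed as ipfw.rules, as in the post.

```shell
#!/bin/sh
# Added example, not the post's own ipfw.rules: the same NAT rules as the post,
# but the epair and tun names are resolved with a check that exactly one
# interface of each kind exists. Constructed interface lists are used for testing.

VPN_NET=${VPN_NET:-10.8.0.0/24}    # the post's client pool

# pick_iface LIST PREFIX: print the single interface in LIST (the output of
# `ifconfig -l`) whose name starts with PREFIX; return 1 if none, 2 if several.
pick_iface() {
    _found=""; _count=0
    for _ifn in $1; do
        case $_ifn in
            "$2"*) _found="$_found $_ifn"; _count=$((_count + 1)) ;;
        esac
    done
    case $_count in
        1) printf '%s\n' "${_found# }"; return 0 ;;
        0) printf 'pick_iface: no interface starts with %s\n' "$2" >&2; return 1 ;;
        *) printf 'pick_iface: %d interfaces start with %s:%s\n' "$_count" "$2" "$_found" >&2; return 2 ;;
    esac
}

# apply_rules: what the post's firewall_script does, using the checked names.
# Any lookup failure aborts before the existing rule set is flushed.
apply_rules() {
    _all=$(/sbin/ifconfig -l)
    epair=$(pick_iface "$_all" epair) || return $?
    tun=$(pick_iface "$_all" tun) || return $?
    ipfw -q -f flush
    ipfw -q nat 1 config if "$epair"
    ipfw -q add nat 1 all from "$VPN_NET" to any out via "$epair"
    ipfw -q add nat 1 all from any to any in via "$epair"
    ifconfig "$tun" name tun0
}

# Apply only when invoked as the firewall script itself (assumed to be installed
# as /usr/local/etc/ipfw.rules); when sourced, only the functions are defined.
case $0 in
    */ipfw.rules|ipfw.rules) apply_rules ;;
esac
```

Because the flush happens after both lookups succeed, a jail with a second epair keeps its previous rules instead of being left with the default allow-all rule and no NAT; the error on stderr ends up in the jail's console log when rc runs the script.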
More configuration ( edit /etc/rc.conf and add green text at the end of the file )
Code:
# nano /etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Setup Logging ( edit /etc/syslog.conf )
Code:
# nano /etc/syslog.conf
!ppp
*.* /var/log/ppp.log
!openvpn
*.* /var/log/openvpn.log
!*
Setup log rotation ( edit /etc/newsyslog.conf )
Code:
# nano /etc/newsyslog.conf
/var/log/weekly.log 640 5 * $W6D0 JN
/var/log/xferlog 600 7 100 * JC
/var/log/openvpn.log 600 30 * @T00 ZC
Use FreeNAS Web GUI
Jails -> Select OpenVPN Jail -> Restart
Note: sometimes it is necessary to restart the whole FreeNAS server, because the routes are only built properly after a full restart.
SSH to your FreeNAS box and make some checks
Code:
% jls
   JID  IP Address      Hostname                      Path
   ...
     5                  OpenVPN                       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
# sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    64842 7  udp46  *:1194                *:*
root     syslogd    64803 7  udp4   *:514                 *:*
Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com