Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
This guide is completely different from how I set up openvpn before. There were no keys to monkey with. Is this set up to be a VPN host or something rather than a client connecting to a commercial VPN service?

That said, I'm doing it now (basically like I did before, but for an iocage jail) and I'm having the same problem - openvpn can't set up tun. "Allow_tun" is checked in the GUI, and iocage get allow_tun transmission (done outside the jail) returns "1". But it doesn't work:
Code:
[root@transmission /]# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Sat Jun 15 07:22:37 2019 WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Sat Jun 15 07:22:37 2019 OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 16 2019
Sat Jun 15 07:22:37 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Sat Jun 15 07:22:37 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.15:1198
Sat Jun 15 07:22:37 2019 UDP link local: (not bound)
Sat Jun 15 07:22:37 2019 UDP link remote: [AF_INET]172.98.67.15:1198
Sat Jun 15 07:22:37 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jun 15 07:22:37 2019 [c9e61282bd3890094fe6963204d16803] Peer Connection Initiated with [AF_INET]172.98.67.15:1198
Sat Jun 15 07:22:38 2019 GDG: problem writing to routing socket
Sat Jun 15 07:22:38 2019 Cannot allocate TUN/TAP dev dynamically
Sat Jun 15 07:22:38 2019 Exiting due to fatal error
 

Bigsby

Dabbler
Joined
Jun 11, 2019
Messages
17
This guide is completely different from how I set up openvpn before. There were no keys to monkey with. Is this set up to be a VPN host or something rather than a client connecting to a commercial VPN service?...

Yes this is to run a VPN server (host) on your freenas box in order to let clients connect in
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
Ahh, that explains it, thanks. It would be good if the OP started with that, otherwise newbies may try to follow it to set up a VPN client.
 

Bigsby

Dabbler
Joined
Jun 11, 2019
Messages
17
Ahh, that explains it, thanks. It would be good if the OP started with that, otherwise newbies may try to follow it to set up a VPN client.
Yer to be fair it isn't made clear in the original post so I can see how it could be confusing
 

TidalWave

Explorer
Joined
Mar 6, 2019
Messages
51
Hey guys,

I've got the OpenVPN server set up in the FreeNAS jail. I've configured everything and it works! My only problem is that I want my server to be able to see the devices behind my client computer. Right now I have Tunnelblick on a Mac laptop which is connected to a switch and Wi-Fi.

I can ping the laptop on the 10.8.0.6 address and I can even ping the laptop on the 172.35.10.33 address (which is the LAN network), but I can't ping 172.35.10.100 (the HP switch) which is directly connected to the laptop.

I've turned on the iroute statements in the ccd file, and added the route and push route commands correctly, I've also added the client-to-client configuration to make sure that the OpenVPN server allows the request through.

I can see from Wireshark that my laptop is receiving the ping requests from 10.8.0.1 to 172.35.10.100 but there is no response. I assume because I need to set up some sort of route, or configuration file (maybe a firewall NAT rule?), I don't know. But I need my OpenVPN server to be able to see the switch behind my Mac laptop, which is hardwired into a switch and connected to the VPN via Wi-Fi. Please help!!! Everything else works great, I just need to see the switch from the VPN network.

*EDIT* So I was able to get this working. I had to enable the firewall on the Mac mini and add a rule to push traffic from the 10.8 network to the interface the HP switch is located on.

Now I'm just trying to get the syslog working. Also it says the log is set to a weekly rotation, what does that mean?

I'm running version 11.2 and I had to do some crazy stuff to get the OpenVPN service to start. I think it was related to the tun virtual interface; I had to add a line of configuration which must have changed from version 11.1 to 11.2.

Anyways, does anyone know how to get the syslog to work on version 11.2? When I run sockstat I only see the openvpn server running and not the syslog service.

EDIT: I got everything to work, but boy oh boy, did it take a lot of determination.
 

Mikelo88

Cadet
Joined
Jul 28, 2019
Messages
1
Hi,
Thank you for your details.
I am trying to set up the OpenVPN server accordingly, but I am confused about what I should put down for the "virtual LAN between VPN clients and my LAN". Below is what you put down for this value, which is 10.8.0.0/24:

NAT Network: 10.8.0.0/24 (virtual LAN between VPN clients and your LAN)


My current home network setup is pretty simple: just the router connected to the modem, and that's all. No switch or other stuff in between.

Please advise and your support is much appreciated. Thank you
 
Joined
Oct 22, 2019
Messages
1
Awesome, got it working on 11.2. And here's what was driving me nuts, apparently from a change in this version. The trick is:
In the GUI, go to Jails > Edit > Custom Properties, and check the box for allow_tun. Fixed!

And thanks very much for your awesome guide!
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
Dear FreeNasers
I'm trying to follow this tutorial to the letter from the beginning and have spent several hours thus far. I have got to the part:
SSH to your FreeNAS box and make some checks

I get the same output for # ipfw list:
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any

But my root entry for the other command isn't showing:
# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 8321 7 udp46 *:1194 *:*

The OpenVPN jail is up and I have tried rebooting several times in the hope of reproducing the sockstat output with root included from the original post, but with no success.
I would be very grateful for the support of you all in helping me get this working. I'm happy to follow any and all instructions!
nikinp
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
root syslogd - this shouldn't affect OpenVPN; it is the logging service. OpenVPN seems to be good to go.

Have you tried connecting ?
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
Hi Bibi40k - great to have your reply here. Much appreciated, I know you are busy.

I am using the OpenVPN Windows client. I copied all emailed files (nikinp.conf renamed to nikinp.ovpn) to the suggested folder.
This is the message from the OpenVPN client.

Tue Jan 21 05:45:00 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Jan 21 05:45:00 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Jan 21 05:45:00 2020 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Tue Jan 21 05:45:00 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Jan 21 05:45:00 2020 Need hold release from management interface, waiting...
Tue Jan 21 05:45:01 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'state on'
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'log all on'
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'echo all on'
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'bytecount 5'
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'hold off'
Tue Jan 21 05:45:01 2020 MANAGEMENT: CMD 'hold release'
Tue Jan 21 05:45:15 2020 MANAGEMENT: CMD 'password [...]'
Tue Jan 21 05:45:15 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Jan 21 05:45:15 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 21 05:45:15 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 21 05:45:15 2020 MANAGEMENT: >STATE:1579585515,RESOLVE,,,,,,
Tue Jan 21 05:45:15 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]86.186.84.232:443
Tue Jan 21 05:45:15 2020 Socket Buffers: R=[65536->65536] S=[64512->64512]
Tue Jan 21 05:45:15 2020 UDP link local: (not bound)
Tue Jan 21 05:45:15 2020 UDP link remote: [AF_INET]86.186.84.232:443
Tue Jan 21 05:45:15 2020 MANAGEMENT: >STATE:1579585515,WAIT,,,,,,
Tue Jan 21 05:46:15 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Jan 21 05:46:15 2020 TLS Error: TLS handshake failed
Tue Jan 21 05:46:15 2020 SIGUSR1[soft,tls-error] received, process restarting

And continues in this loop.
Just one aside: in the setup I included a DDNS as the domain, but I realised that I haven't put that DDNS anywhere into my router setup. I am now wondering if this is the problem, but if my router doesn't support DDNS, what do I need to go back and change in the config?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
You're trying to connect to port 443, and TLS key negotiation failed (misconfigured).
So, I don't know what your settings are and how you followed this tutorial.

Try to compare your server openvpn.conf file with this one:
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

and your openvpn client with this one:
client
dev tun
proto udp
remote nas.mydomain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
verb 3

And generate the certs as suggested and make sure you include them when connecting, and it should work.
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
This is what I have for openvpn.conf

port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


The only difference I can see is that I have this, which I thought I was supposed to set to the IP address of my LAN:
push "route 192.168.0.0 255.255.255.0"


For client file I have:
client
dev tun
proto udp
remote nikin.duckdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert nikinp.crt
key nikinp.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

On this, the differences I see are:
1. the use of my DNS address - which, as I say, I haven't put anywhere into my router setup. I am now wondering if this is the problem, but if my router doesn't support DDNS, what do I need to go back and change in the config?
2. The commented-out lines:
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1

Otherwise they look the same to me, and these were used to create the certificates. Your continued help is much appreciated.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
You should use "remote nikin.duckdns.org 1194" because your server runs on 1194. Did you forward this port on your router?
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
You should use "remote nikin.duckdns.org 1194" because your server runs on 1194. Did you forward this port on your router?

Hi Bibi40k,
I am confused by your last message. I have been following your original instructions, and in that I thought on the router you forwarded local port UDP 1194 to external port UDP 443 (which I have done).

So for that reason your OpenVPN server file references 1194, and the client file has "remote nikin.duckdns.org 443", which I thought is exactly what you have in your client file.
Thanks again for your help here.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I've never used port 443; it was copied from the source tutorial. I use 1194 on both sides.

as a user said:
"For the port I am not doing what the other authors are doing, they have the right idea for security. This also might let them use their VPN behind a corporate firewall that doesn't have as many blocks on the common HTTPS port 443.

They choose to open 443 and redirect it from the router to an internal port of say 11001 or 1194 in the router configuration. This depends on your router but nothing is stopping you from setting the external port to 1194 and the internal port to 1194 as well."

Another thing ... do you have all those keys and certs you reference in the client config? Are they in the same location so they can be read?
ca ca.crt
cert nikinp.crt
key nikinp.key
tls-auth ta.key 1

You can also include them in one single file (which you can also use on your mobile phone):

client
dev tun
proto udp
remote mynas.com 11941
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
kjnijnin..
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
jnjnijnin...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
ojjkjnkjn...
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
jnnknkjnknh...
-----END OpenVPN Static key V1-----
</tls-auth>

# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
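The three things the reply above asks the client to check (every referenced file present beside the profile or supplied inline, the tls-auth direction complementing the server's 0, and the client's remote port matching the router's forward rule) as an added Python example; this is not code from the thread or from OpenVPN, and the sample configs, file list and router mapping are constructed.

```python
import re

# Constructed sample inputs (not the thread's real files): the server config
# from the reply above and a client profile that still points at port 443.
SERVER_CONF = """\
port 1194
tls-auth /usr/local/etc/openvpn/keys/ta.key 0  # server side is direction 0
"""
CLIENT_CONF = """\
client
remote nikin.duckdns.org 443
ca ca.crt
cert nikinp.crt
key nikinp.key
tls-auth ta.key 1
"""
FILE_OPTIONS = ("ca", "cert", "key", "tls-auth")

def parse(conf):
    """Map option -> list of argument lists; an inline <ca>...</ca> block is
    recorded as option 'ca' with the single argument '<inline>'."""
    opts, inline = {}, None
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments (PEM has no '#')
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag:
            inline = None if tag.group(1) else tag.group(2)
            if inline:
                opts.setdefault(inline, []).append(["<inline>"])
        elif inline is None:  # lines inside a <tag> block are PEM body, skipped
            words = line.split()
            opts.setdefault(words[0], []).append(words[1:])
    return opts

def check_client(client_conf, server_conf, present_files, forward):
    """Return findings; forward = (router external port, internal port)."""
    c, s, findings = parse(client_conf), parse(server_conf), []
    for opt in FILE_OPTIONS:  # 1. referenced files must sit beside the profile
        for args in c.get(opt, []):
            if args[0] != "<inline>" and args[0] not in present_files:
                findings.append(f"{opt}: file '{args[0]}' not found beside the profile")
    srv_dir = s.get("tls-auth", [["", None]])[0][-1]  # 2. server 0 pairs with client 1
    if c.get("tls-auth") and srv_dir is not None:
        args = c["tls-auth"][0]  # inline key needs a separate key-direction line
        cli_dir = args[-1] if args[0] != "<inline>" else c.get("key-direction", [[None]])[0][0]
        if cli_dir != {"0": "1", "1": "0"}.get(srv_dir):
            findings.append(f"tls-auth direction {cli_dir} does not complement server direction {srv_dir}")
    remote = c.get("remote", [[None]])[0]  # 3. ports must match the forward rule
    cli_port = remote[1] if len(remote) > 1 else "1194"  # OpenVPN default port
    if cli_port != str(forward[0]):
        findings.append(f"client remote port {cli_port} != router external port {forward[0]}")
    if s.get("port", [["1194"]])[0][0] != str(forward[1]):
        findings.append(f"server port != router internal port {forward[1]}")
    return findings

if __name__ == "__main__":  # ta.key present, nikinp.key missing, forward 1194 -> 1194
    for f in check_client(CLIENT_CONF, SERVER_CONF, {"ca.crt", "nikinp.crt", "ta.key"}, (1194, 1194)):
        print("FINDING:", f)
```

A client whose findings list is empty can still fail with "TLS key negotiation failed to occur within 60 seconds" if the router forward itself is absent; the checker only compares what the two configs say against the mapping you tell it about.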
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
I started again from scratch. Port forwarding external UDP 1194 to internal 1194.
DNS on FreeNAS using nikin.duckdns.org.

This is what I have for openvpn.conf

port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

For client file (nikinp.conf) I have:

client
dev tun
proto udp
remote nikin.duckdns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert nikinp.crt
key nikinp.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3

I emailed the files and put them all in the config folder for OpenVPN (windows client) to read. The files are:
ca.crt
nikinp.crt
nikinp.key
nikinp.ovpn (renamed from conf file)
ta.key

Here is the messaging from OpenVPN:
Sun Jan 26 21:47:04 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Sun Jan 26 21:47:04 2020 Windows version 6.1 (Windows 7) 64bit
Sun Jan 26 21:47:04 2020 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Sun Jan 26 21:47:04 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 26 21:47:04 2020 Need hold release from management interface, waiting...
Sun Jan 26 21:47:05 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'state on'
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'log all on'
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'echo all on'
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'bytecount 5'
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'hold off'
Sun Jan 26 21:47:05 2020 MANAGEMENT: CMD 'hold release'
Sun Jan 26 21:47:08 2020 MANAGEMENT: CMD 'password [...]'
Sun Jan 26 21:47:08 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jan 26 21:47:08 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 26 21:47:08 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 26 21:47:08 2020 MANAGEMENT: >STATE:1580075228,RESOLVE,,,,,,
Sun Jan 26 21:47:09 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]86.186.84.232:1194
Sun Jan 26 21:47:09 2020 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 26 21:47:09 2020 UDP link local: (not bound)
Sun Jan 26 21:47:09 2020 UDP link remote: [AF_INET]86.186.84.232:1194
Sun Jan 26 21:47:09 2020 MANAGEMENT: >STATE:1580075229,WAIT,,,,,,
Sun Jan 26 21:48:09 2020 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 26 21:48:09 2020 TLS Error: TLS handshake failed
Sun Jan 26 21:48:09 2020 SIGUSR1[soft,tls-error] received, process restarting

What am I doing wrong?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Yes, it looks like it has connected.
You access shares as if you were on the local network, using whichever protocol you set up: SMB, AFP, FTP, etc.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Anyway... it was proved again that this tutorial works, but you don't read, like others, and you want others to read for you.
This is not a "how to use a computer" learning class... what are those questions??? How do I now access shares etc.?

Please respect others' personal time and START READING!
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
Anyway... it was proved again that this tutorial works, but you don't read, like others, and you want others to read for you.
This is not a "how to use a computer" learning class... what are those questions??? How do I now access shares etc.?

Please respect others' personal time and START READING!
Dear Bibi40k,
Thank you for your support in getting to this point. I did read your post very carefully, but I think I got tripped up by the difference in ports in your original post.

Sometimes you spend so many hours trying to get to a point that you then just want to see daylight by getting some use out of it (e.g. accessing shares).
Thanks again for your and others' continued contributions to this community.
 