Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Of course the IP has not been changed, because I set that on purpose. I don't want to route all my traffic through my home; I just want to access resources via a secure tunnel. If you need that, you must add some settings to openvpn.conf. You need to read the documentation for that.

Your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
 

Iong Wong

Dabbler
Joined
Feb 15, 2020
Messages
13
Of course the IP has not been changed, because I set that on purpose. I don't want to route all my traffic through my home; I just want to access resources via a secure tunnel. If you need that, you must add some settings to openvpn.conf. You need to read the documentation for that.
Oh, I get it. What do I need to add to the .conf?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Glad to hear that. If you found the solution for your problem, please share it so I can add it to the script (some time later).
 

Iong Wong

Dabbler
Joined
Feb 15, 2020
Messages
13
Glad to hear that. If you found the solution for your problem, please share it so I can add it to the script (some time later).
To route all traffic:
Add
push "redirect-gateway def1"
to openvpn.conf on the server, then add
redirect-gateway def1
to your OVPN profile.
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
Hello @Bibi40k - Fantastic work. It worked almost great :) on the first attempt. I mean I might not have noticed, but when creating the jail I did it by CLI and I missed the TUN enable. It took me a while to identify, but going to JAILS --> Custom I clicked on allow_tun, restarted and voilà.



I am now facing some challenges routing all web traffic over it, but this is not my main goal, so I will read more (also test the setup just above) and, if successful, I will report here.

Once again, thank you so much for your patience in putting this guide together.

Marcelo
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
Routing config is just 2 posts above :)
Yeah, I saw it and tested it. It didn't work :( . As mentioned, this is not critical to me, but now I became curious. I will learn a bit more about this configuration - I am sure I have missed something :)
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
Still unable to reach the internet when connected. I might be interpreting some documentation in an incorrect way, but here is my understanding (also note I am new to this FreeNAS world):
Once you are connected, your device gets the IP 10.0.8.x and is able to reach anything on 192.168.0.x (yes, I know this is not recommended and I plan to change this setup later). To reach the internet, the client must be redirected to 192.168.0.1 (default gateway) and reach DNS etc.
I do not know exactly where the IPFW is placed (I assume this firewall is placed between port 1194 (entry point) and the network). It seems to be working as expected.
When my profile Marcelo.ovpn reaches the box, the server configuration openvpn.conf gives the overall setup, while Marcelo.conf makes the specifics for this particular user.
Below is my configuration. I am running it in a FreeNAS 11.3 jail and I just keep the values active (not commented) as in the example @Bibi40k has given in the guide.

openvpn.conf:
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
verb 3
explicit-exit-notify 1

Marcelo.conf:
client
dev tun
proto udp
remote mydomainXYZ.com 1194
nobind
persist-key
persist-tun
ca ca.crt
cert Marcelo.crt
key Marcelo.key
tls-auth ta.key 1
cipher AES-256-CBC
push "redirect-gateway def1"
verb 3

Marcelo.ovpn:
client
dev tun
proto udp
remote mydomainXYZ.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
redirect-gateway def1
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
# Act as Gateway: Uncomment only if you need this
dhcp-option DNS 192.168.0.1
redirect-gateway def1

I have tried a few combinations of openvpn.conf and Marcelo.conf. After every change a jail restart is done, and also a full server restart. While I was putting this table together I noticed openvpn.conf has push "route 192.168.0.0 255.255.255.0", and I will also try push "route 192.168.0.1 255.255.255.0" to see if that works.

By the way, I destroyed this jail and created a new one using the automatic script. I was unable even to connect, as I was getting an HMAC error. After a couple of days trying, I decided to destroy it again and build a new one item by item as per the original guide, and it worked perfectly. I am 100% sure the automatic script works and it might be something on my machine that caused the failure, but I am not yet at the level to do such an investigation to find the problem.
Any guidance/help or documentation to read will be welcome.
Thanks.
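The routing instructions a few posts up (push "redirect-gateway def1" on the server, redirect-gateway in the profile) and the three files posted above are worth linting before restarting the jail yet again. The checker below is an added example written for this thread; it is not code from the guide, from the script, or from any poster. It parses an OpenVPN server config and a unified .ovpn profile (the two sample strings are constructed copies of the configs above, trimmed to the directives that matter and with the PEM bodies left out) and reports the full-tunnel pitfalls a reviewer looks for: a server-only directive such as push sitting in a client profile, redirect-gateway pushed without a dhcp-option DNS push (a client whose resolver lives on its local LAN loses name resolution once its default route enters the tunnel), the same redirect-gateway pushed twice, a pushed route whose target has host bits set (192.168.0.1 255.255.255.0 instead of 192.168.0.0), a tls-auth key direction that is the same on both ends, and a client that does not pin the server role with remote-cert-tls server. The directive names are real OpenVPN options; the checks and their wording are my own.

```python
import ipaddress

# Directives only the server reads; in a client profile they are ignored at best.
SERVER_ONLY = {"push", "server", "client-config-dir", "dh", "client-to-client"}
# Inline blocks of a unified profile whose bodies are PEM, not directives.
PEM_BLOCKS = {"ca", "cert", "key", "dh", "tls-auth", "tls-crypt"}


def parse_config(text):
    """Return [(directive, [args])]; drops comments, blank lines and PEM block bodies."""
    directives, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("<") and line.strip("<>/") in PEM_BLOCKS:
            in_block = not line.startswith("</")  # entering or leaving a PEM block
        elif not in_block:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def pushed_options(server):
    """push "route 10.0.0.0 255.0.0.0" -> ("route", ["10.0.0.0", "255.0.0.0"])."""
    out = []
    for name, args in server:
        if name == "push" and args:
            inner, *rest = " ".join(args).strip('"').split()
            out.append((inner, rest))
    return out


def key_direction(directives):
    """tls-auth key direction: second argument of tls-auth, or a key-direction line."""
    for name, args in directives:
        if name == "tls-auth" and len(args) >= 2:
            return args[1]
        if name == "key-direction" and args:
            return args[0]
    return None


def check(server_text, client_text):
    """Human-readable findings for a server config / client profile pair."""
    server, client = parse_config(server_text), parse_config(client_text)
    pushed = pushed_options(server)
    findings = []
    for name, _ in client:
        if name in SERVER_ONLY:
            findings.append(f"client: '{name}' is a server-side directive and does nothing in a client profile")
    redirects = [a for n, a in pushed if n == "redirect-gateway"]
    if redirects and not any(n == "dhcp-option" and a and a[0].upper() == "DNS" for n, a in pushed):
        findings.append("server: redirect-gateway is pushed without a 'dhcp-option DNS' push; a client whose "
                        "resolver is on its local LAN loses name resolution once its default route enters the tunnel")
    if len(redirects) > 1:
        findings.append(f"server: redirect-gateway is pushed {len(redirects)} times; one line is enough")
    for n, a in pushed:
        if n == "route" and len(a) >= 2:
            try:
                ipaddress.ip_network(f"{a[0]}/{a[1]}")  # strict by default: host bits must be zero
            except ValueError:
                net = ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
                findings.append(f"server: pushed route {a[0]} {a[1]} has host bits set; the network is {net.network_address}")
    s_dir = key_direction(server)
    if s_dir is not None and s_dir == key_direction(client):
        findings.append(f"tls-auth key direction is {s_dir} on both sides; the server uses 0, clients 1")
    if not any(n == "remote-cert-tls" and a == ["server"] for n, a in client):
        findings.append("client: no 'remote-cert-tls server'; any CA-signed certificate, another client's "
                        "included, would be accepted as the server")
    return findings


# Constructed samples: the server config and the .ovpn profile posted above,
# trimmed to the directives that matter here, PEM bodies omitted.
SERVER_CONF = """\
port 1194
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
"""

CLIENT_OVPN = """\
client
remote mydomainXYZ.com 1194
remote-cert-tls server
cipher AES-256-CBC
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
"""
```

Run against the posted pair, check(SERVER_CONF, CLIENT_OVPN) returns exactly two findings: the duplicate redirect-gateway push and the missing DNS push. Whether the missing DNS push is the cause of any one phone's "site cannot be reached" depends on where that phone's resolver is, so treat it as the first thing to rule out, not a diagnosis.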
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
What do you mean by "Still unable to reach internet when connected"? I thought you wanted to route everything through your home IP via VPN.

You can put IPFW anywhere you like inside jail (default /usr/local/etc/ipfw.rules ) as long as you load it in /etc/rc.conf with firewall_script="/usr/local/etc/ipfw.rules"
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
What do you mean by "Still unable to reach internet when connected"? I thought you wanted to route everything through your home IP via VPN.

You can put IPFW anywhere you like inside jail (default /usr/local/etc/ipfw.rules ) as long as you load it in /etc/rc.conf with firewall_script="/usr/local/etc/ipfw.rules"
Yes, I have done that and the IPFW seems ok.

root@OpenVPN:/usr/local/etc/openvpn # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
root@OpenVPN:/usr/local/etc/openvpn # sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 44644 7 udp46 *:1194 *:*
root@OpenVPN:/usr/local/etc/openvpn #

When I connect from my mobile, I can reach my internal network without a problem; however, if I try to reach google.com for example from my phone, I get "this site cannot be reached" in the browser. The system is assigning 10.8.0.4 to my device when connected. What seems to be missing is a "route" from network 10.8.0.x to network 192.168.0.x so the traffic can flow back and forth.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Run this inside the jail: tail -f /var/log/openvpn.log
Then connect to the VPN, try to access google.com and check the log to see what happens.


also please export jail config (from FreeNAS) and post it here:
iocage get --all OpenVPN
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
Run this inside the jail: tail -f /var/log/openvpn.log
Then connect to the VPN, try to access google.com and check the log to see what happens.


also please export jail config (from FreeNAS) and post it here:
iocage get --all OpenVPN

root@OpenVPN:/usr/local/etc/openvpn # tail -f /var/log/openvpn.log
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 MULTI: Learn: 10.8.0.6 -> Marcelo/72.47.31.156:47828
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 MULTI: primary virtual IP for Marcelo/72.47.31.156:47828: 10.8.0.6
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 PUSH: Received control message: 'PUSH_REQUEST'
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 SENT CONTROL [Marcelo]: 'PUSH_REPLY,route 192.168.0.1 255.255.255.0,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 22 15:05:59 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 SIGTERM[soft,remote-exit] received, client-instance exiting
Mar 22 15:39:44 OpenVPN openvpn[44644]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:185.200.118.68:48705

root@MarceloFlix[~]# iocage get --all OpenVPN
CONFIG_VERSION:26
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_fusefs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:1
allow_vmm:0
assign_localhost:0
available:readonly
basejail:0
boot:1
bpf:0
children_max:0
cloned_release:11.3-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize: off
count:1
cpuset: off
cputime: off
datasize: off
dedup: off
defaultrouter:192.168.0.1
defaultrouter6:auto
depends:none
devfs_ruleset:5
dhcp:0
enforce_statfs:2
exec_clean:1
exec_created:/usr/bin/true
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:OpenVPN
host_hostuuid:OpenVPN
host_time:1
hostid:a0f41863-2cb8-11e5-b42e-d05099785ff9
hostid_strict_check:0
interfaces:vnet0:bridge0
ip4:new
ip4_addr:192.168.0.15/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
ip_hostname:0
jail_zfs:0
jail_zfs_dataset:iocage/jails/OpenVPN/data
jail_zfs_mountpoint:none
last_started:2020-03-22 20:05:08
localhost_ip:none
login_flags:-f root
mac_prefix:02ff60
maxproc: off
memorylocked: off
memoryuse: off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued: off
msgqsize: off
nat:0
nat_backend:ipfw
nat_forwards:none
nat_interface:none
nat_prefix:172.16
nmsgq: off
notes:none
nsem: off
nsemop: off
nshm: off
nthr: off
openfiles: off
origin:readonly
owner:root
pcpu: off
plugin_name:none
plugin_repository:none
priority:99
pseudoterminals: off
quota:none
readbps: off
readiops: off
release:11.3-RELEASE-p6
reservation:none
resolver:/etc/resolv.conf
rlimits: off
rtsold:0
securelevel:2
shmsize: off
stacksize: off
state:up
stop_timeout:30
swapuse: off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:0
type:jail
used:readonly
vmemoryuse: off
vnet:1
vnet0_mac:02ff609bc87f 02ff609bc880
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock: off
writebps: off
writeiops: off
 
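Two things in the log excerpt above are worth scripting once you are watching /var/log/openvpn.log with tail -f: exactly which options the server pushed to the client (the PUSH_REPLY line is the ground truth, whatever the config files say), and which sources sent packets that tls-auth could not authenticate. The parser below is an added example for this thread, not code from the guide or from any poster; the sample log is a constructed copy of the lines above. "TLS Error: cannot locate HMAC in incoming packet" is what OpenVPN logs when tls-auth is enabled and a packet does not carry a valid HMAC: from an address that never shows up as a client (here 185.200.118.68) it is an unauthenticated probe dropped before any TLS handshake, which is what tls-auth is for; from your own client's address it means the ta.key or key-direction on that client does not match the server's.

```python
import re
from collections import defaultdict

# Constructed sample: the /var/log/openvpn.log excerpt posted above.
SAMPLE_LOG = """\
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 MULTI_sva: pool returned IPv4=10.8.0.6, IPv6=(Not enabled)
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 MULTI: Learn: 10.8.0.6 -> Marcelo/72.47.31.156:47828
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 PUSH: Received control message: 'PUSH_REQUEST'
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 SENT CONTROL [Marcelo]: 'PUSH_REPLY,route 192.168.0.1 255.255.255.0,redirect-gateway def1 bypass-dhcp,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)
Mar 22 15:05:36 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 Data Channel: using negotiated cipher 'AES-256-GCM'
Mar 22 15:05:59 OpenVPN openvpn[44644]: Marcelo/72.47.31.156:47828 SIGTERM[soft,remote-exit] received, client-instance exiting
Mar 22 15:39:44 OpenVPN openvpn[44644]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:185.200.118.68:48705
"""

LINE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: (?P<msg>.*)$")
SESSION = re.compile(r"^(?P<cn>[^/\s]+)/(?P<addr>[\d.]+):(?P<port>\d+) (?P<rest>.*)$")
HMAC_FAIL = re.compile(r"cannot locate HMAC in incoming packet from \[AF_INET6?\](?P<addr>\S+):\d+$")
POOL = re.compile(r"pool returned IPv4=(?P<vip>[\d.]+)")
PUSH_REPLY = re.compile(r"'PUSH_REPLY,(?P<opts>[^']*)'")
CIPHER = re.compile(r"using negotiated cipher '(?P<cipher>[^']+)'")


def parse_log(text):
    """Return ({(cn, addr, port): session}, {addr: packets_rejected_by_tls_auth})."""
    sessions, rejected = {}, defaultdict(int)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        h = HMAC_FAIL.search(msg)
        if h:  # tls-auth could not verify the packet; it was dropped before any TLS handshake
            rejected[h.group("addr").replace("::ffff:", "")] += 1
            continue
        s = SESSION.match(msg)
        if not s:
            continue
        key = (s.group("cn"), s.group("addr"), int(s.group("port")))
        sess = sessions.setdefault(key, {"vip": None, "pushed": [], "cipher": None, "closed": False})
        rest = s.group("rest")
        if POOL.search(rest):
            sess["vip"] = POOL.search(rest).group("vip")
        elif PUSH_REPLY.search(rest):
            sess["pushed"] = PUSH_REPLY.search(rest).group("opts").split(",")
        elif CIPHER.search(rest):
            sess["cipher"] = CIPHER.search(rest).group("cipher")
        elif "client-instance exiting" in rest:
            sess["closed"] = True
    return sessions, dict(rejected)


def report(sessions, rejected):
    """One line per session (what the client was actually pushed) and per rejected source."""
    known = {addr for _, addr, _ in sessions}
    lines = []
    for (cn, addr, port), s in sessions.items():
        routing = [o for o in s["pushed"] if o.startswith(("route ", "redirect-gateway"))]
        dns = [o for o in s["pushed"] if o.startswith("dhcp-option DNS")] or ["none pushed"]
        lines.append(f"{cn} from {addr}:{port} got {s['vip']} ({s['cipher']}); routing={routing}; dns={dns}")
    for addr, n in rejected.items():
        why = ("a known client address: check ta.key and key-direction on that client"
               if addr in known else
               "an address that never completed a handshake: unauthenticated probe rejected by tls-auth")
        lines.append(f"{n} packet(s) without a valid tls-auth HMAC from {addr}, {why}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*parse_log(SAMPLE_LOG))))
```

On the excerpt above the report shows the client received route 192.168.0.1 255.255.255.0 and redirect-gateway def1 bypass-dhcp but no DNS option, and one rejected packet from an address that never authenticated. The CBC cipher in both config files is also visible as irrelevant here: the data channel negotiated AES-256-GCM.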

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
You said you used the script; I don't know which one, because you definitely didn't use mine. You would have had other settings.

So there are 2 options:
1. try these settings first
iocage stop OpenVPN
iocage set bpf=yes OpenVPN
iocage set allow_mount=on OpenVPN
iocage set allow_mount_devfs=on OpenVPN
iocage set devfs_ruleset=6 OpenVPN
iocage start OpenVPN
2. use my script to properly install and configure everything
 

galantis

Cadet
Joined
Feb 3, 2020
Messages
7
I just configured an OpenVPN jail on FreeNAS 11.3-U1 and I might suffer from the same issue as in post #249.

I can connect to the VPN server but am unable to reach other devices that are on the same LAN as the jail. I made sure to use the push route option.

First I got the infamous "cannot allocate tun/tap dev dynamically", but got rid of it by modifying the jail settings to:
Basic Properties:
--> Check VNET
--> Check Berkeley Packet Filter
--> IPv4 Interface --> leave blank
--> IPv4 Address --> 192.168.1.102
--> IPv4 Netmask --> 24
--> IPv4 Default Router --> 192.168.1.1
Custom Properties:
--> Check allow_tun

However my impression is that this 'fix' creates new networking issues that might be related, as I noticed this:
  • With the VNET/Berkeley Packet Filter options checked, I can ping other LAN devices from the jail, but cannot ping the jail from other LAN devices.
  • With the VNET/Berkeley Packet Filter options unchecked, I can ping and also be pinged.
I also want to add here that I got OpenVPN fully working on a tiny stand-alone Linux machine, including proper routing to other devices in the server network. The config I used for this machine and for the FreeNAS jail is the same.

I'll continue my quest to find the root cause and update this thread if I do.
 

Marcelofs1

Dabbler
Joined
Jul 17, 2015
Messages
24
You said you used the script; I don't know which one, because you definitely didn't use mine. You would have had other settings.

So there are 2 options:
1. try these settings first

2. use my script to properly install and configure everything
Hello @Bibi40k - I did use your script and, as I could not connect to the VPN any longer, I removed the jail and created another one following the original thread (manual steps), and that one worked.
The output from the item 1 is below:

# iocage stop OpenVPN
* Stopping OpenVPN
+ Executing prestop OK
+ Stopping services OK
+ Tearing down VNET OK
+ Removing devfs_ruleset: 5 OK
+ Removing jail process OK
+ Executing poststop OK
root@mynas[~]# iocage set bpf=yes OpenVPN
bpf: 0 -> 1
root@mynas[~]# iocage set allow_mount=on OpenVPN
allow_mount: 0 -> 1
root@mynas[~]# iocage set allow_mount_devfs=on OpenVPN
allow_mount_devfs: 0 -> 1
root@mynas[~]# iocage set devfs_ruleset=6 OpenVPN
devfs_ruleset: 4 -> 6
root@mynas[~]# iocage start OpenVPN
No default gateway found for ipv6.
* Starting OpenVPN
+ Started OK
+ Using devfs_ruleset: 6
+ Configuring VNET OK
+ Using IP options: vnet
+ Starting services OK
+ Executing poststart OK
Here things got interesting. After the change, I was no longer able to access the VPN - my connection didn't go through. I then changed one parameter back to the original as follows:

root@mynas[~]# iocage stop OpenVPN
* Stopping OpenVPN
+ Executing prestop OK
+ Stopping services OK
+ Tearing down VNET OK
+ Removing devfs_ruleset: 6 OK
+ Removing jail process OK
+ Executing poststop OK
root@mynas[~]# iocage set devfs_ruleset=4 OpenVPN
devfs_ruleset: 6 -> 4
root@mynas[~]# iocage start OpenVPN
No default gateway found for ipv6.
* Starting OpenVPN
+ Started OK
+ Using devfs_ruleset: 5
+ Configuring VNET OK
+ Using IP options: vnet
+ Starting services OK
+ Executing poststart OK

With that change I was able to connect back to the VPN (but no internet in the browser). Note I have restarted the jail and also rebooted the NAS.

I tried to run the automatic script again but noticed that all the values I put in when I created it the first time get populated. To ensure I am not doing anything wrong, how do I "clean" all those entries so I can create it with only the default values?

Thank you
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
The script keeps all those settings on purpose, in a config file, to save you time. You can overwrite any setting during all those steps.
You cannot do anything wrong.
 