Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

jcoffey0093

Dabbler
Joined
Aug 26, 2019
Messages
16
I don’t understand what you mean
Hi,
I am new to this community and I decided to mix info from the How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT and OpenVPN On FreeBSD 10.3 tutorials.
Please report any inconsistency.

PS: I've also created a script to fully automate this process: Automatic install OpenVPN inside iocage Jail in FreeNAS all versions

change-log:
0.7 - 2020.01.29 - Added note that external LAN should be different than FreeNAS LAN.
0.6 - 2020.01.29 - Tested on FreeNAS FreeNAS-11.2-U7.
0.5 - 2018.10.14 - Added note that full restart is required sometimes
0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and test everything from scratch following all the steps
0.2 - 2018.02.17 - Beautify code and few more details
0.1 - 2018.02.16 - First release

Legend:
  1. Green text - should remain like it is
  2. Blue text - you may change it if you like
  3. Red text - needs to be changed by you

Requirements:
  1. FreeNAS 11.1-U1 - 11.2-U7 ( may also work with other versions )
  2. FreeNAS User with ssh access and sudo
  3. SSH Client ( Putty for Windows and Terminal for MAC )
  4. Admin access to the router where FreeNAS exists
  5. Own domain or domain updated by DDNS or a static IP
  6. Please follow this step by step tutorial before asking for help
Relevant data to use later in this tutorial ( use your own, this is just for reference )
  1. Home Network: 192.168.222.0/24 ( the LAN where your FreeNAS is; try to use a different subnet at home than the common ones, to avoid conflicts when connecting from outside )
  2. NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
  3. Domain: nas.mydomain.com
  4. VPN Server Port: 1194 UDP.
  5. VPN Outside Access Port: 1194 UDP
  6. Certificate Authority Password: Password1
  7. Bibi40k Client Certificate Password: Password2

3,2,1.. START

Use FreeNAS Web GUI

Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )

SSH to your FreeNAS box
Code:
% jls
JID     IP Address    Hostname      Path
...
4                     OpenVPN       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:

Get everything updated and install necessary apps
Code:
# pkg update
# pkg upgrade -y
# pkg install -y nano openvpn mpack

Create directories for OpenVPN
Code:
# mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/keys

Copy necessary files
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
# cd /usr/local/etc/openvpn/easy-rsa
# nano vars


if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_REQ_COUNTRY "US"

set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

Generate Keys
Code:
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Build Certificate Authority ( follow the instructions using Password1 and a common name )
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Build Server Certificate
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Build Client Certificate ( use a unique name for each certificate; here Bibi40k with Password2, authorized with Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameters ( /usr/local/etc/openvpn/easy-rsa/pki/dh.pem )
Code:
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................
...........................................................................................................
......................................................................................+...................
...........................................................................................................
.............................................................+............................................
...........................................................................................................
.............................+......................................................+...................
.......+.................................................................................................
..........................................................................................................
..............................................................................+..................+.....
...
...................................................................................+....................
.........................................................................................................
.........................................................................................................
...+....................................................................................................
..........+..........................++*++*
DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem

Generate the TA key
Code:
# openvpn --genkey --secret ta.key

Copy Keys Together
Code:
# cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
# cp ta.key /usr/local/etc/openvpn/keys/
# cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/

OpenVPN ( edit /usr/local/etc/openvpn/openvpn.conf )
Code:
# cd /usr/local/etc/openvpn/
# nano openvpn.conf




port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
push "route 192.168.222.0 255.255.255.0"

keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/Bibi40k.conf
# nano Bibi40k.conf



client
dev tun
proto udp
remote nas.mydomain.com 1194

resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt

key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
verb 3
You can include everything in one file ( useful on mobile and more convenient than keeping all certs apart ):
client
dev tun
proto udp
remote nas.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
# auth-user-pass is only needed when the server verifies a username/password;
# the server config above does not, so leave it commented out
#auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
add ca.crt content here...
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
add Bibi40k.crt content here...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
add Bibi40k.key content here...
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
add ta.key content here...
-----END OpenVPN Static key V1-----
</tls-auth>

# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1

Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add green text )
Code:
# nano /usr/local/etc/ipfw.rules

More configuration ( edit /etc/rc.conf and add green text at the end of the file )
Code:
# nano /etc/rc.conf

Set up logging ( edit /etc/syslog.conf )
Code:
# nano /etc/syslog.conf

Set up log rotation ( edit /etc/newsyslog.conf )
Code:
# nano /etc/newsyslog.conf

Use FreeNAS Web GUI
Jails -> Select OpenVPN Jail -> Restart


Note: sometimes it is necessary to restart the whole FreeNAS server, because the routes are built properly after a full restart.

SSH to your FreeNAS box and make some checks
Code:
% jls
JID  IP Address   Hostname        Path
...
5                 OpenVPN         /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any
# sockstat -4 -l
USER    COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194         *:*
root    syslogd  64803  7   udp4   *:514          *:*

Let's send our OpenVPN client files and test the connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
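The ipfw.rules, rc.conf, syslog.conf and newsyslog.conf entries the tutorial refers to as "green text" did not survive on this page. The script below is an added example, not code from the original post or from the author's autoinstaller: it writes the four files for you. The NAT rules are reconstructed from the ipfw list output shown in the checks above; the rc.conf variable names follow the FreeBSD rc(8) and openvpn port conventions, and the log file name and rotation policy are assumptions, so check each line against your own jail.

```sh
#!/bin/sh
# Added example, not code from the original post. It reconstructs the four
# "green text" fragments the tutorial says to add (ipfw.rules, rc.conf,
# syslog.conf, newsyslog.conf). The NAT rules come from the `ipfw list`
# output shown in the tutorial; the rc.conf variable names are FreeBSD rc(8)
# and openvpn-port conventions, the log file name is an ASSUMPTION.
#
# Usage inside the jail, as root:   sh jail-config.sh apply
# Dry run into a scratch directory:  sh jail-config.sh apply /tmp/scratch

VPN_NET="10.8.0.0/24"              # matches "server 10.8.0.0 255.255.255.0"
JAIL_IF="epair0b"                  # jail side of the VNET epair (see ifconfig)
OPENVPN_DIR="/usr/local/etc/openvpn"
LOG="/var/log/openvpn.log"         # ASSUMED name; any path under /var/log works

# write_ipfw_rules ROOT : create ROOT/usr/local/etc/ipfw.rules, the sh script
# that rc.d/ipfw runs at boot because of firewall_script below
write_ipfw_rules() {
    root="$1"
    mkdir -p "$root/usr/local/etc"
    cat > "$root/usr/local/etc/ipfw.rules" <<EOF
#!/bin/sh
# NAT VPN clients ($VPN_NET) behind the jail's own IP on $JAIL_IF
ipfw -q -f flush
ipfw -q nat 1 config if $JAIL_IF
ipfw -q add 00100 nat 1 ip from $VPN_NET to any out via $JAIL_IF
ipfw -q add 00200 nat 1 ip from any to any in via $JAIL_IF
EOF
    chmod 0700 "$root/usr/local/etc/ipfw.rules"
}

# append_line FILE LINE : append LINE unless it is already present (idempotent,
# so running the script twice does not duplicate rc.conf entries)
append_line() {
    mkdir -p "$(dirname "$1")"
    touch "$1"
    grep -qxF -- "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# append_rc_conf ROOT : enable OpenVPN, IP forwarding and the ipfw script
append_rc_conf() {
    f="$1/etc/rc.conf"
    append_line "$f" 'openvpn_enable="YES"'
    append_line "$f" "openvpn_configfile=\"$OPENVPN_DIR/openvpn.conf\""
    append_line "$f" "openvpn_dir=\"$OPENVPN_DIR\""
    append_line "$f" 'gateway_enable="YES"'        # forward tun0 <-> epair0b
    append_line "$f" 'firewall_enable="YES"'
    append_line "$f" 'firewall_script="/usr/local/etc/ipfw.rules"'
}

# append_syslog_conf ROOT : send everything the "openvpn" program logs to $LOG
# (the rc script starts openvpn with --daemon, so it logs through syslog)
append_syslog_conf() {
    f="$1/etc/syslog.conf"
    append_line "$f" '!openvpn'
    append_line "$f" "*.*                                            $LOG"
    mkdir -p "$1/var/log"
    touch "$1$LOG"
}

# append_newsyslog_conf ROOT : keep 7 archives, rotate when the file reaches
# 100 KB, bzip2 the archives (J) and create the file if it is missing (C)
append_newsyslog_conf() {
    append_line "$1/etc/newsyslog.conf" "$LOG    600  7  100  *  JC"
}

if [ "${1:-}" = "apply" ]; then
    ROOT="${2:-}"                  # empty = the live filesystem of the jail
    write_ipfw_rules "$ROOT"
    append_rc_conf "$ROOT"
    append_syslog_conf "$ROOT"
    append_newsyslog_conf "$ROOT"
    echo "config written under '${ROOT:-/}'; restart the jail to activate it"
fi
```

After the restart, ipfw list and sockstat -4 -l should show what the tutorial's checks show. One caveat worth knowing before the checks: ipfw can only be managed from inside a jail that has its own network stack (an iocage VNET jail, with the ipfw kernel module available on the host); in a jail without VNET, ipfw list fails with "Operation not permitted", which is the error reported further down in this thread.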
 

jcoffey0093

Dabbler
Joined
Aug 26, 2019
Messages
16
Bibi40k,
I followed your script above, however I'm a little lost at this point. I can't tell if my OpenVPN is running.
1. When I run this command "sockstat -4 -l", openvpn is listed.
2. When I run Wireshark, I don't see the 10.8.0.0 subnet. Should I see this since OpenVPN is running in a jail?
Please advise.

Thank you
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
1. Just run "The Watcher" from the script menu.
2. That subnet only exists inside the jail.

Check the autoinstaller script.
 

jcoffey0093

Dabbler
Joined
Aug 26, 2019
Messages
16
Where is "The Watcher" located?

How do I make the Deluge plugin run only via the OpenVPN I created?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
you'll see the watcher as soon as you run the script

[Attachment: Screenshot 2020-06-19 at 15.25.28.png]
 

MottosX

Cadet
Joined
Jul 5, 2020
Messages
1
Hello, new to FreeNAS. I keep encountering an ipfw error at the end of the tutorial.
Code:
# ipfw list
ipfw: retrieving config failed: Operation not permitted
#

Can you help me sort this out?
 

Berkyjay

Contributor
Joined
Nov 7, 2015
Messages
100
Hi, is this for setting up your own VPN server or setting up a VPN client from another VPN service?
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
This is for setting up your VPN server or setting up a VPN client for your VPN service or even another VPN service.
 

Berkyjay

Contributor
Joined
Nov 7, 2015
Messages
100
This is for setting up your VPN server or setting up a VPN client for your VPN service or even another VPN service.

OK thanks I'll give it a try. I've been having a hell of a hard time getting a VPN client for my NordVPN service running on a Transmission jail.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
In this case it won't help you, because this is for setting up a VPN client on your Windows/MacOS, not in a jail.
 

Arensoft

Cadet
Joined
Apr 17, 2021
Messages
1
Hello @Bibi40k. I want to thank you for your effort to help us with the VPN. I have to say I was successful in making my own VPN and it is working perfectly right now. Thanks again for your help.

Right now I have one account but I need to create more. I know step 3 of your script is not implemented yet. Have you explained somewhere how to do it manually? Can I repeat the Create Client Certificate and Client Config steps again to create more accounts?

Another thing I'm thinking about is whether, when we use the script and edit the config file, we can add more than one user and have the script create the ovpn files for each user.
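Adding a second client and building its single-file profile, as an added example placed after the question above. This is not code from the original post or from the author's script: it repeats the tutorial's build-client-full step for a new name and then assembles the inline .ovpn the tutorial's "everything in one file" section describes, from ca.crt, NAME.crt, NAME.key and ta.key. Paths follow the tutorial; SERVER_NAME and the output location are assumptions, and the certificate sanity check needs openssl in the jail.

```sh
#!/bin/sh
# Added example, not code from the original post. Issues a certificate for an
# additional client (the same build-client-full step the tutorial runs for
# Bibi40k) and turns the separate files into the single-file profile the
# tutorial describes. SERVER_NAME and the output path are ASSUMPTIONS.
#
# Usage inside the jail, as root:   sh profile.sh add alice
set -u

EASYRSA_DIR="/usr/local/etc/openvpn/easy-rsa"
KEYS_DIR="/usr/local/etc/openvpn/keys"
SERVER_NAME="nas.mydomain.com"           # ASSUMED: your DDNS name or static IP

# new_client NAME : issue NAME's cert (prompts for its pass phrase and the CA's)
# and copy the result next to the other keys, as the tutorial does for Bibi40k
new_client() {
    ( cd "$EASYRSA_DIR" && ./easyrsa.real build-client-full "$1" ) || return 1
    cp "$EASYRSA_DIR/pki/issued/$1.crt" "$EASYRSA_DIR/pki/private/$1.key" "$KEYS_DIR/"
}

# pem_only FILE : print only the PEM block of FILE; easy-rsa .crt files carry a
# human-readable dump in front of the certificate and ta.key has comment lines
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# inline_profile NAME DIR OUT : write OUT as a single-file profile for client
# NAME from DIR/ca.crt, DIR/NAME.crt, DIR/NAME.key and DIR/ta.key; returns 1 if
# any of them is missing. OUT embeds a private key, so it is created mode 0600.
inline_profile() {
    name="$1"; dir="$2"; out="$3"
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -s "$dir/$f" ] || { echo "inline_profile: missing $dir/$f" >&2; return 1; }
    done
    (
        umask 077
        {
            cat <<EOF
client
dev tun
proto udp
remote $SERVER_NAME 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
key-direction 1
# Act as gateway: uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
EOF
            printf '<ca>\n';       pem_only "$dir/ca.crt";    printf '</ca>\n'
            printf '<cert>\n';     pem_only "$dir/$name.crt"; printf '</cert>\n'
            printf '<key>\n';      pem_only "$dir/$name.key"; printf '</key>\n'
            printf '<tls-auth>\n'; pem_only "$dir/ta.key";    printf '</tls-auth>\n'
        } > "$out"
    )
}

# check_client_cert NAME DIR : confirm NAME.crt chains to ca.crt and carries the
# client EKU that "remote-cert-tls client" on the server insists on (the output
# is checked for ": OK" because old openssl versions exit 0 even on failure)
check_client_cert() {
    openssl verify -CAfile "$2/ca.crt" "$2/$1.crt" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$2/$1.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

if [ "${1:-}" = "add" ] && [ -n "${2:-}" ]; then
    new_client "$2" && check_client_cert "$2" "$KEYS_DIR" \
        && inline_profile "$2" "$KEYS_DIR" "/usr/local/etc/openvpn/$2.ovpn" \
        && echo "wrote /usr/local/etc/openvpn/$2.ovpn"
fi
```

The resulting .ovpn carries the client's private key (still protected by the pass phrase chosen at build-client-full time) and the shared ta.key, so move it to the client over a channel you trust and delete the copy in the jail afterwards.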
 

awh3r

Cadet
Joined
Dec 17, 2020
Messages
6
When I check my service with "sockstat -4 -l" I am not getting any numbers. I tried to start the OpenVPN server and I get "failed to start".
 

awh3r

Cadet
Joined
Dec 17, 2020
Messages
6
Is there anyone who was able to get their TrueNAS OpenVPN configuration working willing to assist me? I have tried multiple iterations of the install and none have been successful. My last build is the configuration related to this site; when executing the sockstat command, I don't see my OpenVPN server and I get an error message when trying to manually start the server: "WARNING failed to start openvpn". I have gone through my config files and double checked the configs, and opened port 1194 for the OpenVPN server on my router. Any help would be very much appreciated.
 

sdealmeida

Cadet
Joined
Oct 24, 2021
Messages
8
Thank you for this great tutorial!
I was struggling to get OpenVPN Server on Truenas (running as a Service), but by running it in an iocage, it works!
I'm on Truenas 12.0 U6 and I can confirm that the manual step is still working.
 
Joined
Dec 9, 2015
Messages
2
Thanks for this great tutorial! Same story goes for me as the guy above me ^.
I was always running OpenVPN Access Server but this limits you to only have 2 connections at the same time. I tried several times to setup OpenVPN on Free/TRueNAS but never managed to get it to work but this guide finally helped me out.
As a bonus I can now get rid of my OpenVPN Access Server.
Thanks again for all your effort sharing this.

Cheers!
 

Rajstopy

Dabbler
Joined
Dec 27, 2020
Messages
25
Hi there,

I've been struggling for 3 days trying to get OpenVPN to work. Just a nightmare guys... Welcome to open source again.

OpenVPN is not even coming up, leading to "Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)". Ifconfig shows a bunch of tun interfaces but nothing under /dev/tun*. Don't know if this is expected. For now, I'm just tired and fed up, so I will give up for the moment. I've read thousands of messages and my eyes are burning. I never thought it would be so complicated to run a simple OpenVPN instance... Anyway.
If anyone has some idea where I could start investigating, would be really helpful...

Cheers,

Edit:

My goodness, after a 15 minutes break I found the solution. The below option did the trick... :
https://www.truenas.com/community/threads/openvpn-tun-interface-issues-in-iocage.68953/post-494277
 