Sorry , but what line are you referring to when you say" Try removing that line from your server configuration"? My issue is OpenVPN is not starting
-
Important Announcement for The TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1
- Thread starter Bibi40k
- Start date
Sorry , but what line are you referring to when you say" Try removing that line from your server configuration"? My issue is OpenVPN is not starting
Krowvin
Explorer
- Joined
- Jul 24, 2014
- Messages
- 60
Remove
Code:
crl-verify crl.pem
It's not in OPs configuration, I just rechecked mine with what I have working. I went through each line to test them one by one until I got it working and just forgot to take that one out. Sorry!
I'm confused as what you are saying... I'm not sure where I remove crl-verify crl.pem. I get this error when I try and start OpenVPN manually (restarted my nas, have done a ton of troubleshooting, etc.)
This is what happens when I see if OpenVPN is running in the Jail... Nothing, lol.
This is me trying to start OpenVPN manually (When I get an error code)....
I just can't get OpenVPN to run at all. I'm fairly confident if I get OpenVPN to run then using everything I've read through will work. I am using your config file just with IP's that are related to what I have set-up.
Using this thread for troubleshooting:
https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/
Here's my server configuration as well....
Code:
local 192.168.1.135 port 1194 proto udp dev tun ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/openvpn-server.crt #Server public key key /usr/local/etc/openvpn/keys/openvpn-server.key #Server private key dh /usr/local/etc/openvpn/keys/dh.pem #Diffie-Hellman parameters server 10.8.0.0 255.255.255.0 #Purple network ifconfig-pool-persist ipp.txt push "route 192.168.1.1 255.255.255.0" #Yellow network route 192.168.1.135 255.255.255.0 10.8.0.1 tls-auth /usr/local/etc/openvpn/keys/ta.key 0 crl-verify crl.pem keepalive 10 120 cipher AES-256-CBC #auth SHA256 group nobody user nobody comp-lzo persist-key persist-tun verb 3
Krowvin
Explorer
- Joined
- Jul 24, 2014
- Messages
- 60
I updated my configuration if you want to replace it,
ctrl-verify crl.pem was a line in my openvpn server configuration,
to remove it:
Code:
cd /usr/local/etc/openvpn nano openvpn.conf
Arrow key down to the line with
ctrl-verify crl.pem
and delete it, then
ctrl + x
y to save
press enter
then type
Code:
service openvpn restart
Edit:
Looks like it's line 14 of your configuration you shared, delete it and restart openvpn
Ok it appears that your a genius (not being sarcastic, I'm so freaking happy right now!!!!!)
Now I have to download my client configuration lol
What does your client configuration look like?
Krowvin
Explorer
- Joined
- Jul 24, 2014
- Messages
- 60
client
dev tun
proto udp
remote nas.krowvin.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert krowvin.crt
key krowvin.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
dhcp-option DNS 192.168.1.1
redirect-gateway def1
comp-lzo
verb 4
I can't check my other post to see if it's the same atm but this is a direct copy of what I have now working. You have to save it with the .ovpn extension
For example
android.ovpn
dev tun
proto udp
remote nas.krowvin.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert krowvin.crt
key krowvin.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
dhcp-option DNS 192.168.1.1
redirect-gateway def1
comp-lzo
verb 4
I can't check my other post to see if it's the same atm but this is a direct copy of what I have now working. You have to save it with the .ovpn extension
For example
android.ovpn
Last edited:
remote ------1194 This is either your DDNS domain (like you did) or your static IP according to https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/
What would my static IP be?
Last edited:
IT WORKS!!!! Your a life saver my dude. Would you recommend working off the VPN for accessing school files and such or setting up an OwnCloud like you did yourself
VPN is also not as fast as I was suspecting (I have 100Mbit internet). Just transferring some files (on my mobile hotspot) to server at 355 kbps. Anyway I can increase this?
Krowvin
Explorer
- Joined
- Jul 24, 2014
- Messages
- 60
1. (I'm curious) Did you have to restart your freenas box at all?
2. If you used the IP address from Googling "what's my IP" that is not static, usually. So you will need to go to noip and make an account. Follow a guide online for that. Then open up the FreeNAS manual for how to setup a DDNS for IP changes. It will monitor your IP for changes then when it changes update your free domain from noip to the new one.
I use Nextcloud, a fork of owncloud. I don't know what has changed with owncloud since I switched, but at the time it was enterprise features enabled. I.e. Set passwords for your files.
I would think it would be great for college. You can save everything from year 1 and by the end of it have a complete 4 years of material. Be sure to enable https through LetsEncrypt encrypt if you do use a personal cloud.
I use the VPN to access my local LAN without exposing more ports than I have to. Encryption is a bonus perk
We might wanna switch to PM and stop spamming this thread.
You have Discord? Mind if you PM me on Discord?
Krowvin
Explorer
- Joined
- Jul 24, 2014
- Messages
- 60
I'll start a conversation with you on here. Check your inbox. I haven't been on discord for a bit.
Bud, thanks a million. This was the code I was missing to actually be able to access the internet and other network resources over OpenVPN. I have been wracking my brain for a couple weeks (off and on, been traveling a lot too) trying to get this to work.
My other issue is I have an EdgeMAX EdgeRouter router which I am still learning but loving so far. I had been playing with all sorts of settings, and Googling like a mad man. So now that I've mentioned it here, for those brought to this thread via Google, I am confirming that the only settings required on the EdgeRouter is setting up a static route. My setup is like so:
OpenVPN at 192.168.1.6, serving 10.8.0.0/24
Pi-Hole at 192.168.1.4, DNS and DHCP
EdgeMAX at 192.168.1.1
On OpenVPN.conf:
local 192.168.1.6 (also good idea to set the jail to this static IP, as well as leave a static IP reservation on your DHCP server)
Push DHCP-option DNS <DNS IP address, in my case I have a Pi-Hole at 192.168.1.4 which also serves DHCP>
On EdgeRouter (assuming your OpenVPN is serving on the 10.8.0.0/24 subnet)
Add static route >
- Destination 10.8.0.0/24
- Next hop 192.168.1.6 (the OpenVPN jail's IP)
- Interface switch0 (or any ethX's, depending on where your FreeNAS is connected)
- Route Type static
No need for NAT masquerade or anything of the such. On my iPhone running OpenVPN I can successfully ping all of my network resources on both subnets (192 and 10.8) as well as ping my iPhone's IP from the network.
One thing to note for the Pi-Hole users is Pi-Hole does not capture who is making requests in the logs, it simply shows the traffic as coming from the OpenVPN server's IP. However, ad-blocking and Pi-Holing and such do seem to work perfectly - this is the primary purpose for my getting OpenVPN working in conjunction with my Pi-Hole; now I can roam on my laptop and get the benefits of Pi-Hole.
TheMunk
Cadet
- Joined
- Jun 10, 2017
- Messages
- 8
Hi all! I've been trying to get openvpn working for quite some time, and this is the only tutorial that I followed all the way to the "end" without any errors.
Openvpn starts up nicely as a service, and I seem to be able to connect to it without receiving any errors in the openvpn log on the client.
I just don't really understand the "push 192.168.x.x 255.255.255.0" part of all this. Is this VPN set up to only push local traffic or is it all traffic? Cause checking my public IP (when hotspotting from mobile) it doesn't change it to the public IP of the openvpn jail. (I don't necessarily want this functionality, I just want to be able to get to my webUI's from outside my network, like sonar on "192.168.0.4:8989")
As it is now, I have set up Organizr on Nginx in a jail 192.168.0.16:80, and set all tabs to reference the local IP, (like the 192.168.0.4:8989). So when I go to 192.168.0.16:80 from my home network I get all the contents of my different jails served without issues.
Now I wanted this to be possible through the VPN as well. I have forwarded port 80 through my router to the Nginx jail, which loads up organizr when accessing over the web (through my domain and DDNS service) however, the tabs are not served (obviously because the ports aren't open and I haven't setup a reverse proxy)
So how do I route to those jails on 192.168.0.XX through the VPN?
My gateway and DHCP is on 192.168.0.1 on subnet 255.255.255.0
Jail with Open VPN is on 192.168.0.12 with external port 443 forwarded to that IP and port 1194
Here is my client config:
And server config:
The "route" and "push" parts are what I'm having trouble understanding...
PLZ HALP
EDIT: My current understanding is, that when connected to the VPN remotely if I were to enter 192.168.0.4:8989 into my address bar, the VPN would send me through to my home network and the sonarr jail overwriting routing to any potential web UI's on the "Remote-local-network" while "google.com" would be ignored by the VPN and send me straight" through the wonders of the world wide web.
EDIT 2:
ipfw.rules:
Openvpn starts up nicely as a service, and I seem to be able to connect to it without receiving any errors in the openvpn log on the client.
I just don't really understand the "push 192.168.x.x 255.255.255.0" part of all this. Is this VPN set up to only push local traffic or is it all traffic? Cause checking my public IP (when hotspotting from mobile) it doesn't change it to the public IP of the openvpn jail. (I don't necessarily want this functionality, I just want to be able to get to my webUI's from outside my network, like sonar on "192.168.0.4:8989")
As it is now, I have set up Organizr on Nginx in a jail 192.168.0.16:80, and set all tabs to reference the local IP, (like the 192.168.0.4:8989). So when I go to 192.168.0.16:80 from my home network I get all the contents of my different jails served without issues.
Now I wanted this to be possible through the VPN as well. I have forwarded port 80 through my router to the Nginx jail, which loads up organizr when accessing over the web (through my domain and DDNS service) however, the tabs are not served (obviously because the ports aren't open and I haven't setup a reverse proxy)
So how do I route to those jails on 192.168.0.XX through the VPN?
My gateway and DHCP is on 192.168.0.1 on subnet 255.255.255.0
Jail with Open VPN is on 192.168.0.12 with external port 443 forwarded to that IP and port 1194
Here is my client config:
Code:
client ;dev tap dev tun ;dev-node MyTap ;proto tcp proto udp ;remote my-server-1 1194 remote domainhidden.org 443 ;remote-random resolv-retry infinite nobind ;user nobody ;group nobody persist-key persist-tun ;mute-replay-warnings ca ca.crt cert TheLapMonk.crt key TheLapMonk.key remote-cert-tls server tls-auth ta.key 1 cipher AES-256-CBC comp-lzo verb 3 ;mute 20
And server config:
Code:
local 192.168.0.12 port 1194 ;proto tcp proto udp ;dev tap dev tun ;dev-node MyTap ca /usr/local/etc/openvpn/keys/ca.crt cert /usr/local/etc/openvpn/keys/openvpn-server.crt dh /usr/local/etc/openvpn/keys/dh.pem ;topology subnet server 10.8.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt ;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100 ;server-bridge ;push "route 192.168.10.0 255.255.255.0" push "route 192.168.0.0 255.255.255.0" ;client-config-dir ccd ;route 192.168.40.128 255.255.255.248 route 192.168.0.12 255.255.255.0 10.8.0.1 ;client-config-dir ccd ;route 10.9.0.0 255.255.255.252 ;learn-address ./script ;push "redirect-gateway def1 bypass-dhcp" ;push "dhcp-option DNS 208.67.222.222" ;push "dhcp-option DNS 208.67.220.220" ;client-to-client ;duplicate-cn keepalive 10 120 remote-cert-tls client cipher AES-256-CBC ;compress lz4-v2 ;push "compress lz4-v2" comp-lzo ;max-clients 100 user nobody group nobody persist-key persist-tun status openvpn-status.log ;log openvpn.log ;log-append openvpn.log verb 3 ;mute 20 explicit-exit-notify 1
The "route" and "push" parts are what I'm having trouble understanding...
PLZ HALP
EDIT: My current understanding is, that when connected to the VPN remotely if I were to enter 192.168.0.4:8989 into my address bar, the VPN would send me through to my home network and the sonarr jail overwriting routing to any potential web UI's on the "Remote-local-network" while "google.com" would be ignored by the VPN and send me straight" through the wonders of the world wide web.
EDIT 2:
ipfw.rules:
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
Last edited:
Great tutorial.
I'll test it when I'll get the chance (time). :)
One security consideration.
Sending keys through email is not secure. Even with email server you control.
I recommend copying keys from your local FreeNAS jail to your local computer with something like WinSCP or some other secure means of transferring files from server to another device. ;)
I'll test it when I'll get the chance (time). :)
One security consideration.
Sending keys through email is not secure. Even with email server you control.
I recommend copying keys from your local FreeNAS jail to your local computer with something like WinSCP or some other secure means of transferring files from server to another device. ;)
SeaWolfX
Explorer
- Joined
- Mar 14, 2018
- Messages
- 65
Did you ever figure out what the problem with sending the email was? I am struggling with the same thing. It seems like the email is being sendt, but it is not received on the specified address (I have tired several). It does not end up in the Spam folder either. I have set up the System -> Email from the WebGUI and this works just fine. Are there any additional configurations to be done on order to send emails from a Jail? If I am not able to get the email functionality to work, what other options are there to retrieve the client files?
Similar threads
- Locked
