SOLVED Troubleshooting installing OpenVPN in a jail

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
Followed this well-established guide to start.

Since I clearly do not have remote access running (heh),
I'll post jail parameters later when I get local access.

.
.
.

With regard to:

SSH to your FreeNAS box and make some checks
Code:
% jls
JID  IP Address   Hostname        Path
...
5                 OpenVPN         /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any
# sockstat -4 -l
USER    COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194         *:*
root    syslogd  64803  7   udp4   *:514          *:*

Should I be seeing something under the sockstat -4 -l command?
(Restarted entire system.)

Code:
[root@Deetz ~]# iocage restart openVPN
* Stopping openVPN
  + Running prestop OK
  + Stopping services OK
  + Tearing down VNET OK
  + Removing devfs_ruleset: 6 OK
  + Removing jail process OK
  + Running poststop OK
* Starting openVPN
  + Started OK
  + Configuring VNET OK
  + Starting services OK
[root@Deetz ~]# iocage console openVPN
Last login: Sat Jan  5 15:39:56 on pts/1
root@openVPN:~ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
root@openVPN:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root@openVPN:~ #


.
.
.

Additionally, the subsequent instructions:

Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com

did not result in any email sent:

Code:
root@openVPN:~ # cd /usr/local/etc/openvpn/
root@openVPN:/usr/local/etc/openvpn # tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
root@openVPN:/usr/local/etc/openvpn # service sendmail onestart
Starting sendmail.Starting sendmail_msp_queue.
root@openVPN:/usr/local/etc/openvpn # mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
root@openVPN:/usr/local/etc/openvpn # mpack -s "Bibi40k OpenVPN files" Bibi40k.tar nate.kando@gmail.com
root@openVPN:/usr/local/etc/openvpn #


I assumed the command was to be run from the openVPN jail on the freeNAS server
and would result in an email sent to my personal email address (substituted for me@mydomain.com)

Nothing was found in my inbox or spam folder.

.
.
.

Less urgent matters, but still worth asking:

.
.
.

Relevant data to use later in this tutorial ( use your own, this is just for reference )
  1. Home Network: 192.168.1.0/24 ( LAN where is your FreeNAS )
  2. NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
  3. Domain: nas.mydomain.com
  4. VPN Server Port: 1194 UDP
  5. VPN Outside Access Port: 443 UDP
  6. Certificate Authority Password: Password1
  7. Bibi40k Client Certificate Password: Password2

• How complex should Password1 and Password2 be?

8 chars? 12? 16+?
Upper and lowercase?
Numbers?
Symbols?

• What are alternative NAT addresses one might use (and why)?
• What are alternative VPN server ports one might use (and why)?
• What are alternative VPN outside access ports one might use (and why)?
• What are alternatives to Bibi40k (why did you choose it)?

.
.
.

Use FreeNAS Web GUI
Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )

• Is VNET necessary if DHCP is not used?
 

Jopple

Cadet
Joined
Jan 22, 2019
Messages
2
Same position for me.

Typing in the following I get:-

# service openvpn start
Starting openvpn.
# service openvpn status
openvpn is not running.

Looking at the log file I have this:-

Jan 22 22:33:13 JP openvpn[5058]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 10 2019
Jan 22 22:33:13 JP openvpn[5058]: library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Jan 22 22:33:13 JP openvpn[5059]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Jan 22 22:33:13 JP openvpn[5059]: Diffie-Hellman initialized with 2048 bit key
Jan 22 22:33:13 JP openvpn[5059]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 22 22:33:13 JP openvpn[5059]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 22 22:33:13 JP openvpn[5059]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=
Jan 22 22:33:13 JP openvpn[5059]: Cannot allocate TUN/TAP dev dynamically
Jan 22 22:33:13 JP openvpn[5059]: Exiting due to fatal error

Found a reference to a TUN setting in the GUI, but I can't find it.
 

itskando

Typing in the following:

# service openvpn start
# service openvpn status

[...]

Looking at the log file:

I'm going to attempt to supplement your findings,
but first a couple of questions:

• Do you type the commands in the main shell or within the jail shell/console?
• What is the path of your log file?

• Any other debugging advice?
 

Jopple

Within the jail that OpenVPN should be running in.

I'm new to freenas, so fighting my way through as well! I have created 5 jails so far making the assumption that I was doing something wrong!
 

itskando

Typing in the following I get:-

# service openvpn start
Starting openvpn.
# service openvpn status
openvpn is not running.


Got the same things:

openVPN status:
Code:
root@openVPN:~ # service openvpn start
Starting openvpn.
root@openVPN:~ # service openvpn status
openvpn is not running.
Log 1:
./iocage/jails/openVPN/root/usr/local/etc/openvpn/openvpn-status.log
blank.
Log 2:
./iocage/jails/openVPN/root/var/log/openvpn.log

Code:
Jan 27 00:00:04 openVPN newsyslog[17181]: logfile turned over
Jan 27 18:32:14 openVPN openvpn[27113]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Jan 27 18:32:14 openVPN openvpn[27113]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Jan 27 18:32:14 openVPN openvpn[27114]: Diffie-Hellman initialized with 2048 bit key
Jan 27 18:32:14 openVPN openvpn[27114]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 18:32:14 openVPN openvpn[27114]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 18:32:14 openVPN openvpn[27114]: ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Jan 27 18:32:14 openVPN openvpn[27114]: Cannot allocate TUN/TAP dev dynamically
Jan 27 18:32:14 openVPN openvpn[27114]: Exiting due to fatal error
 

itskando

Jail parameters:
Code:
[root@Deetz ~]# iocage get all openVPN
CONFIG_VERSION:14
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:0
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:0
available:readonly
basejail:no
boot:on
bpf:no
children_max:0
cloned_release:11.2-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:192.168.86.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:openVPN
host_hostuuid:openVPN
host_time:yes
hostid:d3a23a44-8bf2-11e8-badd-0cc47a90dfc3
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|192.168.86.8/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/openVPN/data
jail_zfs_mountpoint:none
last_started:2019-01-10 03:11:36
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.2-RELEASE-p4
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:02ff60c1316e 02ff60c1316f
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:none
vnet_interfaces:none
wallclock:off

Suggested solution: Set jail parameter allow_tun to 1
To get OpenVPN to run under iocage with default settings ("cannot create TAP dynamically" exit error) I had to run from the NAS host (not within the jail):
Code:
iocage stop <jail-name>
iocage set allow_tun=1 <jail-name>
iocage start <jail-name>

Found out more about allow_tun here:

tun is a type of UNIX virtual network device (I think it's supposed to be an abbreviation of tunnel)... so "allow_tun" is a setting which allows the jail to make/use tun devices. (which is the default way that openvpn makes the virtual network).

The alternative to "allow_tun=1" is to set openvpn to make a "tap" device instead of a tun device, but that's not generally recommended.

I had to manually create a tun device and then assign openvpn to it in the config (instead of having it autoconfigure), and the first time I had openvpn connect to the tun, it totally killed all networking on my box and I had to login to the console via ipmi and reboot.

Overall, running openvpn inside an iocage jail is way more difficult than in a warden jail.
 

itskando

I tried allow_tun=1:
Code:
[root@Deetz ~]# iocage set allow_tun=1 openVPN
[root@Deetz ~]# iocage restart openVPN
* Stopping openVPN
  + Running prestop OK
  + Stopping services OK
  + Tearing down VNET OK
  + Removing devfs_ruleset: 6 OK
  + Removing jail process OK
  + Running poststop OK
* Starting openVPN
  + Started OK
  + Configuring VNET OK
  + Starting services OK
[root@Deetz ~]# iocage console openVPN

[...]

root@openVPN:~ # service openvpn status
openvpn is running as pid 47431.

This fixed the issue, but not everything:

Updated log: ./iocage/jails/openVPN/root/var/log/openvpn.log
Code:
Jan 27 00:00:04 openVPN newsyslog[17181]: logfile turned over
Jan 27 18:32:14 openVPN openvpn[27113]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Jan 27 18:32:14 openVPN openvpn[27113]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Jan 27 18:32:14 openVPN openvpn[27114]: Diffie-Hellman initialized with 2048 bit key
Jan 27 18:32:14 openVPN openvpn[27114]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 18:32:14 openVPN openvpn[27114]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 18:32:14 openVPN openvpn[27114]: ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Jan 27 18:32:14 openVPN openvpn[27114]: Cannot allocate TUN/TAP dev dynamically
Jan 27 18:32:14 openVPN openvpn[27114]: Exiting due to fatal error

Jan 27 21:04:15 openVPN openvpn[47430]: OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Jan 27 21:04:15 openVPN openvpn[47430]: library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Jan 27 21:04:15 openVPN openvpn[47431]: Diffie-Hellman initialized with 2048 bit key
Jan 27 21:04:15 openVPN openvpn[47431]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 21:04:15 openVPN openvpn[47431]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 21:04:15 openVPN openvpn[47431]: ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Jan 27 21:04:15 openVPN openvpn[47431]: TUN/TAP device /dev/tun0 opened
Jan 27 21:04:15 openVPN openvpn[47431]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jan 27 21:04:15 openVPN openvpn[47431]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Jan 27 21:04:15 openVPN openvpn[47431]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Jan 27 21:04:15 openVPN openvpn[47431]: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Jan 27 21:04:15 openVPN openvpn[47431]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Jan 27 21:04:15 openVPN openvpn[47431]: setsockopt(IPV6_V6ONLY=0)
Jan 27 21:04:15 openVPN openvpn[47431]: UDPv6 link local (bound): [AF_INET6][undef]:1194
Jan 27 21:04:15 openVPN openvpn[47431]: UDPv6 link remote: [AF_UNSPEC]
Jan 27 21:04:15 openVPN openvpn[47431]: GID set to nobody
Jan 27 21:04:15 openVPN openvpn[47431]: UID set to nobody
Jan 27 21:04:15 openVPN openvpn[47431]: MULTI: multi_init called, r=256 v=256
Jan 27 21:04:15 openVPN openvpn[47431]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jan 27 21:04:15 openVPN openvpn[47431]: IFCONFIG POOL LIST
Jan 27 21:04:15 openVPN openvpn[47431]: Initialization Sequence Completed
 

itskando

From perspective of guide's verification step ( sockstat -4 -l ):

Expected result within jail ( iocage console openVPN ) per this guide:
Code:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any

# sockstat -4 -l
USER    COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194         *:*
root    syslogd  64803  7   udp4   *:514          *:*
.

.

Result before above fix ( iocage set allow_tun=1 openVPN ):
Code:
root@openVPN:~ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any

root@openVPN:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root@openVPN:~ #
Incorrect: sockstat is empty.

.

Result after above fix ( iocage set allow_tun=1 openVPN ):
Code:
root@openVPN:~ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any

root@openVPN:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    47431 7  udp46  *:1194                *:*
Less incorrect(?): sockstat only has 1/2 users listed?
 

itskando

Tried openvpn --config /usr/local/etc/openvpn/openvpn.conf:
Code:
root@openVPN:~ # openvpn --config /usr/local/etc/openvpn/openvpn.conf
Sun Jan 27 22:18:49 2019 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Sun Jan 27 22:18:49 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Sun Jan 27 22:18:49 2019 Diffie-Hellman initialized with 2048 bit key
Sun Jan 27 22:18:49 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 27 22:18:49 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan 27 22:18:49 2019 ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Sun Jan 27 22:18:49 2019 TUN/TAP device /dev/tun1 opened
Sun Jan 27 22:18:49 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan 27 22:18:49 2019 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sun Jan 27 22:18:49 2019 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Sun Jan 27 22:18:49 2019 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Jan 27 22:18:49 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Jan 27 22:18:49 2019 Socket Buffers: R=[42080->42080] S=[9216->9216]
Sun Jan 27 22:18:49 2019 setsockopt(IPV6_V6ONLY=0)
Sun Jan 27 22:18:49 2019 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Sun Jan 27 22:18:49 2019 Exiting due to fatal error
Sun Jan 27 22:18:49 2019 Closing TUN/TAP interface
Sun Jan 27 22:18:49 2019 /sbin/ifconfig tun1 destroy

Source:
Based on OP advice from guide (to someone else):

remote nas.mydomain.com 443
nas.mydomain.com is your external IP (router's) from where you forward port 443 to your local 192.168.2.110:443

But before try to connect you should be able to run the server with
Code:
openvpn --config /usr/local/etc/openvpn/openvpn.conf
and see no error

Should I be concerned with:
Sun Jan 27 22:18:49 2019 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Code:
Sun Jan 27 22:18:49 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET6
[...]
Sun Jan 27 22:18:49 2019 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Sun Jan 27 22:18:49 2019 Exiting due to fatal error

Potential solution?:
I don't have IPV6 available;
why is openVPN attempting to use IPV6?

Could I force IPv4 by changing, in /usr/local/etc/openvpn/openvpn.conf,
proto udp to
proto udp4

Would this help anything?
 
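The three failures shown in the logs above (the "Cannot allocate TUN/TAP dev dynamically" exit before allow_tun=1, and the "route already in table" plus "Address already in use" pair when openvpn --config is run by hand while the rc service already holds tun0 and udp/1194) can be picked out of a saved log mechanically. The script below is an added diagnostic written for this page; it is not code from the thread, the guide or the OpenVPN project. It takes a log file and, optionally, a file holding the output of iocage get all <jail> (the key:value lines posted earlier) as arguments; those file names, and the hint wording, are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or the guide: classify the
# failures posted above from an OpenVPN log and from saved `iocage get all`
# output instead of reading them by eye. File names are arguments and are
# assumptions; in this thread the log is /var/log/openvpn.log inside the
# jail and the parameters come from `iocage get all openVPN` on the host.

# diagnose_openvpn_log LOGFILE
# Prints a hint for each known failure line; returns 1 if any was found.
diagnose_openvpn_log() {
    log="$1"; found=0
    if grep -q 'Cannot allocate TUN/TAP dev dynamically' "$log"; then
        echo "tun: the jail may not create tun devices; on the host: iocage set allow_tun=1 <jail>, then restart the jail"
        found=1
    fi
    if grep -q 'Address already in use' "$log"; then
        echo "bind: the port is already held, normally by the openvpn rc service; 'service openvpn stop' before running openvpn --config by hand"
        found=1
    fi
    if grep -q 'route already in table' "$log"; then
        echo "route: the 10.8.0.0/24 route is still installed by another instance or a previous run"
        found=1
    fi
    grep -q 'Initialization Sequence Completed' "$log" && echo "ok: an instance completed initialisation"
    return $found
}

# jail_param PARAMS_FILE KEY  -> value of KEY from saved `iocage get all` output (key:value lines)
jail_param() { sed -n "s/^$2:\(.*\)$/\1/p" "$1"; }

# check_jail_params PARAMS_FILE
# Returns 0 when the jail has what the setup in this thread needs.
check_jail_params() {
    p="$1"; rc=0
    if [ "$(jail_param "$p" allow_tun)" != "1" ]; then
        echo "allow_tun is '$(jail_param "$p" allow_tun)'; OpenVPN needs 1 to open /dev/tun0"; rc=1
    fi
    case "$(jail_param "$p" ip4_addr)" in
        ""|none) echo "ip4_addr is unset; the router needs a fixed jail address to forward 443/udp to"; rc=1 ;;
    esac
    return $rc
}

# Command-line use: sh diagnose.sh LOGFILE [PARAMS_FILE]
if [ $# -ge 1 ]; then
    diagnose_openvpn_log "$1"
    [ $# -ge 2 ] && check_jail_params "$2"
fi
```

Run it from the host as sh diagnose.sh /mnt/<pool>/iocage/jails/openVPN/root/var/log/openvpn.log params.txt after saving iocage get all openVPN to params.txt. A non-zero exit from either function means something in the list above still needs fixing; an "ok:" line with no failures is the state the guide's sockstat check expects. Note that the syslogd line the guide shows in sockstat will be absent whenever the jail's rc.conf carries syslogd_flags="-c -ss", because -ss tells syslogd not to open a network socket at all, so its absence is not a fault.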

itskando

Any files mentioned by Bibi40k when troubleshooting the same issue:

Printed to text, sans comments or empty lines, using
egrep -v '^(;|#|//)|^$' <filename>
(as described here with added ^$ here):

.

/usr/local/etc/openvpn/openvpn.conf:
Code:
root@openVPN:~ # egrep -v '^(;|#|//)|^$' /usr/local/etc/openvpn/openvpn.conf
port 1194
proto udp
dev tun
ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key  /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.86.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

/usr/local/etc/ipfw.rules:
Code:
root@openVPN:~ # egrep -v '^(;|#|//)|^$' /usr/local/etc/ipfw.rules
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

/etc/rc.conf:
Code:
root@openVPN:~ # egrep -v '^(;|#|//)|^$' /etc/rc.conf
host_hostname="openVPN"
cron_flags="$cron_flags -J 15"
sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
syslogd_flags="-c -ss"
ipv6_activate_all_interfaces="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

iocage list:
Not sure if previously installed plugins could affect anything,
but just for the record:

Code:
[root@Deetz ~]# iocage list
+-----+--------------+-------+--------------+---------------+
| JID |     NAME     | STATE |   RELEASE    |      IP4      |
+=====+==============+=======+==============+===============+
| -   | openVPN      | down  | 11.2-RELEASE | 192.168.86.8  |
+-----+--------------+-------+--------------+---------------+
| 1   | plex         | up    | 11.2-RELEASE | 192.168.86.10 |
+-----+--------------+-------+--------------+---------------+
| 3   | transmission | up    | 11.2-RELEASE | 192.168.86.11 |
+-----+--------------+-------+--------------+---------------+

ifconfig:
Code:
[root@Deetz ~]# ifconfig
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 0c:c4:7a:90:df:c3
        hwaddr 0c:c4:7a:90:df:c3
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect
        status: no carrier
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=2400b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,RXCSUM_IPV6>
        ether 0c:c4:7a:90:df:c2
        hwaddr 0c:c4:7a:90:df:c2
        inet 192.168.86.3 netmask 0xffffff00 broadcast 192.168.86.255
        nd6 options=9<PERFORMNUD,IFDISABLED>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:f7:27:82:b9:00
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0:3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 7 priority 128 path cost 2000
        member: vnet0:2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 6 priority 128 path cost 2000
        member: vnet0:1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 5 priority 128 path cost 2000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
vnet0:1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: plex
        options=8<VLAN_MTU>
        ether 02:ff:60:14:fa:09
        hwaddr 02:1a:d0:00:05:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
vnet0:2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: openVPN
        options=8<VLAN_MTU>
        ether 02:ff:60:c1:31:6e
        hwaddr 02:1a:d0:00:06:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
vnet0:3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: transmission
        options=8<VLAN_MTU>
        ether 02:ff:60:03:aa:46
        hwaddr 02:1a:d0:00:07:0a
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
Code:
root@openVPN:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:c1:31:6f
        hwaddr 02:1a:d0:00:07:0b
        inet 192.168.86.8 netmask 0xffffff00 broadcast 192.168.86.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 4393
 

itskando

Continuing the advice from kypdurron5:

Modified server config file: ./iocage/jails/openVPN/root/usr/local/etc/openvpn/openVPN.conf
Code:
cd /usr/local/etc/openvpn/
nano openVPN.conf #<openvpn.conf or whatever your server configuration file is...>

Add (as suggested near the top) to file:

Code:
local <IP address of the jail>

Modified client config file: ./iocage/jails/openVPN/root/usr/local/etc/openvpn/Biblio40k.conf
Code:
cd /usr/local/etc/openvpn/
nano Biblio40k.conf #<Biblio40k.conf or whatever your client configuration file is...>

Update remote <your internet domain or public (static) IP> 443 to:

Code:
remote <your internet domain or public (static) IP> 1194 # <1194 or whatever your server port number is...>

No changes.
Left both as is.

Update - I'm going to go back to 443, I think.
But I'm still leaving the local code as is.
 

itskando

Performed a diff of jail parameters between the openVPN jail and the plex and transmission plugin jails:

Jail parameters:
Code:
[root@Deetz ~]# iocage get all openVPN
CONFIG_VERSION:14
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:0
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:1
available:readonly
basejail:no
boot:on
bpf:no
children_max:0
cloned_release:11.2-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:192.168.86.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:openVPN
host_hostuuid:openVPN
host_time:yes
hostid:d3a23a44-8bf2-11e8-badd-0cc47a90dfc3
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|192.168.86.8/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/openVPN/data
jail_zfs_mountpoint:none
last_started:2019-01-10 03:11:36
login_flags:-f root
mac_prefix:02ff60
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.2-RELEASE-p4
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:jail
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:02ff60c1316e 02ff60c1316f
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:none
vnet_interfaces:none
wallclock:off

Code:
Coming soon.

Code:
Coming soon.

The only notable differences were that the plugins had:
basejail=1 and
allow_raw_sockets=1.
Everything else was pretty much the same,
except for naming and unique IP addresses.

I set allow_raw_sockets=1 but it didn't change anything.
What effect would setting basejail=1 have?

Someone mentioned forwarding ports on my router for the jail IP.
My router sees my freeNAS OS IP, and the plex and transmission plugin IPs.
It does not see the openVPN jail IP.
Is there some jail parameter or service that is necessary to advertise this?
 

itskando

Someone mentioned forwarding ports on my router for the jail IP.
My router sees my freeNAS OS IP, and the plex and transmission plugin IPs.
It does not see the openVPN jail IP.
Is there some jail parameter or service that is necessary to advertise this?

.
To port forward a jail on Google Wifi,
the jail needs to be actively transmitting for the app to find it.

Enter the jail (via iocage console openVPN)
then start a ping (via ping www.google.com).
Leave the ping running and the app should pick it up.

(Use Ctrl+C to stop/terminate the ping process.)

Forwarding internal port 443 and external port 1194 (UDP) did not fix anything.

Someone here mentioned that I need to use and reserve a DHCP address.
Didn't seem true, but I'll try it out eventually.
 

itskando

Someone here mentioned that I need to use and reserve a DHCP address.
Didn't seem true, but I'll try it out eventually.

Changed static IP address of jail to an address which is reserved for DHCP.
Reserved that address for the openVPN jail.
Not sure if this is what was intended.
No effect though.

(Port forwarding remained tied to this device.)
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
have you restarted your entire freenas (not just the jail) after applying your settings?

that's what tripped me up. and it continues to be a "bug". if you ever stop and start your jail, something about the openvpn network setup breaks. I can't explain what exactly the problem is, I just know that it only works after a full server reboot.
 

itskando

have you restarted your entire freenas (not just the jail) after applying your settings?

that's what tripped me up. and it continues to be a "bug". if you ever stop and start your jail, something about the openvpn network setup breaks. I can't explain what exactly the problem is, I just know that it only works after a full server reboot.

Hey guy, I'm totally familiar with your work. I've read every forum post in that guide thread up and down.
I definitely, after every single change I make, restart the entire system before checking for changes.
It's the only way to be sure, and with the amount of time sink I've put in,
I need to be absolutely sure, so I don't miss anything >.<

Thank you for your postings thus far.
I know whatever I'm missing, it has to be simple.

.

I started trying to connect with the client.
It goes to the nameserver and that directs it to the correct public IP.
But it never actually connects - something about a failed handshake timeout.

I tried with my macOS laptop on a separate network (using Tunnelblick).
I tried with my android phone using the OpenVPN app.

I tried consolidating my client files into one single client file, as expressed by @Bibi40k :
You generate all necessary files then you open the .conf file with ovpn. If it does not recognize .conf you rename it to .ovpn

If you want, you can also copy certificates from each file into .conf instead of that link/path.

It is the same thing

Bibi40k.conf
ca.crt
Bibi40k.crt
Bibi40k.key
ta.key


Example:

client
dev tun
proto udp
remote myserver.com 11941
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIJAPZi8xHec85GMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJPcGVu
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIecU3Dsb/F/UCAggA
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
ea2e6d2f985acdcdc716b6109b284e28
-----END OpenVPN Static key V1-----
</tls-auth>

Note the addition of auth-user-pass. I don't know why this was added. I think it MIGHT have been in the case of using a dynamic DNS, but I can't be sure.

No improvements.
 

gsrcrxsi

did you try the ipfw.rules file I posted?

it didn't work for me with the version posted in that install guide.

try this:

Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | cut -d' ' -f2)   # second interface listed (lo0 epair0b tun0)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | cut -d' ' -f3)     # third interface listed
ifconfig ${TUN} name tun0


the difference is in the second, and second to last line. use this version, then reboot your server and try.
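Both versions of ipfw.rules in this thread pick interfaces by guessing: the cut -d' ' -f2 / -f3 lines assume ifconfig -l always prints "lo0 epair0b tun0" in that order, and the guide's grep epair / grep tun returns every matching device, which breaks as soon as there are two (the manual openvpn --config run earlier opened tun1 while the service still held tun0). The helper below is an added example for this page, not code from the thread or the guide; it picks one interface by name prefix and fails with a distinct exit status instead of guessing. The function name and the exit codes are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the guide: choose an interface by name
# from an `ifconfig -l` list and refuse to guess when the match is not unique.
# The positional cut -d' ' -f2 / -f3 above assumes the order "lo0 epair0b tun0";
# a bare grep matches every tun device, and this thread already had tun0 and
# tun1 at once after the manual `openvpn --config` run.
# pick_iface PATTERN "IFACE LIST"  -> prints the single match; exit 1 none, 2 ambiguous

pick_iface() {
    pattern="$1"; list="$2"
    set -- $(printf '%s\n' $list | grep "^$pattern" || :)   # word-split the list on purpose
    case $# in
        1) printf '%s\n' "$1"; return 0 ;;
        0) echo "pick_iface: no interface matching '$pattern' in: $list" >&2; return 1 ;;
        *) echo "pick_iface: '$pattern' is ambiguous: $*" >&2; return 2 ;;
    esac
}

# In /usr/local/etc/ipfw.rules this replaces the two cut/grep lines (not run here):
#   IFACES=$(/sbin/ifconfig -l)
#   EPAIR=$(pick_iface epair "$IFACES") || exit 1
#   TUN=$(pick_iface tun "$IFACES")     || exit 1

# Stand-alone demo with the interface lists seen in this thread's jail:
if [ $# -eq 0 ]; then
    pick_iface epair 'lo0 epair0b tun0'                          # epair0b
    pick_iface tun   'lo0 epair0b tun0 tun1' || echo "exit $?"   # refuses, exit 2
fi
```

With the firewall script aborting on an ambiguous match, a leftover tun1 shows up as a failed firewall_script at boot rather than as NAT rules silently bound to the wrong interface, which is the kind of quiet breakage that otherwise only a full server reboot clears.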
 

gsrcrxsi

also for your vnet questions.

in the jail's settings click the VNET checkbox, and select 'vnet0' as the interface. then type whatever you want the IP address to be in the IPv4 line.

you also appear to be missing the first line of your server openvpn.conf file

Code:
local <JAIL-IP>
 