TrueNAS 12.0-U4 - OpenVPN Server - Routing to LAN, Monitoring, Setup Assistance

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
I am a newbie with TrueNAS.

I finally made the switch to TrueNAS and have now decommissioned both my Netgear ReadyNAS and SBS2011 box and combined all
services on a single TrueNAS Server.

Server : HP ML110 G7 Server
Intel(R) Xeon(R) CPU E31240 @ 3.30GHz
32 Gb RAM
128Gb Samsung SSD (Boot Disk)
4 x 6Tb (RAIDZ2) = Approx 11Tb of avail space in a single DATA pool

So far so good and all is setup and functioning across my LAN. Base LAN : 192.168.20.0/24

Services configured and working so far are : SMB, PlexServer and Virtual VMs, and WebDAV for a particular Windows share which I want accessible
remotely in READ ONLY mode.

I am running Platform: Generic
Version: TrueNAS-12.0-U4

** Slight issue - With OpenVPN Server **

I have managed to setup the native OpenVPN Server Service and have a Windows Client connecting via the Windows X64 OpenVPN client.
CA Cert and Client Certs were generated and I followed most steps from the following YouTube link.


And all working correctly with the remote windows client pc being allocated an IP Address in the 192.168.1.0/24 range.

I have a couple of Q's.

There are numerous articles with setup of OpenVPN server on FreeNAS 11.3 inside a jail with various methods.
The OpenVPN Server setup which is built into TrueNAS 12.0-U4 appears fairly straightforward.

Q1. Once the VPN Tunnel is established, I can ping services direct on the TrueNAS Server via the OpenVPN gateway.
In my case, the pc is given a remote IP : 192.168.1.2 and the gateway across the VPN = 192.168.1.1

So I can easily connect to services direct on : 192.168.1.1

SMB shares work ok etc.

FROM THE REMOTE PC VPN CONNECTED CLIENT
- I cannot route any traffic across the VPN (192.168.1.2) to my 192.168.20.0/24 network.
- The TrueNAS Server has an internal IP Address of : 192.168.20.22
- I can however connect to the TrueNAS Web GUI on 192.168.1.1, then open a SHELL prompt and able to ping 192.168.20.x devices.

I would like the ability to connect to any 192.168.20.0/x network device within my LAN once the OpenVPN is established.

What changes are required, to what device (TrueNAS, Internet Router or local endpoint pc)?

I have tried to add a static route on the local pc pre an OpenVPN Client connection as follows :

cmd.exe (Run as administrator)
route add 192.168.20.0/24 192.168.1.2
Then launch an OpenVPN connection and still unable to get to 192.168.20.x devices. 192.168.1.1 (NAS IP services still ok)

Do I need to add a static route into the routing table on my Internet Router?
Or is there some other FreeBSD file with the TrueNAS OS that needs editing for the routing to work between the 192.168.1.x and 192.168.20.x network?

Appears lots of people are having a similar problem with routing and there needs to be a simple solution to this.

This is a simple single class C 1x subnet network on the LAN, then OpenVPN uses a 2nd subnet.
Need to be able to route traffic between the two?

Q2. Once an OpenVPN client connection is established to the TrueNAS server, is there a way to monitor which clients or attempted
VPN connections are being made on the TrueNAS server?

I have tried to research this and have NOT found a TrueNAS add-in, GUI that will show this.

So with the OpenVPN Server Service is running - How can remote connections be monitored / disconnected etc.. on TrueNAS or from the
TrueNAS Web GUI?


Q3. In addition to the built in OpenVPN Server Service which is included in 12.0-U4, there is an add-in OpenVPN Server.

I have not yet installed this, but thinking it's not required.
Or will this plug in provide further functionality and monitoring?

If installed, will it break the built in OpenVPN Server Service? (Which is already running and working)
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
This doesn't have anything to do with FreeNAS/TrueNAS. This is "how does networking with multiple subnets work".

Q1. Once the VPN Tunnel is established, I can ping services direct on the TrueNAS Server via the OpenVPN gateway.
In my case, the pc is given a remote IP : 192.168.1.2 and the gateway across the VPN = 192.168.1.1

Yup.

So I can easily connect to services direct on : 192.168.1.1

SMB shares work ok etc.

FROM THE REMOTE PC VPN CONNECTED CLIENT
- I cannot route any traffic across the VPN (192.168.1.2) to my 192.168.20.0/24 network.

This is (probably) INcorrect. Traceroute just to be certain, but as long as you are seeing a first hop that shows the NAS, you are in fact routing traffic across the VPN **TO** your 192.168.20.0/24 network.

Note that I say **TO**. It's the "from" that is killing you.

- The TrueNAS Server has an internal IP Address of : 192.168.20.22
- I can however connect to the TrueNAS Web GUI on 192.168.1.1, then open a SHELL prompt and able to ping 192.168.20.x devices.

I would like the ability to connect to any 192.168.20.0/x network device within my LAN once the OpenVPN is established.

What changes are required, to what device (TrueNAS, Internet Router or local endpoint pc)?

Very good, you haven't assumed a particular device to be at fault.

So the problem here is that the devices on your 192.168.20.*/24 network do not know how to return traffic to your VPN network -- EXCEPT for the NAS host itself, which naturally knows this because it set up the circuit.

I have tried to add a static route on the local pc pre an OpenVPN Client connection as follows :

cmd.exe (Run as administrator)
route add 192.168.20.0/24 192.168.1.2
Then launch an OpenVPN connection and still unable to get to 192.168.20.x devices. 192.168.1.1 (NAS IP services still ok)

The local PC with the OpenVPN client? Wrong place. You have sort-of the right idea though.

You need to make sure that the VPN client traffic heads to the NAS. If you can ping both 192.168.20.22 and 192.168.1.1 from the client, your client is probably just fine. Do not create any additional routes that you do not actually need to, this is more likely to mess things up than to help.

Do I need to add a static route into the routing table on my Internet Router?

YES.

Or is there some other FreeBSD file with the TrueNAS OS that needs editing for the routing to work between the 192.168.1.x and 192.168.20.x network?

No. That's not how static routing works. It IS how dynamic routing works; those of us who do network design professionally would indeed announce the route from the host that can provide the route, but this assumes a lot of working bits on your network like an interior gateway protocol, that don't exist on your network. You don't need to know this, but I just wanted you to get the gist that this isn't a bad idea conceptually. Unfortunately FreeNAS/TrueNAS do not support dynamic routing protocols. Most things don't. This isn't shocking but it is unfortunate.

Appears lots of people are having a similar problem with routing and there needs to be a simple solution to this.

YES! This has got to be one of the most basic OpenVPN implementation issues.

This is a simple single class C 1x subnet network on the LAN, then OpenVPN uses a 2nd subnet.
Need to be able to route traffic between the two?

That is correct. So what is happening to you is that your VPN client is sending a packet to, let's say, 192.168.20.50, it goes to the NAS host, the NAS host sends it to 192.168.20.50, 192.168.20.50 then generates a response. 192.168.20.50 has a default route that points to, I'm guessing here, 192.168.20.1, which is your NAT gateway to the Internet (the device people mistakenly call a "router"). The NAT gateway goes "huh whadooidowiththis" and drops it.

So there are two possible fixes here, both subpar (but also not exclusive choices).

One is to configure 192.168.20.50 to send its reply traffic for 192.168.1.0/24 to 192.168.20.22. This is optimal for reply traffic, but ONLY works for this one host. You'd need to do it manually for each host on 192.168.20.0/24.

The other is to configure 192.168.20.1 (the NAT gateway) to route 192.168.1.0/24 to 192.168.20.22. This is suboptimal for reply traffic, because it means that the traffic will go from 192.168.20.50->192.168.20.1->192.168.20.22. This is a "hairpin fix" and will cause additional load on the NAT gateway.

In a dynamic interior routing environment, each node learns its routing and optimizes it, but you don't really have that option.
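jgreco's forward-path versus reply-path explanation above, as an added example that is not part of the thread: a small Python longest-prefix-match model of this topology that traces a packet hop by hop and shows the reply dying at the NAT gateway, then the two fixes (a static route on the gateway, or on the LAN host) and the "hairpin" that the gateway fix produces. Node names, the LAN host 192.168.20.50 (jgreco's example), the `hotspot`/`internet` sinks and the NAS `fwd` flag (standing in for FreeBSD's net.inet.ip.forwarding sysctl) are constructed for the model.

```python
import ipaddress

# Constructed model of the thread's topology: each node owns some addresses,
# has a forwarding flag (for the NAS this is the net.inet.ip.forwarding
# tunable) and a routing table of (prefix, next-hop node); a next hop of
# None means "directly attached, deliver on the link".
def build_nodes(nas_forwarding=True, gateway_route=False, host_route=False):
    nodes = {
        "client": {"addrs": {"192.168.1.2"}, "fwd": False, "routes": [
            ("192.168.1.0/24", None),        # tun link to the NAS
            ("192.168.20.0/24", "nas"),      # pushed "route 192.168.20.0 255.255.255.0"
            ("0.0.0.0/0", "hotspot")]},
        "nas": {"addrs": {"192.168.1.1", "192.168.20.22"}, "fwd": nas_forwarding, "routes": [
            ("192.168.1.0/24", None), ("192.168.20.0/24", None), ("0.0.0.0/0", "gateway")]},
        "lanhost": {"addrs": {"192.168.20.50"}, "fwd": False, "routes": [
            ("192.168.20.0/24", None), ("0.0.0.0/0", "gateway")]},
        "gateway": {"addrs": {"192.168.20.1"}, "fwd": True, "routes": [
            ("192.168.20.0/24", None), ("0.0.0.0/0", "internet")]},
        # Sinks: neither the hotspot nor the Internet routes RFC1918 space.
        "hotspot": {"addrs": set(), "fwd": True, "routes": []},
        "internet": {"addrs": set(), "fwd": True, "routes": []},
    }
    if gateway_route:  # jgreco's "hairpin fix": static route on the NAT gateway
        nodes["gateway"]["routes"].append(("192.168.1.0/24", "nas"))
    if host_route:     # jgreco's per-host fix, repeated on every LAN host
        nodes["lanhost"]["routes"].append(("192.168.1.0/24", "nas"))
    return nodes

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix wins, whatever its order."""
    d, best = ipaddress.ip_address(dst), None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best

def owner(nodes, addr):
    """Node that owns an address, or None if nobody on the model has it."""
    return next((n for n, v in nodes.items() if addr in v["addrs"]), None)

def trace(nodes, src_node, dst, max_hops=8):
    """Walk a packet from src_node towards dst; return (path, outcome)."""
    path, here = [src_node], src_node
    for _ in range(max_hops):
        node = nodes[here]
        if dst in node["addrs"]:
            return path, "delivered"
        if here != src_node and not node["fwd"]:
            return path, "dropped: forwarding disabled"
        match = lookup(node["routes"], dst)
        if match is None:
            return path, "dropped: no route"
        nxt = match[1] if match[1] is not None else owner(nodes, dst)
        if nxt is None:
            return path, "dropped: no such host on link"
        path.append(nxt)
        here = nxt
    return path, "dropped: hop limit"

if __name__ == "__main__":
    print("forward:", trace(build_nodes(), "client", "192.168.20.50"))
    print("reply, no fix:", trace(build_nodes(), "lanhost", "192.168.1.2"))
    print("reply, gateway route:", trace(build_nodes(gateway_route=True), "lanhost", "192.168.1.2"))
    print("reply, host route:", trace(build_nodes(host_route=True), "lanhost", "192.168.1.2"))
```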
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Thanks JGRECO.

I have made little progress, and still not working.

I have found reference to the following post :
https://www.truenas.com/community/threads/openvpn-server-routing-on-truenas-12-0-u1-1.90723/

WRT your comments, makes perfect sense.

The details and changes required from the above post are shown below.

In more detail further below with some results.

My LAN

Default Gateway: 192.168.20.250 (This is my Internet Router – Sagecom Modem)
Mask: 255.255.255.0
DNS servers: 192.168.20.250
TrueNAS: 192.168.20.22

I have the OpenVPN server setup and my client can connect OK.

I still cannot connect to other devices on the LAN.

Once the OpenVPN Client connection is established, I can ping and get to services on IP : 192.168.1.1 and now also on 192.168.20.22.

BUT I STILL CANNOT GET TO ANYTHING past the TrueNAS Box on the LAN side (192.168.20.0/24)

My PC - Once an OpenVPN Client connection is established (Via HotSpot)

IP Address given : 192.168.1.2
Gateway : 192.168.1.1

My OpenVPN SERVER configuration

1624781292047.png


The additional parameters added as follows : (as suggested in the other post)

push "route 0.0.0.0 0.0.0.0"
push "route 192.168.1.0 255.255.255.0" # My OpenVPN transfer net
push "route 192.168.20.0 255.255.255.0" # My remote network I want to connect to
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.20.250" # The DNS Server on my remote network (my Optus Modem)

Tunable (TrueNAS has been rebooted)

1624781347572.png


Variable: net.inet.ip.forwarding
Value: 1
Type: SYSCTL
Description: Enable IP Forwarding between LAN-OpenVPN
Enabled: Yes

Routes displayed on client pc which is connected to a mobile iPhone Hotspot.

ROUTE PRINT OUTPUT

===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 175.40.20.1 175.40.20.6 35
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.2 281
0.0.0.0 128.0.0.0 192.168.1.1 192.168.1.2 281
42.162.201.11 255.255.255.255 175.40.20.1 175.40.20.6 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
128.0.0.0 128.0.0.0 192.168.1.1 192.168.1.2 281
175.40.20.0 255.255.255.240 On-link 175.40.20.6 291
175.40.20.6 255.255.255.255 On-link 175.40.20.6 291
175.40.20.15 255.255.255.255 On-link 175.40.20.6 291
192.168.1.0 255.255.255.0 On-link 192.168.1.2 281
192.168.1.0 255.255.255.0 192.168.1.1 192.168.1.2 281
192.168.1.2 255.255.255.255 On-link 192.168.1.2 281
192.168.1.255 255.255.255.255 On-link 192.168.1.2 281
192.168.20.0 255.255.255.0 192.168.1.1 192.168.1.2 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.1.2 281
224.0.0.0 240.0.0.0 On-link 175.40.20.6 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.1.2 281
255.255.255.255 255.255.255.255 On-link 175.40.20.6 291
===========================================================================


IPCONFIG /ALL
(From a Windows 10 Client PC once the OpenVPN Client Session is established)


Unknown adapter Local Area Connection 2: (THIS IS THE OPENVPN IP DETAILS)

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-91-60-35-12
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe90::4d2a:4136:ae10:dab8%14(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, 27 June 2021 2:49:23 PM
Lease Expires . . . . . . . . . . : Monday, 27 June 2022 2:49:22 PM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.254
DHCPv6 IAID . . . . . . . . . . . : 436273022
DHCPv6 Client DUID. . . . . . . . : 00-01-01-00-28-2D-6A-09-BE-A6-CF-30-C7-25
DNS Servers . . . . . . . . . . . : 192.168.20.250
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 5: (INTERNET GATEWAY IP via iPhone Smart Phone)

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Apple Mobile Device Ethernet #3
Physical Address. . . . . . . . . : FE-48-CA-25-A1-2F
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fa80::bc3b:66a3:3206:793f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 175.40.20.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Lease Obtained. . . . . . . . . . : Sunday, 27 June 2021 2:20:15 PM
Lease Expires . . . . . . . . . . : Monday, 28 June 2021 2:05:50 PM
Default Gateway . . . . . . . . . : 175.40.20.1
DHCP Server . . . . . . . . . . . : 175.40.20.1
DHCPv6 IAID . . . . . . . . . . . : 872313476
DHCPv6 Client DUID. . . . . . . . : 00-01-01-00-04-2D-5A-09-FE-66-CF-30-C7-25
DNS Servers . . . . . . . . . . . : 175.40.20.1
NetBIOS over Tcpip. . . . . . . . : Enabled


Static Route Entered on my Internet Modem (Sagecom) = 192.168.20.250 (LAN)


1624781693570.png


(Showing the Route Table on the Modem)

1624781711981.png


RESULTS
With the VPN Established on the Client PC via iPhone HotSpot.

I can ping : 192.168.1.1
I can ping : 192.168.20.22
I can access services on the TrueNAS box : \\192.168.20.22\xxx

I still CANNOT access anything outside the NAS IP : 192.168.20.22.

Cannot ping 192.168.20.250 or print to : 192.168.20.55

What I am missing?
Or have I made an error somewhere in my config and changes?
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Thought I'd also add the client .OVPN file contents below.

Do I need to add anything towards the top of the .OVPN file.

client
dev tun
proto udp
port 1194
remote "remote.dnsname.com.au"
user nobody
group nobody
persist-key
persist-tun

<ca>
-----BEGIN CERTIFICATE-----
blahblah
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
blahblah
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
blahblah
-----END PRIVATE KEY-----
</key>

verb 3
remote-cert-tls server
auth SHA1
cipher AES-256-CBC

<tls-crypt>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
blahblah
-----END OpenVPN Static key V1-----
</tls-crypt>
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
Hi all - Thought I'd share the following 2x YouTube videos. They are excellent and have worked a treat!

How to configure OpenVPN on TrueNas 12 - Setup you own Home VPN
Part 1
Part 2

All configured in Part 1 - static route + tunables are required.
Then if all LAN traffic via VPN is ok and Internet browsing via the remote PC Internet gateway is required (Not routed via the OpenVPN gateway), then you need to remove the line

push "redirect-gateway def1 bypass-dhcp"

in the TrueNAS WebGui - Services - OpenVPN server - Click the pencil and in the Additional parameters section - remove the above line.

Download the xxx.ovpn file, and import into OpenVPN GUI. - LAN traffic and local internet PC traffic also works ok.
If you are using OpenVPN Connect Client - Then LAN traffic works, but no internet traffic.

I found that the OpenVPN GUI works for both LAN and Internet traffic (With the exported xxx.ovpn file)
The same xxx.ovpn file - only LAN traffic works and no internet traffic with the OpenVPN Client Connect Application.

Have posted this in the OpenVPN.net forum and not had a solution to this issue yet.
 

awh3r

Cadet
Joined
Dec 17, 2020
Messages
6
Hi all - Thought I'd share the following 2x YouTube videos. They are excellent and have worked a treat!

How to configure OpenVPN on TrueNas 12 - Setup you own Home VPN
Part 1
Part 2

All configured in Part 1 - static route + tunables are required.
Then if all LAN traffic via VPN is ok and Internet browsing via the remote PC Internet gateway is required (Not routed via the OpenVPN gateway), then you need to remove the line

push "redirect-gateway def1 bypass-dhcp"

in the TrueNAS WebGui - Services - OpenVPN server - Click the pencil and in the Additional parameters section - remove the above line.

Download the xxx.ovpn file, and import into OpenVPN GUI. - LAN traffic and local internet PC traffic also works ok.
If you are using OpenVPN Connect Client - Then LAN traffic works, but no internet traffic.

I found that the OpenVPN GUI works for both LAN and Internet traffic (With the exported xxx.ovpn file)
The same xxx.ovpn file - only LAN traffic works and no internet traffic with the OpenVPN Client Connect Application.

Have posted this in the OpenVPN.net forum and not had a solution to this issue yet.

I followed these instructions and I can get to my TrueNAS server and only the TrueNAS server, no internet traffic and I can't reach my resources on my internal LAN subnet. Any thoughts?
This has been the most frustrating setup with TrueNAS I have ever encountered, any help would be greatly appreciated.
 

dcs730

Dabbler
Joined
Jun 26, 2021
Messages
22
I followed these instructions and I can get to my TrueNAS server and only the TrueNAS server, no internet traffic and I can't reach my resources on my internal LAN subnet. Any thoughts?
This has been the most frustrating setup with TrueNAS I have ever encountered, any help would be greatly appreciated.

I followed most of the instructions in PART 1, cert setup, but instead of installing OpenVPN Client Connect, I downloaded and installed the OpenVPN GUI software and used the xxx.ovpn file.
Changes to the tunables require a reboot of the TrueNAS box.
The static route is also required.

I had a similar scenario to you with other possible solutions I followed in these forums - Then it wasn't until I came across the PART 1 YouTube video which makes the TrueNAS box the gateway for the OpenVPN connection. These are the reasons why tunables and a static route are required. And as mentioned, these changes require a TrueNAS reboot.

The OpenVPN Client Connect Software on the client pc fails to browse the internet, but local LAN resources are ok.

Hope this helps.
 

Ac1dburn

Cadet
Joined
Jan 11, 2022
Messages
7
@dcs730 @awh3r
I have an update which i hope helps everyone running into this issue. I also had problems connecting to the internet with openvpn server on truenas after following the setup from - https://www.youtube.com/watch?v=YEkfW4aC9Rk

After hours of trial and error it seems at least on my end that it was due to a routing issue.

As you can see in this screenshot after running Netstat -r I have two different IP’s :
one being 192.168.2.10 and 172.16.0.0

FDDEAE65-11A1-4CB3-AE6C-9654514BBC98.jpeg

As directed by the video we all added in the additional parameters:

Code:
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"


This obviously like everyone else made you run into the wall of not being able to connect to the internet.
However, there is one line missing to complete the routing on my end at least.
after adding:

server 172.16.0 255.255.255.0

Note: do not use a capital "S" as it will not work
D031DBE0-C0B8-4AF9-8161-E58DFA24131D.jpeg
Hope this helps !
 

Ac1dburn

Cadet
Joined
Jan 11, 2022
Messages
7
There is one last thing I forgot to mention. This allows you to connect to the internet; however, there is still an issue with connecting with certain plugins. I am still working on this but it seems as though if there is a box with a NAT connection you would not be able to connect to that plugin. There is a workaround that I've been using. Instead of having that jail set up as NAT I went into the settings and changed it to DHCP.

If you know a way to correct the NAT problem let me know.
 

awh3r

Cadet
Joined
Dec 17, 2020
Messages
6
There is one last thing I forgot to mention. This allows you to connect to the internet; however, there is still an issue with connecting with certain plugins. I am still working on this but it seems as though if there is a box with a NAT connection you would not be able to connect to that plugin. There is a workaround that I've been using. Instead of having that jail set up as NAT I went into the settings and changed it to DHCP.

If you know a way to correct the NAT problem let me know.
I rebuilt my TrueNAS server, went through the entire setup and still I cannot connect.
 

Ac1dburn

Cadet
Joined
Jan 11, 2022
Messages
7
@awh3r can you share your whole setup? Show me your OpenVPN server setup, static IP, tunables, screenshot of interfaces and netstat -r
 

diegod

Cadet
Joined
Mar 9, 2022
Messages
2
Has anyone been able to have this working? I can access my TrueNas GUI but nothing else. I need to tunnel the internet traffic through the VPN server.
 

carol

Cadet
Joined
Apr 1, 2022
Messages
6
@dcs730 @awh3r
I have an update which i hope helps everyone running into this issue. I also had problems connecting to the internet with openvpn server on truenas after following the setup from - https://www.youtube.com/watch?v=YEkfW4aC9Rk

After hours of trial and error it seems at least on my end that it was due to a routing issue.

As you can see in this screenshot after running Netstat -r I have two different IP’s :
one being 192.168.2.10 and 172.16.0.0

View attachment 52215

As directed by the video we all added in the additional parameters:

Code:
push "route 192.168.2.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"


This obviously like everyone else made you run into the wall of not being able to connect to the internet.
However, there is one line missing to complete the routing on my end at least.
after adding:



Note: do not use a capital "S" as it will not work
View attachment 52217
Hope this helps !
Thank you so much, after hours of trying and wandering, that did the trick. Great stuff!
Thanks a million.
 

carol

Cadet
Joined
Apr 1, 2022
Messages
6
Thank you so much, after hours of trying and wandering, that did the trick. Great stuff!
Thanks a million.
Celebrated too fast, only one IP address has access to the internet, the first one; all subsequent addresses (clients) are blocked.
So back to square one.
 

carol

Cadet
Joined
Apr 1, 2022
Messages
6
what do you mean by only one IP has access?
Let's say that the first client (certificate) gets an IP address of 17.16.0.2. He can successfully connect to the server from inside or outside the network.
The second client (certificate) gets an IP address of 17.16.0.3; that address connects but disconnects after a while with the error "Session invalidated: KEEPALIVE_TIMEOUT".
Only one IP works regardless of the settings or IP addresses.
Attached is the client openvpn.log
 

Attachments: OpenVPN.pdf (32.6 KB)

Ac1dburn

Cadet
Joined
Jan 11, 2022
Messages
7
Ya, I wasn't about to correct that but I haven't really attempted. This fix was specifically for users that could not get any internet access at all due to a routing issue. Your issue, if I'm understanding correctly, is for multiple VPN connections, which would be a separate issue.
 