Last edited:
-
Important Announcement for The TrueNAS Community.
The TrueNAS Community has now been moved. This forum will now become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
Truenas 12 OpenVPN service testing
- Thread starter RaymondE
- Start date
mine upgraded without issues.
Thing is, i can connect and access SMB shares and GUI on windows/linux desktops(trough openvpn from remote location), but on android I can't access neither despite being able to ping in both directions, no errors or warnings in openvpn log.
Thing is, i can connect and access SMB shares and GUI on windows/linux desktops(trough openvpn from remote location), but on android I can't access neither despite being able to ping in both directions, no errors or warnings in openvpn log.
Are you able to share your client config? Did you make any changes?
Thank you for the additional server parameters. I can now ping my Freenas box that's where my access stops. I'm not able to get anywhere else on the Lan. In regards to the android issue are you using TAP? If you are it appears it's not compatible with Android or IOS.
I was able to get routing to my local network "working".
My Truenas is 10.15.207.10 on my lan, main nic is bge0
My VPN server is configured Server = 10.9.0.0/24, Device Type=TUN, Topolgy=SUBNET
Services > OpenVPN Server > Additional Parameters:
Create a file on the USB drive...Admittedly, I don't know where this should go. I put it in /data/ipfw.rules If there is a more proper place for me to store this file, please let me know.
/data/ipfw.rules
Create the following tunables
System > Tunables:
Reboot, once the machine is up, vpn in and try to access a machine on your LAN.
My Truenas is 10.15.207.10 on my lan, main nic is bge0
My VPN server is configured Server = 10.9.0.0/24, Device Type=TUN, Topolgy=SUBNET
Services > OpenVPN Server > Additional Parameters:
Code:
local 10.15.207.10 push "route 10.15.207.0 255.255.255.0" route 10.15.207.10 255.255.255.0 10.9.0.1 push "dhcp-option DNS 10.15.207.1"
Create a file on the USB drive...Admittedly, I don't know where this should go. I put it in /data/ipfw.rules If there is a more proper place for me to store this file, please let me know.
/data/ipfw.rules
Code:
ipfw -q -f flush ipfw -q nat 1 config if bge0 ipfw -q add nat 1 all from 10.9.0.0/24 to any out via bge0 ipfw -q add nat 1 all from any to any in via bge0
Create the following tunables
System > Tunables:
Code:
Variable=gateway_enable Value=yes Type=rc Description=ip forwarding Enabled=yes
Code:
Variable=firewall_enable Value=YES Type=rc Description=firewall for openvpn Enabled=yes
Code:
Variable=firewall_script Value=/data/ipfw.rules Type=rc Description=firewall rules for openvpn Enabled=yes
Reboot, once the machine is up, vpn in and try to access a machine on your LAN.
I've found bottlenecks when testing throughput of the OpenVPN. I've seen this in Freenas 11.3 as well. Scenario in Truenas is running the OpenVpn Server Service, scenario on Freenas was OpenVPN installed in an iocage jail with NAT & VNET.
LAN to LAN transfer to-from Truenas shows 105-110MB/s within my network (full utilization of my local 1gbps network).
In my testing (500/500 internet connection at my house) went to neighbor's house (500/500 internet at neighbor's house just down the street) I routinely saw 10-11MB/s on SCP of files to/from the NAS. While getting files inside a jail which has a mountpoint to the nas OR other machines on the LAN was yielding 30-35MB/s. Straight SCP using a DMZ to a computer on the LAN (bypassing VPN completely) yielded 50-55MB/s transfer.
I'm guessing there is something in the FreeBSD network tuning that just doesn't like routing files out the VPN interface faster than 100mbit...but I have no idea what the issue is. My work around is to host an iocage jail with a mountpoint. I still see vpn overhead (in theory max rates would be close to 60MB/s), but transfers are 30MB/sec which is 3X better than the 10MB/sec I see when hitting the storage pool directly over VPN .
LAN to LAN transfer to-from Truenas shows 105-110MB/s within my network (full utilization of my local 1gbps network).
In my testing (500/500 internet connection at my house) went to neighbor's house (500/500 internet at neighbor's house just down the street) I routinely saw 10-11MB/s on SCP of files to/from the NAS. While getting files inside a jail which has a mountpoint to the nas OR other machines on the LAN was yielding 30-35MB/s. Straight SCP using a DMZ to a computer on the LAN (bypassing VPN completely) yielded 50-55MB/s transfer.
I'm guessing there is something in the FreeBSD network tuning that just doesn't like routing files out the VPN interface faster than 100mbit...but I have no idea what the issue is. My work around is to host an iocage jail with a mountpoint. I still see vpn overhead (in theory max rates would be close to 60MB/s), but transfers are 30MB/sec which is 3X better than the 10MB/sec I see when hitting the storage pool directly over VPN .
tumpanaios
Cadet
- Joined
- Dec 7, 2018
- Messages
- 5
Alternatively if you do not want to do nat and enable firewalling on your freenas you can just enable the gateway_enable tunable and add a static route to your default router for the vpn network.
For your example adding :
Code:
push "route 10.15.207.0 255.255.255.0" push "dhcp-option DNS 10.15.207.1"
to Services > OpenVPN Server > Additional Parameters:
and static route
Code:
10.9.0.1/24 via 10.15.207.10
to your router will work without nating and firewalling . The source of the ip packets that local clients will receive will be of the vpn network .
This way you can add more 'pushed' networks to your ovpn clients if you have more vlans for example.
I've run into problems with this approach due to my terrible ISP provided router/gateway at the office. If I can persuade the boss to spring for a real router, I think this is certainly the way to go.
As it stands with my current fios G1100 router, I was able to get the route added and I have connectivity.
VPN clients ping LAN addresses.
LAN addresses can ping VPN clients.
LAN addresses can SSH into VPN clients
VPN clients can SSH into the NAS via the VPN subnet
VPN clients can SSH into the router/gateway
If immediately after reboot of a LAN computer, VPN clients can SSH into LAN Addresses
Aprox 30 seconds after boot, VPN clients fail to ssh into LAN addresses and receive: Connection reset by peer
I suspect the router is blocking access from my routed vpn subnet into the primary net. But, there is no packet filtering option in the "firewall" (and i use that term loosely) of the router.
ChrisChros
Patron
- Joined
- Nov 24, 2018
- Messages
- 218
Thanks for this explanation and guidance. It is exactly what I was looking for. Now I can access my Lan and Vlan's via OpenVPN connection.
albertredneck
Dabbler
- Joined
- Aug 27, 2019
- Messages
- 19
Just wanted to say that this method worked perfectly.
Add those 2 lines in the OpenVPN Server additional attributes, add the "gateway_enabled" tunable and add a static route entry in your router.
Thanks!
thierry333
Cadet
- Joined
- Dec 12, 2020
- Messages
- 8
Hi guys, I aslo have some issues with open VPN
I can connect to my VPN but I don't have acces to my local network by enterring IP adress. I can only reach Truenas on 10.8.0.1.
I would try Tumpanaios solution but I'm not sure of how to do it.
First I code the "gateway_enable" in system > Tunables
Then I code these two lignes below in Services > OpenVPN Server > Additional Parameters.
Finally I add a static route into my router parameter, is that right?
I'm not sure of the parameter like interface and metric.
Thanks in advance for the help.
ChrisChros
Patron
- Joined
- Nov 24, 2018
- Messages
- 218
What is your IP for TrueNAS and what is the Subnet for your VPN network.
thierry333
Cadet
- Joined
- Dec 12, 2020
- Messages
- 8
Truenas has IP 192.168.1.26 and the VPN 10.8.0.0
ChrisChros
Patron
- Joined
- Nov 24, 2018
- Messages
- 218
Hi @thierry333 ,
This is how I would config your system:
OpenVPN-Service Additional Parameters:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
Static Route:
Destination IP: 10.8.0.0/24
Gateway IP: 192.168.1.26
This is how I would config your system:
OpenVPN-Service Additional Parameters:
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.1"
Static Route:
Destination IP: 10.8.0.0/24
Gateway IP: 192.168.1.26
thierry333
Cadet
- Joined
- Dec 12, 2020
- Messages
- 8
Thanks forum the reply, so if I've good understood the gateway_enable is not needed.
One more point is the interface that I must choose and also the metric but auto should be good. Do you have an idea? IP_DATA?
ChrisChros
Patron
- Joined
- Nov 24, 2018
- Messages
- 218
the gateway_enable you have to enable.
regarding the interface you have to chose, i don't know. i am not familiar with your router.
regarding the interface you have to chose, i don't know. i am not familiar with your router.
