Truenas 12 OpenVPN service testing

Joined
Feb 5, 2021
Messages
2
3) input the following line by line into the shell. Change 10.8.8.0/24 to whatever you configured OpenSSH to use for VPN devices and NAME_OF_POOL to the correct location of your ipfwrules.sh that you decided above in the Tunables.
Hello, should i change "10.8.8.0/24" to my open VPN server ip? Maybe i misunderstood you.
 

cascer1

Cadet
Joined
Mar 8, 2021
Messages
1
Hmm, is there a way to delete/edit my post above? Made some changes/fixes to my post and want to update as follows:


Sharing to all my personal experience:
So based on input from this thread and others, I think everything is working the way I want where ALL traffic goes through the VPN. I've tried signing into my VPN via my mobile wireless (LTE) connection from my Samsung Galaxy S10+ using Android OpenVPN and it appears to be working. I had to do the following to get it to work:

1) Setup the OpenVPN CA using the OpenVPN CA template.

2) Setup the OpenVPN Server Certificate using the OpenVPN Server template.

3) Setup the OpenVPN Client Certificate using the OpenVPN Client template.
(There is a video walkthrough guide for steps 1-3 above on YouTube.)

4) Forward the appropriate port from your router to your TrueNAS server IP. 1194 is the default port so I just stuck with that. My TrueNAS server's IP on my LAN is 192.168.0.2 (yes, I know, I should change it to something else that is unlikely to be used in the outside world... I will in due time.)

Once I confirmed the above was working and I could connect from my phone to my VPN, I disconnected and got to the real work, namely routing everything through the VPN, which is where I think most people get the hangup.

1) From TrueNAS WebGUI, go to System->Tunables and add the following 3 tunables:
Code:
Variable: firewall_enable
Value: yes
Type: rc.conf
Description: enable firewall

Code:
Variable: gateway_enable
Value: yes
Type: rc.conf
Description: enable gateway

Code:
Variable: firewall_script
Value: /mnt/NAME_OF_POOL/ipfwrules.sh
Type: rc.conf
Description: ipfw script to execute at boot time. I put it in the pool to ensure that it carries should I have to reinstall and restore from a config.


2) Open a console/shell. Personally, I SSH in with PuTTY as root. But the WebGUI Shell will suffice.

3) Input the following line by line into the shell. Change 10.8.8.0/24 to whatever you configured OpenSSH to use for VPN devices and NAME_OF_POOL to the correct location of your ipfwrules.sh that you decided above in the Tunables.

Code:
cd /mnt/NAME_OF_POOL
echo ipfw -q -f flush > ipfwrules.sh
echo ipfw -q nat 1 config if re0  >> ipfwrules.sh
echo ipfw -q add nat 1 all from 10.8.8.0/24 to any out via re0  >> ipfwrules.sh
echo ipfw -q add nat 1 all from any to any in via re0  >> ipfwrules.sh
chmod 755 ipfwrules.sh


4) Under the OpenVPN server settings, put the following in additional parameters:

Code:
push "redirect-gateway def1"
push "remote-gateway vpn_server_ip"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
duplicate-cn


The last line for "duplicate-cn" is only if you want to have the same user client/certificate be used simultaneously by multiple devices. (i.e. I use the same client configuration for my laptop and my smartphone, so this option must be included. Otherwise, OpenVPN will assign the same IP address to both devices and cause a conflict and cease working correctly.)

5) Save and download the new Client Configuration, choosing the correct Certificate.

6) Restart the TrueNAS server

7) EDIT the client configuration file with a text editor and change the line that starts with "remote" to reflect the correct address whether it is a static IP address or the Dynamic DNS you have setup. I use dynamic DNS so mine looks like so:
Code:
remote "mydomain.privatedns.org"


8) Test connect. Hopefully it works for you!

Note how I did NOT make any configuration changes to my router other than the port forwarding. I do NOT have any static routes setup anywhere, and I believe this should work fine as the TrueNAS server is performing NAT for anything originating to and going back to a VPN device.

Good luck!


Hi!

After setting this up, all the vpn clients show up as originating from the primary TrueNAS IP in my network. I tried setting up the nat to use a different IP (by adding "ip 192.168.1.30" to the nat config line). Now my vpn clients show up as originating from that IP, but jails are no longer able to connect to each other.

Is there some way to make the nat only apply to vpn clients?

Thanks!
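As an added example (not code from the thread or from TrueNAS), a POSIX sh script that reproduces the rule set from step 3 for a given interface and VPN subnet, validates both inputs, and checks an rc.conf-style file for the three tunables from step 1, including whether firewall_script points at an executable file. The function names and the sample file contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. valid_cidr, gen_ipfw_rules,
# check_tunables and demo are names assumed here. gen_ipfw_rules prints the
# same four ipfw lines the post echoes into ipfwrules.sh; check_tunables
# verifies an rc.conf-style file carries the three tunables and that
# firewall_script points at an executable file.

# Accept a.b.c.d/n with each octet 0-255 and n 0-32. A typo here would
# otherwise yield a NAT rule that matches no VPN client at all.
valid_cidr() {
    ip=${1%/*}; bits=${1#*/}
    [ "$ip" != "$1" ] || return 1                      # no "/" present
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    set -- $(printf '%s' "$ip" | tr . ' ')             # split on dots
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the rule set the post writes to ipfwrules.sh for interface $1 and
# VPN client subnet $2 (the post uses re0 and 10.8.8.0/24).
gen_ipfw_rules() {
    case "$1" in ''|*[!a-z0-9]*) echo "bad interface: $1" >&2; return 1 ;; esac
    valid_cidr "$2" || { echo "bad CIDR: $2" >&2; return 1; }
    printf 'ipfw -q -f flush\n'
    printf 'ipfw -q nat 1 config if %s\n' "$1"
    printf 'ipfw -q add nat 1 all from %s to any out via %s\n' "$2" "$1"
    printf 'ipfw -q add nat 1 all from any to any in via %s\n' "$1"
}

# Read an rc.conf-style file and report which of the three tunables is wrong.
# Returns 0 only when firewall_enable and gateway_enable are yes and the
# firewall_script path exists and is executable, so a wrong path or wrong
# case shows up here instead of silently at boot.
check_tunables() {
    rc=$1; problems=""
    for v in firewall_enable gateway_enable; do
        val=$(sed -n "s/^${v}=\"*\([A-Za-z]*\)\"*.*/\1/p" "$rc" | tail -n 1)
        case "$val" in [Yy][Ee][Ss]) ;; *) problems="$problems $v=${val:-unset}" ;; esac
    done
    script=$(sed -n 's/^firewall_script="*\([^" ]*\)"*.*/\1/p' "$rc" | tail -n 1)
    if [ -z "$script" ]; then
        problems="$problems firewall_script=unset"
    elif [ ! -x "$script" ]; then
        problems="$problems firewall_script=not-executable:$script"
    fi
    [ -z "$problems" ] && return 0
    echo "tunable problems:$problems" >&2
    return 1
}

# Constructed sample files (not real TrueNAS paths) so the checks run offline.
demo() {
    tmp=$(mktemp -d) || return 1
    gen_ipfw_rules re0 10.8.8.0/24 > "$tmp/ipfwrules.sh" && chmod 755 "$tmp/ipfwrules.sh"
    printf 'firewall_enable="yes"\ngateway_enable="yes"\nfirewall_script="%s"\n' \
        "$tmp/ipfwrules.sh" > "$tmp/good.rc"
    # gateway_enable off and a path that does not exist: both must be reported.
    printf 'firewall_enable="yes"\ngateway_enable="no"\nfirewall_script="%s"\n' \
        "$tmp/missing/ipfwrules.sh" > "$tmp/bad.rc"
    check_tunables "$tmp/good.rc" || return 1
    check_tunables "$tmp/bad.rc" 2>/dev/null && return 1
    rm -rf "$tmp"
    return 0
}

if [ "${1:-}" = "--demo" ]; then demo && echo "checks passed"; fi
```

Run the script with `--demo` to exercise both checks on the constructed sample files; point check_tunables at your own rc.conf-style file to verify the tunables you entered.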
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
Thanks so much for these steps. I can connect to my VPN but for some reason I can't connect to the internet while connected. I set up everything you said, I only have one doubt. I didn't set any OpenVPN SSH up, is that needed? How do I do that? I did all I see in your steps, nothing more, and in the ipfwrules.sh I put my OpenVPN local subnet address instead of 10.8.8.0/24. Thanks in advance, I've been fighting with it for some days.
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
UPDATE: I noticed that, using the ipfw list command, the output is exactly the same whether I load the ipfwrules.sh file (from the tunables) or not. It doesn't seem to add the values I set. That would explain why it doesn't work. Weird...
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
[really sorry about multiposting, but I can't find any edit button]
UPDATE2: now it works, by executing manually the script from the WebUI shell, but looks like for some reason it won't execute automatically on boot. I don't know what to do, everything looks correct in the tunables section, unless I need to change something from when those instructions were posted. I'm on TrueNAS CORE 12.0 RELEASE.
 

invar

Dabbler
Joined
Jan 23, 2021
Messages
36
Check path and casing, spaces, etc. for the firewall_script tunable.... That's all I can suggest.
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
Sadly, even running a cat of the path copy-pasted from the tunable, it opens just fine. So weird. I kind of worked around it by scheduling a cron job for the script, running every day at 8AM. Running that cron job manually works, so it should also work automatically. Sadly it's not the same thing though. I even tried with an init script setting, but even in that case it doesn't work.
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
What do you mean by individually? All the three tunables are enabled
Final update: turning DHCP off and setting a static IP local address (which I didn't before because I did that on the router side) fixed the issue. I believe that now the script isn't needed at all, to be honest.
 

Piereligio

Dabbler
Joined
Mar 9, 2021
Messages
13
Ok FINAL FINAL update, this time for real:
the tunables were indeed necessary and working, the solution was to disable DHCP and set static IP. Basically DHCP for some reason would change the IP inside the ipfw config. @invar thanks a lot for your steps, the script and availability.
 

Glen62

Cadet
Joined
Mar 9, 2021
Messages
6
So I've just been directed to this thread in the hopes that it will solve my problem accessing Truenas SMB shares via OpenVPN tunnel on iPhone. I've gone through the first steps above as per Invar's post (adding in the tuneables) and did a restart just for the fun of it, and then opened a shell from my main computer into the Truenas system. As soon as I try to change directory I get hit with a "no file or directory found" error. The pool is there as it is one of three that are fully searchable via any of my systems on the network. I am new to this Linux type OS so maybe I'm missing something totally obvious, but not sure what.
I've tacked on a snip of my pools and of my root directory if anyone can offer any idea(s). Thanks.
 

Attachments: Snip 1.PNG, Snip 2.PNG

invar

Dabbler
Joined
Jan 23, 2021
Messages
36
Case sensitive maybe? Media is not the same as media.

cd /mnt
ls
 

Glen62

Cadet
Joined
Mar 9, 2021
Messages
6
You nailed it. I did not know that I had to be case sensitive, although I should have known.
Thanks.
 

Sasquatch

Explorer
Joined
Nov 11, 2017
Messages
87
Now comes the tricky question:
how to stop the OpenVPN client service from stopping at any sign of trouble.
Every time my dynamic IP changes there is around a minute of delay before DNS updates.
That's enough for the service to stop, and I have to restart it manually, a pain in the ass if you ask me.
Is there a way to make the client retry the connection indefinitely?
 

awh3r

Cadet
Joined
Dec 17, 2020
Messages
6

Thank you for your instructions. I can get my internet traffic to route through the VPN server; however, I cannot reach any of my local IP addresses.
I have tried multiple configurations and I get the same result.
 

Sethz

Dabbler
Joined
Nov 11, 2021
Messages
11
TrueNAS-12.0-U7
OK. Strange issue I am trying to work out.

push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
duplicate-cn ---- (really only added to test a one certificate client setup)

Static routes IP/gateway set (VPN Server IP) -- VPN GATEWAY ROUTE
All CA/Certificates done
All Tunables done

4 Client Certificates setup as well..
Port forwarding done etc
Edit to add internet facing IP etc

ALL connects remotely and works.. IP given x.x.5.2

Local access/ internet access all good.

The issue starts when I connect a second (or further) machine, using the same client certificate or even a different client certificate.

The 2nd and/or 3rd machine gets an IP x.x.5.3, x.x.5.4 etc. So yay, one would think all good. BUT.

Only the first machine with x.x.5.2 works; the 2nd and/or 3rd machine on x.x.5.3 etc. cannot get out to the internet, and the local network only kind of works.

So in short all works, as long as only one damned machine is connected.. What am I doing wrong do you think?
 

huseyinozsut

Dabbler
Joined
Jul 12, 2021
Messages
24
Hi,

Thank you for your efforts. I was able to establish a connection between server and client; but I was having an interesting problem and I couldn't find any solution. So I implemented your solution. I believe I did something wrong, because I was not able to connect after I implemented your way.

My problem: The openvpn client was disconnecting and connecting in every 42 seconds (exactly 42 seconds). I tried a few things; but could not solve it.

Now, I want to roll back your settings. I removed the tunables. Then I removed the OpenVPN additional parameters. But I don't know how to rollback the codes I entered to Powershell... I am a total noob about Linux so... :grin: By the way I didn't have a backup for my settings; but I can re-install Truenas if needed.

If you can help me out I will appreciate it very much.
 

zgn

Cadet
Joined
Mar 8, 2022
Messages
7
I'm having the same issue. Were you able to resolve it? I would be willing to pay someone to assist if they have time. Thanks
 