TrueNAS and OpenVPN client configuration

fre_

Cadet
Joined
May 10, 2021
Messages
4
I have fixed that problem, you need to add a dummy key. The VPN provider doesn't care about it, it will be just used for the encryption tunnel.

Can you provide us a dummy private key?
I googled for some private keys, but whatever private keys I found, the TrueNAS interface keeps telling me that "A valid private key is required, with a passphrase if one has been set."
For example this private key will not be accepted:
(can be found here: https://gist.github.com/renatolfc/f6c9e2a5bd6503005676)

 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,737
You need to generate a matching pair of private and public keys. You can do that in the TrueNAS UI under System --> CAs and System --> Certificates.
 

fre_

Cadet
Joined
May 10, 2021
Messages
4
You need to generate a matching pair of private and public keys. You can do that in the TrueNAS UI under System --> CAs and System --> Certificates.

Under System -> CA, I've created a new CA (NordVPN_CA). There I selected "import CA" and I filled in the certificate that I could extract from the ovpn configuration file I received from NordVPN. NordVPN does not give a Private Key in their configuration file, so I cannot fill in the Private Key field under CA. (see screenshot1 attached)

Then I go to system -> Certificates -> Add -> import certificate. There I can fill in the same certificate as I filled in in the CA, but I really don't know which private key I have to fill in there. (see screenshot2 attached)

How/where exactly do you generate this private key?
 

Attachments: Capture.JPG, Capture2.JPG

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,737
You need to create a new certificate and key for your client to use. Each end of an OpenVPN connection needs its own private key and the partner's public one.

So you need to create your own CA, not import theirs. Then use that CA to create your own cert and matching private key.
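
What creating your own CA and a matching client certificate and private key amounts to, shown with the openssl command line rather than the TrueNAS UI. This is an added example, not part of any post in this thread; the CN values and file names are constructed placeholders. The last two functions check the "matching pair" property: a private key only pairs with the certificate that carries its public key.

```shell
#!/bin/sh
# Added example. CN values and file names are constructed placeholders.

# make_client_pki DIR: create a private CA, then a client key and a
# certificate for it signed by that CA. All keys are generated locally.
make_client_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Self-signed CA certificate with its own new key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Client private key plus a signing request for the matching public key.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=truenas-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    # The CA signs the request, producing the client certificate.
    openssl x509 -req -in "$dir/client.csr" -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/client.key"
}

# key_matches_cert KEY CERT: succeeds only when the public key derived from
# KEY is the one embedded in CERT.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# issued_by CA_CERT CERT: succeeds when CERT chains to CA_CERT.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

After `make_client_pki ./pki`, `key_matches_cert ./pki/client.key ./pki/client.crt` succeeds, while the same key checked against `./pki/ca.crt` fails because that certificate carries a different public key.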
 

fre_

Cadet
Joined
May 10, 2021
Messages
4
You need to create a new certificate and key for your client to use. Each end of an OpenVPN connection needs its own private key and the partner's public one.

So you need to create your own CA, not import theirs. Then use that CA to create your own cert and matching private key.

Thank you very much for your time and effort.

I'm a little bit confused because in the overview section of this topic, the instructions for the new CA as well as for the new certificate both say to import CA / import certificate.

Nevertheless, I tried to follow your instructions, so I created:

- a new CA (Nordvpn_CA) (screenshot1)

- a new certificate where I chose "internal Certificate" and profile "openvpn client certificate". The signing Certificate Authority is the newly created Nordvpn_CA. (screenshot 2)

Then under services I fill in all parameters (screenshot3)

When I turn the switch to activate the OPENVPN CLIENT service, it runs, but when I do an IP address check (curl ifconfig.me) it returns my ISP IP address, and not the IP address of the VPN.

So something is not right in my settings, I'm still looking where exactly.
 

Attachments: Capture.JPG, Capture2.JPG, Capture3.JPG

usergiven

Dabbler
Joined
Jul 15, 2015
Messages
47
Assuming the OpenVPN client is correctly configured and up and running under Services, I assume this would only cover the TrueNAS network connection, not any jails that have their own DHCP assignment. Correct? If so, is there a way to configure the jails to direct any non-LAN request through the OpenVPN client?
 

paradoxiom

Patron
Joined
Jun 16, 2015
Messages
239
Is it possible to use this with PIA VPN?

Their OpenVPN config files don't contain <cert> or <key>, eg:

"client
dev tun
proto udp
remote uk-domain port
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-256-cbc
auth sha256
tls-client
remote-cert-tls server

auth-user-pass
compress
verb 1
reneg-sec 0
<crl-verify>
-----BEGIN X509 CRL-----

-----END X509 CRL-----
</crl-verify>

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>

disable-occ"
 

loupqhc

Dabbler
Joined
Jul 22, 2021
Messages
13
Hello, I get the same problem as others. My VPN provider just gives a Certificate, an OpenVPN Static Key V1, and a username and password. But no PRIVATE KEY. So I can't create a Certificate, and the CA that I've created is only made from the Certificate given by the VPN provider. It looks like this:
1628237848752.png

What can I do for the certificate now? I need a Private Key but I do not have one:
1628237956476.png

I tried with a dummy private key, but it doesn't work.
HELP ME PLEASE

Assuming the OpenVPN client is correctly configured and up and running under Services, I assume this would only cover the TrueNAS network connection, not any jails that have their own DHCP assignment. Correct? If so, is there a way to configure the jails to direct any non-LAN request through the OpenVPN client?
I am also asking myself the same question. Will all jails have the same public IP provided by the VPN, or just the TrueNAS part?

Thanks! o_O o_O
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
I've run into the same confusion as others trying to use third party VPN providers.

Possible to get a variation of the tutorial that shows how to set up third party VPN (where user/pass is used and private key needs generation)?
 

Pitfrr

Wizard
Joined
Feb 10, 2014
Messages
1,523
That would probably be a nice addition but unfortunately, I don't have/use a third party VPN provider so I wouldn't be able to update the tutorial for that... :frown:
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
That would probably be a nice addition but unfortunately, I don't have/use a third party VPN provider so I wouldn't be able to update the tutorial for that... :frown:

No worries. Thank you for this tutorial!
 

vincentchua

Cadet
Joined
Nov 14, 2023
Messages
3
I am using a Pritunl OpenVPN server.
My TrueNAS is able to connect,
but the Pritunl server is showing not connected and this error:
[restless-waves-1164] 2023-11-16 00:25:45 Authenticate/Decrypt packet error: packet HMAC authentication failed
[restless-waves-1164] 2023-11-16 00:25:45 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:203.125.36.22:29262

Can anyone help?