TrueNAS Jail VPN Routing from Jail; SetFib? Proper routing and Firewalls?

FindingFilene

Dabbler
Joined
Nov 25, 2020
Messages
20
Hi there, everybody. There are a lot of conversations about this, so I'm about to throw my hat into the ring. Here's a bunch of smileys to help people who are going to come by this thread in the future to recognize it:
:mad:
:cool::confused::eek:o_Oo_Oo_O:frown::mad:o_O:confused::cool::tongue::grin::oops::rolleyes::rolleyes:o_O

Ok. Moving on.


I have a TrueNAS 12 system running a jail with a torrent client. Let's not worry about the torrent client right now, because no sustained VPN traffic is making it out of the jail after the initial connection. I'll put a link (here) if I manage to progress this discussion enough to where I'm comfy getting the torrent client working.

I've been frustrated with the torrent client, because as all good internet denizens know, the last thing you want is your actual IP to be shared anywhere on the internet. It's possible to expose your actual IP using torrenting, even though it's beneficial to expose how to address you when torrenting since you can connect to other torrent swarms and find torrents you're looking for in those neighborly DHT nodes. Without DHT, and without seeding, it's very likely that whatever torrenting connection you're using will drain with speed, or fail to download 100% of the torrents you're looking for.

So here comes my TrueNAS 12 system. In my jail, I have an OpenVPN client that runs at start to connect to a torrent-friendly VPN. After it starts, though, the VPN shortly disconnects. This is because the VPN says no ping communication has kept the connection alive, and so it terminates the VPN tunnel.

Anybody can guess that this is a big networking headache. I have to send packets from the jail, out of the TrueNAS server, to the router, out to the VPN, and then through that VPN to the torrenting trackers and DHT nodes. Then, once I'm getting information from the VPN, it needs to make its way back in through the Router, to the TrueNAS host, and then when arriving at the TrueNAS host, gets routed into the jail properly.

I have a virtual ethernet mac address for the Jail, so the TrueNAS server is setting a custom address for the Jail service. I have "allow_raw_sockets" set, I have a setfib set to 1, I have allow_tun.

For tunables on the TrueNAS system, I have net.fibs set to 4. I don't have any other tunables.

Code:
Routing tables (fib: 1)
Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.21.5.1          UGS        tun0
default            192.168.0.1        UGS     epair0b
10.21.5.0/24       10.21.5.1          UGS        tun0
10.21.5.1          link#4             UH         tun0
102.xxx.xxx.xxx/32  192.168.0.1        UGS     epair0b
localhost          link#1             UH          lo0
128.0.0.0/1        10.21.5.1          UGS        tun0

Now, my IPtables (ipfw) rule list looks like this:

Code:
ipfw list
00001 allow ip from any to any via lo0
00010 allow log ip from any to any via tun0
00101 allow log ip from me to 192.168.0.0/24 uid torrentuser
00102 allow log ip from 192.168.0.0/24 to me uid torrentuser
00103 deny log ip from any to any uid torrentuser
10000 allow log ip from any to any


So, I think the routing table is what's having an issue, because none of these routes show up on the TrueNAS host containing the jail, and I'm having a hard time seeing the destination IP (102.xxx.xxx.xxx) showing up on my router *or* in the security logs of the TrueNAS server.

I really hope somebody can help me figure out what's going on. Thank you.

~Filene

Edit #1: Bolded and italicized post content to emphasize and de-emphasize text.

Volts

Patron
Joined
May 3, 2021
Messages
210
I have a setfib set to 1

Why? From your description I don't believe this is needed.

A common pattern is a jail with VNET enabled, VPN client in the jail, app in the jail.
That provides a simple isolated network stack from the host.

none of these routes show up on the TrueNAS host containing the jail, and I'm having a hard time seeing the destination IP (102.xxx.xxx.xxx) showing up on my router

Good!

"Inner" VPN addresses shouldn't be visible from those network locations.

Because the VPN is encrypted, it just looks like packets going between the VPN provider's IPs and the jail's LAN IP. Only the VPN provider and the jail VPN client are aware of those "inner" addresses.

After it starts, though, the VPN shortly disconnects.

Does the VPN ever work, at all? Does it work "for a while" before disconnecting?
After it connects, can you ping, from within the jail, to 10.21.5.1?

Suggestions:

1. Use VNET for the jail if you aren't already
2. Disable setfib
3. Reboot the whole host, and try again
4. Share VPN client logs and VPN client status after connecting
 

FindingFilene

Thank you, @Volts, I'll give all this a shot in a bit after changing the setfibs. (Setfibs was originally to configure the VPN on the host as a client, and have the jail use the setfib of the VPN routing table as the in and out. Didn't work I think, somehow.)
 

FindingFilene

Here you are, @Volts, and other folk visiting this post.

In the following log files, my local net has been changed to 192.168.0.1, my local jail name was changed, and my remote address has had the last 3 address points removed (to 212.0.0.0)

Before we get to the content of logs, let me repeat what I'm thinking:

1. In the routing table, I see "Foreign address" with the actual external VPN host listed. However, I don't see this host come up in any of the system logs of my router--shouldn't it show up *somewhere*?
2. I made a request to an IP-checking host. When I did, it prolonged the one-minute Ping timeout that disconnects me.
3. Checking the host running the jail, there are now IPfw logs of packets being rejected or dropped during this period.

It's my opinion that, somehow, my router is failing to keep this hole-punched NAT connection going, which is why the VPN's ping keep-alives don't make it through the wall. I could be mistaken, and it's the TrueNAS host itself that's doing this--I can't tell.



Code:
netstat -an

Contents:
Code:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)  
tcp4       0      0 192.168.0.4.36115      212.0.0.0.443      ESTABLISHED
tcp4       0      0 192.168.0.4.8112       192.168.0.34.47532     TIME_WAIT
tcp4       0      0 192.168.0.4.8112       192.168.0.33.28789     TIME_WAIT
tcp4       0      0 127.0.0.1.58846        127.0.0.1.10004        ESTABLISHED
tcp4       0      0 127.0.0.1.10004        127.0.0.1.58846        ESTABLISHED
tcp4       0      0 *.8112                 *.*                    LISTEN    
tcp4       0      0 127.0.0.1.58846        *.*                    LISTEN    
tcp4       0      0 192.168.0.4.55331      *.*                    LISTEN    
tcp4       0      0 127.0.0.1.55331        *.*                    LISTEN    
udp4       0      0 *.6771                 *.*                  
udp4       0      0 *.6771                 *.*                  
udp4       0      0 192.168.0.4.45579      *.*                  
udp4       0      0 192.168.0.4.55331      *.*                  
udp4       0      0 127.0.0.1.55331        *.*                  
Active UNIX domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn             Refs          Nextref Addr
fffff8003932b600 stream      0      0                0 fffff80040149500                0                0
fffff80040149500 stream      0      0                0 fffff8003932b600                0                0
fffff80039d1a100 dgram       0      0                0 fffff80051cb1200                0 fffff805eb4feb00
fffff805eb4feb00 dgram       0      0                0 fffff80051cb1200                0 fffff80051c92d00
fffff80051c92d00 dgram       0      0                0 fffff80051cb1200                0                0
fffff80051cb1200 dgram       0      0 fffff8014355b960                0 fffff80039d1a100                0 /var/run/logpriv
fffff80039532100 dgram       0      0 fffff8014355bb40                0                0                0 /var/run/log

Code:
netstat -r

Contents:
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.16.5.1          UGS        tun0
default            192.168.0.1        UGS     epair0b
10.16.5.0/24       10.16.5.1          UGS        tun0
10.16.5.1          link#4             UH         tun0
10.16.5.216        link#4             UHS         lo0
localhost          link#1             UH          lo0
128.0.0.0/1        10.16.5.1          UGS        tun0
192.168.0.0/24     link#3             U       epair0b
192.168.0.4        link#3             UHS         lo0
212.0.0.0/32   192.168.0.1        UGS     epair0b

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
localhost          link#1             UH          lo0
::ffff:0.0.0.0/96  localhost          UGRS        lo0
2000::/3           tun0               US         tun0
fe80::/10          localhost          UGRS        lo0
fe80::%lo0/64      link#1             U           lo0
fe80::1%lo0        link#1             UHS         lo0
ff02::/16          localhost          UGRS        lo0

Code:
cat /var/log/messages

(Limited to only the VPN messages)
Contents:
Code:
Nov  8 01:53:28 torrenJail openvpn[2297]: SIGTERM[soft,ping-exit] received, process exiting
Nov  8 09:43:12 torrenJail openvpn[51707]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Nov  8 09:43:12 torrenJail openvpn[51707]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Nov  8 09:43:12 torrenJail openvpn[51707]: WARNING: file 'client.key' is group or others accessible
Nov  8 09:43:12 torrenJail openvpn[51707]: WARNING: file '/configs/vpn-data/user.conf' is group or others accessible
Nov  8 09:43:12 torrenJail openvpn[51707]: Current Parameter Settings:
Nov  8 09:43:12 torrenJail openvpn[51707]:   config = '/configs/vpn-data/openvpn.ovpn'
Nov  8 09:43:12 torrenJail openvpn[51707]:   mode = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   show_ciphers = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   show_digests = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   show_engines = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   genkey = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   genkey_filename = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   key_pass_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   show_tls_ciphers = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   connect_retry_max = 0
Nov  8 09:43:12 torrenJail openvpn[51707]: Connection profiles [0]:
Nov  8 09:43:12 torrenJail openvpn[51707]:   proto = tcp-client
Nov  8 09:43:12 torrenJail openvpn[51707]:   local = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   local_port = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote = 'XXREMOTE_HOSTXX'
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_port = '443'
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_float = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   bind_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   bind_local = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   bind_ipv6_only = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   connect_retry_seconds = 5
Nov  8 09:43:12 torrenJail openvpn[51707]:   connect_timeout = 120
Nov  8 09:43:12 torrenJail openvpn[51707]:   socks_proxy_server = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   socks_proxy_port = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   tun_mtu = 1500
Nov  8 09:43:12 torrenJail openvpn[51707]:   tun_mtu_defined = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   link_mtu = 1500
Nov  8 09:43:12 torrenJail openvpn[51707]:   link_mtu_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tun_mtu_extra = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   tun_mtu_extra_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   mtu_discover_type = -1
Nov  8 09:43:12 torrenJail openvpn[51707]:   fragment = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   mssfix = 1450
Nov  8 09:43:12 torrenJail openvpn[51707]:   explicit_exit_notification = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_auth_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   key_direction = not set
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_crypt_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_crypt_v2_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]: Connection profiles END
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_random = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ipchange = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   dev = 'tun'
Nov  8 09:43:12 torrenJail openvpn[51707]:   dev_type = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   dev_node = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   lladdr = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   topology = 1
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_local = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_remote_netmask = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_noexec = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_nowarn = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_local = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_netbits = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_remote = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   shaper = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   mtu_test = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   mlock = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   keepalive_ping = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   keepalive_timeout = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   inactivity_timeout = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   inactivity_minimum_bytes = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_send_timeout = 5
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_rec_timeout = 60
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_rec_timeout_action = 1
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_timer_remote = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   remap_sigusr1 = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   persist_tun = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   persist_local_ip = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   persist_remote_ip = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   persist_key = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   passtos = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   resolve_retry_seconds = 1000000000
Nov  8 09:43:12 torrenJail openvpn[51707]:   resolve_in_advance = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   username = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   groupname = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   chroot_dir = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   cd_dir = '/configs/vpn-data/'
Nov  8 09:43:12 torrenJail openvpn[51707]:   writepid = '/var/run/openvpn.pid'
Nov  8 09:43:12 torrenJail openvpn[51707]:   up_script = '/configs/update-resolv-conf/update-resolv-conf.sh'
Nov  8 09:43:12 torrenJail openvpn[51707]:   down_script = '/configs/update-resolv-conf/update-resolv-conf.sh'
Nov  8 09:43:12 torrenJail openvpn[51707]:   down_pre = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   up_restart = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   up_delay = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   daemon = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   inetd = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   log = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   suppress_timestamps = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   machine_readable_output = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   nice = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   verbosity = 4
Nov  8 09:43:12 torrenJail openvpn[51707]:   mute = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   gremlin = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   status_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   status_file_version = 1
Nov  8 09:43:12 torrenJail openvpn[51707]:   status_file_update_freq = 60
Nov  8 09:43:12 torrenJail openvpn[51707]:   occ = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   rcvbuf = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   sndbuf = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   sockflags = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   fast_io = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   comp.alg = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   comp.flags = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_script = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_default_gateway = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_default_metric = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_noexec = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_delay = 5
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_delay_window = 30
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_delay_defined = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_nopull = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   route_gateway_via_dhcp = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   allow_pull_fqdn = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   [redirect_default_gateway local=0]
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_addr = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_port = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_user_pass = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_log_history_cache = 250
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_echo_buffer_size = 100
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_write_peer_info_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_client_user = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_client_group = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   management_flags = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   shared_secret_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   key_direction = not set
Nov  8 09:43:12 torrenJail openvpn[51707]:   ciphername = 'AES-256-CBC'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ncp_enabled = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
Nov  8 09:43:12 torrenJail openvpn[51707]:   authname = 'SHA256'
Nov  8 09:43:12 torrenJail openvpn[51707]:   prng_hash = 'SHA1'
Nov  8 09:43:12 torrenJail openvpn[51707]:   prng_nonce_secret_len = 16
Nov  8 09:43:12 torrenJail openvpn[51707]:   keysize = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   engine = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   replay = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   mute_replay_warnings = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   replay_window = 64
Nov  8 09:43:12 torrenJail openvpn[51707]:   replay_time = 15
Nov  8 09:43:12 torrenJail openvpn[51707]:   packet_id_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   test_crypto = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_server = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_client = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ca_file = 'ca.crt'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ca_path = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   dh_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   cert_file = 'client.crt'
Nov  8 09:43:12 torrenJail openvpn[51707]:   extra_certs_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   priv_key_file = 'client.key'
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs12_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   cipher_list = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   cipher_list_tls13 = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_cert_profile = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_verify = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_export_cert = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   verify_x509_type = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   verify_x509_name = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   crl_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ns_cert_type = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_cert_ku = 65535
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_cert_ku = 0
Nov  8 09:43:12 torrenJail syslogd: last message repeated 14 times
Nov  8 09:43:12 torrenJail openvpn[51707]:   remote_cert_eku = 'TLS Web Server Authentication'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ssl_flags = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_timeout = 2
Nov  8 09:43:12 torrenJail openvpn[51707]:   renegotiate_bytes = -1
Nov  8 09:43:12 torrenJail openvpn[51707]:   renegotiate_packets = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   renegotiate_seconds = 3600
Nov  8 09:43:12 torrenJail openvpn[51707]:   handshake_window = 60
Nov  8 09:43:12 torrenJail openvpn[51707]:   transition_window = 3600
Nov  8 09:43:12 torrenJail openvpn[51707]:   single_session = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_peer_info = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_exit = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tls_crypt_v2_metadata = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_protected_authentication = DISABLED
Nov  8 09:43:12 torrenJail syslogd: last message repeated 15 times
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_private_mode = 00000000
Nov  8 09:43:12 torrenJail syslogd: last message repeated 15 times
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_cert_private = DISABLED
Nov  8 09:43:12 torrenJail syslogd: last message repeated 15 times
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_pin_cache_period = -1
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_id = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   pkcs11_id_management = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_network = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_netmask = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_network_ipv6 = ::
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_netbits_ipv6 = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_bridge_ip = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_bridge_netmask = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_bridge_pool_start = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   server_bridge_pool_end = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_start = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_end = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_netmask = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_persist_filename = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_pool_persist_refresh_freq = 600
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_pool_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_pool_base = ::
Nov  8 09:43:12 torrenJail openvpn[51707]:   ifconfig_ipv6_pool_netbits = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   n_bcast_buf = 256
Nov  8 09:43:12 torrenJail openvpn[51707]:   tcp_queue_limit = 64
Nov  8 09:43:12 torrenJail openvpn[51707]:   real_hash_size = 256
Nov  8 09:43:12 torrenJail openvpn[51707]:   virtual_hash_size = 256
Nov  8 09:43:12 torrenJail openvpn[51707]:   client_connect_script = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   learn_address_script = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   client_disconnect_script = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   client_config_dir = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   ccd_exclusive = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   tmp_dir = '/tmp'
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_local = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_remote_netmask = 0.0.0.0
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_ipv6_defined = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_ipv6_local = ::/0
Nov  8 09:43:12 torrenJail openvpn[51707]:   push_ifconfig_ipv6_remote = ::
Nov  8 09:43:12 torrenJail openvpn[51707]:   enable_c2c = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   duplicate_cn = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   cf_max = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   cf_per = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   max_clients = 1024
Nov  8 09:43:12 torrenJail openvpn[51707]:   max_routes_per_client = 256
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_user_pass_verify_script = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_user_pass_verify_script_via_file = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_token_generate = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_token_lifetime = 0
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_token_secret_file = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   port_share_host = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   port_share_port = '[UNDEF]'
Nov  8 09:43:12 torrenJail openvpn[51707]:   vlan_tagging = DISABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   vlan_accept = all
Nov  8 09:43:12 torrenJail openvpn[51707]:   vlan_pvid = 1
Nov  8 09:43:12 torrenJail openvpn[51707]:   client = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   pull = ENABLED
Nov  8 09:43:12 torrenJail openvpn[51707]:   auth_user_pass_file = '/configs/vpn-data/user.conf'
Nov  8 09:43:12 torrenJail openvpn[51707]: OpenVPN 2.5.7 amd64-portbld-freebsd12.3 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Oct 21 2022
Nov  8 09:43:12 torrenJail openvpn[51707]: library versions: OpenSSL 1.1.1l-freebsd  24 Aug 2021, LZO 2.10
Nov  8 09:43:12 torrenJail openvpn[51708]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov  8 09:43:13 torrenJail openvpn[51708]: Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Nov  8 09:43:13 torrenJail openvpn[51708]: Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
Nov  8 09:43:13 torrenJail openvpn[51708]: Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-client'
Nov  8 09:43:13 torrenJail openvpn[51708]: Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1571,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA256,keysize 256,key-method 2,tls-server'
Nov  8 09:43:13 torrenJail openvpn[51708]: TCP/UDP: Preserving recently used remote address: [AF_INET]212.0.0.0:443
Nov  8 09:43:13 torrenJail openvpn[51708]: Socket Buffers: R=[65536->65536] S=[32768->32768]
Nov  8 09:43:13 torrenJail openvpn[51708]: Attempting to establish TCP connection with [AF_INET]212.0.0.0:443 [nonblock]
Nov  8 09:43:13 torrenJail openvpn[51708]: TCP connection established with [AF_INET]212.0.0.0:443
Nov  8 09:43:13 torrenJail openvpn[51708]: TCP_CLIENT link local: (not bound)
Nov  8 09:43:13 torrenJail openvpn[51708]: TCP_CLIENT link remote: [AF_INET]212.0.0.0:443
Nov  8 09:43:13 torrenJail openvpn[51708]: TLS: Initial packet from [AF_INET]212.0.0.0:443, sid=360a5683 51b99176
Nov  8 09:43:13 torrenJail openvpn[51708]: VERIFY OK: depth=1, C=RO, L=Bucharest, O=CyberGhost S.A., CN=CyberGhost Root CA, emailAddress=info@cyberghost.ro
Nov  8 09:43:13 torrenJail openvpn[51708]: VERIFY KU OK
Nov  8 09:43:13 torrenJail openvpn[51708]: Validating certificate extended key usage
Nov  8 09:43:13 torrenJail openvpn[51708]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Nov  8 09:43:13 torrenJail openvpn[51708]: VERIFY EKU OK
Nov  8 09:43:13 torrenJail openvpn[51708]: VERIFY OK: depth=0, CN=dallas-rack409.nodes.gen4.ninja
Nov  8 09:43:14 torrenJail openvpn[51708]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1555'
Nov  8 09:43:14 torrenJail openvpn[51708]: WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Nov  8 09:43:14 torrenJail openvpn[51708]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
Nov  8 09:43:14 torrenJail openvpn[51708]: [dallas-rack409.nodes.gen4.ninja] Peer Connection Initiated with [AF_INET]212.0.0.0:443
Nov  8 09:43:14 torrenJail openvpn[51708]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,route-ipv6 2000::/3,dhcp-option DNS 10.0.0.243,route-gateway 10.16.5.1,topology subnet,ifconfig 10.16.5.216 255.255.255.0,peer-id 0'
Nov  8 09:43:14 torrenJail openvpn[51708]: WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: --ifconfig/up options modified
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: route options modified
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: route-related options modified
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: peer-id set
Nov  8 09:43:14 torrenJail openvpn[51708]: OPTIONS IMPORT: adjusting link_mtu to 1626
Nov  8 09:43:14 torrenJail openvpn[51708]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov  8 09:43:14 torrenJail openvpn[51708]: Outgoing Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov  8 09:43:14 torrenJail openvpn[51708]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Nov  8 09:43:14 torrenJail openvpn[51708]: Incoming Data Channel: Using 256 bit message hash 'SHA256' for HMAC authentication
Nov  8 09:43:14 torrenJail openvpn[51708]: ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair0b HWADDR=02:0e:c6:57:0d:2d
Nov  8 09:43:14 torrenJail openvpn[51708]: GDG6: remote_host_ipv6=n/a
Nov  8 09:43:14 torrenJail openvpn[51708]: GDG6: problem writing to routing socket: No such process (errno=3)
Nov  8 09:43:14 torrenJail openvpn[51708]: ROUTE6: default_gateway=UNDEF
Nov  8 09:43:14 torrenJail openvpn[51708]: TUN/TAP device /dev/tun0 opened
Nov  8 09:43:14 torrenJail openvpn[51708]: do_ifconfig, ipv4=1, ipv6=0
Nov  8 09:43:14 torrenJail openvpn[51708]: /sbin/ifconfig tun0 10.16.5.216 10.16.5.1 mtu 1500 netmask 255.255.255.0 up
Nov  8 09:43:14 torrenJail openvpn[51708]: /sbin/route add -net 10.16.5.0 10.16.5.1 255.255.255.0
Nov  8 09:43:14 torrenJail openvpn[51708]: /configs/update-resolv-conf/update-resolv-conf.sh tun0 1500 1626 10.16.5.216 255.255.255.0 init
Nov  8 09:43:19 torrenJail openvpn[51708]: /sbin/route add -net 212.0.0.0 192.168.0.1 255.255.255.255
Nov  8 09:43:19 torrenJail openvpn[51708]: /sbin/route add -net 0.0.0.0 10.16.5.1 128.0.0.0
Nov  8 09:43:19 torrenJail openvpn[51708]: /sbin/route add -net 128.0.0.0 10.16.5.1 128.0.0.0
Nov  8 09:43:19 torrenJail openvpn[51708]: WARNING: OpenVPN was configured to add an IPv6 route. However, no IPv6 has been configured for tun0, therefore the route installation may fail or may not work as expected.
Nov  8 09:43:19 torrenJail openvpn[51708]: add_route_ipv6(2000::/3 -> :: metric -1) dev tun0
Nov  8 09:43:19 torrenJail openvpn[51708]: /sbin/route add -inet6 2000::/3 -iface tun0
Nov  8 09:43:19 torrenJail openvpn[51708]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov  8 09:43:19 torrenJail openvpn[51708]: Initialization Sequence Completed
Nov  8 09:44:58 torrenJail openvpn[51708]: [ACTUAL.VPN.SUBHOST.com] Inactivity timeout (--ping-exit), exiting
Nov  8 09:44:58 torrenJail openvpn[51708]: TCP/UDP: Closing socket
Nov  8 09:44:58 torrenJail openvpn[51708]: /sbin/route delete -net 212.0.0.0 192.168.0.1 255.255.255.255
Nov  8 09:44:58 torrenJail openvpn[51708]: /sbin/route delete -net 0.0.0.0 10.16.5.1 128.0.0.0
Nov  8 09:44:58 torrenJail openvpn[51708]: /sbin/route delete -net 128.0.0.0 10.16.5.1 128.0.0.0
Nov  8 09:44:58 torrenJail openvpn[51708]: delete_route_ipv6(2000::/3)
Nov  8 09:44:58 torrenJail openvpn[51708]: /sbin/route delete -inet6 2000::/3 -iface tun0
Nov  8 09:44:58 torrenJail openvpn[51708]: Closing TUN/TAP interface
Nov  8 09:44:58 torrenJail openvpn[51708]: /sbin/ifconfig tun0 destroy
Nov  8 09:44:58 torrenJail openvpn[51708]: /configs/update-resolv-conf/update-resolv-conf.sh tun0 1500 1626 10.16.5.216 255.255.255.0 init
Nov  8 09:44:58 torrenJail openvpn[51708]: SIGTERM[soft,ping-exit] received, process exiting
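An added triage script for the log above (my own code, not from this thread or from OpenVPN): it parses the syslog lines, reads the ping settings the parent process printed, measures how long the tunnel lived between "Initialization Sequence Completed" and the ping-exit, and pulls out the startup warnings that matter for hardening (the world-readable client.key and user.conf, the cached password, the deprecated cipher negotiation and the link-mtu mismatch). The sample is a constructed subset of the posted log; the function names and finding labels are my own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the jail's /var/log/messages lines from this
# thread (pid 51707 is the parent that parsed the config, 51708 the daemonised child).
LOG = """\
Nov  8 09:43:12 torrenJail openvpn[51707]: DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6
Nov  8 09:43:12 torrenJail openvpn[51707]: WARNING: file 'client.key' is group or others accessible
Nov  8 09:43:12 torrenJail openvpn[51707]: WARNING: file '/configs/vpn-data/user.conf' is group or others accessible
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_send_timeout = 5
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_rec_timeout = 60
Nov  8 09:43:12 torrenJail openvpn[51707]:   ping_rec_timeout_action = 1
Nov  8 09:43:13 torrenJail openvpn[51708]: TCP connection established with [AF_INET]212.0.0.0:443
Nov  8 09:43:14 torrenJail openvpn[51708]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1571', remote='link-mtu 1555'
Nov  8 09:43:19 torrenJail openvpn[51708]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov  8 09:43:19 torrenJail openvpn[51708]: Initialization Sequence Completed
Nov  8 09:44:58 torrenJail openvpn[51708]: [ACTUAL.VPN.SUBHOST.com] Inactivity timeout (--ping-exit), exiting
Nov  8 09:44:58 torrenJail openvpn[51708]: SIGTERM[soft,ping-exit] received, process exiting
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ openvpn\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Hardening findings a reviewer would pull out of the startup warnings (my labels).
FLAGS = (
    ("group or others accessible", "credential file readable by other users"),
    ("cache passwords in memory", "auth-nocache not set; password kept in process memory"),
    ("ncp-disable", "cipher negotiation disabled (deprecated)"),
    ("used inconsistently", "client/server option mismatch"),
)


def parse_log(text):
    """Return [(timestamp, pid, message)] for the openvpn lines in a syslog excerpt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, int(m["pid"]), m["msg"].strip()))
    return events


def session_summary(events):
    """Pull out the ping settings, the tunnel lifetime and every warning."""
    settings, warnings, t_up, t_down = {}, [], None, None
    for ts, _pid, msg in events:
        m = re.match(r"(ping_send_timeout|ping_rec_timeout) = (\d+)$", msg)
        if m:
            settings[m.group(1)] = int(m.group(2))
        elif msg == "Initialization Sequence Completed":
            t_up = ts
        elif "Inactivity timeout" in msg and "ping-exit" in msg:
            t_down = ts
        elif msg.startswith(("WARNING:", "DEPRECATED OPTION:")):
            warnings.append(msg)
    lifetime = None if t_up is None or t_down is None else int((t_down - t_up).total_seconds())
    return {"settings": settings, "lifetime_s": lifetime, "warnings": warnings}


def classify(warnings):
    """Map raw warning text to the finding labels in FLAGS (unmatched warnings are dropped)."""
    labels = []
    for w in warnings:
        for needle, label in FLAGS:
            if needle in w:
                labels.append(label)
                break
    return labels


def inactivity_verdict(summary):
    """True when the session outlived ping_rec_timeout and then died of ping-exit,
    i.e. nothing at all was heard from the peer for a whole timeout window."""
    rec = summary["settings"].get("ping_rec_timeout")
    life = summary["lifetime_s"]
    return rec is not None and life is not None and life >= rec


if __name__ == "__main__":
    s = session_summary(parse_log(LOG))
    print("lifetime: %ss  settings: %s" % (s["lifetime_s"], s["settings"]))
    print("ping-exit after a full silent window:", inactivity_verdict(s))
    for label in classify(s["warnings"]):
        print("finding:", label)
```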
 

FindingFilene

As a note, I do see the connection to the remote host on my active connections page of the router. I have no idea why I'm not getting responses. o_o
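An added check for the jail routing table posted above (my own code, not from this thread or from OpenVPN): it parses the FreeBSD `netstat -r` output, verifies the state that `redirect-gateway def1` should leave behind (both half-default routes via tun0, a /32 host route for the VPN server via the LAN gateway, and the LAN default still present for that host route to use), and shows by longest-prefix match which interface a packet to an arbitrary internet address would leave on, both while the tunnel is up and after OpenVPN deletes its routes on ping-exit. The function names and the 203.0.113.10 probe address (a TEST-NET-3 address) are my own.

```python
import ipaddress

# Constructed sample: the jail's IPv4 routing table from this thread, as
# `netstat -r` printed it while the OpenVPN tunnel was up.
NETSTAT_UP = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.16.5.1          UGS        tun0
default            192.168.0.1        UGS     epair0b
10.16.5.0/24       10.16.5.1          UGS        tun0
10.16.5.1          link#4             UH         tun0
10.16.5.216        link#4             UHS         lo0
localhost          link#1             UH          lo0
128.0.0.0/1        10.16.5.1          UGS        tun0
192.168.0.0/24     link#3             U       epair0b
192.168.0.4        link#3             UHS         lo0
212.0.0.0/32       192.168.0.1        UGS     epair0b

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
"""


def parse_routes(text):
    """Return [(network, gateway, flags, netif)] for the IPv4 section only."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            break
        if not in_v4 or line.startswith("Destination") or not line.strip():
            continue
        dest, gw, flags, netif = line.split()[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif dest == "localhost":
            net = ipaddress.ip_network("127.0.0.1/32")
        else:
            net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        routes.append((net, gw, flags, netif))
    return routes


def egress_for(routes, dst):
    """Longest-prefix match: the (netif, gateway) that would carry a packet to dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, _flags, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return None if best is None else (best[2], best[1])


def check_vpn_routing(routes, vpn_if="tun0", lan_gw="192.168.0.1"):
    """Verify the state 'redirect-gateway def1' leaves behind: both half-default
    routes via the tunnel, a /32 host route to the VPN server via the LAN gateway
    (so the encrypted outer connection is not itself routed into the tunnel), and
    the LAN default route still present for that host route to use."""
    findings = []
    halves = {str(n) for n, _, _, i in routes if i == vpn_if and n.prefixlen == 1}
    if halves != {"0.0.0.0/1", "128.0.0.0/1"}:
        findings.append("half-default routes via %s incomplete: %s" % (vpn_if, sorted(halves)))
    if not any(n.prefixlen == 32 and gw == lan_gw and i != vpn_if
               for n, gw, _, i in routes):
        findings.append("no /32 host route to the VPN server via %s" % lan_gw)
    if not any(n.prefixlen == 0 and gw == lan_gw for n, gw, _, _ in routes):
        findings.append("LAN default route via %s missing" % lan_gw)
    return findings


def without_interface(routes, netif):
    """Simulate the table after OpenVPN deletes its tunnel routes on ping-exit."""
    return [r for r in routes if r[3] != netif]


if __name__ == "__main__":
    up = parse_routes(NETSTAT_UP)
    probe = "203.0.113.10"  # TEST-NET-3 address, stands in for "the internet"
    print("tunnel up:  ", check_vpn_routing(up) or "ok", egress_for(up, probe))
    down = without_interface(up, "tun0")
    print("tunnel down:", check_vpn_routing(down), egress_for(down, probe))
```

With the tunnel down the probe address falls through to the LAN default route, which is exactly the state the uid-based ipfw deny rule in the first post is meant to catch.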
 

Volts

Everything about that looks very normal, including that it's an OpenVPN connection that comes up and then fails for no obvious reason. OpenVPN itself says "can't communicate across the VPN, disconnecting".

My first conclusion isn't that there's a FreeBSD/TrueNAS problem, but that OpenVPN is annoying to debug.

How did you create the OpenVPN config files? Download them from CyberGhost?

(Do they happen to support Wireguard?)
 

FindingFilene

So, yeah. I did download those from CyberGhost. I just canceled my subscription. For those of you curious why, here's one reason, but not all:

Meanwhile, with another VPN provider I'm using, I'm going to start a new thread, @Volts. This is for my original problem, where traffic doesn't go out the VPN like I expect it to.
 