Tunables inside TrueNAS Scale - Need to modify rc.conf for OpenVPN server access to local network

DaSnipe

Explorer
Joined
Jun 26, 2021
Messages
86
Hi everyone,

I'm setting up OpenVPN on my TrueNAS SCALE box; it works great to ping the TrueNAS box and access the web GUI. However, my use for OpenVPN would be to access the subnet behind the router (using the ISP one for now, I don't have a dedicated box or pfSense) and other computers/devices.

There are a couple of great guides built for CORE (https://www.truenas.com/community/t...ocumentation-for-openvpn-on-truenas-12.92768/) and videos on YouTube (https://www.youtube.com/watch?v=YEkfW4aC9Rk&t=1226s), which are great, but SCALE doesn't have a tunables section for rc.conf. I know I can modify sysctl but not rc.conf tunables to modify the firewall and gateway, since I'd need to modify the following options:

Tunables:
firewall_enable
firewall_type
gateway_enable
natd_enable
natd_interface
natd_flags -dynamic -m

In order to route the traffic set up in the additional parameters of the OpenVPN server:
Additional Parameters:
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

Is there a way to do this in SCALE?

I know I can run a VM bridge that to my local network (with or without OpenVPN) but I'd love to use the built-in SCALE VPN server to access all my network.
 

aadje93

Explorer
Joined
Sep 25, 2015
Messages
60
system settings -> advanced -> tunables
 

wahlstedtw

Cadet
Joined
Nov 3, 2021
Messages
2
I have the same Issue as DaSnipe. There is no tunables option in TrueNAS Scale. Do we know if this will be added?
 

LarsR

Guru
Joined
Oct 23, 2020
Messages
719
I think the equivalent of tunables in SCALE is the sysctl menu item under System Settings -> Advanced.
 

ruiloba

Cadet
Joined
Apr 10, 2022
Messages
1
1) You need to create a directory to hold a file with the firewall rule, so that it is persistent between restarts.
Open the console (I already have a directory for FW rules):

cd /mnt/sistema/firewall

Edit a file for the rule (format: ip saddr (VPN_address) oif "(LAN_interface)" snat to (LAN_NAS_IP_address))

vi nftables_nat

INSERT

Code:
#!/usr/sbin/nft -f


table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.20.0.0/24 oif "eno1" snat to 192.168.1.4
        }
}


Save and leave the editor:

:wq!

Set the permissions:

chmod 755 nftables_nat

We're done with the console:

exit

2) Enable IPv4 forwarding in the kernel.
Go to the NAS management website and open

System Settings -> Advanced -> sysctl

press

Add

Insert

Variable net.ipv4.ip_forward
Value 1
Description net.ipv4.ip_forward
Enabled Marked

press

SAVE

3) Enable the firewall.
Go to

System Settings -> Advanced -> Init/Shutdown Scripts

press

Add

Insert

Description enable nftables
Type Command
Command systemctl enable nftables
When Post Init
Enabled Marked
Timeout 10

press

SAVE

4) Activate the firewall.
Press

Add

Insert

Description start nftables
Type Command
Command systemctl start nftables
When Post Init
Enabled Marked
Timeout 10

press

SAVE

5) Insert the NAT rules.
Press

Add

Insert

Description nftables nat rules
Type Command
Command nft -f /mnt/sistema/firewall/nftables_nat
When Post Init
Enabled Marked
Timeout 10

press

SAVE

You have to restart the NAS for the changes to take effect.

Testing the firewall service from the console:

root@NAS[~]# systemctl status nftables
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor pres>
Active: active (exited) since Mon 2022-04-11 00:15:36 CEST; 38min ago
Docs: man:nft(8)
http://wiki.nftables.org
Main PID: 653 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 18401)
Memory: 0B
CGroup: /system.slice/nftables.service

Apr 11 00:15:36 NAS.local systemd[1]: Finished nftables.
Warning: journal has been rotated since unit was started, output may be incompl>

root@NAS[~]# nft -a list table ip nat
table ip nat { # handle 5
chain postrouting { # handle 1
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.20.0.0/24 oif "eno1" snat to 192.168.1.4 # handle 2
}
}

Enjoy!
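The three things the steps above put in place (net.ipv4.ip_forward set to 1, the nftables unit enabled, the SNAT rule loaded in table ip nat) are exactly what to verify when a client connects but cannot reach the LAN, as the later replies describe. The script below is an added example, not code from the thread: it renders the rule file from parameters and evaluates the three checks from captured command output, so the logic can be exercised offline; the function names and the sample nft dump are constructed, and the live check assumes it is run as root on the NAS.

```shell
#!/bin/sh
# Added example (not from the thread). Renders ruiloba's nftables NAT ruleset from
# parameters and preflight-checks the routing prerequisites.

# Render the ruleset file. Arguments: VPN subnet, LAN interface, NAS LAN IP.
render_nat_ruleset() {
    printf '#!/usr/sbin/nft -f\n\ntable ip nat {\n\tchain postrouting {\n'
    printf '\t\ttype nat hook postrouting priority srcnat; policy accept;\n'
    printf '\t\tip saddr %s oif "%s" snat to %s\n\t}\n}\n' "$1" "$2" "$3"
}

# Evaluate the three conditions from captured output (testable offline).
# Arguments: ip_forward value, `systemctl is-enabled nftables` output,
# `nft list table ip nat` output, VPN subnet, LAN interface, NAS LAN IP.
# Prints one line per failed check; returns the number of failures (0 = all good).
check_vpn_routing() {
    fwd=$1; enabled=$2; dump=$3; vpn_net=$4; lan_if=$5; nas_ip=$6
    fails=0
    [ "$fwd" = 1 ] || { echo "FAIL net.ipv4.ip_forward is '$fwd', expected 1"; fails=$((fails+1)); }
    [ "$enabled" = enabled ] || { echo "FAIL nftables unit is '$enabled', expected enabled"; fails=$((fails+1)); }
    # -F: match the rule text literally so the dots in the addresses are not wildcards.
    if ! printf '%s\n' "$dump" | grep -Fq "ip saddr $vpn_net oif \"$lan_if\" snat to $nas_ip"; then
        echo "FAIL no SNAT rule for $vpn_net via $lan_if to $nas_ip in table ip nat"
        fails=$((fails+1))
    fi
    return "$fails"
}

# Gather the live values on the NAS (run as root) and evaluate them.
check_vpn_routing_live() {
    check_vpn_routing "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" \
        "$(systemctl is-enabled nftables 2>/dev/null)" \
        "$(nft list table ip nat 2>/dev/null)" "$1" "$2" "$3"
}

# Constructed sample mirroring the `nft -a list table ip nat` output in the thread.
SAMPLE_NAT_DUMP='table ip nat { # handle 5
	chain postrouting { # handle 1
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.20.0.0/24 oif "eno1" snat to 192.168.1.4 # handle 2
	}
}'

# Usage on the NAS:  sh preflight.sh 10.20.0.0/24 eno1 192.168.1.4
if [ $# -eq 3 ]; then
    check_vpn_routing_live "$1" "$2" "$3" && echo "OK: forwarding, nftables unit and SNAT rule all in place"
fi
```

Before loading a rendered file, `nft -c -f nftables_nat` checks its syntax without applying it.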
 

Saverix98

Cadet
Joined
Apr 12, 2022
Messages
1
Hi, I tried to follow these steps but my OpenVPN is not working. I’m able to connect to my OpenVPN server but I can’t go on Internet and I can’t access my server services like Nextcloud. What’s wrong? Can you help me?
 

DaSnipe

Explorer
Joined
Jun 26, 2021
Messages
86
Nice, more resources are great.

I currently use TrueCharts docker-compose along with WireGuard (WG-easy) since it’s a lot easier to manage users/generate config files
 

Vincent_D

Cadet
Joined
Jul 9, 2021
Messages
8
Hello everyone. I also have a problem like this. I can connect to the TrueNAS server and my apps such as qBittorrent, Transmission and Emby with my phone outside my network. I also have the same public IP address on my phone as on my server.
But I don't have access to the internet. The parameters I am using are these:

push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"


I also have set the OpenVPN server address and static route to 192.168.2.0

*EDIT - I just deleted the push "redirect-gateway def1 bypass-dhcp" and then I had access to my LAN and the internet, but with different public IP addresses on the server and on the phone.
 

rs_taylor

Explorer
Joined
Jan 28, 2013
Messages
53
The line you removed means you are using your VPN client's existing gateway to access the Internet, not the VPN server and its gateway.
When you had the gateway redirected to the VPN server, it was NOT routing you correctly.

I had the same issue, could never get the VPN server to route traffic at all, but as I only needed access to the shares and apps on the TrueNAS SCALE/VPN server's single IP (all apps are on its ports, not their own IPs) and didn't want to use the remote location's Internet anyway (to fool Netflix, for example), I took out all routing (no static routes, tunables/init variables etc.). I only have the certs to get OpenVPN connected and 3 lines in the Additional Parameters of the VPN Server service config:

push "route 192.168.31.0 255.255.255.0" - The network of the TrueNAS/OpenVPN server.
duplicate-cn - Without this, each device I connected via VPN was given the same IP; no idea why, but this fixed that.
keepalive 10 60 - Keeps the connection up when not used constantly.

Works great for me.
 