Unable to download Client Config from OpenVPN Server

seblin

Cadet
Joined
Nov 22, 2022
Messages
2
I get a KeyError when I try to download the Client Certificate with the [Download Client Config] button.
The error does not give me any hints on what's going wrong.

The overall scope is that I want to set up a VPN server on my TrueNAS Scale instance so I don't have to expose the GUI to the internet with ports.
I have a static IP address, added port forward to the VPN server and downloaded the OpenVPN app.

Is there any remedy for this issue with downloading the Client certificate?

I'm on the Bluefin version TrueNAS-SCALE-22.12-RC.1

 

deeJayUA

Cadet
Joined
Dec 17, 2022
Messages
3
Hi there,
Got the same problem. Maybe there is a way to create the client config file manually?

Did you find any solution? Thanks.
 

seblin

Cadet
Joined
Nov 22, 2022
Messages
2
Unfortunately, I have not. But I installed truecharts wireguard and it works out of the box, very happy with it actually.
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Just migrated from Core and I have the same issue. Probably a bug? I had OpenVPN server set up on my previous Core setup and I have followed the exact same guide for Scale to no avail.
 

deeJayUA

Cadet
Joined
Dec 17, 2022
Messages
3
Hi there,
I guess I will give it a try. Need a temporary solution anyway.
Thanks
 

deeJayUA

Cadet
Joined
Dec 17, 2022
Messages
3
Looks like it's a bug. Well, they are in BETA still, I think. It will be fixed eventually.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
As the ticket says, it's in 22.12.1
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I don't think so, but in doubt, you can see if you're offered the update in TrueNAS' GUI. I'm not following the roadmap, but someone else may have a link handy.
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Was there a fix for this yet? I'm running into the same issue right now!
According to the roadmap it looks like it's coming in early February. Even so (I could be mistaken), the fix offered in the ticket above just leads to another error detailed in this ticket. I ended up just manually creating my client config file and everything works just fine.
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thanks for the reply. Could you assist me in creating the client config file manually? I'm shocked I've even gotten as far as I have, no way I figure out how to create the file myself lol!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Figure I should offer a little more instruction since OpenVPN instructions for Scale seem to be few and far between. I am by no means a network security expert so some of what I say could be incorrect, but it's what works for my setup:

First of all, in the server certificate and all client certificates the 'Common Name' field must be filled out, but for multiple clients each common name should be different. For example, my laptop client just has 'laptop' in the common name and my desktop just has 'desktop'. To connect multiple clients with the same common name, the line 'duplicate-cn' must be in the additional parameters field in the OpenVPN Server Service, but this seems like a slight security risk and relatively easy to avoid.

For the config, this is the setup that works for me:

client
dev tun
proto **tcp OR udp**
remote **DDNS/PUBLIC IP** **PORT NUMBER**
# e.g. for the previous line: fakeserver.ddns.ip 1194
user nobody
group nobody
persist-key
persist-tun
<ca>
**PASTE ROOT CERTIFICATE HERE**
</ca>
<cert>
**PASTE CLIENT CERTIFICATE HERE**
</cert>
<key>
**PASTE CLIENT PRIVATE KEY HERE**
</key>
verb 3
remote-cert-tls server
auth **AUTHENTICATION ALGORITHM CHOSEN IN SERVER SERVICE**
cipher **CIPHER CHOSEN IN SERVER SERVICE**
<tls-crypt>
**PASTE TLS CRYPT AUTH HERE**
</tls-crypt>

For the keys that need to be pasted, they can be found by clicking on the root/client certificate in the GUI then clicking 'view/download certificate' or 'view/download key'. These are to be just pasted into the config as-is (there's a copy key button). The tls crypt auth is found in the OpenVPN Server Service and is also to be pasted as-is. If it's not showing up, click save then reopen the service and it should be there.

Again, I'm completely a novice and less qualified than most of the users on here so take this with a grain of salt, but it's what works for me.
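
A pre-import check for a hand-assembled profile like the one above, as an added example that is not part of the original post. It assumes the inline layout of that template; the function names, the sample host name and the stand-in key bodies are constructed for illustration.

```python
import re

# Inline blocks from the post's template and the marker each pasted body must contain.
BLOCKS = {
    "ca": "-----BEGIN CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----",
    "key": "PRIVATE KEY-----",
    "tls-crypt": "-----BEGIN OpenVPN Static key V1-----",
}
# Directives the post's template sets (auth and cipher must match the server service).
REQUIRED = ("client", "dev", "proto", "remote", "remote-cert-tls", "auth", "cipher")

def lint_ovpn(text):
    """Return a list of problems found in an inline .ovpn client profile."""
    problems = []
    if "**" in text:
        problems.append("unfilled ** placeholder left in profile")
    bodies = {}
    def grab(match):  # remember each <tag>...</tag> body, drop it from the directives
        bodies[match.group(1)] = match.group(2)
        return ""
    rest = re.sub(r"<([\w-]+)>(.*?)</\1>", grab, text, flags=re.S)
    for tag, marker in BLOCKS.items():
        if tag not in bodies:
            problems.append(f"missing or unclosed <{tag}> block")
        elif marker not in bodies[tag]:
            problems.append(f"<{tag}> does not contain {marker!r}")
    directives = {}
    for line in rest.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, args = line.partition(" ")
            directives[name] = args.split()
    for name in REQUIRED:
        if name not in directives:
            problems.append(f"missing directive: {name}")
    if directives.get("remote-cert-tls", ["server"]) != ["server"]:
        problems.append("remote-cert-tls should be 'server' in a client profile")
    return problems

def pem(label):  # constructed stand-in for real PEM material
    return f"-----BEGIN {label}-----\nAAAA\n-----END {label}-----"
# Constructed sample profile; host name, algorithms and key bodies are placeholders.
SAMPLE = "\n".join(
    ["client", "dev tun", "proto udp", "remote vpn.example.net 1194",
     "remote-cert-tls server", "auth SHA256", "cipher AES-256-GCM"]
    + [f"<{t}>\n{pem(l)}\n</{t}>" for t, l in (
        ("ca", "CERTIFICATE"), ("cert", "CERTIFICATE"),
        ("key", "PRIVATE KEY"), ("tls-crypt", "OpenVPN Static key V1"))])
```

The finished file embeds the client private key and the tls-crypt key, so it should be stored and transferred like any other credential.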
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you so much for all this information. I am having an issue though. When I edit the config file and try to save it, it keeps wanting to save as .txt. How can I save it as .ovpn?
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
On a Mac, right click, get info, then under name and extension delete the .txt. Definitely possible on a Windows machine too but I don't know all the steps off the top of my head.
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you! I found it. I just downloaded Notepad++ and got it to work.

So I got the laptop connected to the VPN using my phone as a hotspot to "imitate" being off site. The OpenVPN GUI shows connected but I am not able to access my TrueNAS webUI or my TrueNAS network drives. If I ping my DNS with Command Prompt (Windows) it returns with 100% fail.

I am able to surf the web and use the internet as normal, just unable to connect to my drives.

Any idea?
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
It really depends on your setup. I'd first make sure your VPN subnet (what you put under 'server' in the OpenVPN Server service) is different from whatever IP addresses your hotspot is giving. You can do this by typing 'ipconfig' into Windows Command Prompt while connected to the hotspot.

Also, can you ping your TrueNAS machine through the command prompt? I think that's a good starting point for troubleshooting.

You're probably able to connect to the internet from your hotspot network rather than through the VPN. To route all internet traffic through the VPN you need to include the line 'push "redirect-gateway def1 bypass-dhcp"' into your additional parameters in the server service. For reference, my 'additional parameters' section looks like this:

Code:
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"


In the first line, 10.0.0.0/24 is my home network and what I'm trying to access through the VPN.
The second line routes all traffic through the VPN.
Since you're routing all internet through your TrueNAS system, you need to specify DNS server(s). You can add as many as you want and I think the OpenVPN connect app automatically chooses 8.8.8.8, but it's good to include just to be sure.

I used this video for the rest of the configuration.

I would go off of the guide in the video because it's mostly beyond my understanding. Remember to restart TrueNAS after so the changes are applied.
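
The subnet comparison suggested above can be scripted; the following is an added example, not part of the original post. It parses the three `push` lines quoted in the post and compares them with the network the client is sitting on. The VPN subnet `10.8.0.0/24` and the client networks used in the test values are assumptions, as are the function names.

```python
import ipaddress
import shlex

# The 'additional parameters' quoted in the post.
PARAMS = '''push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
'''

def parse_pushes(additional_params):
    """Extract pushed routes, DNS servers and the redirect-gateway flag."""
    routes, dns, redirect = [], [], False
    for line in additional_params.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) != 2 or words[0] != "push":
            continue
        opt = words[1].split() or [""]
        if opt[0] == "route" and len(opt) >= 3:
            # "route <network> <netmask>" becomes a network object
            routes.append(ipaddress.ip_network(f"{opt[1]}/{opt[2]}"))
        elif opt[0] == "redirect-gateway":
            redirect = True
        elif opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
            dns.append(ipaddress.ip_address(opt[2]))
    return routes, dns, redirect

def check(vpn_subnet, additional_params, client_lan):
    """Return findings for a client currently on client_lan (from ipconfig)."""
    vpn = ipaddress.ip_network(vpn_subnet)
    lan = ipaddress.ip_network(client_lan)
    routes, dns, redirect = parse_pushes(additional_params)
    findings = []
    if vpn.overlaps(lan):
        findings.append(f"VPN subnet {vpn} overlaps client network {lan}")
    for route in routes:
        if route.overlaps(lan):
            findings.append(f"pushed route {route} overlaps client network {lan}")
    if redirect and not dns:
        # The post's advice: push a DNS server when redirecting all traffic.
        findings.append("redirect-gateway pushed without a DNS server")
    return findings
```

An overlap finding means the client already treats those addresses as local, so traffic for the home network never enters the tunnel even though the VPN shows as connected.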
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you again for your help. I will try this when I get home shortly.
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Forgot 1 thing: if you follow the linked video and have apps installed in Kubernetes, there will be a plethora of errors that show up under Alerts in the GUI. Not to worry as these can just be ignored according to this post.
 