6 minute read.Last Modified 2021-04-02 09:29 EDT
A virtual private network (VPN) is an extension of a private network over public resources. It allows clients to securely connect to a private network even when they are remotely using a public network. TrueNAS provides OpenVPN as a system level service to provide VPN Server or Client functionality. This means TrueNAS can act as a primary VPN server to allow remote clients access to data stored on the system using a single TCP or UDP port. Alternately, TrueNAS can integrate into a private network, even when the system is in a separate physical location or only has access to publicly visible networks.
Before configuring TrueNAS as either an OpenVPN Server or Client, you will need an existing public key infrastructure (PKI) with Certificates and Certificate Authorities created in or imported to TrueNAS.
The general process to configure OpenVPN (server or client) on TrueNAS is to select the networking credentials, set the connection details, and choose any additional security or protocol options.
Go to the Services page and find the OpenVPN Client entry. Click the edit to configure the service.
Choose the certificate to use as an OpenVPN client. This certificate must exist in TrueNAS and be in an active (unrevoked) state. Enter the host name or IP address of the Remote OpenVPN server.
Continue to review and choose any other Connection Settings that fit with your network environment and performance requirements. The Device Type must match with the OpenVPN server Device Type. Nobind prevents using a fixed port for the client. By default, this is enabled to allow the OpenVPN client and server to run concurrently.
Finally, review the Security Options and choose settings that meet your network security requirements. When the OpenVPN server is using TLS Encryption, copy the static TLS encryption key and paste into the TLS Crypt Auth field.
Go to the Services page and find the OpenVPN Server entry. Click the edit to configure the service.
Choose a Server Certificate for this OpenVPN server. The certificate must both exist on the TrueNAS system and be in an active (unrevoked) state.
Now define a IP address and netmask for the OpenVPN Server. Continue to choose the remaining Connection Settings that fit with your network environment and performance requirements. When a TUN Device Type is selected, you can choose a virtual addressing Topology for the server:
- NET30: Use one /30 subnet per client in a point-to-point topology. Designed for use when connecting clients are Windows systems.
- P2P: Point-to-point topology that points the local server and remote client endpoints to each other. Each client is given one IP address. This is only recommmended when none of the clients are a Windows system.
- SUBNET: the interface uses an IP address and subnet. Each client is given one IP address. Windows clients require the TAP-Win32 driver version 8.2 or newer. TAP devices always use the SUBNET Topology.
The Topology selection is automatically applied to any connected clients.
When TLS Crypt Auth Enabled is set, TrueNAS generates a static key for the TLS Crypt Auth field after saving the options. To change this key, click RENEW STATIC KEY. This key is required for any clients connecting to the server. Keys are stored in the system database and are automatically included in a generated client config file, but a good practice is to back up keys in a secure location.
Finally, review the Security Options and choose settings that meet your network security requirements.
After configuring and saving your OpenVPN Server, generate client configuration files for importing to any OpenVPN client systems that are connecting to this server. You need the certificate from the client system already imported on the system. To generate the configuration file, click DOWNLOAD CLIENT CONFIG and select the Client Certificate.
The Additional Parameters field manually sets any of the core OpenVPN config file options. See the OpenVPN Reference Manual for descriptions of each option.
- Root CA: The Certificate Authority (CA) must be the root CA that was used to sign the Client and Server certificates.
- Port: This is the port that will be used for the OpenVPN connection.
- Compression: Choose a compression algorithm for traffic. Leave the field empty for data to be sent uncompressed. LZO is a standard compression algorithm that is backwards compatible with previous (pre-2.4) versions of OpenVPN. LZ4 is a newer option that is typically faster with less system resources required.
- Protocol: Choose between UDP or TCP protocols for OpenVPN.
UDP sends packets in a continuous stream while TCP sends packets sequentially.
UDP is generally faster and less strict about dropped packets than TCP.
To force the connection to be IPv4 or IPv6, choose one of the
6UDP or TCP options.
- Device Type: use a TUN or TAP virtual networking device and layer with OpenVPN. This must be identical between the OpenVPN Server and any clients.
Because using a VPN involves connecting to a private network while still sending data over less secure public resources, OpenVPN includes several security options. While not required, these security options help protect the data being sent into or out of the private network.
- Authentication Algorithm: This is used to validate packets that are sent over the network connection. Your network environment might require a specific algorithm. If no specific algorithm is required, SHA1 HMAC is a good standard algorithm to use.
- Cipher: This is an algorithm to encrypt data packets sent through the connection. While not required, choosing a Cipher can increase connection security. You might need to verify which ciphers are required for your networking environment. If there are no specific cipher requirements, AES-256-GCM is a good default choice.
- TLS Encryption: When TLS Crypt Auth Enabled is set, all TLS handshake messages are encrypted to add another layer of security. This requires a static key that is shared between OpenVPN server and clients.
When finished configuring the Server or Client service, click SAVE. Start the service by clicking the related toggle in Services. To check the current state of the service, hover over the toggle.
Setting Start Automatically means the service starts whenever TrueNAS completes booting and the network and data pools are running.