
OpenVPN Screen

  5 minute read.

Last Modified 2022-05-11 11:36 EDT

There are two OpenVPN services on TrueNAS, configured on the OpenVPN Client and OpenVPN Server screens.

OpenVPN Client

Use OpenVPN Client to configure the client settings.


General Options

| Setting | Description |
|---|---|
| Client Certificate | Select a valid client certificate from the dropdown list. The option is freenas_default. A certificate must exist on this system, and it must be current and not revoked. Find more about generating certificates and CAs for OpenVPN here. |
| Root CA | Select the root Certificate Authority used to sign the Client and Server certificates. Find more about generating certificates and CAs for OpenVPN here. |
| Remote | Enter a valid IP address or domain name to which OpenVPN connects. |
| Port | Enter a port number to use for the connection. |
| Authentication Algorithm | Select an algorithm to authenticate packets. The dropdown list provides the algorithms to choose from. This is used to validate packets that are sent over the network connection. Your network environment might require a specific algorithm. If no specific algorithm is required, select SHA1 HMAC, which is a good standard algorithm to use. |
| Cipher | Select a cipher algorithm to encrypt data channel packets sent through the connection. While not required, using a cipher increases connection security. Verify whether your networking environment requires a particular cipher; if not, choose AES-256-GCM, which is a good default choice. The dropdown list provides the encryption ciphers to choose from. |
| Compression | Select a compression algorithm from the dropdown list. Dropdown list options are LZO or LZ4. Leave the field empty to send data uncompressed. LZO is the standard compression algorithm that is backwards compatible with previous (pre-2.4) versions of OpenVPN. LZ4 is a newer option that is typically faster and requires fewer system resources. |
| Protocol | Select the protocol to use when connecting with the remote system. Select from the dropdown list options UDP, UDP4, UDP6, TCP, TCP4 or TCP6. Choose UDP or TCP. UDP sends packets in a continuous stream and is generally faster and less strict about dropped packets than TCP. TCP sends packets sequentially. To force the connection to be IPv4 or IPv6, choose the UDP or TCP version with the 4 or 6 respectively. |
| Device Type | Select a virtual network interface from the dropdown list. Options are TUN or TAP. The client and server Device Type must be the same. For information see here. |
| Nobind | Select to enable and prevent binding to a local address and port. Required if running OpenVPN client and server concurrently. |
| TLS Crypt Auth Enabled | Select to enable or clear the checkbox to disable TLS Web Client Authentication. |
| Additional Parameters | Enter any additional parameters for the client. This manually sets any of the core OpenVPN config file options. Refer to the OpenVPN Reference Manual for descriptions of each option. |
| TLS Crypt Auth | All TLS handshake messages are encrypted to add another layer of security. This requires a static key that is shared between OpenVPN server and clients. Enter the static key for authentication/encryption of all control channel packets when tls_crypt_auth_enabled is enabled. |

OpenVPN Server

Use OpenVPN Server to configure the server settings.


Use DOWNLOAD CLIENT CONFIG to generate the certificate file you need from the client system after configuring and saving your OpenVPN server settings.

Use Client Certificate to generate the configuration file you need from the client system already imported on the system.

General Options

| Setting | Description |
|---|---|
| Server Certificate | Select a valid server certificate from the dropdown list. The option is freenas_default. A certificate must exist on this system, and it must be current and not revoked. Find more about generating certificates and CAs for OpenVPN here. |
| Root CA | Select the root Certificate Authority used to sign the Client and Server certificates. Find more about generating certificates and CAs for OpenVPN here. |
| Server | Enter the IP address and netmask of the server. |
| Port | Enter a port number to use for the connection. |
| Authentication Algorithm | Select an algorithm to authenticate packets. The dropdown list provides the algorithms to choose from. Your network environment might require a specific algorithm. If no specific algorithm is required, select SHA1 HMAC, which is a good standard algorithm to use. |
| Cipher | Select a cipher algorithm to encrypt data channel packets sent through the connection. While not required, using a cipher increases connection security. Verify whether your networking environment requires a particular cipher; if not, choose AES-256-GCM, which is a good default choice. The dropdown list provides the encryption ciphers to choose from. |
| Compression | Select a compression algorithm from the dropdown list. Dropdown list options are LZO or LZ4. Leave the field empty to send data uncompressed. LZO is the standard compression algorithm that is backwards compatible with previous (pre-2.4) versions of OpenVPN. LZ4 is a newer option that is typically faster and requires fewer system resources. |
| Protocol | Select the protocol to use when connecting with the remote system. Select from the dropdown list options UDP, UDP4, UDP6, TCP, TCP4 or TCP6. Choose UDP or TCP. UDP sends packets in a continuous stream and is generally faster and less strict about dropped packets than TCP. TCP sends packets sequentially. To force the connection to be IPv4 or IPv6, choose the UDP or TCP version with the 4 or 6 respectively. |
| Device Type | Select a virtual network interface from the dropdown list. Options are TUN or TAP. The client and server Device Type must be the same. For more information see here. |
| Topology | Select to configure virtual addressing topology when running in TUN mode. Dropdown options are NET30, P2P or SUBNET. TAP mode always uses a SUBNET topology. |
| TLS Crypt Auth Enabled | Select to enable or clear the checkbox to disable TLS Web Client Authentication. |
| Additional Parameters | Enter any additional parameters. |
| TLS Crypt Auth | All TLS handshake messages are encrypted to add another layer of security. This requires a static key that is shared between OpenVPN server and clients. When tls_crypt_auth_enabled is enabled and tls_crypt_auth is not provided, a static key is automatically generated to use with OpenVPN client. Enter that key here. |

See Configuring OpenVPN
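
The client and server screens share most of their settings, and the tables above require at least the Device Type and the TLS Crypt Auth static key to agree on both sides. The following added example (not TrueNAS code) compares a server and a client OpenVPN config file and lists the shared settings that differ; both sample configs are constructed, the directive names are standard OpenVPN config options, and the helper names `parse`, `arg` and `audit` are this example's own.

```python
# Added example. Both configs are constructed samples, not TrueNAS output.
SERVER_CONF = """\
port 1194
proto udp
dev tun
auth SHA1
cipher AES-256-GCM
compress lz4
tls-crypt static.key
"""
CLIENT_CONF = """\
remote vpn.example.com 1195
proto tcp4
dev tap
auth SHA1
cipher AES-256-GCM
compress lzo
"""

def parse(text):
    """Map each directive to its argument list, skipping comments and blanks."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, *args = line.split()
            opts[key.strip("<>")] = args  # "<tls-crypt>" inline block counts too
    return opts

def arg(opts, key, index=0, default=None):
    """Return one argument of a directive, or default when it is absent."""
    args = opts.get(key, [])
    return args[index] if len(args) > index else default

def audit(server_text, client_text):
    """Return names of settings that differ (tun0 -> tun, udp4 -> udp first)."""
    srv, cli = parse(server_text), parse(client_text)
    checks = {
        "device type": (arg(srv, "dev", default="")[:3], arg(cli, "dev", default="")[:3]),
        "protocol": (arg(srv, "proto", default="udp")[:3], arg(cli, "proto", default="udp")[:3]),
        "port": (arg(srv, "port", default="1194"), arg(cli, "remote", 1, "1194")),
        "auth": (arg(srv, "auth"), arg(cli, "auth")),
        "cipher": (arg(srv, "cipher"), arg(cli, "cipher")),
        "compression": (arg(srv, "compress"), arg(cli, "compress")),
        "tls-crypt": ("tls-crypt" in srv, "tls-crypt" in cli),
    }
    return [name for name, (s, c) in checks.items() if s != c]

if __name__ == "__main__":
    print("mismatched settings:", audit(SERVER_CONF, CLIENT_CONF))
```

A difference in cipher may still negotiate on newer OpenVPN versions, so treat the list as items to review rather than as guaranteed connection failures.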