
Automatic install OpenVPN inside iocage Jail in FreeNAS all versions 2020-09-15

berislavv

Cadet
Joined
Mar 16, 2021
Messages
2
I try to download the script and run it, but it says the following. How do I proceed, please?


Code:
1. Install
2. The Updater - updates jail and it's packages
3. Add new/edit OpenVPN profile(s) and send them to e-mail box
4. Regenerate server's keys, certs and recreate profile(s)
5. The Cleaner - keeps .cfg file and removes jail and related files
6. The Keeper - backup & sends config to email
7. The Watcher - shows server configs & last 50 lines of the log
8. Edit settings
9. Exit

: 1
/root/OpenVPN-on-FreeNAS-in-iocage/scripts/functions.sh: line 315: InstallOpenVPN: command not found


I'm running TrueNAS 12.1

The installer gets its scripts from a directory based on the FreeNAS version.
I have TrueNAS 12.2, which is merged with FreeNAS 11.3, so I renamed the OpenVPN-on-FreeNAS-in-iocage/scripts/11.3 dir to 12.2 and the installation went fine.
 

spgrvl

Dabbler
Joined
May 15, 2020
Messages
15
For anyone still struggling with it, please note that in TrueNAS Core you need to follow the tip given by @berislavv about renaming the folder.
Also port change does NOT work somehow, while in FreeNAS it worked just fine.
If you change it in the script the client config file will have the new port but server still runs on default 1194 port. You can change it manually in the server.conf file or just have your router forward traffic of the port you have set in client config to the default 1194.

EDIT: Spoke too soon :/
A TrueNAS system restart later, everything is broken again..
 

berislavv

Cadet
Joined
Mar 16, 2021
Messages
2
EDIT: Spoke too soon :/
A TrueNAS system restart later, everything is broken again..

This is something I am also struggling with now. After a reboot the jail changed vnet_default_interface to none.
After I changed it back to auto in the GUI and restarted the jail, OpenVPN is working again.
The next reboot did not start the jail automatically, so I am trying to investigate this.

Also for me the change of the port worked in install script.
 

spgrvl

Dabbler
Joined
May 15, 2020
Messages
15
This is something I am also struggling with now. After a reboot the jail changed vnet_default_interface to none.
After I changed it back to auto in the GUI and restarted the jail, OpenVPN is working again.
The next reboot did not start the jail automatically, so I am trying to investigate this.

Also for me the change of the port worked in install script.
I noticed some similar behavior as well. After some tinkering with jail's network settings, I have it running for a couple hours and I have done a couple reboots without issues.
The settings I changed are:
  • Disabled "DHCP", "NAT" and "Berkeley Packet Filter", and enabled only "VNET"
  • Set vnet_default_interface to "auto"
  • Set IPv4 Interface to "vnet0"
  • Set IPv4 Address (and IPv4 Netmask) to a custom unused address in my local network (I'm not sure why, but I was having issues with setting an address that I have used before in a jail that I was testing a manual OpenVPN installation, although it was deleted at the time. After setting one that I have never used again, it worked)
  • Set IPv4 Default Router to my router's address
My initial tests show that it's working properly, it remains to be seen if it'll keep working like that :)
As for the ports, I still have a map from my custom port to the default 1194 in my router's port forwarding settings.
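
The port mismatch described in the posts above (the client profile carries the new port, the server still listens on 1194, and a router forward bridges the two) can be checked with a small script. This is an added example, not part of the original posts or of the install script; the function names, the sample files, the host name vpn.example.org and the port 11940 are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the port an OpenVPN server config listens on with
# the port a client profile dials. File paths are supplied by the caller.

# Print the value of the "port" directive, or OpenVPN's default 1194 if absent.
server_port() {
    awk '$1 == "port" { p = $2 } END { print (p == "" ? 1194 : p) }' "$1"
}

# Print the port of the first "remote <host> [port] [proto]" line, default 1194.
client_port() {
    awk '$1 == "remote" && !seen { seen = 1; p = $3 }
         END { print (p == "" ? 1194 : p) }' "$1"
}

# Return 0 when both sides use the same port, or when the optional router
# forward in $3 (written "external:internal") maps the client port to the
# server port. Return 1 on a mismatch nothing bridges.
check_ports() {
    srv=$(server_port "$1"); cli=$(client_port "$2"); fwd=${3:-}
    if [ "$srv" = "$cli" ]; then
        echo "match: server and client both use $srv"; return 0
    fi
    if [ "$fwd" = "$cli:$srv" ]; then
        echo "ok via forward: client $cli -> server $srv"; return 0
    fi
    echo "MISMATCH: server listens on $srv, client dials $cli"; return 1
}

# Constructed sample files reproducing the situation from the thread.
demo_dir=$(mktemp -d)
printf 'port 1194\nproto udp\ndev tun\n' > "$demo_dir/server.conf"
printf 'client\ndev tun\nremote vpn.example.org 11940 udp\n' > "$demo_dir/client.ovpn"

# Without a forward the mismatch is reported; with the forward it passes.
check_ports "$demo_dir/server.conf" "$demo_dir/client.ovpn" || true
check_ports "$demo_dir/server.conf" "$demo_dir/client.ovpn" "11940:1194"
```

Running it against the real server config and a generated .ovpn profile after every port change shows whether the router forward is still needed.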
 
Joined
Jan 27, 2020
Messages
577
I'm stuck at FreeBSD ifconfig failed: external program exited with error status: 1
Has maybe to do something with tun device, but I'm fishing in the dark here.
Apparently if there is already an OpenVPN client running on a tun device in another jail, the OpenVPN server in this jail won't start. I need to figure out how I can run them both side by side, maybe by forcing them to use a numbered tun device
i.e.: openvpn client jail force tun1
openvpn server jail force tun2

May have found a solution thanks to another user who has had a, surprisingly, similar setup and issue. Gonna try that out later: https://www.truenas.com/community/t...orrent-conflicts-with-tun-and-ifconfig.87426/
 

mysticpete

Contributor
Joined
Nov 2, 2013
Messages
146
@Bibi40k Thank you for all your hard work, much appreciated, kudos to you.
 

mysticpete

Contributor
Joined
Nov 2, 2013
Messages
146
Hi all,
After maintaining a manual step-by-step tutorial, I decided to create a script to do all the necessary steps for us all.

Change log:
0.4 - 2020.05.07 - Completely new script with menu
0.3 - 2020.02.25 - Starting Wiki - Git-useful-commands
0.2 - 2020.02.25 - BUGFIX: Email is not read at first run
0.1 - 2020.02.18 - the first commit


What this script does:
- check for new version on each run and update itself
- create all dir structure and files for you
- store all configuration files into 'openvpn-configs'
- create iocage Jail with proper values and configurations
- build Certificate Authority
- build Server Certificates
- generate Diffie Hellman Parameters
- generate the TA key
- build Client(s) Certificate
- copy everything together and set paths to OpenVPN server config file
- creates the firewall and routing tables
- mix all certs and keys together with client(s) config files and create a single .ovpn file useful for mobile also.
- sends email with client(s) config file.


Recommended OpenVPN Clients:
Windows: OpenVPN
MacOS: Tunnelblick


What you should do:
- edit the config file
- during the installation you'll be asked to create a PASS PHRASE which you'll be using to authorize further operations like generating certificates, keys, users
- forward chosen port (default 1194) to OpenVPN iocage Jail chosen IP (default .66) on Port 1194 UDP
- keep in mind that if your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x this might create routing conflicts if you connect to the VPN server from locations that use the same subnet (work, public wi-fi, hotels, etc).


Installation steps:

SSH into Freenas

Code:
ssh your-username@your-FreeNAS-IP # Terminal for MacOS & Linux or Putty on Windows
sudo -i # we need to be root


Download installer
Code:
git clone https://github.com/Bibi40k/OpenVPN-on-FreeNAS-in-iocage.git
cd OpenVPN-on-FreeNAS-in-iocage # Enter the script dir


Start installer and follow on-screen instructions
Code:
./install.sh # run the script and enters the menu



Good luck all, and I'm waiting for feedback.
@Bibi40k Looks like the script has broken as it cannot find "InstallOpenVPN"

 

stillka

Explorer
Joined
Nov 15, 2014
Messages
55
Hi,

is this method valid for TrueNAS 12.0 with latest OpenVPN 2.5.4?

Regards,
Brano

update: it is not, scripts for installing under 12.0 are missing, it's an obsolete utility
 

mysticpete

Contributor
Joined
Nov 2, 2013
Messages
146
Hi,

is this method valid for TrueNAS 12.0 with latest OpenVPN 2.5.4?

Regards,
Brano

update: it is not, scripts for installing under 12.0 are missing, it's an obsolete utility
This was originally built for
  1. FreeNAS 11.1-U1 - 11.2-U7 (may work with other versions too)
Think I built a jail based on 11.3 and that worked.
 

nikinp

Contributor
Joined
Sep 7, 2014
Messages
116
@Bibi40k Hope you are well and thanks again for all your support here.
Since FreeNAS and TrueNAS came together in TrueNAS 12.0, I wondered if this script can be adapted to work on TrueNAS 12.0?
Reading previous posts, looks like people have had issues.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
Joined
Mar 5, 2022
Messages
224
I am running TrueNAS version 12.2 so I copied the scripts/11.3 folder to scripts/12.2... At least I didn't get a fatal error missing InstallOpenVPN.

I did get the following errors though:
1. Install
2. The Updater - updates jail and it's packages
3. Add new/edit OpenVPN profile(s) and send them to e-mail box
4. Regenerate server's keys, certs and recreate profile(s)
5. The Cleaner - keeps .cfg file and removes jail and related files
6. The Keeper - backup & sends config to email
7. The Watcher - shows server configs & last 50 lines of the log
8. Edit settings
9. Exit

: 1

[..] checking config dirs... [success]

[..] appserver jail creation in progress... appserver successfully created!

Testing Host DNS response to pkg.freebsd.org
Testing appserver's SRV response to pkg.freebsd.org
Testing appserver's DNSSEC response to pkg.freebsd.org

Installing pkg...
You may need to manually remove /usr/local/etc/pkg.conf if it is no longer needed.

Installing supplied packages:
- nano...
- openvpn...
===> Creating groups.
Creating group 'openvpn' with gid '301'.
===> Creating users
Creating user 'openvpn' with uid '301'.
=====
Message from easy-rsa-3.1.0_2:

--
NOTE: easy-rsa will require you to initialize a pki ONLY UPON FIRST USE.
The packaging itself no longer does this because that would confuse easy-rsa,
and easy-rsa expects the vars not to be per-installation, but per-PKI.

ONLY for the very first run for a new PKI, do something such as:

easyrsa --pki-dir=~/my_new_pki init-pki # DANGEROUS - DESTROYS ~/my_new_pki
which will copy vars.example both into ~/my_new_pki
and create another copy named ~/my/new_pki/vars for you to edit for this PKI.

Then, edit ~/my/new_pki/vars to set the defaults.

After upgrades, use other commands, explained by running: easyrsa help.
to explain options such as --pki-dir (see above), run: easyrsa help options
=====
Message from openvpn-2.5.7_1:

--
Edit /etc/rc.conf[.local] to start OpenVPN automatically at system
startup. See /usr/local/etc/rc.d/openvpn for details.

Connect to VPN server as a client with this command to include
the client.up/down scripts in the initialization:
openvpn-client <spec>.ovpn

For compatibility notes when interoperating with older OpenVPN
versions, please see <http://openvpn.net/relnotes.html>

Note that OpenVPN does not officially support LibreSSL.

Note that OpenVPN configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

You may want to add user openvpn and group openvpn when creating your
configuration files, the example configuration shows this only as comments.
- mpack...
* Starting appserver
+ Started OK
+ Using devfs_ruleset: 1002 (iocage generated default)
+ Configuring VNET OK
+ Using IP options: vnet
+ Starting services OK
+ Executing poststart OK

[..] make a bkp of 'server.conf' file to conf dir... [success]
[..] make a bkp of 'client.conf' file to conf dir... [success]
[..] make a bkp of 'easy-rsa/vars' file to conf dir... [fail]

[..] copy 'ipfw.rules' file to conf dir... [success]
[..] copy 'newsyslog.conf' file to conf dir... [success]
[..] copy 'syslog.conf' file to conf dir... [success]
[..] copy 'rc.conf' file to conf dir... [success]

[..] adjust values in 'rc.conf' file... [success]

[..] copy 'rc.conf|ipfw.rules|syslog.conf|newsyslog.conf' files to jail... [success]

[..] copy 'easy-rsa' dir to conf dir... [success]
[..] copy 'openvpn.conf' file to conf dir... [success]
[..] copy 'vars' file to conf dir... [success]

[..] adjust values in 'openvpn.conf' file... [success]
[..] adjust values in 'vars' file... [success]

[..] copy Easy RSA vars file to conf dir... [success]

[..] generating PKI...


Something went wrong, exiting.
[info] Display error(s) in a sec.

Log file: /tmp/OpenVPN-on-FreeNAS-in-iocage/openvpn-configs/ovpn-install.log
No default gateway found for ipv6.
cp: /mnt/pool/iocage/jails/appserver/root/usr/local/share/easy-rsa/vars: No such file or directory
/tmp/OpenVPN-on-FreeNAS-in-iocage/scripts/keys.sh: line 20: ./easyrsa.real: No such file or directory

So I assume that copying the folder didn't really help... Any suggestions?
 

yotam777

Cadet
Joined
Jan 29, 2023
Messages
9
I am running TrueNAS version 12.2 so I copied the scripts/11.3 folder to scripts/12.2... At least I didn't get a fatal error missing InstallOpenVPN.

I did get the following errors though:


So I assume that copying the folder didn't really help... Any suggestions?
Stuck on the same step exactly.
Still need this script cause the built-in service refused to load
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I'm sorry,
I cannot test it and fix it for those versions.
As a suggestion, you can read the script's content and manually execute those commands.
It probably fails at some checks.
 

yotam777

Cadet
Joined
Jan 29, 2023
Messages
9
Hi Bibi40k
Thanks for the quick response.
I can check all your versions if needed :)
The script failed in line 20 keys.sh when trying to execute:
" cd ${DSERVER}/easy-rsa && ./easyrsa.real init-pki"
I think the "DSERVER" var points to a path that doesn't exist.

Is it possible to execute line by line?
You have a lot of functions and auxiliary files for vars and paths.
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I have switched to TrueNAS Scale and implemented a new script for that version.
I'm sorry, but I do not have the time to add new features for stuff I don't use. It's open source, so anyone could improve it.
 