Automatic install OpenVPN inside iocage Jail in FreeNAS all versions 2020-09-15

cewjr9842

Cadet
Joined
Jun 3, 2020
Messages
5
Code:
----------------------------------------------------------------------------------

1. Install
2. The Updater - updates jail and it's packages
3. Add new/edit OpenVPN profile(s) and send them to e-mail box
4. Regenerate server's keys, certs and recreate profile(s)
5. The Cleaner - keeps .cfg file and removes jail and related files
6. The Keeper - backup & sends config to email
7. The Watcher - shows server configs & last 50 lines of the log
8. Edit settings
9. Exit

: 7

[info] display content of 'openvpn.conf' file:
port 1194
proto udp4
dev tun
ca /root/openvpn-configs/server/keys/ca.crt
cert /root/openvpn-configs/server/keys/openvpn-server.crt
key /root/openvpn-configs/server/keys/openvpn-server.key
dh /root/openvpn-configs/server/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /root/openvpn-configs/server/ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /root/openvpn-configs/server/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

[info] display content of 'rc.conf' file:
hostname="OpenVPN"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="NO"

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/root/openvpn-configs/server/openvpn.conf"
openvpn_dir="/root/openvpn-configs/server"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/root/openvpn-configs/server/ipfw.rules"

Stopping openvpn.
Waiting for PIDS: 6869.
Starting openvpn.

OpenVPN server log file: '/var/log/openvpn.log'
Jun  5 12:13:13 OpenVPN openvpn[65677]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Jun  5 12:13:13 OpenVPN openvpn[65677]: Closing TUN/TAP interface
Jun  5 12:13:13 OpenVPN openvpn[65677]: /sbin/ifconfig tun0 destroy
Jun  5 12:13:13 OpenVPN openvpn[65677]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Jun  5 12:13:13 OpenVPN openvpn[65677]: SIGTERM[hard,] received, process exiting
Jun  5 12:13:13 OpenVPN openvpn[6868]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun  2 2020
Jun  5 12:13:13 OpenVPN openvpn[6868]: library versions: OpenSSL 1.0.2s-freebsd  28 May 2019, LZO 2.10
Jun  5 12:13:13 OpenVPN openvpn[6869]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Jun  5 12:13:13 OpenVPN openvpn[6869]: Diffie-Hellman initialized with 2048 bit key
Jun  5 12:13:13 OpenVPN openvpn[6869]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 12:13:13 OpenVPN openvpn[6869]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 12:13:13 OpenVPN openvpn[6869]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=ee:f4:bb:9b:c8:80
Jun  5 12:13:13 OpenVPN openvpn[6869]: TUN/TAP device /dev/tun0 opened
Jun  5 12:13:13 OpenVPN openvpn[6869]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Jun  5 12:13:13 OpenVPN openvpn[6869]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Jun  5 12:13:13 OpenVPN openvpn[6869]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Jun  5 12:13:13 OpenVPN openvpn[6869]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jun  5 12:13:13 OpenVPN openvpn[6869]: UDPv4 link remote: [AF_UNSPEC]
Jun  5 12:13:13 OpenVPN openvpn[6869]: GID set to nobody
Jun  5 12:13:13 OpenVPN openvpn[6869]: UID set to nobody
Jun  5 12:13:13 OpenVPN openvpn[6869]: MULTI: multi_init called, r=256 v=256
Jun  5 12:13:13 OpenVPN openvpn[6869]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jun  5 12:13:13 OpenVPN openvpn[6869]: IFCONFIG POOL LIST
Jun  5 12:13:13 OpenVPN openvpn[6869]: Initialization Sequence Completed
Jun  5 12:21:02 OpenVPN openvpn[6869]: event_wait : Interrupted system call (code=4)
Jun  5 12:21:04 OpenVPN openvpn[6869]: /sbin/route delete -net 10.8.0.0 10.8.0.2 255.255.255.0
Jun  5 12:21:04 OpenVPN openvpn[6869]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Jun  5 12:21:04 OpenVPN openvpn[6869]: Closing TUN/TAP interface
Jun  5 12:21:04 OpenVPN openvpn[6869]: /sbin/ifconfig tun0 destroy
Jun  5 12:21:04 OpenVPN openvpn[6869]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Jun  5 12:21:04 OpenVPN openvpn[6869]: SIGTERM[hard,] received, process exiting
Jun  5 12:21:04 OpenVPN openvpn[7666]: OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun  2 2020
Jun  5 12:21:04 OpenVPN openvpn[7666]: library versions: OpenSSL 1.0.2s-freebsd  28 May 2019, LZO 2.10
Jun  5 12:21:04 OpenVPN openvpn[7667]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Jun  5 12:21:04 OpenVPN openvpn[7667]: Diffie-Hellman initialized with 2048 bit key
Jun  5 12:21:04 OpenVPN openvpn[7667]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 12:21:04 OpenVPN openvpn[7667]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jun  5 12:21:04 OpenVPN openvpn[7667]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=ee:f4:bb:9b:c8:80
Jun  5 12:21:04 OpenVPN openvpn[7667]: TUN/TAP device /dev/tun0 opened
Jun  5 12:21:04 OpenVPN openvpn[7667]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Jun  5 12:21:04 OpenVPN openvpn[7667]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Jun  5 12:21:04 OpenVPN openvpn[7667]: Socket Buffers: R=[42080->42080] S=[9216->9216]
Jun  5 12:21:04 OpenVPN openvpn[7667]: UDPv4 link local (bound): [AF_INET][undef]:1194
Jun  5 12:21:04 OpenVPN openvpn[7667]: UDPv4 link remote: [AF_UNSPEC]
Jun  5 12:21:04 OpenVPN openvpn[7667]: GID set to nobody
Jun  5 12:21:04 OpenVPN openvpn[7667]: UID set to nobody
Jun  5 12:21:04 OpenVPN openvpn[7667]: MULTI: multi_init called, r=256 v=256
Jun  5 12:21:04 OpenVPN openvpn[7667]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Jun  5 12:21:04 OpenVPN openvpn[7667]: IFCONFIG POOL LIST
Jun  5 12:21:04 OpenVPN openvpn[7667]: Initialization Sequence Completed
Thanks @Bibi40k for your help on this. Above is what I see when I run the watcher. Sorry for the noob questions.

1. Since I already have transmission and plex set up on the server and running, and also wanted to get sickchill at some point, would I need to do anything else, or am I ok using transmission as it is behind the VPN, or would I need to update the config with my VPN provider's info? Also, how would I see what WAN IP it should be showing?

From
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
I think you're mixing things. I'm not very clear if I understand you, but a VPN gives you access to your LAN via a tunnel. You don't need to do anything to run apps.
 

mjeni

Cadet
Joined
Jun 24, 2020
Messages
2
Hello,
I'm trying to get your script installed; after I go for
Code:
sh ./install.sh
I get the following output (everything before works fine):

Code:
# sh ./install.sh
./install.sh: source: not found
./install.sh: source: not found
./install.sh: CheckUser: not found

 Checking for script updates...

Already up to date.
./install.sh: source: not found
./install.sh: source: not found
./install.sh: source: not found
./install.sh: source: not found
./install.sh: source: not found
./install.sh: source: not found
 Getting fixes for FreeNAS ...
./install.sh: source: not found
./install.sh: CheckOS: not found
./install.sh: source: not found
./install.sh: source: not found
./install.sh: [[: not found
./install.sh: StartUpScreen: not found
#


I am on FreeNAS-11.3-U3.2.

Best regards
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
Hi,
Thanks for the work. I was able to get it to install and run in a jail. If I run the watcher I get errors: FreeBSD ifconfig failed: external program exited with error status: 1. I have troubleshot this going through the forum and saw a suggestion about ifconfig tun create etc., but that did not solve it. I also noticed that on start of the script dashboard, it does not list any external IP. I have turned off all the VPN client config on the router to see if it conflicted. It did not help. Any help would be appreciated... Also, I didn't get any emails. I found the certs in the folder though.
 

Scooper

Cadet
Joined
Jul 6, 2020
Messages
2
Hi,

I successfully used your script to install openvpn in a jail. Thank you very much for your effort!
I can connect with my phone to the VPN, but I cannot reach the rest of my network.

My situation:
ISP-Modem at 192.168.0.10. I'm using port 13188 to connect to my vpn. The modem is forwarding this port to port 1194 of my router.
My router is at 192.168.5.1. My router port forwards port 1194 to my openvpn jail at 192.168.5.66.
My Freenas server is located at 192.168.5.20.

When my phone is connected to 4G I can connect to openvpn fine. The logs of openvpn don't show any error. The following route is pushed to my phone by openvpn: 'PUSH_REPLY,route 192.168.5.0 255.255.255.0,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'

My openvpn.conf contains the following lines regarding the network:
server 10.8.0.0 255.255.255.0
push "route 192.168.5.0 255.255.255.0"

Any idea why I cannot navigate to my FreeNAS server at 192.168.5.20, for example?
 

Scooper

Cadet
Joined
Jul 6, 2020
Messages
2
An update on my previous question regarding the VPN clients that can't navigate/connect to the network behind the vpn host.

It appears that after a fresh restart of FreeNAS the routing does work. The openvpn jail is set to autostart.
After stopping and starting the jail, the routing stops working. I can't get it to work until I reboot FreeNAS.
I don't know if this is caused by the jail, FreeNAS or FreeBSD. If wanted, I can help debug this issue.
 

vheine

Cadet
Joined
Nov 25, 2018
Messages
2
This made my life so much easier! Thank you for this!!! I'm just hung up on finding the configuration file for client devices. Was that supposed to be emailed? I never received the email after completing the install.

Thanks again for all of your help.
 

Lionhead

Cadet
Joined
Jul 17, 2020
Messages
1
I noticed a few comments suggesting they aren't receiving the email with the config file. I've been trying to get this running myself recently and found that the emails are sent to spam by default. It's worth checking if you aren't already.
 

xames

Patron
Joined
Jun 1, 2020
Messages
235
I try to download the script and run it, but it says the following; how do I proceed, please?


Code:
1. Install
2. The Updater - updates jail and it's packages
3. Add new/edit OpenVPN profile(s) and send them to e-mail box
4. Regenerate server's keys, certs and recreate profile(s)
5. The Cleaner - keeps .cfg file and removes jail and related files
6. The Keeper - backup & sends config to email
7. The Watcher - shows server configs & last 50 lines of the log
8. Edit settings
9. Exit

: 1
/root/OpenVPN-on-FreeNAS-in-iocage/scripts/functions.sh: line 315: InstallOpenVPN: command not found


I'm running TrueNAS 12.1
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Hi,
I'm sorry, but I can't help you because I don't have TrueNAS at all to see what's happening there.
 

kjh

Cadet
Joined
Sep 14, 2020
Messages
2
Hi

Thanks for a great piece of work. I previously spent ages trying to create a vpn server in a jail and now this has worked perfectly!

The VPN works from my Linux box and from my iPhone, and I'm now trying to install the client on my OpenWRT router. I've had VPNs working on OpenWRT before, so I know how to set it up.
The problem is that it needs to run on the router with no command-line input, which means certificates only and no passphrase entered at client startup.
I've modified keys.sh to include the 'nopass' option in build-server-full and build-client-full.

Is this correct, and if not then how should I modify the scripts to do this?

Thanks in advance

Kevin
 

Bibi40k

Contributor
Joined
Jan 26, 2018
Messages
136
Hi, I don't know for sure; please try to find the answer on their website.

or on alternative websites

After you find the answer, I can help you implement their solution.
 

kjh

Cadet
Joined
Sep 14, 2020
Messages
2
Hi,
Thanks. I guess I was being a little bit lazy and figured you would know the answer!

I'll research some more and let you know. Despite reading the OpenVPN docs and other stuff many times, I still haven't got a mental picture of how the certificates and keys work.

It would be really great to have the option in the scripts to create clients that don't require a passphrase or passwords at startup.
Regards, Kevin
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,176
I took the liberty of converting this into a Resource, since it probably deserves more visibility.

@Bibi40k, if you have any questions or need help with the Resources section, please ping me and I'll see what I can do.
 

JosephLeone

Cadet
Joined
Oct 4, 2020
Messages
2
Thanks for your great work, this has been amazing!
But for some reason, the email sending fails for me.
The email bounces and I get the error:

Code:
550-Verification failed for <root@localhost.my.domain>
550-Unrouteable address
550 Sender verify failed
550 5.1.1 <****@*****.***>... User unknown


Any pointers?
 

JosephLeone

Cadet
Joined
Oct 4, 2020
Messages
2
I figured it out, my email server was blocking the email due to the "strange" source. Sent it to my gmail instead, straight into spam, but at least I got it. Got it working! Thank you Bibi40k, amazing stuff!
 

maizat

Cadet
Joined
Nov 17, 2020
Messages
1
Hi @Bibi40k, can you help me with this? This is my error.

WARNING: FreeBSD 11.3-RELEASE HAS PASSED ITS END-OF-LIFE DATE.
Any security issues discovered after Wed Sep 30 08:00:00 +08 2020
will not have been corrected.
install: /mnt/POOL1/iocage/releases/11.3-RELEASE/root//usr/lib/debug/usr/sbin/local-unbound-anchor.debug: No such file or directory
install: /mnt/POOL1/iocage/releases/11.3-RELEASE/root//usr/lib/debug/usr/sbin/local-unbound-checkconf.debug: No such file or directory
install: /mnt/POOL1/iocage/releases/11.3-RELEASE/root//usr/lib/debug/usr/sbin/local-unbound-control.debug: No such file or directory
install: /mnt/POOL1/iocage/releases/11.3-RELEASE/root//usr/lib/debug/usr/sbin/local-unbound.debug: No such file or directory
Installing updates...Installing updates...Installing updates...Installing updates...Installing updates... done.
Missing default rc.conf, creating it
OpenVPN successfully created!

Testing Host DNS response to pkg.freebsd.org
Testing OpenVPN's SRV response to pkg.freebsd.org
Testing OpenVPN's DNSSEC response to pkg.freebsd.org
Testing OpenVPN's DNS response to pkg.freebsd.org


Something went wrong, exiting.
[info] Display error(s) in a sec.

Log file: /root/OpenVPN-on-FreeNAS-in-iocage/openvpn-configs/ovpn-install.log
pkg.freebsd.org's SRV record could not be verified.

pkg.freebsd.org could not be reached via DNSSEC.

pkg.freebsd.org could not be reached via DNS, check OpenVPN's network configuration
 

Santoku94116

Cadet
Joined
Dec 20, 2020
Messages
1
Hi, I am new to everything NAS and I am running into some issues. I followed all the steps to have OpenVPN installed, but I have an issue with changing the settings. I enter edit settings, make my changes and finalize it, but I still do not see my email showing up when it brings me back to the main page. I am on Version: FreeNAS-11.3-U5
 

elorimer

Contributor
Joined
Aug 26, 2019
Messages
194
Having a go at this, but I ran into this error:
Code:
/root/OpenVPN-on-FreeNAS-in-iocage/scripts/functions.sh line 315: InstallOpenVPN: command not found

This is on 12U1.
 