electricsquid (Cadet) - Joined Dec 30, 2022 - Messages: 2
I've been using TrueNAS Scale 22.02.4 for a little bit and so far it's been great. However It's time I get a VPN connection setup so that my traffic will go through that instead. I've purchased a VPN connection and have a working .ovpn config file that I can use. My question is, What are the best practices for putting TrueNAS and/or Docker Container traffic through a VPN, while still retaining local access to services like Homer?
From what I've gathered so far, there are a few options:
- Setup an OpenVPN connection through the OpenVPN Client service found under System Settings > Services > OpenVPN Client
- Setup a script to connect the machine to OpenVPN using the provided config file and launching it through System Settings > Advanced > Init/Shutdown Scripts
- Configure the VPN manually for each docker container, Either through:
- A built in OpenVPN instance within the container
- TrueCharts VPN connection solution
- Have a docker container that connects to the VPN, then have the containers use the network stack from that VPN container
OpenVPN Client Service
This was my first thought for setting things up. I imported the Certificate and Certificate Authority under Credentials > Certificates, and then configured the service, but received errors saying that the "client certificate chain could not be verified with specified root CA" and that the CA from the configuration file "must have CRL Sign set for KeyUsage extension."

After doing some digging, I gathered that the CA provided to me would need to be regenerated to include this KeyUsage extension, seeing as how I'm just importing them and not generating them myself. Since this is out of my control I presume I won't be able to fix this unless someone knows otherwise. The first error I'm still not sure about, but haven't found much documentation surrounding this to begin with, and my knowledge of OpenVPN is rather limited.
OpenVPN Startup Script
My next approach was to simply run a command on the booting of the server, and have it connect to OpenVPN using the config that was provided. I ran the following command during the PostInit phase of the boot sequence:
nohup openvpn --config <path to config>
This worked, in that it connected to the VPN, however the docker containers were no longer reachable from my LAN network, although curiously the TrueNAS GUI was still available. I've been scratching my head on this one, and have not found a solution to allow access to those containers from LAN while maintaining the VPN connection. The closest I've found is that I need to allow access to my LAN subnet from the VPN connection but I am unsure how to do so.
Built in OpenVPN Instances
This way relies on an OpenVPN service running within the container alongside the program you initially wanted to run. This way seems simple, though it relies on maintaining another docker image. Additionally it requires manual configuration for each service I'd want to run through the VPN, and would take up several connection slots. Not a fan of this idea, but it is certainly an option if all else fails.

TrueCharts VPN configuration
Probably the simplest way is to install the desired app through a TrueCharts helm chart, and configure the container to use a VPN that way. While this is certainly easy, it will require reconfiguration of all my services, which I'd like to avoid, and also will require separate connections for each service, which I'm not a fan of.

Docker OpenVPN Instance shared to other containers
This solution intrigues me as being a very flexible solution, and is supported by docker with the '--network container:id' run option. However it seems that TrueNAS doesn't really support this sort of configuration. If there is a way to do this however I think it would be a good way to go about this.

My question is, out of these options which is the best solution, or is there another that I've not yet found. Additionally, if the best solution is one that I've had errors with, is it possible to get some insight into what I could do to fix things?
Thank you for your time!
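Two things in the post above can be checked from a shell before touching TrueNAS: whether the provider's CA actually lacks the "CRL Sign" KeyUsage bit the OpenVPN Client service complains about, and what the OpenVPN `route ... net_gateway` directive looks like for a given LAN subnet (the standard OpenVPN way to keep a subnet off the tunnel while the rest of the traffic goes through it). The script below is an added example, not code from the original post or from TrueNAS or OpenVPN; it needs the `openssl` CLI (1.1.1 or newer for `-addext`), the two demo CAs and the 192.168.1.0/24 LAN are constructed for the demonstration, and whether the route directive alone cures the "containers unreachable from LAN" symptom on TrueNAS SCALE is an assumption that the poster would still have to test.

```bash
#!/usr/bin/env bash
# Added example (not from the original post, TrueNAS or OpenVPN).
#  1. ca_has_crl_sign: does a CA certificate carry the "CRL Sign" KeyUsage bit
#     that the TrueNAS OpenVPN Client service insists on?
#  2. split_tunnel_directives: the OpenVPN client directive that keeps a LAN
#     subnet on the pre-tunnel gateway ("net_gateway") while everything else
#     follows the tunnel's default route.
# Requires the openssl CLI. The demo CAs and the LAN subnet are constructed.
set -eu

# ca_key_usage CERT.PEM -> decoded Key Usage line, e.g. "Certificate Sign, CRL Sign"
# (empty when the certificate has no KeyUsage extension or cannot be read)
ca_key_usage() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# ca_has_crl_sign CERT.PEM -> prints yes/no; exit status 0 only when present
ca_has_crl_sign() {
  case "$(ca_key_usage "$1")" in
    *"CRL Sign"*) echo yes; return 0 ;;
    *)            echo no;  return 1 ;;
  esac
}

# make_demo_ca OUT.PEM "keyUsage,list" -> throwaway self-signed CA (constructed
# stand-in for a provider-supplied CA; never use it for anything real)
make_demo_ca() {
  local key
  key=$(mktemp)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
    -days 1 -subj "/CN=demo-ca" \
    -addext "keyUsage=critical,$2" >/dev/null 2>&1
  rm -f "$key"
}

# prefix_to_mask 24 -> 255.255.255.0 (OpenVPN's route directive wants a dotted mask)
prefix_to_mask() {
  local bits=$1 mask
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  printf '%d.%d.%d.%d' $(( mask >> 24 & 255 )) $(( mask >> 16 & 255 )) \
                       $(( mask >> 8 & 255 ))  $(( mask & 255 ))
}

# split_tunnel_directives 192.168.1.0/24 -> lines to append to the client .ovpn
# "net_gateway" is OpenVPN's keyword for the default gateway that existed
# before the tunnel came up, so this subnet bypasses the tunnel.
split_tunnel_directives() {
  local net=${1%/*} bits=${1#*/}
  cat <<EOF
# keep the LAN reachable through the gateway that existed before the tunnel
route $net $(prefix_to_mask "$bits") net_gateway
EOF
}

demo() {
  local good bad
  good=$(mktemp); bad=$(mktemp)
  make_demo_ca "$good" "keyCertSign,cRLSign"   # what TrueNAS wants to see
  make_demo_ca "$bad"  "keyCertSign"           # the "must have CRL Sign" case
  echo "CA with cRLSign:    $(ca_has_crl_sign "$good" || true)"
  echo "CA without cRLSign: $(ca_has_crl_sign "$bad"  || true)"
  split_tunnel_directives 192.168.1.0/24
  rm -f "$good" "$bad"
}

demo
```

Run `ca_has_crl_sign` against the `ca` block extracted from the provider's .ovpn file (or the separate CA file, if one was supplied): if it prints `no`, the TrueNAS service will keep rejecting it and only the provider can issue a CA with the bit set, which is why the init-script route that calls `openvpn` directly does not hit this check. The `route ... net_gateway` line is appended to the same .ovpn file before starting the client.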