How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@NasKar I highly recommend taking a look at the OpenWrt wiki mentioned in my post above yours if you used Easy-RSA, as I would scrap all those and start new with an openssl.cnf, which I provide in that link, as well as the chronological steps and commands required. There's also log output in that wiki showing what the log output of a CCD enabled config should resemble.

CCD configuration would resemble this

Server config
Code:
ccd-exclusive
client-config-dir	   /etc/openvpn/clients/
ifconfig-pool-persist	   /etc/openvpn/clients/ipp.txt
  • ccd-exclusive enables CCD
  • client-config-dir points to the directory that will house the client files in the next section
  • ifconfig-pool-persist is a file that contains the common name from the client files in the next section, followed by the static IP they were assigned
/etc/openvpn/clients
  • For each VPN client, a file needs to be created which exactly mirrors the common name for the client cert
  • File should contain an ifconfig command pushing a static IP to the client
Client Certificate CN: John Doe (Plex Only)
  • Client File: /etc/openvpn/clients/John Doe (Plex Only)
    • File Output: ifconfig-push 10.1.0.5 255.255.255.224
/etc/openvpn/clients/ipp.txt
  • For each VPN client, one per line, the CN needs to be specified, followed by the static IP
IPP File: /etc/openvpn/clients/ipp.txt
  • File Output: John Doe (Plex Only),10.1.0.5
Once all that is done, start/re-start vpn server, then connect with client to test
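The CCD layout described above has three places that must agree by hand: the server directives, a file per client named exactly after the certificate CN, and the CN,IP lines in ipp.txt. The following checker, an added example that is not code from this thread or from OpenVPN, parses constructed samples of all three (paths, CNs and addresses are made up to match the post) and reports every mismatch a server would otherwise only reveal at connect time.

```python
"""Consistency check for an OpenVPN client-config-dir (CCD) layout.

Mirrors the setup in the post above: ccd-exclusive, client-config-dir,
ifconfig-pool-persist, one CCD file per certificate CN carrying an
ifconfig-push line, and an ipp.txt of "CN,IP" lines. All sample data
below is constructed for the example.
"""
import ipaddress
import re

# Constructed server config fragment.
SERVER_CONF = """\
server 10.1.0.0 255.255.255.224
ccd-exclusive
client-config-dir   /etc/openvpn/clients/
ifconfig-pool-persist   /etc/openvpn/clients/ipp.txt
"""

# Constructed CCD directory as {file name (== cert CN): file contents}.
# CNs may contain spaces and parentheses, so the file name must match exactly.
CCD_FILES = {
    "John Doe (Plex Only)": "ifconfig-push 10.1.0.5 255.255.255.224\n",
    "Jane Roe (Admin)": "ifconfig-push 10.1.0.6 255.255.255.224\n",
    "Stale Client": "",  # file exists but pushes nothing: gets a pool address
}

# Constructed ipp.txt: Jane's IP disagrees with her CCD file, and
# "Ghost Client" has an entry but no CCD file.
IPP_TXT = """\
John Doe (Plex Only),10.1.0.5
Jane Roe (Admin),10.1.0.7
Ghost Client,10.1.0.9
"""


def parse_server_conf(text):
    """Map directive -> argument string (comments stripped, last one wins)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    return opts


def parse_ipp(text):
    """ipp.txt is 'CN,IP' per line; split on the last comma, a CN may contain commas."""
    entries = {}
    for line in text.splitlines():
        if "," in line:
            cn, ip = line.rsplit(",", 1)
            entries[cn.strip()] = ip.strip()
    return entries


def ccd_push(contents):
    """Return the IP pushed by a CCD file's ifconfig-push line, or None."""
    m = re.search(r"^\s*ifconfig-push\s+(\S+)\s+\S+", contents, re.M)
    return m.group(1) if m else None


def check_ccd(server_conf, ccd_files, ipp_txt):
    """Return findings as a list of strings; an empty list means consistent."""
    findings = []
    opts = parse_server_conf(server_conf)
    if "ccd-exclusive" not in opts:
        findings.append("server: ccd-exclusive missing, a CN without a CCD file would still connect")
    parts = opts.get("server", "").split()
    pool = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False) if len(parts) == 2 else None
    ipp = parse_ipp(ipp_txt)
    seen = {}  # pushed IP -> CN, to catch two clients pinned to one address
    for cn, contents in ccd_files.items():
        ip = ccd_push(contents)
        if ip is None:
            findings.append(f"ccd/{cn}: no ifconfig-push, client gets a dynamic pool address")
            continue
        if pool and ipaddress.ip_address(ip) not in pool:
            findings.append(f"ccd/{cn}: {ip} is outside the server network {pool}")
        if ip in seen:
            findings.append(f"ccd/{cn}: pushes {ip}, already pinned to {seen[ip]}")
        seen[ip] = cn
        if cn not in ipp:
            findings.append(f"ipp.txt: no entry for {cn}")
        elif ipp[cn] != ip:
            findings.append(f"ipp.txt: {cn} maps to {ipp[cn]} but the CCD file pushes {ip}")
    for cn in ipp:
        if cn not in ccd_files:
            findings.append(f"ipp.txt: {cn} has no CCD file, so ccd-exclusive rejects it")
    return findings
```

Run `check_ccd(SERVER_CONF, CCD_FILES, IPP_TXT)` against the samples and it reports Jane's IP conflict, the stale file with no push, and the ipp.txt entry with no CCD file; a clean layout returns an empty list.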
 

Perfn

Cadet
Joined
Sep 19, 2013
Messages
5
I have one of those stupid beginner questions.

I got my OpenVPN working and I can connect to it from my phone. But then I hit a speedbump when I want to use a SFTP client on my phone to access my files. What settings am I supposed to use on the client? Is it the local ip of my NAS or something else?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Check out the OpenWrt wiki link and match your server and client configs to the options set (snd/rcv & mtu values specifically) - Server's will be under Connection Speed, Client's will be under Speed
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
@zoomzoom I tried to follow the wiki but it's a little confusing.
I created a new jail to try it so I don't mess up the openvpn that's working.

pkg update ; pkg install openvpn-openssl luci-app-openvpn
cd /etc/ssl
pkg install nano
mkdir -p ca/csr crl openvpn/clients

copy openssl.cnf file to /etc/ssl change \ to / first
echo 00 > crlnumber
touch index
touch rand

Step CA OpenSSL Prerequisites- do I have to edit the openssl.cnf file? Should I change Router.1 to the name of my servers on freenas and their respective IPs? No idea about the other steps listed below.
  1. Certificate Authority Clients [Line 253]
    1. Servers
      • Lines: 259 - 281
    2. Clients
      • Lines: 283 - 287
  2. Change SAN & V3 profile names from alt_ca_main to alt_ca_openwrt [lines 233, 353, & 357]
Then enter the commands after that?

#--------------------------------------------------------------------
##----- Certificate Authorities -----##
#--------------------------------------------------------------------

# Main #
[ alt_ca_main ]
DNS.1 = Router.1
IP.1 = 127.0.0.1

# Router 2 #
[ alt_ica_router2 ]
DNS.1 = Router.2
IP.1 = 127.0.0.1

# Router 3 #
[ alt_ica_router3 ]
DNS.1 = Router.3
IP.1 = 127.0.0.1

# Router 4 #
[ alt_ica_router4 ]
DNS.1 = Router.4
IP.1 = 127.0.0.1
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
???
Re-read what you wrote and you'll answer your own question...

"...do I have to edit the openssl.cnf file"

Change SAN & V3 profile names from

Modify the following SubjectAltNames & V3 Profiles
And yes, once you've completed the prerequisite edits, move to the commands. Also, in each step, there is a file path in burnt orange in the upper right hand corner of the prerequisites - this specifies what file is being edited, or from what directory the commands are being executed from.

The Servers and Clients line numbers tell the user where to look in the openssl.cnf for the servers' and clients' SAN profiles for the CA. It will be easier for you to understand the openssl.cnf if you download Notepad++ in Windows, then download the language profile for it from my GitHub. The directions on that page link also tell you how to import that language file into Notepad++. Once you do so, open the openssl.cnf in Notepad++ and select the Language drop-down menu, and finally select "config" at the very bottom of that menu.
 
Last edited:

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@Steo Sorry, forgot to also tell you to add the interface name to your config in lieu of the local directive. Below dev tun list a second dev directive with the name of your interface (for example, dev tun0).

The local directive has a special use case (IIRC, gateway-redirect), with the device name generally being sufficient. As to the keep-alive directive, FreeBSD must interpret that differently than linux systems, as normally any whitespace that's contained within an option must be contained within single, or double, quotes.
The above information is wrong... something I realized when I was updating my OpenVPN HowTo wiki on OpenWrt.

The local directive is utilized to point to a local IP that's already been assigned to an interface. Specifying the interface via dev <iface> should be utilized when the interface has no protocol assigned to it, or is configured with a static IP, but is not assigned an IP (this is how VPN wikis have always recommended OpenVPN be configured on OpenWrt). It's taken me 2 years to realize this even though I've read the OpenVPN man page and HowTo several times over... oops.
 
Last edited:

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
A weird thing happened to the VPN. After working great it suddenly stopped working and I couldn't log into my freenas network. When I got home I rebooted the openvpn jail; that didn't help. I checked the router to see if my DDNS had updated and it said it had. I then rebooted the router and my outside IP address changed. After updating the DDNS service I still couldn't log in with the VPN. Any ideas on what else to look for?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Per the troubleshooting part of the guide I rebooted the FreeNAS box and now it works again.
1) Any ideas on what caused the problem? See logs at end of post.
2) If I'm away from my computer I can't reboot the FreeNAS box without the VPN working. Is there any other way to fix this remotely if this were to happen again?

nano /var/log/messages
Code:
Oct 31 19:28:08 OpenVPN openvpn[27701]: 70.214.77.234:9727 TLS: Initial packet from [AF_INET]70.214.77.234:9727, sid=ccbfc9e8 9481fd81
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 VERIFY OK: depth=1, CN=user1 NAS CA
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 VERIFY OK: depth=0, CN=openvpn.user1
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 4096 bit RSA
Oct 31 19:28:09 OpenVPN openvpn[27701]: 70.214.77.234:9727 [openvpn.user1] Peer Connection Initiated with [AF_INET]70.214.77.234:9727
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 MULTI_sva: pool returned IPv4=172.16.8.6, IPv6=(Not enabled)
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 MULTI: Learn: 172.16.8.6 -> openvpn.user1/70.214.77.234:9727
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 MULTI: primary virtual IP for openvpn.user1/70.214.77.234:9727: 172.16.8.6
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 PUSH: Received control message: 'PUSH_REQUEST'
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 send_push_reply(): safe_cap=940
Oct 31 19:28:09 OpenVPN openvpn[27701]: openvpn.user1/70.214.77.234:9727 SENT CONTROL [openvpn.user1]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5' (status=1)



[root@OpenVPN /mnt/keys]# ipfw list
Code:
00100 nat 1 ip from 172.16.8.0/24 to any out via epair12b
00200 nat 1 ip from any to any in via epair12b
65535 allow ip from any to any


nano openvpn.conf
Code:
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3



[root@OpenVPN /mnt/keys]# ps aux
Code:
USER	 PID %CPU %MEM   VSZ  RSS TT  STAT STARTED	TIME COMMAND
nobody 27701  0.1  0.0 22388 4524 ??  SsJ   9:18PM 0:17.79 /usr/local/sbin/openvpn --cd /mnt/keys --daemon openvpn --config /mnt/keys/openvpn.conf --writepid /var/run/openvpn.pid
root   27669  0.0  0.0 12088 1592 ??  SsJ   9:18PM 0:00.13 /usr/sbin/syslogd -s
root   27729  0.0  0.0 14184 1564 ??  IsJ   9:18PM 0:00.07 /usr/sbin/cron -s
root   88138  0.0  0.0 17464 2644  0  SJ	7:20PM 0:00.01 bash
root   89571  0.0  0.0 16296 1484  0  R+J   7:54PM 0:00.00 ps aux


[root@OpenVPN /mnt/keys]# service openvpn stop
Code:
Stopping openvpn.
Waiting for PIDS: 27701.
[root@OpenVPN /mnt/keys]# openvpn --config /mnt/keys/openvpn.conf
Mon Oct 31 19:56:38 2016 OpenVPN 2.3.12 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Oct 12 2016
Mon Oct 31 19:56:38 2016 library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Mon Oct 31 19:56:38 2016 Diffie-Hellman initialized with 4096 bit key
Mon Oct 31 19:56:38 2016 WARNING: file 'openvpn-server.key' is group or others accessible
Mon Oct 31 19:56:38 2016 WARNING: file 'ta.key' is group or others accessible
Mon Oct 31 19:56:38 2016 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Oct 31 19:56:38 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 31 19:56:38 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Oct 31 19:56:38 2016 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Oct 31 19:56:38 2016 ROUTE_GATEWAY 192.168.1.1
Mon Oct 31 19:56:38 2016 TUN/TAP device /dev/tun0 opened
Mon Oct 31 19:56:38 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Oct 31 19:56:38 2016 /sbin/ifconfig tun0 172.16.8.1 172.16.8.2 mtu 1500 netmask 255.255.255.255 up
Mon Oct 31 19:56:38 2016 /sbin/route add -net 172.16.8.0 172.16.8.2 255.255.255.0
add net 172.16.8.0: gateway 172.16.8.2
Mon Oct 31 19:56:38 2016 GID set to nobody
Mon Oct 31 19:56:38 2016 UID set to nobody
Mon Oct 31 19:56:38 2016 UDPv4 link local (bound): [undef]
Mon Oct 31 19:56:38 2016 UDPv4 link remote: [undef]
Mon Oct 31 19:56:38 2016 MULTI: multi_init called, r=256 v=256
Mon Oct 31 19:56:38 2016 IFCONFIG POOL: base=172.16.8.4 size=62, ipv6=0
Mon Oct 31 19:56:38 2016 ifconfig_pool_read(), in='openvpn.user1,172.16.8.4', TODO: IPv6
Mon Oct 31 19:56:38 2016 succeeded -> ifconfig_pool_set()
Mon Oct 31 19:56:38 2016 ifconfig_pool_read(), in='user1.ipad,172.16.8.8', TODO: IPv6
Mon Oct 31 19:56:38 2016 succeeded -> ifconfig_pool_set()
Mon Oct 31 19:56:38 2016 IFCONFIG POOL LIST
Mon Oct 31 19:56:38 2016 openvpn.user1,172.16.8.4
Mon Oct 31 19:56:38 2016 user1.ipad,172.16.8.8
Mon Oct 31 19:56:38 2016 Initialization Sequence Completed
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
I believe it has to do with FreeNAS' routing tables: the system's, not the ones inside the jails. After rebooting the tunnel interface is recognized by FreeNAS and starts automatically.

To my knowledge, you only have to reboot the first time you create the OpenVPN jail. I haven't had any connectivity problems after that, and I'm maintaining four different servers with OVPN jails.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I thought that recommendation was only if you couldn't get the VPN running in the first place. Thanks for explaining it. I was worried it would keep happening randomly when I wasn't home <G>. Thanks again for your efforts in posting this how to. Any possibility you could post an option on how to limit a client to a particular jail instead of the entire network?
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
My first guess would be to set the restricted jail's gateway to the OpenVPN jail.

There's another tutorial in this forum to set up Transmission so that it only goes through a VPN; might be worth looking at.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Thanks I'll check it out. BTW the VPN stopped working again. The messages log says "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" I'll reboot and see if it fixes it.

Addendum: Turns out this time the no-ip DDNS wasn't working properly.
 
Last edited:

Suprazz

Dabbler
Joined
Oct 19, 2016
Messages
13
I'm getting the error:
TLS Error: cannot locate HMAC in incoming packet from ...

I tried to comment the tls line in the config file.
I tried to regenerate the ta.key, nothing changed.
I tried locally and remotely. Port forwarding is configured correctly in the router on port 10011

What else can I try?
Thanks
 

Suprazz

Dabbler
Joined
Oct 19, 2016
Messages
13
I tried again all the steps on another server and same issue:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]
 

Suprazz

Dabbler
Joined
Oct 19, 2016
Messages
13
If I comment the line tls-auth in the client and server, I'm able to connect to the server but I'm still having issues:
On the client:
Nov 7 11:45:06 openvpn openvpn[10695]: myuser.name/XXX.XXX.XXX.XXX:46513 Authenticate/Decrypt packet error: packet HMAC authentication failed

And on the server:
Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Nov 07 11:43:43 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Nov 07 11:43:43 2016 [openvpn-server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:10011
Mon Nov 07 11:43:45 2016 SENT CONTROL [openvpn-server]: 'PUSH_REQUEST' (status=1)
Mon Nov 07 11:43:45 2016 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 172.16.8.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.8.6 172.16.8.5'
Mon Nov 07 11:43:45 2016 OPTIONS IMPORT: timers and/or timeouts modified
Mon Nov 07 11:43:45 2016 OPTIONS IMPORT: --ifconfig/up options modified
Mon Nov 07 11:43:45 2016 OPTIONS IMPORT: route options modified
Mon Nov 07 11:43:45 2016 ROUTE_GATEWAY 192.168.43.1/255.255.255.0 I=7 HWADDR=bc:85:56:a5:67:7b
Mon Nov 07 11:43:45 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Nov 07 11:43:45 2016 open_tun, tt->ipv6=0
Mon Nov 07 11:43:45 2016 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{E541EAC2-047A-4929-99C1-89CF48EBBA67}.tap
Mon Nov 07 11:43:45 2016 TAP-Windows Driver Version 9.21
Mon Nov 07 11:43:45 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.16.8.6/255.255.255.252 on interface {E541EAC2-047A-4929-99C1-89CF48EBBA67} [DHCP-serv: 172.16.8.5, lease-time: 31536000]
Mon Nov 07 11:43:45 2016 NOTE: FlushIpNetTable failed on interface [29] {E541EAC2-047A-4929-99C1-89CF48EBBA67} (status=5) : Access is denied.
Mon Nov 07 11:43:50 2016 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Mon Nov 07 11:43:50 2016 C:\WINDOWS\system32\route.exe ADD 192.168.1.0 MASK 255.255.255.0 172.16.8.5
Mon Nov 07 11:43:50 2016 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Mon Nov 07 11:43:50 2016 Route addition via IPAPI failed [adaptive]
Mon Nov 07 11:43:50 2016 Route addition fallback to route.exe
Mon Nov 07 11:43:50 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Nov 07 11:43:50 2016 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 07 11:43:50 2016 C:\WINDOWS\system32\route.exe ADD 172.16.8.1 MASK 255.255.255.255 172.16.8.5
Mon Nov 07 11:43:50 2016 ROUTE: route addition failed using CreateIpForwardEntry: Access is denied. [status=5 if_index=29]
Mon Nov 07 11:43:50 2016 Route addition via IPAPI failed [adaptive]
Mon Nov 07 11:43:50 2016 Route addition fallback to route.exe
Mon Nov 07 11:43:50 2016 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Nov 07 11:43:50 2016 ERROR: Windows route add command failed [adaptive]: returned error code 1
Mon Nov 07 11:43:50 2016 Initialization Sequence Completed
Mon Nov 07 11:43:55 2016 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Nov 07 11:44:05 2016 Authenticate/Decrypt packet error: packet HMAC authentication failed

Thanks
 

captainkent

Dabbler
Joined
Nov 12, 2016
Messages
10
Thanks for the guide robles, I'm having some difficulties though. I have to admit, I'm running this from NAS4Free, but as far as I understand, they should be more or less identical, no?

[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/issued/* /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/private/* /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/ca.crt /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/dh.pem /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp ta.key /mnt/keys
[root@openvpn /usr/local/share/easy-rsa]# cd /mnt/keys
[root@OpenVPN /mnt/keys]# ls -lah
drwxr-xr-x 2 root wheel 8B Aug 15 21:06 .
drwxr-xr-x 3 root wheel 3B Sep 29 2015 ..
-rw------- 1 root wheel 1.1k Aug 15 21:06 ca.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 ca.key
-rw------- 1 root wheel 424B Aug 15 21:16 dh.pem
-rw------- 1 root wheel 4.3k Aug 15 21:05 john.appleseed.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 john.appleseed.key
-rw------- 1 root wheel 4.3k Aug 15 21:05 openvpn-server.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 openvpn-server.key
-rw------- 1 root wheel 636B Aug 15 21:17 ta.key

At this part, I want to copy my files from my jail to /mnt/Disk_0/keys on my NAS. But I can't reach this directory. How do I mount this in my jail?

Server NAT Configuration
Next, we'll create the firewall rules for the server:
[root@openvpn /mnt/keys]# nano /usr/local/etc/ipfw.rules

This will create a new file in /usr/local/etc/ named ipfw.rules. Insert the next rules in that file:
Code:
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

I can't run anything which has to do with ipfw. I always get the following:
Code:
[root@openvpn /]# ipfw list
ipfw: socket: Operation not permitted


This means I can never create tun0. If I manually try to create it with ifconfig, I get the following.
Code:
[root@test /]# ifconfig tun create
ifconfig: SIOCIFCREATE2: Operation not permitted


Anybody have any suggestions?
 

kpeng

Dabbler
Joined
May 16, 2016
Messages
11
Thank you for this wonderful guide. I had my openvpn working for almost a year. Last week it suddenly stopped working. I can still connect to it. But nothing more, cannot access anything within the freenas network, cannot access internet. I checked all the settings, I don't see any problem. The exact same setting worked for me in the past year. I didn't update anything. Can someone please help take a look?

ipfw list
Code:
root@vpnserver:/ # ipfw list
00100 nat 1 ip from 172.16.8.0/24 to any out via epair6b
00200 nat 1 ip from any to any in via epair6b
65535 allow ip from any to any
root@vpnserver:/ #


ipfw.rules
Code:
root@vpnserver:/ # cat /usr/local/etc/ipfw.rules
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun1
root@vpnserver:/ #


ifconfig -a
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair6b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ff:70:00:0c:0b
	inet 10.0.0.9 netmask 0xffffff00 broadcast 10.0.0.255
	nd6 options=9<PERFORMNUD,IFDISABLED>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet 172.16.8.1 --> 172.16.8.2 netmask 0xffffffff
	nd6 options=9<PERFORMNUD,IFDISABLED>


openvpn.conf
Code:
#local 10.0.0.9
port 10011
proto udp
dev tun1
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt		#Server key created previously
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem				  #Diffie-Hellman parameters are now 2048 bits long
server 172.16.8.0 255.255.255.0				  #Purple network
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"			  #Yellow network
#route 10.0.0.9 255.255.255.0 10.10.0.1		  #Routes traffic from the Yellow network side
							 #(192.168.1.0/24)
						 #to the Purple network side (10.8.0.0/24)
push "redirect-gateway def1"
push "dhcp-option DNS 10.0.0.1"
#tls-auth /mnt/openvpn/keys/auth.key 0
#crl-verify /mnt/openvpn/keys/crl.pem
keepalive 10 120
#group nobody
#user nobody
comp-lzo
persist-key
#persist-tun
verb 7



The reason I am using tun1 instead of tun0 is I have another jail running Transmission on VPN, that one takes up the tun0. But I don't think that matters. It has been like that for the past year.
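The guide's ipfw.rules script (quoted in captainkent's post) binds the NAT rules to whatever epair the jail has at the moment it runs, and the tunnel comes up only if the tun device OpenVPN expects actually exists; both captainkent's "Operation not permitted" and kpeng's connected-but-no-traffic symptom are visible in the three dumps people pasted here. The following checker is an added example, not code from this thread or its guide: it cross-checks constructed samples of `ipfw list`, `ifconfig -l` and openvpn.conf output (all values made up to look like the thread's) and flags a missing rule set, a NAT rule bound to a vanished epair, a NAT source network that does not match the `server` directive, and a `dev tunN` that is not present.

```python
"""Cross-check the jail's NAT rules against its live interfaces.

Covers the two failure shapes seen in this thread: `ipfw list` showing
only the default allow rule (ipfw.rules never applied), and NAT rules
still naming an epair that changed when the jail restarted. All three
inputs are constructed samples shaped like the thread's pastes.
"""
import ipaddress
import re

# Constructed `ipfw list` output.
IPFW_LIST = """\
00100 nat 1 ip from 172.16.8.0/24 to any out via epair12b
00200 nat 1 ip from any to any in via epair12b
65535 allow ip from any to any
"""
# Constructed `ifconfig -l`: the jail came back with epair6b, and the
# OpenVPN instance in it was renamed to tun1 by the rules script.
IFCONFIG_L = "lo0 epair6b tun1"
# Constructed openvpn.conf fragment.
OPENVPN_CONF = """\
port 10011
proto udp
dev tun0
server 172.16.8.0 255.255.255.0
"""

NAT_RULE = re.compile(
    r"^\d+\s+nat\s+\d+\s+\S+\s+from\s+(\S+)\s+to\s+\S+\s+(in|out)\s+via\s+(\S+)")


def parse_ipfw(text):
    """Return (src, direction, iface) for every NAT rule in `ipfw list` output."""
    matches = (NAT_RULE.match(ln.strip()) for ln in text.splitlines())
    return [m.groups() for m in matches if m]


def parse_conf(text):
    """Map openvpn.conf directive -> argument string, comments stripped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts[key] = val.strip()
    return opts


def check_nat(ipfw_text, ifconfig_l, conf_text):
    """Return a list of findings; empty means the NAT wiring looks consistent."""
    findings = []
    ifaces = set(ifconfig_l.split())
    rules = parse_ipfw(ipfw_text)
    opts = parse_conf(conf_text)

    if not rules:
        findings.append("no NAT rules loaded: ipfw.rules did not run (or ipfw is not permitted in this jail)")
    for src, direction, iface in rules:
        if iface not in ifaces:
            findings.append(f"NAT {direction} rule is bound to {iface}, which no longer exists")

    # The outbound NAT source must be the network the `server` directive hands out.
    parts = opts.get("server", "").split()
    if rules and len(parts) == 2:
        vpn_net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        nat_srcs = {src for src, d, _ in rules if d == "out" and src != "any"}
        if not any(ipaddress.ip_network(s, strict=False) == vpn_net for s in nat_srcs):
            findings.append(f"no outbound NAT rule matches the VPN network {vpn_net}")

    # A bare `dev tun` lets OpenVPN pick a device; a numbered one must exist.
    dev = opts.get("dev", "")
    if dev != "tun" and dev.startswith("tun") and dev not in ifaces:
        findings.append(f"openvpn.conf uses {dev}, but that interface is not present")
    return findings
```

On the constructed samples `check_nat(IPFW_LIST, IFCONFIG_L, OPENVPN_CONF)` reports both NAT rules bound to the stale epair12b and a tun0 that is not present; rerunning ipfw.rules and matching `dev` to the renamed device clears all three.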
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Change proto to tcp [server & client], set server log verbosity to 4, client verbosity to 5, restart openvpn server & client, then check the logs on both
 