How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT

Status
Not open for further replies.

Segarra

Dabbler
Joined
Jan 4, 2015
Messages
27
Hello everyone, I'm new to this world :) I run FreeNAS 9.3
I installed Plex, Transmission, MiniDLNA... and everything works perfectly....
I tried to install OpenVPN, I followed the directions and when I try to start the service, it doesn't work

"Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn"

No error, just failed to start openvpn...

I'm not sure if the error is in the config file, my network is:
Router: 192.168.0.254
HP MicroServer IP: 192.168.0.4
OpenVPN Jail: 192.168.0.203

And I'm not sure how to set up the config file:

Code:
port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server XX.XX.XX.XX 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route XX.XX.XX.XX 255.255.255.0"
route XX.XX.XX.XX 255.255.255.0 XX.XX.XX.XX
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

Could anyone help me with how to set up the IPs???

After that I'll try again to start the service and see what happens...

Thanks a lot
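The two address lines in that config ("server" and "push route") are the ones that need real networks. The script below is an added example, not from this thread or the tutorial: it builds those lines from a VPN client network and the LAN to reach, and refuses when the two overlap, which is the one combination that can never work. The values are assumptions: 10.8.0.0/24 for the clients (the network the ipfw rules further down this thread translate) and 192.168.0.0/24 for the LAN from Segarra's network. The posted config's "route" line is an OpenVPN directive for a network behind a client and is left out on the assumption that there is none.

```sh
#!/bin/sh
# Added example, not from the thread or the tutorial: fill in the address
# lines of an OpenVPN server.conf from two networks and refuse to emit them
# when the networks overlap.  Assumed values: the clients get addresses from
# 10.8.0.0/24 (the network the ipfw rules later in this thread translate),
# and the LAN to reach through the tunnel is 192.168.0.0/24 (Segarra's).

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True (exit 0) when the two networks share at least one address: compare
# both under the shorter of the two masks.
nets_overlap() {   # net1 mask1 net2 mask2
    n1=$(ip2int "$1"); m1=$(ip2int "$2")
    n2=$(ip2int "$3"); m2=$(ip2int "$4")
    if [ "$m1" -lt "$m2" ]; then m=$m1; else m=$m2; fi
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

# Emit the address-dependent lines: "server" is the pool handed to clients,
# "push route" tells each client how to reach the LAN behind the jail.
# OpenVPN's own "route" directive (in the posted config) adds a server-side
# kernel route to a network behind a *client*; it is left out here on the
# assumption that there is no such network.
server_lines() {   # vpn_net vpn_mask lan_net lan_mask
    if nets_overlap "$1" "$2" "$3" "$4"; then
        echo "error: VPN network $1/$2 overlaps LAN $3/$4; choose another VPN network" >&2
        return 1
    fi
    printf 'server %s %s\n' "$1" "$2"
    printf 'push "route %s %s"\n' "$3" "$4"
}

# Example run with the assumed values.
server_lines 10.8.0.0 255.255.255.0 192.168.0.0 255.255.255.0
```

The overlap check matters for road warriors: a client sitting on a hotel or home LAN that is also 192.168.0.0/24 will not be able to reach the NAS either, so picking a less common LAN range on the server side is worth considering as well.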
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
I tried to install OpenVPN, I followed the directions and when I try to start the service, it doesn't work

Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

Try starting OpenVPN this way:

openvpn --config /mnt/openvpn/openvpn.conf

When I did this I saw that I'd copied/pasted the example openvpn.conf file without renaming the server key and certificate (from openvpn-server to the name I'd used).

If no errors are displayed, then try looking at the OpenVPN Server Log Messages

[root@openvpn /]# cat /var/log/messages

 

Segarra

Dabbler
Joined
Jan 4, 2015
Messages
27
Try starting OpenVPN this way:

openvpn --config /mnt/openvpn/openvpn.conf

When I did this I saw that I'd copied/pasted the example openvpn.conf file without renaming the server key and certificate (from openvpn-server).

If no errors are displayed, then try looking at the OpenVPN Server Log Messages

[root@openvpn /]# cat /var/log/messages

Thanks, I'll try it and comment back

Sent from my Nexus 5 via Tapatalk
 

Segarra

Dabbler
Joined
Jan 4, 2015
Messages
27
Try starting OpenVPN this way:

openvpn --config /mnt/openvpn/openvpn.conf

When I did this I saw that I'd copied/pasted the example openvpn.conf file without renaming the server key and certificate (from openvpn-server).

If no errors are displayed, then try looking at the OpenVPN Server Log Messages

[root@openvpn /]# cat /var/log/messages

And with the IPs in the config file, could anyone help me with the correct IPs?

Thanks
 

Tutti21

Cadet
Joined
Jan 30, 2015
Messages
9
Hello, I have OpenVPN installed and I get the WAN IP of the OpenVPN server, but I can't access the network, e.g. 192.168.0.X, in which the FreeNAS and the OpenVPN server are. What can I change so that I can access my FreeNAS?


PS: solved, don't know why, but it works now; it seems like it was my firewall
 

swbartley

Explorer
Joined
Mar 17, 2014
Messages
58
I have been searching for a solution and I thought I found one, but I'm hoping I'm still in luck. However, once I get to the certificate creation stage I get this error, and I ran the pkg upgrade. I need a little help getting over this hump.


root@openvpn:/ # cd /usr/local/share/easy-rsa
root@openvpn:/usr/local/share/easy-rsa # source ./vars
export: Command not found.
export: Command not found.
export: Command not found.
export: Command not found.
EASY_RSA: Undefined variable.
export: Command not found.
EASY_RSA: Undefined variable.
root@openvpn:/usr/local/share/easy-rsa #

----------------------------------
FreeNAS-9.3-Nightlies-201502060400
Intel Xeon CPU X3430 @ 2.40GHz
(3) 2TB WD RED
(1) 1TB WD GREEN
 

swbartley

Explorer
Joined
Mar 17, 2014
Messages
58
I made it all the way to this point; I must be missing something?

[root@openVPN /usr/local/share/easy-rsa]# mkdir /mnt/openVPN/keys
mkdir: /mnt/openVPN: No such file or directory
[root@openVPN /usr/local/share/easy-rsa]#
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
root@openvpn:/usr/local/share/easy-rsa # source ./vars
export: Command not found.

I'm guessing that you either aren't using bash or that there is something wrong with your bash installation.
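The "export: Command not found." lines are what csh prints, and csh was the default root shell on FreeBSD of that era; easy-rsa's vars file is Bourne-shell syntax, so it has to be sourced from sh or bash. The helper below is an added example, not from this thread or the tutorial: it reads a vars file under sh and prints the EASY_RSA and KEY_* variables it would set, so the values can be confirmed before any certificate is built. The vars file it creates is a constructed sample with made-up values.

```sh
#!/bin/sh
# Added example, not from the thread or the tutorial.  easy-rsa's "vars" file
# is written in Bourne-shell syntax ("export KEY_SIZE=2048"); csh, the
# default root shell on FreeBSD of that era, has no "export" builtin and
# prints exactly the "export: Command not found." seen above.  Reading the
# file under sh shows what it would set before any certificate is built.
# The vars file used here is a constructed sample with made-up values.

# Print NAME=VALUE for every EASY_RSA / KEY_* variable the vars file exports.
show_easyrsa_vars() {   # path/to/vars
    sh -c '. "$1" >/dev/null 2>&1; env' sh "$1" | grep -E '^(EASY_RSA|KEY_)' | sort
}

# Value of one variable as the vars file sets it (empty if not set).
easyrsa_var() {   # path/to/vars NAME
    show_easyrsa_vars "$1" | sed -n "s/^$2=//p"
}

# Constructed sample in the same syntax as the real easy-rsa 2 vars file.
make_sample_vars() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
export EASY_RSA="/usr/local/share/easy-rsa"
export KEY_SIZE=2048
export KEY_EXPIRE=365
export KEY_COUNTRY="US"
EOF
    echo "$f"
}

# Example run.
vars=$(make_sample_vars)
show_easyrsa_vars "$vars"
```

For the actual build the whole sequence (". ./vars", "./clean-all", "./build-ca" and so on) has to run in one Bourne-style session, since each step reads the variables the previous one exported: start "sh" (or "bash") in /usr/local/share/easy-rsa first, then run the steps there. The real vars file sets EASY_RSA from the current directory, so it must be sourced from that directory.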
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
[root@openVPN /usr/local/share/easy-rsa]# mkdir /mnt/openVPN/keys
mkdir: /mnt/openVPN: No such file or directory
[root@openVPN /usr/local/share/easy-rsa]#


Maybe try creating one directory at a time, e.g.:

mkdir /mnt/openVPN
mkdir /mnt/openVPN/keys
Personally, I use all lowercase for directory names so that I don't have to remember the case when I go to use it somewhere else. Also, using the exact same name (including case) as the tutorial means that you can copy/paste the commands from the tutorial without having to (remember to) edit them to work on your system. These are just my idea of best practices as I try to teach myself something from a tutorial.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
For those of you interested in learning more about OpenVPN's configuration file options, I found these sources very useful:


Many thanks to @robles for creating this tutorial and to everyone who helped me get my installation working. Please accept this post as my way of giving back to the community. It is not a criticism of anyone's work.

Thank you again @robles!



Updates:

Feb 9, 2015
Here are other good sites regarding ideas for hardening OpenVPN:
May 28, 2015
Another good explanation of hardening options:

 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Firstly I would like to thank you for your effort in writing this guide. It works perfectly without any hassle. However, I have a problem when I restart the jail. The epair interface changes randomly, which causes ipfw to block my connection.

Any idea how to prevent the epair interface from changing even after restarting the jail?
I made a dirty workaround for this, here's my ipfw.rules that automatically grabs the first epair interface it finds and uses that to relay all traffic through it:

Code:
#!/bin/sh
# Pick the first epair interface the jail has; the name changes between
# jail restarts, so it is looked up at run time instead of hard-coded.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair | head -n 1)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
# Translate VPN client traffic (10.8.0.0/24) leaving via the epair, and
# the replies coming back in on it.
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}


Hope this helps!
 

nanopete

Dabbler
Joined
Nov 20, 2014
Messages
47
Thank you for a great guide robles!
While UDP seems to be the optimum protocol for OpenVPN, you are often blocked if not using TCP over 443, which I have never had blocked.
Therefore it would be optimal to always have both options; is there an easy way to have this setup listening for both UDP and TCP?

Regards, the Happy FreeNAS Newbie
 

THX

Dabbler
Joined
Dec 6, 2013
Messages
28
Thanks for the guide. I just wanted to adjust one thing.
I wanted to restrict connections to only 1 IP (for example my owncloud jail @ 192.168.1.100). Am I right to assume that I need to change my ipfw settings like this:

ipfw -q add nat 1 all from 10.8.0.0/24 to 192.168.1.100 out via epair0b
ipfw -q add nat 1 all from 192.168.1.100 to any in via epair0b

edit: Works perfect.
 

robles

Explorer
Joined
Jul 29, 2014
Messages
89
Thank you for a great guide robles!
While UDP seems to be the optimum protocol for OpenVPN, you are often blocked if not using TCP over 443, which I have never had blocked.
Therefore it would be optimal to always have both options; is there an easy way to have this setup listening for both UDP and TCP?

Regards, the Happy FreeNAS Newbie
From the OpenVPN Documentation:

If you want your OpenVPN server to listen on a TCP port instead of a UDP port, use proto tcp instead of proto udp (If you want OpenVPN to listen on both a UDP and TCP port, you must run two separate OpenVPN instances).

Please don't take this the wrong way, I don't mind helping people, but this is very easy to find in the documentation. Please try and do some research beforehand, I'll be happy to help you in anything that goes wrong afterwards.

Thanks for the guide. I just wanted to adjust one thing.
I wanted to restrict connections to only 1 IP (for example my owncloud jail @ 192.168.1.100). Am I right to assume that I need to change my ipfw settings like this:

ipfw -q add nat 1 all from 10.8.0.0/24 to 192.168.1.100 out via epair0b
ipfw -q add nat 1 all from 192.168.1.100 to any in via epair0b
Yes, that should work. IPFW is a "first match wins" firewall; that means that rules are processed top to bottom, and if there's no match, it discards the packet. If you find that this configuration doesn't work, remember to add a static route from your other jail (192.168.1.100) so that it knows that the other side network is accessible through your jail's IP (192.168.1.x).

The FreeBSD doc on IPFW is great documentation, and as a good starting point, I really recommend the DummyNet tutorial.
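Two things from the exchange above can be turned into working code: the second OpenVPN instance for TCP/443 that the documentation quote calls for, and THX's single-host restriction of the NAT rules, which relies on the first-match behaviour robles describes. The script below is an added example, not from this thread or the tutorial. It derives the TCP instance's config from the UDP one (each instance needs its own proto, port, tun device, address pool and ifconfig-pool-persist file) and emits ipfw NAT rules covering both VPN networks, either for any destination or for one host only. Assumptions: the UDP instance uses "dev tun" and 10.8.0.0/24, the TCP instance gets tun1 and 10.8.1.0/24, ipfw runs with its default one_pass=1 (a packet matched by a nat rule leaves the rule set there), and the explicit deny rules in the restricted case are this example's addition, not THX's.

```sh
#!/bin/sh
# Added example, not from the thread or the tutorial.  Two things from the
# posts above: (1) OpenVPN handles one protocol per process, so a TCP/443
# listener means a second instance with its own config; (2) the ipfw NAT
# rules can be restricted to a single destination host.  Assumptions: the
# UDP instance uses "dev tun" and 10.8.0.0/24; the TCP instance gets tun1,
# 10.8.1.0/24 and its own ifconfig-pool-persist file; ipfw's default is
# one_pass=1, so a packet matched by a nat rule leaves the rule set there.

# Derive the TCP instance's config from the UDP one.  Each instance needs
# its own proto, port, tun device, address pool and pool-persist file.
derive_tcp_conf() {   # udp.conf tcp_port tun_dev vpn_net
    sed -e 's/^proto udp$/proto tcp/' \
        -e "s/^port .*/port $2/" \
        -e "s/^dev tun.*/dev $3/" \
        -e "s/^server [0-9.]* /server $4 /" \
        -e 's/^ifconfig-pool-persist .*/ifconfig-pool-persist ipp-tcp.txt/' \
        "$1"
}

# First epair interface in "ifconfig -l" output (the name changes between
# jail restarts, so look it up instead of hard-coding it).
pick_epair() {   # "ifconfig -l output"
    printf '%s\n' "$1" | tr ' ' '\n' | grep '^epair' | head -n 1
}

# Emit ipfw NAT rules for every VPN network given.  DEST="any" translates
# all client traffic; DEST=<host> translates only traffic to that host and,
# since first match wins, explicitly drops anything else leaving from the
# VPN networks (added here so the result does not depend on the default rule).
ipfw_nat_rules() {   # epair dest net1 [net2 ...]
    epair=$1; dest=$2; shift 2
    echo "ipfw -q -f flush"
    echo "ipfw -q nat 1 config if $epair"
    for net in "$@"; do
        echo "ipfw -q add nat 1 all from $net to $dest out via $epair"
    done
    echo "ipfw -q add nat 1 all from $dest to any in via $epair"
    if [ "$dest" != any ]; then
        for net in "$@"; do
            echo "ipfw -q add deny all from $net to any out via $epair"
        done
    fi
}

# Constructed sample of the UDP instance's config (addresses assumed).
make_sample_udp_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
port 10011
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
EOF
    echo "$f"
}

# Example run: the derived TCP config, then rules restricted to one host.
udp=$(make_sample_udp_conf)
derive_tcp_conf "$udp" 443 tun1 10.8.1.0
ipfw_nat_rules "$(pick_epair 'lo0 epair0b tun0 tun1')" 192.168.1.100 10.8.0.0/24 10.8.1.0/24
```

Save the derived file next to the first one and start it as a second daemon; FreeBSD's openvpn rc script supports named instances via a symlink to the script with matching openvpn_<name>_* variables in rc.conf (check the comments at the top of /usr/local/etc/rc.d/openvpn for the exact names; that mechanism is an assumption here, not something the thread covers). The clients of the TCP instance get 10.8.1.x addresses, which is why the NAT rules list both networks.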
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
I really need help. I have been reading and trying to figure this out... ifconfig shows this
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:35:5e:00:09:0b
    inet 10.0.0.22 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=9<PERFORMNUD,IFDISABLED>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    nd6 options=9<PERFORMNUD,IFDISABLED>


It's trying to use tun0 when it connects, and as you can see mine is tun1. How do you choose that? I have tried in the config but I got nothing.

Code:
Feb 18 10:26:56 vpn2 openvpn[16514]: OpenVPN 2.3.6 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Feb 12 2015
Feb 18 10:26:56 vpn2 openvpn[16514]: library versions: OpenSSL 0.9.8za-freebsd 5 Jun 2014, LZO 2.09
Feb 18 10:26:56 vpn2 openvpn[16514]: Diffie-Hellman initialized with 1024 bit key
Feb 18 10:26:56 vpn2 openvpn[16514]: Socket Buffers: R=[42080->65536] S=[9216->65536]
Feb 18 10:26:56 vpn2 openvpn[16514]: ROUTE_GATEWAY 10.0.0.1
Feb 18 10:26:56 vpn2 openvpn[16514]: TUN/TAP device /dev/tun0 opened
Feb 18 10:26:56 vpn2 openvpn[16514]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Feb 18 10:26:56 vpn2 openvpn[16514]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 18 10:26:56 vpn2 openvpn[16514]: FreeBSD ifconfig failed: external program exited with error status: 1
Feb 18 10:26:56 vpn2 openvpn[16514]: Exiting due to fatal error
Feb 18 10:26:56 vpn2 root: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn



Help please....
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
This tutorial will show you how to configure OpenVPN inside a jail …

@robles, please consider adding the following topics to your tutorial:
  1. Certificate Revocation
    How to revoke a client certificate, including modifications to the server conf to ensure that revoked certificates are denied access

  2. Maintenance
    How to upgrade OpenVPN, EasySSL, and other components as new versions become available.
Thank you.
 

whatnissan

Dabbler
Joined
Feb 18, 2015
Messages
49
nello, do you have any idea what's going on in my setup? I just need to know where I can choose the correct tun interface. Then I'm sure I'll be on to the next issue with this.
 

nello

Patron
Joined
Dec 30, 2012
Messages
351
nello, do you have any idea what's going on in my setup? I just need to know where I can choose the correct tun interface.

Sorry, I don't know much about this.

Perhaps if you increased the verbosity in the server configuration you could get a better idea of what is happening and why.

For debugging, I suggest verb 6
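Before raising the verbosity it helps to read what the log already says. The script below is an added example, not from this thread or the tutorial: it pulls out of an OpenVPN start-up log the tun device that was opened and the external command that failed, lists the tun devices the jail's "ifconfig -l" actually shows, and says whether the two agree. The log lines and interface list it uses are constructed samples modelled on whatnissan's post. Whether pinning the device with "dev tunN" fixes this particular jail is not settled in the thread, so the script only proposes it as the next thing to test.

```sh
#!/bin/sh
# Added example, not from the thread or the tutorial: pull the facts that
# matter out of an OpenVPN start-up log (which tun device it opened, which
# external command failed) and list the tun devices the jail actually shows
# in "ifconfig -l", so the two can be compared before guessing.  The log
# lines and interface list are constructed samples modelled on the post
# above; whether pinning the device with "dev tunN" cures this jail is not
# settled in the thread, so that is offered only as the next thing to test.

# Constructed sample log, modelled on the posted one.
sample_log() {
    cat <<'EOF'
Feb 18 10:26:56 vpn2 openvpn[16514]: ROUTE_GATEWAY 10.0.0.1
Feb 18 10:26:56 vpn2 openvpn[16514]: TUN/TAP device /dev/tun0 opened
Feb 18 10:26:56 vpn2 openvpn[16514]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 18 10:26:56 vpn2 openvpn[16514]: FreeBSD ifconfig failed: external program exited with error status: 1
Feb 18 10:26:56 vpn2 openvpn[16514]: Exiting due to fatal error
EOF
}

# Device named in the "TUN/TAP device /dev/tunN opened" line (stdin = log).
opened_tun() {
    sed -n 's|.*TUN/TAP device /dev/\(tun[0-9]*\) opened.*|\1|p' | head -n 1
}

# The external command that failed: the last "/sbin/..." line before the
# "external program exited with error" line (stdin = log).
failed_command() {
    awk '/openvpn\[[0-9]*\]: \/sbin\// { cmd = $0; sub(/.*openvpn\[[0-9]*\]: /, "", cmd) }
         /external program exited with error/ { print cmd; exit }'
}

# tun devices present in the jail, from "ifconfig -l" output (stdin).
present_tuns() {
    tr ' ' '\n' | grep '^tun[0-9]*$' | sort
}

# Exit 0 if the device OpenVPN opened is in the jail's interface list.
opened_tun_present() {   # logfile "ifconfig -l output"
    opened=$(opened_tun < "$1")
    [ -n "$opened" ] || return 1
    printf '%s\n' "$2" | present_tuns | grep -qx "$opened"
}

# Human-readable triage of one log against one interface list.
triage() {   # logfile "ifconfig -l output"
    echo "opened:  $(opened_tun < "$1")"
    echo "failed:  $(failed_command < "$1")"
    echo "present: $(printf '%s\n' "$2" | present_tuns | tr '\n' ' ')"
    if opened_tun_present "$1" "$2"; then
        echo "verdict: the device exists; run the failed ifconfig line by hand inside the jail and raise verb to 6"
    else
        echo "verdict: the opened device is not in the jail's list; try naming a listed one with 'dev tunN' (assumption)"
    fi
}

# Example run with the constructed samples.
log=$(mktemp)
sample_log > "$log"
triage "$log" "lo0 epair1b tun1"
```

On the real jail, feed it the actual log and interface list: triage /var/log/messages "$(ifconfig -l)". Running the extracted ifconfig line by hand is the quickest way to see the error that OpenVPN only reports as "exited with error status: 1".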
 