How to set up OpenVPN server on FreeNAS 9.3+

Status
Not open for further replies.

FreeNASBob

Patron
Joined
Aug 23, 2014
Messages
226
I have been trying to follow several guides posted on these forums, but they all appear to have been written for previous versions of FreeNAS or OpenVPN. For example, following this guide dies at:

Code:
[root@OpenVPN /usr/local/share/easy-rsa]# source ./vars
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.


After some investigating I discovered that OpenVPN includes an easyrsa script that you call with various parameters, but that fails as well:

Code:
[root@OpenVPN /usr/local/share/easy-rsa]# easyrsa build-ca

Note: using Easy-RSA configuration from: /usr/local/share/easy-rsa/vars

Easy-RSA error:

The OpenSSL config file cannot be found.
Expected location: /usr/local/share/easy-rsa/openssl-1.0.cnf


This guide appears designed to set up OpenVPN as a client so there's no info about setting up server keys, etc. Even the OpenVPN documentation says:


Code:
On Linux/BSD/Unix:

    . ./vars
    ./clean-all
    ./build-ca


But, when you try that you get:

Code:
[root@OpenVPN /usr/local/share/easy-rsa]# . ./vars
You appear to be sourcing an Easy-RSA 'vars' file.
This is no longer necessary and is disallowed. See the section called
'How to use this file' near the top comments for more details.


The 'How to use this file' section states:

Code:
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.


I was going to edit the vars file to point to the OpenSSL config located at /etc/ssl in the OpenVPN jail, but the documentation states:

Code:
# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.


So, there's a step or 10 that are now missing from every source I can find.

Has anybody else figured it out?

Thanks.
 

FreeNASBob

Patron
Joined
Aug 23, 2014
Messages
226
Making progress. The openssl-1.0.cnf is not installed with pkg install openvpn (or at least not in the easy-rsa directory). I got a copy from the OpenVPN GitHub and I was able to get as far as building DH parameters. That's still working.
 

TheAliw1

Cadet
Joined
Jan 23, 2016
Messages
8
(quoting FreeNASBob's post above)

Let me know exactly what you did so far; please post the associated commands if you made any progress. I'm trying to do the same thing and got stuck today at the same step. Have you been able to go ahead and finish the configuration of OpenVPN according to the article after copying over the openssl-1.0.cnf file? Looking forward to hearing back from you!
 

iniazi

Dabbler
Joined
Oct 9, 2015
Messages
12
I still haven't tested the client config yet, but if this may help:

  • Get the openssl-1.0.cnf from https://raw.githubusercontent.com/OpenVPN/easy-rsa/master/easyrsa3/openssl-1.0.cnf
  • instead of sourcing the vars (I'll start from the beginning):
    • cp -a /usr/local/share/easy-rsa ~
    • cd easy-rsa
    • Edit the vars file (not sure if this is needed or not) and uncomment & update the country/province, etc. and ca/cert expire as needed
    • create openssl-1.0.cnf (from above url)
    • ./easyrsa.real clean-all
    • ./easyrsa.real build-ca
    • ./easyrsa.real build-server-full openvpn-server nopass
    • ./easyrsa.real show-cert openvpn-server
      • Just to verify that it's signed
    • ./easyrsa.real build-client-full YOURNAME
      • This is the client cert so put your name (no spaces)
    • ./easyrsa.real gen-dh
    • openvpn --genkey --secret auth.key
    • mv auth.key pki
    • cp -a pki /mnt/openvpn/keys
    • Another change is that some of the keys, instead of being in 'keys/*' are actually in 'keys/issued/*', so you have to modify your openvpn.conf accordingly
    • Also, I generated the auth.key which is the HMAC (from the same setup)... so uncomment, and copy it to client etc.

Hopefully this helps. I'm going to test out the client in a day or two when I have time
 

iniazi

Dabbler
Joined
Oct 9, 2015
Messages
12
And I had some errors when trying to connect:
VERIFY nsCertType ERROR: CN=openvpn-server, require nsCertType=SERVER

I was following that old guide, but the client config needs to be tweaked:

replace:
ns-cert-type server

with:
remote-cert-tls server

This allowed me to connect (internally, though, going to do an external test prob next week)
 
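An added example, written for this thread rather than taken from any post in it: a POSIX sh script that runs the easy-rsa 3 steps from iniazi's first post, checks that the resulting pki directory has everything OpenVPN needs, and writes a server.conf and a client .ovpn that use the easy-rsa 3 layout (issued/ and private/ instead of the old keys/) and `remote-cert-tls server` instead of `ns-cert-type server`, the fix from iniazi's second post. The values openvpn-server, alice, /mnt/openvpn/keys, port 1194, vpn.example.net and the HMAC key name ta.key are placeholders I chose, not values from the thread; override them through the environment variables at the top.

```shell
#!/bin/sh
# Added example, not from the thread: easy-rsa 3 PKI build for an OpenVPN
# server in a FreeBSD jail, a layout check, and config generation with the
# easy-rsa 3 paths. All names below are assumed placeholders.
set -e

EASYRSA_SRC=/usr/local/share/easy-rsa     # installed by the openvpn pkg
WORK=${WORK:-$HOME/easy-rsa}              # private working copy, as in the thread
KEYDIR=${KEYDIR:-/mnt/openvpn/keys}       # where the pki/ contents are copied to
SERVER=${SERVER:-openvpn-server}
CLIENT=${CLIENT:-alice}
PORT=${PORT:-1194}
REMOTE=${REMOTE:-vpn.example.net}

# Step 1: build the PKI (needs easyrsa.real and openvpn; not run by the test).
build_pki() {
    [ -d "$WORK" ] || cp -a "$EASYRSA_SRC" "$WORK"
    cd "$WORK"
    # The pkg does not ship the easy-rsa specific OpenSSL config; it has to sit
    # next to easyrsa.real (see the posts above for where it comes from).
    [ -f openssl-1.0.cnf ] || { echo "openssl-1.0.cnf missing in $WORK" >&2; return 1; }
    ./easyrsa.real init-pki                             # wipes pki/ (alias: clean-all)
    ./easyrsa.real build-ca                             # prompts for a CA passphrase: keep it
    ./easyrsa.real build-server-full "$SERVER" nopass   # daemon must start unattended
    ./easyrsa.real build-client-full "$CLIENT"          # prompts: client key stays encrypted
    ./easyrsa.real gen-dh
    openvpn --genkey --secret pki/ta.key                # tls-auth HMAC key (2.3/2.4 syntax)
    mkdir -p "$KEYDIR" && cp -a pki/. "$KEYDIR"/
    chmod -R go-rwx "$KEYDIR/private" "$KEYDIR/ta.key"
}

# Files easy-rsa 3 produces, relative to the pki dir. Old guides expect
# keys/NAME.crt and keys/NAME.key; easy-rsa 3 splits them into issued/ and private/.
required_files() {
    printf '%s\n' ca.crt dh.pem ta.key "issued/$1.crt" "private/$1.key" \
        "issued/$2.crt" "private/$2.key"
}

# check_pki DIR SERVER CLIENT: report missing files, return 1 if any are missing.
check_pki() {
    dir=$1; missing=0
    for f in $(required_files "$2" "$3"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2; missing=1
        fi
    done
    return $missing
}

# server_conf KEYDIR SERVER PORT: server config using the easy-rsa 3 paths.
server_conf() {
    cat <<EOF
port $3
proto udp
dev tun
ca $1/ca.crt
cert $1/issued/$2.crt
key $1/private/$2.key
dh $1/dh.pem
tls-auth $1/ta.key 0
server 10.8.0.0 255.255.255.0
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
verb 3
EOF
}

# client_ovpn REMOTE PORT CA CERT KEY TA: single-file client profile.
# remote-cert-tls server checks the server cert's key usage / extended key usage,
# which easy-rsa 3's server type sets; ns-cert-type is gone from OpenVPN 2.5.
client_ovpn() {
    cat <<EOF
client
dev tun
proto udp
remote $1 $2
remote-cert-tls server
key-direction 1
<ca>
$(cat "$3")
</ca>
<cert>
$(cat "$4")
</cert>
<key>
$(cat "$5")
</key>
<tls-auth>
$(cat "$6")
</tls-auth>
EOF
}

# Step 2: generate the configs once the files are in place.
write_configs() {
    check_pki "$KEYDIR" "$SERVER" "$CLIENT"
    server_conf "$KEYDIR" "$SERVER" "$PORT" > server.conf
    client_ovpn "$REMOTE" "$PORT" "$KEYDIR/ca.crt" "$KEYDIR/issued/$CLIENT.crt" \
        "$KEYDIR/private/$CLIENT.key" "$KEYDIR/ta.key" > "$CLIENT.ovpn"
    chmod 600 "$CLIENT.ovpn"    # it embeds the client's private key
}

case "${1:-}" in
    build) build_pki ;;
    conf)  write_configs ;;
esac
```

Run it as `sh easyrsa3-openvpn.sh build` inside the jail to create the PKI, then `sh easyrsa3-openvpn.sh conf` to get server.conf and alice.ovpn; check_pki fails loudly if a file is not where the easy-rsa 3 layout puts it, which is the mismatch that breaks the old guides' openvpn.conf. The client key is left encrypted on purpose, so the .ovpn prompts for its passphrase on each connect.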

TheAliw1

Cadet
Joined
Jan 23, 2016
Messages
8
Thank you guys very much! I got it up and running! Both internally and externally, it works perfectly!
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
Hi, I also tried to set up an OpenVPN server in a jail on FreeNAS 9.10 with the old jail template (after upgrading from 9.3 I didn't recreate all jails). I used this post as the source "https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/" for setting up the OpenVPN server and the OpenVPN client config file, editing rc.conf and making ipfw.rules.
Then I created the certificates as "iniazi" wrote, but did not use the "openssl-1.0.cnf" from GitHub:

1. Create a standard jail
2. Log in to the jail
3. Install openvpn with openssl: pkg upgrade, pkg update, pkg install openvpn
4. Generate the certificates (use this as the source - google "EasyRSA3-OpenVPN-Howto")
cd /usr/local/share/easy-rsa
sh ./easyrsa.real init-pki - this prepares the pki folder. Always do this before starting a new creation of everything
Server and client must not have the same CN when creating them
sh ./easyrsa.real build-ca - this creates the CA keypair/cert
sh ./easyrsa.real gen-req "servername" nopass - this generates an unencrypted keypair and request for the server.
sh ./easyrsa.real gen-req "clientname" - this generates an encrypted keypair and request for the server with a password (2-factor login from the client = password + certificate)
sh ./easyrsa.real sign client "clientname" - sign the client
sh ./easyrsa.real sign server "servername" - sign the server
sh ./easyrsa.real gen-dh - create DH
5. All crt, dh and key files are located in /usr/local/share/easy-rsa/pki
6. Server files in pki: ca.crt, ca.key, dh.pem, servername.crt, servername.key
7. Client files in pki: ca.crt, ca.key, clientname.crt, clientname.key
8. Configure rc.conf, ipfw.rules, server.conf, client.ovpn
 

KEvinn

Dabbler
Joined
Dec 22, 2015
Messages
16
(quoting iniazi's first post above, the openssl-1.0.cnf / easyrsa.real steps)

Yo, this helped a lot, but unfortunately I'm stuck: it seems that my OpenVPN is not listening on the port. After doing the last step of the NAT configuration in the old guide to check if it's listening on the port, I get this:

Code:
[root@OpenVPN /]# sockstat -4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     syslogd    46610 7  udp4   *:514                 *:*


As you can see, the USER "nobody" is not showing up for me with the corresponding port. I have forwarded port 10011 on my router to the jail's IP, and I also have this port listed in the openvpn.conf file. So where did I go wrong, and what do I have to do to fix this issue?
 
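An added example for the "nothing listening" situation in KEvinn's post, my own script rather than anything posted in the thread: it works through the usual chain in order (is the openvpn process alive at all, which port does the config say, is anything bound to that port) and parses sockstat's output instead of eyeballing it. It assumes the FreeBSD sockstat column layout shown in the post (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS), the FreeBSD rc default config path /usr/local/etc/openvpn/openvpn.conf, and port 10011 only in the usage below; the sample sockstat lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: find out why sockstat in the jail shows
# no OpenVPN listener. Assumes FreeBSD sockstat output columns
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS) and the FreeBSD
# rc default config path; both are assumptions, adjust if yours differ.
set -e

CONF=${CONF:-/usr/local/etc/openvpn/openvpn.conf}

# listener_for_port PORT  (sockstat output on stdin)
# Prints "USER COMMAND PROTO" for the socket bound to *:PORT or addr:PORT;
# exit status 1 when nothing is bound there.
listener_for_port() {
    awk -v port="$1" '
        NR > 1 && $6 ~ ("^[*0-9.]+:" port "$") { print $1, $2, $5; found = 1 }
        END { exit found ? 0 : 1 }'
}

# port_from_conf FILE: the "port N" directive OpenVPN will bind (default 1194).
port_from_conf() {
    awk '$1 == "port" { p = $2 } END { print (p == "" ? 1194 : p) }' "$1"
}

# diagnose [PORT]: walk the failure chain; a missing process is the usual cause
# of an empty sockstat, and the foreground run prints the config error.
diagnose() {
    port=$1
    [ -n "$port" ] || port=$(port_from_conf "$CONF")
    if ! pgrep -x openvpn >/dev/null; then
        echo "openvpn is not running; start it in the foreground to see why:" >&2
        echo "  openvpn --config $CONF" >&2
        return 1
    fi
    if who=$(sockstat -4 | listener_for_port "$port"); then
        echo "bound to port $port: $who"   # 'nobody openvpn udp4' once privileges are dropped
    else
        echo "openvpn runs but nothing is bound to port $port;" \
             "'port' in $CONF and the router forward must agree" >&2
        sockstat -4 | grep openvpn >&2 || true
        return 1
    fi
}

if [ "${1:-}" = check ]; then
    diagnose "${2:-}"
fi
```

Usage inside the jail: `sh check-openvpn.sh check` reads the port from the config, `sh check-openvpn.sh check 10011` checks a specific one. If the process is running and bound but the client still cannot reach it from outside, the remaining suspects are the jail's ipfw.rules and the router forward, not OpenVPN itself.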