
SOLVED Is openVPN a standalone VPN or a tool for FreeNAS to connect to VPN?

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
I assume there's no free lunch with VPNs,
that one must pay a VPN provider for use.

I wanted to enable remote SSH and Plex use and
it's been recommended that I setup a VPN.

This is not something that freeNAS handles on its own, correct?
 

kdragon75

FreeNAS Expert
Joined
Aug 7, 2016
Messages
2,448
A "vpn" is just a secure connection between two computers. Depending on how you connect when you're outside your network, the two computers could be your laptop and your FreeNAS.

Most paid VPN services are to hide your home internet traffic from your internet service provider.
 

fracai

FreeNAS Guru
Joined
Aug 22, 2012
Messages
1,205
Regarding OpenVPN and your thread title question, it's both.
You can run your own OpenVPN server and then connect to that when you're outside of your home.
You can also use OpenVPN as a client to connect to many paid VPN services.

FreeNAS could run OpenVPN in a jail (there are a few tutorials on this forum). I prefer to run it on my router, but not all will support that.
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
FreeNAS could run OpenVPN in a jail.
(There are a few tutorials on this forum).
I prefer to run it on my router, (but not all will support that).
• Are you running openVPN or something different on your router?
• Are you running a VPN client on your router or a VPN server?

• If I run openVPN (as you are) from my router, does that mean that
all connections through that router MUST go through the VPN
(guaranteeing slowdown for roommates' connections)?

• Is it possible to send some connections through the router
via VPN and for others to bypass the VPN completely in the cases of:

- router installed with client VPN
- router installed with server VPN
- freeNAS installed with server VPN

(I have roommates who don't care about a VPN and won't want the slowdown.)

.
You can run your own OpenVPN server and then connect to that when you're outside of your home.
You can also use OpenVPN as a client to connect to many paid VPN services.
What about when you're inside of your home?

• If 2 devices are connected on a local network and
are each also connected to the same VPN
(via client installations at the device level),
will they bypass the VPN connection in favor of
the faster/more open local connection?
I assume two LAN connected devices
communicate freely with each other via LAN,
even if they are both connected to the same VPN, and
even if one of the two is acting as the VPN server.

• If 2 devices are connected on a local network and
are each also connected to the same VPN
(via a client or server installation at the router level),
will they bypass the VPN connection in favor of
the faster/more open local connection?
I assume two LAN connected devices
communicate freely with each other via LAN,
even if they are both connected to the same router
which is connected to or hosting a VPN.

.
You can run your own OpenVPN server and then connect to that when you're outside of your home.
You can also use OpenVPN as a client to connect to many paid VPN services.
• If I understand correctly:

openVPN (freeNAS is self-server): free.
openVPN (freeNAS is client to paid server): anonymous from ISP as well.

Are there any other pros or cons to be aware of?

.

• Does running openVPN as a self-service VPN server on
a freeNAS server intended for home use (thus minimal simultaneous users)
tend to be processing intensive?

[Would processing increase significantly with additional simultaneous users?]

.

• Somewhat unrelated: Does "tor" effectively function by amassing
many home servers into one big crowdsourced vpn?
 

fracai

FreeNAS Guru
Joined
Aug 22, 2012
Messages
1,205
• Are you running openVPN or something different on your router?
• Are you running a VPN client on your router or a VPN server?
I'm running OpenVPN server on my router.

• If I run openVPN (as you are) from my router, does that mean that
all connections through that router MUST go through the VPN
(guaranteeing slowdown for roommates' connections)?
That is possible, you could run the client on your router and connect to a remote VPN server somewhere to hide your data from your ISP. I'm running the server on my router so I can connect to my home network when I'm away.

• Is it possible to send some connections through the router
via VPN and for others to bypass the VPN completely in the cases of:

- router installed with client VPN
- router installed with server VPN
- freeNAS installed with server VPN

(I have roommates who don't care about a VPN and won't want the slowdown.)
That's absolutely possible, though I'm not doing it and I don't have any experience with it. You would need to run something like pfSense so you could direct traffic to different paths. Another option is to run the client closer to the data that you want to protect. Say on your laptop so that traffic is routed over the VPN, but your roommates' data is not.

What about when you're inside of your home?
For me, I'm already on my home network so I don't use the VPN. I'm not currently running any VPN clients on my home network.

• If 2 devices are connected on a local network and
are each also connected to the same VPN
(via client installations at the device level),
will they bypass the VPN connection in favor of
the faster/more open local connection?
I assume two LAN connected devices
communicate freely with each other via LAN,
even if they are both connected to the same VPN, and
even if one of the two is acting as the VPN server.
That's going to be all about what paths you have set up and whether the devices are reachable. If those two devices are reachable you could absolutely set up a rule that forces the two to communicate via the VPN. Usually you would allow LAN traffic to stick within the LAN. I think my router server is set up to force all client device traffic over the VPN and also tells clients how to reach the LAN devices so I can use it to access my home network and also protect my traffic when I'm away.


• If 2 devices are connected on a local network and
are each also connected to the same VPN
(via a client or server installation at the router level),
will they bypass the VPN connection in favor of
the faster/more open local connection?
I assume two LAN connected devices
communicate freely with each other via LAN,
even if they are both connected to the same router
which is connected to or hosting a VPN.
If I'm reading you correctly, the LAN traffic would most likely not even know about the VPN. They'd communicate directly. Even if you forced all traffic to hit the router I can't think of a network configuration that would force the traffic out to the VPN and back in.

• If I understand correctly:

openVPN (freeNAS is self-server): free.
openVPN (freeNAS is client to paid server): anonymous from ISP as well.

Are there any other pros or cons to be aware of?
Sounds like you've got it. The only cons I can think of are the speed hit that you might encounter and the effort required to set it up. Some routers will handle this for you.

• Does running openVPN as a self-service VPN server on
a freeNAS server intended for home use (thus minimal simultaneous users)
tend to be processing intensive?

[Would processing increase significantly with additional simultaneous users?]
I wouldn't expect there to be any issues. Certainly additional traffic needs to be encrypted, decrypted, routed, etc. but I wouldn't anticipate a noticeable impact.

• Somewhat unrelated: Does "tor" effectively function by amassing
many home servers into one big crowdsourced vpn?
There are some similarities, where both can be used to hide traffic content, but Tor is more about hiding traffic, where a VPN is more about accessing networks. Paid VPNs get closer to hiding traffic by routing multiple users through the same hardware.
Take a look from the perspective of an outsider. Without any protection, they can see where your traffic is going and what is being carried. With a VPN they know where the server is and can try to eavesdrop there as well to see the data after it comes out. With Tor they'll know you're connecting to the service, but they won't know where to look for the data exiting the Tor network. (unless they control most of the exit nodes and can observe everything. But that's equivalent to owning the VPN server. You can only mitigate so much.)
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
If those two devices are reachable
you could absolutely set up a rule that
forces the two to communicate via the VPN.
Is setting up such a rule handled by openVPN, pfSense, or something else entirely?

I wouldn't expect there to be any issues. Certainly additional traffic needs to be encrypted, decrypted, routed, etc. but I wouldn't anticipate a noticeable impact.
Are encryption and decryption handled automatically by openVPN,
or do I need an additional tool in the process to handle this?
(I assume the routing is handled by pfSense for you,
or in my case, what I believe to be IPFW.)

There are some similarities, where both can be used to hide traffic content,
but Tor is more about hiding traffic, where a VPN is more about accessing networks.
Paid VPNs get closer to hiding traffic by routing multiple users through the same hardware.
If I understand correctly:

• Insecure connection: Completely insecure.
• Home-hosted VPN: Some security.
- Some slowdown.
• Paid VPN: Security now insulates ISP (but opens you to VPN provider).
- Additional server location increases route distance: increased slowdown
- Has cost.
• Paid VPN: security now insulates ISP and "VPN" provider (in theory),
since no single VPN server gets more than a part of the information.
- Additional server locations are global: severely increased slowdown.

So, increased security comes with slowdown and perhaps financial fees; thus:

• Never use insecure connection.
• Beyond this, keep security to the minimum necessary level.

.
.
.

Based on the general answers which you are providing,
I believe I am more able to narrow down
the general setup I should use based on:

• I have roommates that do not care about VPN.
I believe that they would not be satisfied with installing anything
which could affect (obstruct/slow/complicate/fail) their connections.
• I have a "google wifi" router.
I do not believe that anything may be installed on it, at least,
not without 'rooting' it (which is a can of worms I'll save for another day).

Thus:

• I believe that the installation of openVPN (and/or pfSense/ddwrt) on the router,
whether as a server or as a client, is precluded.

.
.
.

Ultimately, based on this, I believe that
the general setup I should use is as follows:

• I must avoid installing openVPN on my router; therefore,
I should install openVPN on my freeNAS server (in a jail) as follows:

- If just protecting personal files (assuming that they are intrinsically worthless),
I should install openVPN as a server and thus host my own VPN for free.

- If using a peer to peer plugin (such as Transmission),
I should install openVPN as a client and link it to a paid VPN service (such as PIA).

• Since I am precluded from installing pfSense on my router,
in areas where you mentioned the use of pfSense,
I should look into installing freeNAS/freeBSD's IPFW as
an alternative to pfSense to
control the flow connections to and from the server.

• I should also install openVPN onto any clients
which will interface with freeNAS outside of the local network
(laptop accessing files, backup replication server, etcetera).

In the case of Plex, is a VPN needed when choosing to use remote use,
or does Plex pass data through its own VPN, simplifying the process for the user?

I ask because I can't imagine it would be convenient to
install client openVPN on a Roku such that it could talk to the Plex media server.

Still, if installing openVPN (for a self or a paid VPN) on
a freeNAS server which is also a Plex media server enabled for remote use,
would IPFW be necessary to configure
the local network streams versus the remote Plex streams versus the VPN streams?
 

fracai

FreeNAS Guru
Joined
Aug 22, 2012
Messages
1,205
Is setting up such a rule handled by openVPN, pfSense, or something else entirely?
It'd depend on your network (possibly handled by OpenVPN itself), but I can't see why you'd ever want this when the two could just talk directly over the LAN.

Are encryption and decryption handled automatically by openVPN,
or do I need an additional tool in the process to handle this?
(I assume the routing is handled by pfSense for you,
or in my case, what I believe to be IPFW.)
I'm not actually using pfSense. Just the router, whatever it uses for a firewall, and OpenVPN.
OpenVPN handles the crypto for you.

If I understand correctly:

....

So, increased security comes with slowdown and perhaps financial fees; thus:

• Never use insecure connection.
• Beyond this, keep security to the minimum necessary level.
Seems reasonable. Security involves tradeoffs.

Based on the general answers which you are providing,
I believe I am more able to narrow down
...
the general setup I should use is as follows:

• I must avoid installing openVPN on my router; therefore,
I should install openVPN on my freeNAS server (in a jail) as follows:

- If just protecting personal files (assuming that they are intrinsically worthless),
I should install openVPN as a server and thus host my own VPN for free.

- If using a peer to peer plugin (such as Transmission),
I should install openVPN as a client and link it to a paid VPN service (such as PIA).
Sounds good

• Since I am precluded from installing pfSense on my router,
in areas where you mentioned the use of pfSense,
I should look into installing freeNAS/freeBSD's IPFW as
an alternative to pfSense to
control the flow connections to and from the server.
I don't think you'll need it. In the case of Transmission there are tutorials on how to install OpenVPN inside the jail to cover all traffic from that jail.

• I should also install openVPN onto any clients
which will interface with freeNAS outside of the local network
(laptop accessing files, backup replication server, etcetera).
Yep, there are plenty of GUI OpenVPN clients that make PC usage simple enough.

In the case of Plex, is a VPN needed when choosing to use remote use,
or does Plex pass data through its own VPN, simplifying the process for the user?

I ask because I can't imagine it would be convenient to
install client openVPN on a Roku such that it could talk to the Plex media server.

Still, if installing openVPN (for a self or a paid VPN) on
a freeNAS server which is also a Plex media server enabled for remote use,
would IPFW be necessary to configure
the local network streams versus the remote Plex streams versus the VPN streams?
Plex can be set to only use encrypted connections.
You shouldn't need to make any firewall changes to support Plex.
I've connected to my home network over VPN and streamed or synced Plex files without issue. I've done the same without the VPN as well.
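An added illustration, not code from any poster in this thread, of two points fracai makes above: that two LAN hosts keep talking directly over the LAN even when both run a VPN client, and that an OpenVPN client inside a jail (the Transmission case) covers that jail's traffic only while the tunnel is up. It simulates the route table an OpenVPN client ends up with under `redirect-gateway def1` and applies longest-prefix matching, then models a firewall rule that blocks non-tunnel egress. The interface names, subnets and server address are constructed for the demo.

```python
"""Route selection on an OpenVPN client, with and without `redirect-gateway def1`.

Shows (a) why LAN-to-LAN traffic never enters the tunnel (the /24 LAN route is
more specific than anything OpenVPN adds) and (b) why traffic from a jail
falls back to the ISP path when tun0 drops unless a firewall rule stops it.
All interface names, subnets and the server address below are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress interface)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


LAN_IF, TUN_IF = "em0", "tun0"               # constructed interface names
VPN_SERVER_PUBLIC_IP = "203.0.113.10"         # constructed (TEST-NET-3 range)

# Routes a LAN host has before any VPN: the connected LAN and the ISP default.
BASE_TABLE: List[Route] = [
    (net("192.168.1.0/24"), LAN_IF),
    (net("0.0.0.0/0"), LAN_IF),
]

# What OpenVPN adds for `redirect-gateway def1`: the tunnel subnet, two /1
# routes that out-rank the old default without deleting it, and a /32 host
# route so the encrypted packets to the server still leave through the ISP.
TUNNEL_ROUTES: List[Route] = [
    (net("10.8.0.0/24"), TUN_IF),
    (net("0.0.0.0/1"), TUN_IF),
    (net("128.0.0.0/1"), TUN_IF),
    (net(VPN_SERVER_PUBLIC_IP + "/32"), LAN_IF),
]

TUNNEL_UP: List[Route] = BASE_TABLE + TUNNEL_ROUTES
TUNNEL_DOWN: List[Route] = BASE_TABLE   # tun0 gone: OpenVPN withdrew its routes


def egress(table: Iterable[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, iface in table:
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def egress_with_killswitch(
    table: Iterable[Route],
    dst: str,
    allowed_lan_dsts: Tuple[str, ...] = ("192.168.1.0/24", VPN_SERVER_PUBLIC_IP + "/32"),
) -> str:
    """Same lookup, plus a firewall-style rule: packets may leave via tun0, or
    via the LAN only for the LAN itself and the VPN server endpoint. Anything
    else is dropped instead of silently taking the ISP path."""
    iface = egress(table, dst)
    if iface == TUN_IF:
        return iface
    ip = ipaddress.ip_address(dst)
    if iface == LAN_IF and any(ip in net(a) for a in allowed_lan_dsts):
        return iface
    return "DROP"


if __name__ == "__main__":
    for label, table in (("tunnel up", TUNNEL_UP), ("tunnel down", TUNNEL_DOWN)):
        for dst in ("192.168.1.20", "8.8.8.8", VPN_SERVER_PUBLIC_IP):
            print(f"{label:12} {dst:15} plain={egress(table, dst):5} "
                  f"with block rule={egress_with_killswitch(table, dst)}")
```

With the tunnel up, `192.168.1.20` (another LAN host) still leaves via `em0` because the /24 beats the two /1 routes, which is exactly why fracai says LAN traffic "would most likely not even know about the VPN". With the tunnel down, `8.8.8.8` silently goes out `em0` to the ISP unless the block rule exists; that fallback is the thing to check for when an OpenVPN client is meant to cover everything a jail does.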
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
It'd depend on your network (possibly handled by OpenVPN itself), but I can't see why you'd ever want this when the two could just talk directly over the LAN.
Oops. I read that backwards. I was thinking to get the two to communicate via the LAN instead of the VPN, I needed to set a rule. (I agree - I don't need devices on my own network communicating via VPN.)
 

danb35

FreeNAS Wizard
Joined
Aug 16, 2011
Messages
10,801
I'd just note here that if you're in any way concerned about privacy, you probably don't want anything with Google's name on it on your network at all, and especially not with all your traffic flowing through it. Their business model, after all, is monetizing your personal information. Before you worry about what your ISP might do with what they know (when they may or may not have any interest in doing so), deal with the party that you know perfectly well has a great interest in selling every scrap of your information they can gather.

A number of us like pfSense for a router, as you've no doubt already seen. Another option could be Ubiquiti; their Unifi gear is pretty nice, and you can run the controller software to run the whole network in a jail on your FreeNAS box.
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
You probably don't want anything with Google's name on it on your network.
Isn't Microsoft similarly guilty, which (in theory)
precludes any use of Windows 10?

I hear what you're saying though, and based on what I could find:

• Google's privacy policy for the router didn't seem malicious,
so any collection is at least kept to secrecy.

• Google's default use of its own DNS servers (8.8.8.8 and 8.8.8.4)
was mentioned as the major collector of information of sites visited,
and a question was raised about needing to use a Google account to administer it:

A Google [...] router can only be configured by someone with a Google account. This means that Google not only knows who you are, but also where you are (based on both the public IP address of the router and nearby Wi-Fi networks). For the most privacy, create a new Google account that is used solely for administering the router and nothing else. Still, you have to assume that Google can get into the router at any time, so these devices are not for anyone who cares about their privacy.
As you would expect, the routers default to using Google's DNS servers which gives them an audit trail of every visited website. You can, however, change the DNS servers and I suggest doing so on the theory that Google knows enough about us already.
Do you recommend any specific alternative DNS servers?
I found that:

- Cloudflare primary 1.1.1.1 and secondary 1.0.0.1
were mentioned on a couple sites (such as here).

- openDNS primary 208.67.222.222 and secondary 208.67.222.220
was also mentioned (such as here).

.
.
.

A number of us like pfSense for a router, as you've no doubt already seen.
It's complicated but I'm somewhat locked into the hardware setup.
I'll keep pfSense in mind when I move and setup my own network hardware.

You can run the controller software to run the whole network in a jail on your FreeNAS box.
In such a case, if the server goes down, does this fail all internet?
 

danb35

FreeNAS Wizard
Joined
Aug 16, 2011
Messages
10,801
Do you recommend any specific alternative DNS servers?
Cloudflare is said to be pretty good. My preference (and practice) is to run my own DNS resolver on my pfSense router (or before that, on my Koozali SME server which served as my router). That way, I'm resolving to the authoritative nameservers directly rather than relying on someone else's cache, and there's no other single point that could tell a curious party what names I've tried to resolve.
In such a case, if the server goes down, does this fail all internet?
No, the Unifi gear will run just fine without the controller in most cases. You need the controller running to set up new gear (WAPs/switches/router/etc.), but once it's configured you can take down the controller.
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
Plex can be set to only use encrypted connections.
I assume that Plex encrypts connections automatically
(without added effort needed from the user); so,
why isn't [Encryption: Required] the default setting?

Cloudflare is said to be pretty good.
Set this up without a hitch : j

.
.
.

Now I'm trying to add openVPN to my freeNAS server;
I'll host an openVPN server for at the very least the learning experience and
I'll switch over to a private VPN later, if desired.

If I understand correctly:

• Create a jail and install the openVPN server on it.
• Install openVPN client on all plugin jails and connect them to that server.
• Install openVPN client on any PCs which will remotely access the server.


.

So:

What about remote file access?

If I want to access files remotely, is the correct method to
create a jail and then, for all directories I'd want to access,
mount the associated top-level directory to the jail?

Sounds fairly straightforward actually - but what about when
true root access is desired, for remote server management?
Is this a security concern and thus not recommended?

.

What about connecting to the freeNAS GUI itself remotely?

I believe when I tried
installing the openVPN client files to freeNAS main (and not a jail)
via the command shell,
freeNAS blocked installation of openVPN.
(I believe this was by design.)

What is the correct method?
 

itskando

FreeNAS Experienced
Joined
Apr 30, 2018
Messages
145
Sidenote:

Realized why freeNAS documentation is so sparse with openVPN documentation:
that's all on the openVPN site. [ oof, so stupid >.< ]

Been trucking through that.
 

fracai

FreeNAS Guru
Joined
Aug 22, 2012
Messages
1,205
I assume that Plex encrypts connections automatically
(without added effort needed from the user); so,
why isn't [Encryption: Required] the default setting?
Because encryption was added not too long ago and some users might have a mix of servers or devices that do or do not support encryption.

• Create a jail and install the openVPN server on it.
• Install openVPN client on all plugin jails and connect them to that server.
• Install openVPN client on any PCs which will remotely access the server.
I don't see why you'd need the client in your jails if they're connecting to a server that is on the same network.
This is different from my setup (VPN running on the router), but that seems like it should be fine. At most you might need to define a rule that tells VPN clients and LAN clients how to address each other.
What about remote file access?

If I want to access files remotely, is the correct method to
create a jail and then, for all directories I'd want to access,
mount the associated top-level directory to the jail?
Nope, you'd connect to the VPN and then mount the same share that you'd connect to when on your network locally.

Sounds fairly straightforward actually - but what about when
true root access is desired, for remote server management?
Is this a security concern and thus not recommended?
You'd connect to the VPN and then SSH. This is the preferred method. Here you're only exposing the VPN to the outside world. Otherwise you'd need to expose SMB, SSH, etc. each with their own vulnerabilities.

What about connecting to the freeNAS GUI itself remotely?

I believe when I tried
installing the openVPN client files to freeNAS main (and not a jail)
via the command shell,
freeNAS blocked installation of openVPN.
(I believe this was by design.)

What is the correct method?
You connect to the VPN and then open the FreeNAS web page.

The server running in the jail needs to be able to address the rest of your LAN, which may require routing rules, but there shouldn't be a need to put a client on every asset that you want to reach inside your LAN.
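An added example, not configuration from any poster here or from the OpenVPN project, of the setup fracai describes: an OpenVPN server in a FreeNAS jail that pushes the LAN route to connecting clients, with a matching client profile for a laptop away from home. Every address, hostname and file path is a placeholder. The "routing rules" fracai mentions are the return path: LAN hosts need to know that 10.8.0.0/24 lives behind the jail, which is assumed here to be a static route on the home router pointing that subnet at the jail's LAN address (the alternative is NAT inside the jail).

```conf
# --- server.conf: OpenVPN server running inside a FreeNAS jail -------------
# Constructed example. Assumed placeholders: LAN 192.168.1.0/24, jail at
# 192.168.1.50, VPN subnet 10.8.0.0/24, public name vpn.example.com.
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
# Tell clients how to reach the LAN behind the jail; without this push they
# can only reach the VPN subnet itself (SMB shares, SSH and the GUI stay out
# of reach). The router must route 10.8.0.0/24 back to 192.168.1.50.
push "route 192.168.1.0 255.255.255.0"
# Optional: also send all client Internet traffic through home when away.
# push "redirect-gateway def1"
# PKI files generated with easy-rsa (not shown); paths are placeholders.
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh.pem
# Encrypt and authenticate the control channel with a pre-shared key, so
# packets that do not carry it are dropped before any TLS handshake starts.
tls-crypt /usr/local/etc/openvpn/ta.key
# On OpenVPN 2.5 and later, data-ciphers replaces cipher for negotiation.
cipher AES-256-GCM
auth SHA256
# Drop root after the tunnel device and key files are opened.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
explicit-exit-notify 1
status /var/log/openvpn-status.log
verb 3

# --- client.ovpn: laptop or backup host connecting from outside ------------
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
# Refuse a peer that presents a client certificate as if it were the server.
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert laptop.crt
key laptop.key
tls-crypt ta.key
verb 3
```

Once connected, the client reaches shares, SSH and the FreeNAS web page at their normal LAN addresses, which is the "connect to the VPN and then open the FreeNAS web page" flow above; only UDP 1194 is forwarded from the outside to the jail, so the status log is the one place to watch for unexpected client connections.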
 