Here are my notes on what I did to get things to work.
First thing is the default jail that freenas 9.10 is installing is for freebsd version 10
Code:
[root@openvpn910 /]# freebsd-version
10.3-RC2
I wasn't able to install any packages with the default pkg configuration as /usr/local/etc/pkg/repos/FreeBSD.conf pointed to a 9 repo. I updated this to the following
Code:
FreeBSD: {
url: "pkg+http://pkg.FreeBSD.org/freebsd:10:x86:64/latest",
mirror_type: "srv",
ip_version: 4,
enabled: yes
}
You'll also note i changed it so pkg preferred to use ipv4. Without this change pkg ran very very slow.
After this I ran
and I was able to install packages.
After I followed the guide the first time everything worked great! then i restarted the jail a second time and everything broke :(
After a bit of investigating I found out the tun device number changed after every jail reboot. After this I was no longer able to use the VPN to connect to my internal network or the vpn network. The ifconfig line in the first post to rename the tun interface did not appear to work as expected. I did find
https://forums.freebsd.org/threads/22143/ which outlined a way to get a consistent tun device name however I did not want to modify anything outside of the jail.
What I ended up doing was modifying the openvpn configuration to load the tunnel device from a separate file and make it so the ipfw script generates this file.
First thing I did was modify rc.conf
Code:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/openvpn/openvpn.conf"
openvpn_dir="/mnt/openvpn"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
natd_enable="YES"
natd_interface=`/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair`
natd_flags=""
ip6addrctl_policy="ipv4_prefer" # Use IPv4 instead of IPv6
I opted for using natd so I needed fewer firewall rules. I also remove the cloned_interfaces section since I create them later on in the ipfw script.
Next, the modifications to the ipfw.rules script
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q add 50 divert 8668 ip4 from any to any via ${EPAIR}
OVPN_CONF_DIR="/mnt/openvpn"
TUN=$(ifconfig tun create)
echo "dev $TUN" > $OVPN_CONF_DIR/openvpn_tun.conf
Finally the modification of the openvpn configuration
Code:
port 10011
proto udp
#dev tun0
config /mnt/openvpn/openvpn_tun.conf
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt #Server key
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh2048.pem #Diffie-Hellman parameters are now 2048 bits long
topology subnet
server 172.16.199.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.10.0 255.255.255.0" #Yellow network
route 192.168.10.3 255.255.255.0 172.16.199.1 #Routes traffic from the Yellow network side (192.168.10.0/24)
#to the Purple network side (172.16.199.0/24)
keepalive 10 120
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3
After that I have a fully functioning openvpn configuration. The only other change (aside from the networks) is using the 'topology subnet' configuration. I made this change while troubleshooting so the routes on the client side were easier to reason about.
I also have some configuration I excluded that allows ldap auth. Didn't post it here since the main tutorial isn't for that.
Hopefully this helps someone else!
