Need help making sense of which addresses go where in my VPN configuration

Cirshiss

Cadet
Joined
Mar 20, 2019
Messages
7
Hi, I'm a really new user to this VPN stuff, and to NAS as well, to be honest.
I've managed to install everything; it's up and running, but now I just feel lost. (I'm using this guide.)
When I get to this section in the guide, OpenVPN Server Configuration, I don't know what settings I should use, and this is the part I need help with, because when I run the command sockstat -4 -l nothing comes up.

The thing is, we have about 20 sister organisations around the country that need to have access to the file server.
Am I going about this problem the right way by setting up this VPN, or should I go for some other solution, and what kind in that case?

This is the environment I work in:
Modem (no control whatsoever; it's managed by the ISP)

Behind that modem stands our router:
DrayTek Vigor2920 Security Router
This has a static IP provided by the ISP, 195.67.133.123; the gateway is 195.67.133.121 with 255.255.255.248 as the netmask.

Behind that we have a Cisco switch with IP 192.168.123.13, bound by MAC address.
Our NAS is connected to that switch, also bound by MAC (192.168.123.17), as are all the other computers in our network.

When the OpenVPN jail is up it gets this IP via DHCP: 192.168.123.29

This is my [root@OpenVPN /]# /keys/openvpn-server.conf
Code:
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
# 'server' takes the tunnel's own network address and netmask: a separate private
# subnet that does not overlap the LAN. The address the jail got from DHCP
# (192.168.123.29) is a host address, not a network address, and it sits inside the
# NAS's own subnet. 10.8.0.0/24 is an assumed choice; any unused private range works.
#server 192.168.123.29 255.255.255.0 #Purple network (as posted; wrong)
server 10.8.0.0 255.255.255.0 #Purple network (tunnel subnet)
ifconfig-pool-persist ipp.txt
# Push the LAN that holds the NAS (192.168.123.17), not the ISP-facing /29 on the router
#push "route 195.67.133.121 255.255.255.248" #Yellow network (as posted; wrong)
push "route 192.168.123.0 255.255.255.0" #Yellow network (office LAN)
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo #Deprecated: compressing encrypted traffic weakens confidentiality; remove if the clients can do without it
persist-key

This is my [root@OpenVPN /]# /usr/local/etc/ipfw.rules
Code:
#!/bin/sh

# The jail's LAN-side interface (epair); all VPN client traffic leaves through it
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
# Masquerade VPN clients behind the jail's LAN address so LAN hosts need no return route.
# The source range must be the tunnel subnet from the 'server' line in
# openvpn-server.conf (10.8.0.0/24 is assumed here), not the LAN itself.
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Give the cloned tunnel device a stable name (skipped if OpenVPN has not created it yet)
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
[ -n "${TUN}" ] && ifconfig ${TUN} name tun0

This is my [root@OpenVPN /]# /etc/rc.conf
Code:
ifconfig_epair0b="DHCP"
hostname="OpenVPN"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"

openvpn_enable="YES"
openvpn_if="tun"
# Must match the file that actually exists in the jail; the config shown above is
# /keys/openvpn-server.conf. If this points at a missing file openvpn never starts,
# and 'sockstat -4 -l' shows nothing listening.
openvpn_configfile="/keys/openvpn-server.conf"
openvpn_dir="/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

EDIT 1: the IP of OpenVPN had changed from 192.168.123.28 to .29 when I restarted the jail. It's corrected in the conf (openvpn-server.conf); the jail is up and now they match.
EDIT 2: The path to the conf file and openvpn_dir was incorrect; it's corrected now.
 
Last edited:
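The address plan is the part of this setup that the post is stuck on, so here is an added example (not from the post or the guide it follows): a shell check that reads the 'server' and pushed 'route' lines of an OpenVPN server config and flags the two mistakes in the config as originally posted, a tunnel subnet that is a host address overlapping the LAN, and a pushed route that points at the ISP's /29 instead of the LAN the NAS sits on. The LAN (192.168.123.0/24) and the ISP block (195.67.133.121/29) are taken from the post; the 10.8.0.0/24 tunnel subnet in the corrected sample is an assumption, and both sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the guide: sanity-check the address
# plan in an OpenVPN server config. LAN 192.168.123.0/24 and the ISP /29 come from
# the post; the 10.8.0.0/24 tunnel subnet in the corrected config is assumed.

# Dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# overlaps NET1 MASK1 NET2 MASK2: exit 0 if the two subnets share any address.
# Masks are contiguous, so MASK1 & MASK2 is the shorter prefix of the two.
overlaps() {
    m=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & $m )) -eq $(( $(ip2int "$3") & $m )) ]
}

# check_plan CONF_TEXT LAN_NET LAN_MASK: prints one line per finding, then "problems=N".
check_plan() {
    conf=$1; lan_net=$2; lan_mask=$3; problems=0

    # 'server <network> <netmask>' is the tunnel subnet handed out to clients.
    set -- $(printf '%s\n' "$conf" | awk '$1 == "server" { print $2, $3; exit }')
    if [ -z "$1" ]; then
        echo "no 'server' directive found"; problems=$((problems + 1))
    else
        if [ $(( $(ip2int "$1") & $(ip2int "$2") )) -ne "$(ip2int "$1")" ]; then
            echo "server $1 $2: not a network address (host bits set)"
            problems=$((problems + 1))
        fi
        if overlaps "$1" "$2" "$lan_net" "$lan_mask"; then
            echo "server $1 $2: overlaps the LAN $lan_net $lan_mask"
            problems=$((problems + 1))
        fi
    fi

    # 'push "route <network> <netmask>"' tells clients what to send through the
    # tunnel; at least one of them has to cover the LAN where the NAS lives.
    lan_reached=0
    for r in $(printf '%s\n' "$conf" |
               sed -n 's|^push "route \([0-9.]*\) \([0-9.]*\)".*|\1/\2|p'); do
        if overlaps "${r%/*}" "${r#*/}" "$lan_net" "$lan_mask"; then
            lan_reached=1
        else
            echo "push route ${r%/*} ${r#*/}: does not reach the LAN (ISP-facing block?)"
            problems=$((problems + 1))
        fi
    done
    if [ "$lan_reached" -eq 0 ]; then
        echo "no pushed route covers the LAN $lan_net $lan_mask"
        problems=$((problems + 1))
    fi
    echo "problems=$problems"
}

# Constructed from the post: the tunnel sits on the jail's own LAN address and the
# pushed route points at the ISP's /29 instead of the LAN.
BAD_CONF='port 10011
proto udp
dev tun
server 192.168.123.29 255.255.255.0 #Purple network
push "route 195.67.133.121 255.255.255.248" #Yellow network'

# Corrected plan: a private tunnel subnet (assumed) and a route to the LAN.
GOOD_CONF='port 10011
proto udp
dev tun
server 10.8.0.0 255.255.255.0 #Purple network
push "route 192.168.123.0 255.255.255.0" #Yellow network'

echo "--- as posted";  check_plan "$BAD_CONF"  192.168.123.0 255.255.255.0
echo "--- corrected";  check_plan "$GOOD_CONF" 192.168.123.0 255.255.255.0
```

To run it against the real file inside the jail, pass `"$(cat /keys/openvpn-server.conf)"` instead of the embedded sample; a clean plan prints only problems=0. The check says nothing about whether the daemon is actually up: once it is, `sockstat -4 -l` in the jail lists a udp4 socket on port 10011, and an empty listing means openvpn is not running at all, which is a service or config-path problem rather than an addressing one.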

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
If this is anything other than a hobby project, don't do it. You open yourself up to all kinds of liability if you do it wrong, and the way you ask tells me you don't know what you are doing. Let FreeNAS be a NAS, buy a SOHO solution, e.g. https://www.pfsense.org/products/, and have someone with professional-level skills set things up; it doesn't need to be an IT consultant, but that should be the benchmark.
 

Cirshiss

Cadet
Joined
Mar 20, 2019
Messages
7
This is public stuff; there are no organization secrets.
Let's get this up, thank you.
 

Cirshiss

Cadet
Joined
Mar 20, 2019
Messages
7
You're welcome,
What do you mean? You have not answered the question. I mean, this is like a hobby project. There is no organization-sensitive stuff to be hosted there.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
You opened by saying that you didn't understand VPN or the NAS, and that the NAS was to be made accessible to 20 sister organisations. I assume you are setting this up on behalf of RFHL. The fact that you are considering a VPN at all tells me there is information worth protecting that you want to share.
The language you use (modem) also tells me you are not fully familiar with your infrastructure. So I stand by my advice; perhaps you will get more help from someone else.
 

Cirshiss

Cadet
Joined
Mar 20, 2019
Messages
7
You opened by saying that you didn't understand VPN or the NAS, and that the NAS was to be made accessible to 20 sister organisations. I assume you are setting this up on behalf of RFHL. The fact that you are considering a VPN at all tells me there is information worth protecting that you want to share.
The language you use (modem) also tells me you are not fully familiar with your infrastructure. So I stand by my advice; perhaps you will get more help from someone else.

I'm new to this, yes. But the NAS is up and running and has been for about a month. Here at the chancellery everyone has access to it and has had from day 1. Now, when it comes to VPN I'm totally fresh. But every search I do for reaching the file server from outside the office network (we have no AD and there is no warrant for it either) comes up with VPN, and reaching it from outside the office is the whole point of this endeavour.

I understand your scepticism; it's technically a router, yes. But it's actually Telia, the ISP, who refer to it as a modem. I think it's because of the nature of the service, "mobile broadband": it's connected to a cellphone number, and I don't correct them. I'm not even sure it would be accurate to refer to it as a router, since the client (us) is not allowed access to it, so I can't really check out its features. But whatever...
The result is the same. Only Telia technicians have access to that particular piece of hardware. The rest is managed by us.

Of course it would be much easier if all the sister organizations were part of an AD, but that's not the reality. Some of our connected organizations have as few as 3 members, and it would not be economically viable, especially when this is an opt-in situation. They are first and foremost their own organisations. This is a bonus feature where the organisations can come closer and share scientific studies, research reports, logotypes and letterheads. Our (RFHL) history will be there as well. We have routines for how to handle sensitive information. This is not a part of that.

But grandstand all you want. It's pretty rich to claim to know my environment and our needs better than me.
There is no warrant for a secure file server, because of the nature of the contents we are going to host on it.

Now, if you don't want to help me understand this VPN stuff, fine, but your denigrating tone is not appreciated.
And I remind you that this is the forum for FreeNAS and its components. This is supposed to be the place to go when we want to learn new stuff, right?
 
Last edited:

Cirshiss

Cadet
Joined
Mar 20, 2019
Messages
7
Fvck it. We'll do it via FTP.

If someone in the future stumbles over this thread, feel free to continue it. I'm still interested in how to set up a VPN, and like I said earlier in the thread, this is like a hobby project.
 