SOLVED openvpn issues in new jails after 11.1

Junicast

Patron
Joined
Mar 6, 2015
Messages
206
Can someone please verify that it works, because for me it does not.
Is it necessary to do more than just set the allow_tun flag to 1?
The jail itself seems to be on 11.2p14.
 

ju1ion

Cadet
Joined
Dec 13, 2019
Messages
1
Hey,

I had the same issue.
I was able to fix this by manually creating a tun device using ifconfig tun create:
  • now start the jail and console into it and run: ifconfig tun create. That should create an interface named tunX. When you configure that specific device in your openvpn config (dev tun0) you shouldn't get the error (Couldn't ... dynamic); you may, however, get some other error message.

After adding the - in my case - /dev/tun256 to the server.conf, it started without any problems.
 

emarj

Dabbler
Joined
Feb 7, 2018
Messages
23
The ticket for this bug was https://redmine.ixsystems.com/issues/40872
It is fixed for tun devices in 11.2 (enable the allow_tun option in the GUI) but not for tap devices. If you need a tap device edit
/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py
on the host and around line 700 search for
Code:
    if conf['allow_tun'] == '1':
        devfs_dict['tun*'] = None
        devfs_dict['tap*'] = None     # add this to also enable tap devices

Was this fixed in the end? From the Jira issue https://jira.ixsystems.com/browse/NAS-100842 I can't really understand if it was fixed or not. Looking at the iocage code, it does not seem so.

I'm trying to put ZeroTier in a jail and I get errors on the creation of the tap interface.
 

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
Joined
Jan 27, 2020
Messages
577
After updating to U3.2, tun0 vanished from my jail. Creating new tun devices messes with my ipfw rules; has anybody encountered similar things after the new update?
It's really annoying to have to set up everything again.

I just needed to remember that I configured OpenVPN to add tun by itself (dev tun); missing TLS handshakes were stopping it from doing so.
 

Frikkie

Dabbler
Joined
Mar 10, 2019
Messages
41
Sigh :frown:

See what you've made me do, iXsystems...

Because of this automatic TAP adapter creation nonsense I've gone ahead and bought myself an HP T620 Plus to install pfSense on and run ACME, HAProxy, OpenVPN and pfBlockerNG. :tongue::tongue: Still FreeBSD based... yay!
It's definitely better to have my FreeNAS box just handle SMB, iSCSI and backups (at which it is F*cking spectacular!!) and leave the rest for dedicated hardware with software and an OS that is superior for certain jobs and hassle-free without sacrificing features and functionality.
Gone are the days when I thought I could have literally everything running well and smoothly off a single "beefy" FreeNAS system (no GPU passthrough for Plex, bad VM performance & simple things don't always work...)

It's quite sad that the bhyve VM system hasn't seemingly been overhauled/improved upon lately. Maybe TrueNAS has something interesting to offer, seeing as running VMs through Hyper-V Manager on a WINDOWS 10 machine is more enjoyable at the moment than VMs on FreeNAS... a bit ridiculous really.

Rant over. :smile:
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
Sigh :frown:

See what you've made me do, iXsystems...

Because of this automatic TAP adapter creation nonsense I've gone ahead and bought myself an HP T620 Plus to install pfSense on and run ACME, HAProxy, OpenVPN and pfBlockerNG. :tongue::tongue: Still FreeBSD based... yay!
It's definitely better to have my FreeNAS box just handle SMB, iSCSI and backups (at which it is F*cking spectacular!!) and leave the rest for dedicated hardware with software and an OS that is superior for certain jobs and hassle-free without sacrificing features and functionality.
Gone are the days when I thought I could have literally everything running well and smoothly off a single "beefy" FreeNAS system (no GPU passthrough for Plex, bad VM performance & simple things don't always work...)

It's quite sad that the bhyve VM system hasn't seemingly been overhauled/improved upon lately. Maybe TrueNAS has something interesting to offer, seeing as running VMs through Hyper-V Manager on a WINDOWS 10 machine is more enjoyable at the moment than VMs on FreeNAS... a bit ridiculous really.

Rant over. :smile:

I love my pfSense that runs all that too. That is how I prefer it. But I am trying to get a project done where it's just the FreeNAS box. And for the life of me I can't figure out any of the options to get a solid VPN other than a VM with Ubuntu Server 18.04 and the OpenVPN Access Server installed. The problem with that is the limits on connections and the resources needed to run it in a VM. But it is easy to deploy and set up users. I'd prefer not to run it in a VM. TrueNAS Core has an OpenVPN server in the services section, but I can't get that to start either.
 

Frikkie

Dabbler
Joined
Mar 10, 2019
Messages
41
I love my pfSense that runs all that too. That is how I prefer it. But I am trying to get a project done where it's just the FreeNAS box. And for the life of me I can't figure out any of the options to get a solid VPN other than a VM with Ubuntu Server 18.04 and the OpenVPN Access Server installed. The problem with that is the limits on connections and the resources needed to run it in a VM. But it is easy to deploy and set up users. I'd prefer not to run it in a VM. TrueNAS Core has an OpenVPN server in the services section, but I can't get that to start either.
I'd love to help you out but I haven't made the switch to TrueNAS Core yet.
What kind of options are you setting for your server?
Here is an example config from my setup of an OpenVPN server on Windows. Maybe you can get some ideas.
Seeing as you are on Linux for this project, the paths will look different to mine.
For example,
"ca \\\\path\\to\\ca.crt" becomes "ca /path/to/ca.crt"

Code:
port 1194
proto udp4
dev tap
dev-node GameServer
ca "\\\\path\\to\\ca.crt"
cert "\\\\path\\to\\server.crt"
key "\\\\path\\to\\server.key" # This file should be kept secret
dh "\\\\path\\to\\dh.pem"
status "\\\\path\\to\\openvpn-status.log"
log-append "\\\\path\\to\\openvpn.log"
#ifconfig-pool-persist "\\\\path\\to\\ipp.txt"
server-bridge <serverIP> <subnet mask> <IP start> <IP end> #IP start and end should be outside your modem/router's DHCP range.
client-to-client
duplicate-cn
keepalive 10 120
tls-auth "\\\\path\\to\\ta.key" 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA512
reneg-sec 0
compress lz4-v2
push "compress lz4-v2"
max-clients 20
persist-key
persist-tun
verb 3
explicit-exit-notify 1
remote-cert-tls client
tun-mtu 1500
mssfix 1400


ifconfig-pool-persist is uncommented because it cannot be used whilst in TAP mode.

Hope this helps! :grin:
 

lopr

Explorer
Joined
Mar 19, 2015
Messages
71
The ticket for this bug was https://redmine.ixsystems.com/issues/40872
It is fixed for tun devices in 11.2 (enable the allow_tun option in the GUI) but not for tap devices. If you need a tap device edit
/usr/local/lib/python3.6/site-packages/iocage_lib/ioc_common.py
on the host and around line 700 search for
Code:
    if conf['allow_tun'] == '1':
        devfs_dict['tun*'] = None
        devfs_dict['tap*'] = None     # add this to also enable tap devices

and edit as above
This did not work anymore for TrueNAS 13.0: the middleware just did not start anymore. I edited the file
/usr/local/lib/python3.9/site-packages/iocage_lib/ioc_common.py at line 804
Code:
    if check_truthy(conf['allow_tun']):
        devfs_dict['tun*'] = None
    if check_truthy(conf['allow_tun']):   # add this for tap devices
        devfs_dict['tap*'] = None         # add this for tap devices

and it works again
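An added helper (my own code, not iocage's and not the edits the posters above made by hand) that applies the tap* change described by emarj and lopr: it anchors on the existing tun* line, so it works for both the 11.x `conf['allow_tun'] == '1'` block and the 13.0 `check_truthy(conf['allow_tun'])` block, and it is idempotent, so a False result on a re-run tells you the file was reverted by an update. Unlike lopr's edit it adds the tap* line to the same if block instead of a second if; the sample block is constructed, and `patch_file` is the only part that touches the real path.

```python
import re
import shutil
from pathlib import Path

# Anchor on the tun* rule iocage already emits when allow_tun is set; the
# captured group keeps the indentation so the new line lands in the same block.
TUN_RULE = re.compile(r"^(\s*)devfs_dict\['tun\*'\]\s*=\s*None\s*$")
TAP_RULE = "devfs_dict['tap*'] = None"


def add_tap_rule(source: str) -> tuple[str, bool]:
    """Return (patched_source, changed).

    Only the tun* line is matched, so the surrounding condition may be the
    11.x `== '1'` form or the 13.0 `check_truthy(...)` form. Running it on an
    already patched file returns the input unchanged with changed=False.
    """
    if TAP_RULE in source:
        return source, False
    out, changed = [], False
    for line in source.splitlines(keepends=True):
        out.append(line)
        m = TUN_RULE.match(line)
        if m and not changed:
            if not line.endswith("\n"):  # tun* line was the last line of the file
                out[-1] = line + "\n"
            out.append(f"{m.group(1)}{TAP_RULE}  # added: also expose tap devices\n")
            changed = True
    return "".join(out), changed


def patch_file(path: Path) -> bool:
    """Patch ioc_common.py in place, keeping a .orig copy; True if it changed."""
    original = path.read_text()
    patched, changed = add_tap_rule(original)
    if changed:
        shutil.copy2(path, path.with_suffix(path.suffix + ".orig"))
        path.write_text(patched)
    return changed


# Constructed sample of the 13.0 block quoted in the thread (not the real file).
SAMPLE_13 = (
    "    if check_truthy(conf['allow_tun']):\n"
    "        devfs_dict['tun*'] = None\n"
)

if __name__ == "__main__":
    print(add_tap_rule(SAMPLE_13)[0])
```

As with the manual edit, the jail must be stopped and restarted (or allow_tun toggled) after patching so iocage regenerates the devfs ruleset.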
 

EsTaF

Contributor
Joined
Sep 20, 2013
Messages
163
The allow_tun checkbox is checked.
No result.
Code:
...
2023-01-09 11:36:26 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-09 11:36:26 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-01-09 11:36:26 ROUTE_GATEWAY 192.168.9.1/255.255.255.0 IFACE=epair0b HWADDR=............
2023-01-09 11:36:26 Cannot allocate TUN/TAP dev dynamically
2023-01-09 11:36:26 Exiting due to fatal error
 

EsTaF

Contributor
Joined
Sep 20, 2013
Messages
163
cat /usr/local/lib/python3.9/site-packages/iocage_lib/ioc_common.py | grep tap
devfs_dict['tap*'] = None

jexec ... csh
Code:
openvpn --config /usr/local/etc/openvpn/plab.conf
2023-09-26 21:26:44 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-09-26 21:26:44 OpenVPN 2.6.5 amd64-portbld-freebsd12.4 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
2023-09-26 21:26:44 library versions: OpenSSL 1.1.1q-freebsd  5 Jul 2022, LZO 2.10
2023-09-26 21:26:44 TCP/UDP: Preserving recently used remote address: [AF_INET]xxxxxxxxxxxxxxxxxxxxxxxxxxx:1194
2023-09-26 21:26:44 Socket Buffers: R=[42080->42080] S=[9216->9216]
2023-09-26 21:26:44 UDPv4 link local: (not bound)
2023-09-26 21:26:44 UDPv4 link remote: [AF_INET]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1194
2023-09-26 21:26:44 TLS: Initial packet from [AF_INET]1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:1194, sid=xxxxxxxxxxxxxx xxxxxxxxxxxx
2023-09-26 21:26:44 VERIFY OK: depth=1, CN=Easy-RSA CA
2023-09-26 21:26:44 VERIFY KU OK
2023-09-26 21:26:44 Validating certificate extended key usage
2023-09-26 21:26:44 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-09-26 21:26:44 VERIFY EKU OK
2023-09-26 21:26:44 VERIFY OK: depth=0, CN=server
2023-09-26 21:26:44 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-09-26 21:26:44 [server] Peer Connection Initiated with [AF_INETxxxxxxxxxxxxxxxxxxxxxxxxxxx:1194
2023-09-26 21:26:44 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-09-26 21:26:44 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-09-26 21:26:45 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-09-26 21:26:51 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2023-09-26 21:26:51 PUSH: Received control message: 'PUSH_REPLY,redirect–gateway def1 bypass–dhcp,dhcp-option DNS 4.2.2.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.26 10.8.0.25,peer-id 3,cipher AES-256-GCM'
2023-09-26 21:26:51 OPTIONS IMPORT: --ifconfig/up options modified
2023-09-26 21:26:51 OPTIONS IMPORT: route options modified
2023-09-26 21:26:51 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-09-26 21:26:51 ROUTE_GATEWAY 192.168.9.1/255.255.255.0 IFACE=epair0b HWADDR=xxxxxxxxxxxxxxxxxxxxxxxx
2023-09-26 21:26:51 Cannot allocate TUN/TAP dev dynamically <<<<<<<<<<<<<<<<<<<<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2023-09-26 21:26:51 Exiting due to fatal error

ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable

ping 10.8.0.25
PING 10.8.0.25 (10.8.0.25): 56 data bytes
ping: sendto: No route to host
ping: sendto: No route to host
ping: sendto: No route to host
 

EsTaF

Contributor
Joined
Sep 20, 2013
Messages
163
This did not work anymore for TrueNAS 13.0: the middleware just did not start anymore. I edited the file
/usr/local/lib/python3.9/site-packages/iocage_lib/ioc_common.py at line 804
Code:
    if check_truthy(conf['allow_tun']):
        devfs_dict['tun*'] = None
    if check_truthy(conf['allow_tun']):   # add this for tap devices
        devfs_dict['tap*'] = None         # add this for tap devices

and it works again
Code:
ls -1 /usr/local/lib/ | grep python
libpython3.9.so
libpython3.9.so.1
libpython3.9.so.1.0
libpython3.9.so.1.0-gdb.py
python3.9

cat /usr/local/lib/python3.9/site-packages/iocage_lib/ioc_common.py | grep tap
    if check_truthy(conf['allow_tun']):   # add this for tap devices
        devfs_dict['tap*'] = None         # add this for tap devices


Stop the jail, uncheck and check the tun option for the jail again, and start it.

Code:
jexec 843 bash
Code:
openvpn --config /usr/local/etc/openvpn/plab.conf
...............
2023-09-26 21:37:43 Cannot allocate TUN/TAP dev dynamically <<<<<<<<<<<<<<<<<<<<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
2023-09-26 21:37:43 Exiting due to fatal error
 

EsTaF

Contributor
Joined
Sep 20, 2013
Messages
163
Sigh :frown:

See what you've made me do, iXsystems...

Because of this automatic TAP adapter creation nonsense I've gone ahead and bought myself an HP T620 Plus to install pfSense on and run ACME, HAProxy, OpenVPN and pfBlockerNG. :tongue::tongue: Still FreeBSD based... yay!
It's definitely better to have my FreeNAS box just handle SMB, iSCSI and backups (at which it is F*cking spectacular!!) and leave the rest for dedicated hardware with software and an OS that is superior for certain jobs and hassle-free without sacrificing features and functionality.
Gone are the days when I thought I could have literally everything running well and smoothly off a single "beefy" FreeNAS system (no GPU passthrough for Plex, bad VM performance & simple things don't always work...)

It's quite sad that the bhyve VM system hasn't seemingly been overhauled/improved upon lately. Maybe TrueNAS has something interesting to offer, seeing as running VMs through Hyper-V Manager on a WINDOWS 10 machine is more enjoyable at the moment than VMs on FreeNAS... a bit ridiculous really.

Rant over. :smile:

Then it's better to compare with Linux. Both ZFS and any virtual machines have a taste and color there, and not everything is as archaic as under TrueNAS. It's just that under TrueNAS everything works more predictably. There are not so many "pioneers" (I mean developers) who can break something.
 