Problem with OpenVPN and FreeNAS 11 - where did I make a mistake?


Xaint (Dabbler, joined Jan 17, 2018, 10 messages):
Hi,

Recently I used this guide to install OpenVPN inside a jail: https://forums.freenas.org/index.ph...-6-with-access-to-remote-hosts-via-nat.22873/
I don't see why I can't connect from my PC to my VPN. Could you help me, please?

My setup:
Modem: 192.168.1.254
FreeNAS: 192.168.1.70
OpenVPN Jail: 192.168.1.69
My PC: 192.168.1.65

My openvpn.conf file
Code:
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters

server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0" #Yellow network

tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3


My ipfw.rules file
Code:
#!/bin/sh

# Find the jail's epair interface (the jail-side end) and NAT traffic from the
# VPN subnet out through it; "\n" turns the space-separated list into lines.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# The cloned tun device gets an arbitrary number (tun5, ...); rename it to
# tun0 so the name is predictable.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


My client config for OpenVPN
Code:
client
dev tun
proto udp
remote 2.xxx.xx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myname.crt
key myname.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
dhcp-option DNS 192.168.1.254
redirect-gateway def1
comp-lzo
verb 3


---------------------------------------------------------------------------

If I check ipfw list
Code:
00100 nat 1 ip from 172.16.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


and sockstat -4 -l
Code:
USER     COMMAND    PID    FD  PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
nobody   openvpn    54714  6   udp46  *:10011         *:*
root     syslogd    54675  7   udp4   *:514           *:*


ps aux
Code:
root   53571  0.0  0.0 10592 1832  -  IsJ  16:22   0:00.00 dhclient: epair0b [priv] (dhclient)
_dhcp  53636  0.0  0.0 10592 1872  -  IsJ  16:22   0:00.00 dhclient: epair0b (dhclient)
root   54675  0.0  0.0 10472 1880  -  IsJ  16:22   0:00.01 /usr/sbin/syslogd -s
nobody 54714  0.0  0.0 20412 4052  -  SsJ  16:22   0:00.01 /usr/local/sbin/openvpn --cd /mnt/keys --daemon openvpn --config /mnt/keys/openvpn.conf --writepid /var/run/openvpn.pid
root   54746  0.0  0.0 12564 1792  -  IsJ  16:22   0:00.00 /usr/sbin/cron -s
root   56138  0.0  0.0 13972 2892  0  SJ   16:54   0:00.01 bash
root   57792  0.0  0.0 21244 1964  0  R+J  17:26   0:00.00 ps aux


------------------------------------------------------------------------------
My Router fw
(screenshot of the router firewall / port-forward rules, not reproduced here)


And my OpenVPN log error:
Code:
Thu Feb 01 17:03:48 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 17:03:48 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Feb 01 17:03:48 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]2.xxx.xx.xxx:443
Thu Feb 01 17:03:48 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu Feb 01 17:03:48 2018 UDP link local: (not bound)
Thu Feb 01 17:03:48 2018 UDP link remote: [AF_INET]2.xxx.xx.xxx:443
Thu Feb 01 17:03:48 2018 MANAGEMENT: >STATE:1517501028,WAIT,,,,,,
Thu Feb 01 17:04:48 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Feb 01 17:04:48 2018 TLS Error: TLS handshake failed
Thu Feb 01 17:04:48 2018 SIGUSR1[soft,tls-error] received, process restarting

---------------------------------------------------------------------------------
If you have some ideas... please help me :)
 

Gabi (Dabbler, joined Jul 21, 2016, 12 messages):
Hi, I faced a similar issue a few months ago. Try to remove the comments in the openvpn.conf and restart the service. Other than that, your config seems correct. That guide is a bit tricky though and quite old. Oh, and I hope you are not keeping your keys in the server or the jail. Good luck, let me know if there's some improvement.
 

Xaint (Dabbler, joined Jan 17, 2018, 10 messages):
Gabi said:
    Hi, I faced a similar issue a few months ago. Try to remove the comments in the openvpn.conf and restart the service. Other than that, your config seems correct. That guide is a bit tricky though and quite old. Oh, and I hope you are not keeping your keys in the server or the jail. Good luck, let me know if there's some improvement.
The first problem was that I had to specify the directory of the keys. Now I have this in openvpn.conf:
Code:
...
ca /mnt/keys/ca.crt
cert /mnt/keys/openvpn-server.crt #Server public key
key /mnt/keys/openvpn-server.key #Server private key
dh /mnt/keys/dh.pem #Diffie-Hellman parameters
...
tls-auth /mnt/keys/ta.key 0


By "I hope you are not keeping your keys in the server or the jail", do you mean the personal keys, or something else?
 

joebad1 (Explorer, joined Nov 21, 2015, 58 messages):
Same errors on my part. Similar set-up to yours. Same TLS handshake negotiation failed error.
 

joebad1 (Explorer, joined Nov 21, 2015, 58 messages):
Xaint said:
    The first problem was that I had to specify the directory of the keys. Now I have this in openvpn.conf:
    Code:
    ...
    ca /mnt/keys/ca.crt
    cert /mnt/keys/openvpn-server.crt #Server public key
    key /mnt/keys/openvpn-server.key #Server private key
    dh /mnt/keys/dh.pem #Diffie-Hellman parameters
    ...
    tls-auth /mnt/keys/ta.key 0

    By "I hope you are not keeping your keys in the server or the jail", do you mean the personal keys, or something else?


Found this on the wiki.archlinux.org OpenVPN page last night. I haven't had a chance to try it, but you might give these two items a try:
1) "tls-crypt ta.key" replaces "tls-auth ta.key 0" (make sure you replace it in both the server and the client)
2) Due to a bug in OpenVPN 2.4.0, "persist-tun" should NOT be used.

I won't be able to get to my server to work on it until late tonight. If you get a chance to try it, let me know if it works!
 

joebad1 (Explorer, joined Nov 21, 2015, 58 messages):
Tried it tonight. Neither of those fixes worked for me.
 

adrianwi (Guru, joined Oct 15, 2013, 1,231 messages):
Did you reboot your FreeNAS server after configuring everything? I struggled to get OpenVPN running in a jail, but after a reboot it all worked fine.
 

captainkent (Dabbler, joined Nov 12, 2016, 10 messages):
I would suggest using SoftEther: VPN speed is a lot faster and it is much easier to set up. You can even serve OpenVPN through it if you would prefer.
 

gsrcrxsi (Explorer, joined Apr 15, 2018, 86 messages):
I'm having the same problem as OP: getting the TLS auth timeout.

I followed the guides in both previous posts with no solution.

current setup:

I have a Netgear router. LAN address is 192.168.1.0, router at 192.168.1.1
PiHole VM running on FreeNAS at 192.168.1.250, PiHole getting DNS from 1.1.1.1 and 1.0.0.1
Netgear router getting DNS from PiHole at 192.168.1.250, with a backup of 1.1.1.1 (this gives me whole home ad blocking)
Netgear router forwarding internal and external port 1194 to 192.168.1.117 (I'm not sure why this guide has different ports between server and client; other guides have them the same. Can someone explain why?)
OpenVPN jail running at 192.168.1.117

openvpn server config "openvpn.conf @ /usr/local/etc/openvpn/":
Code:
local 192.168.1.117
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.250" # Do I need this line? I thought that since PiHole is my DNS I would; please advise
;push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


rc.conf @ /etc/
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


ipfw.rules @ /usr/local/etc/
Code:
#!/bin/sh
ipfw -q -f flush
ipfw -q nat 1 config if epair2b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair2b
ipfw -q add nat 1 all from any to any in via epair2b

# "\n" (backslash-n) is a newline. The original "/n" (slash-n) replaced each
# space with a literal slash, so grep returned the whole "lo0/epair2b/tun5"
# string and the rename below was handed a bogus interface name.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


output of command "/sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun"
Code:
 # /sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun
lo0/epair2b/tun5


output of command "ipfw list"
Code:
 # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any


output of command "sockstat -4 -l"
Code:
 # sockstat -4 -l
USER     COMMAND    PID    FD  PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     syslogd    25305  7   udp4   *:514           *:*

It does not show openvpn here, but I do not know why.

Client config on Windows 10 machine "Xinyi.conf @ C:\Users\Ian\OpenVPN\config\client"
ca.crt, ta.key, Xinyi.crt, Xinyi.key are also in this directory
Code:
client
dev tun
proto udp
remote 192.168.1.117 1194 # I know this is the local IP; I was trying to connect from within the network as a test. It still doesn't work with the outside IP here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Xinyi.crt
key Xinyi.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
 
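The configs in the first post and in the post just above each pair a server openvpn.conf with a client config, and the symptom in both cases ("TLS key negotiation failed to occur within 60 seconds") is what OpenVPN reports whenever no authenticated reply reaches the client, whether because the UDP packets never arrived or because the server could not verify the tls-auth HMAC and dropped them without the client ever learning why. The Python script below is an added example for this thread, not code from the guide or from OpenVPN: it parses both sides and flags the mismatches that produce exactly that silent timeout. The embedded configs are abridged from the first post; the port-forward mapping (public 443 to jail 10011) is an assumption, since the router screenshot is not reproduced. Run on the first post's configs it reports "auth: server SHA256 vs client SHA1", which matches the client log ("Using 160 bit message hash 'SHA1' for HMAC authentication"): tls-auth derives its HMAC from the --auth digest, so both sides must set the same one. It also lists the relative credential paths that the original poster later replaced with absolute ones.

```python
"""Cross-check an OpenVPN server config against a client config for the
mismatches that make a TLS handshake time out silently.  Added example for
this thread, not code from the guide or OpenVPN; the port forward is assumed."""
import shlex

# OpenVPN's defaults for the options checked here when they are absent.
DEFAULTS = {'proto': ['udp'], 'auth': ['SHA1'], 'port': ['1194']}

def parse_ovpn(text):
    """Map option name -> list of argument lists (options may repeat,
    e.g. several 'push' lines).  '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line:
            toks = shlex.split(line)  # keeps 'push "route ..."' together
            opts.setdefault(toks[0], []).append(toks[1:])
    return opts

def first(opts, name):
    """Arguments of the first occurrence, or the OpenVPN default, or None."""
    return opts[name][0] if name in opts else DEFAULTS.get(name)

def show(v):
    return '(unset)' if v is None else (' '.join(v) or '(present)')

def lint(server_text, client_text, port_forward=None):
    """Return human-readable mismatches.  port_forward maps the port the
    client dials on the public address to the port reached inside the
    LAN; None means the client must hit the server port directly."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    issues = []
    # Must agree literally.  'auth' is also the digest of the tls-auth
    # HMAC, so server 'auth SHA256' + client default SHA1 = silent drop.
    for opt in ('proto', 'dev', 'cipher', 'auth', 'comp-lzo'):
        sv, cv = first(s, opt), first(c, opt)
        if sv != cv:
            issues.append(f'{opt}: server {show(sv)} vs client {show(cv)}')
    # Same control-channel mechanism on both sides; for tls-auth the
    # inline key-direction is 0 on the server and 1 on the client.
    s_ta, c_ta = first(s, 'tls-auth'), first(c, 'tls-auth')
    s_tc, c_tc = first(s, 'tls-crypt'), first(c, 'tls-crypt')
    if (s_ta is None) != (c_ta is None) or (s_tc is None) != (c_tc is None):
        issues.append('tls-auth/tls-crypt: mechanism differs between sides')
    elif s_ta and c_ta:
        sd = s_ta[1] if len(s_ta) > 1 else None
        cd = c_ta[1] if len(c_ta) > 1 else None
        if (sd, cd) not in (('0', '1'), (None, None)):
            issues.append(f'tls-auth key-direction: server {sd} vs client {cd}')
    # The port the client dials must land on the server's port, directly
    # or through the router's forward.
    s_port = first(s, 'port')[0]
    for remote in c.get('remote', []):
        c_port = remote[1] if len(remote) > 1 else DEFAULTS['port'][0]
        reached = (port_forward or {}).get(c_port, c_port)
        if reached != s_port:
            issues.append(f'port: client dials {c_port} (reaches {reached}) '
                          f'but server listens on {s_port}')
    # Relative credential paths on the server resolve against the daemon's
    # cwd (or --cd); absolute paths were the fix the original poster found.
    for opt in ('ca', 'cert', 'key', 'dh', 'tls-auth', 'tls-crypt'):
        v = first(s, opt)
        if v and not v[0].startswith('/'):
            issues.append(f'server {opt}: relative path {v[0]}')
    return issues

# Abridged from the first post (constructed test input for this example).
SERVER_CONF = """\
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
"""
CLIENT_CONF = """\
client
dev tun
proto udp
remote 2.xxx.xx.xxx 443
ca ca.crt
cert myname.crt
key myname.key
cipher AES-256-CBC
tls-auth ta.key 1
comp-lzo
"""

if __name__ == '__main__':
    # Assumed router forward (public 443 -> jail 10011); not shown on the page.
    for issue in lint(SERVER_CONF, CLIENT_CONF, {'443': '10011'}):
        print(issue)
```

A clean report does not prove reachability: a wrong router forward, an ipfw rule, or a daemon that is not listening at all (the sockstat in the post above shows no openvpn socket) produce the same 60-second timeout, and the server-side log or a tcpdump on the jail's epair interface for the UDP port is what tells those apart. The script does not handle the separate key-direction directive or inline <tls-auth> blocks.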