Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Krowvin

Explorer
Joined
Jul 24, 2014
Messages
60
A few guesses for the email option:
1. Try pinging your mail server from inside the jail (Might not even be related) i.e.
Code:
ping smtp.google.com 

2. Make sure you have the global settings for your network setup in your FreeNAS GUI. The DNS server, etc

Another method would be for you to log in to your FreeNAS box via SSH/SFTP using a program like Bitvise or WinSCP:
There are two ways to access the file; you can either:
A. SSH To FreeNAS Directly
I.
Enable SSH access to your box via services > ssh gear icon, Check "Login as root with password" & "Allow password authentication"

II. Log in to FreeNAS as root through Bitvise/WinSCP directly and navigate to your full path, something like:
Code:
/mnt/volume1/jails/jailname/usr/local/etc/openvpn/


B. Enable SSH in the FreeNAS jail
Should be able to (From a FreeNAS SSH terminal) type:

Code:
jls 
jexec jailID csh 
service ssh start 
ifconfig 


to find the jail's IP Address

In either of those programs I mentioned you would type in your jail/FreeNAS IP, the username, and the password

Whatever you do, do NOT open the SSH port up to the outside world; you'll start getting tons of emails about brute force attempts. Use this awesome new VPN you're making instead!
 

SeaWolfX

Explorer
Joined
Mar 14, 2018
Messages
65
Thanks for the tips Krowvin!

Email

1. Try pinging your mail server from inside the jail (Might not even be related) i.e.
No issues pinging the mail server.
Make sure you have the global settings for your network setup in your FreeNAS GUI. The DNS server, etc
Everything seems to check out with the global network settings. I am able to send an email to the same address using the 'Send Test Mail' in the System -> Email function so I guess they would have to be, right?

SSH

I am using PuTTY in Windows and I am able to navigate to the correct Jail folder both directly and through the Jail instance, however, I am not sure how to copy the files over to my local machine.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Like others, I'm having some problems here.

1. I never received the email at the end to my Gmail account. Nothing in normal or spam filters. Nothing to my secondary work email. I ended up just adding a shared volume to /mnt of the jail temporarily and manually copying the .tar file.

2. Extracted the client files to my laptop and put them in the laptop's OpenVPN config directory, connected the laptop to my phone via Wi-Fi hotspot to get outside my network, fired up OpenVPN, was prompted for the client password, but it won't connect. It keeps failing the TLS handshake.

Code:
Sun Apr 29 00:09:31 2018 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 29 00:09:31 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 00:09:31 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 00:09:31 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:443
Sun Apr 29 00:09:31 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Sun Apr 29 00:09:31 2018 UDP link local: (not bound)
Sun Apr 29 00:09:31 2018 UDP link remote: [AF_INET]x.x.x.x:443
Sun Apr 29 00:09:31 2018 MANAGEMENT: >STATE:1524974971,WAIT,,,,,,
Sun Apr 29 00:10:31 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Apr 29 00:10:31 2018 TLS Error: TLS handshake failed
Sun Apr 29 00:10:31 2018 SIGUSR1[soft,tls-error] received, process restarting
Sun Apr 29 00:10:31 2018 MANAGEMENT: >STATE:1524975031,RECONNECTING,tls-error,,,,,
Sun Apr 29 00:10:31 2018 Restart pause, 5 second(s)

(I've redacted my IP, but it's correct in the config file.) At first I actually had my DDNS name there, but it was pointing to an incorrect IP, I guess an old one, but that's another issue. I have it set to my current IP for testing the connection.

But it still won't connect even with the correct IP. It wasn't mentioned in the OP, but do I have to forward port 443 on my router? I tried it anyway, forwarded port 443 to my jail's IP (192.168.1.117), and still no luck.

Help?
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
More context.

I have a Netgear router. LAN address is 192.168.1.0, router at 192.168.1.1
PiHole VM running on FreeNAS at 192.168.1.250, PiHole getting DNS from 1.1.1.1 and 1.0.0.1
Netgear router getting DNS from PiHole at 192.168.1.250, with a backup of 1.1.1.1 (this gives me whole home ad blocking)
Netgear router forwarding internal and external port 1194 to 192.168.1.117 (I'm not sure why this guide has different ports between server/client; other guides have them the same. Can someone explain why?)
OpenVPN jail running at 192.168.1.117

openvpn server config "openvpn.conf @ /usr/local/etc/openvpn/":
Code:
local 192.168.1.117
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.1.250" # do I need this line? I thought since Pi-hole is my DNS that I would; please advise
;push "dhcp-option DNS 1.1.1.1"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0
remote-cert-tls client
cipher AES-256-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1


rc.conf @ /etc/
Code:
portmap_enable="NO"
sshd_enable="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
hostname="OpenVPN"
devfs_enable="YES"
devfs_system_ruleset="devfsrules_common"
inet6_enable="YES"
ip6addrctl_enable="YES"
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"


ipfw.rules @ /usr/local/etc/
Code:
#!/bin/sh
ipfw -q -f flush
ipfw -q nat 1 config if epair2b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair2b
ipfw -q add nat 1 all from any to any in via epair2b

TUN=$(/sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


output of command "/sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun"
Code:
 # /sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun
lo0/epair2b/tun5


output of command "ipfw list"
Code:
 # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair2b
00200 nat 1 ip from any to any in via epair2b
65535 allow ip from any to any


output of command "sockstat -4 -l"
Code:
 # sockstat -4 -l
USER	 COMMAND	PID   FD PROTO  LOCAL ADDRESS		 FOREIGN ADDRESS
root	 syslogd	25305 7  udp4   *:514				 *:*


Client config on Windows 10 machine "Xinyi.conf @ C:\Users\Ian\OpenVPN\config\client"
ca.crt, ta.key, Xinyi.crt, Xinyi.key are also in this directory
Code:
client
dev tun
proto udp
remote 192.168.1.117 1194 # I know this is the local IP; I was trying to connect from within the network as a test. Still doesn't work with the outside IP added here
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Xinyi.crt
key Xinyi.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3


Is there something wrong? Please help. I don't know how much more info you need.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
OK, so I deleted everything: deleted the OpenVPN jail, deleted Pi-hole, reset my router to defaults.

I followed the guide exactly until the end.

But when I run the "check" commands after the reboot I get this:

Code:
[root@freenas ~]# jexec 6 tcsh
root@OpenVPN:/ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via lo0/epair0b/tun
00200 nat 1 ip from any to any in via lo0/epair0b/tun
65535 allow ip from any to any
root@OpenVPN:/ # sockstat -4 -l
USER	 COMMAND	PID   FD PROTO  LOCAL ADDRESS		 FOREIGN ADDRESS
root	 syslogd	26830 7  udp4   *:514				 *:*
root@OpenVPN:/ #


I feel like there is something wrong with the ipfw.rules file, but mine is literally exactly the same as the OP's.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Running this:

Code:
root@OpenVPN:/ # service ipfw start
ipfw: unknown interface name lo0/epair0b/tun1
ifconfig: interface lo0/epair0b/tun1 does not exist
Firewall rules loaded.


So it seems the whole /sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep thing isn't working properly. I changed it back to just

Code:
#!/bin/sh
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b


But I'm still not seeing openvpn show up when I run sockstat -4 -l.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Sorry for all the posts, but this is killing me.

Trying to manually start openvpn:

Code:
root@OpenVPN:/ # openvpn --config /usr/local/etc/openvpn/openvpn.conf
Sun Apr 29 17:19:48 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Apr 26 2018
Sun Apr 29 17:19:48 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10
Sun Apr 29 17:19:48 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Apr 29 17:19:48 2018 Diffie-Hellman initialized with 2048 bit key
Sun Apr 29 17:19:48 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 17:19:48 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Apr 29 17:19:48 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair0b HWADDR=aa:77:67:44:12:06
Sun Apr 29 17:19:48 2018 TUN/TAP device /dev/tun0 opened
Sun Apr 29 17:19:48 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Apr 29 17:19:48 2018 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: interface tun0 does not exist
Sun Apr 29 17:19:48 2018 FreeBSD ifconfig failed: external program exited with error status: 1
Sun Apr 29 17:19:48 2018 Exiting due to fatal error
root@OpenVPN:/ #


Looks like it's failing to open tun0, but my device is tun2, and every reboot it increments. I see what the /sbin/ifconfig -l | tr " " "/n" | /usr/bin/grep tun command is trying to do, but it's not working properly since it returns the entire string "lo0/epair0b/tun2" rather than just "tun2".

I think if I can fix this command I can get it working.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
With the help of an IT bro, I was able to get this working.

The problem was definitely the ipfw.rules file in the OP. I don't know if it's because I'm on 11.1-U4, or what, but his variable definitions didn't work at all for me. It seems important to set up the ipfw.rules so that it automatically finds the interface names for epair and tun, as rebooting your jail will increment the tun and can increment the epair from what I've found. So if you're on a fresh reboot while setting everything up, it will work without variable definitions, but once you reboot it and your tun interface goes to tun1, openvpn won't even start because it apparently NEEDS "tun0".

This is my working ipfw.rules file. I used cut instead of the tr junk.

Code:
#!/bin/sh
# ifconfig -l inside the jail prints "lo0 epairNb tunN"; take the second
# and third fields so the rules follow the current interface names
EPAIR=$(/sbin/ifconfig -l | cut -d' ' -f2)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | cut -d' ' -f3)
# OpenVPN in this setup expects tun0, so rename whatever tun device exists
ifconfig ${TUN} name tun0


Now everything works after booting, and I'm able to successfully connect.
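As an added example (my own code, not the ipfw.rules from this thread), here is a version of the same interface detection that picks the epair and tun interfaces by name prefix rather than by field position, so it keeps working if ifconfig -l lists them in a different order or the numbering changes after a jail restart. The function names find_iface, ipfw_rules_for and main are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: locate the jail's epair and tun
# interfaces by name prefix rather than by field position in `ifconfig -l`,
# so the NAT rules keep working after a jail restart renumbers them
# (tun0 -> tun1, epair0b -> epair2b, as reported above).

# Print the first interface in the space-separated list $1 whose name
# starts with prefix $2 (e.g. "epair" or "tun"); fail if there is none.
find_iface() {
    for ifn in $1; do
        case "$ifn" in
            "$2"*) printf '%s\n' "$ifn"; return 0 ;;
        esac
    done
    return 1
}

# Emit the same NAT rule set the thread uses, for the interface named in $1,
# as text, so it can be reviewed before it is run.
ipfw_rules_for() {
    printf 'ipfw -q -f flush\n'
    printf 'ipfw -q nat 1 config if %s\n' "$1"
    printf 'ipfw -q add nat 1 all from 10.8.0.0/24 to any out via %s\n' "$1"
    printf 'ipfw -q add nat 1 all from any to any in via %s\n' "$1"
}

# Apply the rules and rename the tun device to tun0, the name this OpenVPN
# setup expects. Fails loudly instead of loading rules for a wrong interface.
main() {
    ifaces=$(/sbin/ifconfig -l) || exit 1
    epair=$(find_iface "$ifaces" epair) || { echo "no epair interface found" >&2; exit 1; }
    tun=$(find_iface "$ifaces" tun) || { echo "no tun interface found" >&2; exit 1; }
    ipfw_rules_for "$epair" | /bin/sh
    [ "$tun" = tun0 ] || /sbin/ifconfig "$tun" name tun0
}

# ipfw and `ifconfig -l` are FreeBSD-specific, so only apply there;
# on any other system the functions are merely defined.
if [ "$(uname -s)" = FreeBSD ]; then
    main
fi
```

Installed as /usr/local/etc/ipfw.rules with firewall_script pointing at it, as in the rc.conf above, it runs on every jail start.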
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
I spoke too soon. It seems that while I can successfully make the VPN connection, I do not really have any network or internet access. Any internet traffic is coming from the internet connection on my end and not through the VPN tunnel.

I want to force all network and internet traffic through the tunnel when the connection is made.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Does no one have a working openvpn server running in a jail where they can do more than simply make the connection? I want to send all traffic from the client through the tunnel.

I want it to be as if I'm "virtually" on my home network with all the access that I would normally have if I was physically there: access my 192.168.1.0 LAN and access the internet. Right now I cannot do either.

From reading, it sounds like some kind of NAT issue, but I have the NAT rules set up as described in the OP.

Anyone?
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
OK, I thought I solved this, and it's kinda solved. But this gives me more information. I updated my BIOS to resolve a separate issue (laggy/slow POST and BIOS navigation). After the system came up, I realized I left my iPhone connected to the VPN and it reconnected. I was using my phone and browsing the web, not realizing that I was on the VPN. I was able to access my network and the internet, and all traffic was successfully going through the VPN with the same configurations as above.

Initially I thought the BIOS update itself was the fix, but it turns out that's not the case. I restarted the jail and I was back to my initial problems: could connect but no network. Rebooted the entire server again and it's working again.

So it appears to ONLY work on the jail's initial startup from a fresh reboot. Stopping the jail and restarting it breaks it. Some kind of network setting isn't persisting across these soft reboots.

Now, true, I shouldn't need to reboot jails often, and honestly I almost never reboot my Plex or Transmission jails, but this is something that probably shouldn't break just from a soft reboot. Does anyone know what might be breaking to make this stop working because of a jail reboot?
 

Joe Fenton

Dabbler
Joined
May 5, 2015
Messages
40
Code:
# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 64842 7 udp46 *:1194 *:*
root syslogd 64803 7 udp4 *:514 *:*

Using this command at the end to test if it worked, I only got the root line, and not the nobody line. Any idea where to start diagnosing what went wrong? I have rebooted both the jail and the whole FreeNAS server.
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
Code:
# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 64842 7 udp46 *:1194 *:*
root syslogd 64803 7 udp4 *:514 *:*

Using this command at the end to test if it worked, I only got the root line, and not the nobody line. Any idea where to start diagnosing what went wrong? I have rebooted both the jail and the whole FreeNAS server.

OpenVPN is not starting properly, probably because of the issues with the way the OP set up the ipfw.rules file.

You can test this by running, from the shell within the jail (jexec [jail#] tcsh):

Code:
# openvpn --config /usr/local/etc/openvpn/openvpn.conf


and post the output here; it'll probably give you some error telling you why it won't start.
 

Joe Fenton

Dabbler
Joined
May 5, 2015
Messages
40
Got it working, thanks. There was a bad line in the .conf file: a comment had ended up on 2 lines.

I assume that with this example the local port is 1194, so when attempting to use it outside the local network, I port forward to that port?
 

Joe Fenton

Dabbler
Joined
May 5, 2015
Messages
40
I can't connect to the VPN from the client now, I get the following messages, whether trying on the local network or externally:

Code:
Thu May 10 11:43:57 2018 TLS: Initial packet from [AF_INET]VPNIP:VPNPort, sid=a36ba0dd ef6f3edf
Thu May 10 11:43:57 2018 VERIFY OK: depth=1, CN=OpenVPN FreeNAS CA
Thu May 10 11:43:57 2018 VERIFY KU OK
Thu May 10 11:43:57 2018 Validating certificate extended key usage
Thu May 10 11:43:57 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu May 10 11:43:57 2018 VERIFY EKU OK
Thu May 10 11:43:57 2018 VERIFY OK: depth=0, CN=openvpn-server
Thu May 10 11:44:57 2018 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu May 10 11:44:57 2018 TLS Error: TLS handshake failed
Thu May 10 11:44:57 2018 SIGUSR1[soft,tls-error] received, process restarting
Thu May 10 11:44:57 2018 MANAGEMENT: >STATE:1525949097,RECONNECTING,tls-error,,,,,
Thu May 10 11:44:57 2018 Restart pause, 5 second(s)
Thu May 10 11:45:02 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]VPNIP:VPNPort
Thu May 10 11:45:02 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
Thu May 10 11:45:02 2018 UDP link local: (not bound)
Thu May 10 11:45:02 2018 UDP link remote: [AF_INET]VPNIP:VPNPort
Thu May 10 11:45:02 2018 MANAGEMENT: >STATE:1525949102,WAIT,,,,,,
Thu May 10 11:45:02 2018 MANAGEMENT: >STATE:1525949102,AUTH,,,,,,
Thu May 10 11:45:02 2018 TLS: Initial packet from [AF_INET]VPNIP:VPNPort, sid=1b2ff2ab f8b54c9e
Thu May 10 11:45:02 2018 VERIFY OK: depth=1, CN=OpenVPN FreeNAS CA
Thu May 10 11:45:02 2018 VERIFY KU OK
Thu May 10 11:45:02 2018 Validating certificate extended key usage
Thu May 10 11:45:02 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu May 10 11:45:02 2018 VERIFY EKU OK
Thu May 10 11:45:02 2018 VERIFY OK: depth=0, CN=openvpn-server
 

gsrcrxsi

Explorer
Joined
Apr 15, 2018
Messages
86
First check that openvpn is actually running, with the sockstat command. I have a recurring problem that no one seems to have an answer for (*crickets* in here), where if I reboot the jail only, "something" breaks with the networking and the VPN server will not make any connections. However, if I reboot the entire system, then everything is working properly. So check if openvpn is running, and if it is, give the whole system a fresh reboot, not just the jail.

Next, check your port forwarding in your router. If you used the same port numbers as the OP (443 external port, to 1194 internal port) then you need to make sure your router is set up the same way. You need to forward external port 443 to internal port 1194 to the IP of your openvpn jail, not the IP of your FreeNAS box.

Also, if your VPN server is not on an internet connection that gives you a static IP for your location, you'll need to sign up for a dynamic DNS from somewhere like No-IP (noip.com). A normal residential connection's IP address changes randomly, and it would be a pain to try to change the IP in the client config file every time it changes.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Firstly, a great guide. Very easy to follow and I'm pretty sure I have everything configured as required.

I've tried to set this up using an iocage jail, and I suspect that might be my problem, but not sure. Has anyone used this guide with an iocage jail?

My problem is that openvpn won't start and I'm getting the following error:

Code:
Cannot allocate TUN/TAP dev dynamically
Exiting due to fatal error


Thanks
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
If you read the first post you'll see exactly, step by step
I got the files from the last section, including ca, crt, and conf. But how can I get the ovpn file?

Thanks.

Sent from my Mate 9 using Tapatalk
 