Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

gsrcrxsi · Jul 25, 2018

i dont know how to do that. i know i should do stuff like that but i dont know where to start haven't had time to look into it. also, wont the snapshot backup my "bad" configuration if i didnt notice i broke something? like now. im sure i borked the permissions over a month ago, but it didnt impact my jails because i never turn this system off, so i was unaware of the problem. the backup isnt useful if it gets backed up "broken"

but i got it back up without too much trouble. copying the proper files over worked.

1. created new jail "OpenVPN_2"
2. changed OpenVPN_2's IP to old jail's IP
3. installed openvpn in the jail

Code:

pkg update
pkg upgrade -y
pkg install -y nano openvpn mpack

4. make openvpn directory

Code:

mkdir /usr/local/etc/openvpn

5. exit jail shell, back to root freenas shell
6. copy entire old openvpn directory to new openvpn directory, recursive, copies all the keys and certs and openvpn.conf

Code:

cp -r /mnt/Media/jails/OpenVPN/usr/local/etc/openvpn/* /mnt/Media/jails/OpenVPN_2/usr/local/etc/openvpn

7. copy ipfw.rules file

Code:

cp -r /usr/local/etc/ipfw.rules /usr/local/etc

8. copy rc.conf file

Code:

cp -r /etc/rc.conf /etc

9. copy syslog.conf file

Code:

cp -r /etc/syslog.conf /etc

10. copy newsyslog.conf file

Code:

cp -r /etc/newsyslog.conf /etc

11. restart jail

then it all worked again. i made sure to double check the contents of the directories and config files to verify they all copied correctly.

Bibi40k · Jul 25, 2018

Thats great news, congrats!
Well, it depends on how long you set to keep the snapshot, it's supposed to realize when you break/delete something :)

gsrcrxsi · Jul 25, 2018

i just created a manual snapshot of the openvpn jail. since i shouldnt ever change anything now, that will suffice to restore it correct? i dont need to do anything else?

Bibi40k · Jul 25, 2018

should be enough

twsps · Jul 26, 2018

I believe I got stuck on ports… it keeps telling me the port is already being used. Also when I test port 443, it shows the port is closed, which means openVPN isn't running properly

Sent from my Mate 9 using Tapatalk

Bibi40k · Jul 26, 2018

443 is a common ssh port, i chose not to use it. why don't you stay with default 1194 ?

adrianwi · Jul 26, 2018

I had some free time this afternoon, so thought I'd give this another shot. Great tutorial that's super easy to follow, but I'm hitting the same problem I did last time in that openvpn won't start.

Code:

root@vpn:/usr/local/etc # openvpn --config /usr/local/etc/openvpn/openvpn.conf

Thu Jul 26 14:09:07 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jul  3 2018

Thu Jul 26 14:09:07 2018 library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.10

Thu Jul 26 14:09:07 2018 Diffie-Hellman initialized with 2048 bit key

Thu Jul 26 14:09:07 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Jul 26 14:09:07 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Thu Jul 26 14:09:07 2018 ROUTE_GATEWAY 192.168.168.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:49:46:d2

Thu Jul 26 14:09:07 2018 TUN/TAP device /dev/tun1 opened

Thu Jul 26 14:09:07 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

Thu Jul 26 14:09:07 2018 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up

ifconfig: interface tun1 does not exist

Thu Jul 26 14:09:07 2018 FreeBSD ifconfig failed: external program exited with error status: 1

Thu Jul 26 14:09:07 2018 Exiting due to fatal error

root@vpn:/usr/local/etc #

Any ideas? Thanks

Bibi40k · Jul 26, 2018

Hi,
in my case it shows tun0, so i suppose you're missing something.

Code:

# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Thu Jul 26 16:31:09 2018 OpenVPN 2.4.5 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 15 2018
Thu Jul 26 16:31:09 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10
Thu Jul 26 16:31:09 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Thu Jul 26 16:31:09 2018 Diffie-Hellman initialized with 2048 bit key
Thu Jul 26 16:31:09 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 26 16:31:09 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jul 26 16:31:09 2018 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=epair2b HWADDR=c2:44:b1:ed:f4:f2
Thu Jul 26 16:31:09 2018 TUN/TAP device /dev/tun0 opened
Thu Jul 26 16:31:09 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Thu Jul 26 16:31:09 2018 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Thu Jul 26 16:31:09 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Thu Jul 26 16:31:09 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Thu Jul 26 16:31:09 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]
Thu Jul 26 16:31:09 2018 setsockopt(IPV6_V6ONLY=0)
Thu Jul 26 16:31:09 2018 UDPv6 link local (bound): [AF_INET6][undef]:1194
Thu Jul 26 16:31:09 2018 UDPv6 link remote: [AF_UNSPEC]
Thu Jul 26 16:31:09 2018 GID set to nobody
Thu Jul 26 16:31:09 2018 UID set to nobody
Thu Jul 26 16:31:09 2018 MULTI: multi_init called, r=256 v=256
Thu Jul 26 16:31:09 2018 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Jul 26 16:31:09 2018 ifconfig_pool_read(), in='Bibi40k,10.8.0.4', TODO: IPv6
Thu Jul 26 16:31:09 2018 succeeded -> ifconfig_pool_set()
Thu Jul 26 16:31:09 2018 IFCONFIG POOL LIST
Thu Jul 26 16:31:09 2018 Bibi40k,10.8.0.4
Thu Jul 26 16:31:09 2018 Initialization Sequence Completed

Bibi40k · Jul 26, 2018

Ah,
try to remove/comment out
";comp-lzo" from both /usr/local/etc/openvpn/openvpn.conf and youruser.conf
It become obsolete since the tutorial. I'll change it now.

adrianwi · Jul 26, 2018

I was convinced I'd got the configuration right, so decided to give a system reboot a try, making sure the old warden vpn jail wasn't running, and voila! Need to do a little more testing but OpenVPN starts, I can connect using the client config and it looks to be passing all requests through the VPN. Never 100% convinced until I've tested everything outside my LAN though.

Thanks for the excellent guide and now all my jails have been iocaged :D

Bibi40k · Jul 26, 2018

so it was just the reboot or also "comp-lzo" ? I'm asking because twsps have the same error ?

adrianwi · Jul 26, 2018

No, I didn't change the configuration from your OP

gsrcrxsi · Jul 26, 2018

adrianwi said:
I was convinced I'd got the configuration right, so decided to give a system reboot a try, making sure the old warden vpn jail wasn't running, and voila! Need to do a little more testing but OpenVPN starts, I can connect using the client config and it looks to be passing all requests through the VPN. Never 100% convinced until I've tested everything outside my LAN though.

Thanks for the excellent guide and now all my jails have been iocaged :D

I had/have this problem. I mentioned it a few pages back but no one ever commented on it.

If i reboot the jail only. the VPN stops working.
rebooting the whole system and letting the jail start on its own from a fresh boot. it works.

this is repeatable for me. im not sure what's getting broken from a jail reboot, but it definitely breaks it.

adrianwi · Jul 26, 2018

Now it's running, not sure I'd need to stop the jail unless I was rebooting the server, so not too worried about this. Sorry!

twsps · Jul 26, 2018

This is the result when I use port 1194,

Code:

# openvpn --config /usr/local/etc/openvpn/openvpn.conf

Fri Jul 27 10:06:26 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 26 2018

Fri Jul 27 10:06:26 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10

Fri Jul 27 10:06:26 2018 Diffie-Hellman initialized with 2048 bit key

Fri Jul 27 10:06:26 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Jul 27 10:06:26 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Jul 27 10:06:26 2018 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=epair1b HWADDR=xx:xx:xx:xx:xx:xx

Fri Jul 27 10:06:26 2018 TUN/TAP device /dev/tun1 opened

Fri Jul 27 10:06:26 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

Fri Jul 27 10:06:26 2018 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up

Fri Jul 27 10:06:26 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0

add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table

Fri Jul 27 10:06:26 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Fri Jul 27 10:06:26 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6

Fri Jul 27 10:06:26 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]

Fri Jul 27 10:06:26 2018 setsockopt(IPV6_V6ONLY=0)

Fri Jul 27 10:06:26 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)

Fri Jul 27 10:06:26 2018 Exiting due to fatal error

Fri Jul 27 10:06:26 2018 Closing TUN/TAP interface

Fri Jul 27 10:06:26 2018 /sbin/ifconfig tun1 destroy

Also I realized mine is epair1b, not epair0b

Code:

# ipfw list

00100 nat 1 ip from 10.8.0.0/24 to any out via epair1b

00200 nat 1 ip from any to any in via epair1b

65535 allow ip from any to any

I'll update my result with other ports like 1193 just for testing purposes.

p.s. I also commented out comp-lzo for both files

twsps · Jul 26, 2018

For this time, I only changed my openvpn.conf file to port 1193, and remaining my user.conf port still as 443. What I set up on my router is external port: 443, internal port 1193/1194. But all these were shown port closed, I believe my VPN isn't set up correctly.
Here is the result with port 1193 in openvpn.conf:

Code:

# ipfw list

00100 nat 1 ip from 10.8.0.0/24 to any out via epair1b

00200 nat 1 ip from any to any in via epair1b

65535 allow ip from any to any

# openvpn --config /usr/local/etc/openvpn/openvpn.conf

Fri Jul 27 10:15:52 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 26 2018

Fri Jul 27 10:15:52 2018 library versions: OpenSSL 1.0.2j-freebsd  26 Sep 2016, LZO 2.10

Fri Jul 27 10:15:52 2018 Diffie-Hellman initialized with 2048 bit key

Fri Jul 27 10:15:52 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Jul 27 10:15:52 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication

Fri Jul 27 10:15:52 2018 ROUTE_GATEWAY 192.168.2.1/255.255.255.0 IFACE=epair1b HWADDR=xx:xx:xx:xx:xx:xx

Fri Jul 27 10:15:52 2018 TUN/TAP device /dev/tun1 opened

Fri Jul 27 10:15:52 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

Fri Jul 27 10:15:52 2018 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up

Fri Jul 27 10:15:52 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0

add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table

Fri Jul 27 10:15:52 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Fri Jul 27 10:15:52 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6

Fri Jul 27 10:15:52 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]

Fri Jul 27 10:15:52 2018 setsockopt(IPV6_V6ONLY=0)

Fri Jul 27 10:15:52 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1193: Address already in use (errno=48)

Fri Jul 27 10:15:52 2018 Exiting due to fatal error

Fri Jul 27 10:15:52 2018 Closing TUN/TAP interface

Fri Jul 27 10:15:52 2018 /sbin/ifconfig tun1 destroy

twsps · Jul 27, 2018

I solved it by changing the ports to an unusual one, e.g. over here I got interrupted by next cloud's port. Also under router settings, port forwarding ip must be set to jail's ip, not freenas ip.

twsps · Jul 28, 2018

I figured out that not all my connections are send through my VPN.
I found I need to set up something like this: https://askubuntu.com/questions/462533/route-all-traffic-through-openvpn
However, I don't know what should I fill in for my DNS and vpn_server_ip

Thanks for all the help!

twsps · Jul 29, 2018

Over here I tried to comment out

Code:

push "redirect-gateway def1 bypass-dhcp"

in my openvpn.conf. But I'm not able to connect to any internet connection by this setting. I found out that I need to set up something like

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

to forward from 10.8.0.0 to my freenas ethernet port. However, I believe this is being set up by ipfw rules covered in the first post. Am I correct? If so, why am I not able to connect to any internet?

twsps · Jul 30, 2018

@Bibi40k , I hope you can help me figure this out. I'm finding a solution for this but I can't solve it. Thanks

Sent from my Mate 9 using Tapatalk

Important Announcement for the TrueNAS Community.

Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

Explorer

Contributor

Explorer

Contributor

Contributor

Contributor

Guru

Contributor

Contributor

Guru

Contributor

Guru

Explorer

Guru

Contributor

Contributor

Contributor

Contributor

Contributor

Contributor

Similar threads