Ok, I gave it another try with dev tun0 in my openvpn.conf
Code:
root@openvpn:~ # ifconfig tun create
tun1
Restarted openvpn, but nothing:
Code:
Sep 13 15:35:59 openvpn openvpn[8925]: TUN/TAP device tun1 exists previously, keep at program end
Sep 13 15:35:59 openvpn openvpn[8925]: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
Sep 13 15:35:59 openvpn openvpn[8925]: Exiting due to fatal error
ifconfig lists both tun0 and tun1, ll /dev/tun* lists nothing.
Your solution doesn't seem to work for me. I think I'd better wait for another FreeNAS upgrade.. :(
I did come across this post and ran the command, but it didn't work for me. Then I found the solution I wrote before and it worked. Maybe this step was necessary for my solution to work and I didn't realize it. If that's the case, you should give it another shot @memel.parduin. Could you elaborate, @andrea689? Do you have the same symptoms as us and have to use my solution? Or is the devfs command enough for you (i.e. you can reboot the jail/host and it works without any further steps)?
Yes, I have the same symptoms as you. I have stopped the jail, run the command devfs rule -s 4 add path 'tun*' unhide and restarted the jail.
I have also added the command as a pre-init script and a post-init script, but it doesn't work! :-(
When I restart FreeNAS I have to repeat the command and restart the jail.
Right now, I restarted FreeNAS and my jail is configured with dev tun4. But since it doesn't work after a restart, I applied my solution with dev tun0, and this is what I get:
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 02:ff:60:9b:c8:80
hwaddr 02:63:10:00:0f:0b
inet 192.168.3.202 netmask 0xffffff00 broadcast 192.168.3.255
nd6 options=1<PERFORMNUD>
media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
status: active
groups: epair
tun4: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=1<PERFORMNUD>
groups: tun
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffff00
nd6 options=1<PERFORMNUD>
groups: tun
Opened by PID 8286
Code:
# ls /dev/
crypto fd log null ptmx pts random stderr stdin stdout tun0 urandom zero zfs
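Added example, not from the thread: two small POSIX sh helpers for the situation described in this post, where ifconfig lists the tun interface but the jail cannot see its /dev node. The first pulls the device path out of openvpn's "Cannot open TUN/TAP dev" log line; the second reads the `dev` directive from the openvpn config and checks whether the matching node is visible in a given dev directory. The function names, the fake dev directory and the use of the log lines above as sample input are constructed for the example; the config path /usr/local/etc/openvpn/openvpn.conf in the usage note is an assumption.

```sh
#!/bin/sh
# Two checks for the failure shown above, where ifconfig lists tunN but
# /dev/tunN is hidden from the jail, so openvpn exits with
# "Cannot open TUN/TAP dev /dev/tunN". Both take their inputs as arguments
# (log file, dev directory, config) so they can run on constructed data
# outside a jail as well as inside one.

# Print the device path(s) openvpn reported it could not open, one per line.
tun_open_failures() {    # $1 = openvpn log file
    sed -n 's/.*Cannot open TUN\/TAP dev \([^:]*\):.*/\1/p' "$1"
}

# Return 0 if the node openvpn will open is visible under $1 for the "dev"
# directive in config $2: "dev tunN" needs $1/tunN, a bare "dev tun" needs
# the $1/tun clone node. Return 1 (with advice) if hidden, 2 on bad input.
tun_node_visible() {     # $1 = dev directory (normally /dev), $2 = openvpn.conf
    dev=$(sed -n 's/^dev[[:space:]][[:space:]]*\([a-z0-9]*\).*/\1/p' "$2" | head -n 1)
    [ -n "$dev" ] || { echo "no 'dev' line in $2" >&2; return 2; }
    # -e rather than -c so a plain file can stand in for the node in a test
    if [ -e "$1/$dev" ]; then
        echo "$1/$dev is visible"
        return 0
    fi
    echo "$1/$dev is hidden by devfs: on the host, unhide tun* for this jail's ruleset" >&2
    echo "(the thread's workaround: devfs rule -s 4 add path 'tun*' unhide, 4 being the jail ruleset used in this thread, then restart the jail)" >&2
    return 1
}

# --- demo on constructed data: the log lines from the post above and a
# --- fake dev directory in which only tun0 exists
d=$(mktemp -d)
cat > "$d/openvpn.log" <<'EOF'
Sep 13 15:35:59 openvpn openvpn[8925]: TUN/TAP device tun1 exists previously, keep at program end
Sep 13 15:35:59 openvpn openvpn[8925]: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
Sep 13 15:35:59 openvpn openvpn[8925]: Exiting due to fatal error
EOF
mkdir "$d/dev"; : > "$d/dev/tun0"
echo "dev tun1" > "$d/openvpn.conf"
echo "openvpn failed to open: $(tun_open_failures "$d/openvpn.log")"
tun_node_visible "$d/dev" "$d/openvpn.conf" || echo "check failed with status $?"
```

Inside the jail the real check is `tun_node_visible /dev /usr/local/etc/openvpn/openvpn.conf`; a non-zero status before starting openvpn tells you the devfs ruleset is the problem rather than the openvpn config.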
Hello there,
I struggled a long time trying to get openVPN running in a jail in FreeNAS. A friend of mine helped me get things done using a workaround (you might call it cheating), but maybe it helps somebody else:
I installed debian (netinstall, minimal) as a VM in FreeNAS, and then the openVPN Access Server within debian. Far less hassle than any other alternative I came across, and it has been running now for some months without any troubles.
I had it working in a warden jail for a number of years, and more recently in an iocage jail for the last 3-4, and it works perfectly. I'm not against running VMs (I have one running 24x7 for CrashPlan/Docker), but if it works in a jail, a VM is just unnecessary overhead.
When I do sockstat -4 -l, I get nothing about openVPN. Any way to troubleshoot this? Does it have to be done as root? I did it as a user because I couldn't get past the sudo command.
change-log:
0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and test everything from scratch following all the steps
0.2 - 2018.02.17 - Beautify code and few more details
0.1 - 2018.02.16 - First release
Legend:
Green text - should remain like it is
Blue text - you may change it if you like
Red text - needs to be changed by you
Requirements:
FreeNAS 11.1-U1 ( may also work with other versions )
FreeNAS User with ssh access and sudo
SSH Client ( Putty for Windows and Terminal for MAC )
Admin access to the router where FreeNAS exists
Own domain or domain updated by DDNS or a static IP
Please follow this step by step tutorial before asking for help
Relevant data to use later in this tutorial ( use your own, this is just for reference )
Home Network: 192.168.1.0/24 ( the LAN where your FreeNAS is )
NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
Domain: nas.mydomain.com
VPN Server Port: 1194 UDP
VPN Outside Access Port: 443 UDP
Certificate Authority Password: Password1
Bibi40k Client Certificate Password: Password2
3,2,1.. START
Use FreeNAS Web GUI Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )
SSH to your FreeNAS box
Code:
% jls
JID IP Address Hostname Path
...
4 OpenVPN /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:
if [ -z "$EASYRSA_CALLER" ]; then
echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
echo "This is no longer necessary and is disallowed. See the section called" >&2
echo "'How to use this file' near the top comments for more details." >&2
return 1
fi
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650
Generate Keys
Code:
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki
Build Certificate Authority ( follow instructions using Password1 and common name )
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt
Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Build Client Certificate ( use unique name for each certificate, use Bibi40k with Password2 and authorize with Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................
...........................................................................................................
......................................................................................+...................
...........................................................................................................
.............................................................+............................................
...........................................................................................................
.............................+......................................................+...................
.......+.................................................................................................
..........................................................................................................
..............................................................................+..................+.....
...
...................................................................................+....................
.........................................................................................................
.........................................................................................................
...+....................................................................................................
..........+..........................++*++*
DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
client
dev tun
proto udp
remote nas.mydomain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
verb 3
Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add green text )
Code:
# nano /usr/local/etc/ipfw.rules
More configuration ( edit /etc/rc.conf and add green text at the end of the file )
Code:
# nano /etc/rc.conf
Setup Logging ( edit /etc/syslog.conf )
Code:
# nano /etc/syslog.conf
Setup log rotation ( edit /etc/newsyslog.conf )
Code:
# nano /etc/newsyslog.conf
Use FreeNAS Web GUI Jails -> Select OpenVPN Jail -> Restart
SSH to your FreeNAS box and make some checks
Code:
% jls
JID IP Address Hostname Path
...
5 OpenVPN /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any
# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 64842 7 udp46 *:1194 *:*
root syslogd 64803 7 udp4 *:514 *:*
Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
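Added example, not part of the tutorial above: a POSIX sh function that turns the four files shipped in Bibi40k.tar plus the client conf into one inline .ovpn profile (the form mobile OpenVPN apps import). It drops the `ca`, `cert`, `key` and `tls-auth` file directives, embeds each file in the matching `<ca>`, `<cert>`, `<key>` and `<tls-auth>` block, and adds `key-direction 1`, because an inline tls-auth block carries no direction argument and the client must stay on direction 1 to match the server's `tls-auth ... 0`. The function name, the output file name and the placeholder PEM text in the demo are constructed for the example.

```sh
#!/bin/sh
# Build a single-file .ovpn profile from a client conf and the key files
# (ca.crt, <name>.crt, <name>.key, ta.key) that the tutorial packs into
# Bibi40k.tar. The file-path directives are replaced by inline blocks, and
# "key-direction 1" replaces the direction argument of "tls-auth ta.key 1".
#
# Usage: build_inline_ovpn CLIENT.conf KEYS_DIR OUT.ovpn

build_inline_ovpn() {
    conf="$1"; keys="$2"; out="$3"
    # the client name is taken from the "cert <name>.crt" line of the conf
    name=$(sed -n 's/^cert[[:space:]][[:space:]]*\(.*\)\.crt[[:space:]]*$/\1/p' "$conf" | head -n 1)
    [ -n "$name" ] || { echo "no 'cert <name>.crt' line in $conf" >&2; return 1; }
    for f in ca.crt "$name.crt" "$name.key" ta.key; do
        [ -f "$keys/$f" ] || { echo "missing $keys/$f" >&2; return 1; }
    done
    {
        # keep every directive except the four that point at external files
        grep -Ev '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]' "$conf"
        echo "key-direction 1"
        for pair in "ca ca.crt" "cert $name.crt" "key $name.key" "tls-auth ta.key"; do
            tag=${pair%% *}; file=${pair#* }
            echo "<$tag>"; cat "$keys/$file"; echo "</$tag>"
        done
    } > "$out"
    chmod 600 "$out"   # the profile now embeds the client's private key
}

# --- demo on constructed input: the tutorial's client conf and placeholder
# --- PEM text standing in for the real certificates and keys
demo_dir=$(mktemp -d)
mkdir "$demo_dir/keys"
cat > "$demo_dir/Bibi40k.conf" <<'EOF'
client
dev tun
proto udp
remote nas.mydomain.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
for f in ca.crt Bibi40k.crt Bibi40k.key ta.key; do
    printf '%s\n' "-----BEGIN PLACEHOLDER $f-----" AAAA "-----END PLACEHOLDER-----" > "$demo_dir/keys/$f"
done
build_inline_ovpn "$demo_dir/Bibi40k.conf" "$demo_dir/keys" "$demo_dir/Bibi40k.ovpn"
cat "$demo_dir/Bibi40k.ovpn"
```

Run it in the jail as `build_inline_ovpn /usr/local/etc/openvpn/Bibi40k.conf /usr/local/etc/openvpn/keys Bibi40k.ovpn` and send the single .ovpn instead of the tar; the profile contains the private key, so it deserves the same handling as Bibi40k.key itself.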
Could you add to the part about checks that it is sometimes necessary to restart the whole FreeNAS server, not only the OpenVPN jail, because there could be a problem with proper routes; they are built properly after restarting the whole server.
Same issue here, but I edited the /etc/defaults/devfs.rules file and added add path 'tun*' unhide. It worked, but I hope they'll fix the issue; openvpn is widely used and we shouldn't need to tweak config files to make it work.
I hope you don't mind me chiming in... As I was doing my research I came across an issue (bug) that has already been reported where when the tun devices were being dynamically created, they were being created at the host system level and not within the jail itself. Meaning nothing on the jail would be able to see the tun device and why there could be upwards of 256 tun devices visible through ifconfig... The issue has been found on iocage 11.0, 11.1 and also in 11.2... Apparently it has been fixed and if I understood what I read correctly *fingers crossed*, then the fix should be included in the next FreeNAS 11.2 release. And according to the FreeNAS roadmap, the next release is due on 14 Nov 2018...
I'll be looking forward to going through the OP step by step after the next release! ;-) lol
Hello,
I'm totally green in the configuration of VPNs. Can you help me with the configuration of the VPN server? The client connects without problems, but after connecting it can't see the 172.16.1.0 subnet.
Regards, Stane
I just wanted to say wow and thanks for this step-by-step guide Bibi40k. It worked perfectly. Especially these last instructions on how to combine the client files into a single .ovpn file. That "key-direction 1" was very important and I missed it the first time :). I was able to build/configure an OpenVPN jail, open the .ovpn file on my iPad using the OpenVPN app and connected into my network via my external IP, awesome work Bibi40k.