Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

andrea689

Cadet
Joined
Apr 23, 2016
Messages
4
Ok, I gave it another try with dev tun0 in my openvpn.conf
Code:
root@openvpn:~ # ifconfig tun create
tun1

Restarted openvpn, but nothing:
Code:
Sep 13 15:35:59 openvpn openvpn[8925]: TUN/TAP device tun1 exists previously, keep at program end
Sep 13 15:35:59 openvpn openvpn[8925]: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
Sep 13 15:35:59 openvpn openvpn[8925]: Exiting due to fatal error

ifconfig lists both tun0 and tun1, ll /dev/tun* lists nothing.

Your solution doesn't seem to work for me. I think I'd better wait for another FreeNAS upgrade.. :(

I have found the solution!!
https://forums.freenas.org/index.ph...es-in-new-jails-after-11-1.59828/#post-426724
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
I did come across this post and ran the command, but it didn't work for me. Then I found the solution I wrote before and it worked. Maybe this step was necessary for my solution to work and I didn't realize it. If that's the case, you should give it another shot @memel.parduin. Could you elaborate @andrea689? Do you have the same symptoms as us and have to use my solution? Or is the devfs command enough for you (i.e. you can reboot the jail / host and it works without any further steps)?
 

andrea689

Cadet
Joined
Apr 23, 2016
Messages
4
Yes, I have the same symptoms as you. I stopped the jail, ran the command devfs rule -s 4 add path 'tun*' unhide and restarted the jail.
I have also added the command as a pre-init script and as a post-init script, but it doesn't work! :-(
When I restart FreeNAS I have to repeat the command and restart the jail.
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
Right now, I restarted FreeNAS and my jail is configured with dev tun4. But since it doesn't work after restart, I applied my solution with dev tun0, and this is what I get :
Code:
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ff:60:9b:c8:80
	hwaddr 02:63:10:00:0f:0b
	inet 192.168.3.202 netmask 0xffffff00 broadcast 192.168.3.255
	nd6 options=1<PERFORMNUD>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair
tun4: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=1<PERFORMNUD>
	groups: tun
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet 10.8.1.1 --> 10.8.1.2  netmask 0xffffff00
	nd6 options=1<PERFORMNUD>
	groups: tun
	Opened by PID 8286

Code:
# ls /dev/
crypto	fd	log	null	ptmx	pts	random	stderr	stdin	stdout	tun0	urandom	zero	zfs
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
I don't complain: my solution works for me, so I can stay with 11.2 BETA3 until this is fixed. Thanks for sharing your experience though.
 

diskdiddler

Wizard
Joined
Jul 9, 2014
Messages
2,377
How much of this install could be scripted to make a plugin (or a half plugin, that does 2/3 of the work?)
 

Bob_vdH

Cadet
Joined
Jan 31, 2017
Messages
5
Don't know how to make a plugin, but I try to keep a "log" on how I create jails.
Thanks to this excellent writeup, I used the "script" below.

Did some search-replace to remove my settings and use the examples in the writeup.

I would say that more than 2/3 can be scripted :)

Code:
# Refresh the package catalogue, update pkg itself, then install OpenVPN and
# mpack (mpack is used at the end to mail the client bundle).
pkg update
pkg install -y pkg
pkg upgrade -y

pkg install -y openvpn mpack

mkdir -p /usr/local/etc/openvpn/keys

# Start from the sample server config and a private copy of easy-rsa, so the
# PKI lives next to the OpenVPN config.
cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

# Uncomment and fill the request fields in easy-rsa's vars (values from the
# writeup; replace them with your own).
VARS=/usr/local/etc/openvpn/easy-rsa/vars
sed -i '' 's/^#set_var EASYRSA_REQ_COUNTRY.*$/set_var EASYRSA_REQ_COUNTRY "US"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_REQ_PROVINCE.*$/set_var EASYRSA_REQ_PROVINCE "California"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_REQ_CITY.*$/set_var EASYRSA_REQ_CITY "San Francisco"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_REQ_ORG.*$/set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_REQ_EMAIL.*$/set_var EASYRSA_REQ_EMAIL "me@mydomain.com"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_REQ_OU.*$/set_var EASYRSA_REQ_OU "My Organizational Unit"/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_KEY_SIZE.*$/set_var EASYRSA_KEY_SIZE 2048/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_CA_EXPIRE.*$/set_var EASYRSA_CA_EXPIRE 3650/' "$VARS"
sed -i '' 's/^#set_var EASYRSA_CERT_EXPIRE.*$/set_var EASYRSA_CERT_EXPIRE 3650/' "$VARS"

cd /usr/local/etc/openvpn/easy-rsa

# easyrsa prompts on the terminal, so the answers are fed through script(1),
# which gives it a pty. Answers for build-ca: CA pass phrase, confirmation,
# CA common name (the writeup's name; keep it distinct from the server
# certificate's CN so the two are not confused later).
# NOTE: the pass phrases sit in this file in clear text; keep it readable by
# root only and change Password1 / Password2 before using it.
./easyrsa.real init-pki
script -q /dev/null ./easyrsa.real build-ca << ENDDOC
Password1
Password1
OpenVPN FreeNAS CA
ENDDOC

# Server certificate without a pass phrase (OpenVPN has to start unattended);
# the CA pass phrase authorizes the signing.
script -q /dev/null ./easyrsa.real build-server-full openvpn-server nopass << ENDDOC
Password1
ENDDOC

# Client certificate: client pass phrase, confirmation, then the CA pass phrase.
script -q /dev/null ./easyrsa.real build-client-full Bibi40k << ENDDOC
Password2
Password2
Password1
ENDDOC

./easyrsa.real gen-dh

cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/

# Shared HMAC key for tls-auth
openvpn --genkey --secret /usr/local/etc/openvpn/keys/ta.key

# Point the sample server config at the generated files, push the LAN route,
# require client certificates to carry the client EKU, and drop privileges.
CONF=/usr/local/etc/openvpn/openvpn.conf
sed -i '' 's#^ca ca.crt$#ca /usr/local/etc/openvpn/keys/ca.crt#' "$CONF"
sed -i '' 's#^cert server.crt$#cert /usr/local/etc/openvpn/keys/openvpn-server.crt#' "$CONF"
sed -i '' 's#^key server.key.*$#key /usr/local/etc/openvpn/keys/openvpn-server.key#' "$CONF"
sed -i '' 's#^dh dh2048.pem$#dh /usr/local/etc/openvpn/keys/dh.pem#' "$CONF"
sed -i '' 's#^;push "route 192.168.20.0 255.255.255.0"$#push "route 192.168.1.0 255.255.255.0"#' "$CONF"
sed -i '' 's#^tls-auth ta.key 0.*#tls-auth /usr/local/etc/openvpn/keys/ta.key 0\
remote-cert-tls client#' "$CONF"
sed -i '' 's#^;user nobody$#user nobody#' "$CONF"
sed -i '' 's#^;group nobody$#group nobody#' "$CONF"

# Client profile: public port 443 (the router forwards it to 1194 in the jail).
CLIENT=/usr/local/etc/openvpn/Bibi40k.conf
cp /usr/local/share/examples/openvpn/sample-config-files/client.conf "$CLIENT"
sed -i '' 's#^remote .*#remote nas.mydomain.com 443#' "$CLIENT"
sed -i '' 's#^cert client.crt$#cert Bibi40k.crt#' "$CLIENT"
sed -i '' 's#^key client.key$#key Bibi40k.key#' "$CLIENT"

# NAT for the VPN subnet behind the jail's epair interface, which is looked up
# at run time because its number can change. The quoted heredoc keeps the $()
# and ${} for the generated script instead of expanding them now. The last two
# lines rename the first tun interface to tun0 so it has a predictable name
# (a workaround for the tun numbering problem discussed earlier in the thread).
cat > /usr/local/etc/ipfw.rules << 'ENDDOC'
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun | head -n 1)
ifconfig ${TUN} name tun0
ENDDOC

# Enable OpenVPN, IP forwarding and the NAT firewall script (skipped if the
# script has already been run against this rc.conf).
grep -q openvpn_configfile /etc/rc.conf && echo "An openvpn_configfile line already present" || cat >> /etc/rc.conf << 'ENDDOC'
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn/"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
ENDDOC

# Send OpenVPN's messages to their own log file (inserted before the final
# "!*" line of syslog.conf) and rotate it daily.
grep -q openvpn.log /etc/syslog.conf && echo "An openvpn.log line already present" || sed -i '' 's#^!\*$#!openvpn\
\*\.\*                                  /var/log/openvpn.log\
!\*#' /etc/syslog.conf

echo '/var/log/openvpn.log  600  30  *  @T00  ZC' > /etc/newsyslog.conf.d/openvpn.conf

# Restart the jail to bring everything up
 

Jost Wittmann

Dabbler
Joined
Feb 23, 2014
Messages
34
Hello there,
I struggled a long time trying to get OpenVPN running in a jail in FreeNAS. A friend of mine helped me get things done using a workaround (you might call it cheating), but maybe it helps somebody else:
I installed Debian (netinstall, minimal) as a VM in FreeNAS, and then the OpenVPN Access Server within Debian. Far less hassle than any other alternative I came across, and it has been running now for some months without any troubles.
 

xman111

Dabbler
Joined
Sep 25, 2018
Messages
26
Is this to set up an OpenVPN server or client within a FreeNAS jail? I am a little confused.
 

Jost Wittmann

Dabbler
Joined
Feb 23, 2014
Messages
34
Is this to set up an OpenVPN server or client within a FreeNAS jail? I am a little confused.
Sorry for the confusion. Server. OpenVPN Access Server.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I had it working in a warden jail for a number of years, and more recently in an iocage jail for the last 3-4, and it works perfectly. I'm not against running VMs (I have one running 24x7 for CrashPlan/Docker), but if it's working in a jail, a VM is just unnecessary overhead.
 

xman111

Dabbler
Joined
Sep 25, 2018
Messages
26
When I do sockstat -4 -l, I get nothing about OpenVPN; any way to troubleshoot this? Does it have to be done as root? I did it as a user because I couldn't get past the sudo command.
 

Greg161

Dabbler
Joined
Apr 10, 2016
Messages
16
Hi,
I am new to this community and I decided to mix info from the How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT and OpenVPN On FreeBSD 10.3 tutorials.
Please report any inconsistencies.

change-log: 0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and test everything from scratch following all the steps
0.2 - 2018.02.17 - Beautify code and few more details
0.1 - 2018.02.16 - First release

Legend:
  1. Green text - should remain as it is
  2. Blue text - you may change it if you like
  3. Red text - needs to be changed by you

Requirements:
  1. FreeNAS 11.1-U1 (may work with other versions too)
  2. FreeNAS user with SSH access and sudo
  3. SSH client (PuTTY for Windows, Terminal for Mac)
  4. Admin access to the router where FreeNAS lives
  5. Your own domain, a domain updated by DDNS, or a static IP
  6. Please follow this step-by-step tutorial before asking for help
Relevant data to use later in this tutorial ( use your own, this is just for reference )
  1. Home Network: 192.168.1.0/24 (the LAN where your FreeNAS is)
  2. NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
  3. Domain: nas.mydomain.com
  4. VPN Server Port: 1194 UDP
  5. VPN Outside Access Port: 443 UDP
  6. Certificate Authority Password: Password1
  7. Bibi40k Client Certificate Password: Password2

3,2,1.. START

Use FreeNAS Web GUI
Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )

SSH to your FreeNAS box
Code:
% jls
JID	 IP Address	Hostname	  Path
...
4					 OpenVPN	   /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:

Get everything updated and install necessary apps
Code:
# pkg update
# pkg upgrade -y
# pkg install -y nano openvpn mpack

Create directories for OpenVPN
Code:
# mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/keys

Copy necessary files
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa

Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
# cd /usr/local/etc/openvpn/easy-rsa
# nano vars

if [ -z "$EASYRSA_CALLER" ]; then
	echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
	echo "This is no longer necessary and is disallowed. See the section called" >&2
	echo "'How to use this file' near the top comments for more details." >&2
	return 1
fi

set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "San Francisco"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL "me@mydomain.com"
set_var EASYRSA_REQ_OU "My Organizational Unit"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650

Generate Keys
Code:
# ./easyrsa.real init-pki
Note: using Easy-RSA configuration from: ./vars
init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki

Build Certificate Authority (follow the instructions using Password1 and a common name)
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName	  :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Build Client Certificate (use a unique name for each certificate; here Bibi40k with Password2, authorized with the CA pass phrase Password1)
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName	  :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Generate Diffie Hellman Parameters ( /usr/local/etc/openvpn/easy-rsa/pki/dh.pem )
Code:
# ./easyrsa.real gen-dh
Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........................................................................................................
...........................................................................................................
......................................................................................+...................
...........................................................................................................
.............................................................+............................................
...........................................................................................................
.............................+......................................................+...................
.......+.................................................................................................
..........................................................................................................
..............................................................................+..................+.....
...
...................................................................................+....................
.........................................................................................................
.........................................................................................................
...+....................................................................................................
..........+..........................++*++*
DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem

Generate the TA key
Code:
# openvpn --genkey --secret ta.key

Copy Keys Together
Code:
# cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
# cp ta.key /usr/local/etc/openvpn/keys/
# cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/

OpenVPN ( edit /usr/local/etc/openvpn/openvpn.conf )
Code:
# cd /usr/local/etc/openvpn/
# nano openvpn.conf

port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"

keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1

Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/Bibi40k.conf
# nano Bibi40k.conf

client
dev tun
proto udp
remote nas.mydomain.com 443

resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt

key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.1.1
#redirect-gateway def1
verb 3

Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add green text )
Code:
# nano /usr/local/etc/ipfw.rules

More configuration ( edit /etc/rc.conf and add green text at the end of the file )
Code:
# nano /etc/rc.conf

Setup Logging (edit /etc/syslog.conf)
Code:
# nano /etc/syslog.conf

Setup log rotation (edit /etc/newsyslog.conf)
Code:
# nano /etc/newsyslog.conf

Use FreeNAS Web GUI
Jails -> Select OpenVPN Jail -> Restart

SSH to your FreeNAS box and make some checks
Code:
% jls
JID  IP Address   Hostname		Path
...
5				 OpenVPN		 /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any
# sockstat -4 -l
USER	COMMAND  PID	FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194		 *:*
root	syslogd  64803  7   udp4   *:514		  *:*

Let's send our OpenVPN client files and test the connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
Could you add to the part about checks that it is sometimes necessary to restart the whole FreeNAS server, not only the OpenVPN jail, because there can be a problem with the routes; they are built properly after restarting the whole server.
 

okenok

Cadet
Joined
Oct 22, 2018
Messages
1
Yes, I have the same symptoms as you. I stopped the jail, ran the command devfs rule -s 4 add path 'tun*' unhide and restarted the jail.
I have also added the command as a pre-init script and as a post-init script, but it doesn't work! :-(
When I restart FreeNAS I have to repeat the command and restart the jail.

Same issue here, but I edited the /etc/defaults/devfs.rules file and added add path 'tun*' unhide. It worked, but I hope they'll fix the issue; OpenVPN is widely used and we shouldn't need to tweak config files to make it work.
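The symptom traded back and forth above (tun interfaces listed by ifconfig, no matching /dev/tun node, OpenVPN failing with errno=2) and the devfs unhide rule that clears it, as an added shell example that is not code from any post in this thread. The ruleset name devfsrules_jail_tun and its number 5 are my assumptions; 4 is devfsrules_jail from /etc/defaults/devfs.rules, the set that the `devfs rule -s 4 add ...` command above modifies at run time. The interface and device lists used in the stand-alone check are read from the live system; the ones in the test are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: check whether the tun interfaces the jail
# sees in `ifconfig -l` are backed by nodes in the jail's /dev, and print the
# /etc/devfs.rules stanza that unhides them. Ruleset name/number are assumed.

# tun_without_nodes IFLIST DEVLIST
#   IFLIST  : space-separated interface names (output of `ifconfig -l`)
#   DEVLIST : space-separated entries of /dev   (output of `ls /dev`)
# Prints each tun interface that has no matching device node. OpenVPN opens
# /dev/tunN, so every name printed here reproduces the errno=2 failure above.
tun_without_nodes() {
    iflist=$1
    devlist=$2
    for ifn in $iflist; do
        case $ifn in
            tun*) ;;
            *) continue ;;
        esac
        found=0
        for dev in $devlist; do
            if [ "$dev" = "$ifn" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$ifn"
        fi
    done
    return 0
}

# devfs_jail_tun_ruleset NUM
# Prints a stanza for /etc/devfs.rules that inherits the stock jail ruleset
# (devfsrules_jail) and adds the unhide rule the thread settled on. Keeping it
# in /etc/devfs.rules rather than /etc/defaults/devfs.rules survives upgrades;
# the jail's devfs ruleset then has to be pointed at NUM.
devfs_jail_tun_ruleset() {
    printf '[devfsrules_jail_tun=%s]\n' "$1"
    printf 'add include $devfsrules_jail\n'
    printf "add path 'tun*' unhide\n"
}

# Run inside the jail with no arguments to check the live system. `ifconfig -l`
# is a BSD flag, so the live check is skipped elsewhere.
if [ "$#" -eq 0 ] && [ "$(uname -s)" = "FreeBSD" ]; then
    missing=$(tun_without_nodes "$(ifconfig -l)" "$(ls /dev)")
    if [ -n "$missing" ]; then
        echo "tun interfaces without /dev nodes: $missing"
        echo "Add this to /etc/devfs.rules on the host and point the jail at ruleset 5:"
        devfs_jail_tun_ruleset 5
    else
        echo "every tun interface has a device node"
    fi
fi
```

Unlike the run-time `devfs rule -s 4 add path 'tun*' unhide`, which the posts above report does not survive a host reboot, a stanza in /etc/devfs.rules is applied by the devfs rc script at every boot, so the jail keeps its tun node without a pre-init or post-init script.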
 

Brad1976

Dabbler
Joined
Mar 31, 2015
Messages
40
I hope you don't mind me chiming in... As I was doing my research I came across an issue (bug) that has already been reported where when the tun devices were being dynamically created, they were being created at the host system level and not within the jail itself. Meaning nothing on the jail would be able to see the tun device and why there could be upwards of 256 tun devices visible through ifconfig... The issue has been found on iocage 11.0, 11.1 and also in 11.2... Apparently it has been fixed and if I understood what I read correctly *fingers crossed*, then the fix should be included in the next FreeNAS 11.2 release. And according to the FreeNAS roadmap, the next release is due on 14 Nov 2018...

I'll be looking forward to going through the OP step by step after the next release! ;-) lol
 

Stane1210

Cadet
Joined
Nov 3, 2018
Messages
1
Hello,
I'm totally green when it comes to VPN configuration. Can you help me with the configuration of the VPN server? The client connects without problem, but after connecting it can't see the 172.16.1.0 subnet.
Regards, Stane

jail release 11.2 U4
172.16.1.1 gateway
172.16.1.5 jail with openvpn
172.16.1.3 vpn client
10.9.0.0 255.255.255.0 vpn subnet

after vpn connection

VPN client IP 10.9.0.2

Code:
topology subnet
port 1194
proto tcp
dev tun0
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.9.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.1.0 255.255.255.0"
route 172.16.0.5 255.255.255.0 10.9.0.1
#push "dhcp-option DNS 172.16.1.1"
#push "dhcp-option DNS 10.9.0.1"
#push "redirect-gateway def1 local"
tls-auth /usr/local/etc/openvpn/keys/ta.key
keepalive 10 120
cipher AES-256-CBC
#auth SHA256
group nobody
user nobody
#comp-lzo
persist-key
persist-tun
management localhost 7505
verb 7
 

Martin99

Cadet
Joined
Nov 8, 2018
Messages
5
You generate all the necessary files, then you open the .conf file with OpenVPN. If it does not recognize .conf, rename it to .ovpn.

If you want, you can also copy the certificates from each file into the .conf instead of that link/path.

It is the same thing.

Bibi40k.conf
ca.crt
Bibi40k.crt
Bibi40k.key
ta.key


Example:

client
dev tun
proto udp
remote myserver.com 11941
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass

<ca>
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIJAPZi8xHec85GMA0GCSqGSIb3DQEBCwUAMB0xGzAZBgNV
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAdMRswGQYDVQQDDBJPcGVu
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIecU3Dsb/F/UCAggA
-----END ENCRYPTED PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
ea2e6d2f985acdcdc716b6109b284e28
-----END OpenVPN Static key V1-----
</tls-auth>


I just wanted to say wow and thanks for this step-by-step guide Bibi40k. It worked perfectly. Especially these last instructions on how to combine the client files into a single .ovpn file. That "key-direction 1" was very important and I missed it the first time :). I was able to build/configure an OpenVPN jail, open the .ovpn file on my iPad using the OpenVPN app and connected into my network via my external IP, awesome work Bibi40k.
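Folding the five client files into one profile, as the post above does by hand and as an alternative to the tar-and-mpack step at the end of the tutorial, as an added shell example that is not code from any post in this thread. It assumes the tutorial's file names (Bibi40k.conf, with ca.crt, Bibi40k.crt, Bibi40k.key and ta.key in the keys directory); refusing to bundle a profile that lacks `remote-cert-tls server` is my addition, and make_sample_profile writes constructed placeholder text, not real key material.

```sh
#!/bin/sh
# Added example, not from the thread: build a single .ovpn with the CA, client
# certificate, client key and tls-auth key inline. File names follow the
# tutorial; the sample material below is constructed placeholder text.

# inline_block TAG FILE -> wraps FILE's contents in <TAG> ... </TAG>
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# conf_arg CONF OPTION N -> the N-th argument of OPTION in CONF (empty if absent)
conf_arg() {
    awk -v opt="$2" -v n="$3" '$1 == opt { print $(n + 1) }' "$1"
}

# build_ovpn CONF DIR -> prints the unified profile on stdout.
# Refuses (exit 1) when the profile lacks "remote-cert-tls server": without it
# any client certificate from the same CA is accepted as the server, so another
# VPN user could impersonate nas.mydomain.com to this client.
build_ovpn() {
    conf=$1
    dir=$2
    if ! grep -q '^remote-cert-tls[[:space:]][[:space:]]*server' "$conf"; then
        echo "build_ovpn: $conf lacks 'remote-cert-tls server'" >&2
        return 1
    fi
    ca=$(conf_arg "$conf" ca 1)
    cert=$(conf_arg "$conf" cert 1)
    key=$(conf_arg "$conf" key 1)
    ta=$(conf_arg "$conf" tls-auth 1)
    direction=$(conf_arg "$conf" tls-auth 2)

    # Everything except the four file references is copied through unchanged.
    grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$conf"
    inline_block ca "$dir/$ca"
    inline_block cert "$dir/$cert"
    inline_block key "$dir/$key"
    if [ -n "$ta" ]; then
        # The direction argument of "tls-auth ta.key 1" has no place inside the
        # <tls-auth> block; it must become key-direction, or the client uses the
        # HMAC keys in the server's order and every packet fails authentication.
        printf 'key-direction %s\n' "$direction"
        inline_block tls-auth "$dir/$ta"
    fi
}

# pem_placeholder LABEL BODY FILE -> writes a PEM-shaped placeholder (not a key)
pem_placeholder() {
    printf '%s\n%s\n%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----" > "$3"
}

# make_sample_profile DIR -> writes a constructed Bibi40k profile into DIR
make_sample_profile() {
    dir=$1
    cat > "$dir/Bibi40k.conf" <<'EOF'
client
dev tun
proto udp
remote nas.mydomain.com 443
nobind
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
    pem_placeholder CERTIFICATE PLACEHOLDER-CA "$dir/ca.crt"
    pem_placeholder CERTIFICATE PLACEHOLDER-CLIENT "$dir/Bibi40k.crt"
    pem_placeholder 'ENCRYPTED PRIVATE KEY' PLACEHOLDER-KEY "$dir/Bibi40k.key"
    pem_placeholder 'OpenVPN Static key V1' PLACEHOLDER-TA "$dir/ta.key"
}

# Usage: sh build-ovpn.sh /usr/local/etc/openvpn/Bibi40k.conf /usr/local/etc/openvpn/keys > Bibi40k.ovpn
# With no arguments, demonstrate on the constructed sample profile.
if [ "$#" -eq 2 ]; then
    build_ovpn "$1" "$2"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    make_sample_profile "$tmp"
    build_ovpn "$tmp/Bibi40k.conf" "$tmp"
    rm -r "$tmp"
fi
```

The resulting .ovpn carries the client's private key (pass-phrase protected with Password2 in the tutorial's flow), so it should travel to the client over a channel you trust, and leftover copies in the jail should be removed once it has been delivered.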
 