Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

vrtareg

Dabbler
Joined
Apr 8, 2017
Messages
15
Hi
Thanks a lot for this guide.
I have followed it and faced some issues:
  • For the latest clients and versions it is necessary to uncomment the following in the server configuration:
/usr/local/etc/openvpn/openvpn.conf
Code:
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
compress lz4-v2
push "compress lz4-v2"


  • To allow full NAT and full traffic redirect, uncomment:
Code:
topology subnet

Code:
push "redirect-gateway def1 bypass-dhcp"

Code:
push "dhcp-option DNS <Your DNS - possibly from local router>"


  • Secured connection with One Time code using Google Authenticator
https://joepaetzel.com/2014/05/14/google-authenticator-on-freenas/
https://joepaetzel.com/2014/05/20/enable-multi-factor-authentication-for-openvpn/

Added file /etc/pam.d/openvpn
Code:
auth requisite pam_google_authenticator.so forward_pass
auth required  pam_unix.so                 use_first_pass


Added 2 lines in Server Config
Code:
# Adding PAM Auth using Google Auth
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
reneg-sec 0


In client configuration added:
Code:
auth-user-pass


Thanks a lot !
 

anakin827

Dabbler
Joined
Jun 18, 2015
Messages
16
Thanks for the great writeup. I have everything configured as outlined in this tutorial and I can connect to the VPN. However, I cannot ping within the 10.8.x.x subnet and can only ping my gateway 192.168.0.1 and nothing more.

My router does not have the ability to configure static routes, so would it make sense to configure that on the NAS itself? I can post configs if needed.
 

vrtareg

Dabbler
Joined
Apr 8, 2017
Messages
15
There is a line in the OpenVPN configuration file that allows clients to see each other.
With that line commented out, the server blocks cross traffic.
Code:
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client
 

anakin827

Dabbler
Joined
Jun 18, 2015
Messages
16
Thanks for the quick reply, so that lets me ping and connect within the 10.8.x.x network, but I still cannot access anything in my internal network on the 192.168.0.x side.
 

vrtareg

Dabbler
Joined
Apr 8, 2017
Messages
15
I have seen that kind of behaviour.
In my FreeNAS with the OpenVPN jail, if I restart that jail for a configuration change it fails to start correctly, and it even crashed the NAS 2 times.
The only way to recover the OpenVPN jail settings and NAT configuration is to fully restart the FreeNAS box.
I have seen this in some forums and raised a bug on the tracker.
 

anakin827

Dabbler
Joined
Jun 18, 2015
Messages
16
That didn't work either. Rebooting actually caused me to have to run this command on the host to allow dynamic allocation of the tun adapter:

devfs rule -s 4 add path 'tun*' unhide

Any way to make that persistent through reboots?

And any advice on non-comms?
 
Last edited:

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
Relevant data to use later in this tutorial ( use your own, this is just for reference )
  1. Home Network: 192.168.1.0/24 ( LAN where is your FreeNAS )
  2. NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
  3. Domain: nas.mydomain.com
  4. VPN Server Port: 1194 UDP
  5. VPN Outside Access Port: 443 UDP
  6. Certificate Authority Password: Password1
  7. Bibi40k Client Certificate Password: Password2

• How complex should Password1 and Password2 be?

8 chars? 12? 16+?
Upper and lowercase?
Numbers?
Symbols?

• What are alternative NAT addresses one might use (and why)?
• What are alternative VPN server ports one might use (and why)?
• What are alternative VPN outside access ports one might use (and why)?
• What are alternatives to Bibi40k (why did you choose it)?

.
.
.

Use FreeNAS Web GUI
Jails -> Add Jail ( Jail Name: OpenVPN, keep default settings )

• Is VNET necessary if DHCP is not used?

.
.
.

Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
set_var EASYRSA_REQ_COUNTRY     "US"
set_var EASYRSA_REQ_PROVINCE    "California"
set_var EASYRSA_REQ_CITY        "San Francisco"
set_var EASYRSA_REQ_ORG         "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL       "me@mydomain.com"
set_var EASYRSA_REQ_OU          "My Organizational Unit"
set_var EASYRSA_KEY_SIZE        2048
set_var EASYRSA_CA_EXPIRE       3650
set_var EASYRSA_CERT_EXPIRE     3650

• set_var EASYRSA_REQ_ORG:
Is this just your company?

• set_var EASYRSA_REQ_OU:
What are examples of this?

.
.
.

Build Certificate Authority ( follow instructions using Password1 and common name )
Code:
# ./easyrsa.real build-ca
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase:Password1
Verifying - Enter PEM pass phrase:Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt

Can you redden the input values in the code?
[In this case, Password1.]

Can you blueen the input values in the code?
[In this case, OpenVPN FreeNAS CA.]

.
.
.

Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key:Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Can you redden the input values in the code?
[In this case, Password1.]

.
.
.

Build Client Certificate ( use unique name for each certificate, use Bibi40k with Password2 and authorize with Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k
Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName      :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated

Can you redden the input values in the code?
[In this case, Password2 and Password1.]

.
.
.

Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
;remote my-server-1 1194
remote nas.mydomain.com 443

• Can you greenen the semicolon in:

;remote my-server-1 1194

(or the whole line for visibility) -
the semicolon is not included in the original.
 

angelcos

Cadet
Joined
Dec 15, 2018
Messages
3
It's a perfect HowTo.

I followed it with the most recent version of FreeNAS (11.2 December update) and almost everything worked at the first attempt. The first error that I found was this:

Dec 15 23:04:26 OpenVPN openvpn[19849]: Cannot allocate TUN/TAP dev dynamically
Dec 15 23:04:26 OpenVPN openvpn[19849]: Exiting due to fatal error

That was my mistake, I did not restart FreeNAS completely and this is clearly indicated in one of the steps.

The second error after restart was this:

Dec 15 23:14:09 OpenVPN openvpn[4812]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Dec 15 23:14:09 OpenVPN openvpn[4812]: Closing TUN/TAP interface
Dec 15 23:14:09 OpenVPN openvpn[4812]: /sbin/ifconfig tun0 destroy
Dec 15 23:14:09 OpenVPN openvpn[4812]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
Dec 15 23:14:09 OpenVPN openvpn[4812]: SIGTERM[hard,] received, process exiting

And after looking a bit I found another post where they talked about this topic and explained the solution.
The only thing I had to do that does not appear in this tutorial is the following:

When you finish all the steps, you have to stop the openvpn jail and, from the shell of FreeNAS, enable the TUN option for the jail with this command:
iocage set allow_tun=1 <openvpn-jail-name>

Then restart the whole FreeNAS host again. If the error persists, simply connect to the shell of the jail and execute service openvpn restart.
It should work.

Bibi40k, could you update the post with this last step?
Thank you so much!! It helps a lot.
 

angelcos

Cadet
Joined
Dec 15, 2018
Messages
3
Every time that I restart the jail or the FreeNAS host I have to connect by ssh to the jail and restart the vpn (service openvpn restart) to make it work again.

Always the same logs:

Sun Dec 16 01:07:22 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Sun Dec 16 01:07:22 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec 16 01:07:22 2018 Could not determine IPv4/IPv6 protocol. Using AF_INET6
Sun Dec 16 01:07:22 2018 Socket Buffers: R=[42080->42080] S=[9216->9216]
Sun Dec 16 01:07:22 2018 setsockopt(IPV6_V6ONLY=0)
Sun Dec 16 01:07:22 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Sun Dec 16 01:07:22 2018 Exiting due to fatal error
Sun Dec 16 01:07:22 2018 Closing TUN/TAP interface
Sun Dec 16 01:07:22 2018 /sbin/ifconfig tun1 destroy

Can someone help me?
 

angelcos

Cadet
Joined
Dec 15, 2018
Messages
3
I'm sorry .. I think it works great ... I was reviewing the logs before trying the VPN and that's why I thought it did not work. It must be that when starting the jail something fails .. But then the service starts automatically, although appears in the log that something failed ... testing the vpn I check that everything is OK.

The vpn gets up and works normally even if the jail or the freenas host is restarted

Thanks!!
 

Adures

Dabbler
Joined
May 2, 2017
Messages
44
Hi
I am on FreeNAS-11.2-RELEASE
jail is also 11.2-RELEASE

I still get the problem with the TUN/TAP interface and as far as I know it already should be resolved?
Here is the error.

openvpn --config /usr/local/etc/openvpn/openvpn.conf
Tue Dec 18 01:01:43 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 6 2018
Tue Dec 18 01:01:43 2018 library versions: OpenSSL 1.0.2o-freebsd 27 Mar 2018, LZO 2.10
Tue Dec 18 01:01:43 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Dec 18 01:01:43 2018 Diffie-Hellman initialized with 2048 bit key
Tue Dec 18 01:01:43 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 18 01:01:43 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Dec 18 01:01:43 2018 Cannot allocate TUN/TAP dev dynamically
Tue Dec 18 01:01:43 2018 Exiting due to fatal error

Any ideas what might be causing the problem?
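
The failure messages posted in this thread can be told apart mechanically. The following Python script is an added example, not part of any post: it strips the two timestamp formats seen above and maps each message to its cause and to the remedy the participants reported. The rule names and function names are made up for the example, and the sample lines are copied from the posts.

```python
"""Triage OpenVPN server log lines like the ones posted in this thread."""
import re

# The two prefixes seen in the thread: syslog lines and OpenVPN's own
# timestamped output. Group 1 is the bare message.
SYSLOG = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ openvpn\[\d+\]: (.*)$")
STAMPED = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} (.*)$")
FATAL = "Exiting due to fatal error"

# (hypothetical rule name, pattern, note). Remedies are the ones reported in the thread.
RULES = [
    ("tun-not-exposed", re.compile(r"Cannot allocate TUN/TAP dev dynamically"),
     "the jail has no tun device it can open; thread remedies: host "
     "`devfs rule -s 4 add path 'tun*' unhide` or "
     "`iocage set allow_tun=1 <jail>`, then restart the FreeNAS host"),
    ("port-in-use", re.compile(r"Socket bind failed on local address .*Address already in use"),
     "the port is already bound, typically by an OpenVPN instance that is "
     "still running; check `sockstat -l` before starting another one"),
    ("stale-route", re.compile(r"route add command failed"),
     "the route for the VPN subnet already exists, usually installed by an "
     "instance that is still running"),
    ("shutdown-noise", re.compile(r"route delete command failed|'destroy tun interface' failed"),
     "logged while the process is already shutting down; the cause is earlier in the log"),
]

def message(line):
    """Return the OpenVPN message with any timestamp prefix removed."""
    for pattern in (SYSLOG, STAMPED):
        m = pattern.match(line)
        if m:
            return m.group(1)
    return line.strip()

def triage(log_text):
    """Return (line number, rule name, note) for every recognised line."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        msg = message(line)
        for name, pattern, note in RULES:
            if pattern.search(msg):
                findings.append((number, name, note))
                break
    return findings

def fatal_cause(log_text):
    """Name of the last recognised problem before the fatal exit, or None."""
    last = None
    for line in log_text.splitlines():
        msg = message(line)
        if FATAL in msg:
            return last
        for name, pattern, _ in RULES:
            if pattern.search(msg):
                last = name
                break
    return None

# Sample lines copied from the posts above.
SAMPLE_TUN = """\
Dec 15 23:04:26 OpenVPN openvpn[19849]: Cannot allocate TUN/TAP dev dynamically
Dec 15 23:04:26 OpenVPN openvpn[19849]: Exiting due to fatal error
"""
SAMPLE_BIND = """\
Sun Dec 16 01:07:22 2018 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Sun Dec 16 01:07:22 2018 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Sun Dec 16 01:07:22 2018 TCP/UDP: Socket bind failed on local address [AF_INET6][undef]:1194: Address already in use (errno=48)
Sun Dec 16 01:07:22 2018 Exiting due to fatal error
"""

if __name__ == "__main__":
    for label, sample in (("tun", SAMPLE_TUN), ("bind", SAMPLE_BIND)):
        print(label, "fatal cause:", fatal_cause(sample))
        for number, name, note in triage(sample):
            print(f"  line {number}: {name}: {note}")
```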
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
With regard to:

SSH to your FreeNAS box and make some checks
Code:
% jls
JID  IP Address   Hostname        Path
...
5                 OpenVPN         /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 IP from 10.8.0.0/24 to any out via epair0b
00200 nat 1 IP from any to any in via epair0b
65535 allow IP from any to any
# sockstat -4 -l
USER    COMMAND  PID    FD  PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
nobody  openvpn  64842  7   udp46  *:1194         *:*
root    syslogd  64803  7   udp4   *:514          *:*

Should I be seeing something under the sockstat -4 -l command?
(Restarted entire system.)

Code:
[root@Deetz ~]# iocage restart openVPN
* Stopping openVPN
  + Running prestop OK
  + Stopping services OK
  + Tearing down VNET OK
  + Removing devfs_ruleset: 6 OK
  + Removing jail process OK
  + Running poststop OK
* Starting openVPN
  + Started OK
  + Configuring VNET OK
  + Starting services OK
[root@Deetz ~]# iocage console openVPN
Last login: Sat Jan  5 15:39:56 on pts/1
root@openVPN:~ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
root@openVPN:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root@openVPN:~ #


.
.
.

Additionally, the subsequent instructions:

Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com

did not result in any email sent:

Code:
root@openVPN:~ # cd /usr/local/etc/openvpn/
root@openVPN:/usr/local/etc/openvpn # tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
root@openVPN:/usr/local/etc/openvpn # service sendmail onestart
Starting sendmail.
Starting sendmail_msp_queue.
root@openVPN:/usr/local/etc/openvpn # mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
root@openVPN:/usr/local/etc/openvpn # mpack -s "Bibi40k OpenVPN files" Bibi40k.tar nate.kando@gmail.com
root@openVPN:/usr/local/etc/openvpn #


I assumed the command was to be run from the openVPN jail on the freeNAS server
and would result in an email sent to my personal email address (substituted for me@mydomain.com)

Nothing was found in my inbox or spam folder.
 
Last edited:

AndiM202

Dabbler
Joined
Jan 6, 2019
Messages
13
Hi guys!
First I want to thank you for this very well explained tutorial with all required steps! Well done Bibi!

I am nearly done with all my different configurations, different ports, addresses etc.

I tried to complete your configuration by creating new iocage jails for the third time now...

OpenVPN Service is running like mentioned in the OP but I cannot connect to my Tunnel using configurations with OpenVPN for android.

Here is my Machine/Jail Configuration:
Code:
OS on my physical Server is a Debian 9.5
I am using FreeNAS with VirtualBox (Bridged Network)

private network behind hardware firewall: 192.168.0.0/24
router which going outside with network 192.168.1.0/24

OpenVPN 2.4.6 on FreeNAS 11.2 RC1 with 11.2 RELEASE-P4 iocage jail.

I am using DHCP (because when not using DHCP, ipfw doesn't work) with IP-Address 192.168.0.30

Here's my openvpn.conf:

Code:
local 192.168.0.30

port 1194

proto udp

dev tun

ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret

dh /usr/local/etc/openvpn/keys/dh.pem

server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

push "route 192.168.0.0 255.255.255.0"

client-to-client

keepalive 10 120

tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client

comp-lzo

user nobody
group nobody

persist-key
persist-tun

status openvpn-status.log

verb 3

explicit-exit-notify 1


Here my AndiM202.conf:
Code:
client

dev tun

proto udp

remote murkcloud.ddns.net 443
;remote my-server-2 1194

resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert AndiM202.crt
key AndiM202.key

remote-cert-tls server

tls-auth ta.key 1

cipher AES-256-CBC

comp-lzo

verb 3

# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.0.1
#redirect-gateway def1

When starting the openvpn server with the command openvpn --config openvpn.conf there is the following output:
Code:
Sun Jan  6 05:52:30 2019 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Dec 20 2018
Sun Jan  6 05:52:30 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Sun Jan  6 05:52:30 2019 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sun Jan  6 05:52:30 2019 Diffie-Hellman initialized with 2048 bit key
Sun Jan  6 05:52:30 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan  6 05:52:30 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Jan  6 05:52:30 2019 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:36:38:32
Sun Jan  6 05:52:30 2019 TUN/TAP device /dev/tun0 opened
Sun Jan  6 05:52:30 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jan  6 05:52:30 2019 /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Sun Jan  6 05:52:30 2019 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2
Sun Jan  6 05:52:30 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Sun Jan  6 05:52:30 2019 Socket Buffers: R=[42080->42080] S=[9216->9216]
Sun Jan  6 05:52:30 2019 UDPv4 link local (bound): [AF_INET]192.168.0.30:1194
Sun Jan  6 05:52:30 2019 UDPv4 link remote: [AF_UNSPEC]
Sun Jan  6 05:52:30 2019 GID set to nobody
Sun Jan  6 05:52:30 2019 UID set to nobody
Sun Jan  6 05:52:30 2019 MULTI: multi_init called, r=256 v=256
Sun Jan  6 05:52:30 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Sun Jan  6 05:52:30 2019 IFCONFIG POOL LIST
Sun Jan  6 05:52:30 2019 Initialization Sequence Completed


Is there a problem because I'm using a Bridged Network in VirtualBox? If yes, should I change the normally specified server address 10.8.0.0 to a bridged network? I am not aware of these other configurations because I am relatively new to this topic with FreeNAS and Jails...

I am using external port 443 and forwarded it from 443 UDP to 1194 UDP (canyouseeme.org says that Port is opened correctly)

Here my ifconfig:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8<VLAN_MTU>
    ether 02:ff:60:36:38:32
    hwaddr 02:6f:d0:00:05:0b
    inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
    status: active
    groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
    nd6 options=1<PERFORMNUD>
    groups: tun
    Opened by PID 5053


ipfw.rules:
Code:
#!/bin/sh
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0



When connecting with my Smartphone to the VPN it always says:
Code:
2019-01-06 15:02:51 official build 0.7.5 running on Xiaomi POCOPHONE F1 (sdm845), Android 9 (PKQ1.180729.001) API 28, ABI arm64-v8a, (Xiaomi/beryllium/beryllium:9/PKQ1.180729.001/V10.1.3.0.PEJMIFI:user/release-keys)
2019-01-06 15:02:51 New OpenVPN Status (USER_VPN_PERMISSION->LEVEL_WAITING_FOR_USER_INPUT):
2019-01-06 15:02:52 Building configuration…
2019-01-06 15:02:52 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2019-01-06 15:02:52 New OpenVPN Status (VPN_GENERATE_CONFIG->LEVEL_START):
2019-01-06 15:02:52 started Socket Thread
2019-01-06 15:02:52 Network Status: CONNECTED LTE to MOBILE webaut
2019-01-06 15:02:52 Debug state info: CONNECTED LTE to MOBILE webaut, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-01-06 15:02:52 Debug state info: CONNECTED LTE to MOBILE webaut, pause: userPause, shouldbeconnected: true, network: SHOULDBECONNECTED
2019-01-06 15:02:53 Current Parameter Settings:
2019-01-06 15:02:53   config = '/data/user/0/de.blinkt.openvpn/cache/android.conf'
2019-01-06 15:02:53   mode = 0
2019-01-06 15:02:53   show_ciphers = DISABLED
2019-01-06 15:02:53   show_digests = DISABLED
2019-01-06 15:02:53   show_engines = DISABLED
2019-01-06 15:02:53   genkey = DISABLED
2019-01-06 15:02:53   key_pass_file = '[UNDEF]'
2019-01-06 15:02:53   show_tls_ciphers = DISABLED
2019-01-06 15:02:53   connect_retry_max = 0
2019-01-06 15:02:53 Connection profiles [0]:
2019-01-06 15:02:53   proto = udp
2019-01-06 15:02:53   local = '[UNDEF]'
2019-01-06 15:02:53   local_port = '1194'
2019-01-06 15:02:53   remote = 'murkcloud.ddns.net'
2019-01-06 15:02:53   remote_port = '443'
2019-01-06 15:02:53   remote_float = DISABLED
2019-01-06 15:02:53   bind_defined = DISABLED
2019-01-06 15:02:53   bind_local = ENABLED
2019-01-06 15:02:53   bind_ipv6_only = DISABLED
2019-01-06 15:02:53   connect_retry_seconds = 2
2019-01-06 15:02:53   connect_timeout = 90
2019-01-06 15:02:53   socks_proxy_server = '[UNDEF]'
2019-01-06 15:02:53   socks_proxy_port = '[UNDEF]'
2019-01-06 15:02:53   tun_mtu = 1500
2019-01-06 15:02:53   tun_mtu_defined = ENABLED
2019-01-06 15:02:53   link_mtu = 1500
2019-01-06 15:02:53   link_mtu_defined = DISABLED
2019-01-06 15:02:53   tun_mtu_extra = 0
2019-01-06 15:02:53   tun_mtu_extra_defined = DISABLED
2019-01-06 15:02:53   mtu_discover_type = -1
2019-01-06 15:02:53   fragment = 0
2019-01-06 15:02:53   mssfix = 1450
2019-01-06 15:02:53   explicit_exit_notification = 0
2019-01-06 15:02:53 Connection profiles END
2019-01-06 15:02:53   remote_random = DISABLED
2019-01-06 15:02:53   ipchange = '[UNDEF]'
2019-01-06 15:02:53   dev = 'tun'
2019-01-06 15:02:53   dev_type = '[UNDEF]'
2019-01-06 15:02:53   dev_node = '[UNDEF]'
2019-01-06 15:02:53   lladdr = '[UNDEF]'
2019-01-06 15:02:53   topology = 1
2019-01-06 15:02:53   ifconfig_local = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_remote_netmask = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_noexec = DISABLED
2019-01-06 15:02:53   ifconfig_nowarn = ENABLED
2019-01-06 15:02:53 Waiting 0s seconds between connection attempt
2019-01-06 15:02:53   ifconfig_ipv6_local = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_ipv6_netbits = 0
2019-01-06 15:02:53   ifconfig_ipv6_remote = '[UNDEF]'
2019-01-06 15:02:53   shaper = 0
2019-01-06 15:02:53   mtu_test = 0
2019-01-06 15:02:53   mlock = DISABLED
2019-01-06 15:02:53   keepalive_ping = 0
2019-01-06 15:02:53   keepalive_timeout = 0
2019-01-06 15:02:53   inactivity_timeout = 0
2019-01-06 15:02:53   ping_send_timeout = 0
2019-01-06 15:02:53   ping_rec_timeout = 0
2019-01-06 15:02:53   ping_rec_timeout_action = 0
2019-01-06 15:02:53   ping_timer_remote = DISABLED
2019-01-06 15:02:53   remap_sigusr1 = 0
2019-01-06 15:02:53   persist_tun = DISABLED
2019-01-06 15:02:53   persist_local_ip = DISABLED
2019-01-06 15:02:53   persist_remote_ip = DISABLED
2019-01-06 15:02:53   persist_key = DISABLED
2019-01-06 15:02:53   passtos = DISABLED
2019-01-06 15:02:53   resolve_retry_seconds = 60
2019-01-06 15:02:53   resolve_in_advance = DISABLED
2019-01-06 15:02:53   username = '[UNDEF]'
2019-01-06 15:02:53   groupname = '[UNDEF]'
2019


And here the attempt when connecting from my Smartphone:

WhatsApp Image 2019-01-06 at 15.06.46.jpeg



I have read that I need to define the local ip in the openvpn.conf to avoid TLS Handshake failure, but with no success..

Maybe someone of you can help me out!

Big thanks!!!
 
Last edited:
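
A server file and a client file like the two posted above can be checked against each other before testing from a phone. This Python script is an added example, not part of the post: it compares the directives that both ends have to agree on (`proto`, `dev`, compression, `tls-auth` key direction, `cipher`, `remote-cert-tls`, port). Function names are made up, and the embedded configs are abridged from the post with the hostname replaced by a placeholder.

```python
"""Compare an OpenVPN server config with a client config."""
import shlex

def parse_conf(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments
            continue
        words = shlex.split(line, comments=True)  # drops trailing "# ..."
        if words:
            conf.setdefault(words[0], []).append(words[1:])
    return conf

def first(conf, name, index=0, default=None):
    """Argument `index` of the first occurrence of `name`, or `default`."""
    args = conf.get(name, [[]])[0]
    return args[index] if len(args) > index else default

def compression(conf, pushed=()):
    """Compression directives in effect, counting options pushed by the server."""
    names = set(conf) | set(pushed)
    return [n for n in ("comp-lzo", "compress") if n in names]

def compare(server_text, client_text):
    """Return (directive, detail) for every disagreement between the two files."""
    server, client = parse_conf(server_text), parse_conf(client_text)
    pushed = {a[0].split()[0] for a in server.get("push", []) if a and a[0].split()}
    findings = []
    for name in ("proto", "dev"):
        s, c = first(server, name), first(client, name)
        if s != c:
            findings.append((name, f"server={s} client={c}"))
    if compression(server) != compression(client, pushed):
        findings.append(("compression",
                         f"server={compression(server)} client={compression(client, pushed)}"))
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append(("tls-auth", "configured on one side only"))
    elif "tls-auth" in server:
        s, c = first(server, "tls-auth", 1), first(client, "tls-auth", 1)
        if (s, c) not in (("0", "1"), ("1", "0"), (None, None)):
            findings.append(("tls-auth", f"key directions server={s} client={c} are not complementary"))
    s, c = first(server, "cipher"), first(client, "cipher")
    if s != c:
        findings.append(("cipher", f"server={s or 'not set'} client={c or 'not set'}"))
    if first(server, "remote-cert-tls") != "client":
        findings.append(("remote-cert-tls", "server does not require a client-type certificate"))
    if first(client, "remote-cert-tls") != "server":
        findings.append(("remote-cert-tls", "client does not require a server-type certificate"))
    listen = first(server, "port", default="1194")
    for args in client.get("remote", []):
        port = args[1] if len(args) > 1 else "1194"
        if port != listen:
            # Only works if something in between forwards the port.
            findings.append(("port", f"client dials {port}, server listens on {listen}"))
    return findings

# Abridged from the post above; vpn.example.net is a placeholder hostname.
SERVER = """\
local 192.168.0.30
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
remote-cert-tls client
comp-lzo
"""
CLIENT = """\
client
dev tun
proto udp
remote vpn.example.net 443
;remote my-server-2 1194
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-CBC
comp-lzo
"""

if __name__ == "__main__":
    for directive, detail in compare(SERVER, CLIENT):
        print(f"{directive}: {detail}")
```

On the two files as posted it reports the `cipher` line present on the client only and the 443 versus 1194 port difference, which is the forward the poster describes.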

thejamesk

Explorer
Joined
Sep 2, 2018
Messages
71
What's the process for setting up the domain I've defined in the conf file and being able to use it on a remote device such as an android mobile?
 

2019-01-06 15:02:53   dev_type = '[UNDEF]'
2019-01-06 15:02:53   dev_node = '[UNDEF]'
2019-01-06 15:02:53   lladdr = '[UNDEF]'
2019-01-06 15:02:53   topology = 1
2019-01-06 15:02:53   ifconfig_local = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_remote_netmask = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_noexec = DISABLED
2019-01-06 15:02:53   ifconfig_nowarn = ENABLED
2019-01-06 15:02:53 Waiting 0s seconds between connection attempt
2019-01-06 15:02:53   ifconfig_ipv6_local = '[UNDEF]'
2019-01-06 15:02:53   ifconfig_ipv6_netbits = 0
2019-01-06 15:02:53   ifconfig_ipv6_remote = '[UNDEF]'
2019-01-06 15:02:53   shaper = 0
2019-01-06 15:02:53   mtu_test = 0
2019-01-06 15:02:53   mlock = DISABLED
2019-01-06 15:02:53   keepalive_ping = 0
2019-01-06 15:02:53   keepalive_timeout = 0
2019-01-06 15:02:53   inactivity_timeout = 0
2019-01-06 15:02:53   ping_send_timeout = 0
2019-01-06 15:02:53   ping_rec_timeout = 0
2019-01-06 15:02:53   ping_rec_timeout_action = 0
2019-01-06 15:02:53   ping_timer_remote = DISABLED
2019-01-06 15:02:53   remap_sigusr1 = 0
2019-01-06 15:02:53   persist_tun = DISABLED
2019-01-06 15:02:53   persist_local_ip = DISABLED
2019-01-06 15:02:53   persist_remote_ip = DISABLED
2019-01-06 15:02:53   persist_key = DISABLED
2019-01-06 15:02:53   passtos = DISABLED
2019-01-06 15:02:53   resolve_retry_seconds = 60
2019-01-06 15:02:53   resolve_in_advance = DISABLED
2019-01-06 15:02:53   username = '[UNDEF]'
2019-01-06 15:02:53   groupname = '[UNDEF]'
2019


And here is the attempt when connecting from my Smartphone:

View attachment 27575


I have read that I need to define the local IP in the openvpn.conf to avoid TLS Handshake failure, but with no success.

Maybe someone of you can help me out!

Big thanks!!!

Does nobody have an answer or even a hint where I can look? I would be so glad to have this up and running.

BG
Andi
 

AndiM202

Dabbler
Joined
Jan 6, 2019
Messages
13
What's the process for setting up the domain I've defined in the conf file and being able to use it on a remote device such as an Android mobile?

Hi!
Go to the No-IP website and make an account there. Register a DNS which points to your public IP address and then you are able to use this domain to connect to the tunnel.

BG
 

kypdurron5

Dabbler
Joined
Oct 18, 2018
Messages
19
Thanks so much for this tutorial! After many hours of playing with this under Freenas 11.2, I got it working!

Here are my tips (YMMV):

For the commands executed within the jail: under iocage, to get in it's:
Code:
iocage console <jail name>


To get OpenVPN to run under iocage with default settings ("cannot create TAP dynamically" exit error) I had to run from the NAS host (not within the jail):
Code:
iocage stop <jail-name>
iocage set allow_tun=1 <jail-name>
iocage start <jail-name>


Connecting to the VPN required two things:
Code:
#Server Config File at the very top
local <IP address of the jail>

And:
Code:
#In the client config file set the port number = the server port number

remote <your internet domain or public (static) IP> 1194 #instead of 443

(not sure if this was completely necessary)

In order to test the connection I found I could not connect from within the network on my PC for some reason. Instead, I used the OpenVPN connect app under iOS. To load the files, connect the phone to iTunes, go to File Sharing then click on the OpenVPN app and upload the files there. Profile pops up in the app and all is good.

Obviously I had to forward the appropriate ports in my router/firewall as well. Hopefully this helps someone; overall the process is straightforward enough hopefully someone can come up with a working plugin instead.

Oh and the email thing didn't work for me either for some reason. Rather than tracking down the issue I just (in the Freenas GUI) stopped the jail, added a NAS mount point on a shared directory, and copied the files from there.
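
The two connection settings from the post above (a `local` address for the server, and a client port that matches the port the server is reachable on), as an added check that is not part of the original post. The function names, sample files and `vpn.example.net` are constructed, and accepting a router-forwarded external port as the client port is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, file contents and
# vpn.example.net are constructed for illustration.

# Field N of the first uncommented line whose directive is KEY.
conf_field() {
    awk -v key="$1" -v n="$2" '$1 == key { print $n; exit }' "$3"
}

# Succeeds if ADDR is listed as an "inet" address in ifconfig output on stdin.
has_inet() {
    awk -v a="$1" '$1 == "inet" && $2 == a { ok = 1 } END { exit !ok }'
}

# check_pair SERVER_CONF CLIENT_CONF [EXTERNAL_PORT], ifconfig output on stdin.
# EXTERNAL_PORT is the router-side port when it differs from the server port
# (such as 443 forwarded to 1194); it defaults to the server port.
check_pair() {
    rc=0
    local_ip=$(conf_field local 2 "$1")
    sport=$(conf_field port 2 "$1"); sport=${sport:-1194}
    cport=$(conf_field remote 3 "$2"); cport=${cport:-1194}
    want=${3:-$sport}
    if [ -z "$local_ip" ]; then
        echo "server: no local directive"
    elif has_inet "$local_ip"; then
        echo "server: local $local_ip is on a jail interface"
    else
        echo "server: local $local_ip is not on any jail interface"; rc=1
    fi
    if [ "$cport" = "$want" ]; then
        echo "client: remote port $cport ok"
    else
        echo "client: remote port $cport, expected $want"; rc=1
    fi
    return $rc
}

# Constructed sample in the shape of the ifconfig output posted earlier.
sample_ifconfig() {
    printf '%s\n' 'epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST>' \
        '    inet 192.168.0.30 netmask 0xffffff00 broadcast 192.168.0.255' \
        'tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST>' \
        '    inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff'
}
dir=$(mktemp -d /tmp/ovpn-check.XXXXXX)
printf '%s\n' 'local 192.168.0.30' 'port 1194' > "$dir/server.conf"
printf '%s\n' 'client' 'remote vpn.example.net 443' > "$dir/client.conf"
sample_ifconfig | check_pair "$dir/server.conf" "$dir/client.conf" 443 || true
rm -rf "$dir"
```

Inside the jail the live form is `ifconfig | check_pair <server conf> <client conf> [external port]`.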
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
I'm sorry, I don't have time any more for this. Please PM with TW credentials if/when you have time. This kind of communication does not help anyone.

Don't be toooo hasty ; j -
this kind of conversation just might help me and some other guy with the same issues ;D

Using command openvpn --config /usr/local/etc/openvpn/openvpn.conf:
Code:
root@openVPN:~ # ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any

root@openVPN:~ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
nobody   openvpn    4456  7  udp4   192.168.86.8:1194     *:*

root@openVPN:~ # openvpn --config /usr/local/etc/openvpn/openvpn.conf
Mon Feb 18 12:10:14 2019 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Mon Feb 18 12:10:14 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Mon Feb 18 12:10:14 2019 Diffie-Hellman initialized with 2048 bit key
Mon Feb 18 12:10:14 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 18 12:10:14 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 18 12:10:14 2019 ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Mon Feb 18 12:10:14 2019 TUN/TAP device /dev/tun1 opened
Mon Feb 18 12:10:14 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Feb 18 12:10:14 2019 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up

Mon Feb 18 12:10:14 2019 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Mon Feb 18 12:10:14 2019 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Mon Feb 18 12:10:14 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Feb 18 12:10:14 2019 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Feb 18 12:10:14 2019 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.86.8:1194: Address already in use (errno=48)
Mon Feb 18 12:10:14 2019 Exiting due to fatal error
Mon Feb 18 12:10:14 2019 Closing TUN/TAP interface
Mon Feb 18 12:10:14 2019 /sbin/ifconfig tun1 destroy
root@openVPN:~ #

Just what are TW credentials? Google failed me on this.. I feel like it's something so obvious.
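
The `sockstat` listing in the post above shows 192.168.86.8:1194 already held by openvpn PID 4456, the same address the manual start then fails to bind (errno=48). An added pre-flight check for that condition, not part of the original post; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the address and port in
# openvpn.conf are already bound before starting OpenVPN by hand.
# Function names and the sample config are constructed for illustration.

# First argument of directive KEY; commented-out lines never match.
conf_value() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Reads `sockstat -4 -l` output on stdin, prints "COMMAND PID" of a listener
# that conflicts with PROTO ADDR PORT. Conservative: a wildcard (*) on either
# side counts as a conflict with any address on the same port.
port_holder() {
    awk -v proto="$1" -v addr="$2" -v port="$3" '
        index($5, substr(proto, 1, 3)) == 1 {
            n = split($6, p, ":")
            if (p[n] == port && (addr == "*" || p[1] == "*" || p[1] == addr)) {
                print $2, $3; found = 1; exit
            }
        }
        END { exit !found }'
}

# In the jail: sockstat -4 -l | preflight /usr/local/etc/openvpn/openvpn.conf
preflight() {
    addr=$(conf_value local "$1"); port=$(conf_value port "$1")
    proto=$(conf_value proto "$1")
    # OpenVPN defaults when a directive is absent: all addresses, 1194, UDP.
    addr=${addr:-*}; port=${port:-1194}; proto=${proto:-udp}
    if holder=$(port_holder "$proto" "$addr" "$port"); then
        echo "in use: $proto $addr:$port held by $holder"
        return 1
    fi
    echo "free: $proto $addr:$port"
}

# Sample input: the sockstat lines quoted in the post, plus a constructed config.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    4456  7  udp4   192.168.86.8:1194     *:*
EOF
}
sample_conf=$(mktemp /tmp/ovpn-conf.XXXXXX)
printf '%s\n' 'local 192.168.86.8' 'port 1194' 'proto udp' > "$sample_conf"
sample_sockstat | preflight "$sample_conf" || true
rm -f "$sample_conf"
```

A non-zero return from `preflight` means an instance is already listening, so a second `openvpn --config ...` started by hand would stop at the bind step.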
 

kypdurron5

Dabbler
Joined
Oct 18, 2018
Messages
19
Code:
push "redirect-gateway def1 bypass-dhcp"
This! I noticed when connected to OpenVPN via iPhone that my public IP address remained the same as the network I was connected on, not the OpenVPN/Freenas server public IP address. I didn't have to do any of the other commands in your post; just changing this one server config command fixed the problem for me. Without this command I could still access LAN sites, but kind of the whole point of a VPN is to redirect traffic (including internet) through the VPN so this option is kind of important.
 

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
In my server config file, I use:

push "route 192.168.86.0 255.255.255.0"
where 192.168.86.0 is my default gateway.

Since I get the error:
Code:
root@openVPN:~ # openvpn --config /usr/local/etc/openvpn/openvpn.conf
Mon Feb 18 12:10:14 2019 OpenVPN 2.4.6 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Nov 29 2018
Mon Feb 18 12:10:14 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Mon Feb 18 12:10:14 2019 Diffie-Hellman initialized with 2048 bit key
Mon Feb 18 12:10:14 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 18 12:10:14 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Feb 18 12:10:14 2019 ROUTE_GATEWAY 192.168.86.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:c1:31:6f
Mon Feb 18 12:10:14 2019 TUN/TAP device /dev/tun1 opened
Mon Feb 18 12:10:14 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0

Mon Feb 18 12:10:14 2019 /sbin/ifconfig tun1 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Mon Feb 18 12:10:14 2019 /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.2 fib 0: route already in table
Mon Feb 18 12:10:14 2019 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Mon Feb 18 12:10:14 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Feb 18 12:10:14 2019 Socket Buffers: R=[42080->42080] S=[9216->9216]
Mon Feb 18 12:10:14 2019 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.86.8:1194: Address already in use (errno=48)
Mon Feb 18 12:10:14 2019 Exiting due to fatal error
Mon Feb 18 12:10:14 2019 Closing TUN/TAP interface
Mon Feb 18 12:10:14 2019 /sbin/ifconfig tun1 destroy
root@openVPN:~ #


Is it possible that I should use a unique number, such as 192.168.80.0?
 