Step by step to install OpenVPN inside a Jail in FreeNAS 11.1-U1

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
It's very hard to follow exactly what you are doing, and what problems you have. Having recently followed the guide step-by-step, it does work, but you need to think about what settings are required for your specific configuration.

If I were you, I'd remove any vpn jails you've created and then reboot the FreeNAS server. Then have another go following the guide, and if you hit a problem.

What version of FreeNAS are you using? What hardware specs? And how are you creating the jail at the beginning of the process?
 

twsps

Contributor
Joined
Jul 10, 2018
Messages
113
> It's very hard to follow exactly what you are doing, and what problems you have. Having recently followed the guide step-by-step, it does work, but you need to think about what settings are required for your specific configuration.
>
> If I were you, I'd remove any vpn jails you've created and then reboot the FreeNAS server. Then have another go following the guide, and if you hit a problem.
>
> What version of FreeNAS are you using? What hardware specs? And how are you creating the jail at the beginning of the process?
I can connect to my OpenVPN properly without using redirect-gateway; however, when I use redirect-gateway (which means all connections must go through OpenVPN, so they have FreeNAS' public IP), I'm not able to connect to the internet (e.g. google.com).
My version of FreeNAS is 11.1-U5.
Any tips/help will be very much appreciated.
 

Limitedheadroom

Dabbler
Joined
Aug 21, 2015
Messages
34
Great tutorial, thanks for this. I got through it all without errors, but I'm having a problem where OpenVPN won't start, saying it can't allocate TUN/TAP dynamically. Can anyone give any clues as to where I might look?

The output below is after a clean server restart.

Code:
[root@OpenVPN /]# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Sat Aug 11 23:03:20 2018 OpenVPN 2.4.6 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Aug  7 2018
Sat Aug 11 23:03:20 2018 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Sat Aug 11 23:03:20 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Aug 11 23:03:20 2018 Diffie-Hellman initialized with 2048 bit key
Sat Aug 11 23:03:20 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:03:20 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Aug 11 23:03:20 2018 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=epair0b HWADDR=02:ff:60:9b:c8:80
Sat Aug 11 23:03:20 2018 Cannot allocate TUN/TAP dev dynamically
Sat Aug 11 23:03:20 2018 Exiting due to fatal error


Thanks
 

Sokonomi

Contributor
Joined
Jul 15, 2018
Messages
115
This is my first attempt at using a VPN, so I'm not sure what I'm doing. Admittedly this is way above my pay grade, but people keep urging me to use a VPN instead of just port forwarding everything out into the open. :oops:

I've followed the steps and didn't seem to run into any issues, but... what next? Am I supposed to open up some ports on my router? (I would assume so.)
Do I need to install something on my Android device? If, for example, I am in a different country with my phone on some hotel WiFi, and I want to mess with my NAS a bit, what do I do (after following all your steps)?

On a small side note: was that last command supposed to email me something? Because it's been an hour and I haven't seen an email arrive yet.
 

Chris Deluca

Cadet
Joined
Apr 9, 2016
Messages
8
Fantastic guide. I had OpenVPN working using the older instructions in the past, and just redid my jail with these. Clear, concise, very nice. The only suggestion would be to make a note in the "client config" section that the OpenVPN client for iOS requires the .ovpn extension on the conf file; a note there would make things more "self-contained" (the solution is later in this thread, but that top post is too good to not be perfect). The Setup Logging and Log Rotation are missing / in the header after /etc; again, a super small item, as the actual descriptions are correct.
 

HeavyD8086

Cadet
Joined
Sep 5, 2018
Messages
1
I'm having the same issue as Limitedheadroom. "Cannot allocate TUN/TAP dev dynamically"
I can't get the OpenVPN service to start. Anyone else with the issue?

Very good guide to follow, btw. The colours helped.

Running on FreeNAS 11.2 with a 11.2 jail. I'll attempt on an earlier jail and submit findings.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Same here. I also noticed that ifconfig lists all tun devices (tun0 ... tun255), but none of them are visible in /dev/
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
Same as @Limitedheadroom and @memel.parduin. For me it started right after I upgraded from 11.2 BETA 2 to BETA 3: it had been working fine before. What about you guys? Did you find any solution? If it helps, I found this topic and mentioned my issue yesterday. The trick they proposed there didn't work for me, but you may give it a shot.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Nope, doesn't work for me either. Still 256 tun devices on server reboot, and a tun0 on jail restart which OpenVPN can neither allocate nor open.
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
@memel.parduin Like I said, try setting a defined tun device in your OpenVPN config (e.g. dev tun4 instead of dev tun). This will not only help you keep track of which interfaces are used by which jails (I have 3 different OpenVPN jails, each serving a different purpose and using a different tun interface), but it will also avoid the "256 tun devices thing" for some reason: OpenVPN will fail at creating the one you told it to and that's it. Then you can manually create another one, take note of its number, edit your OpenVPN config file so that it uses that interface, and restart the OpenVPN service: service openvpn restart. That's how I got it to work, but I'm pretty sure that if I restart it will fail again and I would have to create another tun device manually and use that new one, and so on and so on.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
I tried it all, but still the same. When using a defined tun device I get
Code:
Sep 11 14:18:36 openvpn openvpn[11865]: TUN/TAP device tun1 exists previously, keep at program end
Sep 11 14:18:36 openvpn openvpn[11865]: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
Sep 11 14:18:36 openvpn openvpn[11865]: Exiting due to fatal error

Also:
Code:
root@openvpn:/ # openvpn --mktun --dev tun2
Tue Sep 11 15:03:02 2018 Options error: options --mktun and --rmtun are not available on your operating system.  Please check 'man tun' (or 'tap'), whether your system supports using 'ifconfig tun5 create' / 'destroy' to create/remove persistant tunnel interfaces.
Tue Sep 11 15:03:02 2018 Exiting due to fatal error

And do you see any tun devices listed in /dev? Because I don't.
Code:
root@openvpn:/ # ls /dev
crypto	fd	log	null	ptmx	pts	random	stderr	stdin	stdout	urandom	zero	zfs
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
> And do you see any tun devices listed in /dev? Because I don't.
I do:
Code:
# ls /dev/
crypto	fd	log	null	ptmx	pts	random	stderr	stdin	stdout	tun4	tun5	urandom	zero	zfs
tun4 is the one for this jail and tun5 is the one for another jail. Both were manually created, and I don't see any of the devices that were automatically created by OpenVPN. I do see those, however, from the host (tun0 to tun3):
Code:
# ll /dev/tun*
crw-------  1 uucp  dialer   0xfa Sep 11 03:01 /dev/tun0
crw-------  1 uucp  dialer   0xd7 Sep 11 03:01 /dev/tun1
crw-------  1 uucp  dialer   0xbd Sep 11 03:00 /dev/tun2
crw-------  1 uucp  dialer  0x115 Sep 11 13:08 /dev/tun3
crw-------  1 uucp  dialer  0x117 Sep 11 18:29 /dev/tun4
crw-------  1 uucp  dialer   0xc0 Sep 12 00:18 /dev/tun5
You mentioned the openvpn --mktun --dev command, but did you use ifconfig tun create like I did to create the devices?

Edit: Also, you said that after a reboot you still got 256 devices. From what I understood, that shouldn't happen if you have a defined tun in your OpenVPN config. Do you have another jail with OpenVPN that still has dev tun instead of dev tun#? In any case, I'm not surprised that it doesn't work for you if you still have 256 devices after reboot: you should fix that first and then try my trick.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
I upgraded my FreeNAS box to 11.2-BETA3, which changed things a little bit.

After a reboot, my host shows
Code:
root@audhumla:~ # ll /dev/tun*
crw-------  1 uucp  dialer  0xd3 Sep 12 09:14 /dev/tun0

My jail
Code:
root@openvpn:~ # ll /dev/tun*
ls: No match.
root@openvpn:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ff:60:36:38:32
	hwaddr 02:86:10:00:0a:0b
	inet 192.168.178.204 netmask 0xffffff00 broadcast 192.168.178.255
	nd6 options=1<PERFORMNUD>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
	groups: epair
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=1<PERFORMNUD>
	groups: tun

The OpenVPN log
Code:
Sep 12 09:14:57 openvpn openvpn[7634]: TUN/TAP device tun0 exists previously, keep at program end
Sep 12 09:14:57 openvpn openvpn[7634]: Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
Sep 12 09:14:57 openvpn openvpn[7634]: Exiting due to fatal error

I set my openvpn.conf to use dev tun0. Setting it to dev tun and restarting OpenVPN gives me
Code:
Sep 12 09:40:17 openvpn openvpn[10366]: Tried opening /dev/tun0 (failed): No such file or directory (errno=2)
Sep 12 09:40:17 openvpn openvpn[10366]: Tried opening /dev/tun1 (failed): No such file or directory (errno=2)
...
Sep 12 09:40:17 openvpn openvpn[10366]: Tried opening /dev/tun255 (failed): No such file or directory (errno=2)
Sep 12 09:40:17 openvpn openvpn[10366]: Cannot allocate TUN/TAP dev dynamically
Sep 12 09:40:17 openvpn openvpn[10366]: Exiting due to fatal error
and ifconfig returns tun0 through tun255. Exiting my jail, the host ll /dev/tun* now lists tun0 through tun255 too.

Stopping and starting the jail, the jail ifconfig shows the same results as on host reboot but the openvpn log lists errors for tun0 through tun255.

Rebooting the host again gives the same results as after setting dev tun in my openvpn config file.
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
btw, here's my iocage jail config
 

Attachments

  • iocage_openvpn.txt

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
> I upgraded my FreeNAS box to 11.2-BETA3, which changed things a little bit.
Maybe something changed indeed with the update. After all, my jails worked fine before.

However, I believe that you're doing things differently than I did. Maybe I wasn't clear enough, so let me try to explain step by step what you should do, and please try to follow those exactly:
  1. In your OpenVPN jail config, set dev tun0 (or any dev tun# where # is a number) and NOT dev tun.
  2. Restart your host.
  3. From your jail, create a new tun device with this command: ifconfig tun create.
  4. Take note of the number of that new device with ifconfig. If you only have one OpenVPN jail, it should be tun1, since OpenVPN would have created the first one as tun0, like you told it to in your config file.
  5. Edit your OpenVPN config file and replace dev tun0 with the new device (e.g. dev tun1).
  6. Restart the OpenVPN service with service openvpn restart.
  7. Enjoy.
If this ends up working for you too, keep in mind that if you reboot, OpenVPN will now create its buggy device as tun1 and you will have to follow these steps again to create a new functional device under another name. You could go back and forth between tun0 and tun1, or keep incrementing, the choice is yours, as long as you create a new device manually from the jail after each reboot of the host: that's the trick, and that's what I'm gonna do until someone finds something better or the bug gets fixed.
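The workaround steps above, scripted as an added example that is not code from this thread, from FreeNAS or from OpenVPN: it first reports the failure memel.parduin sees (ifconfig lists a tun interface that has no node under /dev), then creates a fresh device from the jail, points the config at it and restarts the service only if the node actually exists. It assumes the config path quoted earlier in the thread, FreeBSD's `ifconfig -g tun` for listing the tun group, and a hypothetical `--apply` flag that gates the live part so the helper functions can be exercised on constructed input elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread, FreeNAS or OpenVPN): automate the
# "create a tun device from the jail, then point OpenVPN at it" workaround
# and check first for the symptom reported above: ifconfig shows a tun
# interface, but /dev has no node for it, so OpenVPN fails with errno=2.
set -eu

# Print the device named on the "dev" line of an OpenVPN config ("tun", "tun0", ...).
configured_tun_dev() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# Rewrite the "dev tun" / "dev tunN" line of config $1 to "dev $2".
# A temporary file is used because BSD and GNU sed disagree on "-i".
set_tun_dev() {
    sed "s/^dev[[:space:]]\{1,\}tun[0-9]*[[:space:]]*$/dev $2/" "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Given a space-separated interface list ($1) and a device directory ($2),
# print the interfaces that have no node there. Only existence is tested (a
# real node is a character device) so the check also runs on constructed input.
missing_tun_nodes() {
    for i in $1; do
        [ -e "$2/$i" ] || echo "$i"
    done
}

# Live part: runs only as "script --apply" inside the OpenVPN jail (assumed flag).
if [ "${1:-}" = "--apply" ]; then
    conf=/usr/local/etc/openvpn/openvpn.conf      # path quoted in the thread
    echo "config currently uses: $(configured_tun_dev "$conf")"
    # ifconfig -g lists the members of an interface group; the tun interfaces
    # shown in the ifconfig output above belong to the "tun" group.
    stale=$(missing_tun_nodes "$(ifconfig -g tun)" /dev)
    [ -z "$stale" ] || echo "tun interfaces without a /dev node: $stale"
    newdev=$(ifconfig tun create)                  # prints the new name, e.g. tun1
    if [ ! -e "/dev/$newdev" ]; then
        echo "created $newdev but /dev/$newdev is absent; OpenVPN could not open it" >&2
        exit 1
    fi
    set_tun_dev "$conf" "$newdev"
    service openvpn restart
fi
```

The pre-restart existence check is the point: in the failing case described above the interface appears in ifconfig while the node is missing, and restarting OpenVPN would only reproduce the errno=2 error.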
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Ok, I gave it another try with dev tun0 in my openvpn.conf
Code:
root@openvpn:~ # ifconfig tun create
tun1

Restarted openvpn, but nothing:
Code:
Sep 13 15:35:59 openvpn openvpn[8925]: TUN/TAP device tun1 exists previously, keep at program end
Sep 13 15:35:59 openvpn openvpn[8925]: Cannot open TUN/TAP dev /dev/tun1: No such file or directory (errno=2)
Sep 13 15:35:59 openvpn openvpn[8925]: Exiting due to fatal error

ifconfig lists both tun0 and tun1, ll /dev/tun* lists nothing.

Your solution doesn't seem to work for me. I think I'd better wait for another FreeNAS upgrade... :(
 

memel.parduin

Dabbler
Joined
Feb 13, 2012
Messages
42
Yes, I did, but to no avail, unfortunately.
 

Scentle5S

Explorer
Joined
Sep 9, 2016
Messages
74
Ok, sorry to hear that this trick doesn't work for you then. I can't think of anything else.
 