
Truenas 12 OpenVPN service testing

RaymondE

Neophyte
Joined
Jun 10, 2020
Messages
4
I have been trying out the OpenVPN service option in Truenas 12, and I've come across a couple of things that I think are worth mentioning, but perhaps don't count as actual bugs:

1. When a CA Certificate is created with OpenVPN profile, it only sets the Server Auth purpose, which means that it cannot Authenticate Client Certificates. Is there a reason why Client Auth should not be set as well for an OpenVPN CA cert by default?

2. The downloading of a Client configuration file is a great idea, but I came across these issues:
The exported client config has the "remote" option set to the value of the "server" option of the OpenVPN server configuration, which doesn't work well at all. I'm not sure exactly how the best address specification of the server gets determined for the Client unless perhaps there's a "local" option specified in the Server, which may not always be suitable, but the 'server' value is never going to work.

Also all the Server Additional Parameters seem to get fully copied into the Client config, which may not always be appropriate. In the particular case of push options, I would suggest leaving them out of the Client config entirely, so that the Server can remain capable of dynamically adjusting these settings for the clients as time goes by. Other Server settings may also be confusing for a Client.

I've been enjoying doing the bit of testing I've been able to do and look forward to the Beta.
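As an added illustration of the two export problems described above (not TrueNAS code), this Python sketch derives a client profile from a constructed server config: it reads `server` as the tunnel subnet and checks it is unroutable, puts the caller-supplied reachable hostname into `remote`, and drops `push` and other server-only directives. The hostname `nas.example.com` and the directive list `SERVER_ONLY` are assumptions.

```python
import ipaddress

# Directives that belong only on the server side and must not be exported to clients
# (assumed list). `push` stays out so the server keeps control of what it hands out.
SERVER_ONLY = {"server", "local", "push", "dh", "client-config-dir",
               "ifconfig-pool-persist", "max-clients", "duplicate-cn", "client-to-client"}

# Constructed sample server config (not TrueNAS output); `server` is the tunnel subnet.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
dh dh.pem
server 10.1.0.0 255.255.0.0
push "route 192.168.0.0 255.255.255.0"
cipher AES-256-GCM
"""

def parse_config(text):
    """Return (directive, args) pairs, skipping blank and comment lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", ";")):
            parts = line.split()
            pairs.append((parts[0], parts[1:]))
    return pairs

def tunnel_subnet(directives):
    """Read `server <network> <netmask>` as the tunnel subnet and insist it is unroutable."""
    for name, args in directives:
        if name == "server" and len(args) >= 2:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            if not net.is_private:
                raise ValueError(f"tunnel subnet {net} is Internet-routable; use e.g. 10.1.0.0/16")
            return net
    raise ValueError("no `server <network> <netmask>` directive found")

def client_config(server_text, remote_host):
    """Build a client profile: reachable `remote`, shared transport/crypto lines, nothing server-only."""
    directives = parse_config(server_text)
    tunnel_subnet(directives)  # fail early if the server side itself is misconfigured
    opts = {n: a for n, a in directives if n in ("port", "proto")}
    port, proto = opts.get("port", ["1194"])[0], opts.get("proto", ["udp"])[0]
    lines = ["client", f"remote {remote_host} {port} {proto}", "nobind", "remote-cert-tls server"]
    for name, args in directives:
        # The client supplies its own ca/cert/key; port/proto are folded into `remote`.
        if name in SERVER_ONLY or name in ("port", "proto", "ca", "cert", "key"):
            continue
        lines.append(" ".join([name, *args]))
    return "\n".join(lines) + "\n"
```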
 

Ericloewe

Not-very-passive-but-aggressive
Moderator
Joined
Feb 15, 2014
Messages
16,650
Sounds like a good list to put in a bug report.
 

Kris Moore

VP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
275
Yes, please do so we can be sure to take a look into this!
 

RSVP

Member
Joined
Feb 11, 2016
Messages
63
Did you ever get the server to run? Is it functioning? I can't get it to start.
 

RaymondE

Neophyte
Joined
Jun 10, 2020
Messages
4
It seems OK. I've just upgraded to 12.0-Beta, and it looks to be behaving the same as the last nightly.
Just on the off-chance, what values have you put in the 'Server' parameter fields of the OpenVPN server configuration?
 

RSVP

Member
Joined
Feb 11, 2016
Messages
63
> It seems OK. I've just upgraded to 12.0-Beta, and it looks to be behaving the same as the last nightly.
> Just on the off-chance, what values have you put in the 'Server' parameter fields of the OpenVPN server configuration?
This go around I get errors in that field saying not valid. Tried the same subnet, a different one, just about every variation I can think of. I just put beta back on here and I don't recall this problem the first time. The first time I just could not turn it on.
 

RaymondE

Neophyte
Joined
Jun 10, 2020
Messages
4
Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel. Try entering an Internet-unroutable subnet like, say, 10.1.0.0/16. I put in a bug report suggesting that this should be clarified/fixed, but it hasn't happened yet.
Also if you try the 'generate VPN client config', it continues the misunderstanding in the generated client config, so watch out for that as well.
 

RSVP

Member
Joined
Feb 11, 2016
Messages
63
Updated --- I got it to work after restart.

OK, it saved, and it can renew and download clients. Just can't start it.

Console says:
WARNING: /usr/local/etc/openvpn/server/openvpn_server.conf is not readable.
WARNING: failed precmd routine for openvpn_server
WARNING: failed to start openvpn_server
 

RSVP

Member
Joined
Feb 11, 2016
Messages
63
> Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel. Try entering an Internet-unroutable subnet like, say, 10.1.0.0/16. I put in a bug report suggesting that this should be clarified/fixed, but it hasn't happened yet.
> Also if you try the 'generate VPN client config', it continues the misunderstanding in the generated client config, so watch out for that as well.
Thanks for your insight, you sure saved me time and frustration, as there is clearly no info on this really except what you're posting now. What is the deal with the 'generate VPN client config' to which you refer? The problem I have with this part is that I have created several different OpenVPN client certificates and none will log in, as they are asking for a password, phrase or whatever, but I am not seeing where that is set.
 

rwatts_tci

Newbie
Joined
Jul 25, 2020
Messages
3
> Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel.
This is the answer I have been looking for, for hours and days! Amazing
 

rwatts_tci

Newbie
Joined
Jul 25, 2020
Messages
3
I have managed to get the server running. But I can't get the client to connect. Looking in the client logs I can see:
"TLS handshake failed"

server log shows:
Code:
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS: Initial packet from [AF_INET6]::ffff:192.168.0.2:1194, sid=cccc241c 4fac986d
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 VERIFY ERROR: depth=1, error=unsupported certificate purpose: CN=FamilyFreeNAS, C=GB, ST=England, L=England, O=None, emailAddress=XXXX@gmail.com
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS Error: TLS handshake failed
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 SIGUSR1[soft,tls-error] received, client-instance restarting


I have updated the remote IP to be the same as the FreeNAS LAN IP address and it seems to reach the server. It just hangs on authentication.

I think it's likely that my client certificate config is the issue, but there are so many options, and I chose the defaults I think.

Have you got any tips?
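As an added example (not from this thread or TrueNAS), the Python below triages server log lines like the ones quoted above: it picks out each VERIFY ERROR, works out whether the failing chain link is the client certificate (depth 0) or its issuing CA (depth 1 and up), and for "unsupported certificate purpose" points at the Client Auth gap raised at the top of the thread. The sample log and the CN ExampleCA are constructed.

```python
import re

# Constructed sample modelled on the server log quoted above (not the original lines).
SAMPLE_LOG = """\
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS: Initial packet from [AF_INET6]::ffff:192.168.0.2:1194, sid=00000000 00000000
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 VERIFY ERROR: depth=1, error=unsupported certificate purpose: CN=ExampleCA, C=GB, O=None
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS Error: TLS handshake failed
"""

# One VERIFY ERROR line: timestamp, peer, chain depth, OpenSSL error text, failing subject.
VERIFY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<peer>\S+) "
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.*)$"
)

def explain(depth, error):
    """Map depth + error to what failed. Depth 0 is the peer's own cert; higher is an issuer."""
    link = "client certificate" if depth == 0 else f"issuing CA at depth {depth}"
    if error == "unsupported certificate purpose":
        # OpenSSL rejects a chain link whose extendedKeyUsage is present but lacks clientAuth.
        fix = ("CA was issued with Server Auth only; reissue it with Client Auth as well"
               if depth > 0 else "client cert lacks the TLS client purpose; reissue it")
    else:
        fix = "inspect the chain with openssl verify"
    return link, fix

def triage(log_text):
    """Return one finding per VERIFY ERROR line, keyed to peer and chain position."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.match(line)
        if not m:
            continue
        depth = int(m["depth"])
        cn = re.search(r"CN=([^,]+)", m["subject"])
        link, fix = explain(depth, m["error"])
        findings.append({"peer": m["peer"], "depth": depth, "link": link,
                         "cn": cn.group(1) if cn else None,
                         "error": m["error"], "fix": fix})
    return findings
```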
 

Maxime FRANCK

Junior Member
Joined
Mar 3, 2017
Messages
16
You need to add client identification to the CA; it's not automatic. Already reported on the bug tracker.

My problem is how to add more than one additional server parameter ^^
 

mhale

Newbie
Joined
Aug 1, 2020
Messages
1
I have a couple of thoughts after doing my own testing.

1) There should perhaps be a tab in the UI for the OpenVPN server service to directly edit the .conf file and add additional parameters. That would make things simpler than using a shell and vi.

2) I'm somewhat of a novice at FreeBSD, so it would be truly great if there was a simple interface to set up NAT and allow all clients to route internet traffic through TrueNAS running as an OpenVPN server. If there's a way to do this simply already, forgive me if I'm not aware of it, but I was able to get clients to connect to the OpenVPN server fairly easily, and then translating that to fully routing internet traffic was beyond me.

This is a phenomenal implementation so far, and I'm looking forward to seeing it mature in the RC and gold builds.
 

RSVP

Member
Joined
Feb 11, 2016
Messages
63
> I have a couple of thoughts after doing my own testing.
>
> 1) There should perhaps be a tab in the UI for the OpenVPN server service to directly edit the .conf file and add additional parameters. That would make things simpler than using a shell and vi.
>
> 2) I'm somewhat of a novice at FreeBSD, so it would be truly great if there was a simple interface to set up NAT and allow all clients to route internet traffic through TrueNAS running as an OpenVPN server. If there's a way to do this simply already, forgive me if I'm not aware of it, but I was able to get clients to connect to the OpenVPN server fairly easily, and then translating that to fully routing internet traffic was beyond me.
>
> This is a phenomenal implementation so far, and I'm looking forward to seeing it mature in the RC and gold builds.
I am liking this effort to solve this problem and support OpenVPN too. I hope it evolves quickly because I am enthusiastic about the project for deployments not having this option at router level. It's a huge need from what I have seen. At this time I still cannot connect. I think the tab idea is great, and not having it as a service. Too complicated with the certs. Bundle it up with info comments etc. and tie it in a bow. I cannot connect to the running server. But I haven't started mucking with configs. Will it be addressed before moving off the beta channel?
 