Truenas 12 OpenVPN service testing

RaymondE

Cadet
Joined
Jun 10, 2020
Messages
4
I have been trying out the OpenVPN service option in Truenas 12, and I've come across a couple of things that I think are worth mentioning, but perhaps don't count as actual bugs:

1. When a CA Certificate is created with OpenVPN profile, it only sets the Server Auth purpose, which means that it cannot Authenticate Client Certificates. Is there a reason why Client Auth should not be set as well for an OpenVPN CA cert by default?

2. The downloading of a Client configuration file is a great idea, but I came across these issues:
The exported client config has the "remote" option set to the value of the "server" option of the OpenVPN server configuration, which doesn't work well at all. I'm not sure exactly how the best address specification of the server gets determined for the Client unless perhaps there's a "local" option specified in the Server, which may not always be suitable, but the 'server' value is never going to work.

Also all the Server Additional Parameters seem to get fully copied into the Client config, which may not always be appropriate. In the particular case of push options, I would suggest leaving them out of the Client config entirely, so that the Server can remain capable of dynamically adjusting these settings for the clients as time goes by. Other Server settings may also be confusing for a Client.

I've been enjoying doing the bit of testing I've been able to do and look forward to the Beta.
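The two client-config problems in the post above (the "server" subnet being copied into "remote", and server-only/"push" lines being copied wholesale) can be avoided by deriving the client file from an explicit public address and a short allow-list of settings. The following is an added example written for this thread, not TrueNAS's own exporter; the allow/deny lists, the constructed server config, the hostname vpn.example.net and the certificate file names are my assumptions.

```shell
#!/bin/sh
# Added example, not TrueNAS code: derive an OpenVPN client config from a
# server config the way the post above argues it should be done.
#  - "remote" comes from an explicit argument (the address clients dial),
#    never from the "server" directive, which is the tunnel subnet.
#  - "push ..." and other server-only directives are dropped so the server
#    keeps control of routes/DNS and can change them later.
#  - only settings that must match on both ends are copied verbatim.
# Allow/deny lists and file names are my choices, not from the thread.

gen_client_conf() {
    # $1 server conf, $2 public host/IP, $3 ca file, $4 client cert, $5 client key
    awk -v remote="$2" -v ca="$3" -v cert="$4" -v key="$5" '
    BEGIN { port = "1194"; proto = "udp"; dev = "tun"; n = 0 }
    /^[[:space:]]*(#|;|$)/ { next }                  # comments, blank lines
    $1 == "port"  { port = $2; next }
    $1 == "proto" { proto = $2; sub(/-server$/, "", proto); next }  # tcp-server -> tcp
    $1 == "dev"   { dev = $2; next }
    # server-only, or pushed to the client at connect time: never copy
    $1 ~ /^(server|server-ipv6|push|ifconfig-pool|ifconfig-pool-persist|client-to-client|client-config-dir|duplicate-cn|max-clients|management|dh|crl-verify|tls-server|topology|keepalive|local)$/ { next }
    # paths that only exist on the server
    $1 ~ /^(ca|cert|key|tls-auth|tls-crypt|status|log|log-append)$/ { next }
    # must agree on both ends: copy verbatim
    $1 ~ /^(cipher|auth|tls-version-min|tls-cipher|data-ciphers|ncp-ciphers|compress|comp-lzo|tun-mtu|mssfix)$/ { keep[++n] = $0; next }
    # anything else is left out rather than guessed at
    END {
        print "client"
        print "dev " dev
        print "proto " proto
        print "remote " remote " " port
        print "resolv-retry infinite"
        print "nobind"
        print "persist-key"
        print "persist-tun"
        print "remote-cert-tls server"   # refuse a client cert posing as the server
        print "ca " ca
        print "cert " cert
        print "key " key
        for (i = 1; i <= n; i++) print keep[i]
    }' "$1"
}

# Constructed server config (made up for this example) and a call showing
# that the "server" subnet never leaks into "remote".
demo_client_conf() {
    d=$(mktemp -d)
    cat > "$d/openvpn_server.conf" <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.1"
keepalive 10 120
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/server.crt
key /usr/local/etc/openvpn/server/server.key
dh /usr/local/etc/openvpn/server/dh.pem
EOF
    gen_client_conf "$d/openvpn_server.conf" vpn.example.net ca.crt client.crt client.key
    rm -rf "$d"
}
```

Run `demo_client_conf` to see the result: the client gets `remote vpn.example.net 1194`, the matching cipher/auth/TLS settings, and `remote-cert-tls server`, while every `push`, the `server` subnet and the server-side key paths stay out of the file.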
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,175
Sounds like a good list to put in a bug report.
 

Kris Moore

SVP of Engineering
Administrator
Moderator
iXsystems
Joined
Nov 12, 2015
Messages
1,448
Yes, please do so we can be sure to take a look into this!
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
Did you ever get the server to run? Is it functioning? I can't get it to start.
 

RaymondE

Cadet
Joined
Jun 10, 2020
Messages
4
It seems OK. I've just upgraded to 12.0-Beta, and it looks to be behaving the same as the last nightly.
Just on the off-chance, what values have you put in the 'Server' parameter fields of the OpenVPN server configuration?
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
> It seems OK. I've just upgraded to 12.0-Beta, and it looks to be behaving the same as the last nightly.
> Just on the off-chance, what values have you put in the 'Server' parameter fields of the OpenVPN server configuration?

This go-around I get errors in that field saying not valid. I tried the same subnet, a different one, just about every variation I can think of. I just put the beta back on here and I don't recall this problem the first time. The first time I just could not turn it on.
 

RaymondE

Cadet
Joined
Jun 10, 2020
Messages
4
Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel. Try entering an Internet-unroutable subnet like, say, 10.1.0.0/16. I put in a bug report suggesting that this should be clarified/fixed, but it hasn't happened yet.
Also if you try the 'generate VPN client config', it continues the misunderstanding in the generated client config, so watch out for that as well.
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
Updated: I got it to work after a restart.

OK, it saved; I can renew and download clients. Just can't start it.

Console says:
WARNING: /usr/local/etc/openvpn/server/openvpn_server.conf is not readable.
WARNING: failed precmd routine for openvpn_server
WARNING: failed to start openvpn_server
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
> Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel. Try entering an Internet-unroutable subnet like, say, 10.1.0.0/16. I put in a bug report suggesting that this should be clarified/fixed, but it hasn't happened yet.
> Also if you try the 'generate VPN client config', it continues the misunderstanding in the generated client config, so watch out for that as well.

Thanks for your insight; you sure saved me time and frustration, as clearly there is no info on this really except what you're posting now. What is the deal with the 'generate VPN client config' to which you refer? The problem I have with this part is that I have created several different OpenVPN client certificates and none will log in, as they are asking for a password, phrase or whatever, but I am not seeing where that is set.
 

rwatts_tci

Cadet
Joined
Jul 25, 2020
Messages
3
> Despite what it says on the Tooltip, the 'Server' parameter is actually looking for you to specify the subnet of addresses for the server to use inside the VPN tunnel.

This is the answer I have been looking for, for hours and days! Amazing.
 

rwatts_tci

Cadet
Joined
Jul 25, 2020
Messages
3
I have managed to get the server running. But I can't get the client to connect. Looking in the client logs I can see:
"TLS handshake failed"

server log shows:
Code:
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS: Initial packet from [AF_INET6]::ffff:192.168.0.2:1194, sid=cccc241c 4fac986d
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 VERIFY ERROR: depth=1, error=unsupported certificate purpose: CN=FamilyFreeNAS, C=GB, ST=England, L=England, O=None, emailAddress=XXXX@gmail.com
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS Error: TLS object -> incoming plaintext read error
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 TLS Error: TLS handshake failed
Sat Jul 25 05:09:02 2020 192.168.0.2:1194 SIGUSR1[soft,tls-error] received, client-instance restarting


I have updated the remote IP to be the same as the freenas LAN IP address and it seems to reach the server. Just hangs on authentication.

I think its likely that my client certificate config is the issue, but there are so many options, and I chose the defaults I think.

Have you got any tips?
 

Maxime FRANCK

Dabbler
Joined
Mar 3, 2017
Messages
16
You need to add client identification to the CA; it's not automatic. Already reported on the bug tracker.

My problem is how to add more than one additional server parameter ^^
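The "VERIFY ERROR: depth=1, error=unsupported certificate purpose" in the log two posts up, and the fix the reply above points at, can be reproduced outside TrueNAS with nothing but the openssl command line. The script below is an added example for this thread, not TrueNAS or iXsystems code; the subjects, file names, key sizes and the temporary directories are my assumptions. It builds two small PKIs, one whose CA carries only a serverAuth extended key usage and one whose CA carries serverAuth and clientAuth, issues a client certificate from each, and runs the same TLS-client purpose check the OpenVPN server applies to a connecting client's chain.

```shell
#!/bin/sh
# Added example, not TrueNAS code: reproduce the depth=1 "unsupported
# certificate purpose" failure from the log above with plain OpenSSL, then
# show the fix. OpenSSL applies the TLS-client purpose check to every
# certificate in the chain, so a CA certificate whose extendedKeyUsage lists
# only serverAuth is rejected at depth=1 no matter what the leaf says.
# Giving the CA both serverAuth and clientAuth (or no EKU at all) fixes it.
# Subjects, file names and key sizes are made up; needs the openssl CLI.

write_cnf() {   # $1 dir, $2 EKU list for the CA; a self-contained req config
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example OpenVPN CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = $2
EOF
}

make_ca() {     # $1 dir, $2 EKU list: self-signed CA with exactly that EKU
    write_cnf "$1" "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_client_cert() {   # $1 dir: issue client.pem (clientAuth EKU) from that CA
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=laptop" -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$1/client.ext"
    openssl x509 -req -days 30 -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/client.ext" -out "$1/client.pem" 2>/dev/null
}

# The same purpose check the OpenVPN server performs on a connecting client.
verify_as_tls_client() {   # $1 dir; prints accepted or rejected
    if openssl verify -purpose sslclient -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

demo_ca_eku() {   # prints "broken:<result> fixed:<result>"
    bad=$(mktemp -d); good=$(mktemp -d)
    make_ca "$bad" serverAuth                 # the CA profile the first post describes
    make_client_cert "$bad"
    make_ca "$good" serverAuth,clientAuth     # CA allowed to vouch for both roles
    make_client_cert "$good"
    echo "broken:$(verify_as_tls_client "$bad") fixed:$(verify_as_tls_client "$good")"
    rm -rf "$bad" "$good"
}
```

`demo_ca_eku` prints `broken:rejected fixed:accepted`. To see the underlying reason for the broken case, drop the redirections in `verify_as_tls_client`: openssl reports `error 26 at 1 depth lookup: unsupported certificate purpose`, the same depth=1 error the OpenVPN server logged. Note that the leaf certificate is identical in both runs; only the CA's EKU differs.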
 

mhale

Cadet
Joined
Aug 1, 2020
Messages
1
I have a couple of thoughts after doing my own testing.

1) There should perhaps be a tab in the UI for the OpenVPN server service to directly edit the .conf file and add additional parameters. That would make things simpler than using a shell and vi.

2) I'm somewhat novice at FreeBSD, so it would be truly great if there was a simple interface to set up NAT and allow all clients to route internet traffic through TrueNAS running as an OpenVPN server. If there's a way to do this simply already, forgive me if I'm not aware of it, but I was able to get clients to connect to the OpenVPN server actually fairly easily, but then translating that to fully routing internet traffic was beyond me.

This is a phenomenal implementation so far, and I'm looking forward to seeing it mature in the RC and gold builds.
 

RSVP

Explorer
Joined
Feb 11, 2016
Messages
73
> I have a couple of thoughts after doing my own testing.
>
> 1) There should perhaps be a tab in the UI for the OpenVPN server service to directly edit the .conf file and add additional parameters. That would make things simpler than using a shell and vi.
>
> 2) I'm somewhat novice at FreeBSD, so it would be truly great if there was a simple interface to set up NAT and allow all clients to route internet traffic through TrueNAS running as an OpenVPN server. If there's a way to do this simply already, forgive me if I'm not aware of it, but I was able to get clients to connect to the OpenVPN server actually fairly easily, but then translating that to fully routing internet traffic was beyond me.
>
> This is a phenomenal implementation so far, and I'm looking forward to seeing it mature in the RC and gold builds.

I am liking this effort to solve this problem and support OpenVPN too. I hope it evolves quickly, because I am enthusiastic about the project for deployments not having this option at router level. It's a huge need from what I have seen. At this time I still cannot connect. I think the tab idea is great, and not having it as a service. Too complicated with the certs. Bundle it up with info, comments etc. and tie it in a bow. I cannot connect to the running server. But I haven't started mucking with configs. Will it be addressed before moving off the beta channel?
 

akballow

Cadet
Joined
Aug 15, 2020
Messages
2
Hello All,

Thanks for this thread as I ran into the server IP issue where it was asking subnet instead.

Now I am running into the issue of making it routable so i can get to my local network.

I can SSH into the FreeNAS and ping the IP assigned to my clients, but God only knows how to route it correctly. Will wait very patiently for any info.
 

akballow

Cadet
Joined
Aug 15, 2020
Messages
2
Just as an FYI to TrueNAS: maybe streamline the creation of OpenVPN for non-advanced users. The creation of all the certs had me a little confused until I realized that there were profiles for OpenVPN, but even so it just seems to make more sense to have one guide that creates all 3 certs: root, CA, and client ones.
 

Sasquatch

Explorer
Joined
Nov 11, 2017
Messages
86
> Hello All,
>
> Thanks for this thread as I ran into the server IP issue where it was asking subnet instead.
>
> Now I am running into the issue of making it routable so i can get to my local network.
>
> I can SSH into the FreeNAS and ping the IP assigned to my clients, but God only knows how to route it correctly. Will wait very patiently for any info.

My 2 clients can ping the server, but client-to-client doesn't work...
back to tinkering ;)
 

Sasquatch

Explorer
Joined
Nov 11, 2017
Messages
86
> Now I am running into the issue of making it routable so i can get to my local network.
>
> I can SSH into the FreeNAS and ping the IP assigned to my clients, but God only knows how to route it correctly. Will wait very patiently for any info.

Second that. Feature request? Add a tick box: "give VPN clients access to local network"?

At the moment only the TrueNAS GUI and SSH are accessible for built-in OpenVPN clients.
And that only on desktop; for some reason neither works on mobile...
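The symptom that runs through the last several posts (a client can reach the TrueNAS box itself, but not the LAN behind it, and clients cannot reach each other) comes down to three things that a fresh OpenVPN server does not do on its own: push a route for the LAN to the client, forward packets on the host, and give the LAN a way to send replies back to the tunnel subnet (a static route on the LAN router pointing the tunnel subnet at the TrueNAS LAN IP, or NAT on the TrueNAS box). The script below is an added checklist written for this thread, not TrueNAS code; the LAN 192.168.0.0/24 on em0, the tunnel subnet 10.8.0.0/24 and the pf rule syntax are my assumptions, and the forwarding sysctl value is passed in as an argument so the check can be run anywhere against copies of the files. On TrueNAS the OpenVPN lines belong in the service's Additional Parameters field and the sysctl in System > Tunables.

```shell
#!/bin/sh
# Added example, not TrueNAS code: a checklist for "clients reach the server
# but not the LAN" from the posts above. It inspects an OpenVPN server conf
# and a pf.conf, plus the value of net.inet.ip.forwarding, and prints the
# exact line that is missing for each unmet requirement.
# Addresses and the interface name are placeholders I chose; substitute yours.

LAN_NET=192.168.0.0; LAN_MASK=255.255.255.0; LAN_CIDR=192.168.0.0/24
TUN_CIDR=10.8.0.0/24; LAN_IF=em0   # assumed interface that carries the LAN

diag_lan_access() {
    # $1 openvpn server conf, $2 pf.conf (may not exist),
    # $3 value of sysctl net.inet.ip.forwarding; returns the number of gaps
    missing=0
    if ! grep -q "^push \"route $LAN_NET $LAN_MASK\"" "$1"; then
        echo "ovpn: push \"route $LAN_NET $LAN_MASK\"   # Additional Parameters: give clients a route to the LAN"
        missing=$((missing + 1))
    fi
    if ! grep -q '^client-to-client' "$1"; then
        echo "ovpn: client-to-client   # only if clients must reach each other"
        missing=$((missing + 1))
    fi
    if [ "$3" != 1 ]; then
        echo "host: sysctl net.inet.ip.forwarding=1   # persist it as a sysctl tunable"
        missing=$((missing + 1))
    fi
    if [ ! -f "$2" ] || ! grep -q "^nat on $LAN_IF from $TUN_CIDR" "$2"; then
        echo "pf: nat on $LAN_IF from $TUN_CIDR to $LAN_CIDR -> ($LAN_IF)   # or: static route for $TUN_CIDR via the TrueNAS LAN IP on your router"
        missing=$((missing + 1))
    fi
    return $missing
}

count_missing() {   # same arguments; prints the count instead of returning it
    n=0
    diag_lan_access "$@" >/dev/null || n=$?
    echo "$n"
}

# Constructed input mimicking a fresh TrueNAS 12 OpenVPN server: no pushed
# route, no client-to-client, forwarding off, no pf.conf at all.
demo_diag() {
    d=$(mktemp -d)
    printf 'port 1194\nproto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\n' > "$d/openvpn_server.conf"
    diag_lan_access "$d/openvpn_server.conf" "$d/pf.conf" 0 || echo "gaps: $?"
    rm -rf "$d"
}
```

`demo_diag` lists all four lines and ends with `gaps: 4`. Of the two ways to close the last gap, the static route on the LAN router is the one to prefer when you control that router: it keeps the client's real tunnel address visible to LAN hosts and needs no packet filter on the NAS at all. The NAT rule is the fallback when the router cannot be told about the tunnel subnet.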
 