Log in or Sign up

Download Latest 9.10STABLE

Home Forums Resources Members Forum Rules Documentation Report a Bug

Search Forums Recent Posts
Search...

Home Forums Archived Sections HowTo Guides Jails

How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via Sign up now!

NAT
Discussion in 'Jails' started by robles, Aug 19, 2014.

Page 1 of 23 1 2 3 4 5 6 23 Next > Members Online Now

JoshDW19, suhlhorn, Ben Wiesner,

Haggis663, nojohnny101, gpsguy, sleep,
This tutorial will show you how to configure OpenVPN inside a jail so you can VPN to your home, access your local kipden88
jails and other hosts and optionally, use it as a complete tunnel in case you're in a public network. Total: 156 (members: 10, guests: 137, robots:
9)

Tutorial change-log:
1.3.5 Nov 1 2016: Added line to the server/client configuration to use at least SHA256 handshake and AES-256-CBC
Share This Page
robles encryption. Cleared minor wording.
FreeNAS Aware
Tweet
Show : Full changelog
Joined: Jul 29, 2014
Messages: 84
Thanks Received: 34
Trophy Points: 11
TLDR 0

Show : Condensed version

Requirements
FreeNAS 9.10+
Domain updated by DDNS or a static IP
Internet access
Router forwarding of your port of choice (in my case 10011 UDP internal to 443 UDP external).
SFTP Client (Winscp, Transmit or plain scp)

Route all traffic?

If you want to route all traffic through the VPN Tunnel, be sure to read the Know This section

Overview
In this guide, we'll do the server/client configuration as follows:

Server configuration:

Creating the Jail.

Optional: mounting local storage.
Installing OpenVPN inside the jail.
Creating all the certificates needed: the server root cert, the OpenVPN server cert and each of the client's cert.
OpenVPN configuration file.
Firewall settings so NAT can work.
Registering OpenVPN as a service so it can start automatically with the jail.

Client configuration:

OpenVPN configuration file.

Certificate installation in client

Network Setup
Understanding how the OpenVPN networking works is very important, so I'm going to explain it here (you can skip
this and go straight to the configuration). Since I'm a very visual person, here's the diagram of the logical network we'll
be creating:

This diagram shows how FreeNAS, its jails and even the how remote client will exist in the network. As they are all
connected to the same switch*, they can talk to each other. So my Crashplan Jail (10.0.0.12) can talk to a computer in
my home network called Other Host** (10.0.0.30) and my FreeNAS server can access the internet via the Gateway
(10.0.0.254).
*They are all connected to switches in the same broadcast domain, which logically places them as if they were all connected to the same
switch.
**"Host" we refer to as any device, could be a jail, a computer or your latest internet-connected thermostat.

This diagram is divided into three main sections and it shows how FreeNAS looks at the world:

Yellow network (home): With addressing 10.0.0.0/24. This is the network in which our FreeNAS server exists.
Blue network (internet): The internet routes traffic from my home where FreeNAS is, to my remote location.
Purple network (NAT): The network inside my jail which contains all of the clients which will connect remotely.
It uses addressing 172.16.8.0/24

Now, let's see how this same diagram appears not logically, but physically (i.e. how the cables are connected).

This is the same diagram as before, but it includes a new section:

Green network (remote): This has 192.168.1.0/24 addressing. It's the external network from which we'll be
connecting from and it's the simplest network you'll find, in which traffic goes to the gateway and from there, to
the internet.

Notice that even though the jails are connected to a switch (FreeNAS Virtual Switch) and that switch is connected to
the Gateway Switch, they are all still in the same yellow network (10.0.0.0/24) so they can still talk to each other.

When connecting through VPN, the connection highlighted in orange is created. Now the Remote Client will have two
IPs, one inside the green network (192.168.1.200) which lets it communicate with other hosts inside the same green
network, and one inside the purple network (172.16.8.4) which by itself only lets you communicate with other hosts
inside the purple network. You can imagine as if the Remote Client (our computer in a far away network) is
transported from the green network to the purple network.

Topology as it appears after VPN connection is made

You may notice that the OpenVPN jail is halfway inside the yellow and purple networks. One side talks to the yellow
network (the jail has an outside IP of 10.0.0.14) and the other to the purple network (the jail has inside IP of
172.16.8.1). Using some Firewall configuration, we can allow the Remote Client and anyone inside the purple network
to talk to the yellow network. This is what allows any remote client to connect and access other computers in the yellow
network. Now you understand how the VPN tunnel works.

Example:

If Remote Client wants to ping Other Host (or any other host in the yellow network, could be another jail), it will
forward that packet to OpenVPN Jail, then the OpenVPN Jail will translate the packet from the purple network to the
yellow one, and forward the packet to Other Host.

Since Other Host will only see a ping coming from 10.0.0.14/24 (OpenVPN Jail), it will respond to it. When OpenVPN
Jail sees it, it will translate it back from the yellow to the purple network and send it to Remote Client.

OpenVPN Jail Setup

Create a new jail in the webgui

You can name it whatever you like. Take a note of the IPv4 Address that was assigned to your Jail. If you'd like to change it, go to Jails > Edit
Jail > IPv4. This jail must have an IP in your yellow network.

Optional: Add storage from outside the jail, I'll mount mine in /mnt/keys but you can store them inside the jail in
/usr/local/etc/openvpn.

SSH to your FreeNAS install and enter the jail:

Robles-MacBook-Pro:~ robles$ ssh robles@10.0.0.11
Last login: Tue Aug 19 12:29:05 2014 from 10.0.0.192
Welcome to FreeNAS
[robles@nas] ~> jls
JID IP Address Hostname Path
7 - openvpn /mnt/vault/pluginjails/openvpn
[robles@nas] ~> sudo jexec 7 tcsh
Password:
root@openvpn:/ #

You can list your installed jails with the jls command, notice how my openvpn jail has the JID 7. To get inside the
jail, use the jexec command as shown.

Upgrade your jail (optional), install bash, nano (optional) and openvpn using the pkg command:

Code:

pkg update
pkg upgrade
pkg install bash nano openvpn
exit

Note: The first time it will have to upgrade repositories, so don't worry if it spurts a lot of data. We need bash because the ./easyrsa command
behaves weirdly using tcsh. If you run into a "shared object not found" problem, run pkg upgrade again so it repairs the missing packages.

Using the jexec command, enter your jail now using bash:
[robles@nas] ~> sudo jexec 7 bash
[root@openvpn /]# cd /usr/local/share/easy-rsa
[root@openvpn /usr/local/share/easy-rsa]#

Easy-RSA Prep
First, let's move the example files to their destination. Then we'll edit the vars file to suit our needs
[root@OpenVPN /usr/local/share/easy-rsa]# mv easyrsa.real easyrsa
[root@OpenVPN /usr/local/share/easy-rsa]# mv vars.example vars
[root@OpenVPN /usr/local/share/easy-rsa]# nano vars

Inside the vars file, look for the line EASYRSA_KEY_SIZE and uncomment it by removing the pound symbol. Do the
same for the line with EASYRSA_DIGEST.

Optional: You can uncomment the EASYRSA_REQ_COUNTRY lines above to default to your local address. You can also
uncomment the EASYRSA_CA_EXPIRE to change your certificate expiration from 10 years to something more sensible.

To close nano, press ctrl+x. To save the changes answer "y".

Certificate Creation
>Note: Easy-RSA 3.1's output is much more verbose. This instructions omit long explanations by the program
wherever you find the [...] symbol. The relevant information is underlined.

Creating the Root Certificate

Let's create our NAS' Cert Authority
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa init-pki
[...]
Your newly created PKI dir is: /usr/local/share/easy-rsa/pki
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa build-ca nopass
[...]Generating a 2048 bit RSA private key
.............+++.....+++...........
writing new private key to '/usr/local/share/easy-rsa/pki/private/ca.key.#########'[...]
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:Robles NAS CA
[...]
Your new CA certificate file for publishing is at:
/usr/local/share/easy-rsa/pki/ca.crt

Creating the OpenVPN Server Certificate

Answer the questions appropriately. Now let's create a server key, this will identify your OpenVPN server against any
other server.

This is a two step process: first we create a request for the certificate, and then we sign it. Let's create the server's
certificate request:
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa gen-req openvpn-server nopass
[...] Generating a 2048 bit RSA private key
...................................+++..........+++ [...]
Common Name (eg: your user, host, or server name) [openvpn-server]: [return]
[...]
req: /usr/local/share/easy-rsa/pki/reqs/openvpn-server.req
key: /usr/local/share/easy-rsa/pki/private/openvpn-server.key

Step two: now, we'll sign the request (the file with the *.req extension)
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa sign-req server openvpn-server
[...]
commonName = openvpn-server
[...]
Confirm request details: yes
[...]
Certificate is to be certified until Aug 14 01:21:20 2026 GMT (3650 days) [...]
Certificate created at: /usr/local/share/easy-rsa/pki/issued/openvpn-server.crt

Again, answer the questions appropriately, when asked if you want to sign it and if you want to commit, type yes .
Afterwards, we'll create the Diffie-Hellman parameters (this one takes a long time):
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa gen-dh
[...]
This is going to take a long time
............+.......+....+.............[...]
DH parameters of size 2048 created at /usr/local/share/easy-rsa/pki/dh.pem
[root@vpnserver /usr/local/share/easy-rsa]# openvpn --genkey --secret ta.key
[root@vpnserver /usr/local/share/easy-rsa]# chmod 400 ta.key

Creating the User's Certificates

The next step can be repeated for as many users as you want to allow in your VPN. They will all be assigned an IP
inside the purple network. First we create the user's request:
[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa gen-req john.appleseed nopass
[...]
Common Name (eg: your user, host, or server name) [john.appleseed]: [return]
[...]
req: /usr/local/share/easy-rsa/pki/reqs/john.appleseed.req
key: /usr/local/share/easy-rsa/pki/private/john.appleseed.key

Then we sign the new user's request:

[root@OpenVPN /usr/local/share/easy-rsa]# ./easyrsa sign-req client john.appleseed
[...]
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
[...]
Certificate created at: /usr/local/share/easy-rsa/pki/issued/john.appleseed.crt

All of the generated keys are inside the pki folder: we'll find our public keys in pki/issued, and the private keys in
pki/private. Now copy the generated keys to your permanent storage, I mounted mine in /mnt/keys:
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/issued/* /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/private/* /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/ca.crt /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp pki/dh.pem /mnt/keys
[root@OpenVPN /usr/local/share/easy-rsa]# cp ta.key /mnt/keys
[root@openvpn /usr/local/share/easy-rsa]# cd /mnt/keys
[root@OpenVPN /mnt/keys]# ls -lah
drwxr-xr-x 2 root wheel 8B Aug 15 21:06 .
drwxr-xr-x 3 root wheel 3B Sep 29 2015 ..
-rw------- 1 root wheel 1.1k Aug 15 21:06 ca.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 ca.key
-rw------- 1 root wheel 424B Aug 15 21:16 dh.pem
-rw------- 1 root wheel 4.3k Aug 15 21:05 john.appleseed.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 john.appleseed.key
-rw------- 1 root wheel 4.3k Aug 15 21:05 openvpn-server.crt
-rw------- 1 root wheel 1.7k Aug 15 21:06 openvpn-server.key
-rw------- 1 root wheel 636B Aug 15 21:17 ta.key

After listing your keys, you should see your CA, OpenVPN and user's private and public keys (*.crt and *.key) and
Diffie-Hellman file (dh.pem)

OpenVPN Server Configuration

Now we'll place our OpenVPN configuration in /mnt/keys/openvpn.conf using nano
[root@OpenVPN /mnt/keys]# nano openvpn.conf

Insert the next configuration:

Code:

port 10011
proto udp
dev tun
ca ca.crt
cert openvpnserver.crt #Server public key
key openvpnserver.key #Server private key
dh dh.pem #DiffieHellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfigpoolpersist ipp.txt
push "route 10.0.0.0 255.255.255.0" #Yellow network
tlsauth ta.key 0
#crlverify crl.pem
keepalive 10 120
cipher AES256CBC
auth SHA256
group nobody
user nobody
complzo
persistkey
persisttun
verb 3

A couple of notes about this configuration:

The port in which the OpenVPN service listens to is UDP 10011. That's because my router maps OpenVPN Jail's
IP port 10011 to the 443 WAN (internet) port for security reasons.
Change the 10.0.0.0 address to your yellow network.
The file ipp.txt will store the active connections and give you the same IP the last time you connected.
Note how a static route is pushed to the client, which indicates that the yellow network can be accessed through
this jail (OpenVPN Jail).

Exit and save this file (ctrl+x in nano). Now let's configure NAT so we can create the purple network.

Server NAT Configuration

Next, we'll create the firewall rules for the server:
[root@openvpn /mnt/keys]# nano /usr/local/etc/ipfw.rules

This will create a new file in /usr/local/etc/ named ipfw.rules. Insert the next rules in that file:

Code:

#!/bin/sh

EPAIR=$(/sbin/ifconfig l | tr " " "\n" | /usr/bin/grep epair)

ipfw q f flush
ipfw q nat 1 config if ${EPAIR}
ipfw q add nat 1 all from 172.16.8.0/24 to any out via ${EPAIR}
ipfw q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig l | tr " " "\n" | /usr/bin/grep tun)

ifconfig ${TUN} name tun0

Important: Avoid copying and pasting any command from the internet. But if you have to do it, make sure that on
${EPAIR} there's no space between the $ and the brackets.

A couple of notes about this configuration:

After EPAIR, the first line flushes any previous configuration in the firewall
The second one, creates the purple network.
The third one, creates a rule saying that all traffic from the purple network should be translated and outputted
through the epair0b interface (the one connected to the yellow network.
The last one accepts any traffic coming from the yellow network (i.e. the one connected through epair0b
interface) back into the jail.
This configurations are the backbone of the translation between the yellow and purple networks.

Finally, let's edit /etc/rc.conf so our configuration can be properly read:

[root@openvpn /mnt/keys]# nano /etc/rc.conf

Insert this after the last line:

Code:

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/keys/openvpn.conf"
openvpn_dir="/mnt/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Replace /mnt/keys/ for the path where you mounted your permanent storage. This enables the OpenVPN service,
tells it where to find the configuration we saved and tells it where to find the NAT configuration.

Now go to your FreeNAS Web-gui and restart the jail.

Use jexec to get inside your jail again. Lets confirm the firewall is configured properly.
[root@openvpn /mnt/keys]# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
[root@openvpn /mnt/keys]#

To check that OpenVPN is listening in your configured port, run

[root@OpenVPN /]# sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nobody openvpn 63758 6 udp4 *:10010 *:*
root syslogd 63726 7 udp4 *:514 *:*
[root@OpenVPN /]#

This means that OpenVPN is successfully listening on the configured port.

Client Configuration
For each client that was configured, we need to obtain their certificates and the CA root cert. Go to /mnt/keys and
type:
[root@vpnserver /mnt/keys]# chmod 644 john.appleseed.key john.appleseed.crt ca.crt ta.key

We need to change the private key's permissions so we can download them from the jail and insert it into our client
configuration file. Do this for each client you created.

Using any SFTP program you like, copy the files in /mnt/keys: ca.crt, john.appleseed.key,
john.appleseed.crt and ta.key to a folder in your desktop. In a text editor, type the next client configuration:

Code:

client
dev tun
proto udp
remote myddnsdomain.com 443
resolvretry infinite
nobind
persistkey
persisttun
ca ca.crt
cert john.appleseed.crt
key john.appleseed.key
remotecerttls server
cipher AES256CBC
tlsauth ta.key 1
#dhcpoption DNS 0.0.0.0
#redirectgateway def1
complzo
verb 3

Replace myddnsdomain.com with your DDNS domain or with your static ip. If your router is configured to another
port mapping, replace 443 with your custom UDP port.

Save that file as home-vpn.ovpn in the folder in your desktop where you saved your certificates.

Now use any OpenVPN client you like to import the OVPN file you just created. It will automatically detect your
certificates and import them into configuration. Congratulations, you now have a working VPN!

Know this
This will only help you access clients in the yellow network. If you want to route all of your traffic (act as a default
gateway), uncomment the lines dhcp-option and redirect-gateway.

Replace 0.0.0.0 with your local DNS server. This is almost always your gateway's IP address, in this case, it's my
ISP's modem in the Yellow Network.

Security Hardening
This section is completely optional and will help you protect your server from DoS and unauthorized intruders.

DoS mitigation
There's an option called tls-auth that checks for a signature in each packet so unsigned ones can be dropped much
easily, it helps to obfuscate your OpenVPN service and protects against DoS by creating a static pre-shared hash-based
message authentication code (HMAC) key.

What this means is that if the someone doesn't provide this key first, the OpenVPN server won't even entertain the idea
of authenticating any request from it.

This key is generated in the server and must be included in each client along with the other files (ca.crt,
john.appleseed.crt and john.appleseed.key). It is included in the main instructions, so if you followed them
correctly, this is already implemented.

Troubleshooting

Is it running?
[root@openvpn /]# ps aux
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
nobody 4977 0.0 0.0 21704 3536 - SsJ 10:20PM 0:00.08 /usr/local/sbin/openvpn --cd /usr/local/
Here I can confirm that my OpenVPN server is running inside the jail as a service. If you don't see your process, run
OpenVPN manually (next step).

Check OpenVPN's output

Stop the OpenVPN service (if running) and run it manually to see the output.
[root@openvpn /]# service openvpn stop
[root@openvpn /]# openvpn --config /mnt/keys/openvpn.conf

Reboot
Have you tried turning it on and off again? No seriously, FreeNAS seems to not update its routing tables properly using
the newly created tunnel interface, but it seems that after a reboot, OpenVPN does connect properly.

Check the firewall rules

You can prompt the firewall to output its current rules, if after restarting your jail your output looks like this:
[root@openvpn /mnt/keys]# ipfw list
65535 allow ip from any to any

Then there's something wrong with your firewall configuration. Check if /usr/local/etc/ipfw.rules contains
the proper rules and that your paths are correct in /etc/rc.conf.

---
I hope this helps reduce the time it took me to originally figure out how to do everything without messing with static
routes in the gateway router, firewall configurations and NAT issues.

If you find some mistake or have a suggestion or improvement, please don't forget to comment!

Special thanks to:

aplats for his/her post involving NAT issues.
Cosmo_Kramer for his/her answer about how to configure the firewall properly
DeliveryGuy for his incredibly comprehensive tutorial of OpenVPN in FreeNAS.
qwertymodo for tutorial on OpenVPN which this one extends.
enemy85 for his solution to bash not resolving a gettext dependency.
nello for his extensive support to other users in this thread, the server configuration hardening commands and the
small script for tunnel interfaces.

Last edited: Nov 1, 2016

robles, Aug 19, 2014 #1

NasKar, TeChn4K, Steo and 15 others said thanks for this.

I will be impressed if this works.

We have gone through several iterations of posts like this, and none of them ever are correct. Perhaps I will step
through the guide tomorrow.

DrKK FreeNAS 9.3.latest

FreeNAS Generalissimo SuperMicro X10SLM+-F
Joined: Oct 15, 2013
Intel Pentium G3220
16 GB Kingston ECC UDIMM RAM
Messages: 2,630
3x2TB WD Red in RAID-Z
Thanks Received: 595
Cyberpower CP685AVR
Trophy Points: 111
2x16GB Sandisk Cruzer Fit USB 2.0
Occupation:
If your drives are over 35C, you're doing it wrong.
Promulgator of Peace and Love
Location: East Coast USA
DrKK, Aug 19, 2014 #2

At a quick glance, this looks pretty good. I'll look forward to trying it.

DrKK FreeNAS 9.3.latest

FreeNAS Generalissimo SuperMicro X10SLM+-F
Intel Pentium G3220
Joined: Oct 15, 2013
16 GB Kingston ECC UDIMM RAM
Messages: 2,630 3x2TB WD Red in RAID-Z
Thanks Received: 595 Cyberpower CP685AVR
Trophy Points: 111 2x16GB Sandisk Cruzer Fit USB 2.0
Occupation: If your drives are over 35C, you're doing it wrong.
Promulgator of Peace and Love
Location: East Coast USA DrKK, Aug 19, 2014 #3

Hell yes it does work! I imported the OVPN profile into my phone, here it is connected (notice I'm using my celular
network):

robles
FreeNAS Aware

Joined: Jul 29, 2014

Messages: 84
Thanks Received: 34
Trophy Points: 11

robles, Aug 19, 2014 #4

Thumbs up! I have favorite the thread for my use later. Thanks for the write up

Send from Note 3

Market Guru, Aug 22, 2014 #5

Market Guru
Newbie

Joined: Aug 10, 2014

Messages: 17
Thanks Received: 0
Trophy Points: 4
Occupation: Trader
Location: Toronto, Canada

Great guide, works like a charm for me.

now i can finally get rid of my old "router" that i used purely for VPN tunneling through.

I can confirm that the redirect, so that all traffic goes through the VPN also works flawless.

marcusorwen one thing to note in the guide (not that hard to spot but will point it out anyway) is that on the last lines on configuring
Newbie
the redirect you said we should replace the ip 10.0.0.10 with our DNS but in the bit of code above its 10.0.0.254 (just a
Joined: Aug 22, 2013 small typo i think?)
Messages: 14
Thanks Received: 1
Trophy Points: 6 Also i had to have vanilla checked because pkg install didnt want to update repositories, and failed if i didnt leave that
checked.

But anyway thanks alot for this

marcusorwen, Aug 26, 2014 #6

Nicely spotted! thanks for the correction

robles, Aug 26, 2014 #7

robles
FreeNAS Aware

Joined: Jul 29, 2014

Messages: 84
Thanks Received: 34
Trophy Points: 11

Great guide!!!. After weeks of trying to set up a openvpn service on my netgear r6300 unsucessfully. I just follow it
your guide and got the vpn working from a jail in freenas. Thank You. I need it the vpn so badly. Question is there any
ways to add a username/pwd to the configuration. Kind of like a two factor authentication. Just want it to know if it is
possible and if you have successfully done it robles.

Metalcraft Current FREENAS Bare Build

Newbie 6 x Western Digital Red NAS Hard Drive WD20EFRX 2TB IntelliPower 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive
Joined: May 17, 2014
Fractal Design Node 304 FD-CA-NODE-304-BL Black Aluminum / Steel Mini-ITX Tower Computer Case
Messages: 16
Thanks Received: 1
2 x Kingston DataTraveler microDuo 8GB Micro USB OTG Flash Drive Model DTDUO/8GB
Trophy Points: 4

ASRock C2750D4I Mini ITX Server Motherboard FCBGA1283 DDR3 1600/1333

SeaSonic SSR-360GP 360W ATX12V v2.31 80 PLUS GOLD Certified Active PFC Power Supply New 4th Gen CPU Certified

Crucial 16GB Kit (8GBx2) DDR3L 1600MT/s (PC3-12800) DR x8 ECC UDIMM 240-Pin Server Memory CT2KIT102472BD160B

Metalcraft, Sep 2, 2014 #8

I haven't tested it, but when you create your client's certificate (./build-key john.appleseed) you can specify a
password and OpenVPN should ask you for it when trying to connect in order to decrypt it.
If you want multi-factor authentication (OTAP) you can try DeliveryGuy's tutorial here:
http://joepaetzel.com/2014/05/20/enable-multi-factor-authentication-for-openvpn/

robles robles, Sep 2, 2014 #9

FreeNAS Aware

Joined: Jul 29, 2014

Messages: 84
Thanks Received: 34
Trophy Points: 11

Hi Robles,

I am new to this forum and am new to freenas servers overall. I have been messing with the Freenas server these past
couple days and have become somewhat familiar with everything. I am currently trying to setup my own OpenVPN
server and have followed your guide all the way through but have yet to get it to work. I am a bit confused since I am a
Ethan Tran novice to networking.
Newbie

Joined: Sep 2, 2014 This is my current setup:

Messages: 12
Modem: Motorola SB6141 Surfboard
Thanks Received: 0
Trophy Points: 4 ISP: 72.XXX.X.XXX
ASUS RT-N53 Router: 10.0.0.1/255.255.0.0
OpenVPN Jail: 10.0.0.3/255.255.0.0
Freenas Web GUI: 10.0.0.192/255.255.0.0

The Freenas server is connected directly to one of the Router's lan port and the motorola modem is connected to the
WAN port of the router.

1) How do we know which port to forward to, for example you have 10011 as your internal and 443 as your external.
On OpenVPN's website they were using 1194 and 943. I have a ASUS RT-N53 and the setup is similiar to this online
GUI: http://event.asus.com/2012/nw/dummy_ui/EN/Advanced_VirtualServer_Content.html

I am a bit confused with "internal/external" ports since my router only asks for Port Range, Local IP, Loacl Port and
protocol. Will I be opening the port for the OpenVPN 10.0.0.3 as the local ip or am I using my ISP's assigned IP?

2) On your OpenVPN configuration file I am bit confused with the IP's 10.8.0.0 255.255.255.240, could I use the same
set of ip's in my setup even though I have the netmask 255.255.0.0? Also where did you get the 10.8.0.1? I noticed you
explained it above in the diagram but I was abit confused of how the purple networks were assigned their IP's. I
currently have it setup as following:

port 10011
proto udp
dev tun
ca /mnt/openvpn/keys/ca.crt
cert /mnt/openvpn/keys/openvpn-server.crt
key /mnt/openvpn/keys/openvpn-server.key
dh /mnt/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.240
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.0.0"
route 10.0.0.3 255.255.0.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun

3) For the .OVPN file, do I assigned DDNS to my ISP's IP 72.XXX.X.XXX? And I would have to make sure port 443 is
open for it also correct?

4) This is my OpenVPN connection attempt log using Window's OpenVPN Client, where 72.XXX.X.XXX is my ISP's
IP:
Tue Sep 02 15:02:01 2014 UDPv4 link local: [undef]
Tue Sep 02 15:02:01 2014 UDPv4 link remote: [AF_INET]72.XXX.X.XXX:443
Tue Sep 02 15:02:01 2014 MANAGEMENT: >STATE:1409688121,WAIT,,,
Tue Sep 02 15:03:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network
connectivity)
Tue Sep 02 15:03:02 2014 TLS Error: TLS handshake failed
Tue Sep 02 15:03:02 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Sep 02 15:03:02 2014 MANAGEMENT: >STATE:1409688182,RECONNECTING,tls-error,,
Tue Sep 02 15:03:02 2014 Restart pause, 2 second(s)
Tue Sep 02 15:03:04 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Sep 02 15:03:04 2014 UDPv4 link local: [undef]
Tue Sep 02 15:03:04 2014 UDPv4 link remote: [AF_INET]72.XXX.X.XXX:443
Tue Sep 02 15:03:04 2014 MANAGEMENT: >STATE:1409688184,WAIT,,,
Tue Sep 02 15:04:04 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network
connectivity)
Tue Sep 02 15:04:04 2014 TLS Error: TLS handshake failed
Tue Sep 02 15:04:04 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Sep 02 15:04:04 2014 MANAGEMENT: >STATE:1409688244,RECONNECTING,tls-error,,
Tue Sep 02 15:04:04 2014 Restart pause, 2 second(s)
Tue Sep 02 15:04:06 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Sep 02 15:04:06 2014 UDPv4 link local: [undef]
Tue Sep 02 15:04:06 2014 UDPv4 link remote: [AF_INET]72.XXX.X.XXX:443
Tue Sep 02 15:04:06 2014 MANAGEMENT: >STATE:1409688246,WAIT,,,
Tue Sep 02 15:05:06 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network
connectivity)
.....etc and it continues to attempt to connect.

5) Do I need to double click on the .crt file and install it on the client device or should it work as long as it exists in the
same place as the .OVPN file?

Sorry for lengthy questions, I am new all this and am very excited to learn. Correct me anywhere I am wrong as I am
open to anything. Thank you.

Ethan

Ethan Tran, Sep 2, 2014 #10

Update: I actually just figured it out, thanks for the write up. It was a typo on my end and setting I forgot to add.

Ethan Tran, Sep 2, 2014 #11

Ethan Tran
Newbie

Joined: Sep 2, 2014

Messages: 12
Thanks Received: 0
Trophy Points: 4

Here's a quick explanation of how ports work:

robles
FreeNAS Aware

Joined: Jul 29, 2014

Messages: 84
Thanks Received: 34
Trophy Points: 11

Here's a web server that's operating inside a LAN, which can be accessed from the internet. The gateway's configured to
redirect port 80 of the web server to the port 80 on the internet facing side. This means that anyone in the LAN can
connect to the web server through port 80.

A more secure approach is to change the port from which the server "serves" the content from the LAN so it doesn't
match the outside port:

The web server is serving webpages internally through the 8080 port, but if the client types its address, it will be able to
connect successfully, because the 80 external port is redirected to the 8080 internal port.

The same is true the other way, if port 22 is very common for SSH access, it's easy for someone to attack it through
DDoS. This way, the not-so-obvious port 9088 gets to be the SSH external port. So if we're connecting through the
internet, we'd have to specify SSH that it needs to talk to the 9088 port instead of the default 22.

If I'm the admin of that server, I can SSH normally within the LAN because the web server is still using the port 22
internally.

If you must map ports from your public IP to a machine, make sure they're different than the internal ports for
increased security.

The "right way to do it" should be to create a virtual link between your computer and your office/home LAN and then
access the services as if they were local. That way, they travel in an encrypted secure way.

Last edited: Sep 15, 2014

robles, Sep 3, 2014 #12

JJT211 said thanks for this.

Whoa thanks for the diagrams and explanation robles. I was reading on ports and was able to understand the
external/internal ports but after reading your information it cleared everything up even more. So mainly the reason for
altering external ports from internal ports is for security and to throw off online scouters. One thing I did want to ask
was, is there always a major loss in download/upload speeds when connected through openvpn?

Ethan Tran For example (Using speedtest.net): My freenas server where the openvpn is setup at is at home in which I have a
Newbie
approximately 50mbps download/6mbps upload. I am connecting to the vpn at work where I have approximately
Joined: Sep 2, 2014 40mbps download/7-8mbps upload. But once connected to the openvpn server, my download is approximately
Messages: 12
5mbps/upload is 5mbps. I have about a 90% loss in speed.
Thanks Received: 0
Trophy Points: 4
1) Is there anyway to optimize for better speed/throughput?
2) Is the speed of the vpn dependent on the servers download or upload speed?

Thanks again.

Ethan Tran, Sep 4, 2014 #13

Hi Ethan,

Question does the vpn using at work is it from a windows pc. Do you have access to your home internal network like
can you access the nas. I am only able to access the nas when I vpn from an android device. I added it with my correct
dns.
Metalcraft
Newbie 1. dhcp-option DNS 10.0.0.254
Joined: May 17, 2014 2. redirect-gateway def1
Messages: 16
Thanks Received: 1
Trophy Points: 4 Current FREENAS Bare Build
6 x Western Digital Red NAS Hard Drive WD20EFRX 2TB IntelliPower 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive

Fractal Design Node 304 FD-CA-NODE-304-BL Black Aluminum / Steel Mini-ITX Tower Computer Case

2 x Kingston DataTraveler microDuo 8GB Micro USB OTG Flash Drive Model DTDUO/8GB

ASRock C2750D4I Mini ITX Server Motherboard FCBGA1283 DDR3 1600/1333

SeaSonic SSR-360GP 360W ATX12V v2.31 80 PLUS GOLD Certified Active PFC Power Supply New 4th Gen CPU Certified

Crucial 16GB Kit (8GBx2) DDR3L 1600MT/s (PC3-12800) DR x8 ECC UDIMM 240-Pin Server Memory CT2KIT102472BD160B

Metalcraft, Sep 5, 2014 #14

Metalcraft said:

Hi Ethan,

Question does the vpn using at work is it from a windows pc. Do you have access to your home internal network like can you access the
nas. I am only able to access the nas when I vpn from an android device. I added it with my correct dns.

Ethan Tran 1. dhcp-option DNS 10.0.0.254

Newbie 2. redirect-gateway def1
Joined: Sep 2, 2014
Messages: 12
Thanks Received: 0 Hi Metalcraft,
Trophy Points: 4

Yes I am using a work laptop with windows 7 64-bit. I am connect to the work's wifi using a asus router and a
motorola cable modem. I have a similiar setup at home. I am able to access my freenas, plex media web server, and
pretty much everything as if I was connected in my home LAN.

Ethan Tran, Sep 5, 2014 #15

Weird. I may have miss something allow the routing on the server side.

Metalcraft Current FREENAS Bare Build

Newbie 6 x Western Digital Red NAS Hard Drive WD20EFRX 2TB IntelliPower 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive

Joined: May 17, 2014

Fractal Design Node 304 FD-CA-NODE-304-BL Black Aluminum / Steel Mini-ITX Tower Computer Case
Messages: 16
Thanks Received: 1 2 x Kingston DataTraveler microDuo 8GB Micro USB OTG Flash Drive Model DTDUO/8GB
Trophy Points: 4
ASRock C2750D4I Mini ITX Server Motherboard FCBGA1283 DDR3 1600/1333

SeaSonic SSR-360GP 360W ATX12V v2.31 80 PLUS GOLD Certified Active PFC Power Supply New 4th Gen CPU Certified

Crucial 16GB Kit (8GBx2) DDR3L 1600MT/s (PC3-12800) DR x8 ECC UDIMM 240-Pin Server Memory CT2KIT102472BD160B

Metalcraft, Sep 5, 2014 #16

Ethan Tran said:

Hi Metalcraft,

Yes I am using a work laptop with windows 7 64-bit. I am connect to the work's wifi using a asus router and a motorola cable modem.
I have a similiar setup at home. I am able to access my freenas, plex media web server, and pretty much everything as if I was
connected in my home LAN.
Ethan Tran
Newbie

Joined: Sep 2, 2014 Metalcraft said:

Messages: 12
Hi Ethan,
Thanks Received: 0
Trophy Points: 4
Question does the vpn using at work is it from a windows pc. Do you have access to your home internal network like can you access the
nas. I am only able to access the nas when I vpn from an android device. I added it with my correct dns.

1. dhcp-option DNS 10.0.0.254

2. redirect-gateway def1

I forgot to add some suggestions, you should verify if your FreeNAS server has a default gateway in the global
configuration. I have mine setup the same as my router's lan ip, in my case "10.0.0.1" and I am using google's
nameserver1 8.8.8.8 and nameserver2 8.8.4.4. Also I am not sure if this should prevent you from being able to access
the FreeNAS server is making sure everything is on the same subnet. You can try turning off your window's firewall
completely to test and see if you can connect then, to make sure it is not a problem with your computer.

Ethan Tran, Sep 5, 2014 #17

Metalcraft said:

Weird. I may have miss something allow the routing on the server side.

If all the above does not work I would definitely check your server settings. Are you using the same certificates for both
Ethan Tran your phone and computer? The weird part is that you're able to access the FreeNAS from your phone and not your
Newbie computer.
Joined: Sep 2, 2014
Messages: 12 Ethan Tran, Sep 5, 2014 #18
Thanks Received: 0
Trophy Points: 4

Correct. I am using the same cert. I am going to check what you suggested it. I think you may be right on the windows
firewall going to test both both I don't think the dns for the name server on the nas has anything to do since it is an
internal dns it should work. Thx for the suggestions

Metalcraft Current FREENAS Bare Build

Newbie 6 x Western Digital Red NAS Hard Drive WD20EFRX 2TB IntelliPower 64MB Cache SATA 6.0Gb/s 3.5" Internal Hard Drive

Joined: May 17, 2014

Fractal Design Node 304 FD-CA-NODE-304-BL Black Aluminum / Steel Mini-ITX Tower Computer Case
Messages: 16
Thanks Received: 1 2 x Kingston DataTraveler microDuo 8GB Micro USB OTG Flash Drive Model DTDUO/8GB
Trophy Points: 4
ASRock C2750D4I Mini ITX Server Motherboard FCBGA1283 DDR3 1600/1333

SeaSonic SSR-360GP 360W ATX12V v2.31 80 PLUS GOLD Certified Active PFC Power Supply New 4th Gen CPU Certified

Crucial 16GB Kit (8GBx2) DDR3L 1600MT/s (PC3-12800) DR x8 ECC UDIMM 240-Pin Server Memory CT2KIT102472BD160B

Metalcraft, Sep 5, 2014 #19

Metalcraft said:

Correct. I am using the same cert. I am going to check what you suggested it. I think you may be right on the windows firewall going to
test both both I don't think the dns for the name server on the nas has anything to do since it is an internal dns it should work. Thx for the
suggestions

Ethan Tran Good luck! Hope you get it working.

Newbie

Joined: Sep 2, 2014 Ethan Tran, Sep 5, 2014 #20

Messages: 12
Thanks Received: 0
Trophy Points: 4

Page 1 of 23 1 2 3 4 5 6 23 Next > (You must log in or sign up to reply here.)

Home Forums Archived Sections HowTo Guides Jails

New Style Privacy Policy Help Home Top