This article is no longer current; please go here for an updated write-up on OpenVPN on FreeNAS.
So I’ve been playing around with FreeNAS 8.2. Decided it would be handy to have OpenVPN running on the fileserver so my wife and I can get to our files if we are away from home. There are a couple of tricks that I discovered along the way to get this to work right.
***Make sure to read the comments as there are sample configs and a bunch of other useful stuff down there!!!***
If you find this super useful, I wouldn’t turn down paypal donations.
First the easy stuff. We don’t have a static public IP, so I needed to set up a DynDNS account. Once I did that, I configured the Dynamic DNS service on the FreeNAS box with my DynDNS account info. Then I started the service.
Next I needed to forward port 1194 on my gateway to the FreeNAS box. So now I have a domain name to use and a port that forwards to my file server.
FreeNAS 8.2 has OpenVPN built in. The config files that we need to be concerned with are:
/conf/base/etc/rc.conf
/conf/base/etc/local/openvpn
The thing about /conf/base/etc/local/openvpn is that you need to create it. In order to do that, you need to make the filesystem writable.
mount -uw /
mkdir /conf/base/etc/local/openvpn
There is a really good tutorial on setting up OpenVPN here. It goes through all the steps of generating your certificates, setting up your config files and the like. But pay no attention to the “Adding routes to the OpenVPN server” section over at http://www.unix-heaven.org/node/47. The push route and route entries you enter below will handle that.
When you get to the point of configuring the /conf/base/etc/local/openvpn/openvpn.conf file you’ll need to make a bit of a tweak from the norm to get things to work. Here’s an excerpt of what was needed. You can find my full server and client configs in the comments below.
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.100 255.255.255.0 10.8.0.1
The “special” part is the route line. The pattern is:
route (freeNAS-IP) subnet-mask 10.8.0.1
You’ll have to change the push “route” to match your network ip ranges too.
If you don’t make that entry, you’ll get an error like this in your server log:
OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network
Now add this to the end of /conf/base/etc/rc.conf
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
If you make your config changes directly to /etc/rc.conf or /usr/local/etc/openvpn they will get blown away on restarts. So, now you should be able to restart your FreeNAS box. Then:
/usr/local/etc/rc.d/openvpn status
to see if OpenVPN is running.
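The whole procedure above (create the persistent directory, write openvpn.conf with the push/route pair, add the rc.conf lines), collected into one added example script. This is not code from the original post; it assumes an openvpn.conf modelled on the excerpt above and the key paths used later in the comments, takes the FreeNAS LAN IP and LAN network address as parameters, and stages everything under /conf/base, or under a directory you pass as a third argument for a dry run. Before it touches rc.conf it checks that every route line carries a gateway, which is exactly the omission that produces the “needs a gateway parameter for a --route option” error quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): stage an OpenVPN server config
# for FreeNAS 8.2 in the persistent /conf/base tree.
# Assumed paths, taken from the post:
#   /conf/base/etc/local/openvpn  -> populated into /usr/local/etc/openvpn on boot
#   /conf/base/etc/rc.conf        -> populated into /etc/rc.conf on boot
# The config references /usr/local/etc/openvpn, because that is where the files
# live once the box has booted; /conf/base is only the boot-time snapshot.

# write_openvpn_conf NAS_IP LAN_NET OUTFILE
# NAS_IP: the FreeNAS LAN address.  LAN_NET: the LAN network, e.g. 192.168.0.0.
write_openvpn_conf() {
    nas_ip=$1; lan_net=$2; out=$3
    cat > "$out" <<EOF
local $nas_ip
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Clients learn the LAN behind the server.
push "route $lan_net 255.255.255.0"
# The "special" line: without the 10.8.0.1 gateway OpenVPN logs
# "needs a gateway parameter for a --route option".
route $nas_ip 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
EOF
}

# check_route_gateway CONF
# Returns 0 if every 'route' directive has a gateway argument (or the file
# sets a global route-gateway), 1 otherwise.
check_route_gateway() {
    conf=$1
    if grep -q '^route-gateway' "$conf"; then return 0; fi
    # A 'route net mask' line with fewer than 4 fields has no gateway.
    awk '$1 == "route" && NF < 4 { bad = 1 } END { exit bad + 0 }' "$conf"
}

# append_rc_conf RCFILE
# Adds the three openvpn_* lines from the post once; safe to re-run.
append_rc_conf() {
    rc=$1
    grep -q '^openvpn_enable=' "$rc" 2>/dev/null && return 0
    cat >> "$rc" <<'EOF'
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
EOF
}

# stage_openvpn NAS_IP LAN_NET [CONF_BASE]
# CONF_BASE defaults to /conf/base; pass a scratch directory to dry-run.
stage_openvpn() {
    base=${3:-/conf/base}
    # The real snapshot tree is read-only until remounted, as the post says.
    [ "$base" = /conf/base ] && mount -uw /
    mkdir -p "$base/etc/local/openvpn"
    write_openvpn_conf "$1" "$2" "$base/etc/local/openvpn/openvpn.conf"
    check_route_gateway "$base/etc/local/openvpn/openvpn.conf" || return 1
    append_rc_conf "$base/etc/rc.conf"
}

# Usage on the NAS (as root): stage_openvpn 192.168.0.100 192.168.0.0
# Dry run anywhere:           stage_openvpn 192.168.0.100 192.168.0.0 /tmp/stage
```

After a real run, reboot (or copy the staged files into /usr/local/etc/openvpn and /etc/rc.conf by hand, as the comments describe) and confirm with /usr/local/etc/rc.d/openvpn status.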
I think that’s pretty much it. Let me know if you have any questions.
I can’t seem to get this to work. Are the /conf/base/etc/local/etc/openvpn files supposed to be moved over automatically?
Yes. They should get moved over on reboot. If you don’t want to reboot, you’ll need to move them into place manually.
Now it seems the kldload for if_tap fails
I used tun…have you tried that?
An example script would be great to have here. I’m at the ends of my expertise trying to make this openvpn a reality in my server.
Only the names have been changed to protect the innocent…also deleted all the extra comments.
CLIENT CONFIG
# Sample client-side OpenVPN 2.0 config file #
client
dev tun
proto udp
#change remote to your static ip
#or domain name for your freenas server
remote something.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Path/to/Some-ca.crt
cert /Path/to/laptop.crt
key /Path/to/laptop.key
ns-cert-type server
comp-lzo
verb 3
SERVER CONFIG
# Sample OpenVPN 2.0 config file for
# multi-client server.
#replace x.x.x.x with freenas ip
local x.x.x.x
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push "route x.x.x.x 255.255.255.0"
#replace x.x.x.x with freenas ip
route x.x.x.x 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
Hope that helps. Those are my actual configs, so if they don’t work for you after changing the ip’s to match your setup, you have other problems.
specifically, I’m running into difficulty producing the certificates.
when I execute:
[root@nas /usr/local/etc/openvpn/easy-rsa/2.0]# ./build-ca
I get:
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
I have not a clue where or what the vars script is, any help here?
also, possibly noteworthy, I was previously running on a version 8 build, and upgraded to 8.2
ok…are you trying to follow the directions over at http://www.unix-heaven.org/node/46?
Sounds like you didn’t switch your shell to /bin/sh before sourcing the vars.
try this from root:
/bin/sh
cd /usr/local/etc/openvpn/easy-rsa/2.0 && . vars
still the same problem…
[root@nas ~]# /bin/sh
# cd /usr/local/etc/openvpn/easy-rsa/2.0 && . vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/2.0/keys
# ./build-ca
Please edit the vars script to reflect your configuration,
then source it with "source ./vars".
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run "./clean-all".
Finally, you can run this tool (pkitool) to build certificates/keys.
#
That’s weird. So here’s what is in my vars file. What does yours look like?
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"
# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
# Increase this to 2048 if you
# are paranoid. This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=1024
# In how many days should the root CA key expire?
export CA_EXPIRE=3650
# In how many days should certificates expire?
export KEY_EXPIRE=3650
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
# easy-rsa parameter settings
# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.
# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"
#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
Yeah…try it with the vars file that I posted.
So I finally figured this out. You have to run the ./clean script before you run the ./build-ca script.
Arrg…missed a very important line in the Client Config above. Forgot to have the remote line, which is the ip/domain name for your openvpn server and the port. I added the line above…so take another look if you’ve already looked at it.
Will this still work for Freenas 8.0.4?
I honestly have no idea if OpenVPN is part of that base install. I’d say look in /usr/local/sbin and see if openvpn is there. If it is, then yes, this should work.
Nope, well thanks. I guess I could update to FreeNAS 8.4; after all I’m using ZFS so it should be easy to restore.
You should look into the versions of zfs between the two versions of FreeNas. I don’t know if this will be a problem or not, but some FreeNas upgrades upgrade your ZFS…and that is a one-way street.
Ahh, ok I’ll do research before I do so. Nevertheless, good practice is backing up. Plus I’ll do a trial run on virtual servers just in case.
err mean 8.2
How you install openvpn in freenas?
It’s a default part of 8.2. If you aren’t on 8.2…then you’ll need to make the drive writable.
mount -uw /
Then you could try pkg_add openvpn
if that doesn’t work…it’s going to get more complicated.
I have FreeNAS 8.2 but I can’t find it. Can you be more specific please?
Not sure why you’d need to know where the executable lives…
/usr/local/sbin/openvpn
Start/stop script for it is /usr/local/etc/rc.d/openvpn
when i try to create mkdir /conf/base/etc/local/etc/openvpn the /etc folder before /openvpn does not exist is it normal?
Sorry, I typo’ed that. Should be /conf/base/etc/local/openvpn
I read the instructions at http://www.unix-heaven.org/node/46 and I can’t find the vars file and the other files like server.conf etc. Do you know the path where those files are?
Huh…stumped me. I think I must have copied it from one of my FreeBSD servers over to the FreeNas box. I’ll see if I can upload them somewhere that you can grab them.
ok…so this is a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

Download that, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.
Hope that helps.
Really ugly article ;/
How so???
Hi, awesome guide, glad somebody posted one for freenas8.2 (:
However, there are some things I’m wondering about.
First is about the ‘push’ and ‘route’ in server.conf – I’m kind of a newb on this, I’m not exactly sure what I should put in there..
some info about my network:
freenasip: xxx.xxx.8.201
gateway: xxx.xxx.8.193
netmask: 255.255.255.224 (/27)
Secondly, if I reboot, everything goes away from /usr/local/etc/openvpn/ – how do I prevent that? I had to redo every step with the config because I rebooted :3
Thirdly, when I try to connect using Tunnelblick, it gets stuck at authorization (even when I told it that I don’t have anything to auth with), what do I put in as username/password?
Cheers and thanks for an awesome guide! (:
-Andreas
Hi Andreas-
Thanks for the compliment.
First, you’ve given what looks like external IP info. The push and route portions should be the internal side of your network…assuming you are running NAT. If you are not running NAT, not sure how you’d set that up. So if your internal network is a 192.168.0.0/24 network and your FreeNAS box has an IP of 192.168.0.2 then you would want the following.
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.2 255.255.255.0 10.8.0.1
Secondly, you need to modify the following config files
/conf/base/etc/rc.conf
/conf/base/etc/local/openvpn
The thing about /conf/base/etc/local/openvpn is that you need to create it. In order to do that, you need to make the filesystem writable.
mount -uw /
mkdir /conf/base/etc/local/openvpn
Thirdly, if the push and route info isn’t right, you won’t be able to connect. Connecting from inside the network can be tricky…haven’t figured that one out yet…but then why would you need to 🙂
Let me know if you are still running into issues.
Hi again,
the FreeNAS box has a static ip, which i can access both externally and internally, there’s no router in-between, if i want to use my computer on that network, i need a router which gives me an ip in the same ip-pool, so i guess that means that there is no NAT.
i’m not actually connecting from the “inside” of the network, that would be silly (: so i guess that i’m stuck at authorization due to that route and push are incorrect?
about the files going away on reboot, the rc.conf and the folder openVPN is intact, however the content of the openVPN directory is empty upon reboot.
Thank You,
-Andreas
So you really do need to make your config changes to
/conf/base/etc/rc.conf
and
/conf/base/etc/local/openvpn
Then when you reboot, your config changes will be intact.
Great ‘howto’ Joe – thanks for the effort. I tried to get openvpn to work using windows as a server, but had problems and I eventually gave up (I suspect the issues we related to routes / bridging etc – way beyond me!)
Freenas doesn’t seem to include the sample conf’s and easy-rsa, but I got them from pkg_add -r openvpn.
After sorting all sorts of configuration errors that were obvious in /var/log/messages, I have the following error which I do not know how to address.
Feb 24 11:34:11 freenas openvpn[1901]: ROUTE default_gateway=192.168.150.10
Feb 24 11:34:11 freenas openvpn[1901]: TUN/TAP device /dev/tun0 opened
Feb 24 11:34:11 freenas kernel: tun0: link state changed to UP
Feb 24 11:34:11 freenas openvpn[1901]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Feb 24 11:34:11 freenas openvpn[1901]: WARNING: potential route subnet conflict between local LAN [192.168.150.0/255.255.255.0] and remote VPN [192.168.150.0/255.255.255.0]
Feb 24 11:34:11 freenas openvpn[1901]: /sbin/route add -net 192.168.150.23 10.8.0.1 255.255.255.0
Feb 24 11:34:11 freenas openvpn[1901]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Feb 24 11:34:11 freenas openvpn[1901]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
Feb 24 11:34:11 freenas openvpn[1901]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 24 11:34:11 freenas openvpn[1927]: UDPv4 link local (bound): 192.168.150.23:1194
Feb 24 11:34:11 freenas openvpn[1927]: UDPv4 link remote: [undef]
Feb 24 11:34:11 freenas openvpn[1927]: MULTI: multi_init called, r=256 v=256
Feb 24 11:34:11 freenas openvpn[1927]: IFCONFIG POOL: base=10.8.0.4 size=62
Feb 24 11:34:11 freenas openvpn[1927]: IFCONFIG POOL LIST
Feb 24 11:34:11 freenas openvpn[1927]: Initialization Sequence Completed
Feb 24 11:34:11 freenas openvpn[1927]: IPv6 in tun mode is not supported in OpenVPN 2.2
Any idea why the route add command fails and the warning exists?
My server.conf is essentially the same as yours
Can you give me your server.conf file?
Also, the output from ifconfig
So just messing around, went ahead and restarted OpenVPN. I get the same warnings as you are. It works though…so I vote, no harm no foul.
I’d echo everyone’s comments about how great this tutorial is, thanks! When I tried this, I ran into the same situation Ralph did (with the missing samples/easy-rsa), but when I ran pkg_add I got this:
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/openvpn.tbz: No address record
pkg_add: unable to fetch ‘ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/openvpn.tbz’ by URL
Has this address been changed? If so, do you happen to have the updated address and know where to make the change?
Thanks,
Jeff
Hi Jeff-
I don’t have an answer for that…but this will work if you want to go this route. The following will get you the easy-rsa goodness.
ok…so this is a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

Download that by right-clicking and save as, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.
Hope that helps.
Thanks for the confirmation Joe.
I did use a client to connect (whilst on my 192.x.x.x net), and that seemed to work, but with the client getting a 10.x.x.x address. The client then lost connection to the local 192.x.x.x network. I’ve never had this problem before when connecting to a VPN, but then I usually go out through my gateway to the internet and onto the OpenVPN server. So I’ll try again from the ‘outside world’ once I set up port forwarding on the router.
I’ve lost count of the number of times I’ve been away on business and left some files on my server – at least with OpenVPN up and running, I won’t need to worry about that any more (just the poor upload bandwidth!)
Yeah, I haven’t managed to work the magic that makes it work from inside the network yet. Really isn’t something that I need, but would make testing things a bit easier.
First of all, thx for your great post. I followed all the steps and seems to work ok, but i have a silly network problem for sure. The openvpn is up and running, my windows openvpn client is up and running and connects without problems, the static routes are pushed too, but i can only ping to freenas box. This is my network summary:
Freenas
em0 192.168.0.200/24
tun0 10.8.0.1/10.8.0.2
Gateway 192.168.0.1
Windows Client:
Net:192.168.69.x/24
Gateway 192.168.69.25
TAP: 10.8.0.6
Wed Apr 03 10:10:03 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
Wed Apr 03 10:10:03 2013 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
Wed Apr 03 10:10:03 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 03 10:10:03 2013 Route addition via IPAPI succeeded [adaptive]
Wed Apr 03 10:10:03 2013 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
Wed Apr 03 10:10:03 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
Wed Apr 03 10:10:03 2013 Route addition via IPAPI succeeded [adaptive]
Wed Apr 03 10:10:03 2013 Initialization Sequence Completed
The config files for server and client are the same as yours.
Any idea?
Hello,
I have no experience with OpenVPN at all, even FreeNAS is quite new to me, but that part is working for me.
now i would be really interested in openvpn for file access remotely.
http://www.unix-heaven.org/node/46
but when I do # cp /usr/local/share/doc/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn I get: cp: /usr/local/share/doc/openvpn/sample-config-files/server.conf: No such file or directory
Does that mean openvpn doesn’t come with freenas 8.3.1 anymore, or did i need to install or download something first?
step by step help would be much appreciated.
Shino
ok…so this is a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

Download that by right-clicking and save as, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.
Hope that helps.
Thanks that did the trick.
At a certain point before I could do # ./build-ca I had to run # ./clean-all
then successfully did # ./build-key-server openvpn.example.org
and # ./build-dh, then
# mkdir /usr/local/etc/openvpn/keys
# cp /usr/local/etc/openvpn/easy-rsa/2.0/keys/* /usr/local/etc/openvpn/keys
followed by ./clean-all
Now after doing # ./build-key client.example.org I get
pkitool: Need a readable ca.crt and ca.key in /usr/local/etc/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
I browsed to the location, and the ca.crt and ca.key are in there.
Any idea what’s going on?
Your help is greatly appreciated 😀
It’s most likely a permissions issue if the files are there. Permissions should be:
-rw-r--r-- 1 root wheel 1354 Mar 25 08:01 ca.crt
-rw------- 1 root wheel 887 Mar 25 08:01 ca.key
-rw-r--r-- 1 root wheel 245 Mar 25 08:01 dh1024.pem
ls -la /conf/base/etc/local/openvpn/keys to see what your perms are.
To get -rw-r--r-- perms:
chmod 644 file_name
To get -rw------- perms:
chmod 600 file_name
Also check the user and group. Should be root for user and wheel for group.
To fix user and group.
chown root:wheel file_name
Hope that helps.
Also…make sure you are making these changes to /conf/base/etc/local/openvpn or they will not survive a reboot.
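An added check that goes with the permissions advice in the comment above (this is example code, not something from the post or its author): it audits a key directory for the modes the comment lists, private keys 0600 and certificates/DH parameters 0644, reports ownership that differs from root:wheel, and can apply the chmod fixes. The expected owner is a parameter so the check can be run as a non-root user against a scratch copy; the ls and find invocations used are the ones common to FreeBSD and Linux.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix permissions on an
# OpenVPN key directory, per the modes given in the comment above.

# check_key_perms DIR [OWNER:GROUP]
# Prints every offending file; returns 0 if all files are as expected, else 1.
# OWNER:GROUP defaults to root:wheel, which is what FreeNAS expects.
check_key_perms() {
    dir=$1
    want_owner=${2:-root:wheel}
    want_user=${want_owner%%:*}
    want_group=${want_owner#*:}
    bad=0

    # Private keys must be readable by the owner only (0600).
    badkeys=$(find "$dir" -name '*.key' ! -perm 600)
    if [ -n "$badkeys" ]; then
        echo "private keys not mode 0600:"; echo "$badkeys"
        bad=1
    fi

    # Certificates and DH parameters are public material: 0644.
    badpub=$(find "$dir" \( -name '*.crt' -o -name '*.pem' \) ! -perm 644)
    if [ -n "$badpub" ]; then
        echo "certs/DH params not mode 0644:"; echo "$badpub"
        bad=1
    fi

    # Ownership: parse 'ls -ld' fields 3 and 4 (user, group); this works on
    # both FreeBSD and Linux, unlike the differing stat(1) flag syntaxes.
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")
        if [ "$3" != "$want_user" ] || [ "$4" != "$want_group" ]; then
            echo "$f is owned by $3:$4, expected $want_user:$want_group"
            bad=1
        fi
    done
    return $bad
}

# fix_key_perms DIR
# Applies the chmod values from the comment. Ownership is left to
# 'chown root:wheel', which needs root and is not done here.
fix_key_perms() {
    dir=$1
    find "$dir" -name '*.key' -exec chmod 600 {} +
    find "$dir" \( -name '*.crt' -o -name '*.pem' \) -exec chmod 644 {} +
}

# Usage on the NAS: check_key_perms /usr/local/etc/openvpn/keys || fix_key_perms /usr/local/etc/openvpn/keys
```

Run it against the copy under /conf/base/etc/local/openvpn/keys as well, since that is the copy a reboot restores.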
Hello again,
The permissions are correct and the user is root and group wheel.
Still I get the same problem. I have no idea what the problem could be.
Did I have to do everything in /conf/base/etc/local/openvpn instead of /etc/local/openvpn/?
I believe you can work in either spot. Just have to make sure /conf/base/etc/local/openvpn is there or a reboot will wipe out /usr/local/etc/openvpn.
I think the issue is you did a ./clean-all after making your crt and key. Start over and don’t do the clean-all after making your server crt and key. Grasping at straws here. Might be in need of a good google search.
So yes, it was because of the ./clean-all (seems this is to be done after you have all the keys for all the clients).
But now I’m confused, as I started over doing all in /conf/base/etc/local/openvpn
I’m at the configuring server.conf now.
Do I need to tell it the keys are in /conf/base/etc/local/openvpn/keys or /usr/local/etc/openvpn/keys ??
I’m sorry to ask you so much, I never did this before, and I am really happy you are willing to help.
Even after googling a lot I seem to always end up here on your post.
And is server.conf to be renamed to openvpn.conf?
You can name the config file whatever you want…just need to have /conf/base/etc/rc.conf reflect the name you used.
From /conf/base/etc/rc.conf:
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
The difference between /conf/base/etc/local and /usr/local/etc is pretty simple. /conf/base/whatever is the fixed snapshot of the system. On boot, FreeNAS looks at /conf/base and populates the OS with what it finds there. So, /usr/local/etc/openvpn is populated from /conf/base/etc/local/openvpn.
Nothing from /conf/base/whatever is run/read/written by the OS once it has finished booting. So all the configs in /conf/base/whatever are written as if they are in their final populated destination. YOU DO NOT WANT TO REFERENCE /conf/base/whatever AS THE PATH FOR ANYTHING.
Hope that helps.
Every time you help, I get closer to the end.
Now after making the changes in rc.conf (adding the openvpn lines)
and doing a reboot, it doesn’t seem to boot at all, and I’m not home to check yet.
And I’m not sure what I’ll have to do at home. Reinstall it or?
hello hello,
your help is great.
I figured out I forgot a " at the end of the last line, so that wasn’t good hehe.
Now I continue your guide and when doing /usr/local/etc/rc.d/openvpn status
it answers: openvpn is not running. I’ll try to find what the problem here could be, I’ll let you know.
/usr/local/etc/rc.d/openvpn start
then
tail /var/log/messages
Should give you a clue as to the problem.
Forgot to say…pretty sure you need to be root to start openvpn…so don’t forget to su to root.
Am I assuming correctly that I have to put all key files and the .conf file into the /conf/base/etc/local/openvpn directory but reference those files via the /usr/local/etc/openvpn (e.g. in the rc.conf etc.)?
Yes, reference the files in /etc/rc.conf to /usr/local/etc/openvpn
Even better is to keep your keys and config on your data disk and reference them there. If you do keep them in /conf/base/etc/local/openvpn, an upgrade to FreeNas will wipe them out. The only thing you HAVE to edit in /conf/base/etc/ is your rc.conf file.
I hope that helps.
Hi Joe,
tail helped me out. It told me server.crt doesn’t exist (yes I copied your server.conf)
so I had to replace server.crt and server.server.key with the ones I made.
ok this is the result:
# /usr/local/etc/rc.d/openvpn start
Starting openvpn.
route: writing to routing socket: File exists
add net 192.168.1.4: gateway 10.8.0.1: route already in table
add net 10.8.0.0: gateway 10.8.0.2
Let me know if this looks good. In the meantime I’ll google how this works on the client side.
Many thanks for this great guide and your even better help.
add:
I have an OpenVPN connection, but I don’t see the server and other machines from my home LAN in Windows Explorer. All I can do is ping the FreeNAS IP.
That is typical. You will need to connect via ip. Start > run > \\user_name:password@xxx.xxx.xxx.xxx\share_name
Dear Joe,
I finally got this up and running thanks to you.
Here are my latest tweaks.
I could only ping FreeNAS, not the jail nor any other machine in the home LAN.
This is what I found and what worked for me.
In rc.conf I added the line: gateway_enable="YES"
In the FreeNAS web GUI I added a Sysctl
variable: net.ipv4.ip_forward
value: 1
Now I can connect to any machine in the home LAN from remote via OpenVPN.
GREAT guide !
That’s great.. Can you share your server config with me…. I still can’t access my jail from the VPN at all… I have also tried using the setting you have mentioned above.
Thank you.
Read through the comments. Both my server config and client config are there.
Hello Joe,
Thanks for the response. I have used the same config given by you in the comments. To add to it as suggested by Dimitri in the comments I have added whatever he has asked for and I still cannot access my jail. I can connect to my NAS and access files, but I can’t access my jail 😦
To Subodh Chettri:
I’m not sure the sysctl variable is really needed.
What I would try is rebooting the system.
Server conf is probably the same as Joe’s (I got it from him after all):
# Sample OpenVPN 2.0 config file for
# multi-client server.
#replace x.x.x.x with freenas ip
local x.x.x.x
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/FreeNas.crt
key /usr/local/etc/openvpn/keys/FreeNas.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push "route x.x.x.x 255.255.255.0"
#replace x.x.x.x with freenas ip
route x.x.x.x 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
client:
# Sample client-side OpenVPN 2.0 config file #
client
dev tun
proto udp
#change remote to your static ip
#or domain name for your freenas server
remote x.x.x.x (www.xxx.xx) 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert "client".crt
key "client".key
ns-cert-type server
comp-lzo
verb 3
Hello Dimitri,
Thanks for the help. I shall test it and update you soon.
Regards.
When I attempt to source the vars, I get:
# cd /usr/local/etc/openvpn/easy-rsa/2.0 && . vars
: not found
: not found
: not found
: not found
: not found
/whichopensslcnf: not foundn/easy-rsa/2.0
: not found
: not found
/keys If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/2.0
: not found
: not found
: not found
: not found
: not found
Have you ever seen that? I’ve followed the directions perfectly, as best I can tell…
Yeah…the easy-rsa stuff isn’t part of the standard FreeNas install. Read my comment from April 8th…it’s a few up from here.
Hey Joe,
I want to do something simpler than this, and wonder if I could pick your brains about it. I have a VPN service, and I would like my FreeNAS to use it whenever it accesses the internet. As OpenVPN is included in FreeNAS 8.2 (which is what I am using) I was hoping to see a configuration option to use it in the regular FreeNAS GUI, but I can’t find it.
Given that I don’t want anything clever like secure remote access, but just want the box to access the VPN service I already have, is there an easier way to accomplish this?
What standard is your current VPN Service using?
It’s Private Internet Access. I think they use pretty much everything:
https://www.privateinternetaccess.com/pages/client-support/#other_guides
Looks like you just need to install their certificates, and then use their client config.
https://www.privateinternetaccess.com/openvpn/openvpn-ip.zip
They actually have pretty good documentation and I am sure their support would be of more help to you than I can be.
I’m sure I’m being incredibly stupid, but I’m not sure what you mean by ‘use their client config’. The certificates I get, no worries, but the guides they have written muddle me a bit as I’m not sure which one I should be following to achieve my intended result.
I’ll take another look and see if the penny drops.
This is from their US Midwest Config that is included in the zip file I referenced.
I would talk to their support and see if there is a way for you to use certificate authentication…that way you don’t have to enter your username and password each time you start OpenVPN on the FreeNas box. Otherwise, there might be some clever way to pass your username and password to OpenVPN as part of your rc.conf settings, but I don’t know what that is.
Alright, so I answered my own question. You can “script” the username and password.
So all you need is a file with your username and password on separate lines. Then point to that file on the auth-user-pass line of the config. So if you save the file at /mnt/Files/Secure-User/VPN-user_password , your config then looks like this. Also, make sure you use the full path to the ca.crt in the config to avoid it yelling at you about not being able to find it.
First of all, thank you for the help so far. It’s appreciated.
I have copied over the relevant local gateway .ovpn files to my /conf/base/etc/local/openvpn directory and tried to run the client using two different configurations.
The first was using the scripted approach you suggested. I linked out to a separate two line file with username and password, but OpenVPN didn’t like that and told me it wouldn’t accept a password from a file. I believe this is because the OpenVPN client that comes with FreeNAS was not configured to be able to do this.
Undaunted, I then tried to launch it locally using the following command:
openvpn /conf/base/etc/local/openvpn/"UK London.ovpn"
The box returned the following error:
Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
The exact contents of the config file are unchanged from what OpenVPN sent out. I have listed them here too, for clarity:
client
dev tun
proto udp
remote uk-london.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
The ca.crt file is also in the same /conf/base/etc/local/openvpn folder as the config file quoted above.
I’m closing in, but still no cigar!
Update to the above post:
I realise now what you meant about displaying the full path to the ca.crt file. I changed it to an absolute path to the file and it has now, I think, initialised. At least, it is saying
Initialization Sequence Completed
and the Shell is now hanging. I think, therefore, that it is working, but I can’t test it because my shell is not active so I can’t get a status report!
Therefore, my first query would be: if I just close the FreeNAS shell by hitting the X in the corner, will the process terminate? If the VPN is working (no clue how to verify this) then fudging things in this fashion would be OK as I would still have the VPN up and active, but it’s not ideal.
Thinking positively, can I run a cronjob or a script to run OpenVPN, enter my username and password, then return control of the shell session to me? Is there a simpler way to regain control that a beginner like myself would not be aware of?
Thinking negatively, how hard is it to rebuild OpenVPN to allow for entry of a username/password from a file, as this seems the most elegant solution, albeit the most difficult to accomplish.
Thanks again!
I think I managed to break the thread with my post above, so I’m bumping this in hope of getting some clarification from one who knows 🙂
Also, with the news that Easy RSA is in 9.1, does that simplify anything for me with my more modest client setup aspirations?
ok…so try this for your client config.
Create the file pass-auth.conf in the same location as your Openvpn client configuration, or add the absolute path before pass-auth.conf in your config file. Then, create the pass-auth.conf file. It should look like this:
Make sure the username and password are on separate lines.
Try that and let me know if it works for you.
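The credentials file and the absolute-path fix that this reply and the earlier post describe, as an added example script; it is not code from the original page or from the OpenVPN project. It assumes the client directory /conf/base/etc/local/openvpn and the file name pass-auth.conf used in this thread, and it assumes the openvpn binary accepts "auth-user-pass <file>": older 2.x builds compiled without --enable-password-save refuse to read a password from a file, which is the error the earlier post reported, and no config change gets around that.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenVPN project).
# Prepares an OpenVPN client on the FreeNAS host so it can start without a
# terminal: a 0600 credentials file, absolute paths in the config, --daemon.
# Assumptions: OVPN_DIR and the file names come from this thread; the openvpn
# binary accepts "auth-user-pass <file>" (older 2.x builds compiled without
# --enable-password-save refuse to read a password from a file).
set -eu

OVPN_DIR=${OVPN_DIR:-/conf/base/etc/local/openvpn}

# make_auth_file FILE USER PASS
# Write the two-line credentials file (username, then password) with mode 0600.
make_auth_file() {
    file=$1; user=$2; pass=$3
    # umask in a subshell: the file is created 0600, the caller's umask is untouched
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"               # also tighten a file that already existed
}

# check_auth_file FILE
# 0 if FILE is mode 0600 and holds exactly two non-empty lines, 1 otherwise.
check_auth_file() {
    file=$1
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    mode=$(ls -l "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] ||
        { echo "$file: mode is $mode, want -rw------- (0600)" >&2; return 1; }
    awk 'NF == 0 { bad = 1 } END { if (NR == 2 && !bad) exit 0; exit 1 }' "$file" ||
        { echo "$file: need exactly two non-empty lines (username, password)" >&2; return 1; }
}

# absolutize_config SRC DIR DST
# Copy SRC to DST, rewriting a relative "ca x.crt" to "ca DIR/x.crt" and a bare
# "auth-user-pass" to "auth-user-pass DIR/pass-auth.conf". OpenVPN resolves
# relative names against its current directory, which is why "ca ca.crt"
# fails when openvpn is started from somewhere other than DIR.
absolutize_config() {
    src=$1; dir=$2; dst=$3
    sed -e "s|^ca[[:space:]][[:space:]]*\([^/].*\)|ca $dir/\1|" \
        -e "s|^auth-user-pass[[:space:]]*\$|auth-user-pass $dir/pass-auth.conf|" \
        "$src" > "$dst"
}

# check_config CFG
# 0 if every file reference (ca, cert, key, tls-auth, auth-user-pass) is an
# absolute path; prints each offending line and returns 1 otherwise.
check_config() {
    awk '$1 ~ /^(ca|cert|key|tls-auth|auth-user-pass)$/ && $2 !~ /^\// {
             print FILENAME ": relative or missing path: " $0; bad = 1 }
         END { if (bad) exit 1; exit 0 }' "$1"
}

# start_client CFG
# Validate, then launch openvpn detached from the terminal. The shell gets
# control back immediately; output goes to the log file, not the console.
start_client() {
    cfg=$1
    check_config "$cfg"
    check_auth_file "$(awk '$1 == "auth-user-pass" { print $2 }' "$cfg")"
    openvpn --config "$cfg" --daemon \
        --writepid /var/run/openvpn-client.pid \
        --log-append /var/log/openvpn-client.log
}

# Example sequence for the config in the thread (file names are assumptions):
#   make_auth_file "$OVPN_DIR/pass-auth.conf" 'vpn-username' 'vpn-password'
#   absolutize_config "$OVPN_DIR/UK London.ovpn" "$OVPN_DIR" "$OVPN_DIR/uk-london.ovpn"
#   start_client "$OVPN_DIR/uk-london.ovpn"
```

The check functions only touch files, so they can be run from any shell; start_client is the line to put in a cron job or rc script. With --daemon the process detaches from the terminal and logs to a file, so the question of what happens to it when the FreeNAS shell window is closed does not arise, and the log can be read afterwards. An alternative to rewriting the paths is to leave the config as delivered and start openvpn with --cd pointing at the directory, which makes the relative names resolve.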
Also, I am having trouble getting back to you on whether your OpenVPN fix worked for me, as FreeNAS took this opportunity to become unstable. Given that the system fell over on me, I have been looking to get 9.1 installed, on the may-as-well principle. Oddly, it doesn’t want to boot up on my Kingston memory sticks, so I am fannying around to find another brand of USB that won’t be quite so temperamental.
Sorry for the delay, I will report back once I have this up and running. Or not.
I have it on pretty good authority that easy-RSA will not be included with any version of FreeNas. Where did you see that it will be included?
http://doc.freenas.org/index.php/What's_New_in_9.1.0
It’s the bottom bullet point.
So much for good authority. That will make it easier for people to implement server configurations in the future. For you setting up OpenVPN as a client, it will not have any impact.
I had this running perfectly on FreeNAS 8.2. When setting up on 9.1 fresh install, it seems to randomly not tunnel through the VPN. I’ll start it, status will say running, traceroute will show VPN tunnel. I’ll try a few hours / days later, status will still say running, same traceroute not going through VPN — any idea where to start?
Can you ping the 10.8.x.x address for the VPN Server? I have no ideas off the top of my head…so just asking questions.
Yes, when it’s running I can ping 10.x.x.x fine. It just seems as if certain behaviour will cause the tunnel to die, while openvpn status will still say “running.” — I can see with netstat -nr that the tunnel is gone. Do you have this running fine on 9.1? That’s the only thing I’ve changed. I’m playing with it now — right after starting openvpn the tunnel is there, mess around with a few traceroutes and pings, check netstat / traceroute and it’s gone, while still saying it’s “running”.
Thanks for your help.
Did you keep the openvpn files from 8.2?
As Joe told me, I kept those and just re-pasted them into the same subdirectory in FreeNAS 9.1.1,
and re-added the few lines in rc.conf.
For me, done that way, everything keeps working as it did.
No I didn’t — I did pkg_add openvpn on the new install, so maybe that’s where it went wrong — will try starting over, thanks.
Are you running the VPN in a jail? It should already be installed as part of the base install in the host OS…so no need for pkg_add.
No, on the main system — what happened is I had actually upgraded from 8.1, not 8.2, which doesn’t have openvpn built in, so I installed it myself. I was used to this and did the same on 9.1 — perhaps there is some issue / conflict now that I have multiple openvpns going (or overwritten by pkg_add) — I will start over and see if it fixes it. thanks.
So I think what’s happening is that openvpn is running fine, but the route is somehow disappearing. If I start openvpn, do nothing, and stop it one minute later, everything looks fine in the log (routes added and deleted normally). But if I start and then do some random internet activity, the route will disappear after a few minutes, and when I stop it I get these errors in the log
ERROR: FreeBSD route delete command failed: external program exited with error status: 1
which is occurring, I believe, because the route that openvpn created when it started is no longer there.
So something is causing my route to disappear, which is why openvpn stops working while still running. Anyone have any idea how to troubleshoot this?
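A way to catch the symptom this post and the earlier one describe (openvpn still reporting “running” while netstat -rn shows the tunnel routes gone), as an added example script that is not part of the original thread. The routing-table parsing works on text so it can be tested offline against a constructed table; the live check feeds it the real netstat -rn output, and on failure saves that table with a timestamp so the moment the routes vanished can be matched against whatever activity preceded it. Assumed names: the tun0 interface and the 10.8.0.1 gateway from this thread, a redirect-gateway client (0.0.0.0/1 and 128.0.0.0/1 via tun0), the log path, and service openvpn restart as the restart command (FreeBSD’s service(8); the rc script name on FreeNAS is an assumption).

```shell
#!/bin/sh
# Added example (not from the original post). Detects the failure described in
# the thread: the openvpn process still reports "running" but the routes it
# added are gone, so traffic silently leaves through the normal gateway.
# The parsing works on routing-table text so it can be tested offline; the
# live check feeds it the real "netstat -rn" output.
# Assumptions: interface tun0 and VPN gateway 10.8.0.1 (from the thread), a
# redirect-gateway client (0.0.0.0/1 and 128.0.0.0/1 via tun0), the log path
# below, and "service openvpn restart" as the restart command.
set -eu

VPN_CHECK_LOG=${VPN_CHECK_LOG:-/var/log/vpn-check.log}

# routes_via IFC
# Read "netstat -rn" output on stdin; print the destination of every route whose
# interface is IFC. Every column is compared, so FreeBSD's Netif column and
# Linux's trailing Iface column both work; header lines never match.
routes_via() {
    awk -v ifc="$1" '{ for (i = 2; i <= NF; i++) if ($i == ifc) { print $1; break } }'
}

# tunnel_has_routes IFC TABLE   -> 0 if at least one route goes via IFC
tunnel_has_routes() {
    n=$(printf '%s\n' "$2" | routes_via "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# tunnel_is_default IFC TABLE   -> 0 if both redirect-gateway halves go via IFC,
# i.e. all non-local traffic takes the VPN rather than the ISP gateway.
tunnel_is_default() {
    dests=$(printf '%s\n' "$2" | routes_via "$1")
    printf '%s\n' "$dests" | grep -qxF '0.0.0.0/1' &&
        printf '%s\n' "$dests" | grep -qxF '128.0.0.0/1'
}

# check_live IFC GW
# Run the real checks. 0 = healthy; 1 = tunnel dead, with the routing table
# appended to the log so the failure can be correlated with activity.
check_live() {
    ifc=$1; gw=$2
    table=$(netstat -rn)
    if ! ifconfig "$ifc" >/dev/null 2>&1; then
        reason="interface $ifc is gone"
    elif ! tunnel_has_routes "$ifc" "$table"; then
        reason="no routes via $ifc although openvpn may still be running"
    elif ! ping -c 1 "$gw" >/dev/null 2>&1; then
        reason="VPN gateway $gw does not answer"
    else
        tunnel_is_default "$ifc" "$table" ||
            echo "warning: $ifc is up but default traffic is not routed through it" >&2
        echo "$ifc: tunnel healthy"
        return 0
    fi
    { echo "$(date) FAIL: $reason"; printf '%s\n' "$table"; } >> "$VPN_CHECK_LOG"
    echo "FAIL: $reason" >&2
    return 1
}

# Cron usage, e.g.   */5 * * * * /root/vpn-check.sh --live tun0 10.8.0.1
# (restart path and interval are assumptions; adjust to your setup)
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-tun0}" "${3:-10.8.0.1}" || service openvpn restart
fi
```

Running it from cron gives two things the “running” status does not: an honest up/down answer based on the routes and a ping through the tunnel, and a saved copy of the routing table at the first failure. Comparing that saved table and the tail of the openvpn log against what was happening on the box at the time (the “random internet activity” mentioned above) is the starting point for finding what is deleting the route.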