OpenVPN on FreeNAS 8.2

This article is no longer current, please go here for an updated writeup on OpenVPN on FreeNas

So I’ve been playing around with FreeNAS 8.2.  Decided it would be handy to have OpenVPN running on the fileserver so my wife and I can get to our files if we are away from home.  There are a couple of tricks that I discovered along the way to get this to work right.

***Make sure to read the comments as there are sample configs and a bunch of other useful stuff down there!!!***

If you find this super useful, I wouldn’t turn down paypal donations.

First the easy stuff.  We don’t have a static public IP, so I needed to set up a DynDNS account.  Once I did that, I configured the Dynamic DNS service on the FreeNAS box with my DynDNS account info.  Then started the service.

Next I needed to forward port 1194 on my gateway to the FreeNAS box.  So now I have a domain name to use and a port that forwards to my file server.

FreeNAS 8.2 has OpenVPN built in.  The config files that we need to be concerned with are:

/conf/base/etc/rc.conf
/conf/base/etc/local/openvpn

The thing about /conf/base/etc/local/etc/openvpn is that you need to create it.  Inorder to do that, you need to make the filesystem writeable.

mount -uw /
mkdir /conf/base/etc/local/openvpn

There is a really good tutorial on setting up OpenVPN here.  It goes through all the steps of generating your certificates, setting up your config files and the like. But pay no attention to the Adding routes to the OpenVPN server over at http://www.unix-heaven.org/node/47. The push route and route entries you enter below will handle that.

When you get to the point of configuring the /conf/base/etc/local/etc/openvpn/openvpn.conf file you’ll need to make a bit of a tweak from the norm to get things to work.  Here’s an excerpt of what was needed. You can find my full server and client configs in the comments below.

# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
push "route 192.168.0.0 255.255.255.0"
route 192.168.0.100 255.255.255.0 10.8.0.1

The “special” part is the route line. route (freeNAS-IP) subnet-mask 10.8.0.1
You’ll have to change the push “route” to match your network ip ranges too.

If you don’t make that entry, you’ll get an error like this in your server log:

OpenVPN ROUTE: OpenVPN needs a gateway parameter for a –route option and no default was specified by either –route-gateway or –ifconfig options
OpenVPN ROUTE: failed to parse/resolve route for host/network

Now add this to the end of /conf/base/etc/rc.conf

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

If you make your config changes directly to /etc/rc.conf or /usr/local/etc/openvpn they will get blown away on restarts. So, now you should be able to restart your FreeNAS box. Then:

/usr/local/etc/rc.d/openvpn status

to see if OpenVPN is running.

I think that’s pretty much it. Let me know if you have any questions.

Advertisements

97 thoughts on “OpenVPN on FreeNAS 8.2

      • Only the names have been changed to protect the innocent…also deleted all the extra comments.

        CLIENT CONFIG

        # Sample client-side OpenVPN 2.0 config file #
        client
        dev tun
        proto udp
        #change remote to your static ip
        #or domain name for your freenas server
        remote something.dyndns.org 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca /Path/to/Some-ca.crt
        cert /Path/to/laptop.crt
        key /Path/to/laptop.key
        ns-cert-type server
        comp-lzo
        verb 3

        SERVER CONFIG

        # Sample OpenVPN 2.0 config file for
        # multi-client server.

        #replace x.x.x.x with freenas ip
        local x.x.x.x
        port 1194
        proto udp
        dev tun
        ca /usr/local/etc/openvpn/keys/ca.crt
        cert /usr/local/etc/openvpn/keys/server.crt
        key /usr/local/etc/openvpn/keys/server.key
        dh /usr/local/etc/openvpn/keys/dh1024.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        #change x.x.x.x to match your network ip range
        #ie 192.168.0.0 or 10.0.0.0
        push "route x.x.x.x 255.255.255.0"
        #replace x.x.x.x with freenas ip
        route x.x.x.x 255.255.255.0 10.8.0.1
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        verb 3

        Hope that helps. Those are my actual configs, so if they don’t work for you after changing the ip’s to match your setup, you have other problems.

      • specifically, I’m running into difficulty producing the certificates.

        when I execute:
        [root@nas /usr/local/etc/openvpn/easy-rsa/2.0]# ./build-ca

        I get:
        Please edit the vars script to reflect your configuration,
        then source it with “source ./vars”.
        Next, to start with a fresh PKI configuration and to delete any
        previous certificates and keys, run “./clean-all”.
        Finally, you can run this tool (pkitool) to build certificates/keys.

        I have not a clue where or what the vars script is, any help here?

        also, possibly noteworthy, I was previously running on a version 8 build, and upgraded to 8.2

      • still the same problem…

        [root@nas ~]# /bin/sh
        # cd /usr/local/etc/openvpn/easy-rsa/2.0 && . vars
        NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn
        /easy-rsa/2.0/keys
        # ./build-ca
        Please edit the vars script to reflect your configuration,
        then source it with “source ./vars”.
        Next, to start with a fresh PKI configuration and to delete any
        previous certificates and keys, run “./clean-all”.
        Finally, you can run this tool (pkitool) to build certificates/keys.
        #

      • That’s weird. So here’s what is in my vars file. What does yours look like?

        # easy-rsa parameter settings

        # NOTE: If you installed from an RPM,
        # don't edit this file in place in
        # /usr/share/openvpn/easy-rsa --
        # instead, you should copy the whole
        # easy-rsa directory to another location
        # (such as /etc/openvpn) so that your
        # edits will not be wiped out by a future
        # OpenVPN package upgrade.

        # This variable should point to
        # the top level of the easy-rsa
        # tree.
        export EASY_RSA="`pwd`"

        #
        # This variable should point to
        # the requested executables
        #
        export OPENSSL="openssl"
        export PKCS11TOOL="pkcs11-tool"
        export GREP="grep"

        # This variable should point to
        # the openssl.cnf file included
        # with easy-rsa.
        export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

        # Edit this variable to point to
        # your soon-to-be-created key
        # directory.
        #
        # WARNING: clean-all will do
        # a rm -rf on this directory
        # so make sure you define
        # it correctly!
        export KEY_DIR="$EASY_RSA/keys"

        # Issue rm -rf warning
        echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

        # PKCS11 fixes
        export PKCS11_MODULE_PATH="dummy"
        export PKCS11_PIN="dummy"

        # Increase this to 2048 if you
        # are paranoid. This will slow
        # down TLS negotiation performance
        # as well as the one-time DH parms
        # generation process.
        export KEY_SIZE=1024

        # In how many days should the root CA key expire?
        export CA_EXPIRE=3650

        # In how many days should certificates expire?
        export KEY_EXPIRE=3650

        # These are the default values for fields
        # which will be placed in the certificate.
        # Don't leave any of these fields blank.
        export KEY_COUNTRY="US"
        export KEY_PROVINCE="CA"
        export KEY_CITY="SanFrancisco"
        export KEY_ORG="Fort-Funston"
        export KEY_EMAIL="me@myhost.mydomain"

      • # easy-rsa parameter settings

        # NOTE: If you installed from an RPM,
        # don’t edit this file in place in
        # /usr/share/openvpn/easy-rsa —
        # instead, you should copy the whole
        # easy-rsa directory to another location
        # (such as /etc/openvpn) so that your
        # edits will not be wiped out by a future
        # OpenVPN package upgrade.

        # This variable should point to
        # the top level of the easy-rsa
        # tree.
        export EASY_RSA=”`pwd`”

        #
        # This variable should point to
        # the requested executables
        #
        export OPENSSL=”openssl”
        export PKCS11TOOL=”pkcs11-tool”
        export GREP=”grep”

  1. Arrg…missed a very important line in the Client Config above. Forgot to have the remote line, which is the ip/domain name for your openvpn server and the port. I aded the line above…so take another look if you’ve already looked at it.

      • ok…so this i a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

        Download that, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.

        Hope that helps.

  2. Hi, awesome guide, glad somebody posted one for freenas8.2 (:

    however, there’s some things i’m wondering about.
    first is about the ‘push’ and ‘route’ in server.conf – i’m kind of a newb on this, i’m not exactly sure what i should put in there..

    some info about my network:
    freenasip: xxx.xxx.8.201
    gateway: xxx.xxx.8.193
    netmask: 255.255.255.224 (/27)

    secondly, if i reboot, everything goes away from the /usr/local/etc/openvpn/ – how do i prevent that? i had to redo every step with the config because i rebooted :3

    thirdly, when i try to connect using tunnelblick, it get’s stuck at authorization (even when i told it that i dont have anything to auth with), what do i put in as username/password?

    cheers and thanks for a awesomly guide! (:
    -Andreas

    • Hi Andreas-
      Thanks for the compliment.

      First, you’ve given what looks like external IP info. The push and route portions should be the internal side of your network…assuming you are running NAT. If you are not running NAT, not sure how you’d set that up. So if your internal network is a 192.168.0.0/24 network and your FreeNAS box has an IP of 192.168.0.2 then you would want the following.

      push “route 192.168.0.0 255.255.255.0”
      route 192.168.0.2 255.255.255.0 10.8.0.1

      Secondly, you need to modify the following config files
      /conf/base/etc/rc.conf
      /conf/base/etc/local/openvpn
      The thing about /conf/base/etc/local/etc/openvpn is that you need to create it. Inorder to do that, you need to make the filesystem writeable.

      mount -uw /
      mkdir /conf/base/etc/local/openvpn

      Thirdly, if the push and route info isn’t right, you won’t be able to connect. Connecting from inside the network can be tricky…haven’t figured that one out yet…but then why would you need to 🙂

      Let me know if you are still running into issues.

      • Hi again,
        the FreeNAS box has a static ip, which i can access both externally and internally, there’s no router in-between, if i want to use my computer on that network, i need a router which gives me an ip in the same ip-pool, so i guess that means that there is no NAT.

        i’m not actually connecting from the “inside” of the network, that would be silly (: so i guess that i’m stuck at authorization due to that route and push are incorrect?

        about the files going away on reboot, the rc.conf and the folder openVPN is intact, however the content of the openVPN directory is empty upon reboot.

        Thank You,
        -Andreas

      • So you really do need to make your config changes to
        /conf/base/etc/rc.conf
        and
        /conf/base/etc/local/openvpn

        Then when you reboot, your config changes will be intact.

  3. Great ‘howto’ Joe – thanks for the effort. I tried to get openvpn to work using windows as a server, but had problems and I eventually gave up (I suspect the issues we related to routes / bridging etc – way beyond me!)

    Freenas doesn’t seem to include the sample conf’s and easy-rsa, but I got them from pkg_add -r openvpn.

    After sorting all sorts of configuration errors that were obvious in /var/log/messages, I have the following error which I do not know how to address.

    Feb 24 11:34:11 freenas openvpn[1901]: ROUTE default_gateway=192.168.150.10
    Feb 24 11:34:11 freenas openvpn[1901]: TUN/TAP device /dev/tun0 opened
    Feb 24 11:34:11 freenas kernel: tun0: link state changed to UP
    Feb 24 11:34:11 freenas openvpn[1901]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
    Feb 24 11:34:11 freenas openvpn[1901]: WARNING: potential route subnet conflict between local LAN [192.168.150.0/255.255.255.0] and remote VPN [192.168.150.0/255.255.255.0]
    Feb 24 11:34:11 freenas openvpn[1901]: /sbin/route add -net 192.168.150.23 10.8.0.1 255.255.255.0
    Feb 24 11:34:11 freenas openvpn[1901]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Feb 24 11:34:11 freenas openvpn[1901]: /sbin/route add -net 10.8.0.0 10.8.0.2 255.255.255.0
    Feb 24 11:34:11 freenas openvpn[1901]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Feb 24 11:34:11 freenas openvpn[1927]: UDPv4 link local (bound): 192.168.150.23:1194
    Feb 24 11:34:11 freenas openvpn[1927]: UDPv4 link remote: [undef]
    Feb 24 11:34:11 freenas openvpn[1927]: MULTI: multi_init called, r=256 v=256
    Feb 24 11:34:11 freenas openvpn[1927]: IFCONFIG POOL: base=10.8.0.4 size=62
    Feb 24 11:34:11 freenas openvpn[1927]: IFCONFIG POOL LIST
    Feb 24 11:34:11 freenas openvpn[1927]: Initialization Sequence Completed
    Feb 24 11:34:11 freenas openvpn[1927]: IPv6 in tun mode is not supported in OpenVPN 2.2

    Any idea why the route add command fails and the warning exists?

    My server.conf is essentially the same as yours

      • I’d echo everyone’s comments about how great this tutorial is, thanks! When I tried this, I ran into the same situation Ralph did (with the missing samples/easy-rsa), but when I ran pkg_add I got this:

        Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/openvpn.tbz: No address record
        pkg_add: unable to fetch ‘ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.3-release/Latest/openvpn.tbz’ by URL

        Has this address been changed? If so, do you happen to have the updated address and know where to make the change?

        Thanks,
        Jeff

      • Hi Jeff-
        I don’t have an answer for that…but this will work if you want to go this route. The following will get you the easy-rsa goodness.

        ok…so this i a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

        Download that by right-clicking and save as, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.

        Hope that helps.

  4. Thanks for the confirmation Joe.

    I did use a client to connect (whilst on my 192.x.x.x net), and that seemed to work, but with the client getting a 10.x.x.x address. The client then lost connection to the local 192.x.x.x network. I’ve never had this problem before when connecting to a VPN, but then I usual go out through my gateway to the internet and onto the OpenVPN server. So I’ll try again from the ‘outside world’ once I set up port forwarding on the router.

    I’ve lost count of the number of times I’ve been away on business and left some files on my server – at least with OpenVPN up and running, I won’t need to worry about that any more (just the poor upload bandwidth!)

  5. First of all, thx for your great post. I followed all the steps and seems to work ok, but i have a silly network problem for sure. The openvpn is up and running, my windows openvpn client is up and running and connects without problems, the static routes are pushed too, but i can only ping to freenas box. This is my network summary:

    Freenas
    em0 192.168.0.200/24
    tun0 10.8.0.1/10.8.0.2
    Gateway 192.168.0.1

    Windows Client:
    Net:192.168.69.x/24
    Gateway 192.168.69.25
    TAP: 10.8.0.6
    Wed Apr 03 10:10:03 2013 TEST ROUTES: 2/2 succeeded len=2 ret=1 a=0 u/d=up
    Wed Apr 03 10:10:03 2013 C:\WINDOWS\system32\route.exe ADD 192.168.0.0 MASK 255.255.255.0 10.8.0.5
    Wed Apr 03 10:10:03 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Wed Apr 03 10:10:03 2013 Route addition via IPAPI succeeded [adaptive]
    Wed Apr 03 10:10:03 2013 C:\WINDOWS\system32\route.exe ADD 10.8.0.1 MASK 255.255.255.255 10.8.0.5
    Wed Apr 03 10:10:03 2013 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
    Wed Apr 03 10:10:03 2013 Route addition via IPAPI succeeded [adaptive]
    Wed Apr 03 10:10:03 2013 Initialization Sequence Completed

    The config files for server and client are the same as yours.

    Any idea?

  6. Hello,

    I’m have no experience with openvpn at all, even freenas is quite new to me, but that part is working for me.
    now i would be really interested in openvpn for file access remotely.

    http://www.unix-heaven.org/node/46

    but when i do # cp /usr/local/share/doc/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn i get cp: /usr/local/share/doc/openvpn/sample-config-files/server.conf: No such file or directory

    Does that mean openvpn doesn’t come with freenas 8.3.1 anymore, or did i need to install or download something first?

    step by step help would be much appreciated.

    Shino

    • ok…so this i a hack, but here is a link to the standard stuff from /usr/local/share/doc/openvpn/

      Download that by right-clicking and save as, change the extension to .tar, then uncompress it. Copy it to your FreeNas box however you want. I just copied it to a share on the FreeNas box then moved it from there.

      Hope that helps.

      • Thanks that did the trick.

        at a certain point before i could do # ./build-ca i had to # ./clean-all

        then successfully did # ./build-key-server openvpn.example.org
        and # ./build-dh then
        # mkdir /usr/local/etc/openvpn/keys
        # cp /usr/local/etc/openvpn/easy-rsa/2.0/keys/* /usr/local/etc/openvpn/keys
        followed by ./clean-all

        now aftr doing # ./build-key client.example.org i get
        pkitool: Need a readable ca.crt and ca.key in /usr/local/etc/openvpn/easy-rsa/2.0/keys
        Try pkitool –initca to build a root certificate/key.

        i browsed to the location, and the ca.crt and ca.key are in there.

        Any idea what’s going on?

        Your help is greatly appreciated 😀

      • Is most likely a permissions issue if the files are there. Permissions should be:

        -rw-r–r– 1 root wheel 1354 Mar 25 08:01 ca.crt
        -rw——- 1 root wheel 887 Mar 25 08:01 ca.key
        -rw-r–r– 1 root wheel 245 Mar 25 08:01 dh1024.pem

        ls -la /conf/base/etc/local/openvpn/keys to see what your perms are.

        To get -rw-r–r– perms.
        chmod 644 file_name

        To get -rw——- perms.
        chmod 600 file_name

        Also check the user and group. Should be root for user and wheel for group.

        To fix user and group.
        chown root:wheel file_name

        Hope that helps.

  7. Hello again,

    the permission are correct and the user is root and group wheel.
    Still i get the same problem. i have no idea what could the problem

    • I believe you can work in either spot. Just have to make sure /conf/base/etc/local/openvpn is there or a reboot will wipe out /usr/local/etc/openvpn.

      I think the issue is you did a ./clean-all after making your crt and key. Start over and don’t do the clean-all after making your server crt and key. Grasping at straws here. Might be in need of a good google search.

      • so yes, it was because the ./clean-all (seems this is to be done after you have all the keys for all the clients)
        But now i’m confused, as i started over doing all in /conf/base/etc/local/openvpn
        I’m at the configuring server.conf now
        do i need to tell it the keys are in /conf/base/etc/local/openvpn/keys or /usr/local/etc/openvpn/keys ??

        i’m sorry to ask you so much, i never did those before, and I am really heppy you are willing to help

        even after googling a lot i seem to always end up here on your post.

    • You can name the config file whatever you want…just need to have /conf/base/etc/rc.conf reflect the name you used.

      From /conf/base/etc/rc.conf:
      openvpn_configfile=”/usr/local/etc/openvpn/openvpn.conf”

      So to explain the difference between /conf/base/etc/local and /usr/local/etc is pretty simple. /conf/base/whatever is the fixed snapshot of the system. On boot, FreeNas looks at /conf/base and populates the OS with what it finds there. So, /usr/local/etc/openvpn is popluated from /conf/base/etc/local/openvpn

      Nothing from /conf/base/whatever is run/read/written by the OS once it has finished booting. So all the configs in /conf/base/whatever are written as if they are in their final populated destination. YOU DO NOT WANT TO REFERENCE /conf/base/whatever AS THE PATH FOR ANYTHING.

      Hope that helps.

      • everytime you help, i get closer to the end.

        now after making the changes in rc.conf (adding the openvpn lines)
        doing reboot. It doesn’t seem to boot at all. and i’m not home to check yet.
        and not sure what i’ll have to do at home. reinstall it or?

      • hello hello,
        your help is great.
        i figured out i forgot a ” at the end of the last line, so that wasn’t good hehe
        now i continue your guide and when doing /usr/local/etc/rc.d/openvpn status
        it answers : openvpn is not running, i’ll try to find what the problem here could be, i’ll let you know

      • Am I assuming correctly that I have to put all key files and the .conf file into the /conf/base/etc/local/openvpn directory but reference those files via the /usr/local/etc/openvpn (e.g. in the rc.conf etc.)?

      • Yes, reference the files in /etc/rc.conf to /usr/local/etc/openvpn

        Even better is to keep your keys and config on your data disk and reference them there. If you do keep them in /conf/base/etc/local/openvpn, an upgrade to FreeNas will wipe them out. The only thing you HAVE to edit in /conf/base/etc/ is your rc.conf file.

        I hope that helps.

  8. Hi Joe,
    tail helped me out. it told me server.crt doesn’t exist (yes i copied your server.conf)
    so i had to replace server.crt and server.server.key with the ones i made.

    ok this is the result:
    # /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    route: writing to routing socket: File exists
    add net 192.168.1.4: gateway 10.8.0.1: route already in table
    add net 10.8.0.0: gateway10.8.0.2

    Let me know if this looks good. in the meantime i’ll google on how this works on the clients side.
    Many thanks for this great guide and your even better help.

  9. add:

    i have an openvpn connection, but i don’t see the server and other machines from my home lan in windows explorer. all i can do is ping the FreeNAS ip.

  10. Dear Joe,

    I finally got this up and running thanks to you.
    Here are my latest tweaks.

    i could only ping freenas, not the jail nor any other machine in the home lan.

    This is what i found and worked for me.

    in rc.conf i added the line: gateway_enable=”YES”
    in freenas webgui i added a Sysctl
    variable: net.ipv4.ip_forward
    value : 1

    now i can connect to any machine in the home lan from remote via openvpn

    GREAT guide !

      • Hello Joe,

        Thanks for the response. I have used the same config given by you in the comments. To add to it as suggested by Dimitri in the comments I have added whatever he has asked for and I still cannot access my jail. I can connect to my NAS and access files, but I can’t access my jail 😦

      • to subodh chettri
        i’m not sure the sysctl variable is really needed.
        What i would try is reboot the system.

        server conf is probably same as Joe (i got it from him after all:
        # Sample OpenVPN 2.0 config file for
        # multi-client server.

        #replace x.x.x.x with freenas ip
        local x.x.x.x
        port 1194
        proto udp
        dev tun
        ca /usr/local/etc/openvpn/keys/ca.crt
        cert /usr/local/etc/openvpn/keys/FreeNas.crt
        key /usr/local/etc/openvpn/keys/FreeNas.key
        dh /usr/local/etc/openvpn/keys/dh1024.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        #change x.x.x.x to match your network ip range
        #ie 192.168.0.0 or 10.0.0.0
        push “route x.x.x.x 255.255.255.0”
        #replace x.x.x.x with freenas ip
        route x.x.x.x 255.255.255.0 10.8.0.1
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        verb 3

        client:
        # Sample client-side OpenVPN 2.0 config file #
        client
        dev tun
        proto udp
        #change remote to your static ip
        #or domain name for your freenas server
        remote x.x.x.x (www.xxx.xx) 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        cert “client”.crt
        key “client”.key
        ns-cert-type server
        comp-lzo
        verb 3

  11. When I attempt to source the vars, I get:

    # cd /usr/local/etc/openvpn/easy-rsa/2.0 && . vars
    : not found
    : not found
    : not found
    : not found
    : not found
    /whichopensslcnf: not foundn/easy-rsa/2.0
    : not found
    : not found
    /keys If you run ./clean-all, I will be doing a rm -rf on /usr/local/etc/openvpn/easy-rsa/2.0
    : not found
    : not found
    : not found
    : not found
    : not found

    Have you ever seen that? I’ve followed the directions perfectly, as best I can tell…

  12. Pingback: 5bays raid5 NAS recommendation - www.hardwarezone.com.sg

  13. Hey Joe,

    I want to do something simpler than this, and wonder if I could pick your brains about it. I have a VPN service, and I would like my FreeNAS to use it whenever it accesses the internet. As OpenVPN is included in FreeNAS 8.2 (which is what I am using) I was hoping to see a configuration option to use it in the regular FreeNAS GUI, but I can’t find it.

    Given that I don’t want anything clever like secure remote access, but just want the box to access the VPN service I already have, is there an easier way to accomplish this?

      • I’m sure I’m being incredibly stupid, but I’m not sure what you mean by ‘use their client config’. The certificates I get, no worries, but the guides they have written muddle me a bit as I’m not sure which one I should be following to achieve my intended result.

        I’ll take another look and see if the penny drops.

      • This is from their US Midwest Config that is included in the zip file I referenced.

        client
        dev tun
        proto udp
        remote 208.53.158.60 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        tls-client
        remote-cert-tls server
        auth-user-pass
        comp-lzo
        verb 1
        reneg-sec 0

        I would talk to their support and see if there is a way for you to use certificate authentication…that way you don’t have to enter your username and password each time you start OpenVPN on the FreeNas box. Otherwise, there might be some clever way to pass your username and password to OpenVPN as part of your rc.conf settings, but I don’t know what that is.

      • Alright, so I answered my own question. You can “script” the username and password.

        –auth-user-pass [up]
        Authenticate with server using username/password. up is a file containing username/password on 2 lines (Note: OpenVPN will only read passwords from a file if it has been built with the –enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h).

        If up is omitted, username/password will be prompted from the console.

        The server configuration must specify an –auth-user-pass-verify script to verify the username/password provided by the client.

        So all you need is a file with your username and password on separate lines. Then point to that file on the auth-user-pass line of the config. So if you save the file at /mnt/Files/Secure-User/VPN-user_password , your config then looks like this. Also, make sure you use the full path to the ca.crt in the config to avoid it yelling at you about not being able to find it.

        client
        dev tun
        proto udp
        remote 208.53.158.60 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        tls-client
        remote-cert-tls server
        auth-user-pass /mnt/Files/Secure-User/VPN-user_password
        comp-lzo
        verb 1
        reneg-sec 0

      • First of all, thank you for the help so far. It’s appreciated.

        I have copied over the relevant local gateway .ovpn files to my /conf/base/etc/local/openvpn directory and tried to run the client using two different configurations.

        The first was using the scripted approach you suggested. I linked out to a separate two line file with username and password, but OpenVPN didn’t like that and told me it wouldn’t accept a password from a file. I believe this is because the OpenVPN client that comes with FreeNAS was not configured to be able to do this.

        Undaunted, I then tried to launch it locally using the following command:

        openvpn /conf/base/etc/local/openvpn/”UK London.ovpn”

        The box returned the following error:

        Cannot load CA certificate file ca.crt path (null) (SSL
        _CTX_load_verify_locations): error:02001002:system library:fopen:No such file or
        directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B08400
        2:x509 certificate routines:X509_load_cert_crl_file:system lib

        The exact contents of the config file are unchanged from what OpenVPN sent out. I have listed them here too, for clarity:

        client
        dev tun
        proto udp
        remote uk-london.privateinternetaccess.com 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        tls-client
        remote-cert-tls server
        auth-user-pass
        comp-lzo
        verb 1
        reneg-sec 0

        The ca.crt file is also in the same /conf/base/etc/local/openvpn folder as the config file quoted above.

        I’m closing in, but still no cigar!

  14. Update to the above post:

    I realise now what you meant about displaying the full path to the ca.crt file. I changed it to an absolute path to the file and it has now, I think, initialised. At least, it is saying

    Initialization Sequence Completed

    and the Shell is now hanging. I think, therefore, that is is working, but I can’t test it because my shell is not active so I can’t get a status report!

    Therefore, my first query would be: if I just close the FreeNAS shell by hitting the X in the corner, will the process terminate? If the VPN is working (no clue how to verify this) then fudging things in this fashion would be OK as I would still have the VPN up and active, but it’s not ideal.

    Thinking positively, can I run a cronjob or a script to run OpenVPN, enter my username and password, then return control of the shell session to me? If there a simpler way to regain control that a beginner like myself would not be aware of?

    Thinking negatively, how hard is it to rebuild OpenVPN to allow for entry of a username/password from a file, as this seems the most elegant solution, albeit the most difficult to accomplish.

    Thanks again!

    • I think I managed to break the thread with my post above, so I’m bumping this in hope of getting some clarification from one who knows 🙂

      Also, with the news that Easy RSA is in 9.1, does that simplify anything for me with my more modest client setup aspirations?

      • ok…so try this for your client config.

        client
        dev tun
        proto udp
        remote uk-london.privateinternetaccess.com 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca ca.crt
        tls-client
        remote-cert-tls server
        auth-user-pass pass-auth.conf
        comp-lzo
        verb 1
        reneg-sec 0

        Create the file pass-auth.conf in the same location as your Openvpn client configuration, or add the absolute path before pass-auth.conf in your config file. Then, create the pass-auth.conf file. It should look like this:

        UserName
        Password

        Make sure the username and password are on separate lines.

        Try that and let me know if it works for you.

      • Also, I am having trouble getting back to you on whether your OpenVPN fix worked for me, as FreeNAS took this opportunity to become unstable. Given that the system fell over on me, I have been looking to get 9.1 installed, on the may-as-well principle. Oddly, it doesn’t want to boot up on my Kingston memory sticks, so I am fannying around to find another brand of USB that won’t be quite so tempramental.

        Sorry for the delay, I will report back once I have this up and running. Or not.

      • So much for good authority. That will make it easier for people to implement server configurations in the future. For you setting up OpenVpn as a client, it will not have any impact.

  15. I had this running perfect on freenas 8.2. When setting up on 9.1 fresh install, it seems to randomly not tunnel through the VPN. I’ll start it, status will say running, traceroute will show VPN tunnel. I’ll try a few hours / days later, status will still say running, same traceroute not going through VPN — any idea where to start?

      • Yes when it’s running i can ping 10.x.x.x fine. It just seems as if certain behaviour will cause the tunnel to die, while openvpn status will still say “running.” — I can see with netstat -nr that the tunnel is gone. Do you have this running fine on 9.1? That’s the only thing I’ve changed. I’m playing with it now — right after starting openvpn tunnel is there, mess around with a few tracroutes and pings, check netstat / traceroute and it’s gone, while still saying it’s “running”
        thank for you help.

    • Did you keep the openvpn files from 8.2?
      As Joe told me, i kept those, and just repasted them in the same subdirectory in freenas 9.1.1.
      and readd the few lines in rc.conf

      For me like this all keeps working as it was.

  16. No on the main system — what happened is I has actually upgraded from 8.1 not 8.2, which doesn’t have openvpn built in, so I installed it myself. I was used to this and did the same on 9.1 — perhaps there is some issue / conflict now that I have multiple openvpns going (or overwritten by pkg_add) — I will start over and see if it fixes it. thanks.

  17. So I think what’s happening is that openvpn is running fine, but the route is somehow disappearing. If I start openvpn, do nothing, and stop it one minute later, everything looks fine in the log (routes added and deleted normally). But if I start and then do some random internet activity, the route will disappear after a few minutes, and when I stop it I get these errors in the log

    ERROR: FreeBSD route delete command failed: external program exited with error status: 1

    which is occurring, I believe, because the route that openvpn created when it started is no longer there.

    So something is causing my route to disappear, which is why openvpn stops working while still running. Anyone have any idea how to troubleshoot this?

  18. So I think what’s happening is that openvpn is running fine, but the route is somehow disappearing. If I start openvpn, do nothing, and stop it one minute later, everything looks fine in the log (routes added and deleted normally). But if I start and then do some random internet activity, the route will disappear after a few minutes, and when I stop it I get these errors in the log

    ERROR: FreeBSD route delete command failed: external program exited with error status: 1

    which is occurring, I believe, because the route that openvpn created when it started is no longer there.

    So something is causing my route to disappear, which is why openvpn stops working while still running. Anyone have any idea how to troubleshoot this??

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s