OpenVPN on FreeNas 9.1

Back in July of 2012 I posted a write up on how to get OpenVPN running on FreeNas 8.2.  That write up was really just notes to myself and I never really thought it would get much attention.  Over the last year, it has seen enough traffic that I thought it deserved a re-write to try and make it easier to follow.  So, here goes.

As always, if you find this super useful, I wouldn’t turn down paypal donations.

If you are going to do this on your FreeNAS box, please also check out my guide on getting hacks to FreeNAS to survive system upgrades.

Dynamic DNS

If you don’t have a static ip address, lets start by setting up a Dynamic DNS entry.  There are several service providers that offer free dynamicDNS service…currently FreeNas supports: dyndns.org, freedns.afraid.org, zoneedit.com, no-ip.com, easydns.com and 3322.org.  So, pick one, set up an account, configure your FreeNas gui to use it in the services panel and then come back.

Port Forwarding on your Router

Next you’ll need to forward UDP port 1194 on your router to your FreeNAS box.  You’ll need to do a little google searching if you don’t know how to do that on your specific router.  Generally it involves logging into the web interface on the router, going to the advanced section and looking for something that sounds like port forwarding.

OpenVPN

Server Certificates – OpenSSL

You can configure OpenVPN for password authorization, but I really don’t like that method.  So I’ll tell you how to set it up with certificate authorization.  Easy-RSA is included in FreeNas 9.1 and later.  You can find it here: /usr/local/share/easy-rsa . If you don’t want to download my sample files or if you don’t trust me, then you should skip step 2 below and use the Easy-RSA files at /usr/local/share/easy-rsa and then also create your config files from scratch.

So, lets get started.

1. Mount the filesystem so we can make some changes.

su
enter your root password
mount -uw /

2. Now, download my openvpn.tar into the root of your data drive, so for me /mnt/Files. 

cd /mnt/Files
wget --no-check-certificate https://www.dropbox.com/s/14h2j1zslozotx8/openvpn.tar

tar -xvf openvpn.tar
cd openvpn

3. Now we need to create our CA.cert

chmod -R 755 easy-rsa/2.0/*
cd easy-rsa/2.0
sh
. ./vars
./clean-all
./build-ca

Your output from ./build-ca should look like this.  Answer the questions with the appropriate answers.

Generating a 1024 bit RSA private key

...++++++....................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [BG]:
State or Province Name (full name) [Sofia]:
Locality Name (eg, city) [Sofia]:
Organization Name (eg, company) [example.org]:
Organizational Unit Name (eg, section) [ ]:
Common Name (eg, your name or your server's hostname) [openvpn.example.org CA]:openvpn.example.org
Name [ ]:daemon
Email Address [admin@example.org]:
 

4. Now, we want to create a server key.

./build-key-server server

Your output from ./build-key-server should look like this.  Answer the questions with the appropriate answers.

Generating a 1024 bit RSA private key
.......++++++..........................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [MN]:
Locality Name (eg, city) [Coon Rapids]:
Organization Name (eg, company) [ ]:
Organizational Unit Name (eg, section) [ ]:
Common Name (eg, your name or your server's hostname) [server]:
Name [ ]:
Email Address [me@myhost.mydomain]:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password [ ]:
An optional company name [ ]:
Using configuration from /mnt/Files/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok The Subject's Distinguished Name is as follows
countryName : PRINTABLE:'US'
stateOrProvinceName : PRINTABLE:'MN'
localityName : PRINTABLE:'Coon Rapids'
organizationName : PRINTABLE:''
commonName : PRINTABLE:'server'
emailAddress : IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Sep 20 18:43:20 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Now let’s create the Diffie-Hellman parameters:

./build-dh

Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
………………………………………………………………………………+………………………………………………………………………….+…………………………………………………………………………………………++*++*++*

6. Now we might as well generate a client key.

./build-key joe.paetzel

Your output should look like this:

Generating a 1024 bit RSA private key
……………………………..++++++………++++++
writing new private key to ‘joe.paetzel.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:
State or Province Name (full name) [MN]:
Locality Name (eg, city) [Coon Rapids]:
Organization Name (eg, company) [ ]:
Organizational Unit Name (eg, section) [ ]:
Common Name (eg, your name or your server’s hostname) [joe.paetzel]:
Name [ ]:
Email Address [me@myhost.mydomain]:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password [ ]:
An optional company name [ ]:
Using configuration from /mnt/Files/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName : PRINTABLE:’US’
stateOrProvinceName : PRINTABLE:’MN’
localityName : PRINTABLE:’Coon Rapids’
organizationName : PRINTABLE:”
commonName : PRINTABLE:’joe.paetzel’
emailAddress : IA5STRING:’me@myhost.mydomain’
Certificate is to be certified until Sep 20 19:03:19 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. Now we can get out of the sh shell and move the keys and certificates into their place.

exit
cp -R keys ../../

On my system, the place I want the certs and keys is /mnt/Files/openvpn/keys , I’m using shorthand above to backout two directories and place the keys folder there.  So, the long hand version would be:

cp -R  /mnt/Files/openvpn/easy-rsa/2.0/keys /mnt/Files/openvpn/

The reason we want the keys and config file on the data drive instead of the OS drive is FreeNas upgrades will wipe out our OpenVPN setup if we have everything installed on the OS drive.

Server Configuration File

1. Next we can create the openvpn.conf config file and edit it for our specific setup.  If you didn’t download the openvpn.tar file from me, then you will need to create a openvpn.conf file from scratch.  If you did download the openvpn.tar file, I’ve included a couple of Bare Bones sample configs.

cp BareBones_Server.conf.sample openvpn.conf
chmod 440 openvpn.conf
vi openvpn.conf

Side note, vi has lots of commands, we just need to know a few:

x will delete the character your cursor is over, i will insert, esc will exit insert mode and to save and quit we use :wq

You should get this on your screen:

# Sample OpenVPN 2.0 config file for
# multi-client server.

#replace x.x.x.x with freenas ip
local x.x.x.x
port 1194
proto udp
dev tun
topology subnet
#change the paths and filenames below to match what you did
ca /mnt/Files/openvpn/keys/ca.crt
cert /mnt/Files/openvpn/keys/server.crt
key /mnt/Files/openvpn/keys/server.key
dh /mnt/Files/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push “route x.x.x.x 255.255.255.0”
#replace x.x.x.x with freenas ip
route x.x.x.x 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

We need to make a few changes to match our specific needs.

Change local x.x.x.x to the ip of your FreeNas box:

local 192.168.0.121

Check that your certs and keys match the lines here:

ca /mnt/Files/openvpn/keys/ca.crt
cert /mnt/Files/openvpn/keys/server.crt
key /mnt/Files/openvpn/keys/server.key
dh /mnt/Files/openvpn/keys/dh1024.pem

Change push “route x.x.x.x 255.255.255.0” to match your network setup:

push “route 192.168.0.0 255.255.255.0”

Change route x.x.x.x 255.255.255.0 10.8.0.1 to have the ip of your FreeNas box:

route 192.168.0.121 255.255.255.0 10.8.0.1

hit the ESC key, then type :wq to save and quit out of vi.

2. Now lets add a few things to rc.conf so we can start openvpn.

vi /etc/rc.conf

Add the following lines making sure that the openvpn_configfile is pointing to your config file location:

openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
openvpn_dir=”/mnt/Files/openvpn”

We also need to make these same changes to /conf/base/etc/rc.conf so they survive a restart.

vi /conf/base/etc/rc.conf

Again, add the following:

openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
openvpn_dir=”/mnt/Files/openvpn”

Cross Your Fingers and Fire It Up

1. Now we should be able to start the OpenVPN server.

service openvpn start

You should get something like this:

Starting openvpn.
route: writing to routing socket: File exists
add net 192.168.0.121: gateway 10.8.0.1: route already in table
add net 10.8.0.0: gateway 10.8.0.2

Clean Up

1. Make the filesystem read only again:

mount -ur /

2. Delete openvpn.tar

rm /mnt/Files/openvpn.tar

Set Up Your Client

1. Copy your client key(s), client crt(s) and ca.crt to the client computer you will be using to connect to the server.  There are a bunch of ways you could do this, I just copied them to a shared folder on my FreeNas box and moved them from there onto my client computer.

2. Create a client config file.  I’ve included a sample Bare Bones config for you to modify in the openvpn.tar file.  It will look something like this:

# Sample client-side OpenVPN 2.0 config file #
client
dev tun
proto udp
#change remote to your static ip
#or domain name for your freenas server
remote something.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Path/to/Some-ca.crt
cert /Path/to/laptop.crt
key /Path/to/laptop.key
ns-cert-type server
comp-lzo

You need to change the line remote something.dyndns.org 1194 to either your public static ip of your router or a dynamic or static domain name.  You also need to change the ca, cert and key lines to the path of where those files will live on the client.

On OS X using Tunnelblick as the client application those paths will look something like this:

ca /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
cert /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/joe.paetzel.crt
key /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/joe.paetzel.key

Wrapping It Up

With all of that, you should be good to go.  I’ve tried to be as clear and accurate as possible.  I hope you all enjoy the rewrite.

Also, check out my writeup on setting up a firewall on FreeNAS.  It will help you get routing working properly so you can reach all the devices on your LAN over the VPN. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/

Also, if you want to add an additional layer of security, check out my guide on getting OpenVPN working with Google Authenticator.

As always, donations are welcome via paypal.

If you are going to do this on your FreeNAS box, please also check out my guide on getting hacks to FreeNAS to survive system upgrades.

Advertisements

228 thoughts on “OpenVPN on FreeNas 9.1

  1. Pingback: OpenVPN on FreeNAS 8.2 | The Joe Paetzel Method

  2. Pingback: To re-Write or not? | The Joe Paetzel Method

  3. Hi Joe,
    I’m still using my keys made in the FreeNAS 8.2 guide. But I wanted to let you know this looks like a very good guide again.
    Cheers!

  4. I can’t seem to figure this out…when you create the certs. you have sh and then enter those commands ./vars and ./clean-all and ./build-ca which asks me to source ./vars. What is argument source in reference to a path directory? I know i have to edit that as well. I did make the directory keys in the /mnt/Open/openvpn/easy-ras/2.0/keys, is that correct?

  5. i had my openvpn installed in my /mnt/ZFS/ with openvpn.conf setup with correct path and rc.conf with correct path too. but i have no idea why when i run the command “service openvpn start” it always link to other path and having error msg “no such file and directory”

    i am using Freenas-9.1.1 now.

    • Add:
      openvpn_configfile=”/mnt/Files/openvpn”

      to the rc.conf file and it should work, there’s a comment in the openvpn init script that says:

      # You also need to set NAME_configfile and NAME_dir, if the configuration
      # file and directory where keys and certificates reside differ from the above
      # settings.

  6. openvpn_enable=”YES”
    openvpn_if=”tun”
    openvpn_configfile=”/mnt/ZFS/openvpn/openvpn.conf”

    and my conf file permission is -r–r

  7. it seem working now after i just modified /conf/base/etc/rc.conf with below string again and reboot my server.
    openvpn_enable=”YES”
    openvpn_if=”tun”
    openvpn_configfile=”/mnt/ZFS/openvpn/openvpn.conf”

  8. one question, i try to use openvpn client for windows to connect to my nas, but its always time out. May i know what i missed? and it ask for username and password every time i press connect but i do not know what is the username and password. I do download all the file needed for cert setup but there are no option to setup cert into windows client.

    • Hi. Admittedly I am not a windows guy any longer. Please take a look at this guide as it has a more windows centric approach. https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#ClientConfigFiles

      This section looks like it answers your question.

      Copying the Server and Client Files to Their Appropriate Directories

      Copy these files from C:\Program Files\OpenVPN\easy-rsa\ on the server to C:\Program Files\OpenVPN\config\ on each client (mike-laptop, in this example):
      ca.crt
      mike-laptop.crt
      mike-laptop.key
      mike-laptop.ovpn

      and then this section

      ca “C:\\Program Files\\OpenVPN\\config\\ca.crt”
      cert “C:\\Program Files\\OpenVPN\\config\\mike-laptop.crt”
      key “C:\\Program Files\\OpenVPN\\config\\mike-laptop.key”

  9. I keep getting this error when trying to start openvpn. I am noob to this so any help would be great.

    cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)

    • Looks like you might have specified /usr/local/etc/openvpn for something in rc.conf but you didn’t create that directory. Did you use the settings from the write-up for rc.conf?

      • I did, but I went to that location and mkdir openvpn, I dont know if that was the correct way to handle it, but it didnt give the error anymore

  10. I changed some lines in /usr/local/etc/rc.d/openvpn from:
    eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
    eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”

    to:

    eval “: \${${name}_configfile:=\”/mnt/Familly/openvpn/${name}.conf\”}”
    eval “: \${${name}_dir:=\”/mnt/Familly/openvpn\”}”

    where Familly is my dataset and openvpn is the folder where reside openvpn.conf.

    hope had helped someone!

    • So FreeNas is a free fileserver operating system. OpenVPN is a free Virtual Private Network software package. This is a tutorial on how to get OpenVPN working on FreeNas so you can access your files remotely and securely.

      • Ah ha! I figured out what FreeNas was, and why it required its own box, but the VPN part was beyond me. Is there a way to do this using HPPS?

      • Do you mean https? Not sure what HPPS is…wikipedia says it is referring to Harry Potter.

        If you do mean https, then yes and no. I think I have a post about Ajaxplorer, which is a web based file sharing / access application. http://ajaxplorer.info/

        You can set that up on a computer and access your files over https.

        Strictly speaking, OpenVPN is it’s own thing even though is uses the same SSL technology that https does…it is not the same.

  11. Hi,

    Thanks a lot for the guide. I was tearing my hair out trying to figure this out before.

    I’ve followed the instructions here and I’m running into a problem: When I try to start the openvpn service I get a failed to start error on SSH, and my server’s console says “In [CMD-LINE]:1: Error opening configuration file: /mnt/grid/openvpn/openvpn.conf”
    Where grid is obviously the name of my ZFS volume. Any idea what could be causing it not to open?

      • Nope, same thing. Error opening configuration file, but this time the path is “usr/local/etc/openvpn/”. I can’t imagine why it wouldn’t be able to open the config file.

        Thanks for replying so quickly by the way, really appreciate the extra help.

      • This is what Luis did to resolve something similar.

        I changed some lines in /usr/local/etc/rc.d/openvpn from:
        eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
        eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”

        to:

        eval “: \${${name}_configfile:=\”/mnt/Familly/openvpn/${name}.conf\”}”
        eval “: \${${name}_dir:=\”/mnt/Familly/openvpn\”}”

        where Familly is my dataset and openvpn is the folder where reside openvpn.conf.

        hope had helped someone!

  12. Tried that too. Same error message. I gotta wonder how stuff like this happens. It’s all the same files and procedure, and the only thing that’s different are the names of the datasets right? Despite that, it seems like FreeNAS is fighting me every step of the way.

    I guess I’ll cut my losses and try to get the other parts of my server running. Thanks for your help Joe.

  13. hi all,
    you need to modify the file “/conf/base/etc/local/rc.d/openvpn” to make the changes in “/usr/local/etc/rc.d/openvpn” permanent.

    now my the part which is leading to the openvpn dir and to the config file looks like this:

    # eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
    eval “: \${${name}_configfile:=\”/path/to/openvpn/${name}.conf\”}”
    # eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
    eval “: \${${name}_dir:=\”/path/to/openvpn\”}”

    and add these 3 lines, as mentioned above to the 2 files “/conf/base/etc/rc.conf” and “/etc/rc.conf”
    openvpn_enable=”YES”
    openvpn_if=”tun”
    openvpn_configfile=”/path/to/openvpn/openvpn.conf”

    after a reboot, you can check with “service openvpn status” that openvpn is really running 🙂

  14. Joe,

    I have followed your guide successfully but I am having one problem. My openvpn server is behind my router and I cannot seem to get my vpn to tunnel all my traffic. I cannot access any other computers on the LAN through the VPN. I can access the VPN server itself. I have found guides that point to iptables and changing firewall rules but I don’t believe that applies in this case. Do you have any advice?

    • Hi Javier-

      I have this same problem. It hasn’t risen to the top of the pile yet. If you can connect to your VPN Server, then it is not a firewall issue. What is most likely going on is a routing problem. The real fix is going to involve getting the VPN Server to successfully push the correct routing for the local network across the tunnel.

      A hack fix would be a create a virtual interface on the machine(s) inside the network you are trying to reach and give it a 10.8.0.x ip. Then from the remote computer, try to connect to it using the 10.8.0.x ip instead of the remote lan ip.

      The other more complicated fix would be to use your VPN server as the gateway for your network. I don’t think we really want to get into that though.

      • Joe,

        Sounds good. Is this also why, if I route all traffic through the VPN, I cannot get out to access any website either? Is there a way to push the DNS settings successfully? This is my other problem. At this point the only thing I can use the VPN server for is to access the Freenas box itself. I appreciate all the work you have put into this.

        If there is anything I can do to test for you let me know. I would be willing to extend any help I can.

  15. First, thanks a lot for this guide. I am preparing to dive into this and at beginning I’m facing a problem. My greedy ISP wont give me any permissions to access router and configure port forwarding myself. They charge $20 for any change in port forwarding, for what I must write request so they can do it for me! I was rash and asked for opening ports 21 and 22, when I wanted to setup access from wan. Now I realize what a terrible mistake it was and expensive one! So not to make more hasty moves, I’ll better ask someone who have experience.

    Should I change VPN listening port to 21 and how? Or tunnel it through SSH on 22?
    Or is it smarter to pay again ISP to close 21 and 22 ports for security reasons, and open 1194?
    Any advice will help. Thanks.

    • If I woke up in your place, I’d run OpenVPN on port 21. In each config, client and server, there are parameters for what port to use. Just change both of those from 1194 to 21. Best of luck.

  16. Hey! Followed ur guide, everything went well until i tried to start it up. Whats wrong? Error :

    [root@Server] /mnt/HDD/openvpn# service openvpn start
    Starting openvpn.
    Tue Nov 12 11:09:53 2013 cd to ‘/usr/local/etc/openvpn’ failed: No such file or
    directory (errno=2)
    Tue Nov 12 11:09:53 2013 Exiting due to fatal error
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
    [root@Server] /mnt/HDD/openvpn#

    • For some reason it seems like it is not following the configfile config variable. Try this below…

      hi all,
      you need to modify the file “/conf/base/etc/local/rc.d/openvpn” to make the changes in “/usr/local/etc/rc.d/openvpn” permanent.

      now my the part which is leading to the openvpn dir and to the config file looks like this:

      # eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
      eval “: \${${name}_configfile:=\”/path/to/openvpn/${name}.conf\”}”
      # eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
      eval “: \${${name}_dir:=\”/path/to/openvpn\”}”

      and add these 3 lines, as mentioned above to the 2 files “/conf/base/etc/rc.conf” and “/etc/rc.conf”
      openvpn_enable=”YES”
      openvpn_if=”tun”
      openvpn_configfile=”/path/to/openvpn/openvpn.conf”

      after a reboot, you can check with “service openvpn status” that openvpn is really running

      • [root@Server ~]# ls -la /mnt/HDD/openvpn
        total 200
        drwxrwxrwx 6 Foppa Foppa 16 Nov 12 10:13 .
        drwxrwxrwx 13 Foppa Foppa 24 Nov 12 10:58 ..
        -rwxrwxrwx 1 Foppa Foppa 6148 Jul 28 22:13 .DS_Store
        -rwxrwxrwx 1 Foppa Foppa 82 Jul 28 22:13 ._.DS_Store
        -rwxrwxrwx 1 Foppa Foppa 171 Jul 28 21:44 ._BareBones_Client.conf.sample
        -rwxrwxrwx 1 Foppa Foppa 171 Jul 28 22:12 ._BareBones_Server.conf.sample
        -rwxrwxrwx 1 Foppa Foppa 222 Jul 28 09:38 ._easy-rsa
        -rwxrwxrwx 1 Foppa Foppa 222 Sep 28 2012 ._sample-config-files
        -rwxrwxrwx 1 Foppa Foppa 222 Sep 28 2012 ._sample-scripts
        -rwxrwxrwx 1 Foppa Foppa 339 Jul 28 21:44 BareBones_Client.conf.sample
        -rwxrwxrwx 1 Foppa Foppa 583 Jul 28 22:12 BareBones_Server.conf.sample
        drwxrwxrwx 4 Foppa Foppa 8 Jul 28 09:38 easy-rsa
        drwxrwxrwx 2 Foppa Foppa 19 Nov 12 09:43 keys
        -rwxrwxrwx 1 Foppa Foppa 592 Nov 12 11:09 openvpn.conf
        drwxrwxrwx 2 Foppa Foppa 34 Sep 28 2012 sample-config-files
        drwxrwxrwx 2 Foppa Foppa 16 Sep 28 2012 sample-scripts
        [root@Server ~]#

        ——————————
        [root@Server ~]# ls -la /mnt/HDD
        total 976
        drwxrwxrwx 13 Foppa Foppa 24 Nov 12 10:58 .
        drwxr-xr-x 4 root wheel 512 Nov 12 11:57 ..
        drwxrwxrwx 2 Foppa Foppa 6 Nov 12 11:55 .AppleDB
        drwxrwxrwx 2 Foppa Foppa 3 Nov 5 09:06 .AppleDesktop
        drwxrwxrwx 2 Foppa Foppa 14 Nov 12 09:25 .AppleDouble
        -rwxrwxrwx 1 Foppa Foppa 21508 Nov 12 11:43 .DS_Store
        drwxrwxrwx 4 Foppa Foppa 4 Nov 12 09:58 .TemporaryItems
        -rwxrwxrwx 1 Foppa Foppa 222 Jul 28 22:12 ._openvpn
        -rwxrwxrwx 1 Foppa Foppa 898 Nov 5 13:21 .cshrc
        -rwxrwxrwx 1 Foppa Foppa 186 Nov 5 13:21 .login
        -rwxrwxrwx 1 Foppa Foppa 91 Nov 5 13:21 .login_conf
        -rwxrwxrwx 1 Foppa Foppa 301 Nov 5 13:21 .mail_aliases
        -rwxrwxrwx 1 Foppa Foppa 267 Nov 5 13:21 .mailrc
        -rwxrwxrwx 1 Foppa Foppa 680 Nov 5 13:21 .profile
        -rwxrwxrwx 1 Foppa Foppa 212 Nov 5 13:21 .rhosts
        -rwxrwxrwx 1 Foppa Foppa 909 Nov 5 13:21 .shrc
        drwxrwxrwx 42 Foppa Foppa 47 Nov 12 03:19 Film
        drwxrwxrwx 3 Foppa Foppa 3 Nov 5 09:06 Network Trash Folder
        drwxrwxrwx 7 Foppa Foppa 7 Nov 11 14:14 Serier
        drwxrwxrwx 10 Foppa Foppa 16 Nov 7 14:56 Stuffs
        drwxrwxrwx 3 Foppa Foppa 3 Nov 5 09:06 Temporary Items
        drwxrwxrwx 12 Foppa Foppa 15 Nov 5 11:19 jails
        drwxrwxrwx 6 Foppa Foppa 16 Nov 12 10:13 openvpn
        -rwxrwxrwx 1 Foppa Foppa 249344 Nov 12 09:25 openvpn.tar
        [root@Server ~]#

    • Changed some stuffs after i read you guys comments, now i seem to have a problem with permissions. Any help?

      [root@Server] /mnt/HDD/openvpn# service openvpn start
      Starting openvpn.
      eval: /mnt/HDD/openvpn: Permission denied
      /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
      [root@Server] /mnt/HDD/openvpn#

  17. I got this working, thanks for the guide.

    However what I really want to accomplish is a FreeNAS as OpenVPN client (not server) using “dev tap”. This would enable me to put my FreeNAS, configured as an Apple timemachine) anywhere on the internet and use it as remote backup…
    Without the need of a static IP on the FreeNAS side, without the need to control the router (if any) on the FreeNAS side etc.

    I learned I need to ‘compile’ a tap.so and maybe other modules. Problem is don’t know how to do that + Can I not download those .so from somewhere and reboot?

    Any pointers?

    Thx

    Peter

  18. Thanks for your guide! I am trying to get this to work. I am having a similar problem as mentioned in previous posts. I successfully connect to the VPN server and I can connect to my freenas website. However, I cannot access any of my other network devices (i.e. SABNZBD (hosted in jail), Sickbeard (hosted in jail), router itself). Any suggestions? I can sent log files if needed.

  19. I’m stuck at this after I changed the file “/conf/base/etc/local/rc.d/openvpn” as described here in the comments I’m getting another error message:

    [root@freenas] ~# service openvpn start
    Starting openvpn.
    eval: /mnt/nas1/openvpn: Permission denied

    I checked my permissions for the openvpn folder. Everything is -rwxrwxrwx.
    Please help.

  20. I’m stuck. when trying to create the CA. this is what i get.
    ——————————————————————————————————————
    [root@freenas] /mnt/NAS/openvpn# chmod -R 755 easy-rsa/2.0/*
    [root@freenas] /mnt/NAS/openvpn# cd easy-rsa/2.0
    [root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# sh
    [root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# sh
    # ./clean-all
    Please source the vars script first (i.e. “source ./vars”)
    Make sure you have edited it to reflect your configuration.
    # . ./vars
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /mnt/NAS/openvpn/easy-rsa/2.0/keys
    # ./build-ca
    Please edit the vars script to reflect your configuration,
    then source it with “source ./vars”.
    Next, to start with a fresh PKI configuration and to delete any
    previous certificates and keys, run “./clean-all”.
    Finally, you can run this tool (pkitool) to build certificates/keys.
    #
    ——————————————————————————————————————–

    As above i have tried creating the keys directory manually, no luck. Also sourcing ./vars i get
    ——————————————————————————————————————–
    [root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# source ./vars
    export: Command not found.
    export: Command not found.
    export: Command not found.
    export: Command not found.
    EASY_RSA: Undefined variable.
    export: Command not found.
    EASY_RSA: Undefined variable.
    ————————————————————————————————————————-

    Unbelievably confused lol! any help would be great.

    Cheers

  21. Hi Joe, i installed openvpn with your previous guide in the passed,
    now with the 9.2 out, i wanted to change my exisitng openvpn with your new guide
    but there seems a problem, when i want to start openvpn, it says the following:
    [root@freenas] ~# service openvpn start
    Starting openvpn.
    Thu Dec 26 11:17:25 2013 cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)
    Thu Dec 26 11:17:25 2013 Exiting due to fatal error
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

    the service thinks it has to look in the old location, and i don’t know how to (or where to) tell it to look in the new location.

    If you can help, thank you very much!!

  22. Can these instructions be used to connect two FreeNAS boxes with both ends having dynamic IP addresses? I want to schedule Rsync tasks to backup my FreeNAS box to another FreeNAS box at a remote location.

  23. Great guide. Got this working.

    I can VPN in and connect to the FreeNAS host, but I can’t get to any of the jail IPs or other IPs on the LAN.. must be something with the routing that needs fixing, I’ll need to poke at it more.

    • So basically you either have to add a route to your router to know that 10.8.0.0/24 should be routed to the VPN server, or set up NAT to masquerade VPN traffic to appear to come from the VPN server.

      I went with the latter, something like this seems to work:

      ipfw nat 1 config if em0
      ipfw add nat 1 all from 10.8.0.0/24 to any out via em0
      ipfw add nat 1 all from any to any in via em0

      • In which file do you add these lines?
        So is everything working for you now with connecting to other IP’s in the Lan? I have the same issue with the vpn that you had.

      • Excellent addition! This enabled me to route all my traffic through the VPN.

        A few modifications that everyone can make to enable this. (at least this is what I did that actually worked after a LOT of trying).

        Set this in FreeNAS GUI under sysctl:
        You can run this from the terminal to enable before restart – sysctl net.inet.ip.forwarding=1

        I put this in my /etc/ipfw.rules file:
        #my adapter was re0 not em0
        ipfw -f flush # might not be needed, but why not
        ipfw nat 1 config if re0
        ipfw add nat 1 all from 10.8.0.0/24 to any out via re0
        ipfw add nat 1 all from any to any in via re0

        Added this to /etc/rc.conf:
        firewall_enable=”YES”
        firewall_type=”open”
        firewall_script=”/etc/ipfw.rules”

        In the OpenVPN client config file add:
        redirect-gateway def1

      • Thanks perlguy9, that helped me a lot.
        I did how ever figure out that I had to add ” gateway_enable=”YES” ” to the “rc.conf” file.
        Edit both “/etc/rc.conf” and “/conf/base/etc/rc.conf”

        Just to recap below are the commands I used.
        BTW, I use nano instead vi as an text editor.

        —–edit /etc/rc.conf and add gateway_enable=”YES” to the bottom
        nano /etc/rc.conf
        —–edit /conf/base/etc/rc.conf and add gateway_enable=”YES” to the bottom
        nano /conf/base/etc/rc.conf
        —–find the name of your ethernet interface mine was bge0
        ifconfig
        —–add rules to the ip firewall and test OpenVPN
        ipfw nat 1 config if bge0
        ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
        ipfw add nat 1 all from any to any in via bge0

        I’m out of my depth after this.
        As I have reissue the ipfw commands everytime I reboot.
        But hell it works.

  24. Well in order to test, you can just run those lines (or similar, if your configuration is a bit different) as root and then test. I added them to the openvpn startup script in /usr/local/etc/rc.d, but I haven’t taken the time to figure out how to properly remove them if the service is stopped, so your mileage may vary.

  25. Hi Joe, thanks for the great guide. I’ve got everything set up okay and the server is running on my freenas box, but I’m having trouble connecting to the server.

    No matter what I try, I keep getting an error that says:
    read UDP [EHOSTUNREACH]: No route to host (code=113)

    It sounds as though the client cannot find my freenas server… I’ve checked in my router’s log, and the request is indeed getting forwarded to the freenas box (dd-wrt log reports the request as ‘Accepted’).

    I don’t however, see any indication in the openvpn log that it is receiving information from a client. Is there anyway that I can see if the request is making it, or further debug this?

    Thanks again,
    Josh

  26. Hi Joe, thanks for the great write up. Sorry if this comment ends up posting twice, but I don’t think my first one went through.

    I think I got the server set up successfully, and it seems to be running ok. The problem is, I cannot connect to it from any clients (tried my Ubuntu laptop and cell phone). I’m using all the right certificates and everything, but the issue is that there is no route to the host, as shown by the error in the client log:
    read UDP [EHOSTUNREACH]: No route to host (code=113)

    I’ve confirmed that the requests are getting properly forwarded by my router, as they show up as ‘Accepted’ in the incoming log, but it seems like they’re not getting to the FreeNAS box. The openvpn log on the FreeNAS box does not show any indication of seeing the client requests, so it looks like they aren’t getting all the way to the running openvpn service.

    Do you have any idea how I could see where the connection is getting stuck? Perhaps it’s some FreeNAS setting that I don’t have set correctly?

    Thanks again,
    Josh

    • Hi Josh-

      Sorry that you are stuck. Is the OpenVPN service running?

      #service openvpn status

      Is the correct UDP port forwarded on your router? UDP 1194 as the default.
      I assume you are testing the VPN from outside the network? If not, you’ll need to specify the internal FreeNas IP in your client config.

      Might help if you send some data my way, like your client and server configs…x out your ip. Might help to see your router rules too.

      • Hi Joe, thanks for the reply. The service is definitely running (confirmed with status command), and the UDP port 1194 is forwarded correctly. I was testing from outside my network using a dynamic ip. Like I mentioned, I can see the request from the client (my laptop) in the router port forwarding logs as ‘Accepted’, so I know it’s getting at least that far.

        Here’s the server config:
        # Sample OpenVPN 2.0 config file for
        # multi-client server.
        #replace x.x.x.x with freenas ip
        local x.x.1.150
        port 1194
        proto udp
        dev tun
        ca /mnt/scratch/home/josh/openvpn_install/openvpn/keys/ca.crt
        cert /mnt/scratch/home/josh/openvpn_install/openvpn/keys/server.crt
        key /mnt/scratch/home/josh/openvpn_install/openvpn/keys/server.key
        dh /mnt/scratch/home/josh/openvpn_install/openvpn/keys/dh1024.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        #change x.x.x.x to match your network ip range
        #ie 192.168.0.0 or 10.0.0.0
        push “route x.x.1.0 255.255.255.0”
        #replace x.x.x.x with freenas ip
        route x.x.1.150 255.255.255.0 10.8.0.1
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        verb 3

        The client config:
        # Sample client-side OpenVPN 2.0 config file #
        client
        dev tun
        proto udp
        #change remote to your static ip
        #or domain name for your freenas server
        remote josh.xxxxx.org 1194
        resolv-retry infinite
        nobind
        persist-key
        persist-tun
        ca /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/ca.crt
        cert /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/josh.taillon.crt
        key /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/josh.taillon.key
        ns-cert-type server
        comp-lzo
        verb 3

        The router configuration you can see here:

        Any thoughts?

  27. I’m not sure what I’ve changed, but now I can access the VPN and connect successfully, but I am having the issue where I cannot access other jails on the LAN or any WAN connections. Trying to debug though. Thanks again for the set up guide.

  28. Hey guys,

    If you have problems with:

    cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)

    I found a solution. Just add this configuration to your /etc/rc.conf and /conf/base/etc/rc.conf files:

    openvpn_dir=”/mnt/storage/openvpn”

    specify the path where your openvpn.conf file is stored. You shouldn’t have problems anymore.

    Cheers!

  29. Thanks a lot for the guide and helping us all troubleshoot Joe.

    I’ve got my VPN server up and running, and I’ve got Windows clients that can connect to it properly. Now I’m trying to get a client set up in one of my jails, and I’m running into trouble. It establishes a connection, but from what I can see it has problems after that. Here’s the part of the client log where I think the problem is:
    Fri Jan 10 16:09:17 2014 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
    Fri Jan 10 16:09:17 2014 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.1.100 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120, ifconfig 10.8.0.6 10.8.0.5’
    Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: timers and/or timeouts modified
    Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: –ifconfig/up options modified
    Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: route options modified
    Fri Jan 10 16:09:17 2014 ROUTE_GATEWAY 192.168.1.254
    Fri Jan 10 16:09:17 2014 TUN/TAP device /dev/tun1 opened
    Fri Jan 10 16:09:17 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Fri Jan 10 16:09:17 2014 /sbin/ifconfig tun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
    Fri Jan 10 16:09:17 2014 /sbin/route add -net 192.168.1.100 10.8.0.5 255.255.255.0
    route: writing to routing socket: File exists add net 192.168.1.100: gateway 10.8.0.5: route already in table
    Fri Jan 10 16:09:17 2014 ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Fri Jan 10 16:09:17 2014 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
    add net 10.8.0.0: gateway 10.8.0.5
    Fri Jan 10 16:09:17 2014 Initialization Sequence Completed
    Fri Jan 10 16:09:33 2014 Connection reset, restarting [0]
    Fri Jan 10 16:09:33 2014 SIGUSR1[soft,connection-reset] received, process restarting

    And then it loops and tries to reconnect. I see there’s an error in there, but I’m not sure what it means or how to fix it. Any ideas?

  30. Hi Joe,

    thanks for the howto.

    i am running into the following issue and I am not sure why it is stating this:
    /usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
    Will not ‘start’ openvpn because openvpn_enable is NO.

      • The entire openvpn portion of your rc.conf file should look like this. Where /mnt/Files/openvpn is the path you are using for your config files and keys. The standard location is /usr/local/etc/openvpn

        openvpn_enable=”YES”
        openvpn_if=”tun”
        openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
        openvpn_dir=”/mnt/Files/openvpn”

  31. Got it working as a client,

    Reason it wasn’t working is when editing files truh WinSCP it added some strange letters to it and this was only visible when I did a cat on the file.

    Thanks!!!

  32. Hi guys, for some reason I keep getting this message after trying literally everything in the comments :/ hopefully someone here can help me!

    [root@Pat ~]# service openvpn start
    Starting openvpn.
    /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

    • I get the same error and I tried absolutitly everythink from the comments, too.
      Is ther anything else I could try Joe?
      Error:
      service openvpn start
      Starting openvpn.
      /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
      [xxx@freenas] /mnt/vol0/openvpn/sample-config-files#
      My “/usr/local/etc/rc.d/openvpn”-file is fixed with this:
      # eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
      eval “: \${${name}_configfile:=\”/mnt/vol0/openvpn/${name}.conf\”}”
      # eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
      eval “: \${${name}_dir:=\”/mnt/vol0/openvpn\”}”
      And both of my rc.conf have this at the end:
      # OpenVPN
      openvpn_enable=”YES”
      openvpn_if=”tun”
      openvpn_configfile=”/mnt/vol0/openvpn/openvpn.conf”
      openvpn_dir=”/mnt/vol0/openvpn”
      Please help 🙂

      • My guess is there is a syntax error in your openvpn.conf file.

        Short of just seeing it and fixing it…I would trouble shoot like this.

        In your server openvpn.conf file set:
        verb 6

        Try starting again then ready through the messages log to see if it gives you any insight. /var/logs/messages

        After that, I’d revert the change you made to rc.d/openvpn. Then mkdir /usr/local/etc/openvpn

        Then cp /mnt/vol0/openvpn/openvpn.conf /usr/local/etc/openvpn/.

        Then comment out the openvpn_dir and openvpn_configfile from /etc/rc.conf

        Then try restarting. If it still fails, I’m 99% sure it is a error in your openvpn.conf file.

      • Thank You so much! The /var/logs/messages showed me there was a syntax error in line 2 of my openvpn.conf (ist was a period at the beginning).
        Now its working!

        Thank You again!

      • I had the same problem, for me the issue was that I typed “cp -R keys/ ../../” instead of “cp -R keys ../../” (the slash should not be there after “keys”). Abuse of TAB key :D!

  33. I’m pretty new to this. I have gotten to where I start the server. It tells me this “/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
    Will not ‘start’ openvpn because openvpn_enable is NO.”
    So I attempted this
    “hi all,
    you need to modify the file “/conf/base/etc/local/rc.d/openvpn” to make the changes in “/usr/local/etc/rc.d/openvpn” permanent.

    now my the part which is leading to the openvpn dir and to the config file looks like this:

    # eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
    eval “: \${${name}_configfile:=\”/path/to/openvpn/${name}.conf\”}”
    # eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
    eval “: \${${name}_dir:=\”/path/to/openvpn\”}”

    and add these 3 lines, as mentioned above to the 2 files “/conf/base/etc/rc.conf” and “/etc/rc.conf”
    openvpn_enable=”YES”
    openvpn_if=”tun”
    openvpn_configfile=”/path/to/openvpn/openvpn.conf”

    after a reboot, you can check with “service openvpn status” that openvpn is really running :)”
    This is a read only file system and it will not allow me to make changes. I am logged in as root, using putty. Any other suggestions?

    • You need to make the filesystem writeable.

      mount -uw /

      As for changing rc.d/openvpn. I haven’t needed to do that. See the last few comments about openvpn directory setting in rc.conf

      • I seem to be very confused, sorry for my silly questions. my provider is boxpn they only list windows max and android setups?
        Is this going to let Sabnzbd and transmission connect to the internet through VPN and freenas to be locked down on the local network?
        Thank you for taking the time to reply and write your tutorials

      • Not familiar with Boxpn…so I checked it out and it looks like they only offer PPTP VPN’s. That won’t work with OpenVPN as far as I know. Sorry I can’t be more help.

  34. Sorry for asking such a dumb question, but where do you type in all these commands ? The shell inside Freenas, terminal on my mac ? I have a macbook pro and i have an old PC with Freenas 9.1 running and want to have secure remote access to my Freenas. I have LAN access running just fine with AFP shares, but I can’t seem to get the WAN access working. I have a static IP and DYNDNS setup but still no luck. Im new to this stuff and Ive been reading articles and forums for a week and I’m more confused now than I as before I decided I wanted a server. thank you

    • Hi Steve-
      You can either use the shell inside freenas or by ssh’ing into your freenas box using terminal on your mac. I usually ssh in. To do that open terminal on your mac, then type ssh user@ip_of_freenas

      User needs to be a valid user you set up on freenas with login capabilities and the ip is obviously the ip of the freenas box on the LAN.

      A VPN is one option for getting access to your fileserver from outside of your LAN. Another option would be to install the owncloud plugin and have your files live there. That basically gives you dropbox like access to your files.

      Hope that helps. Good luck!

      • Hey thanks for answering Joe, Ive actually got own cloud set up, and running and it has an IP address thats one number higher than the IP of me Freenas box. But I don’t know how to get access to it outside my LAN. Im assuming i port forward my router, but what service should I use to get to it ? HTTPS ? Is that secure enough ?

    • So for security there are two things to think about. Is there a security hole in SSL (https) and is there a security hole in owncloud? I don’t claim to be a security expert, so I don’t know the answer to those two questions. I do know that I run owncloud over ssl on my personal file server. As for how to do it…yes, forward the port on your router to the ip of the owncloud jail. For SSL, the standard port is 443. The other option is to use a VPN to connect to your LAN and then access owncloud over the VPN.

  35. Hi Joe
    I have Vpn Service that provide openvpn, it has username and password? how to use it
    I followed your method and instead of config files(“ovpn” I renamed to openvpn.conf) I used the files they provided I have set it up but they don’t have “Server Key” and “DH.pem” file it is asking for username and password every time I restart, and my dyndns stopped working I use SSH and SFTP and I’m receiving error “Permission denied (publickey,password).” help me.Thank You for your guide!

  36. hey joe,

    Thanks for the tutorial and helping us out!

    I am trying to connect to privateinternetaccess VPN as some other dude in the comments above. So sorry if this off-topic but there are clearly lots of people interested in that.

    It only works if the line auth-user-path in the openvpn.conf file does not contain a link to a login.conf file with login and password. PuttY then asks for login and password and openvpn starts fine. The link you gave just above seems to imply openvpn needs to be compiled with –enable-password-save configure option to be able to read login/password from a text file. I have never done that. Is this going to involve much pain…?

    Once the openvpn service is running do you have any tips to make sure that the Transmission plugin installed in a jail will download through the vpn and even maybe configuring some firewall rules to block internet connection in case the VPN goes down?

    Cheers

    • I personally don’t think password with is a good idea. So, I’m not a huge fan of spending time figuring out how to make it work.

      Also, not a user of transmission. Sorry. You might try reading up on netstat. Should help you figure out how things are connecting.

    • Hi there-
      Thanks for the interest in my Blog. To follow the blog, all you have to do is click the Follow button. Should be on the upper right when you first enter a page. Here’s a screen grab.

      • Joe, thanks for the excellent guide. I was able to get openvpn running successfully and am able to vpn into my freenas box. I do have a problem though where I can’t access any of my jails or other PC’s running on my LAN from a vpn client. Reading through many guides for openvpn it seems I need to configure port forwarding on the openvpn server itself which I believe I have done. In freenas gui, I went to sysctls under system and added net.inet.ip.forwarding to a value of 1. Other guides which seem to be for non freenas/bsd based OS’s say to use ‘echo 1 > /proc/sys/net/ipv4/ip_forward’. Unfortunately I am still unable to connect to any other jails or PC’s on my LAN. Do you have any suggestions to make this work? Thanks in advance!

      • Please see my post on enabling the pf firewall on freenas. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/ Doing this will have the added benefit of allowing you to connect to other LAN computers through the VPN. Please be advised though. Currently pf and vimage jails do not get along and will result in kernel panics if they are used together. Please do your research. You may also need to specifically define the routes to the various other devices on your LAN. You would do that in your openvpn server config file. The line that pertains to this is:
        route x.x.x.x 255.255.255.0 10.8.0.1
        You can have as many of these as you need. Replace the xxx’s with the ip for the device. I’m sure there is a way to make it work without specifying every single one…but I haven’t taken the time to figure it out. Also, with the pf.conf file in my write up. Make sure to comment out any ports that you do not want open.

        Also, please think about doing something to get your hacks to stick even after upgrades. This has been working for me so far. https://joepaetzel.com/2014/03/09/freenas-getting-hacks-to-survive-part-2/

  37. Hi, I’m using Freenas 9.2.1.3 and I’m stuck at:
    # ./clean-all
    Please source the vars script first (i.e. “source ./vars”)
    Make sure you have edited it to reflect your configuration.
    # . ./vars
    Bus error (core dumped)
    NOTE: If you run ./clean-all, I will be doing a rm -rf on /mnt/Cloud/openvpn/easy-rsa/2.0/keys

    I’ve tried many times but everytime it says: “Bus error (core dumped)”
    Can anyone help me?
    Thanks

  38. Hi, i use your nice guide to setup OpenVPN on freensa. I have small problem, i can access freenas server over VPN, but cant access LAN network computer or other jails. I already have in server configuration ‘push “route 192.168.1.0 255.255.255.0″‘ without no luck. Have any help? Thx. Marian.

      • Hi,

        thx for your time.
        If i good understud, as you wrote ” Currently pf and vimage jails do not get along and will result in kernel panics if they are used together. “, if i have freenas with some runing vimage jails i get kernel panic?
        And if i want access LAN computers i must add “route LAN_computer_ip 255.255.255.0 10.8.0.1” to server.ovpn as many of these as i need and setup pf. Without pf dont work access to LAN, because in pf is configured NAT from vpn network to LAN network?

      • Yes, PF and Vimage jails can cause kernel panics. You can turn a vimage jail into a normal jail by unchecking the vimage check box in the jail settings. Then it will work fine with pf. The other option would be to use a different firewall, like ipfw. I don’t know ipfw though, so I will not be able to help you with that. I’m not sure if there are negative effects from turning off the vimage option on a jail. It does use an additional LAN IP…but other than that, I’m not sure. Sorry I can’t be more help.

      • Hi,

        Again BIG THX for your time.

        You helped me understud, that without pf access to lan do not work and i do not want risk kernel panic on my server. 😦

        Thx, Marian.

      • You are welcome. I’m looking at the man page for ipfw and it doesn’t look like it would be too hard to tweak my pf rules into ipfw rules. The main thing you need in order to get LAN access over the VPN is NAT’ing the interface on the appropriate ip range.

  39. Thx, for all informations. Yestarday i will start research how to nat with ipfw and how to setup permanent configuration.
    Ok, thx.

    Marian.

  40. Hi,
    i something learned and try some tricks. 🙂 As last step, i folow this “tutorial”: http://forums.freenas.org/index.php?threads/openvpn-server-in-a-freebsd-9-2-jail-routing-nat-issues.17998/#post-118626

    I have onwncloud in standard jail with working ipfw+fail2ban+openvpn. I decide to try on it. Setup some rules from that tutorial and add some line to rc.conf.

    to rc.conf i add:
    cloned_interfaces=”tun”
    gateway_enable=”YES”

    to ipfw.rules i add to first line:
    ipfw -f flush
    ipfw nat 1 config if epair0b
    ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
    ipfw add nat 1 all from any to any in via epair0b

    No luck for me, not working. I can connect from internet with openvpn, but i cen only ping owncloud jail. no ping to freens or computers on lan.

    im at end. 😦

  41. sorry, i have bad wireless keyboard… 🙂
    No luck for me, not working. I can connect from internet with openvpn, ping to owncloud jail, but no ping to freenas or computers on lan.

  42. Pingback: Enable Multi-Factor Authentication for OpenVPN | The Joe Paetzel Method

  43. whoah this weblog is great i like reading your articles.
    Keep up the great work! You already know, a lot of persons are searching round for this info, you can help them greatly.

  44. Hi great guide but I’m hitting a problem at step 6 after I generate a client key. It says TXT_DB error number 2 TXT_DB not found. I’ve followed the guide to the letter up to this point. Not sure where I’m going wrong.
    I must note I’m only 5 weeks in with my Freenas and this is all new to me working with unix commands. I might be trying to swim before I can walk but I really want to get my freenas behind a VPN. Any pointers as to what could be my problem.
    Thanks in advance.

    • Hi Nick-
      A quick google search yielded this:

      “I’ve had this error with recent version of easy-rsa (2.2.0 works). These differ from older versions in that the following lines are included in easy-rsa/2.0/vars:
      export KEY_CN=changeme
      export KEY_NAME=changeme
      export KEY_OU=changeme
      export PKCS11_MODULE_PATH=changeme
      export PKCS11_PIN=1234
      Commenting these lines out leads to the old behavior, which allows you to create keys correctly with a unique CN.”

      To comment them out, edit them and insert a # at the beginning of the line.

      • Thanks for the prompt reply Joe, I’m sorry I don’t follow what I need to do though, as I say this is a whole new world still to me. So I need to edit those lines out from my current config? and I’ll find them in easy-rsa/2.0/vars?

        I think I need to seriously brush up on my use of the unix command line! as I say I’m very new it. apologies.

      • Yeah…so if are in the directory with the vars script and you do this as root:

        vi vars

        scroll down until you see export KEY_CN line. type “i” at the beginning of the line then #. Then hit esc. Do that for each of the lines in my previous comment. Then type :wq return
        No promise it will help/work.

  45. Thanks for this cool tuto !
    After spending some hours on it, it was perfectly working.
    Then I rebooted my nas.
    service openvpn start
    /usr/local/etc/rc.d/openvpn: WARNING: /mnt/PATH/openpvn/openvpn.conf is not readable.
    It looks like a read permissions error. I ‘ll take a look tomorrow. And setting up the firewall.
    Thanks again !

  46. My internet provider can’t (or don’t want to) gave me a static ip, and I don’t want to use an external service like dyndns, so I made a script to keep access to my FreeNas after a DHCP renew. This script is launched every hours by a crontable (easy to do with the web interface), and saved in my /mnt/PATH/hacks folder.

    It email me the new external ip if this one have changed.
    Then if I want to use the vpn with the client, I just have to check my mails and keep the last mail named “new ip”. And finally editing the remote field in the client config .

    —————————————–
    #!/bin/bash

    #oldip is a file in the hacks folder that only contain the last known external ip
    OLD_IP=$(egrep -o ‘([0-9]{1,3}\.){3}[0-9]{1,3}’ /mnt/PATH/hacks/oldip )

    #give the external ip
    NEW_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)

    #check if they are the same
    if [ “$OLD_IP” = “$NEW_IP” ]

    #if they are, there is nothing more to do
    then exit

    else

    #replace the old ip by the new one in my firewall’s rules, and reload the rules
    #you don’t need these two lines if you don’t have a firewall
    sed -i ” -e ‘s/'”$OLD_IP”‘/'”$NEW_IP”‘/g’ /mnt/PATH/hacks/pf.conf
    pfctl -F all -f /mnt/PATH/hacks/pf.conf

    #write the new ip instead of the old one in the oldip file
    #it also email me this ip with the mail subject “new ip”
    echo “$NEW_IP” > /mnt/PATH/hacks/oldip && echo “$NEW_IP” | mail -s “new ip” USER
    fi
    exit
    —————————————–

    USER is a freenas user who have a mail defined. (easy to do in the web interface).
    I would add an OpenPGP encryption to the ip before emailing it. Be paranoid ! (https://www.gnupg.org)

    I hope it may be useful.

  47. I’m totally stuck, following the guide and using the amended order for the easy-rsa process above has gotten me further than previously but when trying to generate the server and dh keys I get an “unable to write ‘random state'” error. Can anyone suggest how I fix this?

      • I am logged in as root, but it definitely was a permissions issue, did an ‘su’ before trying again and it worked. Also, if it helps anyone else, I also ran into an issue with the index.txt file that was a result of having the same Common Name in each cert/key changed a line in vars to allow non-unique CNs which got me past that. Still can’t get OpenVPN to start though, still not figured that part out.

  48. Hi there,

    I always getting the following error at “./build-key-server server”:

    Using configuration from /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/openssl.cnf
    /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt: No such file or directory
    unable to open ‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt’
    6489:error:02001002:system library:fopen:No such file or directory:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen(‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt’,’r’)
    6489:error:20074002:BIO routines:FILE_CTRL:system lib:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:

    after creating empty index.txt and serial file in keys-directory still receiving an error:

    Using configuration from /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/openssl.cnf
    /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/serial: No such file or directory
    error while loading serial number
    6950:error:02001002:system library:fopen:No such file or directory:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen(‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/serial’,’r’)
    6950:error:20074002:BIO routines:FILE_CTRL:system lib:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:

    did anybody had the same troubles and now how to fix it?

    thanks for your help & kind regards,
    mfg82

  49. Great BLOG Guide!!!

    Question, how can I modify OpenVPN to allow access to the entire my home network?
    At the moment I can only access main FreeNAS server LAN ip address.
    It would be nice if I could login and access my whole network.

      • I just managed to get perlguy9 suggestion to work.
        I had to add ” gateway_enable=”YES” ” to the “rc.conf” file.
        Edit both “/etc/rc.conf” and “/conf/base/etc/rc.conf”

        Just to recap below are the commands I used.
        BTW, I use nano instead vi as an text editor.

        —–edit /etc/rc.conf and add gateway_enable=”YES” to the bottom
        nano /etc/rc.conf
        —–edit /conf/base/etc/rc.conf and add gateway_enable=”YES” to the bottom
        nano /conf/base/etc/rc.conf
        —–find the name of your ethernet interface mine was bge0
        ifconfig
        —–add rules to the ip firewall and test OpenVPN
        ipfw nat 1 config if bge0
        ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
        ipfw add nat 1 all from any to any in via bge0

        I’m out of my depth after this.
        As I have reissue the ipfw commands everytime I reboot.
        But hell it works.

        I review the firewall info next…

      • In order to load the firewall settings on reboot, I had to do the following:

        create /conf/base/etc/rc.local: (make sure to chmod for execute)
        #/bin/sh
        ipfw -f flush
        ipfw nat 1 config if re0 #<– whatever your adapter is
        ipfw add nat 1 all from 10.8.0.0/24 to any out via re0
        ipfw add nat 1 all from any to any in via re0

        edit /conf/base/etc/rc.conf.local:
        . /etc/rc.local

        I read online that FreeNAS should load rc.local on load, but it doesn't appear to. So I just called it from rc.conf.local instead and it worked fine.

      • I’d think about putting that into an init script in the GUI so it doesn’t get blown away on OS upgrade. This is all very cool stuff though and I’m super grateful that you both are sharing!!! So cool!

      • Good idea, I threw my script in the openvpn folder.

        I’m really new to FreeNAS (installed < a month ago), but can Google with the best of them. Still a huge thanks for the tutorial to get up and running. It's the best thing I found on the subject.

        I'm just glad I have a private tunnel to stream my movies. I'm pretty sure deep packet inspection was limiting my possibilities. The VPN pretty much proved that.

    • Thanks Joe and syko82 !

      I’m a bit of a FreeBSD noob and tried doing a PostInit .sh script with no luck.
      Instead I added the those three ipfw commands as a PostInit commands.
      Reboot FreeNAS+OpenVPN and done the IP Firewall rules stuck!

  50. Pingback: How to setup a VPN server in a FreeNAS jail | thealarmclocksixam

  51. I’ve added a couple more lines to my to my “openvpn.conf” file.

    push “dhcp-option DOMAIN localdomain.net” # <— your Freenas LAN domain
    push "dhcp-option DNS 192.168.1.254" # <— your Freenas DNS server

    This will allow DNS resolution of your the systems within the OpenVPN connection.
    This will not change the default domain context however, for example.
    Instead of typing "ping freenas" you must add the domain to the end, "ping freenas.localdomain.net".

  52. My brother recommended I would possibly like this web site.
    He was once totally right. This post actually made my day.
    You can not believe just how so much time I had spent for this info!
    Thanks!

  53. So I am trying to do this the other way around, have a freenas box be a openvpn client and route all it’s traffic over the vpn. (This is an offsite target for zfs replication of the primary box which is on the vpns network.) Seems like it should be simple to stick the openvpn conf file somewhere and have it start up as a client?

  54. First of all, thank you Joe for this amazing article! After some fiddling I got this running on my box and it works perfectly.
    I have a question I was hoping you could help me with. I’m not a 100% on what the different parts of the openvpn.conf does. As it sits now, the vpn gives me access to the internal network at home with several clients, but I’m wondering if its possible to add a client that is not allowed to see the internal network, only the internet through my router (my external ip)?
    My goal is to let my sister who lives abroad be able to get a norwegian ip through my vpn without giving her access to my box. Can this be done on the client (her) side config or will i have to do changes in the openvpn.conf and all my clients?

  55. Dear Joe,

    I am working with Windows 7 as my client PC and I have 3 questions(I am very new to servers and SSH, so please bear with me):

    1. From step 7 (On my system, the place I want the certs and keys is…..) until step 2 (last step) of the Server Configuration file section (Delete openvpn.tar):
    From where would these steps be performed? SSH (putty) or from somewhwere else?

    2. In step 7 (On my system, the place I want the certs and keys is…..) how did you pick the location /mntFiles/openvpn/keys/ where you wanted to place the certificate and key? On my data drive, I have created a volume /mnt/Data as part of setting up FreeNAS, but I have not created /mnt/Files.
    If I choose to, could I still use the same location that is included in your guide (/mntFiles/openvpn/keys/)?

    3. In the last step (Client set up), you indicated that the ca, key and cert lines had to be changed to a path where the files will live on the client. My client is Windows 7 so would something such as C:\Users\Username\Downloads work for this on Windows?

    • Hi THomas- Thanks for stopping and reading my blog. I’ll do my best to help you out.

      1) You can ssh in to the FreeNas box using putty, or open the terminal from the FreeNas Web GUI. I prefer ssh, but either works.

      2) You can pick any location you want on your data drives. So for you, anywhere within /mnt/Data is fine. To use /mnt/Files you would need to create that dataset, which there is no reason to do. Just change my examples to match your current data structure.

      3) If you install the Windows OpenVPN client first, it will create the folder structure for you. Sorry, but I’m a Mac user, so I don’t really know that folder structure. You can force it to use whatever location you want though, so totally your choice. Just make sure your client config points to the location you pick for the CA, Key and Cert.

      Best of luck. Let me know if there is anything else I can help with.

      • Hi Thomas!
        Since Joe doesn’t use Windows I can chime in with how I did it client side. I use the OpenVPN GUI client and put the config, key and certs in the “config” folder inside the the folder I installed the gui in. In the client side config file I used relative paths to make things easier. By keeping all the files in the same folder I get away with just “filename.crt” etc for paths. I used this with success on windows, mac and android.

  56. Joe,
    A question about security with the port-forwarding approach: With the setting up of a VPN connection, port forwarding is required on the router involved.

    As per this: http://www.computerhope.com/issues/ch001201.htm, is there some way to secure the open port on the router? I mean if a software (Operating system) firewall is installed, does that offer the required protection on its own?

    • Hi Thomas-

      First off, I’m not a security expert, so please consider my opinion as just that. Do your own research in addition to what I have to say.

      Yes, in order for the VPN to work, there needs to be an open port. That’s true if the router is the end point of the VPN or if you are forwarding it on to a machine on the LAN (your case with FreeNAS). From a security standpoint, you need to consider if the service running on that particular port is secure or not. Does the version of OpenVPN, in this case, have any known vulnerabilities? I don’t know the answer to that. Does the risk of any potential vulnerability outweigh the benefit of having the VPN service running? That will be determined by your own risk comfort level.

      Can you make things more secure while running OpenVPN? That depends. In general, my belief is that as security increases, usability tends to decrease. So, with a firewall rule (either hardware or software), you could limit access to the VPN port to only one IP address (Your IP at work maybe). That would be much more secure that allowing the entire world access to the port. However, what if you want access at more than just work? Then you need to allow more and more IP’s through. Again, this will depend on your own risk/reward tolerance.

      To specifically answer your question about software firewalls, you would need a properly written ruleset. One option for that would be to block all traffic, then open traffic only for the ports you want (1194 for default OpenVPN). Along with that, as I said above, you could limit that access to only certain IP’s.

      Long story short, if you can configure your router to only allow traffic on port 1194 for a IP range you deem acceptable, that is the best practical option. Software firewalls on FreeNAS are a bit difficult…as OS upgrades tend to wipe them out and in general they are more difficult to get right than a “hardware” based option.

      I hope all this is somewhat helpful.

      • Joe, thank you for the reply. It was very informative.

        When you say:

        “So, with a firewall rule (either hardware or software), you could limit access to the VPN port to only one IP address (Your IP at work maybe).”

        What specifically does this mean? Your other entry (https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/) talks about general firewall rules – does that entry cover this particular single IP situation? The main FreeNAS 9.3 docs (http://doc.freenas.org/9.3/) don’t offer anything on firewall or security, which is really disappointing.

      • Just heading to bed. FreeNAS will never offer security advise. Look at FreeBSD for info on pf or ipfw. In general…from my bad memory…you’d want to change a rule that reads: from any to any yadda yadda
        To:
        From x.x.x.x(your office ip or a range) to any yadda yadda

  57. Ive followed all the steps and for some reason I get an error starting. I turned logging up to 6 and this is what I see. I double and triple checked all configs and they match everything you have above. Any ideas?

    Mar 9 11:01:05 freenas openvpn[2636]: OpenVPN 2.3.6 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jan 7 2015
    Mar 9 11:01:05 freenas openvpn[2636]: library versions: OpenSSL 0.9.8zc-freebsd 15 Oct 2014, LZO 2.08
    Mar 9 11:01:05 freenas openvpn[2636]: Diffie-Hellman initialized with 1024 bit key
    Mar 9 11:01:05 freenas openvpn[2636]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 9 11:01:05 freenas openvpn[2636]: Socket Buffers: R=[42080->65536] S=[9216->65536]
    Mar 9 11:01:05 freenas openvpn[2636]: ROUTE_GATEWAY 192.168.1.1
    Mar 9 11:01:05 freenas openvpn[2636]: TUN/TAP device /dev/tun0 opened
    Mar 9 11:01:05 freenas openvpn[2636]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Mar 9 11:01:05 freenas openvpn[2636]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
    Mar 9 11:01:05 freenas openvpn[2636]: FreeBSD ifconfig failed: external program exited with error status: 1
    Mar 9 11:01:05 freenas openvpn[2636]: Exiting due to fatal error
    Mar 9 11:01:05 freenas ayeso: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
    Mar 9 11:01:05 freenas kernel: tun0: link state changed to UP
    Mar 9 11:01:05 freenas kernel: tun0: link state changed to UP
    Mar 9 11:01:05 freenas kernel: tun0: link state changed to DOWN
    Mar 9 11:01:05 freenas kernel: tun0: link state changed to DOWN

    • Nothing jumping out at me. Can you send me your server config? You can email it using the contact form if you don’t want to post it. Also, what version of FreeNAS? Last thing, anything related to this in /var/log/messages?

      • Hey! Thanks for the reply. Those messages above are from the /var/log/messages. I first tried it in a jail and it didnt work, figured it was something screwy with the jail but I get the same outside the jail. Im running FreeNAS-9.3-STABLE-201501090144

        The actual error outside the logs is

        Starting openvpn.
        ifconfig: interface tun0 does not exist
        /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn

        config is super simple, I just modified your example.

        local 192.168.1.59
        port 1194
        proto udp
        dev tun
        ca /mnt/data_mirrored/DOS/openvpn/keys/ca.crt
        cert /mnt/data_mirrored/DOS/openvpn/keys/server.crt
        key /mnt/data_mirrored/DOS/openvpn/keys/server.key
        dh /mnt/data_mirrored/DOS/openvpn/keys/dh1024.pem
        server 10.8.0.0 255.255.255.0
        ifconfig-pool-persist ipp.txt
        #change x.x.x.x to match your network ip range
        #ie 192.168.0.0 or 10.0.0.0
        push “route 192.168.1.1 255.255.255.0”
        #replace x.x.x.x with freenas ip
        route 192.168.1.59 255.255.255.0 10.8.0.1
        keepalive 10 120
        comp-lzo
        persist-key
        persist-tun
        verb 6

      • Huh, that all looks right. Are you trying to start it as root? Can you send me the output from ifconfig? Maybe X out the external IP if the FreeNas box has one.

  58. Hi Joe, I’m looking to secure my 9.3 installation of FreeNAS using your guide but I’m a bit confused as to where to install it. I have Transmission running inside a Jail so do I need to insatll OpenVPN inside the Jail in order for Transmission to use the VPN or does installing OpenVPN globally on the box and enabling the VPN force everything to use that VPN?

    • Not exactly sure about that. It sounds like you’d probably want to install it globally as you say and then create some custom firewall rules to direct the traffic to and from your jail over the VPN.

      I’m not going to be much help with any of that sadly.

  59. Hey want list an issue I’m running into and want give more visibility to the FreeNAS/OpenVPN community at large.
    https://forums.freenas.org/index.php?threads/openvpn-cannot-access-freenas-jails.34647/#post-207993

    To Summerize the problem I’m encountering.
    While connected to my OpenVPN session on the FreeNAS server I cannot access any of the hosted FreeNAS plugins/Jails 192.168.1.50,51,52 & 53 .
    I can however access my LAN of 192.168.1.x/24.

    Thank you for any input you can lend to this topic!

    -Ethan

    • Hi Ethan- I looked at your Openvpn.conf file. It looks to me that the problem is you do not have routes set up for the jails. In theory, the push command should do that, but it doesn’t. Add a “route 192.168.1.x 255.255.255.0 10.8.1.1” for each jail, then restart openvpn and see if that helps. If that doesn’t help, the next thing I’d look at is your ipfw ruleset. Try it without ipfw enabled. Hope that helps.

  60. Hi,
    Thank you for this how to.
    COuld you please tell me if this should still be working on FreeNAS 9.3-RELEASE?
    When I typed . ./vars, get the message

    source: not found

    Can you help please?

  61. Hi,
    Thank you for this great How to.
    It work like a charme.
    Could you please tell me if it is possbible to use openvpn-auth-pam with your setup?

    Thank you

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s