Back in July of 2012 I posted a write up on how to get OpenVPN running on FreeNas 8.2. That write up was really just notes to myself and I never really thought it would get much attention. Over the last year, it has seen enough traffic that I thought it deserved a re-write to try and make it easier to follow. So, here goes.
As always, if you find this super useful, I wouldn’t turn down paypal donations.
If you are going to do this on your FreeNAS box, please also check out my guide on getting hacks to FreeNAS to survive system upgrades.
Dynamic DNS
If you don’t have a static ip address, lets start by setting up a Dynamic DNS entry. There are several service providers that offer free dynamicDNS service…currently FreeNas supports: dyndns.org, freedns.afraid.org, zoneedit.com, no-ip.com, easydns.com and 3322.org. So, pick one, set up an account, configure your FreeNas gui to use it in the services panel and then come back.
Port Forwarding on your Router
Next you’ll need to forward UDP port 1194 on your router to your FreeNAS box. You’ll need to do a little google searching if you don’t know how to do that on your specific router. Generally it involves logging into the web interface on the router, going to the advanced section and looking for something that sounds like port forwarding.
OpenVPN
Server Certificates – OpenSSL
You can configure OpenVPN for password authorization, but I really don’t like that method. So I’ll tell you how to set it up with certificate authorization. Easy-RSA is included in FreeNas 9.1 and later. You can find it here: /usr/local/share/easy-rsa . If you don’t want to download my sample files or if you don’t trust me, then you should skip step 2 below and use the Easy-RSA files at /usr/local/share/easy-rsa and then also create your config files from scratch.
So, lets get started.
1. Mount the filesystem so we can make some changes.
su enter your root password mount -uw /
2. Now, download my openvpn.tar into the root of your data drive, so for me /mnt/Files.
cd /mnt/Files wget --no-check-certificate https://www.dropbox.com/s/14h2j1zslozotx8/openvpn.tar tar -xvf openvpn.tar cd openvpn
3. Now we need to create our CA.cert
chmod -R 755 easy-rsa/2.0/* cd easy-rsa/2.0 sh . ./vars ./clean-all ./build-ca
Your output from ./build-ca should look like this. Answer the questions with the appropriate answers.
Generating a 1024 bit RSA private key
...++++++....................................++++++writing new private key to'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter'.', the field will be left blank.-----Country Name (2 letter code) [BG]:State or Province Name (full name) [Sofia]:Locality Name (eg, city) [Sofia]:Organization Name (eg, company) [example.org]:Organizational Unit Name (eg, section) [ ]:Common Name (eg, your name or your server'shostname) [openvpn.example.org CA]:openvpn.example.orgName [ ]:daemonEmail Address [admin@example.org]:
4. Now, we want to create a server key.
./build-key-server serverYour output from ./build-key-server should look like this. Answer the questions with the appropriate answers.
Generating a 1024 bit RSA private key
.......++++++..........................................++++++writing new private key to 'server.key'-----You are about to be asked to enter information that will be incorporated into your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [US]:State or Province Name (full name) [MN]:Locality Name (eg, city) [Coon Rapids]:Organization Name (eg, company) [ ]:Organizational Unit Name (eg, section) [ ]:Common Name (eg, your name or your server's hostname) [server]:Name [ ]:Email Address [me@myhost.mydomain]:Please enter the following 'extra' attributes to be sent with your certificate requestA challenge password [ ]:An optional company name [ ]:Using configuration from /mnt/Files/openvpn/easy-rsa/2.0/openssl.cnfCheck that the request matches the signatureSignature ok The Subject's Distinguished Name is as followscountryName : PRINTABLE:'US'stateOrProvinceName : PRINTABLE:'MN'localityName : PRINTABLE:'Coon Rapids'organizationName : PRINTABLE:''commonName : PRINTABLE:'server'emailAddress : IA5STRING:'me@myhost.mydomain'Certificate is to be certified until Sep 20 18:43:20 2023 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated
5. Now let’s create the Diffie-Hellman parameters:
./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
………………………………………………………………………………+………………………………………………………………………….+…………………………………………………………………………………………++*++*++*
6. Now we might as well generate a client key.
./build-key joe.paetzel
Your output should look like this:
Generating a 1024 bit RSA private key
……………………………..++++++………++++++
writing new private key to ‘joe.paetzel.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [US]:
State or Province Name (full name) [MN]:
Locality Name (eg, city) [Coon Rapids]:
Organization Name (eg, company) [ ]:
Organizational Unit Name (eg, section) [ ]:
Common Name (eg, your name or your server’s hostname) [joe.paetzel]:
Name [ ]:
Email Address [me@myhost.mydomain]:Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password [ ]:
An optional company name [ ]:
Using configuration from /mnt/Files/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName : PRINTABLE:’US’
stateOrProvinceName : PRINTABLE:’MN’
localityName : PRINTABLE:’Coon Rapids’
organizationName : PRINTABLE:”
commonName : PRINTABLE:’joe.paetzel’
emailAddress : IA5STRING:’me@myhost.mydomain’
Certificate is to be certified until Sep 20 19:03:19 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Now we can get out of the sh shell and move the keys and certificates into their place.
exit cp -R keys ../../
On my system, the place I want the certs and keys is /mnt/Files/openvpn/keys , I’m using shorthand above to backout two directories and place the keys folder there. So, the long hand version would be:
cp -R /mnt/Files/openvpn/easy-rsa/2.0/keys /mnt/Files/openvpn/
The reason we want the keys and config file on the data drive instead of the OS drive is FreeNas upgrades will wipe out our OpenVPN setup if we have everything installed on the OS drive.
Server Configuration File
1. Next we can create the openvpn.conf config file and edit it for our specific setup. If you didn’t download the openvpn.tar file from me, then you will need to create a openvpn.conf file from scratch. If you did download the openvpn.tar file, I’ve included a couple of Bare Bones sample configs.
cp BareBones_Server.conf.sample openvpn.conf chmod 440 openvpn.conf vi openvpn.conf
Side note, vi has lots of commands, we just need to know a few:
x will delete the character your cursor is over, i will insert, esc will exit insert mode and to save and quit we use :wq
You should get this on your screen:
# Sample OpenVPN 2.0 config file for
# multi-client server.#replace x.x.x.x with freenas ip
local x.x.x.x
port 1194
proto udp
dev tun
topology subnet
#change the paths and filenames below to match what you did
ca /mnt/Files/openvpn/keys/ca.crt
cert /mnt/Files/openvpn/keys/server.crt
key /mnt/Files/openvpn/keys/server.key
dh /mnt/Files/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push “route x.x.x.x 255.255.255.0”
#replace x.x.x.x with freenas ip
route x.x.x.x 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
We need to make a few changes to match our specific needs.
Change local x.x.x.x to the ip of your FreeNas box:
local 192.168.0.121
Check that your certs and keys match the lines here:
ca /mnt/Files/openvpn/keys/ca.crt
cert /mnt/Files/openvpn/keys/server.crt
key /mnt/Files/openvpn/keys/server.key
dh /mnt/Files/openvpn/keys/dh1024.pem
Change push “route x.x.x.x 255.255.255.0” to match your network setup:
push “route 192.168.0.0 255.255.255.0”
Change route x.x.x.x 255.255.255.0 10.8.0.1 to have the ip of your FreeNas box:
route 192.168.0.121 255.255.255.0 10.8.0.1
hit the ESC key, then type :wq to save and quit out of vi.
2. Now lets add a few things to rc.conf so we can start openvpn.
vi /etc/rc.conf
Add the following lines making sure that the openvpn_configfile is pointing to your config file location:
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
openvpn_dir=”/mnt/Files/openvpn”
We also need to make these same changes to /conf/base/etc/rc.conf so they survive a restart.
vi /conf/base/etc/rc.conf
Again, add the following:
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
openvpn_dir=”/mnt/Files/openvpn”
Cross Your Fingers and Fire It Up
1. Now we should be able to start the OpenVPN server.
service openvpn start
You should get something like this:
Starting openvpn.
route: writing to routing socket: File exists
add net 192.168.0.121: gateway 10.8.0.1: route already in table
add net 10.8.0.0: gateway 10.8.0.2
Clean Up
1. Make the filesystem read only again:
mount -ur /
2. Delete openvpn.tar
rm /mnt/Files/openvpn.tar
Set Up Your Client
1. Copy your client key(s), client crt(s) and ca.crt to the client computer you will be using to connect to the server. There are a bunch of ways you could do this, I just copied them to a shared folder on my FreeNas box and moved them from there onto my client computer.
2. Create a client config file. I’ve included a sample Bare Bones config for you to modify in the openvpn.tar file. It will look something like this:
# Sample client-side OpenVPN 2.0 config file #
client
dev tun
proto udp
#change remote to your static ip
#or domain name for your freenas server
remote something.dyndns.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /Path/to/Some-ca.crt
cert /Path/to/laptop.crt
key /Path/to/laptop.key
ns-cert-type server
comp-lzo
You need to change the line remote something.dyndns.org 1194 to either your public static ip of your router or a dynamic or static domain name. You also need to change the ca, cert and key lines to the path of where those files will live on the client.
On OS X using Tunnelblick as the client application those paths will look something like this:
ca /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/ca.crt
cert /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/joe.paetzel.crt
key /Users/joe/Library/Application\ Support/Tunnelblick/Configurations/joe.paetzel.key
Wrapping It Up
With all of that, you should be good to go. I’ve tried to be as clear and accurate as possible. I hope you all enjoy the rewrite.
Also, check out my writeup on setting up a firewall on FreeNAS. It will help you get routing working properly so you can reach all the devices on your LAN over the VPN. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/
Also, if you want to add an additional layer of security, check out my guide on getting OpenVPN working with Google Authenticator.
As always, donations are welcome via paypal.
The Joe Paetzel Method 
Pingback: OpenVPN on FreeNAS 8.2 | The Joe Paetzel Method
Pingback: To re-Write or not? | The Joe Paetzel Method
Hi Joe,
I’m still using my keys made in the FreeNAS 8.2 guide. But I wanted to let you know this looks like a very good guide again.
Cheers!
Thanks Dimitri. I appreciate the feedback.
FYI, Easy-RSA is in;
/usr/local/share/easy-rsa
on my FreeNAS 9.1.1
Thanks. I’ll add that to the write up
I can’t seem to figure this out…when you create the certs. you have sh and then enter those commands ./vars and ./clean-all and ./build-ca which asks me to source ./vars. What is argument source in reference to a path directory? I know i have to edit that as well. I did make the directory keys in the /mnt/Open/openvpn/easy-ras/2.0/keys, is that correct?
Try switching to sh.
Then run ./clean-all
then . ./vars
then ./build-ca
I got the exact same and very confusing message. The problem was that the keys directory was missing. I created it manually and every thing worked fine after that.
i had my openvpn installed in my /mnt/ZFS/ with openvpn.conf setup with correct path and rc.conf with correct path too. but i have no idea why when i run the command “service openvpn start” it always link to other path and having error msg “no such file and directory”
i am using Freenas-9.1.1 now.
Can you give me the lines you added to rc.conf Also, what are the permissions on your config file?
How do you check or change permissions on your config file?
Add:
openvpn_configfile=”/mnt/Files/openvpn”
to the rc.conf file and it should work, there’s a comment in the openvpn init script that says:
# You also need to set NAME_configfile and NAME_dir, if the configuration
# file and directory where keys and certificates reside differ from the above
# settings.
hi, I followed all the instructions but when i try to start the service i get the same error…
Does anybody knows why?
tnx
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/ZFS/openvpn/openvpn.conf”
and my conf file permission is -r–r
Are you trying to run OpenVPN inside a jail? I’m assuming /mnt/ZFS/openvpn is readable. Can you give me the relevant lines from /var/logs/messages after you try starting OpenVPN?
it seem working now after i just modified /conf/base/etc/rc.conf with below string again and reboot my server.
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/ZFS/openvpn/openvpn.conf”
Thanks you so much for quick response.
Glad you got it working. 🙂
one question, i try to use openvpn client for windows to connect to my nas, but its always time out. May i know what i missed? and it ask for username and password every time i press connect but i do not know what is the username and password. I do download all the file needed for cert setup but there are no option to setup cert into windows client.
You need to edit the client config to have the path to your user.key, user.crt and ca.crt
for windows should i add the path as D:\cert\ca.crt ? and the following only for to my user crt?
Hi. Admittedly I am not a windows guy any longer. Please take a look at this guide as it has a more windows centric approach. https://community.openvpn.net/openvpn/wiki/Easy_Windows_Guide#ClientConfigFiles
This section looks like it answers your question.
and then this section
I keep getting this error when trying to start openvpn. I am noob to this so any help would be great.
cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)
Looks like you might have specified /usr/local/etc/openvpn for something in rc.conf but you didn’t create that directory. Did you use the settings from the write-up for rc.conf?
I did, but I went to that location and mkdir openvpn, I dont know if that was the correct way to handle it, but it didnt give the error anymore
I changed some lines in /usr/local/etc/rc.d/openvpn from:
eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
to:
eval “: \${${name}_configfile:=\”/mnt/Familly/openvpn/${name}.conf\”}”
eval “: \${${name}_dir:=\”/mnt/Familly/openvpn\”}”
where Familly is my dataset and openvpn is the folder where reside openvpn.conf.
hope had helped someone!
I had the same issue as well. Only when I updated the paths in /usr/local/etc/rc.d/openvpn was I able to start the service.
I have no idea what this is about at all. What is the objective and what does it do?
So FreeNas is a free fileserver operating system. OpenVPN is a free Virtual Private Network software package. This is a tutorial on how to get OpenVPN working on FreeNas so you can access your files remotely and securely.
Ah ha! I figured out what FreeNas was, and why it required its own box, but the VPN part was beyond me. Is there a way to do this using HPPS?
Do you mean https? Not sure what HPPS is…wikipedia says it is referring to Harry Potter.
If you do mean https, then yes and no. I think I have a post about Ajaxplorer, which is a web based file sharing / access application. http://ajaxplorer.info/
You can set that up on a computer and access your files over https.
Strictly speaking, OpenVPN is it’s own thing even though is uses the same SSL technology that https does…it is not the same.
How would i implement this to connect to a third party VPN service like PIA or Hidemyarse? Which part would i change?
First off you will need to get the config info from the provider. Besides that, you’ll need to use a client config on the Nas box instead of a server config.
Is there any guides or write ups to help with setting up a client config? I bet there are a lot of peeps looking to safely connect to a VPN service? Thanks great guide!
Well, none that I know of except by each individual provider. What specifically are you looking to do?
I’m not sure about the guy below me, but I am trying to set up my FreeNAS box to connect to a third party VPN so that my torrenting is encrypted. How would I do this?
You need to set it up as a VPN client. What is the third party provider you are using?
Private internet access
Hi there-
I’ll probably do a write up on this some day.
For now, download this file from Private Internet Access and use the appropriate client config instead of the server.conf file that is in my tutorial.
https://www.privateinternetaccess.com/openvpn/openvpn.zip
Would I also use PIA’s ca.crt?
Yes
So I think it worked ask me for username and password and i entered them. Question I used this cmd “/usr/local/etc/rc.d/openvpn status” and it said I, openvpn is running as pid and some numbers. Do you think it worked?
Yes…it is running.
I’ve managed to get PIA up and running thanks to the excellent write up and this additional info here, I’ve one question…how do I prove I’m encrypted / location masked etc??
Seems like you’d just want to check your external facing IP. Not really sure about your setup though. Try doing a google search for what’s my IP and it will give you the external IP.
So what I’m trying to achieve is to connect Freenas to https://www.privateinternetaccess.com which is my VPN service provider. Following this info “For now, download this file from Private Internet Access and use the appropriate client config instead of the server.conf file that is in my tutorial.” I’ve set up one of the .opvn files as my openvpn.conf file, replaced ca.crt with the one from the download as per anonymous, I was asked for username and password, does that mean my freenas box is connected to PIA??
Hi,
Thanks a lot for the guide. I was tearing my hair out trying to figure this out before.
I’ve followed the instructions here and I’m running into a problem: When I try to start the openvpn service I get a failed to start error on SSH, and my server’s console says “In [CMD-LINE]:1: Error opening configuration file: /mnt/grid/openvpn/openvpn.conf”
Where grid is obviously the name of my ZFS volume. Any idea what could be causing it not to open?
Try this…make the directory /usr/local/etc/openvpn
If that works, then
mount -rw /
mkdir /conf/base/etc/local/openvpn
mount -uw /
Nope, same thing. Error opening configuration file, but this time the path is “usr/local/etc/openvpn/”. I can’t imagine why it wouldn’t be able to open the config file.
Thanks for replying so quickly by the way, really appreciate the extra help.
This is what Luis did to resolve something similar.
Tried that too. Same error message. I gotta wonder how stuff like this happens. It’s all the same files and procedure, and the only thing that’s different are the names of the datasets right? Despite that, it seems like FreeNAS is fighting me every step of the way.
I guess I’ll cut my losses and try to get the other parts of my server running. Thanks for your help Joe.
Did you try putting everything in /use/local/etc/openvpn ?
hi all,
you need to modify the file “/conf/base/etc/local/rc.d/openvpn” to make the changes in “/usr/local/etc/rc.d/openvpn” permanent.
now my the part which is leading to the openvpn dir and to the config file looks like this:
# eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
eval “: \${${name}_configfile:=\”/path/to/openvpn/${name}.conf\”}”
# eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
eval “: \${${name}_dir:=\”/path/to/openvpn\”}”
and add these 3 lines, as mentioned above to the 2 files “/conf/base/etc/rc.conf” and “/etc/rc.conf”
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/path/to/openvpn/openvpn.conf”
after a reboot, you can check with “service openvpn status” that openvpn is really running 🙂
sry for the typo:
you need to modify “/conf/base/etc/local/rc.d/openvpn” to make changes permanent in “/usr/local/etc/rc.d/openvpn”.
I tweaked the original comment. I’ll go through and update the article with this info at some point. Thanks for the great tip!
Joe,
I have followed your guide successfully but I am having one problem. My openvpn server is behind my router and I cannot seem to get my vpn to tunnel all my traffic. I cannot access any other computers on the LAN through the VPN. I can access the VPN server itself. I have found guides that point to iptables and changing firewall rules but I don’t believe that applies in this case. Do you have any advice?
Hi Javier-
I have this same problem. It hasn’t risen to the top of the pile yet. If you can connect to your VPN Server, then it is not a firewall issue. What is most likely going on is a routing problem. The real fix is going to involve getting the VPN Server to successfully push the correct routing for the local network across the tunnel.
A hack fix would be a create a virtual interface on the machine(s) inside the network you are trying to reach and give it a 10.8.0.x ip. Then from the remote computer, try to connect to it using the 10.8.0.x ip instead of the remote lan ip.
The other more complicated fix would be to use your VPN server as the gateway for your network. I don’t think we really want to get into that though.
Joe,
Sounds good. Is this also why, if I route all traffic through the VPN, I cannot get out to access any website either? Is there a way to push the DNS settings successfully? This is my other problem. At this point the only thing I can use the VPN server for is to access the Freenas box itself. I appreciate all the work you have put into this.
If there is anything I can do to test for you let me know. I would be willing to extend any help I can.
As I’ve said…not at the top of the pile. You can try this though.
push “dhcp-option DNS x.x.x.x”
First, thanks a lot for this guide. I am preparing to dive into this and at beginning I’m facing a problem. My greedy ISP wont give me any permissions to access router and configure port forwarding myself. They charge $20 for any change in port forwarding, for what I must write request so they can do it for me! I was rash and asked for opening ports 21 and 22, when I wanted to setup access from wan. Now I realize what a terrible mistake it was and expensive one! So not to make more hasty moves, I’ll better ask someone who have experience.
Should I change VPN listening port to 21 and how? Or tunnel it through SSH on 22?
Or is it smarter to pay again ISP to close 21 and 22 ports for security reasons, and open 1194?
Any advice will help. Thanks.
If I woke up in your place, I’d run OpenVPN on port 21. In each config, client and server, there are parameters for what port to use. Just change both of those from 1194 to 21. Best of luck.
Hey! Followed ur guide, everything went well until i tried to start it up. Whats wrong? Error :
[root@Server] /mnt/HDD/openvpn# service openvpn start
Starting openvpn.
Tue Nov 12 11:09:53 2013 cd to ‘/usr/local/etc/openvpn’ failed: No such file or
directory (errno=2)
Tue Nov 12 11:09:53 2013 Exiting due to fatal error
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
[root@Server] /mnt/HDD/openvpn#
For some reason it seems like it is not following the configfile config variable. Try this below…
[root@Server ~]# ls -la /mnt/HDD/openvpn
total 200
drwxrwxrwx 6 Foppa Foppa 16 Nov 12 10:13 .
drwxrwxrwx 13 Foppa Foppa 24 Nov 12 10:58 ..
-rwxrwxrwx 1 Foppa Foppa 6148 Jul 28 22:13 .DS_Store
-rwxrwxrwx 1 Foppa Foppa 82 Jul 28 22:13 ._.DS_Store
-rwxrwxrwx 1 Foppa Foppa 171 Jul 28 21:44 ._BareBones_Client.conf.sample
-rwxrwxrwx 1 Foppa Foppa 171 Jul 28 22:12 ._BareBones_Server.conf.sample
-rwxrwxrwx 1 Foppa Foppa 222 Jul 28 09:38 ._easy-rsa
-rwxrwxrwx 1 Foppa Foppa 222 Sep 28 2012 ._sample-config-files
-rwxrwxrwx 1 Foppa Foppa 222 Sep 28 2012 ._sample-scripts
-rwxrwxrwx 1 Foppa Foppa 339 Jul 28 21:44 BareBones_Client.conf.sample
-rwxrwxrwx 1 Foppa Foppa 583 Jul 28 22:12 BareBones_Server.conf.sample
drwxrwxrwx 4 Foppa Foppa 8 Jul 28 09:38 easy-rsa
drwxrwxrwx 2 Foppa Foppa 19 Nov 12 09:43 keys
-rwxrwxrwx 1 Foppa Foppa 592 Nov 12 11:09 openvpn.conf
drwxrwxrwx 2 Foppa Foppa 34 Sep 28 2012 sample-config-files
drwxrwxrwx 2 Foppa Foppa 16 Sep 28 2012 sample-scripts
[root@Server ~]#
——————————
[root@Server ~]# ls -la /mnt/HDD
total 976
drwxrwxrwx 13 Foppa Foppa 24 Nov 12 10:58 .
drwxr-xr-x 4 root wheel 512 Nov 12 11:57 ..
drwxrwxrwx 2 Foppa Foppa 6 Nov 12 11:55 .AppleDB
drwxrwxrwx 2 Foppa Foppa 3 Nov 5 09:06 .AppleDesktop
drwxrwxrwx 2 Foppa Foppa 14 Nov 12 09:25 .AppleDouble
-rwxrwxrwx 1 Foppa Foppa 21508 Nov 12 11:43 .DS_Store
drwxrwxrwx 4 Foppa Foppa 4 Nov 12 09:58 .TemporaryItems
-rwxrwxrwx 1 Foppa Foppa 222 Jul 28 22:12 ._openvpn
-rwxrwxrwx 1 Foppa Foppa 898 Nov 5 13:21 .cshrc
-rwxrwxrwx 1 Foppa Foppa 186 Nov 5 13:21 .login
-rwxrwxrwx 1 Foppa Foppa 91 Nov 5 13:21 .login_conf
-rwxrwxrwx 1 Foppa Foppa 301 Nov 5 13:21 .mail_aliases
-rwxrwxrwx 1 Foppa Foppa 267 Nov 5 13:21 .mailrc
-rwxrwxrwx 1 Foppa Foppa 680 Nov 5 13:21 .profile
-rwxrwxrwx 1 Foppa Foppa 212 Nov 5 13:21 .rhosts
-rwxrwxrwx 1 Foppa Foppa 909 Nov 5 13:21 .shrc
drwxrwxrwx 42 Foppa Foppa 47 Nov 12 03:19 Film
drwxrwxrwx 3 Foppa Foppa 3 Nov 5 09:06 Network Trash Folder
drwxrwxrwx 7 Foppa Foppa 7 Nov 11 14:14 Serier
drwxrwxrwx 10 Foppa Foppa 16 Nov 7 14:56 Stuffs
drwxrwxrwx 3 Foppa Foppa 3 Nov 5 09:06 Temporary Items
drwxrwxrwx 12 Foppa Foppa 15 Nov 5 11:19 jails
drwxrwxrwx 6 Foppa Foppa 16 Nov 12 10:13 openvpn
-rwxrwxrwx 1 Foppa Foppa 249344 Nov 12 09:25 openvpn.tar
[root@Server ~]#
How to change the permissions? Thx for ur help!
Changed some stuffs after i read you guys comments, now i seem to have a problem with permissions. Any help?
[root@Server] /mnt/HDD/openvpn# service openvpn start
Starting openvpn.
eval: /mnt/HDD/openvpn: Permission denied
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
[root@Server] /mnt/HDD/openvpn#
What are your permissions set to on /mnt/HDD/openvpn and /mnt/HDD/openvpn/* ? ls -la /mnt/HDD/openvpn and ls -la /mnt/HDD will tell you.
I got this working, thanks for the guide.
However what I really want to accomplish is a FreeNAS as OpenVPN client (not server) using “dev tap”. This would enable me to put my FreeNAS, configured as an Apple timemachine) anywhere on the internet and use it as remote backup…
Without the need of a static IP on the FreeNAS side, without the need to control the router (if any) on the FreeNAS side etc.
I learned I need to ‘compile’ a tap.so and maybe other modules. Problem is don’t know how to do that + Can I not download those .so from somewhere and reboot?
Any pointers?
Thx
Peter
hi, i tried to follow your guide, and everything seems ok, but when i try to connect to my nas, i cannot reach it…
could you please help me to figure out why? where did i go wrong????
here is the description of my problem (user enemy85)
http://forums.freenas.org/threads/any-openvpn-guides-for-freenas-9-1-1.14773/
thank you
Thanks for your guide! I am trying to get this to work. I am having a similar problem as mentioned in previous posts. I successfully connect to the VPN server and I can connect to my freenas website. However, I cannot access any of my other network devices (i.e. SABNZBD (hosted in jail), Sickbeard (hosted in jail), router itself). Any suggestions? I can sent log files if needed.
I’m stuck at this after I changed the file “/conf/base/etc/local/rc.d/openvpn” as described here in the comments I’m getting another error message:
[root@freenas] ~# service openvpn start
Starting openvpn.
eval: /mnt/nas1/openvpn: Permission denied
I checked my permissions for the openvpn folder. Everything is -rwxrwxrwx.
Please help.
I’m stuck. when trying to create the CA. this is what i get.
——————————————————————————————————————
[root@freenas] /mnt/NAS/openvpn# chmod -R 755 easy-rsa/2.0/*
[root@freenas] /mnt/NAS/openvpn# cd easy-rsa/2.0
[root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# sh
[root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# sh
# ./clean-all
Please source the vars script first (i.e. “source ./vars”)
Make sure you have edited it to reflect your configuration.
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /mnt/NAS/openvpn/easy-rsa/2.0/keys
# ./build-ca
Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.
#
——————————————————————————————————————–
As above i have tried creating the keys directory manually, no luck. Also sourcing ./vars i get
——————————————————————————————————————–
[root@freenas] /mnt/NAS/openvpn/easy-rsa/2.0# source ./vars
export: Command not found.
export: Command not found.
export: Command not found.
export: Command not found.
EASY_RSA: Undefined variable.
export: Command not found.
EASY_RSA: Undefined variable.
————————————————————————————————————————-
Unbelievably confused lol! any help would be great.
Cheers
I have the same problem.
Great tutorial, thank you!
If anyone has figured out how to route to other IPs on the local network, please let me know. I can only access the FreeNAS IP from the VPN.
You need to setup a firewall on the FreeNAS box to allow it to act as a gateway to the rest of your network. I have a writeup on how to do it…however, it is based on pf, and pf has issues with vimage jails…like kernel panic issues. So, you should be careful if you follow it. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/
Hi Joe, i installed openvpn with your previous guide in the passed,
now with the 9.2 out, i wanted to change my exisitng openvpn with your new guide
but there seems a problem, when i want to start openvpn, it says the following:
[root@freenas] ~# service openvpn start
Starting openvpn.
Thu Dec 26 11:17:25 2013 cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)
Thu Dec 26 11:17:25 2013 Exiting due to fatal error
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
the service thinks it has to look in the old location, and i don’t know how to (or where to) tell it to look in the new location.
If you can help, thank you very much!!
As it didn’t work out i went back to my old configuration like in the 8.2 guide.
Works good that way. Thanks
Can these instructions be used to connect two FreeNAS boxes with both ends having dynamic IP addresses? I want to schedule Rsync tasks to backup my FreeNAS box to another FreeNAS box at a remote location.
I would like that to
Great guide. Got this working.
I can VPN in and connect to the FreeNAS host, but I can’t get to any of the jail IPs or other IPs on the LAN.. must be something with the routing that needs fixing, I’ll need to poke at it more.
Yeah…something with the routing. Hasn’t risen to the top of the pile yet for me. If you figure it out please share it with us.
Will do. I’m going to run it by my resident openvpn guru at work.
So basically you either have to add a route to your router to know that 10.8.0.0/24 should be routed to the VPN server, or set up NAT to masquerade VPN traffic to appear to come from the VPN server.
I went with the latter, something like this seems to work:
ipfw nat 1 config if em0
ipfw add nat 1 all from 10.8.0.0/24 to any out via em0
ipfw add nat 1 all from any to any in via em0
In which file do you add these lines?
So is everything working for you now with connecting to other IP’s in the Lan? I have the same issue with the vpn that you had.
Excellent addition! This enabled me to route all my traffic through the VPN.
A few modifications that everyone can make to enable this. (at least this is what I did that actually worked after a LOT of trying).
Set this in FreeNAS GUI under sysctl:
You can run this from the terminal to enable before restart – sysctl net.inet.ip.forwarding=1
I put this in my /etc/ipfw.rules file:
#my adapter was re0 not em0
ipfw -f flush # might not be needed, but why not
ipfw nat 1 config if re0
ipfw add nat 1 all from 10.8.0.0/24 to any out via re0
ipfw add nat 1 all from any to any in via re0
Added this to /etc/rc.conf:
firewall_enable=”YES”
firewall_type=”open”
firewall_script=”/etc/ipfw.rules”
In the OpenVPN client config file add:
redirect-gateway def1
Thanks perlguy9, that helped me a lot.
I did how ever figure out that I had to add ” gateway_enable=”YES” ” to the “rc.conf” file.
Edit both “/etc/rc.conf” and “/conf/base/etc/rc.conf”
Just to recap below are the commands I used.
BTW, I use nano instead vi as an text editor.
—–edit /etc/rc.conf and add gateway_enable=”YES” to the bottom
nano /etc/rc.conf
—–edit /conf/base/etc/rc.conf and add gateway_enable=”YES” to the bottom
nano /conf/base/etc/rc.conf
—–find the name of your ethernet interface mine was bge0
ifconfig
—–add rules to the ip firewall and test OpenVPN
ipfw nat 1 config if bge0
ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
ipfw add nat 1 all from any to any in via bge0
I’m out of my depth after this.
As I have reissue the ipfw commands everytime I reboot.
But hell it works.
Well in order to test, you can just run those lines (or similar, if your configuration is a bit different) as root and then test. I added them to the openvpn startup script in /usr/local/etc/rc.d, but I haven’t taken the time to figure out how to properly remove them if the service is stopped, so your mileage may vary.
Ok, thanks for the reply, I will try that.
Hi Joe, thanks for the great guide. I’ve got everything set up okay and the server is running on my freenas box, but I’m having trouble connecting to the server.
No matter what I try, I keep getting an error that says:
read UDP [EHOSTUNREACH]: No route to host (code=113)
It sounds as though the client cannot find my freenas server… I’ve checked in my router’s log, and the request is indeed getting forwarded to the freenas box (dd-wrt log reports the request as ‘Accepted’).
I don’t however, see any indication in the openvpn log that it is receiving information from a client. Is there anyway that I can see if the request is making it, or further debug this?
Thanks again,
Josh
Hi Joe, thanks for the great write up. Sorry if this comment ends up posting twice, but I don’t think my first one went through.
I think I got the server set up successfully, and it seems to be running ok. The problem is, I cannot connect to it from any clients (tried my Ubuntu laptop and cell phone). I’m using all the right certificates and everything, but the issue is that there is no route to the host, as shown by the error in the client log:
read UDP [EHOSTUNREACH]: No route to host (code=113)
I’ve confirmed that the requests are getting properly forwarded by my router, as they show up as ‘Accepted’ in the incoming log, but it seems like they’re not getting to the FreeNAS box. The openvpn log on the FreeNAS box does not show any indication of seeing the client requests, so it looks like they aren’t getting all the way to the running openvpn service.
Do you have any idea how I could see where the connection is getting stuck? Perhaps it’s some FreeNAS setting that I don’t have set correctly?
Thanks again,
Josh
Hi Josh-
Sorry that you are stuck. Is the OpenVPN service running?
Is the correct UDP port forwarded on your router? UDP 1194 as the default.
I assume you are testing the VPN from outside the network? If not, you’ll need to specify the internal FreeNas IP in your client config.
Might help if you send some data my way, like your client and server configs…x out your ip. Might help to see your router rules too.
Hi Joe, thanks for the reply. The service is definitely running (confirmed with status command), and the UDP port 1194 is forwarded correctly. I was testing from outside my network using a dynamic ip. Like I mentioned, I can see the request from the client (my laptop) in the router port forwarding logs as ‘Accepted’, so I know it’s getting at least that far.
Here’s the server config:
# Sample OpenVPN 2.0 config file for
# multi-client server.
#replace x.x.x.x with freenas ip
local x.x.1.150
port 1194
proto udp
dev tun
ca /mnt/scratch/home/josh/openvpn_install/openvpn/keys/ca.crt
cert /mnt/scratch/home/josh/openvpn_install/openvpn/keys/server.crt
key /mnt/scratch/home/josh/openvpn_install/openvpn/keys/server.key
dh /mnt/scratch/home/josh/openvpn_install/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push “route x.x.1.0 255.255.255.0”
#replace x.x.x.x with freenas ip
route x.x.1.150 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
The client config:
# Sample client-side OpenVPN 2.0 config file #
client
dev tun
proto udp
#change remote to your static ip
#or domain name for your freenas server
remote josh.xxxxx.org 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/ca.crt
cert /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/josh.taillon.crt
key /home/josh/Dropbox/Life_Stuff/secrets/openvpn_certs/josh.taillon.key
ns-cert-type server
comp-lzo
verb 3
The router configuration you can see here:
Any thoughts?
Are you running openvpn in a jail?
Nope, I followed your instructions as above, so it’s running in the main FreeNAS install, rather than a jail
I’m not sure what I’ve changed, but now I can access the VPN and connect successfully, but I am having the issue where I cannot access other jails on the LAN or any WAN connections. Trying to debug though. Thanks again for the set up guide.
Finally able to get it working! I used this website as a guide to setting up PF, which allowed me to get the proper forwarding I needed to access the LAN and the internet through the FreeNAS box. Thanks again!
http://sniker.codebase.nu/post/8
If you don’t mind me asking, how did you setup PF on the FreeNAS box?
Check out my latest guide…I go through this step by step.
Hey guys,
If you have problems with:
cd to ‘/usr/local/etc/openvpn’ failed: No such file or directory (errno=2)
I found a solution. Just add this configuration to your /etc/rc.conf and /conf/base/etc/rc.conf files:
openvpn_dir=”/mnt/storage/openvpn”
specify the path where your openvpn.conf file is stored. You shouldn’t have problems anymore.
Cheers!
Thanks a lot for the guide and helping us all troubleshoot Joe.
I’ve got my VPN server up and running, and I’ve got Windows clients that can connect to it properly. Now I’m trying to get a client set up in one of my jails, and I’m running into trouble. It establishes a connection, but from what I can see it has problems after that. Here’s the part of the client log where I think the problem is:
Fri Jan 10 16:09:17 2014 SENT CONTROL [server]: ‘PUSH_REQUEST’ (status=1)
Fri Jan 10 16:09:17 2014 PUSH: Received control message: ‘PUSH_REPLY,route 192.168.1.100 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120, ifconfig 10.8.0.6 10.8.0.5’
Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: timers and/or timeouts modified
Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: –ifconfig/up options modified
Fri Jan 10 16:09:17 2014 OPTIONS IMPORT: route options modified
Fri Jan 10 16:09:17 2014 ROUTE_GATEWAY 192.168.1.254
Fri Jan 10 16:09:17 2014 TUN/TAP device /dev/tun1 opened
Fri Jan 10 16:09:17 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Jan 10 16:09:17 2014 /sbin/ifconfig tun1 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
Fri Jan 10 16:09:17 2014 /sbin/route add -net 192.168.1.100 10.8.0.5 255.255.255.0
route: writing to routing socket: File exists add net 192.168.1.100: gateway 10.8.0.5: route already in table
Fri Jan 10 16:09:17 2014 ERROR: FreeBSD route add command failed: external program exited with error status: 1
Fri Jan 10 16:09:17 2014 /sbin/route add -net 10.8.0.0 10.8.0.5 255.255.255.0
add net 10.8.0.0: gateway 10.8.0.5
Fri Jan 10 16:09:17 2014 Initialization Sequence Completed
Fri Jan 10 16:09:33 2014 Connection reset, restarting [0]
Fri Jan 10 16:09:33 2014 SIGUSR1[soft,connection-reset] received, process restarting
And then it loops and tries to reconnect. I see there’s an error in there, but I’m not sure what it means or how to fix it. Any ideas?
Hi Joe,
thanks for the howto.
i am running into the following issue and I am not sure why it is stating this:
/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
Will not ‘start’ openvpn because openvpn_enable is NO.
Has to be a typo in your rc.conf file. Or you forgot to set it in rc.conf
Should be:
openvpn_enable=”YES”
The entire openvpn portion of your rc.conf file should look like this. Where /mnt/Files/openvpn is the path you are using for your config files and keys. The standard location is /usr/local/etc/openvpn
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/Files/openvpn/openvpn.conf”
openvpn_dir=”/mnt/Files/openvpn”
Got it working as a client,
Reason it wasn’t working is when editing files truh WinSCP it added some strange letters to it and this was only visible when I did a cat on the file.
Thanks!!!
Hi guys, for some reason I keep getting this message after trying literally everything in the comments
hopefully someone here can help me!
[root@Pat ~]# service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
I get the same error and I tried absolutitly everythink from the comments, too.
Is ther anything else I could try Joe?
Error:
service openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
[xxx@freenas] /mnt/vol0/openvpn/sample-config-files#
My “/usr/local/etc/rc.d/openvpn”-file is fixed with this:
# eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
eval “: \${${name}_configfile:=\”/mnt/vol0/openvpn/${name}.conf\”}”
# eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
eval “: \${${name}_dir:=\”/mnt/vol0/openvpn\”}”
And both of my rc.conf have this at the end:
# OpenVPN
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/mnt/vol0/openvpn/openvpn.conf”
openvpn_dir=”/mnt/vol0/openvpn”
Please help 🙂
My guess is there is a syntax error in your openvpn.conf file.
Short of just seeing it and fixing it…I would trouble shoot like this.
In your server openvpn.conf file set:
verb 6
Try starting again then ready through the messages log to see if it gives you any insight. /var/logs/messages
After that, I’d revert the change you made to rc.d/openvpn. Then mkdir /usr/local/etc/openvpn
Then cp /mnt/vol0/openvpn/openvpn.conf /usr/local/etc/openvpn/.
Then comment out the openvpn_dir and openvpn_configfile from /etc/rc.conf
Then try restarting. If it still fails, I’m 99% sure it is a error in your openvpn.conf file.
Thank You so much! The /var/logs/messages showed me there was a syntax error in line 2 of my openvpn.conf (ist was a period at the beginning).
Now its working!
Thank You again!
So glad you got it all sorted out!
I had the same problem, for me the issue was that I typed “cp -R keys/ ../../” instead of “cp -R keys ../../” (the slash should not be there after “keys”). Abuse of TAB key :D!
I’m pretty new to this. I have gotten to where I start the server. It tells me this “/usr/local/etc/rc.d/openvpn: WARNING: $openvpn_enable is not set properly – see rc.conf(5).
Will not ‘start’ openvpn because openvpn_enable is NO.”
So I attempted this
“hi all,
you need to modify the file “/conf/base/etc/local/rc.d/openvpn” to make the changes in “/usr/local/etc/rc.d/openvpn” permanent.
now my the part which is leading to the openvpn dir and to the config file looks like this:
# eval “: \${${name}_configfile:=\”/usr/local/etc/openvpn/${name}.conf\”}”
eval “: \${${name}_configfile:=\”/path/to/openvpn/${name}.conf\”}”
# eval “: \${${name}_dir:=\”/usr/local/etc/openvpn\”}”
eval “: \${${name}_dir:=\”/path/to/openvpn\”}”
and add these 3 lines, as mentioned above to the 2 files “/conf/base/etc/rc.conf” and “/etc/rc.conf”
openvpn_enable=”YES”
openvpn_if=”tun”
openvpn_configfile=”/path/to/openvpn/openvpn.conf”
after a reboot, you can check with “service openvpn status” that openvpn is really running :)”
This is a read only file system and it will not allow me to make changes. I am logged in as root, using putty. Any other suggestions?
You need to make the filesystem writeable.
mount -uw /
As for changing rc.d/openvpn. I haven’t needed to do that. See the last few comments about openvpn directory setting in rc.conf
I want to connect my nas box to my vpn provider, will this work?
Yes. Check with your provider for their client config.
I seem to be very confused, sorry for my silly questions. my provider is boxpn they only list windows max and android setups?
Is this going to let Sabnzbd and transmission connect to the internet through VPN and freenas to be locked down on the local network?
Thank you for taking the time to reply and write your tutorials
Not familiar with Boxpn…so I checked it out and it looks like they only offer PPTP VPN’s. That won’t work with OpenVPN as far as I know. Sorry I can’t be more help.
AWESOME!
Sorry for asking such a dumb question, but where do you type in all these commands ? The shell inside Freenas, terminal on my mac ? I have a macbook pro and i have an old PC with Freenas 9.1 running and want to have secure remote access to my Freenas. I have LAN access running just fine with AFP shares, but I can’t seem to get the WAN access working. I have a static IP and DYNDNS setup but still no luck. Im new to this stuff and Ive been reading articles and forums for a week and I’m more confused now than I as before I decided I wanted a server. thank you
Hi Steve-
You can either use the shell inside freenas or by ssh’ing into your freenas box using terminal on your mac. I usually ssh in. To do that open terminal on your mac, then type ssh user@ip_of_freenas
User needs to be a valid user you set up on freenas with login capabilities and the ip is obviously the ip of the freenas box on the LAN.
A VPN is one option for getting access to your fileserver from outside of your LAN. Another option would be to install the owncloud plugin and have your files live there. That basically gives you dropbox like access to your files.
Hope that helps. Good luck!
Hey thanks for answering Joe, Ive actually got own cloud set up, and running and it has an IP address thats one number higher than the IP of me Freenas box. But I don’t know how to get access to it outside my LAN. Im assuming i port forward my router, but what service should I use to get to it ? HTTPS ? Is that secure enough ?
So for security there are two things to think about. Is there a security hole in SSL (https) and is there a security hole in owncloud? I don’t claim to be a security expert, so I don’t know the answer to those two questions. I do know that I run owncloud over ssl on my personal file server. As for how to do it…yes, forward the port on your router to the ip of the owncloud jail. For SSL, the standard port is 443. The other option is to use a VPN to connect to your LAN and then access owncloud over the VPN.
Hi Joe
I have Vpn Service that provide openvpn, it has username and password? how to use it
I followed your method and instead of config files(“ovpn” I renamed to openvpn.conf) I used the files they provided I have set it up but they don’t have “Server Key” and “DH.pem” file it is asking for username and password every time I restart, and my dyndns stopped working I use SSH and SFTP and I’m receiving error “Permission denied (publickey,password).” help me.Thank You for your guide!
I think what you want is described here…
https://forums.openvpn.net/topic11342.html
add this line to your openvpn clients config file
Quote:
auth-user-pass login.conf
create new file named login.conf and then add your clients username and password
Quote:
username
password
hey joe,
Thanks for the tutorial and helping us out!
I am trying to connect to privateinternetaccess VPN as some other dude in the comments above. So sorry if this off-topic but there are clearly lots of people interested in that.
It only works if the line auth-user-path in the openvpn.conf file does not contain a link to a login.conf file with login and password. PuttY then asks for login and password and openvpn starts fine. The link you gave just above seems to imply openvpn needs to be compiled with –enable-password-save configure option to be able to read login/password from a text file. I have never done that. Is this going to involve much pain…?
Once the openvpn service is running do you have any tips to make sure that the Transmission plugin installed in a jail will download through the vpn and even maybe configuring some firewall rules to block internet connection in case the VPN goes down?
Cheers
I personally don’t think password with is a good idea. So, I’m not a huge fan of spending time figuring out how to make it work.
Also, not a user of transmission. Sorry. You might try reading up on netstat. Should help you figure out how things are connecting.
hey joe,
is there any simple way to setup the vpn for us to access from iPad or iPhone?
If there is an openvpn client for iOS. Otherwise, natively mobile devices seem to only support IPSec and PPTP. OpenVPN uses SSL for tunneling.
there’s a openvpn client in iOS
but they use opvn profile to connect server
Hi Everyone-
Just wanted to let you all know that I’ve figured out a way to get hacks to FreeNAS to survive system upgrades. Check out the guide at https://joepaetzel.com/2014/03/09/freenas-getting-hacks-to-survive-part-2/
Hi Joe, I’m using FreeNAS 9.2.1.2, are there any differences to look out for compared to 9.1?
Thanks,
Matt
None that I am aware of. Make sure to read my post on how to make your changes stick even after an OS upgrade.
Hello, I desire to subscribe for this web site to
take newest updates, so where can i do it please help.
Hi there-
Thanks for the interest in my Blog. To follow the blog, all you have to do is click the Follow button. Should be on the upper right when you first enter a page. Here’s a screen grab.
Joe, thanks for the excellent guide. I was able to get openvpn running successfully and am able to vpn into my freenas box. I do have a problem though where I can’t access any of my jails or other PC’s running on my LAN from a vpn client. Reading through many guides for openvpn it seems I need to configure port forwarding on the openvpn server itself which I believe I have done. In freenas gui, I went to sysctls under system and added net.inet.ip.forwarding to a value of 1. Other guides which seem to be for non freenas/bsd based OS’s say to use ‘echo 1 > /proc/sys/net/ipv4/ip_forward’. Unfortunately I am still unable to connect to any other jails or PC’s on my LAN. Do you have any suggestions to make this work? Thanks in advance!
Please see my post on enabling the pf firewall on freenas. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/ Doing this will have the added benefit of allowing you to connect to other LAN computers through the VPN. Please be advised though. Currently pf and vimage jails do not get along and will result in kernel panics if they are used together. Please do your research. You may also need to specifically define the routes to the various other devices on your LAN. You would do that in your openvpn server config file. The line that pertains to this is:
route x.x.x.x 255.255.255.0 10.8.0.1
You can have as many of these as you need. Replace the xxx’s with the ip for the device. I’m sure there is a way to make it work without specifying every single one…but I haven’t taken the time to figure it out. Also, with the pf.conf file in my write up. Make sure to comment out any ports that you do not want open.
Also, please think about doing something to get your hacks to stick even after upgrades. This has been working for me so far. https://joepaetzel.com/2014/03/09/freenas-getting-hacks-to-survive-part-2/
Hi, I’m using Freenas 9.2.1.3 and I’m stuck at:
# ./clean-all
Please source the vars script first (i.e. “source ./vars”)
Make sure you have edited it to reflect your configuration.
# . ./vars
Bus error (core dumped)
NOTE: If you run ./clean-all, I will be doing a rm -rf on /mnt/Cloud/openvpn/easy-rsa/2.0/keys
I’ve tried many times but everytime it says: “Bus error (core dumped)”
Can anyone help me?
Thanks
did you switch your shell to sh? Because you need to do that.
Yes, I did…
It looks like you are, but did you switch user to root?
might as well try this.
login in.
su to switch to root
sh to switch your shell
cd to the openvpn directory
./clean-all
. ./vars
Ok, now it doesn’t say “Bus error (core dumped)” (but I’ve also updated Freenas), but with ./build-ca it says:
Please edit the vars script to reflect your configuration,
then source it with “source ./vars”.
Next, to start with a fresh PKI configuration and to delete any
previous certificates and keys, run “./clean-all”.
Finally, you can run this tool (pkitool) to build certificates/keys.
#
And obviously nothing happens, so, what am I doing wrong? What I’ve to edit?
Thanks
Yeah, I’ve re-entered the ./clean-all, . ./vars, ./build-ca sequence and now it seems to work! 🙂
Sweet. Seems like that is always really picky for me too.
Hi, i use your nice guide to setup OpenVPN on freensa. I have small problem, i can access freenas server over VPN, but cant access LAN network computer or other jails. I already have in server configuration ‘push “route 192.168.1.0 255.255.255.0″‘ without no luck. Have any help? Thx. Marian.
Please see the comment I made earlier:
Hi,
thx for your time.
If i good understud, as you wrote ” Currently pf and vimage jails do not get along and will result in kernel panics if they are used together. “, if i have freenas with some runing vimage jails i get kernel panic?
And if i want access LAN computers i must add “route LAN_computer_ip 255.255.255.0 10.8.0.1” to server.ovpn as many of these as i need and setup pf. Without pf dont work access to LAN, because in pf is configured NAT from vpn network to LAN network?
Yes, PF and Vimage jails can cause kernel panics. You can turn a vimage jail into a normal jail by unchecking the vimage check box in the jail settings. Then it will work fine with pf. The other option would be to use a different firewall, like ipfw. I don’t know ipfw though, so I will not be able to help you with that. I’m not sure if there are negative effects from turning off the vimage option on a jail. It does use an additional LAN IP…but other than that, I’m not sure. Sorry I can’t be more help.
Hi,
Again BIG THX for your time.
You helped me understud, that without pf access to lan do not work and i do not want risk kernel panic on my server. 😦
Thx, Marian.
You are welcome. I’m looking at the man page for ipfw and it doesn’t look like it would be too hard to tweak my pf rules into ipfw rules. The main thing you need in order to get LAN access over the VPN is NAT’ing the interface on the appropriate ip range.
Hm,
do you thing that with ipfw i dont get kernel panic?
That is what I have been told.
Found this:
http://forums.freenas.org/index.php?threads/freenas-9-2-0-and-ipfw.17722/
Maybe there i start my research… 😉
Thx, for all informations. Yestarday i will start research how to nat with ipfw and how to setup permanent configuration.
Ok, thx.
Marian.
I’d love to hear what you come up with. Please keep me posted. Best of luck!
Tomorrow.. sorry, it too late for me (23:00h).
Hi,
i something learned and try some tricks. 🙂 As last step, i folow this “tutorial”: http://forums.freenas.org/index.php?threads/openvpn-server-in-a-freebsd-9-2-jail-routing-nat-issues.17998/#post-118626
I have onwncloud in standard jail with working ipfw+fail2ban+openvpn. I decide to try on it. Setup some rules from that tutorial and add some line to rc.conf.
to rc.conf i add:
cloned_interfaces=”tun”
gateway_enable=”YES”
to ipfw.rules i add to first line:
ipfw -f flush
ipfw nat 1 config if epair0b
ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw add nat 1 all from any to any in via epair0b
No luck for me, not working. I can connect from internet with openvpn, but i cen only ping owncloud jail. no ping to freens or computers on lan.
im at end. 😦
sorry, i have bad wireless keyboard… 🙂
No luck for me, not working. I can connect from internet with openvpn, ping to owncloud jail, but no ping to freenas or computers on lan.
Pingback: Enable Multi-Factor Authentication for OpenVPN | The Joe Paetzel Method
Wow that was odd. I just wrote an very long comment but after I clicked submit my comment didn’t show up.
Grrrr… well I’m not writing all that over again. Anyhow, just wanted to say excellent blog!
Thanks. So curious what all you were saying.
whoah this weblog is great i like reading your articles.
Keep up the great work! You already know, a lot of persons are searching round for this info, you can help them greatly.
Thanks! I really appreciate that.
Hi great guide but I’m hitting a problem at step 6 after I generate a client key. It says TXT_DB error number 2 TXT_DB not found. I’ve followed the guide to the letter up to this point. Not sure where I’m going wrong.
I must note I’m only 5 weeks in with my Freenas and this is all new to me working with unix commands. I might be trying to swim before I can walk but I really want to get my freenas behind a VPN. Any pointers as to what could be my problem.
Thanks in advance.
Hi Nick-
A quick google search yielded this:
“I’ve had this error with recent version of easy-rsa (2.2.0 works). These differ from older versions in that the following lines are included in easy-rsa/2.0/vars:
export KEY_CN=changeme
export KEY_NAME=changeme
export KEY_OU=changeme
export PKCS11_MODULE_PATH=changeme
export PKCS11_PIN=1234
Commenting these lines out leads to the old behavior, which allows you to create keys correctly with a unique CN.”
To comment them out, edit them and insert a # at the beginning of the line.
Thanks for the prompt reply Joe, I’m sorry I don’t follow what I need to do though, as I say this is a whole new world still to me. So I need to edit those lines out from my current config? and I’ll find them in easy-rsa/2.0/vars?
I think I need to seriously brush up on my use of the unix command line! as I say I’m very new it. apologies.
Yeah…so if are in the directory with the vars script and you do this as root:
vi vars
scroll down until you see export KEY_CN line. type “i” at the beginning of the line then #. Then hit esc. Do that for each of the lines in my previous comment. Then type :wq return
No promise it will help/work.
Thanks Joe I’ll give it a bash! I’ve just ordered myself a unix for dummies book by the way! : )
I’m reading through FreeBSD’s guide as we speak, as good a place as any I think.
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/basics.html
Thanks for you help Joe.
i try to save the openvpn.conf by typing :w! and then :q!. So it should save before I quit. But when open again, it was not modified.
Sounds like your config is not somewhere that is writeable.
Thanks for this cool tuto !
After spending some hours on it, it was perfectly working.
Then I rebooted my nas.
service openvpn start
/usr/local/etc/rc.d/openvpn: WARNING: /mnt/PATH/openpvn/openvpn.conf is not readable.
It looks like a read permissions error. I ‘ll take a look tomorrow. And setting up the firewall.
Thanks again !
Sounds like you might not have saved your changes to /conf/base…
Resolved, I made an error in this file and named the path …/openpvn/…
Thanks !
My internet provider can’t (or don’t want to) gave me a static ip, and I don’t want to use an external service like dyndns, so I made a script to keep access to my FreeNas after a DHCP renew. This script is launched every hours by a crontable (easy to do with the web interface), and saved in my /mnt/PATH/hacks folder.
It email me the new external ip if this one have changed.
Then if I want to use the vpn with the client, I just have to check my mails and keep the last mail named “new ip”. And finally editing the remote field in the client config .
—————————————–
#!/bin/bash
#oldip is a file in the hacks folder that only contain the last known external ip
OLD_IP=$(egrep -o ‘([0-9]{1,3}\.){3}[0-9]{1,3}’ /mnt/PATH/hacks/oldip )
#give the external ip
NEW_IP=$(dig +short myip.opendns.com @resolver1.opendns.com)
#check if they are the same
if [ “$OLD_IP” = “$NEW_IP” ]
#if they are, there is nothing more to do
then exit
else
#replace the old ip by the new one in my firewall’s rules, and reload the rules
#you don’t need these two lines if you don’t have a firewall
sed -i ” -e ‘s/'”$OLD_IP”‘/'”$NEW_IP”‘/g’ /mnt/PATH/hacks/pf.conf
pfctl -F all -f /mnt/PATH/hacks/pf.conf
#write the new ip instead of the old one in the oldip file
#it also email me this ip with the mail subject “new ip”
echo “$NEW_IP” > /mnt/PATH/hacks/oldip && echo “$NEW_IP” | mail -s “new ip” USER
fi
exit
—————————————–
USER is a freenas user who have a mail defined. (easy to do in the web interface).
I would add an OpenPGP encryption to the ip before emailing it. Be paranoid ! (https://www.gnupg.org)
I hope it may be useful.
That’s super sweet. Thanks for sharing it.
Joe, thanks a lot for the tutorial. It was very useful.
One thing I noticed was the order for building the CA. It must start with the . ./vars line.
. ./vars
./clean-all
./build-ca
The order on the tutorial is different. Though the errors will lead many down the right path, the beginning will get stumped. I got that from openVPN’s guide at http://openvpn.net/index.php/open-source/documentation/howto.html#install
Joe, thanks a lot for the tutorial. It was very useful.
One thing I noticed was the order for building the CA. It must start with the . ./vars line.
. ./vars
./clean-all
./build-ca
The order on the tutorial is different. Though the errors will lead many down the right path, the beginning will get stumped. I got that from openVPN’s guide at http://openvpn.net/index.php/open-source/documentation/howto.html#install
Hello Joe,
you may be interested by this new tuto on the freenas forum :
http://forums.freenas.org/index.php?threads/how-to-install-routed-openvpn-server-in-a-vimage-portjail.21856/
Have a good day !
I’m totally stuck, following the guide and using the amended order for the easy-rsa process above has gotten me further than previously but when trying to generate the server and dh keys I get an “unable to write ‘random state'” error. Can anyone suggest how I fix this?
Sounds like a permissions problem. Where are you trying to write the key? Are you logged in as root?
I am logged in as root, but it definitely was a permissions issue, did an ‘su’ before trying again and it worked. Also, if it helps anyone else, I also ran into an issue with the index.txt file that was a result of having the same Common Name in each cert/key changed a line in vars to allow non-unique CNs which got me past that. Still can’t get OpenVPN to start though, still not figured that part out.
Hi there,
I always getting the following error at “./build-key-server server”:
Using configuration from /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/openssl.cnf
/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt: No such file or directory
unable to open ‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt’
6489:error:02001002:system library:fopen:No such file or directory:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen(‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/index.txt’,’r’)
6489:error:20074002:BIO routines:FILE_CTRL:system lib:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
after creating empty index.txt and serial file in keys-directory still receiving an error:
Using configuration from /mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/openssl.cnf
/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/serial: No such file or directory
error while loading serial number
6950:error:02001002:system library:fopen:No such file or directory:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:356:fopen(‘/mnt/data_mirror/Daten/openvpn/easy-rsa/2.0/keys/serial’,’r’)
6950:error:20074002:BIO routines:FILE_CTRL:system lib:/fusion/jkh/921/freenas/FreeBSD/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:358:
did anybody had the same troubles and now how to fix it?
thanks for your help & kind regards,
mfg82
I would start with a ./clean-all
That will wipe out everything…so use with caution.
Then make sure you are using the sh shell.
Then . ./vars
Then ./build-ca
Then ./build-key-server server
of course I followed these steps before, as described in your “howto”……. ?
now it worked, had to do “. ./vars” before the “./clean-all”-command
Great BLOG Guide!!!
Question, how can I modify OpenVPN to allow access to the entire my home network?
At the moment I can only access main FreeNAS server LAN ip address.
It would be nice if I could login and access my whole network.
You need to setup a firewall on the FreeNAS box to allow it to act as a gateway to the rest of your network. I have a writeup on how to do it…however, it is based on pf, and pf has issues with vimage jails…like kernel panic issues. So, you should be careful if you follow it. https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/
I just managed to get perlguy9 suggestion to work.
I had to add ” gateway_enable=”YES” ” to the “rc.conf” file.
Edit both “/etc/rc.conf” and “/conf/base/etc/rc.conf”
Just to recap below are the commands I used.
BTW, I use nano instead vi as an text editor.
—–edit /etc/rc.conf and add gateway_enable=”YES” to the bottom
nano /etc/rc.conf
—–edit /conf/base/etc/rc.conf and add gateway_enable=”YES” to the bottom
nano /conf/base/etc/rc.conf
—–find the name of your ethernet interface mine was bge0
ifconfig
—–add rules to the ip firewall and test OpenVPN
ipfw nat 1 config if bge0
ipfw add nat 1 all from 10.8.0.0/24 to any out via bge0
ipfw add nat 1 all from any to any in via bge0
I’m out of my depth after this.
As I have reissue the ipfw commands everytime I reboot.
But hell it works.
I review the firewall info next…
In order to load the firewall settings on reboot, I had to do the following:
create /conf/base/etc/rc.local: (make sure to chmod for execute)
#/bin/sh
ipfw -f flush
ipfw nat 1 config if re0 #<– whatever your adapter is
ipfw add nat 1 all from 10.8.0.0/24 to any out via re0
ipfw add nat 1 all from any to any in via re0
edit /conf/base/etc/rc.conf.local:
. /etc/rc.local
I read online that FreeNAS should load rc.local on load, but it doesn't appear to. So I just called it from rc.conf.local instead and it worked fine.
I’d think about putting that into an init script in the GUI so it doesn’t get blown away on OS upgrade. This is all very cool stuff though and I’m super grateful that you both are sharing!!! So cool!
Good idea, I threw my script in the openvpn folder.
I’m really new to FreeNAS (installed < a month ago), but can Google with the best of them. Still a huge thanks for the tutorial to get up and running. It's the best thing I found on the subject.
I'm just glad I have a private tunnel to stream my movies. I'm pretty sure deep packet inspection was limiting my possibilities. The VPN pretty much proved that.
On that note does anyone know a way I can run ipfw commands after FreeBSD boots up?
Wow thanks guys, you answered my question as I was writing it. 😛
I’ll give that a shot. 🙂
In case you are having trouble finding the init script in the GUI.
Thanks Joe and syko82 !
I’m a bit of a FreeBSD noob and tried doing a PostInit .sh script with no luck.
Instead I added the those three ipfw commands as a PostInit commands.
Reboot FreeNAS+OpenVPN and done the IP Firewall rules stuck!
BTW, this works great with the Android OpenVPN App!
Nerdvana achieved!!1 🙂
Pingback: How to setup a VPN server in a FreeNAS jail | thealarmclocksixam
I’ve added a couple more lines to my to my “openvpn.conf” file.
push “dhcp-option DOMAIN localdomain.net” # <— your Freenas LAN domain
push "dhcp-option DNS 192.168.1.254" # <— your Freenas DNS server
This will allow DNS resolution of your the systems within the OpenVPN connection.
This will not change the default domain context however, for example.
Instead of typing "ping freenas" you must add the domain to the end, "ping freenas.localdomain.net".
My brother recommended I would possibly like this web site.
He was once totally right. This post actually made my day.
You can not believe just how so much time I had spent for this info!
Thanks!
So I am trying to do this the other way around, have a freenas box be a openvpn client and route all it’s traffic over the vpn. (This is an offsite target for zfs replication of the primary box which is on the vpns network.) Seems like it should be simple to stick the openvpn conf file somewhere and have it start up as a client?
Basically you just use the client config on the FreeNAS box. Then you will need to write some firewall rules to make sure all traffic goes out over the VPN.
Aw, this was an exceptionally nice post. Taking a few minutes and actual effort to make a
superb article… but what can I say… I procrastinate a whole lot and
don’t manage to get anything done.
First of all, thank you Joe for this amazing article! After some fiddling I got this running on my box and it works perfectly.
I have a question I was hoping you could help me with. I’m not a 100% on what the different parts of the openvpn.conf does. As it sits now, the vpn gives me access to the internal network at home with several clients, but I’m wondering if its possible to add a client that is not allowed to see the internal network, only the internet through my router (my external ip)?
My goal is to let my sister who lives abroad be able to get a norwegian ip through my vpn without giving her access to my box. Can this be done on the client (her) side config or will i have to do changes in the openvpn.conf and all my clients?
Sorry Petter, but I am not familiar with how to do that.
That’s alright, I’ll have to put on my research pants and try to figure it out then:) Thanks again!
Dear Joe,
I am working with Windows 7 as my client PC and I have 3 questions(I am very new to servers and SSH, so please bear with me):
1. From step 7 (On my system, the place I want the certs and keys is…..) until step 2 (last step) of the Server Configuration file section (Delete openvpn.tar):
From where would these steps be performed? SSH (putty) or from somewhwere else?
2. In step 7 (On my system, the place I want the certs and keys is…..) how did you pick the location /mntFiles/openvpn/keys/ where you wanted to place the certificate and key? On my data drive, I have created a volume /mnt/Data as part of setting up FreeNAS, but I have not created /mnt/Files.
If I choose to, could I still use the same location that is included in your guide (/mntFiles/openvpn/keys/)?
3. In the last step (Client set up), you indicated that the ca, key and cert lines had to be changed to a path where the files will live on the client. My client is Windows 7 so would something such as C:\Users\Username\Downloads work for this on Windows?
Hi THomas- Thanks for stopping and reading my blog. I’ll do my best to help you out.
1) You can ssh in to the FreeNas box using putty, or open the terminal from the FreeNas Web GUI. I prefer ssh, but either works.
2) You can pick any location you want on your data drives. So for you, anywhere within /mnt/Data is fine. To use /mnt/Files you would need to create that dataset, which there is no reason to do. Just change my examples to match your current data structure.
3) If you install the Windows OpenVPN client first, it will create the folder structure for you. Sorry, but I’m a Mac user, so I don’t really know that folder structure. You can force it to use whatever location you want though, so totally your choice. Just make sure your client config points to the location you pick for the CA, Key and Cert.
Best of luck. Let me know if there is anything else I can help with.
Hi Thomas!
Since Joe doesn’t use Windows I can chime in with how I did it client side. I use the OpenVPN GUI client and put the config, key and certs in the “config” folder inside the the folder I installed the gui in. In the client side config file I used relative paths to make things easier. By keeping all the files in the same folder I get away with just “filename.crt” etc for paths. I used this with success on windows, mac and android.
Thanks a lot. This was very helpful.
Joe,
A question about security with the port-forwarding approach: With the setting up of a VPN connection, port forwarding is required on the router involved.
As per this: http://www.computerhope.com/issues/ch001201.htm, is there some way to secure the open port on the router? I mean if a software (Operating system) firewall is installed, does that offer the required protection on its own?
Hi Thomas-
First off, I’m not a security expert, so please consider my opinion as just that. Do your own research in addition to what I have to say.
Yes, in order for the VPN to work, there needs to be an open port. That’s true if the router is the end point of the VPN or if you are forwarding it on to a machine on the LAN (your case with FreeNAS). From a security standpoint, you need to consider if the service running on that particular port is secure or not. Does the version of OpenVPN, in this case, have any known vulnerabilities? I don’t know the answer to that. Does the risk of any potential vulnerability outweigh the benefit of having the VPN service running? That will be determined by your own risk comfort level.
Can you make things more secure while running OpenVPN? That depends. In general, my belief is that as security increases, usability tends to decrease. So, with a firewall rule (either hardware or software), you could limit access to the VPN port to only one IP address (Your IP at work maybe). That would be much more secure that allowing the entire world access to the port. However, what if you want access at more than just work? Then you need to allow more and more IP’s through. Again, this will depend on your own risk/reward tolerance.
To specifically answer your question about software firewalls, you would need a properly written ruleset. One option for that would be to block all traffic, then open traffic only for the ports you want (1194 for default OpenVPN). Along with that, as I said above, you could limit that access to only certain IP’s.
Long story short, if you can configure your router to only allow traffic on port 1194 for a IP range you deem acceptable, that is the best practical option. Software firewalls on FreeNAS are a bit difficult…as OS upgrades tend to wipe them out and in general they are more difficult to get right than a “hardware” based option.
I hope all this is somewhat helpful.
Joe, thank you for the reply. It was very informative.
When you say:
“So, with a firewall rule (either hardware or software), you could limit access to the VPN port to only one IP address (Your IP at work maybe).”
What specifically does this mean? Your other entry (https://joepaetzel.com/2014/03/04/secure-freenas-9-2-1-2-with-a-firewall/) talks about general firewall rules – does that entry cover this particular single IP situation? The main FreeNAS 9.3 docs (http://doc.freenas.org/9.3/) don’t offer anything on firewall or security, which is really disappointing.
Just heading to bed. FreeNAS will never offer security advise. Look at FreeBSD for info on pf or ipfw. In general…from my bad memory…you’d want to change a rule that reads: from any to any yadda yadda
To:
From x.x.x.x(your office ip or a range) to any yadda yadda
Ive followed all the steps and for some reason I get an error starting. I turned logging up to 6 and this is what I see. I double and triple checked all configs and they match everything you have above. Any ideas?
Mar 9 11:01:05 freenas openvpn[2636]: OpenVPN 2.3.6 amd64-portbld-freebsd9.3 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jan 7 2015
Mar 9 11:01:05 freenas openvpn[2636]: library versions: OpenSSL 0.9.8zc-freebsd 15 Oct 2014, LZO 2.08
Mar 9 11:01:05 freenas openvpn[2636]: Diffie-Hellman initialized with 1024 bit key
Mar 9 11:01:05 freenas openvpn[2636]: TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 9 11:01:05 freenas openvpn[2636]: Socket Buffers: R=[42080->65536] S=[9216->65536]
Mar 9 11:01:05 freenas openvpn[2636]: ROUTE_GATEWAY 192.168.1.1
Mar 9 11:01:05 freenas openvpn[2636]: TUN/TAP device /dev/tun0 opened
Mar 9 11:01:05 freenas openvpn[2636]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mar 9 11:01:05 freenas openvpn[2636]: /sbin/ifconfig tun0 10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255 up
Mar 9 11:01:05 freenas openvpn[2636]: FreeBSD ifconfig failed: external program exited with error status: 1
Mar 9 11:01:05 freenas openvpn[2636]: Exiting due to fatal error
Mar 9 11:01:05 freenas ayeso: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
Mar 9 11:01:05 freenas kernel: tun0: link state changed to UP
Mar 9 11:01:05 freenas kernel: tun0: link state changed to UP
Mar 9 11:01:05 freenas kernel: tun0: link state changed to DOWN
Mar 9 11:01:05 freenas kernel: tun0: link state changed to DOWN
Nothing jumping out at me. Can you send me your server config? You can email it using the contact form if you don’t want to post it. Also, what version of FreeNAS? Last thing, anything related to this in /var/log/messages?
Hey! Thanks for the reply. Those messages above are from the /var/log/messages. I first tried it in a jail and it didnt work, figured it was something screwy with the jail but I get the same outside the jail. Im running FreeNAS-9.3-STABLE-201501090144
The actual error outside the logs is
Starting openvpn.
ifconfig: interface tun0 does not exist
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
config is super simple, I just modified your example.
local 192.168.1.59
port 1194
proto udp
dev tun
ca /mnt/data_mirrored/DOS/openvpn/keys/ca.crt
cert /mnt/data_mirrored/DOS/openvpn/keys/server.crt
key /mnt/data_mirrored/DOS/openvpn/keys/server.key
dh /mnt/data_mirrored/DOS/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#change x.x.x.x to match your network ip range
#ie 192.168.0.0 or 10.0.0.0
push “route 192.168.1.1 255.255.255.0”
#replace x.x.x.x with freenas ip
route 192.168.1.59 255.255.255.0 10.8.0.1
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 6
Huh, that all looks right. Are you trying to start it as root? Can you send me the output from ifconfig? Maybe X out the external IP if the FreeNas box has one.
Hi Joe, I’m looking to secure my 9.3 installation of FreeNAS using your guide but I’m a bit confused as to where to install it. I have Transmission running inside a Jail so do I need to insatll OpenVPN inside the Jail in order for Transmission to use the VPN or does installing OpenVPN globally on the box and enabling the VPN force everything to use that VPN?
Not exactly sure about that. It sounds like you’d probably want to install it globally as you say and then create some custom firewall rules to direct the traffic to and from your jail over the VPN.
I’m not going to be much help with any of that sadly.
Thanks for the quick response, I’ll install globally and see what happens 🙂
Hey want list an issue I’m running into and want give more visibility to the FreeNAS/OpenVPN community at large.
https://forums.freenas.org/index.php?threads/openvpn-cannot-access-freenas-jails.34647/#post-207993
To Summerize the problem I’m encountering.
While connected to my OpenVPN session on the FreeNAS server I cannot access any of the hosted FreeNAS plugins/Jails 192.168.1.50,51,52 & 53 .
I can however access my LAN of 192.168.1.x/24.
Thank you for any input you can lend to this topic!
-Ethan
Hi Ethan- I looked at your Openvpn.conf file. It looks to me that the problem is you do not have routes set up for the jails. In theory, the push command should do that, but it doesn’t. Add a “route 192.168.1.x 255.255.255.0 10.8.1.1” for each jail, then restart openvpn and see if that helps. If that doesn’t help, the next thing I’d look at is your ipfw ruleset. Try it without ipfw enabled. Hope that helps.
Moving OpenVPN to a jail solved my routing issue.
I learned a lot setting up OpenVPN with this guide and would still recommend it as a OpenVPN reference to anyone.
Hi,
Thank you for this how to.
COuld you please tell me if this should still be working on FreeNAS 9.3-RELEASE?
When I typed . ./vars, get the message
—
source: not found
—
Can you help please?
Hi Fred-
I’m honestly not sure. It should. Did you switch your shell to sh before doing . ./vars ?
Thank you, no I didn’t. all fix now
Hi,
Thank you for this great How to.
It work like a charme.
Could you please tell me if it is possbible to use openvpn-auth-pam with your setup?
Thank you
I think so, but I have no experience with it. Sorry.