jcoffey0093
Thanks for the scripts
I don’t understand what you mean
Hi,
I am new to this community and I decided to mix info from the How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT and OpenVPN On FreeBSD 10.3 tutorials.
Please report any inconsistencies.
PS: I've also created a script to fully automate this process: Automatic install OpenVPN inside iocage Jail in FreeNAS all versions
change-log:
0.7 - 2020.01.29 - Added note that external LAN should be different than FreeNAS LAN.
0.6 - 2020.01.29 - Tested on FreeNAS-11.2-U7.
0.5 - 2018.10.14 - Added note that full restart is required sometimes
0.4 - 2018.07.26 - Removed "comp-lzo" from configuration due to becoming obsolete
0.3 - 2018.02.18 - Minor touches and tested everything from scratch following all the steps
0.2 - 2018.02.17 - Beautified code and a few more details
0.1 - 2018.02.16 - First release
Legend:
- Green text - should remain as it is
- Blue text - you may change it if you like
- Red text - needs to be changed by you
Requirements:
- FreeNAS 11.1-U1 - 11.2-U7 ( may also work with other versions )
- FreeNAS user with SSH access and sudo
- SSH client ( PuTTY for Windows, Terminal for Mac )
- Admin access to the router where FreeNAS lives
- Own domain, a domain updated by DDNS, or a static IP
- Please follow this step-by-step tutorial before asking for help
Relevant data to use later in this tutorial ( use your own, this is just for reference ):
- Home Network: 192.168.222.0/24 ( the LAN where your FreeNAS is. Try to use a different subnet at home than the common ones, to avoid conflicts when connecting from outside )
- NAT Network: 10.8.0.0/24 ( virtual LAN between VPN clients and your LAN )
- Domain: nas.mydomain.com
- VPN Server Port: 1194 UDP
- VPN Outside Access Port: 1194 UDP
- Certificate Authority Password: Password1
- Bibi40k Client Certificate Password: Password2
3,2,1.. START
Use FreeNAS Web GUI
Jails -> Add Jail
( Jail Name: OpenVPN, keep default settings )
SSH to your FreeNAS box
Code:
% jls
   JID  IP Address      Hostname      Path
   ...
     4                  OpenVPN       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 4 sh
Password:
Get everything updated and install necessary apps
Code:
# pkg update
# pkg upgrade -y
# pkg install -y nano openvpn mpack
Create directories for OpenVPN
Code:
# mkdir /usr/local/etc/openvpn /usr/local/etc/openvpn/keys
Copy necessary files
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/server.conf /usr/local/etc/openvpn/openvpn.conf
# cp -r /usr/local/share/easy-rsa /usr/local/etc/openvpn/easy-rsa
Easy-RSA ( edit /usr/local/etc/openvpn/easy-rsa/vars )
Code:
# cd /usr/local/etc/openvpn/easy-rsa
# nano vars
if [ -z "$EASYRSA_CALLER" ]; then
    echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
    echo "This is no longer necessary and is disallowed. See the section called" >&2
    echo "'How to use this file' near the top comments for more details." >&2
    return 1
fi
set_var EASYRSA_REQ_COUNTRY  "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY     "San Francisco"
set_var EASYRSA_REQ_ORG      "Copyleft Certificate Co"
set_var EASYRSA_REQ_EMAIL    "me@mydomain.com"
set_var EASYRSA_REQ_OU       "My Organizational Unit"
set_var EASYRSA_KEY_SIZE     2048
set_var EASYRSA_CA_EXPIRE    3650
set_var EASYRSA_CERT_EXPIRE  3650
Generate Keys
Code:
# ./easyrsa.real init-pki

Note: using Easy-RSA configuration from: ./vars

init-pki complete; you may now create a CA or requests.
Your newly created PKI dir is: /usr/local/etc/openvpn/easy-rsa/pki
Build Certificate Authority ( follow instructions using Password1 and common name )
Code:
# ./easyrsa.real build-ca

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.......................................+++
..+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/ca.key.vpfhw9orph'
Enter PEM pass phrase: Password1
Verifying - Enter PEM pass phrase: Password1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: OpenVPN FreeNAS CA

CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/usr/local/etc/openvpn/easy-rsa/pki/ca.crt
Build Server Certificates
Code:
# ./easyrsa.real build-server-full openvpn-server nopass

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
...............................................+++
.................................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/openvpn-server.key.JKfgnZ3Ae8'
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'openvpn-server'
Certificate is to be certified until Feb 13 18:22:32 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Build Client Certificate ( use a unique name for each certificate; here Bibi40k with Password2, authorized with the CA password Password1 )
Code:
# ./easyrsa.real build-client-full Bibi40k

Note: using Easy-RSA configuration from: ./vars
Generating a 2048 bit RSA private key
.............................................................................................+++
.................+++
writing new private key to '/usr/local/etc/openvpn/easy-rsa/pki/private/Bibi40k.key.cd545aPaIq'
Enter PEM pass phrase: Password2
Verifying - Enter PEM pass phrase: Password2
-----
Using configuration from /usr/local/etc/openvpn/easy-rsa/openssl-1.0.cnf
Enter pass phrase for /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key: Password1
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'Bibi40k'
Certificate is to be certified until Feb 13 18:28:59 2028 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Generate Diffie-Hellman Parameters ( /usr/local/etc/openvpn/easy-rsa/pki/dh.pem )
Code:
# ./easyrsa.real gen-dh

Note: using Easy-RSA configuration from: ./vars
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................................+.....................+....++*++*

DH parameters of size 2048 created at /usr/local/etc/openvpn/easy-rsa/pki/dh.pem
Generate the TA key
Code:
# openvpn --genkey --secret ta.key
Copy Keys Together
Code:
# cp pki/dh.pem pki/ca.crt pki/issued/openvpn-server.crt pki/private/openvpn-server.key /usr/local/etc/openvpn/keys/
# cp ta.key /usr/local/etc/openvpn/keys/
# cp pki/issued/Bibi40k.crt pki/private/Bibi40k.key /usr/local/etc/openvpn/keys/
OpenVPN ( edit /usr/local/etc/openvpn/openvpn.conf )
Code:
# cd /usr/local/etc/openvpn/
# nano openvpn.conf
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.222.0 255.255.255.0"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0  # This file is secret
remote-cert-tls client
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
explicit-exit-notify 1
Client Config ( /usr/local/etc/openvpn/Bibi40k.conf )
Code:
# cp /usr/local/share/examples/openvpn/sample-config-files/client.conf /usr/local/etc/openvpn/Bibi40k.conf
# nano Bibi40k.conf
client
dev tun
proto udp
remote nas.mydomain.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
verb 3
You can include everything in one file ( useful on mobile and more convenient than keeping all certs apart ):
Code:
client
dev tun
proto udp
remote mynas.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
verb 3
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
add ca.crt content here...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
add Bibi40k.crt content here...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
add Bibi40k.key content here...
-----END ENCRYPTED PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
add ta.key content here...
-----END OpenVPN Static key V1-----
</tls-auth>
# Act as Gateway: Uncomment only if you need this
#dhcp-option DNS 192.168.222.1
#redirect-gateway def1
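As an added example (not from the tutorial or the author's install script), the POSIX sh script below builds the single-file profile described above from the file-based Bibi40k.conf and keys/ layout, then checks that the result keeps the directives that protect the tunnel (remote-cert-tls server, inline tls-auth with key-direction 1) and no longer points at external key files. The build_fixture function and its PEM placeholders are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Builds the single-file client profile
# the tutorial describes from the file-based Bibi40k.conf and the keys/ directory,
# then checks the result. Paths and the Bibi40k name follow the tutorial; the
# fixture below is constructed placeholder data, not real key material.

# pem_body FILE: print only the -----BEGIN ... -----END block of FILE.
# Easy-RSA's issued .crt files carry a text dump above the PEM; only the PEM
# belongs inside an inline <cert> block.
pem_body() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# make_inline_profile CONF KEYDIR NAME: write the unified profile to stdout.
make_inline_profile() {
    conf=$1 keydir=$2 name=$3
    # keep every directive except the four that point at external files
    grep -Ev '^(ca|cert|key|tls-auth)[[:space:]]' "$conf"
    printf '<ca>\n';       pem_body "$keydir/ca.crt";    printf '</ca>\n'
    printf '<cert>\n';     pem_body "$keydir/$name.crt"; printf '</cert>\n'
    printf '<key>\n';      pem_body "$keydir/$name.key"; printf '</key>\n'
    # "tls-auth ta.key 1" loses its direction argument when inlined, so restate
    # it: 1 is the client side, 0 the server side (as in openvpn.conf above)
    printf 'key-direction 1\n'
    printf '<tls-auth>\n'; pem_body "$keydir/ta.key";    printf '</tls-auth>\n'
}

# check_profile FILE: return 0 if the profile carries every directive the
# tutorial relies on and no leftover file references, 1 otherwise.
check_profile() {
    f=$1
    for want in '^remote-cert-tls server$' '^key-direction 1$' \
                '^<ca>$' '^<cert>$' '^<key>$' '^<tls-auth>$'; do
        grep -Eq "$want" "$f" || { echo "missing: $want" >&2; return 1; }
    done
    if grep -Eq '^(ca|cert|key|tls-auth)[[:space:]]' "$f"; then
        echo "profile still references external key files" >&2
        return 1
    fi
    return 0
}

# build_fixture: constructed stand-in for the jail's /usr/local/etc/openvpn so
# the script runs offline; prints the temporary directory it created.
build_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/keys"
    cat >"$d/Bibi40k.conf" <<'EOF'
client
dev tun
proto udp
remote nas.mydomain.com 1194
ca ca.crt
cert Bibi40k.crt
key Bibi40k.key
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
verb 3
EOF
    for n in ca.crt Bibi40k.crt Bibi40k.key ta.key; do
        # CONSTRUCTED placeholder with a fake text dump above the "PEM" block
        printf 'Certificate:\n  text dump\n-----BEGIN PLACEHOLDER-----\nconstructed-%s\n-----END PLACEHOLDER-----\n' \
            "$n" >"$d/keys/$n"
    done
    echo "$d"
}

dir=$(build_fixture)
make_inline_profile "$dir/Bibi40k.conf" "$dir/keys" Bibi40k >"$dir/Bibi40k.ovpn"
check_profile "$dir/Bibi40k.ovpn" && echo "profile OK: $dir/Bibi40k.ovpn"
```

Run it inside the jail with the real paths to produce Bibi40k.ovpn; the check fails loudly if a directive that protects the tunnel went missing while editing.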
Server NAT Configuration ( create /usr/local/etc/ipfw.rules and add the green text )
Code:
# nano /usr/local/etc/ipfw.rules
More configuration ( edit /etc/rc.conf and add the green text at the end of the file )
Code:
# nano /etc/rc.conf
Setup Logging ( edit /etc/syslog.conf )
Code:
# nano /etc/syslog.conf
Setup log rotation ( edit /etc/newsyslog.conf )
Code:
# nano /etc/newsyslog.conf
Use FreeNAS Web GUI
Jails -> Select OpenVPN Jail -> Restart
Note: sometimes it is necessary to restart the whole FreeNAS server, because the routes are built properly after a full restart.
SSH to your FreeNAS box and make some checks
Code:
% jls
   JID  IP Address      Hostname      Path
   ...
     5                  OpenVPN       /mnt/Vol1-Z2/jails/OpenVPN
% sudo jexec 5 sh
Password:
# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
# sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    64842 7  udp46  *:1194                *:*
root     syslogd    64803 7  udp4   *:514                 *:*
Let's send our OpenVPN client files and test connection from outside
Code:
# cd /usr/local/etc/openvpn/
# tar cvf Bibi40k.tar Bibi40k.conf -C keys/ ca.crt Bibi40k.crt Bibi40k.key ta.key
a Bibi40k.conf
a ca.crt
a Bibi40k.crt
a Bibi40k.key
a ta.key
# service sendmail onestart
# mpack -s "Bibi40k OpenVPN files" Bibi40k.tar me@mydomain.com
This is for setting up your VPN server or setting up a VPN client for your VPN service or even another VPN service.
Try this, maybe you are lucky NordVPN on Linux
When I check my service with "sockstat -4 -1" I am not getting any numbers. I tried to start the openvpn server and I get "failed to start".