{"id":4306,"date":"2017-05-25T04:55:31","date_gmt":"2017-05-25T07:55:31","guid":{"rendered":"https:\/\/blog.clusterweb.com.br\/?p=4306"},"modified":"2017-05-25T04:55:31","modified_gmt":"2017-05-25T07:55:31","slug":"how-to-install-openvpn-inside-a-jail-in-freenas-9-2-1-6-with-access-to-remote-hosts-via-nat","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=4306","title":{"rendered":"How to install OpenVPN inside a jail in FreeNAS 9.2.1.6+ with access to remote hosts via NAT"},"content":{"rendered":"<p><b>Requirements<\/b><\/p>\n<ul>\n<li>FreeNAS 9.10+<\/li>\n<li>Domain updated by DDNS or a static IP<\/li>\n<li>Internet access<\/li>\n<li>Router forwarding of your port of choice (in my case 10011 UDP internal to 443 UDP external).<\/li>\n<li>SFTP Client (Winscp, Transmit or plain scp)<\/li>\n<\/ul>\n<p><b>Route all traffic?<\/b><br \/>\nIf you want to route all traffic through the VPN Tunnel, be sure to read the <b>Know This<\/b> section<\/p>\n<p><b>Overview<\/b><br \/>\nIn this guide, we&#8217;ll do the server\/client configuration as follows:<\/p>\n<p><b>Server configuration:<\/b><\/p>\n<ul>\n<li>Creating the Jail.<\/li>\n<li>Optional: mounting local storage.<\/li>\n<li>Installing OpenVPN inside the jail.<\/li>\n<li>Creating all the certificates needed: the server root cert, the OpenVPN server cert and each of the client&#8217;s cert.<\/li>\n<li>OpenVPN configuration file.<\/li>\n<li>Firewall settings so NAT can work.<\/li>\n<li>Registering OpenVPN as a service so it can start automatically with the jail.<\/li>\n<\/ul>\n<p><b>Client configuration:<\/b><\/p>\n<ul>\n<li>OpenVPN configuration file.<\/li>\n<li>Certificate installation in client<\/li>\n<\/ul>\n<p><!--more--><br \/>\n<b>Network Setup<\/b><br \/>\nUnderstanding how the OpenVPN networking works is very important, so I&#8217;m going to explain it here (you can skip this and go straight to the configuration). 
Since I&#8217;m a very visual person, here&#8217;s the diagram of the logical network we&#8217;ll be creating:<\/p>\n<p><img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"https:\/\/i.imgur.com\/r6alZE2.png\" alt=\"[IMG]\" data-url=\"https:\/\/i.imgur.com\/r6alZE2.png\" \/><\/p>\n<p>This diagram shows how FreeNAS, its jails and even the remote client exist in the network. As they are all connected to the same switch*, they can talk to each other. So my <i>Crashplan Jail<\/i> (10.0.0.12) can talk to a computer in my home network called <i>Other Host<\/i>** (10.0.0.30), and my FreeNAS server can reach the internet via the <i>Gateway<\/i> (10.0.0.254).<br \/>\n*They are all connected to switches in the same broadcast domain, which logically places them as if they were all connected to one switch.<br \/>\n**By &#8220;host&#8221; we mean any device: a jail, a computer or your latest internet-connected thermostat.<\/p>\n<p>The diagram is divided into three sections, showing how FreeNAS sees the world:<\/p>\n<ul>\n<li>Yellow network (home): addressed 10.0.0.0\/24. This is the network in which our FreeNAS server lives.<\/li>\n<li>Blue network (internet): routes traffic from my home, where FreeNAS is, to my remote location.<\/li>\n<li>Purple network (NAT): the network inside the OpenVPN jail that holds every client connecting remotely. It is addressed 172.16.8.0\/24.<\/li>\n<\/ul>\n<p>Now let&#8217;s see how this same diagram looks not logically but physically (i.e. how the cables are connected).<br \/>\n<img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"http:\/\/i.imgur.com\/keuCVXH.png\" alt=\"[IMG]\" data-url=\"http:\/\/i.imgur.com\/keuCVXH.png\" \/><\/p>\n<p>This is the same diagram as before, but it includes a new section:<\/p>\n<ul>\n<li>Green network (remote): addressed 192.168.1.0\/24. 
It&#8217;s the external network we&#8217;ll be connecting from, and it&#8217;s the simplest network you&#8217;ll find: traffic goes to the gateway and from there to the internet.<\/li>\n<\/ul>\n<p>Notice that even though the jails are connected to a switch (the <i>FreeNAS Virtual Switch<\/i>) and that switch is connected to the <i>Gateway Switch<\/i>, they are all still in the same yellow network (10.0.0.0\/24), so they can still talk to each other.<\/p>\n<p>When connecting through the VPN, the connection highlighted in orange is created. Now the <i>Remote Client<\/i> has two IPs: one inside the green network (192.168.1.200), which lets it talk to other hosts in that green network, and one inside the purple network (172.16.8.4), which by itself only lets it talk to other hosts in the purple network. You can think of it as if the <i>Remote Client<\/i> (our computer in a far-away network) had been transported from the green network to the purple network.<\/p>\n<div><img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"http:\/\/i.imgur.com\/bTDAERI.png\" alt=\"[IMG]\" data-url=\"http:\/\/i.imgur.com\/bTDAERI.png\" \/><br \/>\n<i>Topology as it appears after the VPN connection is made<\/i><\/div>\n<p>You may notice that the OpenVPN jail sits halfway between the yellow and purple networks. One side talks to the yellow network (the jail has an outside IP of 10.0.0.14) and the other to the purple network (the jail has an inside IP of 172.16.8.1). With a little firewall configuration we can let the <i>Remote Client<\/i>, and anyone else inside the purple network, talk to the yellow network. This is what lets any remote client connect and reach other computers in the yellow network. 
That is how the VPN tunnel works.<\/p>\n<p><b>Example:<\/b><\/p>\n<div><img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"http:\/\/i.imgur.com\/qmahTjU.png\" alt=\"[IMG]\" data-url=\"http:\/\/i.imgur.com\/qmahTjU.png\" \/><\/div>\n<p>If <i>Remote Client<\/i> wants to ping <i>Other Host<\/i> (or any other host in the yellow network, which could be another jail), it forwards the packet to <i>OpenVPN Jail<\/i>; the <i>OpenVPN Jail<\/i> then translates the packet from the purple network to the yellow one (the source address 172.16.8.4 is rewritten to 10.0.0.14) and forwards it to <i>Other Host<\/i>.<\/p>\n<p>Since <i>Other Host<\/i> only sees a ping coming from 10.0.0.14 (<i>OpenVPN Jail<\/i>), it replies to that address. When <i>OpenVPN Jail<\/i> receives the reply, it translates it back from the yellow to the purple network and sends it on to <i>Remote Client<\/i>. A consequence worth knowing: hosts in the yellow network never see the purple addresses, so they need no static route, but their logs will attribute every VPN client&#8217;s traffic to 10.0.0.14.<\/p>\n<p><b>OpenVPN Jail Setup<\/b><br \/>\nCreate a new jail in the web GUI.<\/p>\n<p><img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"http:\/\/i.imgur.com\/ADaBh8n.png\" alt=\"[IMG]\" data-url=\"http:\/\/i.imgur.com\/ADaBh8n.png\" \/><br \/>\n<i>You can name it whatever you like. Take note of the IPv4 address that was assigned to your jail. If you&#8217;d like to change it, go to Jails &gt; Edit Jail &gt; IPv4. 
This jail must have an IP in your yellow network.<\/i><\/p>\n<p>Optional: Add storage from outside the jail, I&#8217;ll mount mine in \/mnt\/keys but you can store them inside the jail in \/usr\/local\/etc\/openvpn.<\/p>\n<p><img decoding=\"async\" class=\"bbCodeImage LbImage\" src=\"http:\/\/i.imgur.com\/SEts1a5.png\" alt=\"[\u200bIMG]\" data-url=\"http:\/\/i.imgur.com\/SEts1a5.png\" \/><\/p>\n<p>SSH to your FreeNAS install and enter the jail:<\/p>\n<div>Robles-MacBook-Pro:~ robles$ <b>ssh robles@10.0.0.11<\/b><br \/>\nLast login: Tue Aug 19 12:29:05 2014 from 10.0.0.192<br \/>\nWelcome to FreeNAS<br \/>\n[robles@nas] ~&gt; <b>jls<\/b><br \/>\nJID\u00a0\u00a0IP Address \u00a0\u00a0Hostname \u00a0\u00a0Path<br \/>\n7\u00a0\u00a0&#8211; \u00a0\u00a0\u00a0openvpn \u00a0\u00a0\u00a0\/mnt\/vault\/pluginjails\/openvpn<br \/>\n[robles@nas] ~&gt; <b>sudo jexec 7 tcsh<\/b><br \/>\nPassword:<br \/>\nroot@openvpn:\/ #\u200b<\/div>\n<p>You can list your installed jails with the jls command, notice how my openvpn jail has the JID 7. To get inside the jail, use the jexec command as shown.<\/p>\n<p>Upgrade your jail (optional), install bash, nano (optional) and openvpn using the pkg command:<\/p>\n<div class=\"bbCodeBlock bbCodeCode\">\n<div class=\"type\">Code:<\/div>\n<pre>pkg update\r\npkg upgrade\r\npkg install bash nano openvpn\r\nexit<\/pre>\n<\/div>\n<p><i>Note: The first time it will have to upgrade repositories, so don&#8217;t worry if it spurts a lot of data. We need bash because the .\/easyrsa command behaves weirdly using tcsh. 
If you run into a &#8220;shared object not found&#8221; problem, run pkg upgrade again so it repairs the missing packages.<br \/>\n<\/i><br \/>\nUsing the jexec command, enter your jail again, this time with bash:<\/p>\n<div>[robles@nas] <b>~<\/b>&gt; <b>sudo jexec 7 bash<\/b><br \/>\n[root@openvpn \/]# <b>cd \/usr\/local\/share\/easy-rsa<\/b><br \/>\n[root@openvpn \/usr\/local\/share\/easy-rsa]#<\/div>\n<p><b>Easy-RSA Prep<\/b><br \/>\nFirst, let&#8217;s move the example files into place. Then we&#8217;ll edit the vars file to suit our needs.<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>mv easyrsa.real easyrsa<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>mv vars.example vars<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>nano vars<\/b><\/div>\n<p>Inside the vars file, look for the line with EASYRSA_KEY_SIZE and uncomment it by removing the pound symbol; 2048 is the default and matches the 2048-bit keys shown below. Do the same for the line with EASYRSA_DIGEST, which should read sha256 (it sets the signature hash for every certificate the CA issues).<\/p>\n<p>Optional: You can uncomment the EASYRSA_REQ_COUNTRY lines above to default to your own locality. You can also uncomment EASYRSA_CA_EXPIRE to change the CA certificate&#8217;s lifetime from 10 years to something more sensible, and EASYRSA_CERT_EXPIRE for the lifetime of the server and client certificates.<\/p>\n<p>To close nano, press <b>ctrl+x<\/b>. To save the changes, answer &#8220;y&#8221;.<\/p>\n<p><b>Certificate Creation<\/b><br \/>\n<i>Note: Easy-RSA 3.1&#8217;s output is much more verbose. These instructions omit the program&#8217;s long explanations wherever you find the [&#8230;] symbol. 
The relevant information is shown in bold.<br \/>\n<\/i><br \/>\n<b>Creating the Root Certificate<\/b><br \/>\nLet&#8217;s create our NAS&#8217;s certificate authority. The nopass option leaves ca.key unencrypted; that is convenient for a home setup, but anyone who obtains that file can issue certificates your VPN will trust, so omit nopass if you want a passphrase on the CA key.<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa init-pki<\/b><br \/>\n[&#8230;]<br \/>\nYour newly created PKI dir is: \/usr\/local\/share\/easy-rsa\/pki<br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa build-ca nopass<\/b><br \/>\n[&#8230;]Generating a 2048 bit RSA private key<br \/>\n&#8230;&#8230;&#8230;&#8230;.+++&#8230;..+++&#8230;&#8230;&#8230;..<br \/>\nwriting new private key to &#8216;\/usr\/local\/share\/easy-rsa\/pki\/private\/ca.key.#########&#8217;[&#8230;]<br \/>\nCommon Name (eg: your user, host, or server name) [Easy-RSA CA]:<b>Robles NAS CA<\/b><br \/>\n[&#8230;]<br \/>\nYour new CA certificate file for publishing is at:<br \/>\n\/usr\/local\/share\/easy-rsa\/pki\/ca.crt<\/div>\n<p><b>Creating the OpenVPN Server Certificate<\/b><br \/>\nAnswer the questions appropriately. Now let&#8217;s create a server key and certificate; this is what clients use to confirm they are talking to your OpenVPN server and not to some other machine holding a certificate from the same CA.<\/p>\n<p>This is a two-step process: first we create a request for the certificate, then we sign it. 
Let&#8217;s create the server&#8217;s certificate request (nopass again leaves the key unencrypted, which the OpenVPN service needs in order to start unattended):<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa gen-req openvpn-server nopass<\/b><br \/>\n[&#8230;] Generating a 2048 bit RSA private key<br \/>\n&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;&#8230;..+++&#8230;&#8230;&#8230;.+++ [&#8230;]<br \/>\nCommon Name (eg: your user, host, or server name) [openvpn-server]: <b>[return]<\/b><br \/>\n[&#8230;]<br \/>\nreq: \/usr\/local\/share\/easy-rsa\/pki\/reqs\/openvpn-server.req<br \/>\nkey: \/usr\/local\/share\/easy-rsa\/pki\/private\/openvpn-server.key<\/div>\n<p>Step two: now we&#8217;ll sign the request (the file with the .req extension). The word <b>server<\/b> in the sign-req command matters: it stamps the certificate with the server extended key usage, which is what the client&#8217;s remote-cert-tls server option later checks, so a client certificate can never be used to impersonate the server.<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa sign-req server openvpn-server<\/b><br \/>\n[&#8230;]<br \/>\ncommonName = openvpn-server<br \/>\n[&#8230;]<br \/>\nConfirm request details: <b>yes<\/b><br \/>\n[&#8230;]<br \/>\nCertificate is to be certified until Aug 14 01:21:20 2026 GMT (3650 days) [&#8230;]<br \/>\nCertificate created at: \/usr\/local\/share\/easy-rsa\/pki\/issued\/openvpn-server.crt<\/div>\n<p>Again, answer the questions appropriately; when asked whether you want to sign and commit, type yes. 
Afterwards, we&#8217;ll create the Diffie-Hellman parameters (this one takes a long time) and the tls-auth key, a shared secret that both ends use to HMAC every control-channel packet (see <b>Security Hardening<\/b> below):<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa gen-dh<\/b><br \/>\n[&#8230;]<br \/>\nThis is going to take a long time<br \/>\n&#8230;&#8230;&#8230;&#8230;+&#8230;&#8230;.+&#8230;.+&#8230;&#8230;&#8230;&#8230;.[&#8230;]<br \/>\nDH parameters of size 2048 created at \/usr\/local\/share\/easy-rsa\/pki\/dh.pem<br \/>\n[root@vpnserver \/usr\/local\/share\/easy-rsa]# <b>openvpn --genkey --secret ta.key<\/b><br \/>\n[root@vpnserver \/usr\/local\/share\/easy-rsa]# <b>chmod 400 ta.key<\/b><\/div>\n<p><b>Creating the User&#8217;s Certificates<\/b><br \/>\nThe next step can be repeated for as many users as you want to allow into your VPN; give each one its own certificate rather than sharing one, so that a lost laptop can be revoked on its own. They will all be assigned an IP inside the purple network. First we create the user&#8217;s request:<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa gen-req john.appleseed nopass<\/b><br \/>\n[&#8230;]<br \/>\nCommon Name (eg: your user, host, or server name) [john.appleseed]: <b>[return]<\/b><br \/>\n[&#8230;]<br \/>\nreq: \/usr\/local\/share\/easy-rsa\/pki\/reqs\/john.appleseed.req<br \/>\nkey: \/usr\/local\/share\/easy-rsa\/pki\/private\/john.appleseed.key<\/div>\n<p>Then we sign the new user&#8217;s request, this time as a <b>client<\/b> type:<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>.\/easyrsa sign-req client john.appleseed<\/b><br \/>\n[&#8230;]<br \/>\nType the word &#8216;yes&#8217; to continue, or any other input to abort.<br \/>\nConfirm request details: <b>yes<\/b><br \/>\n[&#8230;]<br \/>\nCertificate created at: \/usr\/local\/share\/easy-rsa\/pki\/issued\/john.appleseed.crt<\/div>\n<p>All of the generated material is inside the pki folder: the certificates are in pki\/issued and the private keys in pki\/private. 
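<\/p>\n<p>Before copying anything out of the pki folder, it is worth checking that Easy-RSA produced what the two OpenVPN configurations will rely on: that each certificate chains to ca.crt, that the server certificate really carries the server key usage which remote-cert-tls server will demand (and the client certificate does not), that each private key belongs to its certificate, and that no key is world-readable. The script below is an added example written for this guide, not part of the original post or of Easy-RSA; it uses only the openssl command-line tool. Because Easy-RSA is not always at hand, it also builds a throwaway CA, server certificate and client certificate with plain openssl that mirror what build-ca, gen-req and sign-req server\/client produce; the names (Demo NAS CA, openvpn-server, john.appleseed) and the use of a temporary directory are assumptions of the example. Against the real PKI you would call verify_vpn_cert with the files under pki\/ (for example pki\/ca.crt pki\/issued\/openvpn-server.crt pki\/private\/openvpn-server.key server).<\/p>\n

```shell
#!/bin/sh
# Added example for this guide (not from the original post or Easy-RSA):
# check the files Easy-RSA produced before they go into openvpn.conf.
# Needs only the openssl CLI. All paths and names are assumptions.

# verify_vpn_cert CA CRT KEY ROLE   (ROLE is "server" or "client")
# Returns 0 when every check passes, 1 with a message on the first failure.
verify_vpn_cert() {
    ca=$1; crt=$2; key=$3; role=$4
    case $role in
        server) purpose=sslserver ;;
        client) purpose=sslclient ;;
        *) echo "unknown role: $role"; return 2 ;;
    esac
    # Chain and key usage in one call: "-purpose sslserver" rejects a certificate
    # whose extendedKeyUsage lacks serverAuth, i.e. a client cert posing as the
    # server. This is what the client's "remote-cert-tls server" enforces.
    if ! openssl verify -purpose "$purpose" -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "$crt: does not verify as a $role certificate against $ca"; return 1
    fi
    # The public key inside the certificate must match the private key file,
    # otherwise OpenVPN refuses to start (or the client refuses to connect).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "$crt: public key does not match $key"; return 1
    fi
    # -perm -004: the "other" read bit is set, so every user in the jail can read the key.
    if find "$key" -perm -004 | grep -q .; then
        echo "$key: is world-readable, chmod 600 it"; return 1
    fi
    return 0
}

# make_demo_pki DIR: stand-in for "easyrsa build-ca / gen-req / sign-req", built
# with plain openssl so the checks above can be exercised anywhere. The extension
# file is the part that matters: serverAuth is what "sign-req server" adds,
# clientAuth what "sign-req client" adds.
make_demo_pki() {
    d=$1
    umask 077      # keys are created mode 0600, as Easy-RSA does
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null
    openssl req -new -key "$d/ca.key" -subj "/CN=Demo NAS CA" -out "$d/ca.req" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
    for pair in openvpn-server:serverAuth john.appleseed:clientAuth; do
        name=${pair%%:*}; eku=${pair##*:}
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$name.key" 2>/dev/null
        openssl req -new -key "$d/$name.key" -subj "/CN=$name" -out "$d/$name.req" 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
            "$eku" > "$d/$name.ext"
        openssl x509 -req -in "$d/$name.req" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -days 825 -extfile "$d/$name.ext" -out "$d/$name.crt" 2>/dev/null
    done
}

# Demo: build the throwaway PKI, then show one pass and one deliberate failure.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp"
    verify_vpn_cert "$tmp/ca.crt" "$tmp/openvpn-server.crt" "$tmp/openvpn-server.key" server \
        && echo "openvpn-server.crt: OK as server"
    verify_vpn_cert "$tmp/ca.crt" "$tmp/john.appleseed.crt" "$tmp/john.appleseed.key" server \
        || echo "(expected) a client certificate is rejected as server"
    rm -rf "$tmp"
fi
```
\n<p>The second demo call fails on purpose: a client certificate presented as the server certificate is rejected, which is exactly the check that remote-cert-tls server performs on the client during the handshake. Run the same function on your real files right after sign-req, and again after any chmod you do later, so a world-readable key is caught before the jail goes into service.<\/p>\n<p>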
Now copy the generated keys to your permanent storage; I mounted mine in \/mnt\/keys:<\/p>\n<div>[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>cp pki\/issued\/* \/mnt\/keys<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>cp pki\/private\/* \/mnt\/keys<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>cp pki\/ca.crt \/mnt\/keys<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>cp pki\/dh.pem \/mnt\/keys<\/b><br \/>\n[root@OpenVPN \/usr\/local\/share\/easy-rsa]# <b>cp ta.key \/mnt\/keys<\/b><br \/>\n[root@openvpn \/usr\/local\/share\/easy-rsa]# <b>cd \/mnt\/keys<\/b><br \/>\n[root@OpenVPN \/mnt\/keys]# <b>ls -lah<\/b><br \/>\ndrwxr-xr-x\u00a0\u00a02 root\u00a0\u00a0wheel 8B Aug 15 21:06 .<br \/>\ndrwxr-xr-x\u00a0\u00a03 root\u00a0\u00a0wheel 3B Sep 29\u00a0\u00a02015 ..<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a01.1k Aug 15 21:06 ca.crt<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a01.7k Aug 15 21:06 ca.key<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a0424B Aug 15 21:16 dh.pem<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a04.3k Aug 15 21:05 john.appleseed.crt<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a01.7k Aug 15 21:06 john.appleseed.key<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a04.3k Aug 15 21:05 openvpn-server.crt<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a01.7k Aug 15 21:06 openvpn-server.key<br \/>\n-rw-------\u00a0\u00a01 root\u00a0\u00a0wheel\u00a0\u00a0\u00a0636B Aug 15 21:17 ta.key<\/div>\n<p>After listing your keys, you should see the CA, server and user certificates and private keys (*.crt and *.key), the Diffie-Hellman file (dh.pem) and the tls-auth key (ta.key), all readable by root only. Note that cp pki\/private\/* also copied ca.key. The running server never needs the CA&#8217;s private key (only ca.crt); it is needed only when you issue or revoke certificates, so if this dataset is shared or backed up widely, consider keeping ca.key elsewhere (for example only inside the jail&#8217;s pki directory, or offline) to limit what an attacker gains from reading \/mnt\/keys.<\/p>\n<p><b>OpenVPN Server Configuration<\/b><br \/>\nNow we&#8217;ll place our OpenVPN configuration in \/mnt\/keys\/openvpn.conf 
using nano:<\/p>\n<div>[root@OpenVPN \/mnt\/keys]# <b>nano openvpn.conf<\/b><\/div>\n<p>Insert the following configuration:<\/p>\n<div class=\"bbCodeBlock bbCodeCode\">\n<div class=\"type\">Code:<\/div>\n<pre>port 10011\r\nproto udp\r\ndev tun\r\nca ca.crt\r\ncert openvpn-server.crt #Server public key\r\nkey openvpn-server.key #Server private key\r\ndh dh.pem #Diffie-Hellman parameters\r\nserver 172.16.8.0 255.255.255.0 #Purple network\r\nifconfig-pool-persist ipp.txt\r\npush \"route 10.0.0.0 255.255.255.0\" #Yellow network\r\ntls-auth ta.key 0\r\n#crl-verify crl.pem\r\nkeepalive 10 120\r\ncipher AES-256-CBC\r\nauth SHA256\r\ngroup nobody\r\nuser nobody\r\ncomp-lzo\r\npersist-key\r\npersist-tun\r\nverb 3<\/pre>\n<\/div>\n<p>A few notes about this configuration:<\/p>\n<ul>\n<li>The port on which the OpenVPN service listens is UDP 10011, because my router maps port 10011 on the <i>OpenVPN Jail<\/i>&#8217;s IP to WAN (internet) port 443. Using 443 on the outside mostly helps you connect from networks that block unusual ports; the port number itself is not a security control, the certificates and ta.key are.<\/li>\n<li>Change the 10.0.0.0 address to your yellow network.<\/li>\n<li>The file ipp.txt records which IP each client got, so a client gets the same IP the next time it connects.<\/li>\n<li>Note how a static route is pushed to the client, telling it that the yellow network is reachable through this jail (<i>OpenVPN Jail<\/i>).<\/li>\n<li>auth and tls-auth are not negotiated: the client must carry the same auth SHA256 line and the same ta.key with the opposite direction (1), or every handshake fails with a TLS error on the client.<\/li>\n<li>crl-verify is commented out, so a revoked client certificate would still be accepted. When you do need to lock a client out, run .\/easyrsa revoke john.appleseed followed by .\/easyrsa gen-crl, copy pki\/crl.pem next to this file and uncomment the line.<\/li>\n<li>comp-lzo enables compression, which must then also be set on the client. Be aware that compressing traffic before encrypting it leaks information about its contents (the VORACLE attack on OpenVPN, 2018); if you do not need the bandwidth savings, remove comp-lzo on both ends.<\/li>\n<li>user nobody and group nobody drop the daemon&#8217;s privileges after start-up; persist-key and persist-tun let it keep the key material and the tunnel across restarts even though, as nobody, it can no longer read the key file.<\/li>\n<\/ul>\n<p>Exit and save this file (ctrl+x in nano). Now let&#8217;s configure NAT so we can create the purple network.<\/p>\n<p><b>Server NAT Configuration<\/b><br \/>\nNext, we&#8217;ll create the firewall rules for the server:<\/p>\n<div>[root@openvpn \/mnt\/keys]# <b>nano \/usr\/local\/etc\/ipfw.rules<\/b><\/div>\n<p>This will create a new file in \/usr\/local\/etc\/ named ipfw.rules. 
Insert the following rules in that file:<\/p>\n<div class=\"bbCodeBlock bbCodeCode\">\n<div class=\"type\">Code:<\/div>\n<pre>#!\/bin\/sh\r\n\r\nEPAIR=$(\/sbin\/ifconfig -l | tr \" \" \"\\n\" | \/usr\/bin\/grep epair)\r\nipfw -q -f flush\r\nipfw -q nat 1 config if ${EPAIR}\r\nipfw -q add nat 1 all from 172.16.8.0\/24 to any out via ${EPAIR}\r\nipfw -q add nat 1 all from any to any in via ${EPAIR}\r\n\r\nTUN=$(\/sbin\/ifconfig -l | tr \" \" \"\\n\" | \/usr\/bin\/grep tun)\r\nifconfig ${TUN} name tun0<\/pre>\n<\/div>\n<p>Important: avoid copying and pasting commands from the internet without reading them. If you do paste this, make sure there is no space between the $ and the braces in ${EPAIR}, and change 172.16.8.0\/24 if you chose a different purple network in openvpn.conf.<\/p>\n<p>A few notes about this script:<\/p>\n<ul>\n<li>The EPAIR line finds the jail&#8217;s epair interface (its leg in the yellow network, epair0b in this setup). The first ipfw line then flushes any previous firewall configuration.<\/li>\n<li>The second ipfw line defines NAT instance 1 and binds it to that interface, so translated packets leave with the jail&#8217;s yellow address (10.0.0.14). This is what turns the purple network into a NAT network.<\/li>\n<li>The third one says that all traffic from the purple network going out through the epair interface must pass through that NAT instance (the one connected to the yellow network).<\/li>\n<li>The last one accepts any traffic coming from the yellow network (i.e. 
the one connected through the epair0b interface) back into the jail, passing it through the same NAT instance so replies are translated back to purple addresses.<\/li>\n<li>The final two lines rename whatever tun interface the jail was given to tun0, so its name does not depend on the unit number the host handed out.<\/li>\n<li>These rules are the backbone of the translation between the yellow and purple networks. Note that the rule set ends with the default allow-everything rule (65535), so this script does NAT only; it does not filter anything.<\/li>\n<\/ul>\n<p>Finally, let&#8217;s edit \/etc\/rc.conf so our configuration is read at start-up:<\/p>\n<div>[root@openvpn \/mnt\/keys]# <b>nano \/etc\/rc.conf<\/b><\/div>\n<p>Insert this after the last line:<\/p>\n<div class=\"bbCodeBlock bbCodeCode\">\n<div class=\"type\">Code:<\/div>\n<pre>openvpn_enable=\"YES\"\r\nopenvpn_if=\"tun\"\r\nopenvpn_configfile=\"\/mnt\/keys\/openvpn.conf\"\r\nopenvpn_dir=\"\/mnt\/keys\"\r\ncloned_interfaces=\"tun\"\r\ngateway_enable=\"YES\"\r\nfirewall_enable=\"YES\"\r\nfirewall_script=\"\/usr\/local\/etc\/ipfw.rules\"<\/pre>\n<\/div>\n<p>Replace \/mnt\/keys\/ with the path where you mounted your permanent storage. This enables the OpenVPN service, tells it where to find the configuration we saved (openvpn_dir is the directory the relative ca, cert, key and dh paths in openvpn.conf resolve against), turns on IP forwarding (gateway_enable) and tells ipfw to load our NAT script.<\/p>\n<p>Now go to your FreeNAS web GUI and <b>restart<\/b> the jail.<\/p>\n<p>Use jexec to get inside your jail again. 
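<\/p>\n<p>Once back inside, there are two things to confirm: that the NAT rules are loaded and refer to the purple network you put in openvpn.conf, and that the daemon is listening on the configured port as user nobody. Checking them by eye is fine once, but a stale network left in ipfw.rules or a port changed in only one place is easy to miss, so here is the same check as a script. It is an added example written for this guide, not part of the original post or of FreeNAS; the sample outputs embedded in it are constructed (they include two deliberately broken variants) and the function names are assumptions. Inside the jail you would feed it the live output of ipfw list and sockstat -4 -l instead.<\/p>\n

```shell
#!/bin/sh
# Added example for this guide (not from the original post): a post-restart
# check that reads what "ipfw list" and "sockstat -4 -l" print inside the jail
# and compares it with the values from openvpn.conf. The outputs below are
# constructed samples; the purple network, protocol and port are passed in.

# check_nat IPFW_LIST NET: the outbound NAT rule must cover exactly NET (for
# example 172.16.8.0/24) and an inbound rule must feed replies through the same
# NAT instance. A list containing only rule 65535 means ipfw.rules never ran.
check_nat() {
    rules=$1; net=$2
    natted=$(printf '%s\n' "$rules" | sed -n 's|.*nat [0-9]* ip from \([0-9./]*\) to any out via .*|\1|p')
    if [ "$natted" != "$net" ]; then
        echo "outbound NAT covers '${natted:-nothing}', openvpn.conf serves $net"; return 1
    fi
    if ! printf '%s\n' "$rules" | grep -q 'nat [0-9]* ip from any to any in via '; then
        echo "no inbound NAT rule: replies from the yellow network will not be translated back"; return 1
    fi
    return 0
}

# check_listener SOCKSTAT PROTO PORT: openvpn must be bound to *:PORT over PROTO
# (udp4 for "proto udp"), and as "nobody", which shows the privilege drop worked.
check_listener() {
    out=$1; proto=$2; port=$3
    # sockstat columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
    line=$(printf '%s\n' "$out" | awk '$2 == "openvpn" { print $1, $5, $6; exit }')
    case "$line" in
        "nobody ${proto}4 *:$port"|"nobody ${proto}6 *:$port") return 0 ;;
        "") echo "openvpn is not listening at all (service not started?)"; return 1 ;;
        root*) echo "openvpn is listening as root; 'user nobody' in openvpn.conf did not take effect"; return 1 ;;
        *) echo "openvpn listens as '$line', openvpn.conf says $proto $port"; return 1 ;;
    esac
}

# Constructed samples: what a correct jail prints, plus two broken variants.
IPFW_OK='00100 nat 1 ip from 172.16.8.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any'
IPFW_WRONG_NET='00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any'
IPFW_EMPTY='65535 allow ip from any to any'
SOCKSTAT_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    63758 6  udp4   *:10011               *:*
root     syslogd    63726 7  udp4   *:514                 *:*'

# Demo: inside the jail you would pass "$(ipfw list)" and "$(sockstat -4 -l)" instead.
check_nat "$IPFW_OK" 172.16.8.0/24 && echo "NAT: OK"
check_nat "$IPFW_WRONG_NET" 172.16.8.0/24 || echo "(expected) stale network in ipfw.rules"
check_nat "$IPFW_EMPTY" 172.16.8.0/24 || echo "(expected) firewall_script did not run"
check_listener "$SOCKSTAT_OK" udp 10011 && echo "listener: OK"
check_listener "$SOCKSTAT_OK" udp 10010 || echo "(expected) port mismatch"
```
\n<p>The IPFW_EMPTY case is the symptom described under Troubleshooting below (only rule 65535 present); the IPFW_WRONG_NET case is what you get when the network in openvpn.conf is changed but ipfw.rules is not, and it fails quietly: clients connect, get an address, and can reach nothing in the yellow network.<\/p>\n<p>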
Let&#8217;s confirm the firewall is configured properly. The network in the first rule must be the purple network from openvpn.conf (172.16.8.0\/24 here):<\/p>\n<div>[root@openvpn \/mnt\/keys]# <b>ipfw list<\/b><br \/>\n00100 nat 1 ip from 172.16.8.0\/24 to any out via epair0b<br \/>\n00200 nat 1 ip from any to any in via epair0b<br \/>\n65535 allow ip from any to any<br \/>\n[root@openvpn \/mnt\/keys]#<\/div>\n<p>To check that OpenVPN is listening on your configured port (10011 in this guide), and as user nobody rather than root, run<\/p>\n<div>[root@OpenVPN \/]# <b>sockstat -4 -l<\/b><br \/>\nUSER COMMAND PID\u00a0\u00a0\u00a0FD PROTO\u00a0\u00a0LOCAL ADDRESS FOREIGN ADDRESS<br \/>\nnobody\u00a0\u00a0\u00a0openvpn 63758 6\u00a0\u00a0udp4\u00a0\u00a0\u00a0*:10011 \u00a0\u00a0\u00a0*:*<br \/>\nroot syslogd 63726 7\u00a0\u00a0udp4\u00a0\u00a0\u00a0*:514 *:*<br \/>\n[root@OpenVPN \/]#<\/div>\n<p>This means that OpenVPN is successfully listening on the configured port.<\/p>\n<p><b>Client Configuration<\/b><br \/>\nFor each client that was configured, we need to hand over its certificate and private key, the CA root cert and ta.key. Go to \/mnt\/keys and type:<\/p>\n<div>[root@vpnserver \/mnt\/keys]# <b>chmod 644 john.appleseed.key john.appleseed.crt ca.crt ta.key<\/b><\/div>\n<p>We need to relax the private key&#8217;s permissions so our non-root SFTP user can download it from the jail and we can insert it into the client configuration. Do this for each client you created. Remember that this makes the client key and ta.key readable by every user in the jail; once the files are downloaded, put the permissions back with chmod 600 john.appleseed.key ta.key, or delete the client key from the server altogether (the server never needs a client&#8217;s private key, and needs the client certificate only at signing time).<\/p>\n<p>Using any SFTP program you like, copy the files ca.crt, john.appleseed.key, john.appleseed.crt and ta.key from \/mnt\/keys to a folder on your desktop, preferably one that is not synced to a cloud service. 
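<\/p>\n<p>A mismatch between the server configuration and the client file is the most common reason a fresh setup fails: OpenVPN does not negotiate auth, proto or the tls-auth key direction, and a client that has lost its auth SHA256 line simply times out with a TLS error while the server log shows at most an HMAC authentication failure. The script below is an added example written for this guide (not part of the original post or of OpenVPN): it pulls the relevant directives out of the server configuration and a client .ovpn, reports every disagreement, confirms remote-cert-tls server is present, and warns when compression is on. The sample files it writes are constructed for the example, a copy of this guide&#8217;s server configuration next to a client file that is missing its auth line; the function and file names are assumptions. Against the real files you would run check_pair \/mnt\/keys\/openvpn.conf home-vpn.ovpn once the client file of the next step exists.<\/p>\n

```shell
#!/bin/sh
# Added example for this guide (not from the original post or OpenVPN):
# cross-check a server openvpn.conf against a client .ovpn for the settings
# both ends must agree on. File and function names are assumptions.

# conf_get FILE DIRECTIVE: print the arguments of the first DIRECTIVE line,
# with any trailing "# comment" removed; prints nothing if it is absent.
conf_get() {
    awk -v d="$2" '
        { sub(/#.*/, "") }                         # "cert x.crt #Server public key" -> "cert x.crt"
        $1 == d { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# check_pair SERVER_CONF CLIENT_CONF: one line per problem; returns 1 if any.
check_pair() {
    s=$1; c=$2; rc=0
    # 1. Directives that must be identical; an absent one means OpenVPN's default.
    for d in proto cipher auth; do
        sv=$(conf_get "$s" "$d"); cv=$(conf_get "$c" "$d")
        if [ "$sv" != "$cv" ]; then
            echo "$d: server='${sv:-(default)}' client='${cv:-(default)}'"; rc=1
        fi
    done
    # 2. tls-auth: same key file on both sides, direction 0 on the server and 1 on the client.
    sdir=$(conf_get "$s" tls-auth); cdir=$(conf_get "$c" tls-auth)
    sdir=${sdir##* }; cdir=${cdir##* }           # keep the last word, the direction
    case "$sdir/$cdir" in
        0/1) ;;
        "/") ;;                                   # neither side uses tls-auth
        *) echo "tls-auth direction: server='$sdir' client='$cdir' (expected 0 and 1)"; rc=1 ;;
    esac
    # 3. Compression must match, and is a compression-oracle risk (VORACLE) even when it does.
    sc=$(grep -c '^comp-lzo' "$s" || true); cc=$(grep -c '^comp-lzo' "$c" || true)
    if [ "$sc" != "$cc" ]; then
        echo "comp-lzo: enabled on one side only"; rc=1
    elif [ "$sc" -gt 0 ]; then
        echo "note: compression is on; consider removing comp-lzo from both files"
    fi
    # 4. Without remote-cert-tls server any certificate the CA issued could pose as the server.
    if [ "$(conf_get "$c" remote-cert-tls)" != "server" ]; then
        echo "client lacks 'remote-cert-tls server'"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed sample input. The server file is this guide's
# configuration; the client file is the guide's with the "auth SHA256" line missing.
write_samples() {
    cat > "$1/openvpn.conf" <<'EOF'
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
push "route 10.0.0.0 255.255.255.0" #Yellow network
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
comp-lzo
EOF
    cat > "$1/home-vpn.ovpn" <<'EOF'
client
dev tun
proto udp
remote myddnsdomain.com 443
ca ca.crt
cert john.appleseed.crt
key john.appleseed.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
comp-lzo
EOF
}

# Demo: the sample pair fails on "auth", passes once the client gets "auth SHA256".
tmp=$(mktemp -d)
write_samples "$tmp"
check_pair "$tmp/openvpn.conf" "$tmp/home-vpn.ovpn" || echo "fix the client file before handing it out"
echo 'auth SHA256' >> "$tmp/home-vpn.ovpn"
check_pair "$tmp/openvpn.conf" "$tmp/home-vpn.ovpn" && echo "client and server now agree"
rm -rf "$tmp"
```
\n<p>For the sample pair the check prints auth: server='SHA256' client='(default)' and exits non-zero; after auth SHA256 is appended to the client file the same call passes (the compression note is advisory and does not fail the check). The same function catches a tls-auth file copied with the wrong direction, the other classic silent failure.<\/p>\n<p>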
In a text editor, type the following client configuration:<\/p>\n<div class=\"bbCodeBlock bbCodeCode\">\n<div class=\"type\">Code:<\/div>\n<pre>client\r\ndev tun\r\nproto udp\r\nremote myddnsdomain.com 443\r\nresolv-retry infinite\r\nnobind\r\npersist-key\r\npersist-tun\r\nca ca.crt\r\ncert john.appleseed.crt\r\nkey john.appleseed.key\r\nremote-cert-tls server\r\ncipher AES-256-CBC\r\nauth SHA256\r\ntls-auth ta.key 1\r\n#dhcp-option DNS 0.0.0.0\r\n#redirect-gateway def1\r\ncomp-lzo\r\nverb 3<\/pre>\n<\/div>\n<p>Replace myddnsdomain.com with your DDNS domain or with your static IP. If your router is configured with a different port mapping, replace 443 with your custom UDP port. Three lines deserve attention: cipher and auth must match the server&#8217;s, tls-auth uses the same ta.key with direction 1 (the server has 0), and remote-cert-tls server makes the client refuse any certificate that was not signed as a server type, so another VPN user cannot impersonate your NAS with their own client certificate.<\/p>\n<p>Save that file as home-vpn.ovpn in the folder on your desktop where you saved your certificates.<\/p>\n<p>Now use any OpenVPN client you like to import the OVPN file you just created. It will automatically detect your certificates and import them into its configuration. <b>Congratulations, you now have a working VPN!<\/b><\/p>\n<p><b>Know this<\/b><br \/>\nThis will only let you reach hosts in the yellow network. If you want to route all of your traffic through the tunnel (make the VPN your default gateway), uncomment the dhcp-option and redirect-gateway lines.<\/p>\n<p>Replace 0.0.0.0 with your local DNS server. 
This is almost always your gateway&#8217;s IP address; in my case it&#8217;s my ISP&#8217;s modem in the yellow network. If you do route everything through the tunnel, remember that the NAT rules above will then translate all of the client&#8217;s internet traffic too, so it exits through the jail&#8217;s yellow address and your home gateway.<\/p>\n<p><b>Security Hardening<\/b><br \/>\nThis section is optional and helps protect your server from DoS and unauthorized intruders.<\/p>\n<p><b>DoS mitigation<\/b><br \/>\nThe tls-auth option adds a keyed hash (an HMAC, using the digest chosen by auth) to every control-channel packet, computed with a static pre-shared key. Packets whose HMAC does not verify are dropped before any TLS processing takes place. This hides the service from scanners, which get no reply at all, and protects against DoS and against attacks on the TLS stack itself, because an attacker without ta.key cannot even start a handshake.<\/p>\n<p>What this means is that if someone doesn&#8217;t possess this key, the OpenVPN server won&#8217;t even entertain the idea of authenticating a request from them.<\/p>\n<p>This key is generated on the server and must be included in each client along with the other files (ca.crt, john.appleseed.crt and john.appleseed.key). It is included in the main instructions, so if you followed them correctly, this is already in place. Two consequences: ta.key is shared by every client, so it must be replaced (and redistributed) if any client is compromised, and on OpenVPN 2.4 or newer you can use tls-crypt with the same key file instead of tls-auth, which additionally encrypts the control channel so certificate details are not visible to a passive observer.<\/p>\n<p><b>Troubleshooting<\/b><\/p>\n<p><b>Is it running?<\/b><br \/>\n[root@openvpn \/]# <b>ps aux<\/b><br \/>\nUSER PID %CPU %MEM\u00a0\u00a0\u00a0VSZ\u00a0\u00a0RSS TT\u00a0\u00a0STAT STARTED TIME COMMAND<br \/>\nnobody\u00a0\u00a04977\u00a0\u00a00.0\u00a0\u00a00.0 21704 3536\u00a0\u00a0-\u00a0\u00a0SsJ\u00a0\u00a010:20PM 0:00.08 \/usr\/local\/sbin\/openvpn --cd \/usr\/local\/<br \/>\nHere I can confirm that my OpenVPN server is running inside the jail as a service, as user nobody. If you don&#8217;t see your process, run OpenVPN manually (next step).<\/p>\n<p><b>Check OpenVPN&#8217;s output<\/b><br \/>\nStop the OpenVPN service (if running) and run it manually to see the output. Run it from the directory holding the keys, so the relative ca, cert, key and dh paths in the configuration resolve.<br \/>\n[root@openvpn \/]# service openvpn stop<br \/>\n[root@openvpn \/]# cd \/mnt\/keys<br \/>\n[root@openvpn \/mnt\/keys]# openvpn --config \/mnt\/keys\/openvpn.conf<br \/>\n<b><br \/>\nReboot<\/b><br \/>\nHave you tried turning it on and off again? 
No seriously, FreeNAS seems to not update its routing tables properly using the newly created tunnel interface, but it seems that after a reboot, OpenVPN does connect properly.<\/p>\n<p><b>Check the firewall rules<\/b><br \/>\nAsk the firewall to print its current rules. If, after restarting your jail, the output looks like this:<\/p>\n<div>[root@openvpn \/mnt\/keys]# <b>ipfw list<\/b><br \/>\n65535 allow ip from any to any<\/div>\n<p>then there&#8217;s something wrong with your firewall configuration: the script did not run, or it failed after the flush line. Check that \/usr\/local\/etc\/ipfw.rules contains the proper rules and that the paths in \/etc\/rc.conf are correct; running sh \/usr\/local\/etc\/ipfw.rules by hand inside the jail will show any error message the rc system swallowed.<\/p>\n<p>&#8212;<br \/>\nI hope this helps reduce the time it took me to originally figure out how to do everything without messing with static routes in the gateway router, firewall configurations and NAT issues.<\/p>\n<p><i>If you find a mistake or have a suggestion or improvement, please don&#8217;t forget to comment!<\/i><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Requirements FreeNAS 9.10+ Domain updated by DDNS or a static IP Internet access Router forwarding of your port of choice (in my case 10011 UDP internal to 443 UDP external). SFTP Client (Winscp, Transmit or plain scp) Route all traffic? 
If you want to route all traffic through the VPN Tunnel, be sure to read [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[730,1,79,1062,42,51,495,68],"tags":[1064,984,1066,1068,920,1065,1063,291,165,921,1067,1069,983],"class_list":["post-4306","post","type-post","status-publish","format-standard","hentry","category-clusterweb","category-viazap","category-firewall","category-freenas","category-leitura-recomendada","category-linux-linuxrs","category-profissional-de-ti","category-redes-2","tag-a-jail","tag-access","tag-freenas-9-2-1-6","tag-hosts","tag-how","tag-in","tag-inside","tag-install","tag-openvpn","tag-to","tag-to-remote","tag-via-nat","tag-with"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4306"}],"version-history":[{"count":1,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4306\/revisions"}],"predecessor-version":[{"id":4307,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/4306\/revisions\/4307"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=43
06"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}