-
Important Announcement for the TrueNAS Community.
The TrueNAS Community has now been moved. This forum has become READ-ONLY for historical purposes. Please feel free to join us on the new TrueNAS Community Forums
OpenVPN Service
- Thread starter RSVP
- Start date
ElectraFish
Dabbler
- Joined
- May 20, 2020
- Messages
- 13
[Bump]
Is there any documentation for how this service works yet?
Is there any documentation for how this service works yet?
ElectraFish
Dabbler
- Joined
- May 20, 2020
- Messages
- 13
[Double bump] With the TrueNAS 12 RELEASE, I still don't see any documentation regarding how to setup either the OpenVPN Client nor Server service. Anybody know of guide published anywhere?
I got the OpenVPN client to work with TrueNAS, here are the steps I followed, I hope this helps:
This is how my OpenVPN configuration file looks like:
This is how my OpenVPN configuration file looks like:
Code:
dev tun persist-tun persist-key cipher AES-128-CBC auth SHA512 tls-client client resolv-retry infinite remote vpn.domain.org 1194 udp lport 0 verify-x509-name "vpn.domain.org " name auth-user-pass remote-cert-tls server comp-lzo adaptive <ca> -----BEGIN CERTIFICATE----- MIIFgNGGD2bjNiJRSeJfugreDJkqhgh57w0BER8GFADBrMtMwEQYJYRRDEwuPcGVu UW+LBmf6rq+7zqi4UH+f+zB566FOpEwwSjEGA1UETMBEAxMKT3BlblZQTi1DQTEL ... 9Iw5MNx9phXRlZjwMX0L3pteGKNUNJlmgQZSjI1ZNw7K3CZsIB47QFwalqkGFqGr L0nObyspUxbcdqZVO/vbo3hFjNqVPjqkO4bP94G7D6w+W0ZHF6TXPmScvo2c9XVs qnpyhawELAHtDy3keG1Hf/A+D6nTGMUb5+7E9Lw9WS+M1B6jrE -----END CERTIFICATE----- </ca> <cert> -----BEGIN CERTIFICATE----- MIIGGTCCBAGgIBgAwIBABqhkiG9TANBgkw0BABKJZMQsFADwEQYDIEAZEwcGpPVy iSFcYvI0l24r3zcIF836KryNpb1FKFaYzFszG3bCVSIp9LwVDrz1irMahq/W43Zb ... D3kash6QiMfbVoxts2TEGMw18tz3ptf5R9QuGAILlfdZbVC9i0hj2wZvIMXZ+MDu zwjY8zVQnfyxT9gc2rYwZTx057ldXZRqds7H2znKzIDZC9iu+UrQzCmq+s/YXUjy KyLQVgOUIT6n2vyGuikiOvUczf1S8E8MBZtrvhM= -----END CERTIFICATE----- </cert> <key> -----BEGIN PRIVATE KEY----- MIIJQgkqhkiG9IBADANBgw0BAASCQEFACSwgkoAwggEAAQCAoIC71VfhS9wOaSNJ DCBpBfPtUc6iMzeezb0Dld1TGNmbujIAqOdmcnikE87lnQXA+w1ZIwKouFx2b7zr ... 6IEehZNciHpOU8zGE1RSNH1mqQKT6t0pK7hjGhlbZRsHmE8tGy7aBQi9z38pkunR M7Dird0Be9Ua6r90+lDczcggzwzHTZ== -----END PRIVATE KEY----- </key> key-direction 1 <tls-auth> # # 2048 bit OpenVPN static key # -----BEGIN OpenVPN Static key V1----- 31201c2093539a034a3549b8f109f7a0 ... c0224e25d9ed3d2b562e94bed507fcac -----END OpenVPN Static key V1----- </tls-auth>
- In"System\CAs"
- Add a new certificate
View attachment 41908 - The certificat can be found between the tags
<ca>and</ca>of the OpenVPN config file - Give it a name (here VPN_CA) and select "Import CA" as type
View attachment 41909 - Copy/paste the certificate from the configuration file
View attachment 41910
- Add a new certificate
- In "System\Certificate"
- Add a certificate
View attachment 41911 - It can be found in the OpenVPN config file between the tags
<cert>and</cert> - Give it a name (here VPN) and select "Import Certificate" as type and copy and paste the certificate and the key between the tags
<key>and</key>from the configuration file
View attachment 41912 - So, so far we have a CA and a certificate for the VPN connexion as below
View attachment 41913
- Add a certificate
- In "Services\OpenVPN client" some configuration fields need to be filled based on the OpenVPN configuration
- Get to the configuration of the service
View attachment 41914 - Client certificate: select the certificat that has been configured in #2
- Root CA: select the certificate that has been configured in #1
- The rest of the parameters are found in the OpenVPN configuration file
- In "Additional parameters" you can add options that are in the configuration files, like the TLS key for authentication or user login/password
View attachment 41915
- Get to the configuration of the service
- Start the service
- Start the service
View attachment 41916 - Test if the connection is working using
curl ifconfig.mein a terminal for example - Logs of the OpenVPN client can be found in
/var/log/messagesand/var/log/daemon
- Start the service
ElectraFish
Dabbler
- Joined
- May 20, 2020
- Messages
- 13
Thanks for the guide @Pitfrr ! I also found it really helpful! It honestly should go into the official documentation.
If it's not too much to ask, I'm having issues with my jails ability to talk to one another when the OVPN client is running. A particular example is Sonarr and Radarr not being able to communicate with Jackett. Any idea what's causing this?
If it's not too much to ask, I'm having issues with my jails ability to talk to one another when the OVPN client is running. A particular example is Sonarr and Radarr not being able to communicate with Jackett. Any idea what's causing this?
Unfortunately, my experience with jails (and network routing) is limited since I'm not using them...
I was planning on getting OpenVPN in a jail with FreeNAS 11 but then TrueNAS 12 came with OpenVPN integrated natively so I jumped on it and it solved my problem!
Haha, all good mate! I was in exactly the same boat, though I was struggling getting it to run properly inside a jail. Much easier to do it system wide than to install it in each jail anyway.
I did some more diagnostics anyway, and it turns out that my jails can communicate with each other. However, there's no WAN access from inside the jails. WAN access outside a jail is fine however. So I assume it's either an IPtables issue on the VPN server, or maybe something wrong with the network properties of my jails. If I get it fixed, I'll post my solution here. Though if anyone else has some suggestions, I'd love to hear them!
I did some more diagnostics anyway, and it turns out that my jails can communicate with each other. However, there's no WAN access from inside the jails. WAN access outside a jail is fine however. So I assume it's either an IPtables issue on the VPN server, or maybe something wrong with the network properties of my jails. If I get it fixed, I'll post my solution here. Though if anyone else has some suggestions, I'd love to hear them!
Check also on the network parameters of the jails in the GUI. Maybe the gateway is not right in the jails?
I remember, in TrueNAS, to be able to get WAN access once the VPN is active, I had to add a primary DNS server in the Network / Global configuration which was the DNS server of the network the VPN was connecting to.
I try to explain it a bit differently here with IP addresses examples:
I remember, in TrueNAS, to be able to get WAN access once the VPN is active, I had to add a primary DNS server in the Network / Global configuration which was the DNS server of the network the VPN was connecting to.
I try to explain it a bit differently here with IP addresses examples:
- TrueNAS VPN (on local LAN: 192.168.1.x):
- IP on local LAN: 192.168.1.44
- IP on VPN: 192.168.20.44
- Remote LAN (192.168.10.x)
- VPN server on remote LAN: 192.168.10.44
- Creating a VPN network on 192.168.20.x
- One host on this network will be TrueNAS with 192.168.20.44 once connected
- DNS server on remote LAN: 192.168.10.1
- TrueNAS needs to be configured with this DNS server otherwise, once connected to the VPN he won't be able to access WAN (at least that was the case for me...)
- VPN server on remote LAN: 192.168.10.44
CY Lau
Cadet
- Joined
- Oct 29, 2020
- Messages
- 2
Well unfortunately I won't be of much help because... I don't know! :-O
The only thing I can think of is the check box in the CA settings "Key Usage" (or the extended key usage).
I don't know what this option does and since I imported the CA, I don't have the check box anymore...
So my guess would be also to have a look at the VPN configuration and create a certificate for the VPN that does not use this option maybe...
The only thing I can think of is the check box in the CA settings "Key Usage" (or the extended key usage).
I don't know what this option does and since I imported the CA, I don't have the check box anymore...
So my guess would be also to have a look at the VPN configuration and create a certificate for the VPN that does not use this option maybe...
@CY Lau I'm having the exact same issue. I tried for a couple hours but got nowhere. Importing a CA does not give you the option to choose the "CRL sign" option and the post above from @Pitfrr is showing the creation of a new internal CA instead of importing a CA (which would allow you select that option). I'm not sure how they got it working with the steps given. But thanks for the help so far Pitfrr, it's much more than what we can get from the official docs. I went to the thread you linked above about the state of the documentation on v12 vs v11 and it's very frustrating seeing the direction the devs are going.
Yes I get the frustration and I was also a bit surprised not to say disappointed but this has been raised by the community and let's see what comes out of the discussion ongoing about the documentation. I'm pretty confident something interesting will come out of it. Even though I think it will take some more time...
belli
Cadet
- Joined
- Oct 30, 2020
- Messages
- 3
How did you generate the file?
Does your ASUS router allow you to create a VPN server? Sorry I'm new to this VPN topic. Wouldn't it be easier just to install the OpenVPN Server plugin from TrueNAS?
Hey @CY Lau, I think I have a better handle on this now after digging into it. It was all quite new to me! The error we are getting in Truenas, "Root CA must have CRL Sign set for KeyUsage extension", is telling us that the CA certificate does not have the ability to sign CRLs. That ability can be granted by adding a flag to the config file for openssl wherever the certificates were generated (for us through the router gui). Unfortunately for me that file appears to be read only after connecting through ssh to the router. That's ok, there are many ways to generate the correct certificates/keys, but for us, none of them involve the router interface.
One way to do this is using the router itself by connecting through ssh and spending some time in the command line. Follow the guide at https://github.com/RMerl/asuswrt-merlin.ng/wiki/Generating-OpenVPN-keys-using-Easy-RSA. This could be done on any *nix machine though really and there are windows options too. There's one catch, the config file for openssl does not have the sign CRL option enabled by default. In the easy-rsa folder, open the openssl.cnf and un-comment the following line: keyUsage = cRLSign, keyCertSign. You should be good to follow the guide and start generating certs/keys now that will work with truenas.
Another way that I'm looking into is to use an actual key manager/generator like XCA (https://hohnstaedt.de/xca/). It's a openssl based gui used to generate and store certificates in a password protected file.
Good luck!
One way to do this is using the router itself by connecting through ssh and spending some time in the command line. Follow the guide at https://github.com/RMerl/asuswrt-merlin.ng/wiki/Generating-OpenVPN-keys-using-Easy-RSA. This could be done on any *nix machine though really and there are windows options too. There's one catch, the config file for openssl does not have the sign CRL option enabled by default. In the easy-rsa folder, open the openssl.cnf and un-comment the following line: keyUsage = cRLSign, keyCertSign. You should be good to follow the guide and start generating certs/keys now that will work with truenas.
Another way that I'm looking into is to use an actual key manager/generator like XCA (https://hohnstaedt.de/xca/). It's a openssl based gui used to generate and store certificates in a password protected file.
Good luck!
