OpenVPN Server installation in a TrueNAS 13.0 jail and
the client OpenVPN Connect v3 configuration.
Revised on: May 24, 2024
You know of course that using a public WiFi connection is a high security risk. When you want to have access to your home or office network, the connection should go over a safe pathway. A VPN tunnel protects you from any spying eyes on the internet.
To create a VPN tunnel you need an OpenVPN server at home (or in the office) and an OpenVPN Connect v3 client on each of your mobile devices. Upon a connect request by the client, the first step is a handshake between client and server: the client identifies itself with its certificate and checks that the server is the correct one, and the server checks that the client is an approved one and that its certificate has not been revoked. If all is OK, the server uses the internet pathway between the two to create a virtual, direct and encrypted connection: data sent by the client is encrypted and decrypted upon arrival at the server, and the other way around. To create the direct connection the server needs a separate firewall for NAT. The resulting internet pathway between client and server now behaves like a local network: a hacker can't penetrate it from outside.
Enjoying my cappuccino in my favorite coffee bar with my iPad or MacBook, I will have safe access to my home network, as if I were at home!
How-to:
This how-to is about the installation and configuration of the OpenVPN server in a jail on a TrueNAS server, and the configuration of an OpenVPN Connect client on your iPhone, Android, iPad, MacBook, PC or what have you. We will show as an example the setup of the server in a jail on TrueNAS 13.0-U6.1, and of the client on my iPad. But it's also applicable to different hardware configurations.
Overview
This is what we are going to do:
Server configuration:
- Step 1 - Create the Jail.
- Step 2 - Install OpenVPN.
- Step 3 - Create Certificate Authority Variables.
- Step 4 - Generate the certificates.
- Step 5 - Configuring OpenVPN server.
- Step 6 - Setup ipfw Firewall for NAT.
- Step 7 - OpenVPN to run automatically.
- Step 8 - Enable Port Forwarding.
Client configuration:
- Step 9 - Create for each client a .ovpn file.
- Step 10 - Testing.
Create the Jail.
On the TrueNAS GUI go to Jails --> Add --> Advanced Jail Creation and use the following settings:
- Basic Properties
- Name OpenVPN
- Release 13.3-RELEASE
- VNET (check)
- auto
- vnet0 --> IP address for the jail, for example 192.178.0.55/24
- Default Router 192.178.0.1 (for this example)
- Jail Properties
- allow set hostname
- allow raw sockets
- allow mount
- Network Properties
- vnet0:bridge0
- OpenVPN /etc/resolv.conf
- ip4.saddrsel
- ip6.saddrsel
- Custom Properties
- priority 49
- host time
- allow tun
Click SAVE.
Install OpenVPN.
In the WebGUI of TrueNAS go to Jails, click on the new jail "OpenVPN", click Start and click Shell. Type the following commands in the Shell:
root@OpenVPN:/ # pkg
root@OpenVPN:/ # pkg update
root@OpenVPN:/ # pkg upgrade
root@OpenVPN:/ # pkg install openvpn
root@OpenVPN:/ # pkg install nano
root@OpenVPN:/ #
Create Certificate Authority Variables.
Create a new directory '/usr/local/etc/openvpn/':
$ mkdir -p /usr/local/etc/openvpn/
OpenVPN comes with easy-rsa 3 that makes generating certs and keys simple. Copy the easy-rsa directory into this new directory and copy vars.example to a new file named vars. Open it for editing.
$ cp -R /usr/local/share/easy-rsa /usr/local/etc/openvpn/
$ cd /usr/local/etc/openvpn/easy-rsa/
$ cp vars.example vars
$ nano vars
This vars file should contain the parameters that identify the authority (you!) who will create the Certificate Authority (CA) file. Read through vars for instructions on what to edit. Here is an example of how the result might look:
set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "NL"
set_var EASYRSA_REQ_PROVINCE "Noord Brabant"
set_var EASYRSA_REQ_CITY "Bergen op Zoom"
set_var EASYRSA_REQ_ORG "Cyberon CERTIFICATE AUTHORITY"
set_var EASYRSA_REQ_EMAIL "Cyberon@example.com"
set_var EASYRSA_REQ_OU "Cyberon CA"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7500 # Number of days
set_var EASYRSA_CERT_EXPIRE 365 # Number of days
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_DIGEST "sha256"
Write the file (Ctrl - w), save the file (Ctrl - o) and close nano (Ctrl - x).
Make the file executable:
$ chmod +x vars
Generate the certificates.
Go to the '/usr/local/etc/openvpn/easy-rsa/' directory and initialize the "Public Key Infrastructure" (PKI) directory:
$ cd /usr/local/etc/openvpn/easy-rsa/
$ easyrsa init-pki
Creation of the Root Certificate.
First we will create the root certificate ca.crt without a password. The option 'nopass' is used here to disable password protection of the CA:
$ easyrsa build-ca nopass
As server name you may use OpenVPN of course.
Creation of the Server Certificate and Key.
This certificate and key will identify your OpenVPN server to your clients. Your clients can check if they are connected to the correct server. Build it as follows:
$ easyrsa gen-req OpenVPN nopass
$ easyrsa sign-req server OpenVPN
$ openssl verify -CAfile pki/ca.crt pki/issued/OpenVPN.crt
Write down your PEM passphrase, you will need it later!
Creation of the Client Certificate and Key.
Each client should have its own certificate and key. As an example, let's create one for the client Suzy.
$ easyrsa gen-req Suzy nopass
$ easyrsa sign-req client Suzy
$ openssl verify -CAfile pki/ca.crt pki/issued/Suzy.crt
For additional security we need to generate "Diffie-Hellman" parameters (this takes some time):
$ openssl dhparam -out pki/dh2048.pem 2048
Copy all certificates to the openvpn directory:
Create two new directories 'server' and 'client' in /usr/local/etc/openvpn and copy ca.crt and all server certificates and keys into them:
$ mkdir -p /usr/local/etc/openvpn/{server,client}
$ cp pki/ca.crt /usr/local/etc/openvpn/server/
$ cp pki/issued/OpenVPN.crt /usr/local/etc/openvpn/server/
$ cp pki/private/OpenVPN.key /usr/local/etc/openvpn/server/
And do the same for your client keys:
$ cp pki/ca.crt /usr/local/etc/openvpn/client/
$ cp pki/issued/Suzy.crt /usr/local/etc/openvpn/client/
$ cp pki/private/Suzy.key /usr/local/etc/openvpn/client/
Don't forget to copy dh2048.pem into the server directory:
$ cp pki/dh2048.pem /usr/local/etc/openvpn/server/
Configuring OpenVPN server.
Let's use the server.conf example that came with the OpenVPN installation and change its name to openvpn.conf.
Type the following commands in the Shell:
$ cd /usr/local/share/examples/openvpn/sample-config-files/
$ cp server.conf /usr/local/etc/openvpn/openvpn.conf
$ nano /usr/local/etc/openvpn/openvpn.conf
Take some time to study the content of this file and edit it as you please. Feel free to use my openvpn.conf file as guidance:
port 1194
proto udp
dev tun
ca /usr/local/etc/openvpn/server/ca.crt
cert /usr/local/etc/openvpn/server/OpenVPN.crt
key /usr/local/etc/openvpn/server/OpenVPN.key
dh /usr/local/etc/openvpn/server/dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.178.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
tls-auth /usr/local/etc/openvpn/ta.key 0
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
log openvpn.log
explicit-exit-notify 1
The tls-auth line needs the static key ta.key. Generate it in the openvpn directory:
$ cd /usr/local/etc/openvpn
$ openvpn --genkey tls-auth ta.key
NOTE: Don't forget to change the local network address 192.178.0.0 to yours!
NOTE 2: In the latest version of OpenVPN (2.6) don't use compression (comp-lzo). Using compression makes you vulnerable to the VORACLE attack.
NOTE 3: The tls-auth option gives better protection against intruders and DDoS attacks: every control-channel packet must carry a valid HMAC made with ta.key, so packets from anyone without that key are dropped before a TLS handshake is even attempted.
Now let's start the openvpn service and check its status.
$ service openvpn start
$ service openvpn status
In case the service starts, but the status command reports it is not running, there might be a mistake in the openvpn.conf file. Maybe the openvpn.log file points you to the error.
To make sure, check the OpenVPN port using the sockstat command:
$ sockstat -l4
Setup ipfw Firewall for NAT.
OpenVPN uses its own IP addresses in the tunnel, so we need to set up the ipfw firewall in the jail to translate (NAT) these addresses for the OpenVPN server. OpenVPN most probably uses the interface 'tun0' for the tunnel. The rules should allow all connections from the tunnel network to be passed through the jail's external network interface 'vtnet0' (in a VNET jail this shows up as an epair interface, which the script below finds by itself).
Create a new file ipfw.rules for the firewall:
$ nano /usr/local/etc/ipfw.rules
Put the following rules in it:
#!/bin/sh
# The jail's external (VNET) interface is the epair interface.
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
# Start from an empty rule set.
ipfw -q -f flush
# NAT instance 1 translates to the address of the epair interface.
ipfw -q nat 1 config if ${EPAIR}
# Tunnel clients (10.8.0.0/24) going out, and replies coming back in.
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}
# Make sure the tunnel interface is called tun0, as openvpn.conf expects.
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0
Again: double check to avoid any mistakes, even when you copy and paste it from here! When you are sure, close nano.
We will check your good work in a few moments. So read on.
OpenVPN to run automatically.
To run the OpenVPN server and the firewall automatically after (re)starting your TrueNAS server, open the rc.conf file:
$ nano /etc/rc.conf
Type at the bottom the following lines:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_dir="/usr/local/etc/openvpn"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
Close nano and restart the jail.
Now your OpenVPN server should run fine. Check it as follows:
root@OpenVPN# ipfw list
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any
root@OpenVPN# sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   openvpn    5950  6  udp4   *:1194                *:*
root@OpenVPN#
If you get a similar result, your firewall is configured correctly and OpenVPN listens on the configured port. If not, you need to recheck the ipfw.rules file, the openvpn.conf file and the openvpn.log file.
Enable Port Forwarding.
With OpenVPN now running nicely, it's time to make the server reachable from the outside world. Access your local network router and enable port forwarding of port 1194 with protocol UDP to the OpenVPN jail's IP address.
Create for each client a .ovpn file.
Each of your clients should download and install OpenVPN Connect v3 from the app store of his/her device. The OpenVPN Connect client needs an .ovpn file to be able to connect to your OpenVPN server. Let's create such a file for client Suzy.
First step is to create a client config file:
$ cd /usr/local/etc/openvpn/client
$ nano client.conf
In the new file type the following:
client
dev tun
proto udp
remote myddnsdomain.com 1194
nobind
cipher AES-256-CBC
verb 3
key-direction 1
Check the external IPv4 address of your router in your browser with 'whatsmyip' and replace myddnsdomain.com above with the address found.
Next step is to combine this file and Suzy's client certificates in a new file Suzy.ovpn:
$ cat client.conf ca.crt Suzy.crt Suzy.key ../ta.key > Suzy.ovpn
Do NOT change the order of the files in the cat command! Finally we need to adapt this new file to OpenVPN's inline file format. Open the new file in nano and adapt its structure as shown below:
$ nano Suzy.ovpn
................
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
...................................
..............................
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
    Data:
        ........................................
        .............................
-----BEGIN CERTIFICATE-----
...............................
..........................
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
....................................
....................................
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
..................................
.......................
-----END OpenVPN Static key V1-----
</tls-auth>
So at the top of the file, after the line "key-direction 1" and just before the first line -----BEGIN CERTIFICATE-----, type <ca>. As shown, you end this section with </ca> followed by <cert>, and so on. Check your work and save it.
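The cat-and-nano step above can also be done by a small script. This is an added example, not part of the original how-to: it wraps each file in its tags in the required order and keeps only the PEM block of each file, so the readable "Certificate: Data:" dump that easy-rsa puts above the PEM block of an issued certificate is left out. The function names and the placeholder inputs in make_sample_inputs are my own constructions, not real certificates or keys.

```shell
#!/bin/sh
# build_ovpn.sh: assemble an inline .ovpn file from client.conf, ca.crt,
# <client>.crt, <client>.key and ta.key (added example, not the how-to's code).

# Print only the lines from -----BEGIN ... up to -----END ... of a file.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# build_ovpn <client name> <client dir> <path to ta.key> <output file>
build_ovpn() {
    name=$1; dir=$2; ta=$3; out=$4
    for f in "$dir/client.conf" "$dir/ca.crt" "$dir/$name.crt" "$dir/$name.key" "$ta"; do
        [ -r "$f" ] || { echo "build_ovpn: cannot read $f" >&2; return 1; }
    done
    # Same order as the cat command in the how-to: conf, ca, cert, key, ta.key.
    {
        cat "$dir/client.conf"
        echo '<ca>';       pem_only "$dir/ca.crt";    echo '</ca>'
        echo '<cert>';     pem_only "$dir/$name.crt"; echo '</cert>'
        echo '<key>';      pem_only "$dir/$name.key"; echo '</key>'
        echo '<tls-auth>'; pem_only "$ta";            echo '</tls-auth>'
    } > "$out" || return 1
    # The file now contains a private key: readable by the owner only.
    chmod 600 "$out"
}

# Constructed placeholder inputs (not real certificates or keys) laid out like
# easy-rsa's output, so the script can be tried without a PKI.
make_sample_inputs() {
    d=$(mktemp -d) || return 1
    printf '%s\n' client 'dev tun' 'proto udp' 'remote myddnsdomain.com 1194' \
        nobind 'cipher AES-256-CBC' 'verb 3' 'key-direction 1' > "$d/client.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' MIICcaPLACEHOLDER \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' MIICsuzyPLACEHOLDER '-----END CERTIFICATE-----' > "$d/Suzy.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' MIIEsuzyPLACEHOLDER \
        '-----END PRIVATE KEY-----' > "$d/Suzy.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' 0123abcd \
        '-----END OpenVPN Static key V1-----' > "$d/ta.key"
    echo "$d"
}

# In the jail: sh build_ovpn.sh Suzy /usr/local/etc/openvpn/client /usr/local/etc/openvpn/ta.key Suzy.ovpn
if [ "$#" -eq 4 ]; then build_ovpn "$@"; fi
```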
Testing.
I assume you have already installed the OpenVPN Connect client on your device. For mobiles and tablets you can download OpenVPN Connect from your app store. For PCs and Macs go to openvpn.net. For example, using an iMac as I write this, I went to the OpenVPN website, clicked the orange button "Download OpenVPN Connect v3" and installed it in the usual manner.
To get the client .ovpn file onto the Desktop of my iMac I used scp:
$ cd /usr/local/etc/openvpn/client
$ scp Suzy.ovpn imac-username@imac-ipaddress:~/Desktop
Next start OpenVPN Connect on the iMac and drop the client file (Suzy.ovpn on my Desktop) on the app.
To check if the OpenVPN tunnel works, you need to contact the server from a different location. I am sure you have an iPhone or Android, so let's use it as a hotspot. Open your browser on the iMac and google for 'whatsmyip' to find your external IPv4 address. Change your WiFi connection to the hotspot and check your external IPv4 address again. It should be different, of course.
Now click 'Connect' in the OpenVPN Connect client and check your external IPv4 address once more. It should be the same one you found over WiFi. If so...
What to do if OpenVPN fails to connect?
If creation of the tunnel fails, check the log file of OpenVPN Connect. It might look complicated, but be assured it tells you what went wrong. You might also consult the openvpn.log file in the OpenVPN jail on TrueNAS.
Security Warning:
By now you will be aware that the weak spot in OpenVPN's security is the client .ovpn file: it contains the client's certificate and private key. If it is lost, or somebody managed to make a copy, the security is compromised. Never send this file as an attachment to an e-mail! If you are not 100% sure the file is in safe hands, revoke it (see How-to revoke a client file) and create a new one for this client.