[SOLVED] Use VPN and access your NAS from the internet.


#1

Post by rav » 14 Oct 2015 12:58

Hi everyone, I'm new at this forum but I'm using NAS4Free for some time and now I'm stuck with this issue.

What I'm trying to achieve is to put my traffic (like torrents) through a VPN (PIA is the one I'm considering) and on the other hand still have access to a web server or WebGUI from the internet. PIA won't open any ports for me and I also don't want to depend on a VPN provider if my web server is reachable or not.
So my question is how to put torrents (and maybe some other services) through a VPN and other traffic (like ssh, http) over normal internet connection? I was thinking about two NICs. Configure OpenVPN to use first NIC for all traffic that my NAS is initiating and then forward some ports on my ISP router to point to the second NIC's IP when I want to access services from outside.
I hope I explained it clearly enough... :)

Is it possible to do that? I'm new to VPNs so I don't know if it's even possible to set up OpenVPN to use a specific NIC for all traffic inside a VPN?

Thanks in advance!
Last edited by rav on 26 Oct 2015 01:54, edited 1 time in total.


Re: Use VPN and access your NAS from the internet.

#2

Post by Parkcomm » 14 Oct 2015 14:09

rav wrote: So my question is how to put torrents (and maybe some other services) through a VPN and other traffic (like ssh, http) over normal internet connection? I was thinking about two NICs. Configure OpenVPN to use first NIC for all traffic that my NAS is initiating and then forward some ports on my ISP router to point to the second NIC's IP when I want to access services from outside.
I hope I explained it clearly enough... :)

yep - use vnet jails
NAS4Free Embedded 10.2.0.2 - Prester (revision 2003), HP N40L Microserver (AMD Turion) with modified BIOS, ZFS Mirror 4 x WD Red + L2ARC 128M Apple SSD, 10G ECC Ram, Intel 1G CT NIC + inbuilt broadcom


Re: Use VPN and access your NAS from the internet.

#3

Post by rav » 14 Oct 2015 14:40

Parkcomm wrote: yep - use vnet jails

Ok, I'll try that later and post my results.

Anyway, if anyone will be kind enough to point me to some HOWTO about vnet jails I will be even more glad. ;)


Re: Use VPN and access your NAS from the internet.

#4

Post by Parkcomm » 14 Oct 2015 23:03

Not a tute - but the poster here was trying to do something similar. Also covers the limitation I mentioned viewtopic.php?f=57&t=9516

Re: Use VPN and access your NAS from the internet.

#5

Post by rav » 19 Oct 2015 03:44

Ok, so I'm stuck pretty much at the beginning...

I made a jail with theBrig, enabled VNET, filled in Side A with 192.168.1.101/24 and Side B with 192.168.1.102/24, and chose my second NIC in "Attach to interface". Now, when I start this jail my kernel panics and the system keeps rebooting infinitely:

Code:

kernel: bridge20: link state changed to UP
kernel: ue0: promiscuous mode enabled
kernel: epair2a: Ethernet address: 02:ff:60:00:05:0a
kernel: epair2b: Ethernet address: 02:ff:b0:00:06:0b
kernel: epair2a: link state changed to UP
kernel: epair2b: link state changed to UP
kernel: Sleeping thread (tid 100149, pid 3509) owns a non-sleepable lock
kernel: KDB: stack backtrace of thread 100149:
kernel: #0 0xffffffff80a53861 at mi_switch+0xe1
kernel: #1 0xffffffff80a9208a at sleepq_wait+0x3a
kernel: #2 0xffffffff809f4d4d at _cv_wait+0x16d
kernel: #3 0xffffffff80875890 at usb_proc_mwait+0x50
kernel: #4 0xffffffff8361868f at ue_init+0x6f
kernel: #5 0xffffffff83612612 at axe_ioctl+0x112
kernel: #6 0xffffffff80b18eb3 at bridge_mutecaps+0xa3
kernel: #7 0xffffffff80b17198 at bridge_ioctl_add+0x498
kernel: #8 0xffffffff80b1bea7 at bridge_ioctl+0x2a7
kernel: #9 0xffffffff80b805d4 at in_control+0x214
kernel: #10 0xffffffff80b1488c at ifioctl+0x131c
kernel: #11 0xffffffff80a9e975 at kern_ioctl+0x255
kernel: #12 0xffffffff80a9e670 at sys_ioctl+0x140
kernel: #13 0xffffffff80ecb857 at amd64_syscall+0x357
kernel: #14 0xffffffff80eb0fbb at Xfast_syscall+0xfb
kernel: panic: sleeping thread
kernel: cpuid = 1
kernel: KDB: stack backtrace:
kernel: #0 0xffffffff80a86a80 at kdb_backtrace+0x60
kernel: #1 0xffffffff80a4a1e6 at vpanic+0x126
kernel: #2 0xffffffff80a4a0b3 at panic+0x43
kernel: #3 0xffffffff80a97bd9 at propagate_priority+0x259
kernel: #4 0xffffffff80a9865e at turnstile_wait+0x3fe
kernel: #5 0xffffffff80a3023b at __mtx_lock_sleep+0x26b
kernel: #6 0xffffffff80b1be8c at bridge_ioctl+0x28c
kernel: #7 0xffffffff80b148e1 at ifioctl+0x1371
kernel: #8 0xffffffff80a9e975 at kern_ioctl+0x255
kernel: #9 0xffffffff80a9e670 at sys_ioctl+0x140
kernel: #10 0xffffffff80ecb857 at amd64_syscall+0x357

I need to physically detach that second Ethernet adapter from USB to boot normally without a reboot.

Am I doing something wrong here? Or is it a bug?


Re: Use VPN and access your NAS from the internet.

#6

Post by Parkcomm » 19 Oct 2015 10:39

Not quite enough information to see if you did anything wrong - for instance reuse an ip address that is already active on the host.

I can see in the trace you have two epair2as and two epair2bs with different hardware addresses. Epairs are assigned based on Jail number, and since you cannot have two jails with the same number, you should not be able to have this clash.

Having said that, when Alexy released theBrig with VNET support I hammered it, including doing every wrong config I could think of and I didn't see one panic.

Re: Use VPN and access your NAS from the internet.

#7

Post by rav » 19 Oct 2015 12:51

What else do you want to know? I will tell you everything. :)

I didn't reuse any IP address. Side A and Side B are assigned to free ones.
Also I don't see two epair2as and two epair2bs. Those are just different infos about address and link UP:

Code:

kernel: epair2a: Ethernet address: 02:ff:60:00:05:0a
kernel: epair2b: Ethernet address: 02:ff:b0:00:06:0b
kernel: epair2a: link state changed to UP
kernel: epair2b: link state changed to UP

If that's what you mean?

Parkcomm wrote: Having said that, when Alexy released theBrig with VNET support I hammered it, including doing every wrong config I could think of and I didn't see one panic.

Well, it's always like this when a little kid gets his hands on a phone (or even a calculator) and suddenly it turns out that he gained access to rebuild a kernel and turn it into a brick... and you didn't even know it's possible. :)


Re: Use VPN and access your NAS from the internet.

#8

Post by rav » 19 Oct 2015 20:46

Ok, so I switched the NICs and it creates VLAN without panicking on my motherboard integrated Ethernet. It turns out that it can't handle making VLAN on a USB Ethernet card.

So I'm moving on...


Re: Use VPN and access your NAS from the internet.

#9

Post by Parkcomm » 19 Oct 2015 21:52

rav wrote: Those are just different infos about address and link UP:

Apparently my dyslexia kicked in ;)

Re: Use VPN and access your NAS from the internet.

#10

Post by rav » 21 Oct 2015 15:28

I finally managed to set up a jail with the correct gateway in a separate network etc. (thanks to the thread you mentioned, Parkcomm: viewtopic.php?f=57&t=9516).

Now, I'm trying to get OpenVPN to work in that jail but it stops on this:

Code:

[root@test /usr/local/etc/openvpn]# openvpn --config openvpn.conf
Wed Oct 21 13:55:29 2015 OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Oct  4 2015
Wed Oct 21 13:55:29 2015 library versions: OpenSSL 1.0.1p-freebsd 9 Jul 2015, LZO 2.09
Enter Auth Username:
Enter Auth Password:
Wed Oct 21 13:55:43 2015 UDPv4 link local: [undef]
Wed Oct 21 13:55:43 2015 UDPv4 link remote: [AF_INET]5.153.234.74:1194
Wed Oct 21 13:55:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Oct 21 13:55:45 2015 [Private Internet Access] Peer Connection Initiated with [AF_INET]5.153.234.74:1194
Wed Oct 21 13:55:48 2015 Cannot allocate TUN/TAP dev dynamically
Wed Oct 21 13:55:48 2015 Exiting due to fatal error
[root@test /usr/local/etc/openvpn]#

ifconfig now gives me this:

Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
	inet6 ::1 prefixlen 128 
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
	inet 127.0.0.1 netmask 0xff000000 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ff:b0:00:06:0b
	inet6 fe80::ff:b0ff:fe00:60b%epair1b prefixlen 64 scopeid 0x2 
	inet 192.168.0.202 netmask 0xffffff00 broadcast 192.168.0.255 
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
	status: active
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun2: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun3: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun4: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
...........

tun252: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun253: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun254: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
tun255: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

creating 256 tun devices...(?!)

Here's my openvpn.conf if needed (downloaded from PIA site, not modified, and working on my Debian notebook):

Code:

client
dev tun
proto udp
remote sweden.privateinternetaccess.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
auth-user-pass
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem


After reading all the posts and articles uncle Google found for me about that "Cannot allocate TUN/TAP dev dynamically" error, I did the following:
a) add if_tap_load="YES" and if_tun_load="YES" to loader.conf (both host and jail)
but I suppose it's not necessary because I also did:
b) kldload if_tun (and kldload if_tap) and on the host it says:
kldload: can't load if_tun: module already loaded or in kernel
and in the jail:
kldload: can't load if_tun: Operation not permitted
So it seems to be loaded and problem is not here. (Am I right?)
c) even though I know it's for autostart but I put openvpn_if="tun" in the rc.conf (both host and jail) anyway, just to be sure...

Of course those solutions changed nothing.
So the problem seems not to be anywhere here... I think it might be related to devfs and maybe some permissions, I don't know. But it looks like OpenVPN creates this tun device and then cannot gain access to it so it creates another and another and so on...

Any ideas what to do with it?


Re: Use VPN and access your NAS from the internet.

#11

Post by rav » 22 Oct 2015 02:15

A little progress here but not much...
I thought I'd point OpenVPN directly at the tun0 device in the config file, and then a different error appeared:

Code:

Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)

I discovered that ifconfig creates the interface inside the jail but puts the actual tun0 device on the host in /dev/tun0

So... inside the jail OpenVPN uses ifconfig to create tun0, then looks in /dev/ for it and finds none, so creates tun1 and so on...
Why is that? How to force ifconfig to make those devices inside the jail's /dev/ and not on the host?


Re: Use VPN and access your NAS from the internet.

#12

Post by Parkcomm » 22 Oct 2015 06:43

I just tried the following:
Jail

Code:

# ifconfig tap0 create
ifconfig: SIOCIFCREATE2: Invalid argument

Host

Code:

# ifconfig tap0 create

ifconfig shows tap0 exists

Host

Code:

# ifconfig tap0 destroy

tap0 is gone

Jail

Code:

# ifconfig tap0 create
# ifconfig
tap0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:fa:c8:e9:00
	nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
	media: Ethernet autoselect
	status: no carrier

Weird huh?

Re: Use VPN and access your NAS from the internet.

#13

Post by Parkcomm » 22 Oct 2015 06:46

rav wrote: How to force ifconfig to make those devices inside the jail's /dev/ and not on the host?

That's not possible - you are passing the /devs/ through to the jail

Re: Use VPN and access your NAS from the internet.

#14

Post by rav » 26 Oct 2015 01:53

Finally, I have some time to clean up this topic and post my results as I solved this issue.
Starting from the beginning...
I've installed theBrig and found it to be a great extension for managing jails! So I'll base this on theBrig's options and descriptions for creating a jail for OpenVPN.

Created jail should have:
  1. "In jail allow:" add "allow.mount.devfs"
  2. check "Enable mount devfs"
  3. In section "Devfs ruleset:" add the following:

    Code:

    add path tun0 unhide

    This will allow OpenVPN to create and configure tun0 device inside the jail.
    Without this rule OpenVPN will exit with errors like this:

    Code:

    Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
    Cannot allocate TUN/TAP dev dynamically

  4. check "Enable virtual network stack (vnet)"
  5. Put your IPs: Side A is the host side IP, and Side B is the IP inside your jail (the one you can for example ssh into)
  6. In section "Attach to interface:" I chose my second ethernet NIC
    NOTE: IP attached to the second NIC used for jail, Side A IP, Side B IP and gateway IP inside a jail - all should be within the same IP range, for example 192.168.1.xxx
    NOTE 2: Don't try to make a VNET on a USB Ethernet card. My kernel panicked and fell into a reboot loop after I tried, so I switched to the motherboard's integrated NIC for the jail's VNET.
  7. Add those two afterstart_for_jail commands in "Jail commands" section:

    Code:

    route del default
    route add default 'jail_gateway_ip'

And now you have an OpenVPN friendly jail. :)

The next thing is to install OpenVPN, transmission and other stuff. If you want to autostart VPN using login/password authentication method, you need to compile OpenVPN from ports to enable reading login/password from a file.

I hope this helps someone trying to deal with the same problems I had. I know I would have appreciated those tricks two weeks ago. ;)
Thanks to Parkcomm for helping me with this stuff!

Here are some links I've used to get to this point:
  1. viewtopic.php?f=57&t=9516
  2. https://forums.freenas.org/index.php?th ... vpn.18669/
  3. https://forums.freenas.org/index.php?th ... ost-108802
  4. https://forums.freebsd.org/threads/open ... ice.22143/
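
A check for the symptom that step 3 fixes, added here as an example and not part of rav's post: it lists the tun/tap interfaces `ifconfig` reports inside the jail and flags those with no matching node in the jail's /dev, the state described in posts #10 and #11. The function names and the sample `ifconfig` text are constructed for illustration, and treating extra hidden interfaces as leftovers of failed attempts is an assumption.

```python
"""Added example: find tun/tap interfaces whose /dev node is hidden in a jail."""
import os
import re
import subprocess

# An interface stanza in ifconfig output starts in column 0: "tun0: flags=..."
IFACE_RE = re.compile(r"^((?:tun|tap)\d+): flags=", re.MULTILINE)

# Constructed sample, shaped like the ifconfig output quoted in the thread.
SAMPLE_IFCONFIG = (
    "lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384\n"
    "\tinet 127.0.0.1 netmask 0xff000000\n"
    "epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n"
    "\tinet 192.168.0.202 netmask 0xffffff00 broadcast 192.168.0.255\n"
    "tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500\n"
    "\toptions=80000<LINKSTATE>\n"
    "tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500\n"
    "\toptions=80000<LINKSTATE>\n"
)


def tunnel_interfaces(ifconfig_text):
    """Return tun/tap interface names in the order ifconfig lists them."""
    return IFACE_RE.findall(ifconfig_text)


def hidden_nodes(ifconfig_text, dev_entries):
    """Interfaces present in the network stack but without a visible /dev node."""
    visible = set(dev_entries)
    return [n for n in tunnel_interfaces(ifconfig_text) if n not in visible]


def advise(ifconfig_text, dev_entries):
    """Return (rule, stale): a devfs rule to add, and interfaces to clean up."""
    ifaces = tunnel_interfaces(ifconfig_text)
    hidden = hidden_nodes(ifconfig_text, dev_entries)
    if not hidden:
        return None, []
    if len(hidden) == len(ifaces):
        # No tunnel node is visible at all: the ruleset exposes none of them.
        # Suggest unhiding only the first device, in the syntax used in step 3.
        return f"add path {ifaces[0]} unhide", ifaces[1:]
    # At least one node is visible; the hidden ones are assumed to be leftovers.
    return None, hidden


if __name__ == "__main__":
    try:
        text = subprocess.run(["ifconfig"], capture_output=True,
                              text=True, check=True).stdout
        entries = os.listdir("/dev")
    except (OSError, subprocess.CalledProcessError):
        # Not on a host with ifconfig: fall back to the constructed sample.
        text, entries = SAMPLE_IFCONFIG, ["null", "zero", "random"]
    rule, stale = advise(text, entries)
    if rule is None and not stale:
        print("every tun/tap interface has a visible /dev node")
    if rule is not None:
        print("devfs ruleset is missing:", rule)
    for name in stale:
        print("interface without a /dev node, candidate for: ifconfig", name, "destroy")
```

Run inside the jail, a single suggested rule plus a long list of stale interfaces matches the 256-device output shown in post #10.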


Re: [SOLVED] Use VPN and access your NAS from the internet.

#15

Post by zirum » 20 Nov 2016 17:29

Hi!

Seems like this post is onto something critical for me (as well as a bunch of other users with the same problem), that I have been trying to fix for almost a year without luck... :) Really appreciate your efforts for making it easy in the last post!

But I am still not able to launch openvpn in my jail unfortunately. It might be due to problems with configuring the vnet, as I am really unfamiliar with how that stuff works. Whenever I try to configure it, the jail does not want to boot at all. So I have a couple of questions I hope someone would be able to help with.

1) Does the vnet require multiple nics? I only have one on the motherboard. I suspect/fear crappy onboard nic...
2) The Side A of the vlan, is that the host ip, or should it be on different subnet? My server is at 192.168.0.*, but it defaults to 192.168.1.*.
3) What does it use the netmask for? I noticed it defaults to /24, which implies the whole range of the 192.168.1.*, right?
4) Is it required to use vnet to allow tun devices in the jail?


Re: [SOLVED] Use VPN and access your NAS from the internet.

#16

Post by zirum » 20 Nov 2016 19:46

I think my problem is somewhere with the jail_gateway_ip... Jail does not start while I use those two commands. Is the "Nice" attribute important, or just the execution sequence? Is this supposed to be my router ip?

I have assigned the vnet to:
Side A: 192.168.1.5/24
Side B: 192.168.1.17/24

Nas4Free is 192.168.0.5, router is 192.168.0.1


Re: [SOLVED] Use VPN and access your NAS from the internet.

#17

Post by zirum » 20 Nov 2016 19:54

Shame on me I guess...

Using Side A as host ip, and Side B within same range, all is good :-)

My VPN is finally up and running within the jail! So awesome.

My wife was not impressed though :/
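
The addressing rule from the NOTE in step 6 of post #14, and the mismatch zirum reports in posts #16 and #17, written as a check (an added example, not code from any poster). `check_plan` and its parameter names are hypothetical, the gateway is assumed to be the router address zirum gives, and the Side B address in the working plan is constructed.

```python
"""Added example: sanity-check a VNET jail addressing plan before starting the jail."""
import ipaddress


def check_plan(side_a, side_b, gateway, nic_ip=None):
    """Return a list of problems; an empty list means the plan is consistent.

    side_a, side_b: "address/prefix" strings as typed into the jail manager.
    gateway: address passed to `route add default` inside the jail.
    nic_ip: address already configured on the NIC the jail attaches to (optional).
    """
    a = ipaddress.ip_interface(side_a)
    b = ipaddress.ip_interface(side_b)
    gw = ipaddress.ip_address(gateway)
    problems = []

    if a.network != b.network:
        problems.append(f"Side A {a} and Side B {b} are in different networks")
    if a.ip == b.ip:
        problems.append(f"Side A and Side B share the address {a.ip}")
    if gw not in b.network:
        # The jail has no on-link path to this gateway, so its default route cannot work.
        problems.append(f"gateway {gw} is outside Side B's network {b.network}")
    if gw == b.ip:
        problems.append(f"gateway {gw} is Side B's own address")
    for label, iface in (("Side A", a), ("Side B", b)):
        net = iface.network
        reserved = (net.network_address, net.broadcast_address)
        if net.prefixlen < net.max_prefixlen - 1 and iface.ip in reserved:
            problems.append(f"{label} {iface.ip} is the network or broadcast address of {net}")
    if nic_ip is not None:
        nic = ipaddress.ip_address(nic_ip)
        if nic not in a.network:
            problems.append(f"attached NIC {nic} is outside Side A's network {a.network}")
        if nic == b.ip:
            problems.append(f"Side B reuses the NIC address {nic}")
    return problems


# Values from post #16 (the plan with which the jail did not start).
FAILING = dict(side_a="192.168.1.5/24", side_b="192.168.1.17/24",
               gateway="192.168.0.1", nic_ip="192.168.0.5")
# Post #17's fix: Side A is the host IP. The Side B address here is constructed.
WORKING = dict(side_a="192.168.0.5/24", side_b="192.168.0.17/24",
               gateway="192.168.0.1", nic_ip="192.168.0.5")

if __name__ == "__main__":
    for name, plan in (("failing", FAILING), ("working", WORKING)):
        issues = check_plan(**plan)
        print(name, "->", "consistent" if not issues else "; ".join(issues))
```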


Re: [SOLVED] Use VPN and access your NAS from the internet.

#18

Post by boverkant » 09 Jan 2017 00:01

I've tried to follow the steps 1 to 7 from but I cannot get an internet connection in my vnet jail. I use thebrig to manage my jails. Can someone tell me what IP address I have to use for side A, side B and gateway?
Nas4free is on 192.168.0.100 and the standard gateway of the host system is on ip 192.168.0.1.
When I'm inside the jail I've no internet connection and I cannot ping 92.168.0.100 nor 192.168.0.1 or 8.8.8.8.
Do I need to make some adjustments on the host system also to get this working? (viewtopic.php?f=57&t=9516 is a dead link.)
