Cannot start OpenVPN Server in jail

Post by MisterPiggo »

Hi,
I am using NAS4Free version 11.1.0.4 - Atomics (revision 4729) and I installed two extensions: OneButtonInstaller and TheBrig. After this I made a jail with the intention of running an OpenVPN server on it; for that I used the following tutorial: https://forums.freenas.org/index.php?th ... nat.22873/

However, I ran into a problem: if I try to start OpenVPN, it gives me the following error:

Code:

root@openvpn:/mnt/keys # openvpn --config /mnt/keys/openvpn.conf
Tue Oct 24 00:20:28 2017 WARNING: file 'ta.key' is group or others accessible
Tue Oct 24 00:20:28 2017 OpenVPN 2.4.4 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 19 2017
Tue Oct 24 00:20:28 2017 library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.10
Tue Oct 24 00:20:28 2017 GDG: problem writing to routing socket
Tue Oct 24 00:20:28 2017 Diffie-Hellman initialized with 2048 bit key
Tue Oct 24 00:20:28 2017 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Oct 24 00:20:28 2017 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Oct 24 00:20:28 2017 GDG: problem writing to routing socket
Tue Oct 24 00:20:28 2017 ROUTE: default_gateway=UNDEF
Tue Oct 24 00:20:28 2017 Cannot allocate TUN/TAP dev dynamically
Tue Oct 24 00:20:28 2017 Exiting due to fatal error

I immediately started looking for something with the firewall or something, so I tried to run ipfw list; however, this showed me the following error:

Code:

ipfw: socket: Operation not permitted

My conclusion would be that there is something wrong with the firewall or something, but I honestly have no idea what. Does anyone know the solution to this?

I generated the following keys and certificates:

Code:

root@openvpn:/mnt/keys # ls -lah /mnt/keys
total 52
drwxr-xr-x  2 root  wheel   512B Oct 24 00:08 .
drwxr-xr-x  3 root  wheel   512B Oct 24 00:04 ..
-rw-r--r--  1 root  wheel   1.1K Oct 24 00:05 ca.crt
-rw-------  1 root  wheel   1.7K Oct 24 00:05 ca.key
-rw-------  1 root  wheel   424B Oct 24 00:05 dh.pem
-rw-------  1 root  wheel     0B Oct 24 00:08 ipp.txt
-rw-r--r--  1 root  wheel   4.2K Oct 24 00:05 mark.crt
-rw-r--r--  1 root  wheel   1.7K Oct 24 00:05 mark.key
-rw-------  1 root  wheel   4.3K Oct 24 00:05 openvpn-server.crt
-rw-------  1 root  wheel   1.7K Oct 24 00:05 openvpn-server.key
-rw-r--r--  1 root  wheel   442B Oct 24 00:06 openvpn.conf
-rw-r--r--  1 root  wheel   636B Oct 24 00:05 ta.key

openvpn.conf:

Code:

root@openvpn:/mnt/keys # cat openvpn.conf
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt
key openvpn-server.key
dh dh.pem
server 10.10.9.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
tls-auth ta.key 0
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

/usr/local/etc/ipfw.rules:

Code:

root@openvpn:/mnt/keys # cat /usr/local/etc/ipfw.rules
#!/bin/sh

EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
ipfw -q add nat 1 all from 10.10.9.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0

/etc/rc.conf:

Code:

root@openvpn:/mnt/keys # cat /etc/rc.conf
sendmail_enable="NONE"
syslogd_flags="-ss"
rpc_bind="NO"
network_interfaces=""
cron_flags="$cron_flags -J 15"
hostname="openvpn.local"
syslogd_oomprotect="NONE"

openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/keys/openvpn.conf"
openvpn_dir="/mnt/keys"
cloned_interfaces="tun"
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Last edited by MisterPiggo on 24 Oct 2017 12:04, edited 1 time in total.
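
Added example, not part of the original post: the `ta.key` warning in the OpenVPN log and the `-rw-r--r--` modes on `mark.key` and `ta.key` in the listing above can be audited and corrected with a small POSIX sh script. The function names and the `*.key` / `dh*.pem` name patterns are assumptions taken from that listing, and `make_sample` builds a constructed directory with the same modes.

```shell
#!/bin/sh
# Added example: find secret files in an OpenVPN key directory that are
# accessible to group or others, then restrict them to the owner.
# Assumption: secrets are named *.key or dh*.pem, as in the listing above.
# Usage: loose_keys /mnt/keys ; tighten_keys /mnt/keys

# Print every secret file in directory $1 whose mode has any group/other bit.
loose_keys() {
    dir=$1
    for f in "$dir"/*.key "$dir"/dh*.pem; do
        [ -f "$f" ] || continue          # skip patterns that matched nothing
        # First 10 characters of `ls -ld` are the mode string, e.g. -rw-r--r--
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            -???------) ;;                # owner-only access: nothing to report
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Set every file reported by loose_keys to owner read/write only (0600).
tighten_keys() {
    loose_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f"
    done
}

# Constructed sample: empty files carrying the modes shown in the listing.
make_sample() {
    d=$(mktemp -d)
    for f in ca.key dh.pem openvpn-server.key mark.key ta.key ca.crt; do
        : > "$d/$f"
    done
    chmod 600 "$d/ca.key" "$d/dh.pem" "$d/openvpn-server.key"
    chmod 644 "$d/mark.key" "$d/ta.key" "$d/ca.crt"
    printf '%s\n' "$d"
}
```

Certificates such as `ca.crt` are public and are deliberately not matched; only private keys, the TLS-auth key and DH parameters are checked.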

Re: Cannot start OpenVPN in jail

Post by raulfg3 »

Please use this HOWTO: https://www.nas4free.org/forums/viewtop ... 72&t=12852

This can be useful too: https://www.nas4free.org/forums/viewtop ... 72&t=12637

And if I remember correctly, you need to use vnet on jails for this to work properly: https://www.nas4free.org/forums/viewtop ... 79&t=12998

This is for NAS4Free, not for FreeNAS like the one you use.

12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)

Re: Cannot start OpenVPN Server in jail

Post by MisterPiggo »

Thanks for your reply, however those tutorials are for using the OpenVPN as a client, I want a jail with OpenVPN server running. I want to run the OpenVPN server on the NAS because we do not have the resources to use another pc or device as the OpenVPN server.

Re: Cannot start OpenVPN Server in jail

Post by raulfg3 »

Please read the second link; it is for VPN server: https://www.nas4free.org/forums/viewtop ... 72&t=12637

Re: Cannot start OpenVPN Server in jail

Post by netware5 »

I have avoided all problems with installation of OpenVPN server under N4F by creating Ubuntu Server VM and installing the OpenVPN server on it. Runs like a charm
XigmaNAS 12.1.0.4 - Ingva (rev.7743) embedded on HP Proliant Microserver Gen8, Xeon E3-1265L, 16 GB ECC, 2x4TB WD Red ZFS Mirror

Re: Cannot start OpenVPN Server in jail

Post by raulfg3 »

OK, it is an option, but I assume that your hardware is server grade or has lots of RAM; for normal users, installing in a jail is a better option to "preserve" resources. <- More difficult to install, better performance = fewer resources used