April 29, 2024

How to Configure OpenVPN on TrueNas 12 - Setup your own Home VPN - Part 1



Published June 7, 2023, 9:20 p.m. by Jerald Waisoki


Configure and set up OpenVPN without a jail on TrueNAS 12 and allow remote access connections to the TrueNAS subnet, or just to the TrueNAS system itself, safely and securely. Use this Virtual Private Network to securely connect back to your home network without worrying about hacker attacks on the connection!

https://mytechworks.online/?p=1

If your jails disconnect after entering the tunables:

Create a new jail with NAT selected in Basic Properties.

Power the jail on, then off. Do not delete the jail. It creates a NAT network interface that the jails will use to get out of the TrueNAS server.

Additional Parameters:

push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

Tunables:

firewall_enable
firewall_type
gateway_enable
natd_enable
natd_interface
natd_flags: -dynamic -m
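The following is an added example, not part of the original page or video: a small Python check of the addressing plan behind these settings. It uses the LAN (192.168.0.0/24), the VPN client subnet (192.168.1.0/24) and the Additional Parameters from this page; the function names and the remote-client networks passed in are constructed for illustration.

```python
import ipaddress
import shlex

# Values from the page; the client networks passed to review() are constructed.
LAN = ipaddress.ip_network("192.168.0.0/24")       # TrueNAS local subnet
VPN_POOL = ipaddress.ip_network("192.168.1.0/24")  # OpenVPN "Server" field
ADDITIONAL_PARAMETERS = """
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"
"""


def parse_pushes(text):
    """Return each pushed option as a token list, e.g. ['route', net, mask]."""
    pushes = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) == 2 and tokens[0] == "push" and tokens[1].strip():
            pushes.append(tokens[1].split())
    return pushes


def review(lan, vpn_pool, params, client_lan):
    """Return findings for one remote client's own local network."""
    findings = []
    client_net = ipaddress.ip_network(client_lan)
    pushes = parse_pushes(params)
    routes = [ipaddress.ip_network(f"{p[1]}/{p[2]}", strict=False)
              for p in pushes if p[0] == "route" and len(p) >= 3]

    if vpn_pool.overlaps(lan):
        findings.append("vpn-pool-overlaps-lan")   # clients would take LAN addresses
    if lan not in routes:
        findings.append("lan-route-not-pushed")    # clients never learn the LAN route
    if any(p[0] == "redirect-gateway" for p in pushes):
        findings.append("full-tunnel")             # all client traffic exits via home
    # A client whose own network matches a pushed route or the VPN pool
    # cannot tell its local hosts from the remote ones.
    for net in routes + [vpn_pool]:
        if net.overlaps(client_net):
            findings.append(f"client-lan-collides-with-{net}")
    return findings


if __name__ == "__main__":
    for client in ("10.20.30.0/24", "192.168.1.0/24", "192.168.0.0/24"):
        print(client, review(LAN, VPN_POOL, ADDITIONAL_PARAMETERS, client))
```

A collision finding means a client sitting on that network cannot reliably reach hosts behind the VPN by address; the usual remedy is to pick less common ranges for the home LAN and the VPN client subnet.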


Okay, today we are going to be looking at how to set up a VPN connection to our TrueNAS server so that we can access our shared files or our NAS or even other machines on our local network remotely and securely. So let's take a look at how to do that.

So if we take a look at the current TrueNAS SMB share, we can see we have our dump share here, and this is just storing some files, and we'll need to be able to access these files remotely. The end user in this case is working from their house and they would like to be able to access the files on their TrueNAS server from home, and I'd like to do that in a secure fashion that makes it easy for them to connect and access those files. So let's take a look at the machine that they have.

Okay, so this is the end user's machine, and we can see here, so they're not able to access this, and the IP is something completely different. Okay, so let's head over to our TrueNAS system and log in and take a look at what we can do to allow them access.

Okay, so here's our TrueNAS system that we'd like to be able to access remotely. So the first thing that we want to do is we want to be able to set up a secure way to authenticate the TrueNAS server and OpenVPN to the TrueNAS server, as well as any remote connections. We want to be able to provide a way to say that it is a legitimate connection and this server is the legitimate server that you're connecting to, and the way that we do that is through certificates.

So unless you want to pay for a certificate, which in most cases you probably don't if you're running TrueNAS, we can create our own certificate authority, which will be our TrueNAS server, and this is just to authenticate the certificates that we'll be using, to say that it is a genuine certificate and the connection is allowed.

Okay, so we'll come here, we'll select Add, and we will create our certificate. So we can select Profile, and it's going to be an OpenVPN root certificate authority, so let's name it appropriately: openvpn root ca. And then we will fill out our information here appropriately. This isn't really that big of a deal, you can put whatever you want. I'm gonna put...

Okay, so for Common Name you'll want to have a dynamic DNS or at least a URL or a domain that points to the address that this machine is located at. So it could be your internet-facing IP, as long as this domain name resolves to that address. So for us, we have a dynamic IP set up. So for Common Name, it'll only accept one argument. If you have multiple domains pointing to this IP address, you can put them in the SAN, or the Subject Alternative Names. You also want to have your primary common name in here as well, so let's add that.

Okay, and you'll see here that once we hit Enter it puts its own entry and allows you to add an additional entry, whereas this one does not, because this one only accepts a single entry. And then that's all we need for the root certificate. We can leave most of this stuff default. If you want to increase this, but is fairly good, and a key of 2048 bits is also pretty standard and pretty good. So I'll hit Submit, and there's our self-signed OpenVPN root certificate authority certificate.

Lots of certificates here. So the next certificate that we want to create, we will select the Certificates down here. TrueNAS comes by default with its own iXsystems certificate, and we don't want to use this one; we'll create a new one. Okay, so this one is going to be the certificate for the OpenVPN server. This one's going to be a certificate that is signed by the certificate authority that we just created. Okay, so the name, we'll call this openvpn server, and the profile, we have two options here: OpenVPN server certificate and the client.

Right now we're going to create a server certificate, and the option up here, you'll see that we have an openvpn root ca. This is the one that we just created in the Certificate Authorities section; we will be using that one. This we can leave default, and we'll fill in our information again here, and the remaining stuff we can leave as default, and we click on Submit. Perfect, now we have a certificate authority and a certificate for our OpenVPN server to provide our connection.

So now that that's complete, we can go over to our Services, and here we see one of the services is OpenVPN Server, and we can configure that here. Okay, so the first thing that we want to do is we want to use the OpenVPN server certificate that we have just created, and the root certificate authority is going to be this TrueNAS server, so select the certificate authority certificate that we have created earlier.

And then for Server, this is going to be the network subnet that our clients will be joining when they connect to this VPN. So we don't want it to be the same as the network that we're on, which is 192.168.0.23, because this is going to assign addresses from the bottom up. So if we assign it 192.168.0.0/24, the first client that joins is going to get .2 as an address, and that address is likely already assigned on this network, so we don't want to interfere with that. So we will change the network to 1.0/24, so our clients will join this subnet instead.

I like to change the port here, just so it's not the standard default, and I think we already have another VPN service on another machine for something else separate. So the authentication algorithm and the cipher, this is all going to be, there's a lot of selection here. I'm just going to go and select the most common stuff. SHA, SHA256 is a fairly common, well-understood algorithm; it is fairly secure. And the cipher that I like to select is going to be AES-256-CBC. And then we don't need any compression, it's not necessary, and I like to select this to TCP. We're going to create a tunnel, and the topology is going to be subnet. We'll do TLS auth enabled.

Okay, so let's save this, and then we should be able to start our OpenVPN server. And we want this also to start automatically, so select Start Automatically with the checkbox.

Okay, so now at this point we should be able to connect to our OpenVPN server, but there are a few more things that we need to do. We need to be able to securely connect to the OpenVPN server. So if we go here, we select Download Client Config, you'll see that there isn't, there's only the openvpn server. We don't want to use this certificate to connect to the OpenVPN server, so let's create another certificate that is going to allow us to connect using our OpenVPN client. So we'll come here, we'll say Add.

This time under Profile we're going to select OpenVPN client certificate, and we'll name this one openvpn user 1. The certificate authority is again going to be this TrueNAS server, and we'll fill in this information.

Okay, now we've created a user one. So if you want to have multiple people connecting, or multiple remote clients connecting to this, you can create multiple users to separate them and have control over who is and isn't able to connect by adding and removing these. So if it's the same person or the same end user connecting and they have multiple machines, maybe a couple laptops or something, you can provide them with the same certificate on multiple machines, and it will allow connections from those multiple machines. You don't need it per machine, you just need it per user, and that user can use the same certificate on multiple machines if they need. Unless you want to have control over those specific machines, and you can send them out multiple certificates for each machine, and if one machine gets compromised you don't have to reissue a new certificate for all of those remote machines, just the one that's been compromised. It's up to you on how you want to handle that. So now we have a certificate.

So let's go over to our Services and back to our OpenVPN server. We will select Configure, and now when we go to Download Client Config we have the option here for user01. Select that and hit Submit, and that will download an openvpnclientconfig.ovpn file. We will save that, and this file we're going to take to our remote machine, and it will allow us to configure our OpenVPN client to connect back to the TrueNAS over the VPN service that we've just created.

Okay, and before we are able to connect to our TrueNAS server remotely, because we're on a local subnet and we are not internet-facing directly, we will want to forward the port that we're using from our router out on the public internet into our subnet to this port. So we will have to go over to our router to configure that. So most routers nowadays do support port forwarding, and this should be an option in your router. All routers are different, so let's take a look at the router that's on this network.

Okay, so I've just gone over to the port forwarding section of this router. We're gonna create our port forwarding, so we'll do both TCP and UDP, and the port range we're going to select is 1196. So that's on the public side, so the client is going to be reaching out to this IP address on port 1196, and we want to forward that to the port 1196, so basically pass through. And we want it to go to the TrueNAS server that we are configuring, which is 23, and apply. And we can see that down here at the bottom, and that should be it for the configuration on the router.

Okay, so here's our file. Let's send it over to the remote machine, and we will look at how to configure OpenVPN on the remote machine.

Okay, so here we are on our remote machine, and we've downloaded our ovpn file. So let's download the OpenVPN client that we will be using to make this connection for us. So we just Google OpenVPN, or we can go to openvpn.net, and right on the front page for openvpn.net it should detect that we're on Windows and provide a download button. Let's download that and we will install it.

Okay, so I would always make sure that you download the latest version. If you already have this installed and your TrueNAS version is newer, make sure you re-download and install the latest version, because TrueNAS does update their server version and it may cause incompatibility issues, which I have seen previously. So get the latest version and install it, and it gives us this icon down here, and it indicates to us that we're disconnected. So we don't need the onboarding tour. Click Agree. Some updates.

Okay, and before we double-click on this file and import it, we do have to make a change to it. So we can right-click on it and select Edit with Notepad++, and we'll see here that the remote connection, it is set to the IP address of our TrueNAS server, and we want to set this to our DDNS URL that we've configured our certificates with. Okay, that's the only change that we have to make here. So we will save that file, and then we can go ahead and we can double-click on this, and the profile is for techworks, so we'll select the option to connect after import and we'll say Add, and that's it, we're connected.

So this isn't the end of it. Just because we're connected to the TrueNAS system doesn't mean we actually get the services for it. So let's take a look here. We are connected to the TrueNAS server over the VPN, but do we have the ability to connect to its IP? And it doesn't seem so, and we don't. We are able to connect to it over VPN, but that didn't do anything for us.

So there's a couple things we can do here to remedy this. So let's head back over to our TrueNAS server, and there are two ways that we can configure our TrueNAS server: to either provide VPN service for that subnet, so that we have access to that subnet, local network, and all of the services it might provide, like other servers or other shares or web services within that local subnet, or we can configure it just to have access to the TrueNAS server itself and the share that's on there. So let's take a look. Okay, and we can see here that the IP address that we received was 168.1.2, which is the IP subnet that we provided.

Okay, so for the most part, when you're setting up a VPN, I would generally assume that you would want to be able to access the network that the VPN server is on. So in order to do that, we have to configure our OpenVPN server a little bit further with some additional parameters. So the first additional parameter that we're going to need is to push route. So the route that we want to push is our local network. We want to push this route out to the server IP address, basically, so we'll provide the subnet that the TrueNAS server is sitting on locally, which is 192.168.0.1, and then the subnet mask. Then we're also going to want to push, and we're going to redirect the gateway and bypass DHCP, so redirect.

Okay, and then we also want to push to this network our DNS options, so we can use Google or we can use Cloudflare, whatever we want. So I will put in the Google IP, which is going to be 8.8.8, so we want to push dhcp option dns 8.8.8.8, and then if you want a secondary one we will do push dhcp option dns and we'll use a Cloudflare one as our secondary. Okay, so these are all the options that we want to have in the Additional Parameters. Select Save.

Okay, the next thing that we want to do is we want to go over to our Static Routes, and here we're going to want to add a static route. Basically, we want traffic destined to our client's network, which is 192.168.1 network, we want to use the TrueNAS system as its gateway. Okay, so the destination is going to be our client network and the gateway is going to be this TrueNAS server.

Okay, and we'll just label the description on there so we know what it is, and submit. Okay, and then we have one last set of configuration to perform, which is going to be in the Tunables section of a system. So what we'll be doing in here is enabling natd on the back end of the TrueNAS system to allow NAT to pass and forward traffic to our clients' subnet. Okay, so there's five or six options that we need to put here. So the first one we will provide is firewall enable. The value is going to be yes, and the type is going to be rc.conf. Add that one.

The next one is going to be the firewall type, so firewall type. This is going to be open. It's going to be rc.conf; all of these will be type rc.conf. So gateway enable, so this option is going to allow traffic forwarding, and this is going to be yes. And then we want to enable the natd services. Okay, so then natd interface, and our interface that we have connected on here is le0. And the last one we have here is going to be natd flags, and the option is going to be -dynamic -m, and this is going to have a dynamic NAT that preserves port numbers. Submit. So you should have a tunables that looks similar to this.

So the last thing to do is reboot your TrueNAS server. Because these are applied on boot-up and they are attached to the rc.conf file, we need to restart the system, so go ahead and do that, and we'll head over to the remote client machine once this is rebooted and we'll connect.

Okay, so here we are back at the client machine. We have our OpenVPN client here. Let's click on Connect. We should be able to click Connect again. Okay, and there we are, connected, and we got the same IP again. So now let's take a look and see if we can enter the IP address that we had trouble connecting to previously. Okay, you'll see that this is on the zero network while we are connected to the 1.2 network. Okay, and it asks for our credentials. We just provide a username and password that has credentials to access the Samba share, and there we have it, we're able to connect and transfer files. It's probably going to be a little bit slow, not the quickest connection speed here at the client's, on the client's machine, but it gets the job done for what they need.

Now we also have access to other addresses, so this is another share, their backup directory and their data directory, and the other web services that they have on their network, such as Webmin on one of the servers that they have there at the office.

Okay, so now that this is established, let's take a look at what we need to do if we don't want to provide VPN access to our entire network and we just want to limit it to the TrueNAS system itself. So we can keep pretty much all of the same options. The only option we need to change here is gateway enable. Okay, so we can edit this option, select Disabled, select Save, and restart this system. So basically this will stop IPv4 forwarding, so the TrueNAS system won't forward network requests out of the TrueNAS system. Okay, so let's restart, and we'll head over to our remote system and take a look at the connection there.

So we're back over on the remote system after the TrueNAS reboot. Let's connect back with our VPN connection and we'll take a look at what we have access to now. So let's take a look if we have access to the TrueNAS server, and we do. Okay, let's take a look if we have access to the other server that we were connecting to. Okay, and it doesn't look like it. Let's try with ping. Okay, and we get no response. So it's pretty easy to switch between full subnet access and just the TrueNAS server access. If you want to limit it just to the TrueNAS, you can do that. If you want the whole subnet and you want to be able to allow the client to connect to the entire subnet, you just re-enable that and restart your TrueNAS system, and you should be good to go.

I hope this has given you some confidence in getting a VPN setup connected to your server so you can access your server from remote locations. This is something that's pretty difficult going in alone, but with the tutorials and help that we get on the internet and YouTube, this can be done within 20 minutes or so. It took me a while to figure all this out. With lots of help from forums, from like DigitalOcean and Reddit, and a couple YouTube videos, we can get this accomplished. I got a lot of the information for this setup from other YouTube creators like SpaceRex, from forums like Reddit and DigitalOcean's help forums. I hope this video gives you some confidence in getting connected remotely over a VPN client with your TrueNAS system. I'll see you in the next video. Bye.
