Openvpn the easy way

So I am trying to use the built-in OpenVPN server on SCALE. It's not straightforward.

My issue is the certs. I'm watching all the YouTube videos and that's where I am getting hung up, for two reasons:

  1. I'm on SCALE and all of YouTube seems to be dedicated to CORE, which is not the same in some cases
  2. I use a static IP, not a FQDN, so that makes certs so much more fun

Does anyone know how to set up an OpenVPN server on SCALE with a static IP using the proper certs like I described above?

Thanks so much for the help.

**UPDATE**

The solution is in this video: https://www.youtube.com/watch?v=S8I-IiQYVas which, even though it is for CORE, works perfectly on SCALE as long as you realize the boxes he is typing in are named the same but are in a different place on his screen. Easy tutorial, just remember to add the Common Name to your certs, otherwise you won't be able to download the client ones.

To get your remote clients access to your local assets, add these additional parameters to the Additional Parameters box in the OpenVPN Server settings in Services:

push "route 192.168.1.0 255.255.255.0"

push "redirect-gateway def1"

You should replace 192.168.1.0 with whatever net your TrueNAS server sits on.

In Network, add this static route:

destination = 192.168.2.0/24

gateway = [ip of your truenas]

In System Settings → Advanced → Init/Shutdown Scripts, add this command as post-init:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o enp3s0 -j MASQUERADE

where 192.168.2.0 is the net my OpenVPN server is giving out IPs on and enp3s0 is the ethernet adapter shown when I run ifconfig. Restart your server for this to take effect, or just open the shell and run it from there, but also make sure to include it in the Init/Shutdown Scripts to make it persistent across reboots.

**UPDATE 2**

Use this guide for a much easier experience:

https://github.com/imjustleaving/trueNAS/wiki/Installing-an-OpenVPN-Server-on-TrueNAS-Scale
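A post-init script for the NAT step in the update above, added here as an example and not part of the original post or the linked guide. It assumes the same values the post used (192.168.2.0/24 for the OpenVPN subnet, enp3s0 for the LAN interface) and a placeholder path for wherever you keep the script; change them to match your setup. It adds two checks the one-liner lacks: it refuses a subnet without a prefix length (the missing /24 a later comment ran into, since iptables treats a bare address as a /32), and it tests whether the rule is already present before appending, so running it from the shell and again at every boot does not stack duplicates. It also enables IPv4 forwarding, on the assumption that nothing else on the box has done so; repeating that is harmless.

```shell
#!/bin/sh
# Added example, not from the post: an idempotent post-init script for the
# NAT step described above. Assumptions (change to match your network):
# the OpenVPN subnet is 192.168.2.0/24 and the LAN interface is enp3s0,
# as in the post. Save it somewhere persistent, e.g. on a pool, and add
#   sh /mnt/tank/scripts/openvpn-nat.sh apply
# as a post-init command (the path is a placeholder).
set -eu

VPN_NET="${VPN_NET:-192.168.2.0/24}"   # subnet the OpenVPN server hands out
LAN_IF="${LAN_IF:-enp3s0}"             # LAN interface; confirm with: ip -br link
IPTABLES="${IPTABLES:-iptables}"       # overridable so the logic can be dry-run
NAT_ACTION=""                          # set to "added" or "present" by ensure_nat_rule

# iptables accepts a bare "-s 192.168.2.0" but treats it as /32, so the
# rule silently matches only that one address and no VPN client gets NAT.
# Refuse to continue unless a prefix length is given.
has_prefix() {
    case "$1" in
        */[0-9]|*/[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Append the MASQUERADE rule only if it is absent (-C checks for an exact
# match), so running this from the shell and again at every boot does not
# stack duplicate rules in the POSTROUTING chain.
ensure_nat_rule() {
    if ! has_prefix "$VPN_NET"; then
        echo "VPN_NET needs a /prefix length, got: $VPN_NET" >&2
        return 2
    fi
    if "$IPTABLES" -t nat -C POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null; then
        NAT_ACTION="present"
    else
        "$IPTABLES" -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IF" -j MASQUERADE
        NAT_ACTION="added"
    fi
    echo "nat rule $NAT_ACTION: $VPN_NET -> $LAN_IF"
}

# NAT alone does not move packets between interfaces; the kernel must also
# be forwarding. Without this, VPN clients reach the TrueNAS box itself but
# nothing behind it on the LAN.
enable_forwarding() {
    sysctl -q -w net.ipv4.ip_forward=1
}

# Only touch the live system when invoked as "apply"; sourcing the file
# just defines the functions.
if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    ensure_nat_rule
fi
```

Because `-C` needs the exact same match as the rule it checks for, keep the subnet and interface in the two variables rather than retyping them, and use the same variables if you ever add a matching `-D` line to a shutdown script.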

With a static IP on a LAN, you could do self-signed certs, but that is a bit like cheating.

I'm not an expert at certs, but I don't know any way to do it without a domain and "cheating".

Maybe you could do it with your own DNS to bounce back certbot’s requests for generating new certs with a DNS challenge.

I used to accomplish this by modifying /etc/nftables.conf and /etc/sysctl.conf but those were reset anytime I updated the system.

Your solution seems to be working, and I thank you for that. One thing that bugged me, and I couldn't for the life of me figure out why it wasn't working for me, is this:

iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o enp3s0 -j MASQUERADE

Maybe you should update the post to specify the mask there as this is probably the only resource specific to OpenVPN Server on Scale that I found on the internet. Thank you!

Thanks to you I just got OpenVPN working on my TrueNAS in about 30 minutes, when weeks ago I gave up after following a different tutorial for 4 hours while failing to make a connection. Thanks for the info!

Not sure what your use case is, but I ended up running Tailscale in a VM. Was up and working in about 15 minutes.

I don't know if this suits your needs, but you could do a little Ubuntu VM and run pihole + piholevpn; pretty easy to set up with OVPN or WireGuard.
Or if you don't need the pihole, just don't install it and only run the piholevpn script.

In addition to the video you posted, I've had some help over there because I wasn't able to access my LAN over VPN, and it works perfectly.

Why not just sign up for dynamic DNS so you have a FQDN?

Since version 10 or so, TrueNAS has built-in support for WireGuard. I set it up last week and I don't think I'd go back to OpenVPN unless I need DHCP support or something. It's just so much simpler to set up on both server and client (with QR code scanning). Almost as simple as setting up SSH.

Apologize if this is out of scope for the thread.

I've set up OpenVPN on my EdgeOS router. I can access my home LAN from an external client like my phone on cellular. However, the only host in my home I can't ping or SSH to is TrueNAS SCALE, despite it being assigned a valid IP in the same range/subnet as my other clients (192/24). I feel this may be an iptables issue, as the source OpenVPN IP is 172.x.x.x and the destination is 192.x.x.x. I've added a TCP accept to the iptables, and when I watch iptables I see my connection attempt traffic hitting the accept, but nothing gets through. What might I be missing?

I followed your steps and was successfully able to connect to my TrueNAS SCALE server using OpenVPN. However, when I'm connected it kills the rest of my internet on the client. Any way around this? If I switch to wg-easy, will that allow me internet access on the client?

I'm perfectly OK with cheating. Do you have a good video or walkthrough for doing this with self-signed certs?

I'm glad this is working for you.

I actually just abandoned the OpenVPN server for the TrueCharts app wg-easy. I can't tell you how much happier I am with it, not just because I don't have to do anything listed above for it to work perfectly, but also because cert management is so much better.

If you can use WireGuard in your setup, I recommend this route over OpenVPN now.

It's no problem, man. I'm glad you got something from this post.

As I told another redditor in the comments, I've actually switched to wg-easy (the app from the TrueCharts catalog). I like it a lot more and think it's way easier to configure for a just-works solution. Consider it in the future if you get stuck again or are setting up another TrueNAS server. I'm much happier now that I've switched and have shut down my OpenVPN server.

I've got a server install going into a client and they need a VPN. Since I have TrueNAS SCALE installed already, and it has a built-in OpenVPN server, I was thinking that's probably the best way, but I'm not sure…