How to Configure OpenVPN on TrueNas 12 - Setup your own Home VPN - Part 1

Captions
[Music] Okay, today we are going to be looking at how to set up a VPN connection to our TrueNAS server so that we can access our shared files or our NAS, or even other machines on our local network, remotely and securely. So let's take a look at how to do that.

So if we take a look at the current TrueNAS SMB share, we can see we have our dump share here, and this is just storing some files, and we'll need to be able to access these files remotely. The end user in this case is working from their house and they would like to be able to access the files on their TrueNAS server from home, and I'd like to do that in a secure fashion that makes it easy for them to connect and access those files. So let's take a look at the machine that they have. Okay, so this is the end user's machine, and we can see here, so they're not able to access this, and the IP, the IPA is something completely different. Okay, so let's head over to our TrueNAS system and log in and take a look at what we can do to allow them access.

Okay, so here's our TrueNAS system that we'd like to be able to access remotely. So the first thing that we want to do is we want to be able to set up a secure way to authenticate the TrueNAS server and OpenVPN to the TrueNAS server, as well as any remote connections. We want to be able to provide a way to say that it is a legitimate connection and this server is the legitimate server that you're connecting to, and the way that we do that is through certificates. So unless you want to pay for a certificate, which in most cases you probably don't if you're running TrueNAS, we can create our own certificate authority, which will be our TrueNAS server, and this is just to authenticate the certificates that we'll be using, to say that it is a genuine certificate and the connection is allowed. Okay, so we'll come here, we'll select add, and we will create our certificate. So we can select profile, and it's going to be an OpenVPN root certificate authority, so let's name it appropriately, OpenVPN root CA, and
then we will fill out our information here appropriately. This isn't really that big of a deal, you can put whatever you want. I'm gonna put... Okay, so for common name you'll want to have a dynamic DNS, or at least a URL or a domain, that points to the address that this machine is located at. So it could be your internet-facing IP, as long as this domain name resolves to that address. So for us, we have a dynamic IP set up. So for common name, it'll only accept one argument. If you have multiple domains pointing to this IP address, you can put them in the SAN, or the subject alternative names. You also want to have your primary common name in here as well, so let's add that. Okay, and you'll see here that once we hit enter it puts its own entry and allows you to add an additional entry, whereas this one does not, because this one only accepts a single entry. And then that's all we need for the root certificate. We can leave most of this stuff default. If you want to increase this, but is fairly good, and a key of 2048 bits is also pretty standard and pretty good. So I'll hit submit, and there's our self-signed OpenVPN root certificate authority certificate. Lots of certificates here.

So the next certificate that we want to create, we will select the certificates down here. And TrueNAS comes by default with its own iXsystems certificate, and we don't want to use this one, we'll create a new one. Okay, so this one is going to be the certificate for the OpenVPN server. This one's going to be a certificate that is signed by the certificate authority that we just created. Okay, so the name, we'll call this OpenVPN server, and the profile, we have two options here, OpenVPN server certificate and the client. Right now we're going to create a server certificate. And the option up here, you'll see that we have an OpenVPN root CA. This is the one that we just created in the certificate authorities section. We will be using that one. This we can leave default, and we'll fill in our information again here, and the remaining
stuff we can leave as default, and we click on submit. Perfect, now we have a certificate authority and a certificate for our OpenVPN server to provide our connection.

So now that that's complete, we can go over to our services, and here we see one of the services is OpenVPN server, and we can configure that here. Okay, so the first thing that we want to do is we want to use the OpenVPN server certificate that we have just created, and the root certificate authority is going to be this TrueNAS server, so select the certificate authority certificate that we have created earlier. And then for server, this is going to be the network subnet that our clients will be joining when they connect to this VPN. So we don't want it to be the same as the network that we're on, which is 192.168.0.23, because this is going to assign addresses from the bottom up. So if we assign it 192.168.0.0/24, the first client that joins is going to get .2 as an address, and that address is likely already assigned on this network, so we don't want to interfere with that. So we will change the network to 1.0/24, so our clients will join this subnet instead.

I like to change the port here just so it's not the standard default, and I think we already have another VPN service on another machine for something else separate. So the authentication algorithm and the cipher, this is all going to be... there's a lot of selection here. I'm just going to go and select the most common stuff. SHA, SHA256 is a fairly common, well understood algorithm, it is fairly secure, and the cipher that I like to select is going to be AES-256-CBC. And then we don't need any compression, it's not necessary, and I like to select this to TCP. We're going to create a tunnel, and the topology is going to be subnet. We'll do TLS auth enabled. Okay, so let's save this, and then we should be able to start our OpenVPN server, and we want this also to start automatically, so select start automatically with the checkbox. Okay, so now at this point we should be able to
connect to our OpenVPN server, but there are a few more things that we need to do. We need to be able to securely connect to the OpenVPN server. So if we go here, we select download client config, you'll see that there isn't, there's only the OpenVPN server. We don't want to use this certificate to connect to the OpenVPN server, so let's create another certificate that is going to allow us to connect using our OpenVPN client. So we'll come here, we'll say add. This time under profile we're going to select OpenVPN client certificate, and we'll name this one OpenVPN user 1. The certificate authority is again going to be this TrueNAS server, and we'll fill in this information.

Okay, now we've created a user one. So if you want to have multiple people connecting, or multiple remote clients connecting to this, you can create multiple users to separate them and have control over who is and isn't able to connect by adding and removing these. So if it's the same person or the same end user connecting and they have multiple machines, maybe a couple laptops or something, you can provide them with the same certificate on multiple machines and it will allow connections from those multiple machines. You don't need it per machine, you just need it per user, and that user can use the same certificate on multiple machines if they need, unless you want to have control over those specific machines, and you can send them out multiple certificates for each machine, and if one machine gets compromised you don't have to reissue a new certificate for all of those remote machines, just the one that's been compromised. It's up to you on how you want to handle that.

So now we have a certificate, so let's go over to our services and back to our OpenVPN server. We will select configure, and now when we go to download client config we have the option here for user01. Select that and hit submit, and that will download an openvpnclientconfig.ovpn file. We will save that, and this file we're going to take to our remote machine and
it will allow us to configure our OpenVPN client to connect back to the TrueNAS over the VPN service that we've just created.

Okay, and before we are able to connect to our TrueNAS server remotely, because we're on a local subnet and we are not internet facing directly, we will want to forward the port that we're using from our router out on the public internet into our subnet to this port. So we will have to go over to our router to configure that. So most routers nowadays do support port forwarding, and this should be an option in your router. All routers are different, so let's take a look at the router that's on this network. Okay, so I've just gone over to the port forwarding section of this router. We're gonna create our port forwarding, so we'll do both TCP and UDP, and the port range we're going to select is 1196. So that's on the public side, so the client is going to be reaching out to this IP address on port 1196, and we want to forward that to the port 1196, so basically pass through, and we want it to go to the TrueNAS server that we are configuring, which is 23, and apply. And we can see that down here at the bottom, and that should be it for the configuration on the router.

Okay, so here's our file. Let's send it over to the remote machine and we will look at how to configure OpenVPN on the remote machine. Okay, so here we are on our remote machine and we've downloaded our .ovpn file, so let's download the OpenVPN client that we will be using to make this connection for us. So we just Google OpenVPN, or we can go to openvpn.net, and right on the front page for openvpn.net it should detect that we're on Windows and provide a download button. Let's download that and we will install it. Okay, so I would always make sure that you download the latest version. If you already have this installed and your TrueNAS version is newer, make sure you re-download and install the latest version, because TrueNAS does update their server version and it may cause incompatibility issues, which I have seen
previously. So get the latest version and install it, and it gives us this icon down here, and it indicates to us that we're disconnected. So we don't need the onboarding tour, click agree, some updates. Okay, and before we double click on this file and import it, we do have to make a change to it. So we can right click on it and select edit with Notepad++, and we'll see here that the remote connection, it is set to the IP address of our TrueNAS server, and we want to set this to our DDNS URL that we've configured our certificates with. Okay, that's the only change that we have to make here, so we will save that file, and then we can go ahead and we can double click on this, and the profile is for Techworks, so we'll select the option to connect after import and we'll say add, and that's it, we're connected.

So this isn't the end of it. Just because we're connected to the TrueNAS system doesn't mean we actually get the services for it. So let's take a look here. We are connected to the TrueNAS server over the VPN, but do we have the ability to connect to its IP? And it doesn't seem so, and we don't. We are able to connect to it over VPN, but that didn't do anything for us. So there's a couple things we can do here to remedy this, so let's head back over to our TrueNAS server. And there are two ways that we can configure our TrueNAS server: to either provide VPN service for that subnet, so that we have access to that subnet, local network, and all of the services it might provide, like other servers or other shares or web services within that local subnet, or we can configure it just to have access to the TrueNAS server itself and the share that's on there. So let's take a look. Okay, and we can see here that the IP address that we received was 168.1.2, which is the IP subnet that we provided.

Okay, so for the most part, when you're setting up a VPN, I would generally assume that you would want to be able to access the network that the VPN server is on, so in order to do that we have to configure our OpenVPN
server a little bit further with some additional parameters. So the first additional parameter that we're going to need is to push route. So the route that we want to push is our local network. We want to push this route out to the server IP address, basically, so we'll provide the subnet that the TrueNAS server is sitting on locally, which is 192.168.0.1, and then the subnet mask. Then we're also going to want to push, and we're going to redirect the gateway and bypass DHCP, so redirect. Okay, and then we also want to push to this network our DNS options, so we can use Google or we can use Cloudflare, whatever we want. So I will put in the Google IP, which is going to be 8.8.8, so we want to push dhcp option DNS 8.8.8.8, and then if you want a secondary one we will do push dhcp option DNS, and we'll use a Cloudflare one as our secondary. Okay, so these are all the options that we want to have in the additional parameters. Select save.

Okay, the next thing that we want to do is we want to go over to our static routes, and here we're going to want to add a static route. Basically, we want traffic destined to our client's network, which is 192.168.1 network, we want to use the TrueNAS system as its gateway. Okay, so the destination is going to be our client network and the gateway is going to be this TrueNAS server. Okay, and we'll just label the description on there so we know what it is, and submit.

Okay, and then we have one last set of configuration to perform, which is going to be in the tunables section of a system. So what we'll be doing in here is enabling natd on the back end of the TrueNAS system to allow NAT to pass and forward traffic to our client's subnet. Okay, so there's five or six options that we need to put here. So the first one we will provide is firewall enable, the value is going to be yes, and the type is going to be rc.conf. Add that one. The next one is going to be the firewall type, so firewall type, this is going to be open, it's going to be rc.conf. All of these will be type rc.conf, so
gateway enable, so this option is going to allow traffic forwarding, and this is going to be yes. And then we want to enable the natd services. Okay, so then natd interface, and our interface that we have connected on here is le0. And the last one we have here is going to be natd flags, and the option is going to be minus dynamic minus m, and this is going to have a dynamic NAT that preserves port numbers. Submit. So you should have a tunables that looks similar to this. So the last thing to do is reboot your TrueNAS server, because these are applied on boot up and they are attached to the rc.conf file. We need to restart the system, so go ahead and do that, and we'll head over to the remote client machine once this is rebooted and we'll connect.

Okay, so here we are back at the client machine. We have our OpenVPN client here, let's click on connect. We should be able to click connect again. Okay, and there we are connected, and we got the same IP again. So now let's take a look and see if we can enter the IP address that we had trouble connecting to previously. Okay, you'll see that this is on the zero network while we are connected to the 1.2 network. Okay, and it asks for our credentials. We just provide a username and password that has credentials to access the Samba share, and there we have it, we're able to connect and transfer files. It's probably going to be a little bit slow, not the quickest connection speed here at the clients, on the client's machine, but it gets the job done for what they need. Now we also have access to other addresses, so this is another share, their backup directory and their data directory, and the other web services that they have on their network, such as Webmin on one of the servers that they have there at the office.

Okay, so now that this is established, let's take a look at what we need to do if we don't want to provide VPN access to our entire network and we just want to limit it to the TrueNAS system itself. So we can keep pretty much all of the same
options. The only option we need to change here is gateway enable. Okay, so we can edit this option, select disabled, select save, and restart this system. So basically this will stop IPv4 forwarding, so the TrueNAS system won't forward network requests out of the TrueNAS system. Okay, so let's restart, and we'll head over to our remote system and take a look at the connection there.

So we're back over on the remote system after the TrueNAS reboot. Let's connect back with our VPN connection and we'll take a look at what we have access to now. So let's take a look if we have access to the TrueNAS server, and we do. Okay, let's take a look if we have access to the other server that we were connecting to. Okay, and it doesn't look like it. Let's try with ping. Okay, and we get no response. So it's pretty easy to switch between full subnet access and just the TrueNAS server access. If you want to limit it just to the TrueNAS, you can do that. If you want the whole subnet and you want to be able to allow the client to connect to the entire subnet, you just re-enable that and restart your TrueNAS system and you should be good to go.

I hope this has given you some confidence in getting a VPN set up, connected to your server, so you can access your server from remote locations. This is something that's pretty difficult going in alone, but with the tutorials and help that we get on the internet and YouTube this can be done within 20 minutes or so. It took me a while to figure all this out. With lots of help from forums, from like DigitalOcean and Reddit, and a couple YouTube videos, we can get this accomplished. I got a lot of the information for this setup from other YouTube creators like Space Rex, from forums like Reddit and DigitalOcean's help forums. I hope this video gives you some confidence in getting connected remotely over a VPN client with your TrueNAS system. I'll see you in the next video. Bye. [Music]
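
The subnet choice, the pushed OpenVPN parameters and the rc.conf tunables narrated above, written out with exact syntax as an added example (not part of the video or its captions). The function names are hypothetical, and the /24 masks, the `def1` flag, the `natd_enable` variable name and the Cloudflare address 1.1.1.1 are assumptions, since the captions do not spell them out.

```python
import ipaddress


def vpn_settings(lan_cidr, vpn_cidr, dns_servers, nat_interface, route_lan=True):
    """Return (OpenVPN additional parameters, rc.conf tunables) for this setup."""
    lan = ipaddress.ip_network(lan_cidr)
    vpn = ipaddress.ip_network(vpn_cidr)
    # The VPN pool must not overlap the LAN: addresses are handed out from the
    # bottom of the pool, so an overlapping pool would give the first client an
    # address that a LAN host probably already holds.
    if lan.overlaps(vpn):
        raise ValueError(f"VPN pool {vpn} overlaps LAN {lan}")
    params = [
        # Tell clients that the LAN is reachable through the tunnel.
        f'push "route {lan.network_address} {lan.netmask}"',
        # Send the client's default route through the VPN (def1 is assumed).
        'push "redirect-gateway def1 bypass-dhcp"',
    ]
    # ip_address() rejects malformed resolver addresses such as "8.8.8".
    params += [f'push "dhcp-option DNS {ipaddress.ip_address(d)}"' for d in dns_servers]
    rc_conf = {
        "firewall_enable": "YES",
        "firewall_type": "open",  # the "open" ipfw ruleset passes all traffic
        # The video disables this tunable to limit clients to the NAS itself;
        # that leaves the rc.conf default, which is NO (no IPv4 forwarding).
        "gateway_enable": "YES" if route_lan else "NO",
        "natd_enable": "YES",
        "natd_interface": nat_interface,
        "natd_flags": "-dynamic -m",  # -m keeps source port numbers where possible
    }
    return params, rc_conf


def first_client_address(vpn_cidr):
    # With topology subnet the server takes .1 and the first client gets .2.
    return str(ipaddress.ip_network(vpn_cidr)[2])


if __name__ == "__main__":
    # Constructed values matching the networks named in the captions.
    params, rc_conf = vpn_settings("192.168.0.0/24", "192.168.1.0/24",
                                   ["8.8.8.8", "1.1.1.1"], "le0")
    print("\n".join(params))
    for name, value in rc_conf.items():
        print(f'{name}="{value}"')
    print("first client:", first_client_address("192.168.1.0/24"))
```
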
Info
Channel: Techworks
Views: 12,793
Keywords: truenas, openvpn, 12, vpn, techworks, configure, jail, subnet, remote
Id: YEkfW4aC9Rk
Length: 25min 24sec (1524 seconds)
Published: Sun Jun 20 2021