Can't VPN to FreeNAS openVPN

rawmetal
OpenVpn Newbie
Posts: 4
Joined: Tue Sep 12, 2017 3:04 pm

Can't VPN to FreeNAS openVPN

Post by rawmetal » Wed Sep 13, 2017 5:09 pm

I'm new to this server and VPN thing, so I'm sorry if I overlooked something really stupid. I tried looking through some of the rules, but I don't know anything about networking and I think I cried a little.

My workplace hadn't used a server prior, and we wanted employees who work remotely to be able to VPN to the server to access files. We don't have a network administrator, so I guess that makes me the network administrator. We have a server with FreeNAS 11 STABLE installed. I followed this guide and confirmed that OpenVPN was running inside the FreeNAS jail @ IP 10.1.10.2. I configured my router to forward port 1194 to the FreeNAS server @ 10.1.10.225 (Maybe the wrong port?). I went home and installed the OpenVPN GUI and imported my client config file. I tried to use the GUI to VPN to the network, but I got an error about the keys and certificates not being available. I grabbed my keys and certificate and moved them to the proper location. I tried to VPN again, but I get this:

Wed Sep 13 09:45:08 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 13 09:45:08 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Sep 13 09:45:08 2017 MANAGEMENT: >STATE:1505321108,RESOLVE,,,,,,
Wed Sep 13 09:45:08 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]73.xx.xx.xxx:443
Wed Sep 13 09:45:08 2017 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Sep 13 09:45:08 2017 UDP link local: (not bound)
Wed Sep 13 09:45:08 2017 UDP link remote: [AF_INET]73.xx.xx.xxx:443
Wed Sep 13 09:45:08 2017 MANAGEMENT: >STATE:1505321108,WAIT,,,,,,
Wed Sep 13 09:46:08 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 13 09:46:08 2017 TLS Error: TLS handshake failed
Wed Sep 13 09:46:08 2017 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 13 09:46:08 2017 MANAGEMENT: >STATE:1505321168,RECONNECTING,tls-error,,,,,

If I try to use the Windows VPN service, it gives me error 807:

The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

This sounds like I may not have a configuration file set up properly? I have my OpenVPN client configuration file set up like so:

Client config
client
dev tun
proto udp
remote 73.xx.xx.xxx 443
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert nickh.crt
key nickh.key
remote-cert-tls server
cipher AES-256-CBC
tls-auth ta.key 1
#dhcp-option DNS 0.0.0.0
#redirect-gateway def1
comp-lzo
verb 3
float

My OpenVPN server config file is set up like this:

Server config
port 10011
proto udp
dev tun
ca ca.crt
cert openvpn-server.crt #Server public key
key openvpn-server.key #Server private key
dh dh.pem #Diffie-Hellman parameters
server 172.16.8.0 255.255.255.0 #Purple network
ifconfig-pool-persist ipp.txt
push "route 73.xx.xx.xxx 255.255.255.0" #Yellow network
tls-auth ta.key 0
#crl-verify crl.pem
keepalive 10 120
cipher AES-256-CBC
auth SHA256
group nobody
user nobody
comp-lzo
persist-key
persist-tun
verb 3

I feel like I'm very close here, but maybe I really screwed up somewhere. If I'm not in the right spot, please let me know. I'm going crazy here.

rawmetal
OpenVpn Newbie
Posts: 4
Joined: Tue Sep 12, 2017 3:04 pm

Re: Can't VPN to FreeNAS openVPN

Post by rawmetal » Mon Sep 25, 2017 7:40 pm

Bump. I tried changing ports on my router and had worse luck than port 1194 gave me. I've changed firewall settings and am still not having any luck.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't VPN to FreeNAS openVPN

Post by TinCanTech » Mon Sep 25, 2017 11:00 pm

rawmetal wrote:
Wed Sep 13, 2017 5:09 pm
I don't know anything about networking <snip>

My workplace hadn't used a server prior, and we wanted employees who work remotely to be able to VPN to the server to access files. We don't have a network administrator, so I guess that makes me the network administrator
You need someone who understands networking or you will have to learn it yourself.

I urge you to read all of this (many times, I refer back to it all the time):
HOWTO: For OpenVPN Community Edition

This error:
rawmetal wrote:
Wed Sep 13, 2017 5:09 pm
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
usually means something is blocking you from your server like a firewall etc.

You will also need to inspect your server log thoroughly.

This:
rawmetal wrote:
Wed Sep 13, 2017 5:09 pm
If I try to use the Windows VPN service, it gives me error 807
will never work. OpenVPN is only compatible with OpenVPN.

rawmetal
OpenVpn Newbie
Posts: 4
Joined: Tue Sep 12, 2017 3:04 pm

Re: Can't VPN to FreeNAS openVPN

Post by rawmetal » Tue Sep 26, 2017 11:10 pm

Thanks. I'll read over that. I was able to VPN to another computer on the network using Windows VPN. I may end up just using OpenVPN that way instead of directly to the FreeNAS machine.

PiotrG
OpenVpn Newbie
Posts: 3
Joined: Mon Sep 25, 2017 8:06 pm

Re: Can't VPN to FreeNAS openVPN

Post by PiotrG » Wed Sep 27, 2017 10:12 am

rawmetal wrote:
Wed Sep 13, 2017 5:09 pm
... confirmed that OpenVPN was running inside the FreeNAS jail @ IP 10.1.10.2. I configured my router to forward port 1194 to the FreeNAS server @ 10.1.10.225
A FreeNAS jail never has the same IP as the FreeNAS server itself. A jail acts much like a virtual server (separate networking stack).
Therefore, in my opinion, you should forward the port on the router to the internal IP of your jail.
Before doing this, you could verify from any other host whether the server is listening on the internal address on the port defined in the config (e.g. using nmap).
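
As an added illustration that is not part of the original thread: the sketch below compares the two posted configs and the port forward described in the first post, and lists every point where what the client sends and what the server expects disagree. The function names are hypothetical, the directive defaults are those of OpenVPN 2.4, and the router is assumed to forward the same port number it receives.

```python
# Directives both ends must agree on, with the value OpenVPN 2.4 uses when
# the directive is omitted ("absent"/"unset" are markers for this script).
MUST_MATCH = {"proto": "udp", "dev": "unset", "cipher": "BF-CBC",
              "auth": "SHA1", "comp-lzo": "absent"}

def parse(text):
    """Return {directive: [args]}; '#' starts a comment, ';' lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf

def value(conf, name, default):
    """First argument of a directive, 'enabled' for a bare flag, else default."""
    if name not in conf:
        return default
    return conf[name][0] if conf[name] else "enabled"

def find_mismatches(client, server, fwd_port, fwd_ip, jail_ip):
    """List reasons the client's packets would never complete the handshake."""
    c, s = parse(client), parse(server)
    remote = c.get("remote", [])
    dialed = remote[1] if len(remote) > 1 else "1194"
    listen = value(s, "port", "1194")
    out = []
    if dialed != str(fwd_port):
        out.append(f"client dials {dialed} but router forwards {fwd_port}")
    if listen != str(fwd_port):
        out.append(f"router forwards {fwd_port} but server listens on {listen}")
    if fwd_ip != jail_ip:
        out.append(f"forward goes to {fwd_ip}, OpenVPN runs in jail {jail_ip}")
    for name, default in MUST_MATCH.items():
        cv, sv = value(c, name, default), value(s, name, default)
        if cv != sv:
            out.append(f"{name}: client {cv}, server {sv}")
    return out

# Abridged from the configs posted in the thread (address masked as posted).
CLIENT = ("client\ndev tun\nproto udp\nremote 73.xx.xx.xxx 443\n"
          "cipher AES-256-CBC\ntls-auth ta.key 1\ncomp-lzo\n")
SERVER = ("port 10011\nproto udp\ndev tun\ncert openvpn-server.crt #Server public key\n"
          "tls-auth ta.key 0\nkeepalive 10 120\ncipher AES-256-CBC\nauth SHA256\ncomp-lzo\n")

if __name__ == "__main__":
    for problem in find_mismatches(CLIENT, SERVER, 1194, "10.1.10.225", "10.1.10.2"):
        print("MISMATCH:", problem)
```

With the values from the thread it reports the three port and address disagreements plus the `auth` digest difference, which matches the SHA1 HMAC lines in the client log against `auth SHA256` on the server.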

rawmetal
OpenVpn Newbie
Posts: 4
Joined: Tue Sep 12, 2017 3:04 pm

Re: Can't VPN to FreeNAS openVPN

Post by rawmetal » Thu Oct 05, 2017 8:38 pm

PiotrG wrote:
Wed Sep 27, 2017 10:12 am

A FreeNAS jail never has the same IP as the FreeNAS server itself. A jail acts much like a virtual server (separate networking stack).
Therefore, in my opinion, you should forward the port on the router to the internal IP of your jail.
Before doing this, you could verify from any other host whether the server is listening on the internal address on the port defined in the config (e.g. using nmap).
I'll give that a try then and change the IP address in my router settings.
