Configuring OpenVPN
5 minute read.
Last Modified 2022-09-23 10:11 -0400A virtual private network (VPN) is an extension of a private network over public resources. It allows remote clients on a public network to access a private network via a secure connection. TrueNAS provides OpenVPN as a system level service that provides VPN server or client functionality. TrueNAS uses a single TCP or UDP port to act as a primary VPN server. This allows remote clients access to data stored on the system. VPN integration is possible even if the system is in a separate physical location, or only has access to public networks.
Public key infrastructure (PKI) must be in place before configuring TrueNAS as either an OpenVPN server or client. PKI utilizes certificates and certificate authorities created in or imported to TrueNAS.
The general process to configure OpenVPN (server or client) on TrueNAS is to:
- Select the networking credentials
- Set the connection detail
- Choose any additional security or protocol options
Go to the Services page and find the OpenVPN Client entry. Click the edit to configure the service.
Choose the certificate to use as an OpenVPN client. This certificate must exist in TrueNAS and be in an active (unrevoked) state.
Enter the host name or IP address of the Remote OpenVPN server.
Select any other connection settings that fit with your network environment. Check for performance requirements. The Device Type must match with the OpenVPN server Device Type. Nobind prevents using a fixed port for the client. Enabled by default, it allows the OpenVPN client and server to run at the same time.
Review the Security Options and select settings that meet your network security requirements. Determine if the OpenVPN server is using TLS Encryption. If so, copy the static TLS encryption key and paste into the TLS Crypt Auth field.
Go to the Services page and find the OpenVPN Server entry. Click the edit to configure the service.
Choose a Server Certificate for this OpenVPN server. This certificate must exist in TrueNAS and be in an active (unrevoked) state.
Define a IP address and netmask for the OpenVPN. Enter these values in Server. Continue to select the remaining Connection Settings that fit with your network environment and performance requirements. When selecting TUN in Device Type, you can select a virtual addressing method for the server in Topology. Options are:
- NET30: Use one /30 subnet per client in a point-to-point topology. Designed for use when connecting clients are Windows systems.
- P2P: Point-to-point topology. Points the local server and remote client endpoints to each other. One IP address given to each client. This is only recommmended when none of the clients are a Windows system.
- SUBNET: The interface uses an IP address and subnet. One IP address given to each client. Windows clients need the TAP-Win32 driver version 8.2 or newer. TAP devices always use the SUBNET specified in Topology.
The Topology selection is automatically applied to any connected clients.
When TLS Crypt Auth Enabled is selected, TrueNAS generates a static key for the TLS Crypt Auth field after saving the options. To change this key, click RENEW STATIC KEY. Any clients connecting to the server need this key. Keys stored in the system database are included in a generated client config file. A good practice is to back up keys in a secure location.
Review the Security Options and choose settings that meet your network security requirements.
Configure and save your OpenVPN server settings.
OpenVPN client systems that are connecting to this server will need to import client configuration files. To generate client configuration files, you need the client certificate from the client system. The client certificate was previously imported to the client system. Click DOWNLOAD CLIENT CONFIG and select the Client Certificate.
See OpenVPN Screens for more information on the client and server settings.
Connecting to a private network still sends data over less secure public resources. OpenVPN includes several security features that are optional. These optional security features help protect the data sent into or out of the private network.
- Authentication Algorithm: This is used to validate packets that are sent over the network connection. Your network environment might require a specific algorithm. SHA1 HMAC is a good standard algorithm to use if a particular algorithm is not required.
- Cipher: This is an algorithm to encrypt data packets sent through the connection. While not required, choosing a cipher can increase connection security. Verify the required ciphers for your networking environment. If there are no specific cipher requirements, AES-256-GCM is a good default choice.
- TLS Encryption: Selecting TLS Crypt Auth Enabled encrypts all TLS handshake messages. This adds another layer of security. OpenVPN server and clients share a required static key.
When finished configuring the server or client service, click SAVE. Start the service by clicking the related toggle in Services. To check the current state of the service, hover over the toggle.
Start Automatically: Selecting this option starts the OpenVPN service whenever TrueNAS completes booting. The network and data pools must be running.