After OpenVPN setup, jails lose connection to internet - firewall problem

Hi,
I’m trying to configure OpenVPN on my system to get remote access without exposing my NAS on the net.
1 - I don’t have a static IP, but I have access to a domain… so I created a free record on DuckDNS → I keep it updated via cronjob/API → I added a CNAME on the domain pointing to DuckDNS; tricky, but it works
2 - I have created a dedicated CA, server and client certificate
3 - this is the config of the server:


192.168.20.0 is the address I gave to the VPN, 192.168.1.1 is my default gateway
4 - set up tunables like this:

(yes, I had to disable them and reboot :frowning: )
5 - I added a static route: 192.168.20.0 → 192.168.1.150 (NAS binding)
6 - port forwarded as in the image below
[Screenshot 2024-06-10 191650]
7 - reboot the NAS

What’s happening: I tested from my smartphone, using the OpenVPN app, and I could connect easily… but I realized that all my jails are “isolated” from the net (for example, Uptime Kuma can’t ping any site).
From the NAS shell, pinging for example google.com works well, but inside the jail it doesn’t work.

What am I doing wrong?
If the info isn’t enough, tell me whatever you need :disguised_face:

Hope someone can help me; I’ll add this info:

  • I tried changing the nameservers from 1.1.1.1 1.0.0.1 to 8.8.8.8 8.8.4.4 and nothing changed
  • I tried changing the default gateway of the jails and nothing changed
  • I tried enabling allow_raw_sockets but nothing changed
  • I can’t see the jails in my router either (normally I see them running with their IPs)

Still hoping someone can help me :laughing: After several attempts I managed to identify the cause of the problem: the firewall.

ping to the gateway: works

ping to 8.8.8.8: works

ping to the DNS: not working

So I tried the same tests again by temporarily disabling the firewall with

ipfw disable firewall

and the jails resolved the addresses correctly.

But now… I don’t have the faintest idea how to fix this “in the right way” (given that deactivating the firewall doesn’t seem like a sensible choice to me).

Edit: forgot to attach this:

00050 divert 8668 ip4 from any to any via em0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any
65535 allow ip from any to any
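Since ICMP to the gateway and to 8.8.8.8 works while DNS does not, the next thing to check is which rules the jail traffic actually hits. The script below is an added example, not code from the post or from TrueNAS: it parses the `ipfw list` output pasted above (embedded as a constructed sample), pulls out the divert (natd) rule and the interface it is bound to, lists every interface the ruleset names, and reports the default policy. All function names are my own; the ruleset text is the only thing taken from the post.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the `ipfw list` output quoted in the post above.
IPFW_LIST = """\
00050 divert 8668 ip4 from any to any via em0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any
65535 allow ip from any to any
"""

# One ipfw rule: number, action (divert carries its socket port), protocol,
# source, destination, then trailing options such as "via em0" or "icmp6types 1".
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny|divert\s+\d+)\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)

# Interface name prefixes that jail/VPN traffic would typically enter through.
JAIL_IFACE_PREFIXES = ("bridge", "tun", "vnet", "epair")


def parse_ipfw(text: str) -> List[Dict[str, object]]:
    """Parse `ipfw list` output into rule dicts; an unrecognised line raises."""
    rules: List[Dict[str, object]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ipfw rule: {line!r}")
        action = m.group("action")
        divert_port = None
        if action.startswith("divert"):
            divert_port = int(action.split()[1])  # natd listens on this divert port
            action = "divert"
        rest = m.group("rest").strip()
        via = re.search(r"\bvia\s+(\S+)", rest)
        rules.append({
            "num": int(m.group("num")),
            "action": action,
            "divert_port": divert_port,
            "proto": m.group("proto"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "via": via.group(1) if via else None,
            "options": rest,
        })
    return rules


def divert_rules(rules: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rules that hand packets to a divert socket (natd-style NAT)."""
    return [r for r in rules if r["action"] == "divert"]


def interfaces_referenced(rules: List[Dict[str, object]]) -> Set[str]:
    """Every interface named in a `via` clause."""
    return {str(r["via"]) for r in rules if r["via"]}


def default_policy(rules: List[Dict[str, object]]) -> str:
    """Action of the final rule, i.e. what happens to traffic nothing else matched."""
    return str(rules[-1]["action"])


def audit(rules: List[Dict[str, object]]) -> List[str]:
    """Findings a practitioner would want when jails lose connectivity after a ruleset change."""
    findings = []
    for r in divert_rules(rules):
        findings.append(
            f"rule {r['num']:05d}: all {r['proto']} via {r['via']} is diverted to port "
            f"{r['divert_port']}; jail traffic leaving on {r['via']} passes through that "
            f"NAT daemon, so check it is running and that its config covers the jail subnet"
        )
    ifaces = interfaces_referenced(rules)
    if not any(i.startswith(JAIL_IFACE_PREFIXES) for i in ifaces):
        findings.append(
            f"interfaces named in rules: {sorted(ifaces)}; no bridge/tun/vnet/epair "
            f"interface is named, so jail and VPN interfaces only hit the generic rules"
        )
    findings.append(f"default policy for unmatched traffic: {default_policy(rules)}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipfw(IPFW_LIST)):
        print(finding)
```

Run it against a live box by replacing `IPFW_LIST` with the output of `ipfw list`; the point of the parser is to make the divert rule and the interface coverage visible at a glance before deciding which rule to add, rather than disabling the whole firewall.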