[TrueNAS] OpenVPN server configuration breaks VM network configuration

AbydosOne · November 29, 2021

(cross posted from the TrueNAS forum because a) it's a lot more dead there than I remember and b) this a borderline-hyper-specific problem that I don't actually expect anyone to just waltz in a fix it with one post, but at this point I just want this to work without me reading through the entirety of TrueNAS 12's source code to figure it out... Hail Mary!)

I've been attempting to get a OpenVPN server configured on my TrueNAS server, and following the directions from here, it's up and running and properly routing traffic to both my internal network and the external Internet.

So far so good.

However, my Windows VM (running in the standard TrueNAS VM manner) loses its connection to the network (thank goodness for noVNC) once the following tunables are enabled:

natd_enable [yes]
natd_interface [igb0]
natd_flags [-dynamic -m]

(note: natd_interface edited from tutorial to match system's main interface)

TrueNAS version: TrueNAS-12.0-U4.1 (U6.1 has a bug regarding SMB file modification dates, long story...)

Windows VM version: 21H1 19043.1165

Windows VM typically gets IP 192.168.1.239/24; currently has IP 169.254.57.193/16. OpenVPN is configured to use the 192.168.2.0/24 subnet.

I suspect that my tunable natd configurations are overwriting some hidden natd (or some other routing backend) configurations necessary for the VM to pass traffic, but I don't know enough of the inner workings to even know where to begin investigating this.

I'm not the only person I've encountered with this issue it seems (including in the comments of the linked video above), and it seems like a non-trivial use-case combination (using the same server to have an OpenVPN host and a VM host).

So, my questions are two-fold:

Is there a way to fix this, either through routing settings or natd flags or something else entirely?
If my suspicion above is correct, is there a way to find the VM routing configurations so they can manually added back?

Let me know if you need any other information. Thanks for the help!

Other potentially useful info:

root@(server):~ # ipfw list

00050 divert 8668 ip4 from any to any via igb0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any icmp6types 1
01000 allow ipv6-icmp from any to any icmp6types 2,135,136
65000 allow ip from any to any
65535 allow ip from any to any

root@(server):~ # ifconfig
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81249b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER>
        ether 00:25:90:b5:62:93
        media: Ethernet autoselect
        status: no carrier
        nd6 options=1<PERFORMNUD>
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: GigNIC
        options=a500b9<RXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6>
        ether 00:25:90:b5:62:92
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=0<> metric 0 mtu 33160
        groups: pflog
mlxen0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
        description: 10GigNIC
        options=ed07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWFILTER,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        ether e4:1d:2d:dc:43:e0
        inet 192.168.7.2 netmask 0xffffff00 broadcast 192.168.7.255
        media: Ethernet autoselect (10Gbase-CX4 <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=9<PERFORMNUD,IFDISABLED>
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 192.168.2.1 --> 192.168.2.2 netmask 0xffffff00
        groups: tun
        nd6 options=1<PERFORMNUD>
        Opened by PID 1646
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:06:1d:02:71:00
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp-rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: vnet0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
        member: vnet0.1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 8 priority 128 path cost 2000
        member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000
        groups: bridge
        nd6 options=1<PERFORMNUD>
vnet0.1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: associated with jail: Plex as nic: epair0b
        options=8<VLAN_MTU>
        ether 02:25:90:31:41:ea
        hwaddr 02:77:b8:03:a5:0a
        groups: epair
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        nd6 options=1<PERFORMNUD>
vnet0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether fe:a0:98:65:44:79
        hwaddr 58:9c:fc:10:e8:47
        groups: tap
        media: Ethernet autoselect
        status: active
        nd6 options=1<PERFORMNUD>
        Opened by PID 2145

root@(server):~ # netstat -r
Routing tables
Internet:
Destination        Gateway            Flags     Netif Expire
default            RackGateway        UGS        igb0
localhost          link#3             UH          lo0
192.168.1.0/24     link#2             U          igb0
192.168.1.2        link#2             UHS         lo0
192.168.2.0/24     192.168.1.2        UGS        igb0
192.168.2.1        link#6             UHS         lo0
192.168.2.2        link#6             UH         tun0
192.168.7.0/24     link#5             U        mlxen0
192.168.7.2        link#5             UHS         lo0
Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
localhost          link#3             UH          lo0
::ffff:0.0.0.0/96  localhost          UGRS        lo0
fe80::/10          localhost          UGRS        lo0
fe80::%lo0/64      link#3             U           lo0
fe80::1%lo0        link#3             UHS         lo0
ff02::/16          localhost          UGRS        lo0