Need assistance with setting up OpenVPN Client on TrueNAS SCALE

Alright, if you guys are anything like the TrueNAS forums, I'll start off by apologizing for the unbelievably audacious act of not knowing everything, and then daring to ask a question on top of that. I'm not sure why, but for some reason doing that really seems to tick people off over there. Also, if you're queuing up the usual "RTFM" comment, I suggest you read the full post, take a look at the current networking documentation for TrueNAS SCALE, and then reevaluate your life choices. I'd be happy to donate some time back to the community and write up a guide for this specific configuration (I think my particular VPN is adding some complications) if I can get things working!

 

Anyway, for some context, I've been working on setting up a fairly standard media streaming pipeline (Sonarr/Radarr/Lidarr/Jackett/Transmission/Plex) for a few months now, and I've recently thrown in the towel on attempting to get it set up with TrueNAS Core - which I've been using for about 5 years now - and decided to start from scratch with TrueNAS SCALE in hopes that it's slightly more usable (read: tolerable) than its FreeBSD-based predecessor. I'll note here that I'm pretty comfortable with tech in general, but also pretty crummy when it comes to network configuration and infrastructure, so please feel free to correct me if I'm off the mark on anything here (because it certainly feels like I am).

 

One of the first steps I wanted to do in terms of setting up the new environment was getting TrueNAS to act as an OpenVPN Client to my VPN service - PIA. As I understand it, this is relatively straightforward via the CLI, but since TrueNAS supports OpenVPN Client configuration through its UI, I'm really hoping to use that to configure OpenVPN in order to keep the UI in sync with the actual running configuration (I've heard that this could be an issue on Core, so I'm assuming that it's a potential issue on SCALE as well). My thought process here is that I have several applications (Jackett, Transmission, etc.) that I'd like to configure to use PIA's VPN, and several others (Sonarr/Radarr/Lidarr/Plex) that don't necessarily need to. Since Sonarr/Radarr/Lidarr and co. won't be very negatively impacted by operating over a VPN, I was hoping to configure the system to use the VPN at the OS or interface level, instead of setting up individual OpenVPN clients in every service/container/application/jail that needs them. I quickly found this guide, which I thought would be sufficient to get me there, but I think that I'm missing either some key knowledge, or some key components that the VPN provider should be providing. I should also note here that I'm ok with a bit of a band-aid solution here, as my eventual goal is to replace my router with something running pfSense, which ought to be able to handle my desired setup without having to involve TrueNAS.

 

So, step one in any VPN configuration is to get the PKI (public key infrastructure) set up, right? As I understand it, that process should look something like this for an OpenVPN client, as informed by this guide:

  1. Download necessary configuration files from VPN provider.
  2. Import the CA (certificate authority) for your VPN by using the "ca" key provided in the configuration files obtained in step 1.
  3. Create a certificate for the VPN by using the "cert" and "key" keys provided in the configuration files obtained in step 1.
  4. Configure the OpenVPN Client service using the CA created in step 2 and the certificate created in step 3.
  5. Start the service and test with a ping.
  6. ???
  7. Profit.

 

I can get the CA set up easily enough (at least, I think so), but I run into lots of trouble at step 3. PIA provides both an OpenVPN Configuration Generator tool and several "default" OpenVPN configuration files, but as far as I can tell neither of those options gives me enough information to set up the PKI that TrueNAS needs to act as an OpenVPN Client with PIA. For example, downloading the available "default" configuration files provides a number of .ovpn files that can be used for different regions, but these appear to only contain the keys needed to set up a CA and revoke certificates issued by it (contained in the <ca> and <crl-verify> tags, respectively). There is a .crt file bundled along with these .ovpn files, but the key it contains is identical to those in the <ca> tags of the various .ovpn files, so I'm pretty sure this is just for the CA again. It's the same story for the .ovpn files that PIA's configuration generator creates - they only contain the <ca> and <crl-verify> keys.

 

It's occurred to me that PIA might be expecting me to interact/authenticate with their VPN in a different manner - perhaps I need to submit a CSR (certificate signing request) in order to get my client certificate? Additionally, I know that PIA expects its clients to authenticate with a username and password in most circumstances (duh), but I'm fairly certain that only comes into play when it's time to actually connect to the VPN, not prior to receiving the public key that I'm meant to use. My PIA account doesn't seem to have any other downloads or options available, so I'm kind of at a loss as to where or how I'm supposed to generate or obtain the missing keys here.

 

So, if anyone has any advice, or knows what I'm doing incorrectly here, I'd really appreciate any assistance you could provide! Is there something I'm doing wrong here? Is my entire idea fundamentally flawed in some obvious way that I've overlooked? Is what I'm hoping to achieve even possible? Should I just quit tech forever and pick up a trusty ol' abacus for future endeavors?

Edit: Formatting.
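
An added example, not part of the original post: a small Python check that lists which inline blocks an .ovpn profile carries and whether it asks for a client certificate/key pair, a username and password (OpenVPN's `auth-user-pass` directive), or both. The sample profile, its host name and the PEM bodies are constructed placeholders, and `inspect_profile` is a hypothetical helper name.

```python
import re

# Inline blocks that can carry PKI or TLS key material inside a profile.
INLINE = re.compile(r"<(ca|cert|key|crl-verify|tls-auth|tls-crypt)>(.*?)</\1>", re.S)

# Constructed sample profile: hypothetical host, placeholder PEM bodies.
SAMPLE_OVPN = """\
client
dev tun
remote vpn.example.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
<crl-verify>
-----BEGIN X509 CRL-----
PLACEHOLDER
-----END X509 CRL-----
</crl-verify>
"""

def inspect_profile(text):
    """Report inline blocks, directives and the client authentication mode."""
    blocks = sorted({m.group(1) for m in INLINE.finditer(text)})
    directives = {}
    for line in INLINE.sub("", text).splitlines():  # block bodies removed first
        line = line.strip()
        if line and line[0] not in "#;":             # '#' and ';' start comments
            name, _, arg = line.partition(" ")
            directives[name] = arg.strip()
    # Material may be inline (<cert>) or referenced by file (cert client.crt).
    present = set(blocks) | set(directives)
    missing = [n for n in ("cert", "key") if n not in present]
    userpass = "auth-user-pass" in directives
    if not missing:
        auth = "certificate+password" if userpass else "certificate"
    else:
        auth = "password" if userpass else "unknown"
    return {"blocks": blocks, "auth": auth, "missing_for_cert_auth": missing}

if __name__ == "__main__":
    print(inspect_profile(SAMPLE_OVPN))
```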

Posted
3 years ago