On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run
>> OpenVPN. I'm not using vimage and don't particularly want to but I'm having
>> an issue with networking.
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client.
>> I receive an IP address as expected, but I cannot route traffic to/from
>> client/server. The routing table on the client (which is a Windows machine)
>> looks fine so I assume the issue is on the server side. I have a tun
>> interface created on the host and exposed to the jail via devfs rules. The
>> IP address on the tun interface is configured on the host and not from the
>> jail. I can ping the tun interface IP from the host and the jail, but not
>> from the client when connected.
>>
>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 172.16.1.8         link#4             UH         lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            x.x.0.1            UGS        vtnet0
>> 10.8.0.0           10.8.0.2           UGS        tun0
>> 10.8.0.1           link#5             UHS        lo0
>> 10.8.0.2           link#5             UH         tun0
>> x.x.0.0/18         link#1             U          vtnet0
>> x.x.x.x            link#1             UHS        lo0
>> localhost          link#3             UH         lo0
>> 172.16.1.1         link#4             UH         lo1
>> 172.16.1.2         link#4             UH         lo1
>> 172.16.1.3         link#4             UH         lo1
>> 172.16.1.4         link#4             UH         lo1
>> 172.16.1.5         link#4             UH         lo1
>> 172.16.1.6         link#4             UH         lo1
>> 172.16.1.7         link#4             UH         lo1
>> 172.16.1.8         link#4             UH         lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5        10.8.0.6      20
>>          10.8.0.1  255.255.255.255         10.8.0.5        10.8.0.6      20
>>          10.8.0.4  255.255.255.252          On-link        10.8.0.6     276
>>          10.8.0.6  255.255.255.255          On-link        10.8.0.6     276
>>          10.8.0.7  255.255.255.255          On-link        10.8.0.6     276
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much
>> appreciated.
>>
>> James
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
>>
>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host
> from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing
> the jail access to /dev/bpf I get the same results as the host, traffic is
> received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
> Regards
> James
>
Can you include the output of 'ifconfig' from inside the jail, and 'netstat -rn'?

It looks like the packets are reaching you on tun0

--
Allan Jude
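
Added example, not part of the thread or written by its participants: a small Python parser for `tcpdump -n` text output like the tun0 captures quoted above, which groups packets by address pair and reports the pairs seen in one direction only. The first four sample lines are copied from the host capture in the thread; the reply line and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "IP src > dst:" prefix of tcpdump -n text output.
# An address may carry a trailing ".port" (TCP/UDP) or none (ICMP).
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
)

# Copied from the host capture quoted in the thread.
HOST_CAPTURE = [
    "18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40",
    "18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, "
    "win 8192, options [mss 1368,nop,nop,sackOK], length 0",
    "18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)",
    "18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)",
]

# Constructed line (not from the thread): what an echo reply would look like.
CONSTRUCTED_REPLY = (
    "18:44:02.464391 IP 10.8.0.1 > 10.8.0.6: ICMP echo reply, id 1, seq 10577, length 40"
)


def parse(lines):
    """Yield (src_ip, dst_ip) for each line that parses as an IPv4 packet."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"]


def one_way_pairs(lines):
    """Return {(a, b): packets} for pairs where a sent to b but b never sent to a."""
    seen = defaultdict(int)
    for src, dst in parse(lines):
        seen[(src, dst)] += 1
    return {p: n for p, n in seen.items() if (p[1], p[0]) not in seen}


if __name__ == "__main__":
    for (src, dst), n in sorted(one_way_pairs(HOST_CAPTURE).items()):
        print(f"{src} -> {dst}: {n} packet(s), nothing seen in the reverse direction")
```

Feeding it a saved capture from the host and another from the jail shows, per interface, which destinations never appear as a source.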