> On 2015-10-23 16:45, James Lodge wrote:
>
>> On 2015-10-23 15:15, James Lodge wrote:
>>> On 2015-10-23 14:13, James Lodge wrote:
>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>> Hello all,
>>>>
>>>>
>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run 
>>>> OpenVPN. I'm not using vimage and don't particularly want to but I'm 
>>>> having an issue with networking.
>>>>
>>>>
>>>> OpenVPN daemon is up and running and I can connect successfully as a 
>>>> client. I receive an IP address as expected, but I cannot route traffic 
>>>> to/from client/server. The routing table on the client (which is a Windows 
>>>> machine) looks fine so I assume the issue is on the server side. I have a 
>>>> tun interface created on the host and exposed to the jail via devfs rules. 
>>>> The IP address on the tun interface is configured on the host and not from 
>>>> the jail. I can ping the tun interface IP from the host and the jail, but 
>>>> not from the client when connected.
>>>>
>>>>
>>>> Client --------- public IP --------- lo1 (Jail alias Interface) ------ tun0 (OpenVPN Interface)
>>>> 10.8.0.6         x.x.x.x             172.16.1.8                         10.8.0.1
>>>>
>>>>
>>>>
>>>> OpenVPN Jail Routing Table:
>>>>
>>>> Internet:
>>>> Destination        Gateway            Flags      Netif Expire
>>>> 172.16.1.8         link#4             UH          lo1
>>>>
>>>> Jail Host Routing Table:
>>>> Internet:
>>>> Destination        Gateway            Flags      Netif Expire
>>>> default            x.x.0.1         UGS      vtnet0
>>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>>> 10.8.0.1              link#5             UHS         lo0
>>>> 10.8.0.2              link#5             UH         tun0
>>>> x.x.0.0/18          link#1             U        vtnet0
>>>> x.x.x.x                 link#1             UHS         lo0
>>>> localhost            link#3             UH          lo0
>>>> 172.16.1.1         link#4             UH          lo1
>>>> 172.16.1.2         link#4             UH          lo1
>>>> 172.16.1.3         link#4             UH          lo1
>>>> 172.16.1.4         link#4             UH          lo1
>>>> 172.16.1.5         link#4             UH          lo1
>>>> 172.16.1.6         link#4             UH          lo1
>>>> 172.16.1.7         link#4             UH          lo1
>>>> 172.16.1.8         link#4             UH          lo1
>>>>
>>>> Client Routing Table:
>>>>
>>>> IPv4 Route Table
>>>> ===========================================================================
>>>> Active Routes:
>>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6     20
>>>>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     20
>>>>          10.8.0.4  255.255.255.252         On-link          10.8.0.6    276
>>>>          10.8.0.6  255.255.255.255         On-link          10.8.0.6    276
>>>>          10.8.0.7  255.255.255.255         On-link          10.8.0.6    276
>>>>
>>>>
>>>>
>>>> I'm a little stumped as to how to troubleshoot the issue so any help much 
>>>> appreciated.
>>>>
>>>>
>>>> James
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
>>>>
>>>
>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>> windows machine, and see if the packets are arriving.
>>>>
>>>> --
>>>> Allan Jude
>>>
>>>
>>> Thank you Allan,
>>>
>>> I should have thought of tcpdump. So traffic is being received at the host 
>>> from the windows client.
>>>
>>> Results from Host tcpdump -i tun0 -n
>>>
>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, 
>>> length 40
>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 
>>> 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. 
>>> (34)
>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. 
>>> (34)
>>>
>>> After that I thought I'd see if the traffic is reaching the jail. After 
>>> allowing the jail access to /dev/bpf I get the same results as the host: 
>>> traffic is received.
>>>
>>> Results from Jail tcpdump -i tun0 -n
>>>
>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. 
>>> (34)
>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. 
>>> (34)
>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. 
>>> (34)
>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 
>>> 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], 
>>> length 0
>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 
>>> 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], 
>>> length 0
>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 
>>> 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. 
>>> (34)
>>>
>>>
>>> Regards
>>> James
>>>
>>>
>>> Can you include the output of 'ifconfig' from inside the jail, and
>>> 'netstat -rn'?
>>>
>>> It looks like the packets are reaching you on tun0
>>>
>>> --
>>> Allan Jude
>>
>> ifconfig from Jail
>> ----------------------
>>
>> vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>         ether 04:01:5d:21:c3:01
>>         media: Ethernet 10Gbase-T <full-duplex>
>>         status: active
>>
>> vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>         ether 04:01:5d:21:c3:02
>>         media: Ethernet 10Gbase-T <full-duplex>
>>         status: active
>>
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>
>> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>         inet 172.16.1.8 netmask 0xffffffff
>>
>> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>         options=80000<LINKSTATE>
>>         Opened by PID 9024
>>
>> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>>
>>
>> netstat -rn from Jail
>> ---------------------------
>>
>> Routing tables
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 172.16.1.8         link#4             UH          lo1
>>
>>
>> Regards
>> James
>>
>>
>>
>>
>>
>>
>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>> addresses on tun0.
>>
>> Or, where are you expecting to receive the traffic?
>>
>> --
>> Allan Jude
>
>
> I expect the traffic to be received within the jail. I find it strange that I 
> don't see the same IP address as what I see on the host. Could this be a 
> devfs rule issue? What should I be looking for with jls?
>
> ifconfig from host
> _______________
>
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>         options=80000<LINKSTATE>
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>         Opened by PID 9024
>
> Regards
> James
>
>
>
> Jails are only allowed to see the IP addresses that are defined for that
> jail, so you need to add 10.8.0.1 to the list of IP addresses for that
> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd ip
> after the first, separated with a comma.
> 
> --
> Allan Jude

Thanks Allan, 

You learn something new everyday!

So now ifconfig from jail 

tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 11132


and after allowing ICMP through PF on the host I can now ping the tun0 from the 
client, so thank you very much for your help. One last thing you might be able 
to point me in the right direction on: I need to route client traffic on to the 
Internet. My understanding is that IP forwarding can't be enabled within the jail 
and adding routes to the jail's routing table isn't possible either. I'm doing 
NAT at the host, but how do I get the traffic from inside the jail there? 

Regards
James 




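As an added pre-flight check (my example, not from the thread, ezjail or FreeBSD): given the host's `ifconfig tun0` output and the jail's ip4.addr list, it reports whether the tun address is visible to the jail, which is the mismatch Allan spotted via jls. The `jls -j <jail> ip4.addr` invocation and the ezjail `interface|address` form in the suggested fix are my assumptions; the sample inputs are constructed from the values quoted in this thread.

```shell
# Added check, not part of the thread. A jail only sees the addresses in its
# ip4.addr list, so a tun address that exists on the host but is absent from
# that list is invisible inside the jail. On a real host feed in
#   "$(ifconfig tun0)"  and  "$(jls -j "$JAIL" ip4.addr)"   (assumed invocation)
# instead of the constructed strings at the bottom.

# Print the local inet address from ifconfig output of a point-to-point interface.
tun_inet_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Succeed if address $2 is exactly one entry of the comma-separated list $1.
jail_has_addr() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qxF "$2"
}

# Report whether the jail will see the tun address: returns 0 if it will, 1 otherwise.
check_jail_tun() {
    addr=$(tun_inet_addr "$1")
    if jail_has_addr "$2" "$addr"; then
        echo "ok: $addr is in the jail's ip4.addr list"
        return 0
    fi
    echo "missing: $addr is not in the jail's ip4.addr list"
    # ezjail form assumed: append ",tun0|$addr" to the jail's IP line in
    # /usr/local/etc/ezjail/<jail_name> (path from the thread), then restart the jail.
    echo "fix: add tun0|$addr to the jail's IP list in /usr/local/etc/ezjail/<jail_name>"
    return 1
}

# Constructed samples built from the values shown in the thread.
HOST_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 9024'
JLS_BEFORE='172.16.1.8'           # jail as first configured: lo1 alias only
JLS_AFTER='172.16.1.8,10.8.0.1'   # after adding the second address

check_jail_tun "$HOST_TUN0" "$JLS_BEFORE" || true
check_jail_tun "$HOST_TUN0" "$JLS_AFTER"
```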