Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
James Lodge
James at Lodge.me.uk
Fri Oct 23 19:30:13 UTC 2015
On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>
>>
>> Client ---------- public IP ---------- lo1 (Jail alias Interface) ---------- tun0 (OpenVPN Interface)
>>
>> 10.8.0.6          x.x.x.x               172.16.1.8                            10.8.0.1
>>
>>
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags    Netif  Expire
>> 172.16.1.8         link#4             UH       lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags    Netif  Expire
>> default            x.x.0.1            UGS      vtnet0
>> 10.8.0.0           10.8.0.2           UGS      tun0
>> 10.8.0.1           link#5             UHS      lo0
>> 10.8.0.2           link#5             UH       tun0
>> x.x.0.0/18         link#1             U        vtnet0
>> x.x.x.x            link#1             UHS      lo0
>> localhost          link#3             UH       lo0
>> 172.16.1.1         link#4             UH       lo1
>> 172.16.1.2         link#4             UH       lo1
>> 172.16.1.3         link#4             UH       lo1
>> 172.16.1.4         link#4             UH       lo1
>> 172.16.1.5         link#4             UH       lo1
>> 172.16.1.6         link#4             UH       lo1
>> 172.16.1.7         link#4             UH       lo1
>> 172.16.1.8         link#4             UH       lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination          Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5       10.8.0.6      20
>>          10.8.0.1  255.255.255.255         10.8.0.5       10.8.0.6      20
>>          10.8.0.4  255.255.255.252          On-link       10.8.0.6     276
>>          10.8.0.6  255.255.255.255          On-link       10.8.0.6     276
>>          10.8.0.7  255.255.255.255          On-link       10.8.0.6     276
>>
>>
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>
>>
>> James
>>
>>
>>
>> _______________________________________________
>> freebsd-jail at freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe at freebsd.org"
>>
>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
>
> Regards
> James
>
>
> Can you include the output of 'ifconfig' from inside the jail, and
> 'netstat -rn'?
>
> It looks like the packets are reaching you on tun0
>
> --
> Allan Jude
ifconfig from Jail
----------------------
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 04:01:5d:21:c3:01
media: Ethernet 10Gbase-T <full-duplex>
status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
ether 04:01:5d:21:c3:02
media: Ethernet 10Gbase-T <full-duplex>
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet 172.16.1.8 netmask 0xffffffff
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
Opened by PID 9024
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
netstat -rn from Jail
---------------------------
Routing tables
Internet:
Destination Gateway Flags Netif Expire
172.16.1.8 link#4 UH lo1
Regards
James
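As an added example (not code from the thread), a small Python parser over the 'tcpdump -i tun0 -n' lines quoted in this thread: it pairs the two directions of each flow and reports the flows that were only ever seen one way, which is exactly what both captures show (requests from 10.8.0.6 arrive on tun0, nothing goes back). The sample input is constructed from the host capture quoted above plus one constructed ICMP echo reply line so a healthy two-way flow is visible for comparison.

```python
import re
from collections import defaultdict

# Constructed sample: the four host-side lines quoted in the thread, plus one
# constructed ICMP echo reply (not in the thread) so a healthy two-way flow is visible.
SAMPLE_CAPTURE = """\
18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.464500 IP 10.8.0.1 > 10.8.0.6: ICMP echo reply, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
"""

LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")

def split_endpoint(token):
    """'10.8.0.6.56054' -> ('10.8.0.6', 56054); a bare address (ICMP) -> (addr, None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_capture(text):
    """Yield (proto, src, sport, dst, dport) for each IPv4 line of 'tcpdump -n' output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP lines, tcpdump banners and the like are ignored
        _ts, src_tok, dst_tok, rest = m.groups()
        src, sport = split_endpoint(src_tok)
        dst, dport = split_endpoint(dst_tok)
        proto = "icmp" if rest.startswith("ICMP") else "tcp" if rest.startswith("Flags [") else "udp"
        yield proto, src, sport, dst, dport

def flow_directions(text):
    """Map (proto, endpoint_a, endpoint_b) -> [packets a->b, packets b->a]."""
    norm = lambda ep: (ep[0], -1 if ep[1] is None else ep[1])  # ICMP endpoints have no port
    counts = defaultdict(lambda: [0, 0])
    for proto, src, sport, dst, dport in parse_capture(text):
        a, b = (src, sport), (dst, dport)
        if norm(a) <= norm(b):
            counts[(proto, a, b)][0] += 1
        else:
            counts[(proto, b, a)][1] += 1
    return dict(counts)

def one_way_flows(text):
    """Flows seen in one direction only: the request reached tun0 but no reply went back."""
    flows = flow_directions(text).items()
    return sorted((k for k, (fwd, rev) in flows if fwd == 0 or rev == 0), key=str)
```

Feed it the text of a real capture (for example one_way_flows(open("tun0.txt").read())) taken on both the host and the jail: a flow listed as one-way on the host but two-way in the jail, or the reverse, tells you which side is dropping the replies.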