Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

FreeBSD10 Ezjail and OpenVPN

Written by Arnaud no comments

WARNING : This is probably a bad idea to use OpenVPN in a Jail (you will lose *a lot* of time to configure it) but it work's.

I really recommand to read the sources a the bottom of this articles, they were great help.

First things, prepare the host :

ifconfig tun create
echo 'cloned_interfaces="tun0"' >> /etc/rc.conf

Create you Jail (eg named openvpn) with ezjail (cf my previous posts) and change some settings in /usr/local/etc/ezjail/openvpn  (you MUST use ifconfig, *_ip_multi0 is NOT supported) :

#export jail_services_devfs_ruleset="devfsrules_jail"
export jail_services_devfs_ruleset="5"
export jail_services_exec_prestart0="/sbin/ifconfig tun0 inet 192.168.40.1/32 192.168.40.2"
export jail_services_exec_prestart1="/sbin/route add -net 192.168.40.0/24 192.168.40.2"

 

This is what you should put in /etc/devfs.rules in order to allow openVPN to bind on tun interface :

# Rules for jail <VPN>
[devfsrules_jail_openvpn=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path tun0 unhide

If you have a Warning like this in /var/log/messages :

WARNING: devfs_init_rulesets: could not read rules from /etc/devfs.rules

You sould try to copy the default file, and then clean it and copy only your few lines again (yes, it worked for me...)

cp /etc/defaults/devfs.rules /etc/devfs.rules
echo '' > /etc/devfs.rules

 

Now you can start the Jail and install OpenVPN in the jail

ezjail-admin start openvpn
ezjail-admin console openvpn
pkg install openvpn

Here is the config I made for the OpenVPN server in the jail /usr/local/etc/openvpn/openvpn.conf (the 2 last lines are really important):

port 1194
proto udp
dev tun
ca /etc/ssl/CA/cacert.pem
cert /etc/ssl/CA/certs/srv.crt
key /etc/ssl/CA/certs/srv.key
crl-verify /etc/ssl/CA/crls/crl.pem
dh /etc/ssl/CA/certs/dh2048.pem
server 192.168.40.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher BF-CBC
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
mute 20
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
# needed in jail
ifconfig-noexec
route-noexec

I have followed this french page in order to setup SSL and OpenVPN : http://blog.nicolargo.com/2009/04/installation-dun-serveur-vpn-sous-free...

Enable OpenVPN at boot in the jail (no, you dont need to enable, neither set, the gateway in the jail) :

echo 'openvpn_enabled="YES"' >> /etc/rc.conf

From the host, you can now restart the jail, check that the tun interface of YOUR host (NOT THE JAIL) has the IP, verify OpenVPN is listening :
ezjail-admin restart openvpn
ifconfig tun0
sockstat -4
 

BTW, did you remember to redirrct UDP port 1194 to the jail, like I explained in my previons ticket? If yes, did you thought to enable NAT for VPN IP? change your /etc/rc.conf and reload conf (with pfctl -vf /etc/pf.conf) :
rdr on em0 proto udp to port 1194 -> 10.11.12.1 port 1194
nat on em0 from lo1:network -> (em0)
nat on em0 from 192.168.40.0/24 -> (em0)
 

If you have some troubles getting an IP on the tun interface, you may (but should not need) try to :

sysrc devfs_load_rulesets=YES ; service devfs restart ; ezjail-admin restart
echo 'devfs_load_rulesets="YES"' >> /etc/rc.conf

 

Sources : https://forums.freebsd.org/threads/openvpn-server-in-jail-using-a-tun-de...
https://github.com/junovitch/my-freebsd-build/blob/master/openvpn-jail-H...
https://forums.freebsd.org/threads/freebsd-update-9-2-10-ezjail-config.4...

 
Classified in : UNIX Tags : none

Comments are closed.

Rss feed of the article's comments