Mattias
February 28th, 2011, 02:23
This text describes how to get an OpenVPN (security/openvpn) server running inside a jail. The server will use a TUN device, but the same general procedure may also work with a TAP device.
Contents
Assumptions
The problem
The solution
Troubleshooting
References
Assumptions
The jail setup is similar to the one described in the handbook, 15.6 Application of Jails. [1]
OpenVPN is installed inside the jail and configured to use a TUN device. See the official how-to [2] and the sample configuration under Troubleshooting.
Your own customizations are taken into account by you, i.e. firewall settings, jail capabilities you have enabled or left out, security considerations etc.
The problem
On startup OpenVPN tries to (re-)establish a TUN/TAP device and some routes along with it. Since a jail does not allow this, you may be left with some of the following error messages (in the log, if not on stdout):
openvpn: writing to routing socket: No such process
Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
ifconfig: ioctl (set mtu): Operation not permitted
ifconfig: up: permission denied
ifconfig failed: external program exited with error status: 1
The solution
Create the TUN device on the host. [3, 4]
Give the jail access to the device. [5, 6]
Configure the TUN interface when jail boots. [7]
Prevent OpenVPN from trying to configure interfaces. [8]
Start off at the host by creating the TUN device...:
# ifconfig tun create
tun0
...on every boot:
vi /etc/rc.conf
Add the following line before any jail settings:
cloned_interfaces="tun"
Check for the new tun interface:
% ifconfig
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
Back-up the file defining rules for device access...:
cp /etc/defaults/devfs.rules /etc/defaults/devfs.rules_$(date +%F_%H%M)
...and edit it:
vi /etc/defaults/devfs.rules
Add the following lines, but make sure they fit with your existing rules. Also, substitute <rule #> with the appropriate rule IDs and <jail name> with the name of your jail:
# Support for TUN devices
#
[devfsrules_unhide_tun=<rule #>]
add path tun0 unhide
# Rules for jail <jail name>
#
[devfsrules_jail_<jail name>=<rule #>]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
Add the necessary settings for the jail:
vi /etc/rc.conf
Depending on your current jail and OpenVPN settings you may need to change some of the values:
see rc.conf for information on jail_⟨jname⟩_ip_multi⟨n⟩
the TUN settings vary with your OpenVPN server option, which in the following case is:
server 10.8.0.0 255.255.255.0
With that in mind add the following lines where suitable:
jail_<jail name>_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
jail_<jail name>_devfs_enable="YES"
jail_<jail name>_devfs_ruleset="devfsrules_jail_<jail name>"
Restart the jail and step in:
/etc/rc.d/jail restart <jail name>
jexec <jail ID> su
In the jail, make sure the TUN interface shows up configured and ready for use by OpenVPN:
% ifconfig
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Finally, a crucial option needs to be added to the OpenVPN configuration so that OpenVPN does not try to run ifconfig itself (which is what fails inside the jail):
echo 'ifconfig-noexec' >> /path/to/openvpn/server.conf
To start the server...:
openvpn /path/to/openvpn/server.conf
...on every jail boot:
vi /etc/rc.conf
Add the following lines, but change the path to your configuration file:
openvpn_enable="YES"
openvpn_configfile="/path/to/openvpn/server.conf"
From the host, you should now be able to see the jail listening on port 1194:
# netstat -anf inet
[...]
udp4 0 <jail IP>.1194 *.*
[...]
A successful port scan from a remote host could look something like this:
# nmap -sU <jail IP> -p1194-1195
[...]
1194/udp open|filtered openvpn
1195/udp closed unknown
[...]
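As an added consistency check (example code, not from the original post or from the FreeBSD or OpenVPN projects), the following POSIX sh script compares the host's rc.conf with the OpenVPN server.conf of the jail: cloned_interfaces creates a tun, devfs is enabled for the jail, the device in ip_multi0 matches the 'dev' line, the two point-to-point addresses are the .1 and .2 of the 'server' net, and ifconfig-noexec is present. The helper names (rc_get, ovpn_get, check_jail_openvpn, make_samples), the jail name "vpn" and the sample files are constructed, and the address check assumes the /24 server net used above.

```shell
# Added consistency check (not part of the original post): does the host rc.conf
# agree with the jail's OpenVPN server.conf? Assumes the /24 "server" layout above.

# Value of VAR="..." from an rc.conf-style file; the last occurrence wins.
rc_get() {  # rc_get FILE VAR
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Argument(s) of a directive from an OpenVPN config, trailing comment removed.
ovpn_get() {  # ovpn_get FILE DIRECTIVE
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | sed 's/[[:space:]]*[#;].*//' | tail -n 1
}

check_jail_openvpn() {  # check_jail_openvpn RC_CONF SERVER_CONF JAIL_NAME
    rc=$1 conf=$2 jail=$3
    case " $(rc_get "$rc" cloned_interfaces) " in  # "tun" or "tun0" both clone one
        *" tun"*) ;;
        *) echo "cloned_interfaces does not create a tun device"; return 1 ;;
    esac
    [ "$(rc_get "$rc" "jail_${jail}_devfs_enable")" = "YES" ] ||
        { echo "jail_${jail}_devfs_enable is not YES"; return 1; }
    multi=$(rc_get "$rc" "jail_${jail}_ip_multi0")  # tun0|10.8.0.1 10.8.0.2 ...
    dev=${multi%%|*}
    set -- ${multi#*|}                              # $1 local end, $2 remote end
    local_ip=$1 remote_ip=$2
    [ "$(ovpn_get "$conf" dev)" = "$dev" ] ||
        { echo "OpenVPN 'dev' does not name $dev"; return 1; }
    set -- $(ovpn_get "$conf" server)               # $1 network, $2 netmask
    [ "$2" = "255.255.255.0" ] || { echo "only a /24 server net is handled"; return 1; }
    prefix=${1%.*}
    [ "$local_ip" = "$prefix.1" ] && [ "$remote_ip" = "$prefix.2" ] ||
        { echo "ip_multi0 addresses do not match server $1"; return 1; }
    grep -q '^[[:space:]]*ifconfig-noexec' "$conf" ||
        { echo "server.conf lacks ifconfig-noexec"; return 1; }
}

# Constructed sample files mirroring the settings in the post (jail name "vpn").
make_samples() {  # make_samples DIR
    cat > "$1/rc.conf" <<'EOF'
cloned_interfaces="tun"
jail_vpn_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
jail_vpn_devfs_enable="YES"
EOF
    cat > "$1/server.conf" <<'EOF'
dev tun0
server 10.8.0.0 255.255.255.0
ifconfig-noexec
EOF
}
```

Run it on the host as check_jail_openvpn /etc/rc.conf /path/to/jail/root/path/to/openvpn/server.conf <jail name>; it prints the first mismatch it finds and exits non-zero, or exits 0 when everything agrees.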
Troubleshooting
When following the above steps, take careful note of possible differences in path and device names, jail name and IP, devfs rule names and IDs.
Make sure the TUN device exists on the host and in the jail:
ls -l /dev/tun*
Start off with a basic OpenVPN configuration. Example:
local <jail IP>
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
dh /path/to/dh2048.pem
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist /var/tmp/openvpn.pool
status /var/tmp/openvpn.status
log-append /var/log/openvpn.log
verb 4
mute 20
ifconfig-noexec
When asking for help include:
configuration files (host and jail rc.conf, OpenVPN config)
output from ifconfig, netstat -r and netstat -anf inet.
information on firewalling etc.
References
The Handbook: 15.6 Application of Jails, http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
WWW: OpenVPN HOWTO, http://openvpn.net/index.php/open-source/documentation/howto.html
Man page: ifconfig, see 'create'.
Man page: rc.conf, see 'cloned_interfaces'.
Mail: isc-dhcp3-server in a jail?, David N, http://lists.freebsd.org/pipermail/freebsd-questions/2007-June/151008.html
Mail: dhcpd possible within jail?, Bjoern A. Zeeb, http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000579.html
Man page: rc.conf, see 'jail_⟨jname⟩_ip_multi⟨n⟩'.
WWW: Linux VServer FAQs, http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F