This text describes how to get an OpenVPN (security/openvpn) server running inside a FreeBSD jail. The server will use a TUN device, but the same general procedure should also work with a TAP device.
Contents
- [jump=Assumptions]Assumptions[/jump]
- [jump=TheProblem]The problem[/jump]
- [jump=TheSolution]The solution[/jump]
- [jump=Troubleshooting]Troubleshooting[/jump]
- [jump=References]References[/jump]
Assumptions
- The jail setup is similar to the one described in the handbook, 15.6 Application of Jails. [[jump=References]1[/jump]]
- OpenVPN is installed inside the jail and configured to use a TUN device. See the official how-to [[jump=References]2[/jump]] and the sample configuration under [jump=Troubleshooting]Troubleshooting[/jump].
- Personal customizations are taken into account, i.e. firewall settings, jail capabilities that are enabled or disabled, security considerations, etc.
The problem
On startup OpenVPN tries to (re-)establish a TUN/TAP device and some routes along with it. Since jails don't allow this, you may be left with some of the following error messages (in the log, if not on stdout):
Code:
openvpn: writing to routing socket: No such process
Cannot open TUN/TAP dev /dev/tun0: No such file or directory (errno=2)
ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
ifconfig: ioctl (set mtu): Operation not permitted
ifconfig: up: permission denied
ifconfig failed: external program exited with error status: 1
The solution
- Create the TUN device on the host. [[jump=References]3[/jump], [jump=References]4[/jump]]
- Give the jail access to the device. [[jump=References]5[/jump], [jump=References]6[/jump]]
- Configure the TUN interface when jail boots. [[jump=References]7[/jump]]
- Prevent OpenVPN from trying to configure interfaces. [[jump=References]8[/jump]]
Start off at the host by creating the TUN device...:
Code:
# ifconfig tun create
tun0
...on every boot:
# vi [FILE]/etc/rc.conf[/FILE]
Add the following line before any jail settings:
Code:
cloned_interfaces="tun"
Check for the new tun interface:
Code:
% ifconfig
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
Back-up the file defining rules for device access...:
# cp [FILE]/etc/defaults/devfs.rules[/FILE] [FILE]/etc/defaults/devfs.rules_[b]$(date +%F_%H%M)[/b][/FILE]
...and edit it:
# vi [FILE]/etc/defaults/devfs.rules[/FILE]
Add the following lines, but make sure they fit with your existing rules. Also, substitute <rule #> with the appropriate rule IDs (the defaults already use 1 through 4) and <jail name> with the name of your jail. Note that /etc/defaults/devfs.rules is replaced on upgrades; the devfs rc script also reads /etc/devfs.rules, which is the intended place for local rulesets such as these (see devfs.rules(5)):
Code:
# Support for TUN devices
#
[devfsrules_unhide_tun=[highlight]<rule #>[/highlight]]
add path tun0 unhide
# Rules for jail [highlight]<jail name>[/highlight]
#
[devfsrules_jail_[highlight]<jail name>[/highlight]=[highlight]<rule #>[/highlight]]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
Add the necessary settings for the jail:
# vi [FILE]/etc/rc.conf[/FILE]
Depending on your current jail and OpenVPN settings you may need to change some of the values:
- see rc.conf(5) for information on jail_⟨jname⟩_ip_multi⟨n⟩
- on releases that configure jails through jail.conf(5) rather than the rc.conf jail_* variables, the same settings are expressed there with ip4.addr, mount.devfs and devfs_ruleset
- the TUN settings vary with your OpenVPN server option, which in the following case is:
Code:
server 10.8.0.0 255.255.255.0
Code:
jail_[highlight]<jail name>[/highlight]_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
jail_[highlight]<jail name>[/highlight]_devfs_enable="YES"
jail_[highlight]<jail name>[/highlight]_devfs_ruleset="devfsrules_jail_[highlight]<jail name>[/highlight]"
Restart the jail and step in (jls(8) lists the jail IDs):
# /etc/rc.d/jail restart [highlight]<jail name>[/highlight]
# jexec [highlight]<jail ID>[/highlight] su
In the jail, make sure the TUN interface shows up configured and ready for use by OpenVPN:
Code:
% ifconfig
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
Finally, a crucial option needs to be added to the OpenVPN configuration, so that OpenVPN leaves the already configured interface alone instead of failing on the ifconfig calls the jail refuses:
# echo '[b]ifconfig-noexec[/b]' >> [highlight]/path/to/openvpn/server.conf[/highlight]
If the routing-socket errors persist, route-noexec additionally keeps OpenVPN from touching the routing table; the route it would otherwise add for the VPN network (10.8.0.0/24 via tun0 with the server option above) must then be present on the host, for instance via static_routes in rc.conf(5).
To start the server...:
# openvpn [highlight]/path/to/openvpn/server.conf[/highlight]
...on every jail boot:
# vi [FILE]/etc/rc.conf[/FILE]
Add the following lines, but change the path to your configuration file:
Code:
openvpn_enable="YES"
openvpn_configfile="[highlight]/path/to/openvpn/server.conf[/highlight]"
From the host, you should now be able to see the jail listening on port 1194:
Code:
# netstat -anf inet
[I][...][/I]
udp4 0 [highlight]<jail IP>[/highlight].1194 *.*
[I][...][/I]
A successful port scan from a remote host could look something like this:
Code:
# nmap -sU [highlight]<jail IP>[/highlight] -p1194-1195
[I][...][/I]
1194/udp open|filtered openvpn
1195/udp closed unknown
[I][...][/I]
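The steps above tie three things together that are easy to get out of sync: the server option in the OpenVPN config, the tun0 addresses in the jail's ip_multi line, and the devfs ruleset that exposes the device. The following sh script is an added example, not code from the original post or from the OpenVPN project: it derives the rc.conf and devfs.rules fragments from an OpenVPN server config and lints the config for the options a jailed server needs (the same checks apply to the sample configuration under Troubleshooting). The jail name vpnjail, the rule numbers 10 and 11, the jail IP 192.0.2.10, the paths under /usr/local/etc/openvpn and the sample config itself are assumptions made up for the example; it only needs sh, awk and coreutils, so it runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post: derives the rc.conf and
# devfs.rules fragments of this how-to from an OpenVPN server config and
# checks the config for the options a jailed server needs. The jail name
# "vpnjail", the rule numbers and the sample config are assumptions.

# ip4_to_int 10.8.0.0 -> 168296448 ; int_to_ip4 168296449 -> 10.8.0.1
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# conf_get <file> <directive>: value of an uncommented directive ("" if absent)
conf_get() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}
# conf_has <file> <directive>: true if the directive appears uncommented
conf_has() {
    awk -v key="$2" '$1 == key { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# tun_addresses <network>: "<server> <peer>" for a "server <network> <mask>"
# directive. OpenVPN's default net30 topology puts the server end at
# network+1 and its point-to-point peer at network+2 (10.8.0.1 --> 10.8.0.2).
tun_addresses() {
    base=$(ip4_to_int "$1")
    echo "$(int_to_ip4 $((base + 1))) $(int_to_ip4 $((base + 2)))"
}

# jail_rc_conf <jail> <tun> <network>: the three rc.conf lines from the how-to
jail_rc_conf() {
    set -- "$1" "$2" $(tun_addresses "$3")
    printf 'jail_%s_ip_multi0="%s|%s %s mtu 1500 netmask 255.255.255.255"\n' "$1" "$2" "$3" "$4"
    printf 'jail_%s_devfs_enable="YES"\n' "$1"
    printf 'jail_%s_devfs_ruleset="devfsrules_jail_%s"\n' "$1" "$1"
}

# devfs_rules <jail> <tun> <unhide rule#> <jail rule#>: a ruleset that exposes
# only the basic devices, the login ptys and the single tun unit to the jail.
devfs_rules() {
    cat <<EOF
[devfsrules_unhide_tun=$3]
add path $2 unhide

[devfsrules_jail_$1=$4]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add include \$devfsrules_unhide_tun
EOF
}

# check_openvpn_conf <file>: one finding per line; returns 1 if anything is wrong
check_openvpn_conf() {
    rc=0
    dev=$(conf_get "$1" dev)
    case "$dev" in
        tun[0-9]*) ;;   # a named unit that the devfs ruleset can unhide
        *) echo "dev: must name the unhidden unit (tun0 in the how-to), got '${dev:-unset}'"; rc=1 ;;
    esac
    conf_has "$1" ifconfig-noexec ||
        { echo "ifconfig-noexec: missing, OpenVPN will fail to configure $dev inside the jail"; rc=1; }
    conf_has "$1" server ||
        { echo "server: missing, cannot derive the tun addresses for ip_multi"; rc=1; }
    if conf_has "$1" user && ! conf_has "$1" persist-tun; then
        echo "persist-tun: needed with 'user', /dev/$dev cannot be reopened after dropping privileges"; rc=1
    fi
    conf_has "$1" comp-lzo &&
        { echo "comp-lzo: deprecated, VPN compression is a known oracle (VORACLE); drop it unless clients require it"; rc=1; }
    return $rc
}

# Constructed sample config (assumption: jail IP and paths are placeholders).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/server.conf" <<'EOF'
local 192.0.2.10
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca /usr/local/etc/openvpn/ca.crt
cert /usr/local/etc/openvpn/server.crt
key /usr/local/etc/openvpn/server.key
dh /usr/local/etc/openvpn/dh2048.pem
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
ifconfig-noexec
verb 4
EOF

net=$(conf_get "$tmp/server.conf" server | cut -d' ' -f1)
echo "# /etc/rc.conf (jail vpnjail)";      jail_rc_conf vpnjail "$(conf_get "$tmp/server.conf" dev)" "$net"
echo "# /etc/devfs.rules (rule IDs 10, 11)"; devfs_rules vpnjail tun0 10 11
check_openvpn_conf "$tmp/server.conf" && echo "server.conf: ok"
```

Run it on the host before restarting the jail; the two printed fragments are what goes into rc.conf and devfs.rules, and each finding from the checker corresponds to one of the failure modes listed under "The problem" (a missing ifconfig-noexec reproduces the ifconfig errors, a bare dev tun makes OpenVPN try to clone a unit the jail cannot see).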
Troubleshooting
- When following the above steps, take careful note of possible differences in path and device names, jail name and IP, and devfs rule names and IDs.
- Make sure the TUN device exists on the host and in the jail:
% ls -l /dev/tun*
- Start off with a basic OpenVPN configuration. Example (comp-lzo is deprecated in current OpenVPN releases and compression of VPN traffic is generally discouraged; keep it only if your clients require it):
Code:
local [highlight]<jail IP>[/highlight]
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
dh /path/to/dh2048.pem
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
ifconfig-pool-persist /var/tmp/openvpn.pool
status /var/tmp/openvpn.status
log-append /var/log/openvpn.log
verb 4
mute 20
ifconfig-noexec
- When asking for help include:
- configuration files (host and jail rc.conf, OpenVPN config)
- output from ifconfig, netstat -r and netstat -anf inet.
- information on firewalling etc.
References
- The Handbook: 15.6 Application of Jails, http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-application.html
- WWW: OpenVPN HOWTO, http://openvpn.net/index.php/open-source/documentation/howto.html
- Man page: ifconfig(8), see 'create'.
- Man page: rc.conf(5), see 'cloned_interfaces'.
- Mail: isc-dhcp3-server in a jail?, David N, http://lists.freebsd.org/pipermail/freebsd-questions/2007-June/151008.html
- Mail: dhcpd possible within jail?, Bjoern A. Zeeb, http://lists.freebsd.org/pipermail/freebsd-jail/2008-November/000579.html
- Man page: rc.conf(5), see 'jail_⟨jname⟩_ip_multi⟨n⟩'.
- WWW: Linux VServer FAQs, http://linux-vserver.org/Frequently_Asked_Questions#Can_I_run_an_OpenVPN_Server_in_a_guest.3F