Solved Accessing OpenVPN Client network from jail

Hello. I have a question.
I have a FreeBSD host with one jail.
On the host I set up an OpenVPN client and I get routing to 192.168.0.1/24 over 10.4.44.109.
From the host I can ping 192.168.0.1 and that works fine.
But from the jail, I can't ping 192.168.0.1 or even 10.4.44.110 (my end of the OpenVPN tunnel).
Can I ask for help to set it up correctly?
Best regards.
 
Are you aware of this?
Code:
             allow.raw_sockets
                     The jail root is allowed to create raw sockets.  Setting
                     this parameter allows utilities like ping(8) and
                     traceroute(8) to operate inside the jail.  If this is
                     set, the source IP addresses are enforced to comply with
                     the IP address bound to the jail, regardless of whether
                     or not the IP_HDRINCL flag has been set on the socket.
                     Since raw sockets can be used to configure and interact
                     with various network subsystems, extra caution should be
                     used where privileged access to jails is given out to
                     untrusted parties.
 
Hello. I have raw.sockets enabled. I can ping my local networks. Only the network from the OpenVPN client is unreachable.
 
Please specify the IPs of the host and jail. It is important to understand how the jail communicates with the host.
If the jail DOES NOT HAVE an IP of the host's external (WAN) interface, you must make NAT or PROXY for the jail's traffic.

So if the jail is on the loopback interface with a private IP, try to research how the jail's traffic will leave the host.
 
Did you add gateway_enable="YES" on the host? There will be no routing if this isn't enabled.
 
SOLVED: I added NAT in PF:
nat on tun2 from 192.168.32.3 to any -> ( tun2 )
Where tun2 is my OpenVPN client tunnel and 192.168.32.3 is my jail IP.



Ok. Then one more time :)
I have gateway_enabled. Networking on the host is working fine. The network in the jail works fine too.
Code:
#cat /etc/pf.conf | grep 192.168.34.3
binat pass on $ext_if inet from 192.168.32.3 to any -> $ext_214
This is the binat for my jail, and 192.168.34.3 is the IP of my jail.
Code:
#ifconfig tun2
tun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.4.44.110 --> 10.4.44.109 netmask 0xffffffff
        groups: tun
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        Opened by PID 75336
This is the tun from the OpenVPN client.
Code:
# ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
64 bytes from 192.168.0.99: icmp_seq=0 ttl=127 time=46.502 ms
64 bytes from 192.168.0.99: icmp_seq=1 ttl=127 time=46.891 ms
64 bytes from 192.168.0.99: icmp_seq=2 ttl=127 time=46.605 ms
This is a ping from the host to an IP in the OpenVPN client network.

Code:
# ping google.com
PING google.com (216.58.215.78): 56 data bytes
64 bytes from 216.58.215.78: icmp_seq=0 ttl=121 time=12.243 ms
64 bytes from 216.58.215.78: icmp_seq=1 ttl=121 time=12.004 ms
This is a ping from the jail to google.com.
Code:
ping 192.168.0.99
PING 192.168.0.99 (192.168.0.99): 56 data bytes
^C
--- 192.168.0.99 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
This is a ping from the jail to 192.168.0.99.

Code:
# netstat -nr | grep 192.168.0.
192.168.0.0/24     10.4.44.109        UGS        tun2
This is the routing table from the host to the OpenVPN client network.
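
A check for the situation in this thread, as an added example that is not from any of the posters: it lists tunnel interfaces that carry a gateway route but have no pf `nat` rule for the jail's source address. The sample routing table and rule sets are constructed from the output quoted above (the `em0` default route and the function names are assumptions), and the matcher only understands literal addresses and `any`, not macros or tables.

```shell
#!/bin/sh
# Added example: report tun(4) interfaces that have a gateway route but no
# pf nat rule translating the jail's source address on that interface.

# Constructed sample inputs modelled on the thread's netstat and pf.conf lines.
ROUTES='default            203.0.113.1        UGS        em0
192.168.0.0/24     10.4.44.109        UGS        tun2
10.4.44.109        link#3             UH         tun2'

PF_BEFORE='binat pass on $ext_if inet from 192.168.32.3 to any -> $ext_214'
PF_AFTER='binat pass on $ext_if inet from 192.168.32.3 to any -> $ext_214
nat on tun2 from 192.168.32.3 to any -> ( tun2 )'

# tunnel_ifs ROUTES: print each tun interface used by a gateway (G flag) route.
tunnel_ifs() {
    printf '%s\n' "$1" |
        awk '$3 ~ /G/ && $4 ~ /^tun[0-9]+$/ { print $4 }' | sort -u
}

# has_nat RULES IF JAIL_IP: succeed if a nat rule on IF covers JAIL_IP.
has_nat() {
    printf '%s\n' "$1" | awk -v ifn="$2" -v ip="$3" '
        $1 == "nat" {
            on = ""; src = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "on")   on  = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            if (on == ifn && (src == ip || src == "any")) found = 1
        }
        END { exit !found }'
}

# missing_nat ROUTES RULES JAIL_IP: print tunnel interfaces lacking a nat rule.
missing_nat() {
    for ifn in $(tunnel_ifs "$1"); do
        has_nat "$2" "$ifn" "$3" || echo "$ifn"
    done
}

echo "before fix, no nat on: $(missing_nat "$ROUTES" "$PF_BEFORE" 192.168.32.3)"
echo "after fix, no nat on:  $(missing_nat "$ROUTES" "$PF_AFTER" 192.168.32.3)"
```

On a live host, pass the output of `netstat -nr` and the contents of `/etc/pf.conf` in place of the constructed samples.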
 