Solved Configure tun device for OpenVPN in a jail

Ununnilium

New Member


Messages: 2

#1
I tried to configure OpenVPN like in this http://forums.freebsd.org/threads/openvpn-server-in-jail-using-a-tun-device.22143 tutorial. I am using FreeBSD 10.0. If I add
Code:
export jail_openvpn_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
to my ezjail configuration file, I get the error
Code:
ifconfig: ioctl (SIOCAIFADDR): Destination address required
jail: openvpn: /sbin/ifconfig tun0 inet 10.8.0.1/32 alias: failed
I tried to use
Code:
export jail_openvpn_exec_prestart0="ifconfig tun0 10.8.0.1 10.8.0.2 netmask 255.255.255.0"
instead, but then the tun0 interface in the jail does not get an IP address. Does someone know where the problem could be?
 

Oko

Daemon

Thanks: 767
Messages: 1,620

#2
This is a really interesting thread! If you were not in the jail your mistake would be obvious. tun0 is going to be down as long as the OpenVPN daemon is not working on your local host and as long as a lease to your OpenVPN client is not granted by the server. Now a jail makes things different. If I had to play with it I would not assign any IP to the jail from the host machine but rather install a complete system and configure the network from within a jail.
 

junovitch@

Daemon
Developer

Thanks: 613
Messages: 1,773

#3
I wish I remembered the reason why I changed it, but I found the multi syntax didn't work alright for me when I went from FreeBSD 9.2 to 10.0. Try something along these lines:

Make a ruleset that allows devfs(8) access within the jail.
/etc/devfs.rules
Code:
[devfsrules_jail_with_vpn=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path tun0 unhide
add path zfs unhide
/usr/local/etc/ezjail/<openvpn_jail_name_here>
Code:
export jail_<openvpn_jail_name_here>_devfs_ruleset="5"
export jail_<openvpn_jail_name_here>_exec_prestart0="/sbin/ifconfig tun0 inet 10.100.103.1/32 10.100.103.2"
export jail_<openvpn_jail_name_here>_exec_prestart1="/sbin/route add -net 10.100.103.0/24 10.100.103.2"
Do be aware that if you stop OpenVPN inside the jail, it will close the tunnel interface and you will have to restart the jail from the host.

If I had to play with it I would not assign any IP to the jail from the host machine but rather install a complete system and configure the network from within a jail.
With regards to this, the jail doesn't have permissions to make a new interface or assign addresses. So the only option is to pre-configure everything on the host.
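As an added check, not part of the thread or of ezjail, here is a POSIX sh function that takes the text of /etc/devfs.rules and of the ezjail config and verifies the four things that have to agree before the jail starts: every export line is a single properly closed double-quoted value (an unbalanced quote makes the shell reject the whole file), the devfs ruleset number the jail uses is actually defined, the tun device named in the prestart ifconfig is unhidden by that ruleset, and the route's gateway is the tun peer address. The sample file contents are constructed inline from the values in this post; on the host you would pass the real files instead.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check that an ezjail config and the
# devfs.rules ruleset agree before starting a jail that shares a host tun device.
# Works on the text of both files, so on the host you would call it as
#   check_vpn_jail_cfg "$(cat /etc/devfs.rules)" "$(cat /usr/local/etc/ezjail/<jail>)"

# Constructed sample /etc/devfs.rules, same shape as the ruleset in post #3
SAMPLE_DEVFS_RULES='[devfsrules_jail_with_vpn=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path tun0 unhide
add path zfs unhide'

# Constructed sample ezjail config for a jail named "openvpn"
SAMPLE_EZJAIL_CFG='export jail_openvpn_devfs_ruleset="5"
export jail_openvpn_exec_prestart0="/sbin/ifconfig tun0 inet 10.100.103.1/32 10.100.103.2"
export jail_openvpn_exec_prestart1="/sbin/route add -net 10.100.103.0/24 10.100.103.2"'

# check_vpn_jail_cfg DEVFS_RULES_TEXT EZJAIL_CFG_TEXT -> 0 if consistent, 1 otherwise
check_vpn_jail_cfg() {
    rules=$1 cfg=$2 rc=0
    # 1. every export line must be one properly closed double-quoted value
    #    (catches a stray trailing quote, which the shell rejects at jail start)
    bad=$(printf '%s\n' "$cfg" | grep '^export ' | grep -v '^export [A-Za-z0-9_]*="[^"]*"$' || true)
    [ -z "$bad" ] || { echo "malformed export line: $bad"; rc=1; }
    # 2. the ruleset number the jail references must be defined in devfs.rules
    ruleset=$(printf '%s\n' "$cfg" | sed -n 's|^export jail_.*_devfs_ruleset="\([0-9]*\)".*|\1|p')
    printf '%s\n' "$rules" | grep -q "^\[.*=$ruleset\]\$" || { echo "ruleset '$ruleset' not in devfs.rules"; rc=1; }
    # 3. the tun device configured by the prestart ifconfig must be unhidden by that ruleset
    tun=$(printf '%s\n' "$cfg" | sed -n 's|.*ifconfig \(tun[0-9]*\) inet.*|\1|p')
    printf '%s\n' "$rules" | grep -q "^add path $tun unhide\$" || { echo "'$tun' is not unhidden"; rc=1; }
    # 4. the route gateway must be the tun peer address, otherwise the route is useless
    peer=$(printf '%s\n' "$cfg" | sed -n 's|.*ifconfig tun[0-9]* inet [0-9.]*/32 \([0-9.]*\)".*|\1|p')
    gw=$(printf '%s\n' "$cfg" | sed -n 's|.*route add -net [0-9./]* \([0-9.]*\)".*|\1|p')
    [ -n "$peer" ] && [ "$peer" = "$gw" ] || { echo "route gateway '$gw' != tun peer '$peer'"; rc=1; }
    return $rc
}

check_vpn_jail_cfg "$SAMPLE_DEVFS_RULES" "$SAMPLE_EZJAIL_CFG" && echo "config consistent"
```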
 

Oko

Daemon

Thanks: 767
Messages: 1,620

#4
With regards to this, the jail doesn't have permissions to make a new interface or assign addresses. So the only option is to pre-configure everything on the host.
Thanks for educating me! Are you familiar with Warden for jail management? I am playing with it right now. How do I change the assigned subnet for a jail with Warden? It is part of the PCBSD utilities port if you are on vanilla FreeBSD.
 

Ben

Well-Known Member

Thanks: 2
Messages: 259

#6
Hi,
I followed the instructions, can connect to the OpenVPN server inside the jail but I can't see the IP address which is assigned to the tun0 interface.

On the host I can see the following:
Code:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   Opened by PID 35449
Inside the jail only:
Code:
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
   options=80000<LINKSTATE>
   Opened by PID 35449
Any idea what could be missing? I am using the devfs.rules which seem to work as I can connect and OpenVPN is running. Should I be seeing the IP address or is it ok not to see it?

I added the prestart commands to assign the IP on the host and add the route.

Thanks for help.
 

junovitch@

Daemon
Developer

Thanks: 613
Messages: 1,773

#7
Interesting. I can't remember what I saw in the jail. After I upgraded my router I didn't need to run OpenVPN in a jail on my NAS anymore, so it's been on my FreeBSD router running on the host. The "Opened by" seems to show what I would expect for OpenVPN having the device open, and the fact that it works seems a good sign. Perhaps the original poster may have his output to show.
 