How to add a jailed server to OpenVPN?

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#1
Hi Guys

I have just put my host server behind OpenVPN, but now I am trying to work out how to add a jailed server to the virtual LAN.

Here is the output of ifconfig

Code:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        Opened by PID 95424
From what I have read I thought that I could simply add this line to the jailed server's config:

/etc/rc.conf
Code:
ifconfig_tap0="inet 192.168.254.2 netmask 255.255.255.0"
Then

Code:
#/etc/rc.d/netif restart
Followed by

Code:
#/etc/rc.d/routing restart


But after doing this I still can not contact the jailed server over the VPN.


Here is the output of ifconfig on the jailed server after doing the above:

Code:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        Opened by PID 95424
What have I done wrong?


Thanks for your time :)
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 6,617
Messages: 28,158

#4
Your jail already has an IP address. Just fix the routing on the host and the traffic will be correctly sent to the jail.

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#5
Hmmm

The only IP assigned is the external IP, I am not using NAT. The traffic is currently going to and from the jailed server. It's just that once I am inside the VPN, the jailed server does not exist.

Or am I missing the point of what you are trying to tell me? If so: sorry, and thanks for your patience :)
 

Zare

Well-Known Member

Thanks: 55
Messages: 386

#6
If you're using bridged VPN without tap device being bridged or directly connected to DHCP server that can provide addresses from desired subnet, you need to set up an ifconfig-pool. In either case, jailed instance's IP should be on the same subnet as one used on tap device / clients.

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#7
Hi Zare

I have been trying to find examples of an ifconfig-pool, but I can't find any.

Do you have one you could show me so I can, perhaps, get my head around it?

Thanks :)

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#8
Hi Again,

For lack of any better suggestions, I have installed OpenVPN on the jailed server and am setting it up as a client with peer-to-peer enabled, it is not ideal, but it is all I can think of :( Now I have a new issue... after starting OpenVPN on the new client I get this error:

/var/log/openvpn.log
Code:
Tue May 31 01:12:50 2011 OpenVPN 2.1.1 amd64-portbld-freebsd8.1 [SSL] [LZO2] built on May 31 2011
Tue May 31 01:12:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 31 01:12:50 2011 LZO compression initialized
Tue May 31 01:12:50 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 31 01:12:50 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue May 31 01:12:50 2011 Local Options hash (VER=V4): 'd79ca330'
Tue May 31 01:12:50 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue May 31 01:12:50 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue May 31 01:12:50 2011 UDPv4 link local: [undef]
Tue May 31 01:12:50 2011 UDPv4 link remote: xxx.xxx.xxx.x12:1194
Tue May 31 01:12:50 2011 TLS: Initial packet from xxx.xxx.xxx.x12:1194, sid=8f16ab2d 28e9b9bf
Tue May 31 01:12:50 2011 VERIFY OK: depth=1, /C=AU/ST=CA/L=Melbourne/O=none/CN=vpnserver/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 VERIFY OK: nsCertType=SERVER
Tue May 31 01:12:50 2011 VERIFY OK: depth=0, /C=AU/ST=CA/L=Melbourne/O=none/CN=xxx.com/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 31 01:12:50 2011 [xxx.com] Peer Connection Initiated with xxx.xxx.xxx.x12:2501
Tue May 31 01:12:52 2011 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
Tue May 31 01:12:52 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.3 255.255.255.0'
Tue May 31 01:12:52 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: route-related options modified
openvpn: writing to routing socket: No such process
Tue May 31 01:12:52 2011 Cannot allocate TUN/TAP dev dynamically
Tue May 31 01:12:52 2011 Exiting
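An added example, not from the thread or from OpenVPN: a small POSIX sh triage script for client logs of the kind posted above. It pulls out what the server pushed (the ifconfig address and the route-gateway) and flags the line that actually ended the session, "Cannot allocate TUN/TAP dev dynamically"; the routing-socket message and the OPTIONS IMPORT lines are noise by comparison. The sample log is constructed from the lines in the post, with the poster's masking kept. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): extract the pushed options from an
# OpenVPN client log and flag the fatal device error.

# Constructed sample, taken from the lines shown in the post above.
sample_log() {
cat <<'EOF'
Tue May 31 01:12:52 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.3 255.255.255.0'
Tue May 31 01:12:52 2011 OPTIONS IMPORT: --ifconfig/up options modified
openvpn: writing to routing socket: No such process
Tue May 31 01:12:52 2011 Cannot allocate TUN/TAP dev dynamically
Tue May 31 01:12:52 2011 Exiting
EOF
}

# Address and netmask the server pushed with --ifconfig (empty if none).
pushed_ifconfig() {
    sed -n 's/.*PUSH_REPLY.*ifconfig \([0-9.]* [0-9.]*\).*/\1/p'
}

# Gateway the server pushed with --route-gateway (empty if none).
pushed_route_gateway() {
    sed -n 's/.*PUSH_REPLY.*route-gateway \([0-9.]*\).*/\1/p'
}

# Exit 0 when the client failed to create its tun/tap device. Inside a jail
# this is the line to look for: the client got its address from the server
# but had no device to put it on, which is why #11 ends up putting the
# address on the host's tap0 instead of running a client in the jail.
device_alloc_failed() {
    grep -q 'Cannot allocate TUN/TAP dev dynamically'
}

# One-line verdict for the log on stdin; returns 1 on the fatal case.
triage() {
    log=$(cat)
    ifc=$(printf '%s\n' "$log" | pushed_ifconfig)
    gw=$(printf '%s\n' "$log" | pushed_route_gateway)
    if printf '%s\n' "$log" | device_alloc_failed; then
        echo "FATAL: no tun/tap device (pushed ifconfig '${ifc:-none}', gateway '${gw:-none}')"
        return 1
    fi
    echo "OK: ifconfig '${ifc:-none}', gateway '${gw:-none}'"
}

# Usage: sample_log | triage
```

Run it against a real log with `triage < /var/log/openvpn.log`; the exit status is 1 whenever the device could not be created, so it can sit in a cron job or a monitoring check.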

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#10
This really isn't fun anymore :(

Can someone please give me the answer? Obviously it is simple, or else there would be detailed info about doing it, but I can't see it...

To date:

  • Adding the jail as a client does not work

  • Adding another IP to the jail's rc.conf does not work

  • Adding the jail to the ifconfig_pool using ipp.txt does not work

I should be able to assign the extra IP to the jail in the host's rc.conf jail configurations, but this is where I get unstuck... :(

I am getting desperate.. please help :S

ghostcorps

Well-Known Member

Thanks: 2
Messages: 295

#11
With some more help from Jailed I have finally sorted this out.

In the host's rc.conf I added this line:
Code:
jail_webserver_ip_multi0="tap0|192.168.254.2 mtu 1500 netmask 255.255.255.0"
Basically it is as suggested in the tutorial above, but changing tun0 for tap0. Then in /usr/local/etc/openvpn/server.conf I uncommented and amended these lines to my purpose:

Code:
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.254.2 255.255.255.0
And finally in /usr/local/etc/openvpn/ccd/webserver I added this line:

Code:
ifconfig-push 192.168.254.2
As suspected it was very simple. :) Thanks to Jailed :) He is a star!
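An added example, not from the thread: a POSIX sh helper that does the one check Zare asked for in #6 (the jail's VPN address must be on the same subnet as the host's tap0) before emitting the three fragments from #11 for a given jail. It differs from the post in two places, both deliberate: the `route` line uses the network address rather than the jail's host address, and the ccd line carries the netmask as well, which is what `ifconfig-push` takes as its second argument on a tap interface. The jail name, interface and addresses are arguments; the values in the usage call are constructed to match the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): validate a jail's VPN address against
# the host's tap subnet, then print the rc.conf / server.conf / ccd fragments.

# Dotted quad -> integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s\n' $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# Integer -> dotted quad.
int_to_ip() {
    printf '%s.%s.%s.%s\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# 0 when $1 is a well-formed IPv4 address: four octets, each 0..255.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# 0 when addresses $1 and $3 share a network under netmask $2.
same_subnet() {
    [ $(( $(ip_to_int "$1") & $(ip_to_int "$2") )) -eq \
      $(( $(ip_to_int "$3") & $(ip_to_int "$2") )) ]
}

# jail_vpn_config NAME IFACE JAIL_ADDR NETMASK HOST_TAP_ADDR
# Prints the host rc.conf line, the server.conf lines and the ccd file body.
# Returns 2 on a malformed address, 3 when the jail is off the tap subnet,
# 4 when the jail address collides with the host's tap address.
jail_vpn_config() {
    jail=$1 ifn=$2 addr=$3 mask=$4 host_addr=$5
    valid_ipv4 "$addr" && valid_ipv4 "$mask" && valid_ipv4 "$host_addr" || return 2
    same_subnet "$host_addr" "$mask" "$addr" || return 3
    [ "$addr" != "$host_addr" ] || return 4
    net=$(int_to_ip $(( $(ip_to_int "$addr") & $(ip_to_int "$mask") )))
    printf '# /etc/rc.conf (host)\n'
    printf 'jail_%s_ip_multi0="%s|%s mtu 1500 netmask %s"\n\n' "$jail" "$ifn" "$addr" "$mask"
    printf '# /usr/local/etc/openvpn/server.conf\n'
    printf 'client-config-dir /usr/local/etc/openvpn/ccd\n'
    printf 'route %s %s\n\n' "$net" "$mask"
    printf '# /usr/local/etc/openvpn/ccd/%s\n' "$jail"
    printf 'ifconfig-push %s %s\n' "$addr" "$mask"
}

# Usage with the thread's values (constructed to match the posts above).
jail_vpn_config webserver tap0 192.168.254.2 255.255.255.0 192.168.254.1
```

A non-zero exit tells you which of the three mistakes from earlier in the thread you are about to repeat, before anything is written to rc.conf; the printed fragments are meant to be pasted, not applied automatically.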