How to add a jailed server to OpenVPN?

ghostcorps

Well-Known Member


Hi Guys

I have just put my host server behind OpenVPN, but now I am trying to work out how to add a jailed server to the virtual LAN.

Here is the output of ifconfig

Code:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        Opened by PID 95424
From what I have read I thought that I could simply add this line to the jailed server's config:

/etc/rc.conf
Code:
ifconfig_tap0="inet 192.168.254.2 netmask 255.255.255.0"
Then

Code:
# /etc/rc.d/netif restart
Followed by

Code:
# /etc/rc.d/routing restart


But after doing this I still can not contact the jailed server over the VPN.


Here is the output of ifconfig on the jailed server after doing the above:

Code:
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        Opened by PID 95424
What have I done wrong?


Thanks for your time :)
 

SirDice

Administrator
Staff member
Moderator

You can't set a jail's IP address from within the jail itself.
 

SirDice

Administrator
Staff member
Moderator

Your jail already has an IP address. Just fix the routing on the host and the traffic will be correctly sent to the jail.
 

ghostcorps

Well-Known Member


Hmmm

The only IP assigned is the external IP; I am not using NAT. The traffic is currently going to and from the jailed server. It's just that once I am inside the VPN, the jailed server does not exist.

Or am I missing the point of what you are trying to tell me? If so: sorry, and thanks for your patience :)
 

Zare

Well-Known Member


If you're using a bridged VPN without the tap device being bridged or directly connected to a DHCP server that can provide addresses from the desired subnet, you need to set up an ifconfig-pool. In either case, the jailed instance's IP should be on the same subnet as the one used on the tap device / clients.
 

ghostcorps

Well-Known Member


Hi Zare

I have been trying to find examples of an ifconfig-pool, but I can't find any.

Do you have one you could show me so I can, perhaps, get my head around it?

Thanks :)
 

ghostcorps

Well-Known Member


Hi Again,

For lack of any better suggestions, I have installed OpenVPN on the jailed server and am setting it up as a client with peer-to-peer enabled. It is not ideal, but it is all I can think of :( Now I have a new issue... after starting OpenVPN on the new client I get this error:

/var/log/openvpn.log
Code:
Tue May 31 01:12:50 2011 OpenVPN 2.1.1 amd64-portbld-freebsd8.1 [SSL] [LZO2] built on May 31 2011
Tue May 31 01:12:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 31 01:12:50 2011 LZO compression initialized
Tue May 31 01:12:50 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 31 01:12:50 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue May 31 01:12:50 2011 Local Options hash (VER=V4): 'd79ca330'
Tue May 31 01:12:50 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue May 31 01:12:50 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue May 31 01:12:50 2011 UDPv4 link local: [undef]
Tue May 31 01:12:50 2011 UDPv4 link remote: xxx.xxx.xxx.x12:1194
Tue May 31 01:12:50 2011 TLS: Initial packet from xxx.xxx.xxx.x12:1194, sid=8f16ab2d 28e9b9bf
Tue May 31 01:12:50 2011 VERIFY OK: depth=1, /C=AU/ST=CA/L=Melbourne/O=none/CN=vpnserver/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 VERIFY OK: nsCertType=SERVER
Tue May 31 01:12:50 2011 VERIFY OK: depth=0, /C=AU/ST=CA/L=Melbourne/O=none/CN=xxx.com/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 31 01:12:50 2011 [xxx.com] Peer Connection Initiated with xxx.xxx.xxx.x12:2501
Tue May 31 01:12:52 2011 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
Tue May 31 01:12:52 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.3 255.255.255.0'
Tue May 31 01:12:52 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: route-related options modified
openvpn: writing to routing socket: No such process
Tue May 31 01:12:52 2011 Cannot allocate TUN/TAP dev dynamically
Tue May 31 01:12:52 2011 Exiting
 

ghostcorps

Well-Known Member


This really isn't fun anymore :(

Can someone please give me the answer? Obviously it is simple, or else there would be detailed info about doing it, but I can't see it...

To date:

  • Adding the jail as a client does not work

  • Adding another IP to the jail's rc.conf does not work

  • Adding the jail to the ifconfig_pool using ipp.txt does not work

I should be able to assign the extra IP to the jail in the host's rc.conf jail configuration, but this is where I get unstuck... :(

I am getting desperate.. please help :S
 

ghostcorps

Well-Known Member


With some more help from Jailed I have finally sorted this out.

In the host's rc.conf I added this line:
Code:
jail_webserver_ip_multi0="tap0|192.168.254.2 mtu 1500 netmask 255.255.255.0"
Basically it is as suggested in the tutorial above, but changing tun0 to tap0. Then in /usr/local/etc/openvpn/server.conf I uncommented and amended these lines to my purpose:

Code:
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.254.2 255.255.255.0
And finally in /usr/local/etc/openvpn/ccd/webserver I added this line:

Code:
ifconfig-push 192.168.254.2
As suspected it was very simple. :) Thanks to Jailed :) He is a star!
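The setup above only works when three independently edited pieces agree: the jail's tap0 alias in the host's rc.conf, the ifconfig-push address in the client's ccd file, and the host's own tap0 address/netmask. The following script is an added consistency check written for this thread, not the poster's code; the rc.conf line, ccd line and host tap0 values are constructed samples mirroring the final post, and netmasks are accepted in both the dotted form used in rc.conf and the 0x-hex form ifconfig prints.

```shell
#!/bin/sh
# Added example: cross-check the jail alias, the ccd ifconfig-push and the host tap0
# address so that a typo in any one of them is caught before restarting the jail/VPN.

# Constructed sample inputs mirroring the thread's final configuration.
RC_LINE='jail_webserver_ip_multi0="tap0|192.168.254.2 mtu 1500 netmask 255.255.255.0"'
CCD_LINE='ifconfig-push 192.168.254.2'
HOST_TAP_IP='192.168.254.1'
HOST_TAP_MASK='0xffffff00'   # as shown by ifconfig on the host

# Dotted-quad IPv4 address -> unsigned integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask in either 0xffffff00 or 255.255.255.0 form -> unsigned integer.
mask_to_int() {
    case $1 in
        0x*) echo $(( $1 )) ;;
        *)   ip_to_int "$1" ;;
    esac
}

# Usage: check_jail_vpn RC_LINE CCD_LINE HOST_TAP_IP HOST_TAP_MASK
# Prints "ok" when everything agrees, otherwise a one-line reason; exit status matches.
check_jail_vpn() {
    jail_ip=$(printf '%s\n' "$1" | sed -n 's/.*="tap0|\([0-9.]*\) .*/\1/p')
    jail_mask=$(printf '%s\n' "$1" | sed -n 's/.*netmask \([^"]*\)".*/\1/p')
    ccd_ip=$(printf '%s\n' "$2" | awk '$1 == "ifconfig-push" { print $2 }')
    [ -n "$jail_ip" ] || { echo "no tap0 alias in rc.conf line"; return 1; }
    [ -n "$ccd_ip" ]  || { echo "no ifconfig-push in ccd file"; return 1; }
    [ "$jail_ip" = "$ccd_ip" ] || { echo "jail alias $jail_ip != ifconfig-push $ccd_ip"; return 1; }
    [ "$jail_ip" != "$3" ]     || { echo "jail address collides with host tap0 $3"; return 1; }
    m=$(mask_to_int "$4")
    [ "$m" = "$(mask_to_int "$jail_mask")" ] || { echo "netmask mismatch: $jail_mask vs $4"; return 1; }
    # Same subnet test: both addresses masked must give the same network number.
    if [ $(( $(ip_to_int "$jail_ip") & m )) -ne $(( $(ip_to_int "$3") & m )) ]; then
        echo "$jail_ip is not in the tap0 subnet of $3/$4"; return 1
    fi
    echo ok
}

check_jail_vpn "$RC_LINE" "$CCD_LINE" "$HOST_TAP_IP" "$HOST_TAP_MASK"
```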
 