Jails unable to access network through VPN

I have a feeling this is an issue with my VPN and/or router not being set up to properly direct traffic rather than with FreeBSD itself, but I don't know where exactly that would be occurring or how to debug to figure that out, so I'm hoping that even if that does wind up being the case, y'all can still help me get to the next step (and give the next people more info to go off of).

My setup revolves around a single, everyday-use workstation that I'm working on getting FreeBSD up on (after Gentoo's anti-systemd walls have started showing signs of crumbling). I like the idea of using jails to provide another layer of security around network and/or untrusted applications by hiding the majority of the system from view. However, I also route nearly all of my network use through a VPN (AirVPN) since I, A, don't trust my local internet provider and, B, follow the school of thought that if everything is obscured then they can't tell when I'm doing anything specifically suspicious (which is actually rare, but...)

When I've disconnected the VPN, I can successfully access the internet through my jails:

Code:
# ping -c 5 airvpn.org
PING airvpn.org (5.196.64.52): 56 data bytes
64 bytes from 5.196.64.52: icmp_seq=0 ttl=49 time=164.626 ms
64 bytes from 5.196.64.52: icmp_seq=1 ttl=49 time=243.320 ms
64 bytes from 5.196.64.52: icmp_seq=2 ttl=49 time=165.525 ms
64 bytes from 5.196.64.52: icmp_seq=3 ttl=49 time=167.484 ms
64 bytes from 5.196.64.52: icmp_seq=4 ttl=49 time=182.517 ms

--- airvpn.org ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 164.626/184.695/243.320/30.027 ms
# cat /usr/local/bastille/jails/browser/jail.conf
browser {
  devfs_ruleset = 4;
  enforce_statfs = 2;
  exec.clean;
  exec.consolelog = /var/log/bastille/browser_console.log;
  exec.start = '/bin/sh /etc/rc';
  exec.stop = '/bin/sh /etc/rc.shutdown';
  host.hostname = browser;
  mount.devfs;
  mount.fstab = /usr/local/bastille/jails/browser/fstab;
  path = /usr/local/bastille/jails/browser/root;
  securelevel = 2;
  osrelease = 14.1-RELEASE;

  interface = wlan0;
  ip4.addr = 192.168.3.0;
 
  ip6 = disable;

  allow.raw_sockets = 1;
}
# bastille start browser
[browser]:
browser: created

# ifconfig
re0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=60251b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6>
        ether XX:XX:XX:XX:XX:XX
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=0
        ether XX:XX:XX:XX:XX:XX
        inet 192.168.0.17 netmask 0xffffff00 broadcast 192.168.0.255
        inet 192.168.3.0 netmask 0xffffffff broadcast 192.168.3.0
        groups: wlan
        ssid NetworkName channel 11 (2462 MHz 11g) bssid XX:XX:XX:XX:XX:XX
        regdomain FCC country US authmode WPA2/802.11i privacy ON
        deftxkey UNDEF AES-CCM 2:128-bit txpower 30 bmiss 7 scanvalid 60
        protmode CTS wme roaming MANUAL
        parent interface: iwlwifi0
        media: IEEE 802.11 Wireless Ethernet DS/1Mbps mode 11g
        status: associated
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
# bastille cmd browser ping -c 5 airvpn.org
[browser]:
PING airvpn.org (5.196.64.52): 56 data bytes
64 bytes from 5.196.64.52: icmp_seq=0 ttl=49 time=167.029 ms
64 bytes from 5.196.64.52: icmp_seq=1 ttl=49 time=170.183 ms
64 bytes from 5.196.64.52: icmp_seq=2 ttl=49 time=168.040 ms
64 bytes from 5.196.64.52: icmp_seq=3 ttl=49 time=164.554 ms
64 bytes from 5.196.64.52: icmp_seq=4 ttl=49 time=168.072 ms

--- airvpn.org ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 164.554/167.576/170.183/1.827 ms
[browser]: 0

(The bastille0 interface is a remnant of other experiments trying to get this to work.) However, when I do go through the VPN, the jails specifically have trouble connecting:

Code:
# service openvpn_airvpn start
Starting openvpn_airvpn.

# ping -c 5 airvpn.org
PING airvpn.org (5.196.64.52): 56 data bytes
64 bytes from 5.196.64.52: icmp_seq=0 ttl=53 time=154.249 ms
64 bytes from 5.196.64.52: icmp_seq=1 ttl=53 time=157.023 ms
64 bytes from 5.196.64.52: icmp_seq=2 ttl=53 time=184.651 ms
64 bytes from 5.196.64.52: icmp_seq=3 ttl=53 time=157.114 ms
64 bytes from 5.196.64.52: icmp_seq=4 ttl=53 time=157.086 ms

--- airvpn.org ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 154.249/162.025/184.651/11.366 ms
# bastille stop browser
[browser]:
browser: removed

# sed -e 's/wlan0/tun0/' -i .bak /usr/local/bastille/jails/browser/jail.conf
# bastille start browser
[browser]:
browser: created

# ifconfig
re0: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=60251b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,LRO,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6>
        ether XX:XX:XX:XX:XX:XX
        media: Ethernet autoselect
        status: no carrier
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
bastille0: flags=8008<LOOPBACK,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=0
        ether XX:XX:XX:XX:XX:XX
        inet 192.168.0.17 netmask 0xffffff00 broadcast 192.168.0.255
        groups: wlan
        ssid Sindrataro channel 11 (2462 MHz 11g) bssid XX:XX:XX:XX:XX:XX
        regdomain FCC country US authmode WPA2/802.11i privacy ON
        deftxkey UNDEF AES-CCM 2:128-bit txpower 30 bmiss 7 scanvalid 60
        protmode CTS wme roaming MANUAL
        parent interface: iwlwifi0
        media: IEEE 802.11 Wireless Ethernet DS/1Mbps mode 11g
        status: associated
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
tun0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.68.XX.XX netmask 0xffffff00 broadcast 10.68.XX.255
        inet 192.168.3.0 netmask 0xffffffff broadcast 192.168.3.0
        inet6 XX:XX:XX:XX:XX:XX prefixlen 64
        inet6 XX:XX:XX:XX:XX:XX%tun0 prefixlen 64 scopeid 0x6
        groups: tun
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 79265
# time bastille cmd browser ping -c 5 airvpn.org
[browser]:
ping: cannot resolve airvpn.org: Address family for hostname not supported
[browser]: 68

       88.48 real         0.00 user         0.01 sys

Does anyone have an idea of what might be going on here? So far as I can tell, there's no firewall running on my router or my computer -- and while I do have a minimal pf config (again, from previous tries at following guides on this), it doesn't seem to have any effect on the outcome, good or bad. Do I need to get some form of port forwarding set up to distinguish the destinations, despite the fact that packets find their way to the jail perfectly well without the VPN? (Hopefully not; AirVPN limits the number of ports I can forward to a lower number than the number of jails I'll probably create.)
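A pf.conf for the setup described above, added here as an example and not part of the original post: it translates the jail's alias address to the tunnel address so the VPN side has a source it will answer, and drops any jail traffic that would otherwise leave over the wireless uplink when the tunnel is down. The interface names (wlan0, tun0), the jail alias 192.168.3.0 (widened to a /24 so further jails fit) and the pflog0 interface are taken from the post's output; that the missing translation is the cause of the failure is an assumption, not something the post establishes.

```pf
# Added example pf.conf (not from the original post). Macro values come from
# the post's ifconfig and jail.conf output: wlan0 is the physical uplink, tun0
# the AirVPN tunnel, 192.168.3.0 the jail's ip4.addr alias (assumed /24 here
# so additional jails can be given 192.168.3.x aliases later).
ext_if   = "wlan0"
vpn_if   = "tun0"
jail_net = "192.168.3.0/24"

# Translation rules precede filter rules in pf.conf.
# Rewrite the jail's source address to whatever address tun0 currently holds
# (the parentheses make pf re-read it whenever OpenVPN reconnects). Without
# this, packets leave tun0 with a 192.168.3.x source that the far end of the
# tunnel has no route back to, so nothing, DNS included, ever returns.
nat on $vpn_if from $jail_net to any -> ($vpn_if)

# Kill switch: jail traffic must never reach the LAN or the provider directly.
# "quick" makes this rule final, so the later pass rule cannot override it,
# and "log" sends each dropped packet to pflog0 so leaks are visible.
# The tunnel itself is unaffected: OpenVPN's own packets leave wlan0 from the
# host address 192.168.0.17, not from the jail subnet.
block drop out log quick on $ext_if from $jail_net to any

# Everything else, including the host's own traffic, is allowed; tighten as needed.
pass all
```

Check the syntax with pfctl -nf /etc/pf.conf, load it with pfctl -f /etc/pf.conf, and confirm with tcpdump -ni tun0 that a ping from the jail now leaves with the tunnel address as its source. If name resolution still fails afterwards, compare the jail's /etc/resolv.conf with the host's, since the jail keeps its own copy and does not see a resolver that was changed on the host after the jail was created.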