OpenVPN bridged configuration inside a jail fails

Hello everybody,

I've been trying to set up openvpn inside a jail using a bridged configuration (tap interface), but my config fails. The directions I've been using are for tun interfaces from this thread, and I thought that I would make them work by making a few modifications, but I was wrong.

Here's my output when I run openvpn /usr/local/etc/openvpn/server.conf as root:

Code:
Thu May 31 07:32:37 2012 OpenVPN 2.2.2 amd64-portbld-freebsd9.0 [SSL] [LZO2] [eurephia] built on May 30 2012
Thu May 31 07:32:37 2012 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
openvpn: writing to routing socket: No such process
Thu May 31 07:32:37 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Thu May 31 07:32:37 2012 Note: cannot open ipp.txt for READ/WRITE
Thu May 31 07:32:37 2012 Diffie-Hellman initialized with 2048 bit key
Thu May 31 07:32:37 2012 WARNING: file '/usr/local/etc/openvpn/keys/server.key' is group or others accessible
Thu May 31 07:32:37 2012 TLS-Auth MTU parms [ L:1590 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu May 31 07:32:37 2012 Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu May 31 07:32:37 2012 Cannot allocate TUN/TAP dev dynamically
Thu May 31 07:32:37 2012 Exiting

And here's what I've done so far:
excerpt from /etc/rc.conf on jail 0:
Code:
cloned_interfaces="tap0 tap1 tap2"

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="apache openvpn"

jail_openvpn_hostname="openvpn.lala"
jail_openvpn_rootdir="/jails/j/openvpn"
jail_openvpn_devfs_enable="YES"
jail_openvpn_ip="192.168.13.3/24"
jail_openvpn_ip_multi0="tap2|10.8.0.1 mtu 1500 netmask 255.255.255.0"
jail_openvpn_interface="tap1"

Inside my openvpn jail, the /usr/local/etc/openvpn/server.conf reads:
Code:
port 1194
proto udp
dev tap
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.8.0.1 255.255.255.0 10.8.0.100 10.8.0.200
push "route 192.168.100.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC   # AES
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 3
ifconfig-noexec

Moreover, I've changed my /etc/devfs.rules on jail 0 to allow access from inside the openvpn jail, so inside my openvpn-jail I have:

Code:
[root@openvpn-jail /]# ls -rlta /dev/tap*
crw-------  1 root  wheel  -   0,  89 23 May 11:48 /dev/tap0
crw-------  1 root  wheel  -   0, 108 30 May 14:20 /dev/tap1
crw-------  1 root  wheel  -   0, 109 30 May 14:20 /dev/tap2

and finally, inside my openvpn-jail my interfaces read:

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
	ether 00:0c:29:a2:98:85
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
pflog0: flags=0<> metric 0 mtu 33152
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
pfsync0: flags=0<> metric 0 mtu 1500
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
	syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:a4:04:00:00
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
tap1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:55:d4:a7:01
	inet 192.168.13.3 netmask 0xffffff00 broadcast 192.168.13.255
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported
tap2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	ether 00:bd:6b:d7:a7:02
	inet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255
ifconfig: socket(AF_INET6, SOCK_DGRAM): Protocol not supported

I've tried to start openvpn without reduced privileges, with no luck.

I haven't set up any bridge configuration, yet, since I am unable to even start my service. I've looked at this thread where ghostcorps has finally achieved a similar configuration to mine, but the problems he's facing are not the same as mine.

Anyone any suggestions?

Thanks in advance!
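
An added pre-flight check for this setup (example written for this page, not code from the thread or from OpenVPN). It covers the three things the log above complains about or that the thread later turns out to depend on: the private key's permissions (the "group or others accessible" warning), the net.link.tap sysctls, and which tap nodes devfs exposes inside the jail. The key path and tap2 are taken from the post; the sample listings and sysctl output are constructed (the first listing is the one posted). Run it with `--live` on the FreeBSD host or inside the jail to check the real system; without that flag it only defines the functions and sample data.

```shell
#!/bin/sh
# Pre-flight checks for running OpenVPN with "dev tap" inside a FreeBSD jail.
# Added example for this page; not the thread author's script nor OpenVPN's.
# Assumptions (illustrative, taken from the thread): the key path below and
# tap2 as the jail's tap device. Run with --live on the real host/jail.

KEY=/usr/local/etc/openvpn/keys/server.key   # path from the posted server.conf
TAPDEV=tap2                                  # the one tap node the jail needs

# key_mode_ok MODE: OpenVPN's "is group or others accessible" warning fires when
# the group/other bits (the last two octal digits) are non-zero: 600 and 0400
# pass, 640 and 644 fail.
key_mode_ok() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# tap_sysctls_ok SYSCTL_OUTPUT: parse `sysctl net.link.tap.user_open
# net.link.tap.up_on_open` output and require both to be 1.
# user_open=1 is what lets jailed root open /dev/tapN at all (it skips the
# PRIV_NET_TAP check); after that the devfs node is the only access control,
# so it must go together with a tight devfs ruleset for the jail.
tap_sysctls_ok() {
    printf '%s\n' "$1" | awk '
        $1 == "net.link.tap.user_open:"  && $2 == "1" { u = 1 }
        $1 == "net.link.tap.up_on_open:" && $2 == "1" { o = 1 }
        END { exit (u && o) ? 0 : 1 }'
}

# jail_tap_exposure LS_OUTPUT: names of the tap nodes in an `ls -l /dev/tap*`
# listing taken inside the jail, one per line.
jail_tap_exposure() {
    printf '%s\n' "$1" | awk '{ n = $NF; sub(".*/dev/", "", n)
                               if (n ~ /^tap[0-9]+$/) print n }'
}

# jail_sees_only LS_OUTPUT DEV: true when DEV is the only tap node exposed.
# The thread's jail sees tap0, tap1 and tap2, which is more than it needs.
jail_sees_only() {
    [ "$(jail_tap_exposure "$1")" = "$2" ]
}

# Constructed sample data (the first listing is the one from the post).
SAMPLE_LISTING_THREAD='crw-------  1 root  wheel  -   0,  89 23 May 11:48 /dev/tap0
crw-------  1 root  wheel  -   0, 108 30 May 14:20 /dev/tap1
crw-------  1 root  wheel  -   0, 109 30 May 14:20 /dev/tap2'
SAMPLE_LISTING_TIGHT='crw-------  1 root  wheel  -   0, 109 30 May 14:20 /dev/tap2'
SAMPLE_SYSCTL_OK='net.link.tap.user_open: 1
net.link.tap.up_on_open: 1'
SAMPLE_SYSCTL_DEFAULT='net.link.tap.user_open: 0
net.link.tap.up_on_open: 0'

# run_live: the same checks against the running system (FreeBSD only;
# stat -f %Lp prints the permission bits in octal there).
run_live() {
    [ "$(uname -s)" = FreeBSD ] || { echo "live checks need FreeBSD" >&2; return 2; }
    rc=0
    key_mode_ok "$(stat -f %Lp "$KEY")" \
        || { echo "FAIL: $KEY is group/other readable (chmod 600 it)"; rc=1; }
    tap_sysctls_ok "$(sysctl net.link.tap.user_open net.link.tap.up_on_open)" \
        || { echo "FAIL: net.link.tap.user_open / up_on_open are not both 1"; rc=1; }
    jail_sees_only "$(ls -l /dev/tap* 2>/dev/null)" "$TAPDEV" \
        || { echo "FAIL: devfs exposes tap nodes other than $TAPDEV in this jail"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

The key check matters even though OpenVPN only warns: with `user openvpn`/`group openvpn` the daemon drops privileges after reading the key, so a key readable by group or others is exposed to every other account in the jail, not just to the openvpn user.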
 
OK, I understand that, but the guide I've been following is for configuring openvpn within a jail, and throughout this procedure, interfaces are set up from outside the jail.

Which part of my configuration is trying to update the interface within the jail? Because ifconfig-noexec from my /usr/local/etc/openvpn/server.conf is supposed to mitigate this exact problem.
 
Not sure but I think it's this one:
Code:
server-bridge 10.8.0.1 255.255.255.0 10.8.0.100 10.8.0.200
 
SirDice,

First of all, thanks for your answers. Now, to your last suggestion: if I take this off, the server responds with an error:

Code:
Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.

which, I don't think is a real problem, I think this error masks the real one. If I take server-bridge out of the configuration file, and since I don't have a server option either, how will the service know what type of tunnel I wish to set up?

I think the problem is elsewhere. It's as if ifconfig-noexec option is not honored.

Thanks again!
 
As I said, I'm not sure. But your config looks different compared to the thread you referred to.

It's also possible the error is because of the route being added. A jail can't change the routing table. Routes also need to be set on the host.
 
OK,

My problem was that on my configuration I was not giving a specific interface. I changed it to include tap2. Then, I had the following error:

Code:
Fri Jun  1 07:33:33 2012 OpenVPN 2.2.2 amd64-portbld-freebsd9.0 [SSL] [LZO2] [eurephia] built on May 30 2012
Fri Jun  1 07:33:33 2012 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
openvpn: writing to routing socket: No such process
Fri Jun  1 07:33:33 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jun  1 07:33:33 2012 Diffie-Hellman initialized with 2048 bit key
Fri Jun  1 07:33:33 2012 WARNING: file '/usr/local/etc/openvpn/keys/server.key' is group or others accessible
Fri Jun  1 07:33:33 2012 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jun  1 07:33:33 2012 Socket Buffers: R=[42080->65536] S=[9216->65536]
Fri Jun  1 07:33:33 2012 Cannot open TUN/TAP dev /dev/tap2: Operation not permitted (errno=1)
Fri Jun  1 07:33:33 2012 Exiting

I then followed the thread's directions on changing the following sysctls:

Code:
net.link.tap.up_on_open: 1
net.link.tap.user_open: 1

This problem was mitigated too.

Thanks again for your help.
 
...and here we're back again.

After I rebooted the system, I realized that openvpn failed to start on boot, giving the same error as before:

Code:
Thu Jun 21 12:14:07 2012 Cannot open TUN/TAP dev /dev/tap2: Operation not permitted (errno=1)

Once the jail has started, if I run /usr/local/etc/rc.d/openvpn start inside it, openvpn starts normally. Hence, in order to address this issue, I have placed a cron job that checks if the service is up, and if not it starts it.

The strange thing is that when I run this script via /etc/rc.local, openvpn still refuses to start. Here's some info with respect to my config:

Excerpt from jail 0's /etc/rc.conf:
Code:
cloned_interfaces="tap0 tap1 tap2"
ifconfig_tap0="192.168.13.1/24"
ifconfig_tap1="up"
ifconfig_tap2="inet 10.8.0.2/24 up"   # posted as "ifocnfig_tap2"; rc.conf is sourced as shell, so a misspelled variable is silently ignored

jail_enable="YES"
jail_set_hostname_allow="NO"
jail_list="apache openvpn"

jail_openvpn_hostname="openvpn.example.com"
jail_openvpn_rootdir="/jails/j/openvpn"
jail_openvpn_devfs_enable="YES"
jail_openvpn_ip="192.168.13.3/24"
jail_openvpn_ip_multi0="tap2|10.8.0.1 mtu 1500 netmask 255.255.255.0"
jail_openvpn_interface="tap1"

I use tap0 for my apache jail, tap1 for my openvpn jail, and tap2 for the interface openvpn runs on inside the jail. Once I will manage to start openvpn smoothly, I'll bridge tap2 with my real interface.

openvpn's configuration is the same as above, and /etc/rc.conf inside the openvpn jail looks like this:

Code:
sshd_enable="YES"
syslogd_flags="-ss"
mysql_enable="YES"
hostname="openvpn.example.com"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"

Any suggestions on why the interface is not configurable when the jail starts, but works fine thereafter?

Thanks all in advance!
 
Hmmm...

after changing my /etc/rc.conf to read this:

Code:
ifconfig_em0="inet 192.168.100.13/24 up"
defaultrouter="192.168.100.1"
ifconfig_bridge0="addm em0 addm tap2 up"
cloned_interfaces="tap0 tap1 tap2 bridge0"
ifconfig_tap0="192.168.13.1/24"
ifconfig_tap1="up"
ifconfig_tap2="up"

jail_openvpn_hostname="openvpn.example.com"
jail_openvpn_rootdir="/jails/j/openvpn"
jail_openvpn_devfs_enable="YES"
jail_openvpn_ip="192.168.13.3/24"
jail_openvpn_interface="tap1"

My configuration seems to work fine (openvpn starts normally; I haven't checked whether /usr/local/etc/openvpn/server.conf works as expected. If not, I will update this thread). This way, I am not assigning any IP to tap2 (which is the interface openvpn listens on), em0 (which is my external interface) has my external IP, and bridge0 bridges those two interfaces. When I tried to assign the external IP to the bridge interface, it wouldn't work.

I still haven't figured out why my previous network configuration did not work, but since it seems that this is what I really want, I will not delve into it any deeper.
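
The host-side procedure the final rc.conf above amounts to, as an added example (written for this page, not the thread author's script or anything from the OpenVPN project): tap2 without an address, bridged to em0, the two tap sysctls, and a devfs ruleset that exposes only tap2 to the jail instead of every tap node on the host. The jail name, root directory, interface names and ruleset number 10 are assumptions matching the thread; `jail_openvpn_devfs_ruleset` is the old-style rc.d/jail variable that makes rc.d/jail apply the ruleset at boot. Without `--apply` the script only defines the functions.

```shell
#!/bin/sh
# Host-side setup for the bridged OpenVPN jail the final rc.conf above
# describes: tap2 carries no address and is bridged with em0.
# Added example for this page, not the thread author's script or OpenVPN's.
# Assumptions (illustrative): jail "openvpn" rooted at /jails/j/openvpn,
# external interface em0, bridge0, and devfs ruleset number 10.

JAIL=openvpn
JAILROOT=/jails/j/openvpn
EXTIF=em0
TAP=tap2
BRIDGE=bridge0
RULESET=10

# devfs_ruleset_text NAME NUM TAPDEV: an /etc/devfs.rules stanza that starts
# from the stock hide-all ruleset and unhides only the one tap node the jail
# needs. With net.link.tap.user_open=1 the devfs node is all that keeps the
# jail away from the host's other tap interfaces (the thread's jail saw
# tap0..tap2), so do not unhide "tap*".
devfs_ruleset_text() {
    cat <<EOF
[devfsrules_jail_$1=$2]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path $3 unhide
EOF
}

# apply_now: bring the configuration up on a running host. Persist it with the
# rc.conf lines from the post plus
#   jail_${JAIL}_devfs_ruleset="devfsrules_jail_${JAIL}"
# so rc.d/jail applies the ruleset when the jail starts.
apply_now() {
    [ "$(uname -s)" = FreeBSD ] || { echo "applies only on FreeBSD" >&2; return 2; }

    # 1. Let jailed root open the tap node (it lacks PRIV_NET_TAP) and bring
    #    the interface up on open, matching ifconfig-noexec in server.conf.
    sysctl net.link.tap.user_open=1 net.link.tap.up_on_open=1

    # 2. Interfaces: tap2 gets no address; bridge0 joins it to em0.
    ifconfig "$TAP" create 2>/dev/null || true      # may exist from rc.conf
    ifconfig "$BRIDGE" create 2>/dev/null || true
    ifconfig "$TAP" up
    ifconfig "$BRIDGE" addm "$EXTIF" addm "$TAP" up

    # 3. Install the ruleset once in /etc/devfs.rules, reload the rulesets,
    #    and apply it to the jail's /dev so only $TAP is visible there.
    grep -q "^\[devfsrules_jail_$JAIL=" /etc/devfs.rules 2>/dev/null \
        || devfs_ruleset_text "$JAIL" "$RULESET" "$TAP" >> /etc/devfs.rules
    service devfs restart
    devfs -m "$JAILROOT/dev" rule -s "$RULESET" applyset
}

if [ "${1:-}" = "--apply" ]; then
    apply_now
fi
```

Two caveats when adopting this. If if_tap is loaded as a module on your kernel, a `net.link.tap.*` line in /etc/sysctl.conf can be processed before the OID exists; loading the module from /boot/loader.conf (`if_tap_load="YES"`) avoids that. And bridging tap2 into em0 puts every VPN client on the same layer-2 segment as the host's external interface, so the pf rules on the host, not the jail, are what separate VPN clients from the rest of that LAN.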
 