Hi all,
I'm trying to use OpenVPN in a jail. I mostly used the guide at http://forums.freebsd.org:8080/showthread.php?p=136028 to achieve my setup. When started normally, the service is working perfectly.
My problem is: when openvpn is restarted in the jail (/usr/local/etc/rc.d/openvpn restart), the configuration set by the host for the interface tun0 is erased, and so the service stops working.
My openvpn network is 10.42.0.0/24. Openvpn is configured in routed mode.
On boot, or when the jail is restarted, everything is fine:
Code:
server# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
inet 10.42.0.1 --> 10.42.0.2 netmask 0xff000000
Opened by PID 15213
server# netstat -rn | grep 10.42
10.42.0.0/24 10.42.0.1 US 0 4510 tun0
10.42.0.1 link#6 UHS 1 52 lo0
10.42.0.2 link#6 UH 0 0 tun0
Now if I restart openvpn in the jail:
Code:
jail# /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Starting openvpn.
The network configuration is gone, and the VPN stops working.
Code:
server# ifconfig tun0
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
Opened by PID 29732
server# netstat -rn | grep 10.42
10.42.0.1 link#6 UHS 0 52 lo0
If I set the configuration manually, everything starts working again.
Code:
server# ifconfig tun0 10.42.0.1 10.42.0.2
server# route add -net 10.42.0.0/24 10.42.0.1
add net 10.42.0.0: gateway 10.42.0.1
########
Here is what happens in the logs:
Code:
server# tail /var/log/messages
Nov 25 10:13:04 server kernel: tun0: link state changed to DOWN
Nov 25 10:13:04 server kernel: tun0: link state changed to UP
Code:
jail# cat /var/log/openvpn.log
Fri Nov 25 10:40:51 2011 us=3100 670 variation(s) on previous 20 message(s) suppressed by --mute
Fri Nov 25 10:40:51 2011 us=3173 TCP/UDP: Closing socket
Fri Nov 25 10:40:51 2011 us=3233 Closing TUN/TAP interface
Fri Nov 25 10:40:51 2011 us=3393 PID packet_id_free
Fri Nov 25 10:40:51 2011 us=3500 SIGTERM[hard,] received, process exiting
Fri Nov 25 10:40:51 2011 us=20640 Current Parameter Settings:
Fri Nov 25 10:40:51 2011 us=21074 config = '/usr/local/etc/openvpn/server.conf'
Fri Nov 25 10:40:51 2011 us=21109 mode = 1
Fri Nov 25 10:40:51 2011 us=21193 show_ciphers = DISABLED
Fri Nov 25 10:40:51 2011 us=21242 show_digests = DISABLED
Fri Nov 25 10:40:51 2011 us=21285 show_engines = DISABLED
Fri Nov 25 10:40:51 2011 us=21328 genkey = DISABLED
Fri Nov 25 10:40:51 2011 us=21373 key_pass_file = '[UNDEF]'
Fri Nov 25 10:40:51 2011 us=21407 show_tls_ciphers = DISABLED
Fri Nov 25 10:40:51 2011 us=21458 Connection profiles [default]:
Fri Nov 25 10:40:51 2011 us=21501 proto = tcp-server
Fri Nov 25 10:40:51 2011 us=21555 local = '10.2.0.141'
Fri Nov 25 10:40:51 2011 us=21601 local_port = 1194
Fri Nov 25 10:40:51 2011 us=21650 remote = '[UNDEF]'
Fri Nov 25 10:40:51 2011 us=21696 remote_port = 1194
Fri Nov 25 10:40:51 2011 us=21744 remote_float = DISABLED
Fri Nov 25 10:40:51 2011 us=21790 bind_defined = DISABLED
Fri Nov 25 10:40:51 2011 us=21838 bind_local = ENABLED
Fri Nov 25 10:40:51 2011 us=21872 connect_retry_seconds = 5
Fri Nov 25 10:40:51 2011 us=21922 connect_timeout = 10
Fri Nov 25 10:40:51 2011 us=21962 NOTE: --mute triggered...
Fri Nov 25 10:40:51 2011 us=22025 197 variation(s) on previous 20 message(s) suppressed by --mute
Fri Nov 25 10:40:51 2011 us=22077 OpenVPN 2.2.1 amd64-portbld-freebsd8.2 [SSL] [LZO2] [eurephia] built on Nov 23 2011
openvpn: writing to routing socket: No such process
Fri Nov 25 10:40:51 2011 us=22470 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Nov 25 10:40:51 2011 us=25198 Diffie-Hellman initialized with 1024 bit key
Fri Nov 25 10:40:51 2011 us=26458 PRNG init md=SHA1 size=36
Fri Nov 25 10:40:51 2011 us=26510 MTU DYNAMIC mtu=0, flags=1, 0 -> 140
Fri Nov 25 10:40:51 2011 us=26548 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Nov 25 10:40:51 2011 us=26608 MTU DYNAMIC mtu=1450, flags=2, 1544 -> 1450
Fri Nov 25 10:40:51 2011 us=26700 Socket Buffers: R=[65536->65536] S=[32768->65536]
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
Fri Nov 25 10:40:51 2011 us=27292 ROUTE: default_gateway=UNDEF
Fri Nov 25 10:40:51 2011 us=27405 TUN/TAP device /dev/tun0 opened
Fri Nov 25 10:40:51 2011 us=27475 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 10:40:51 2011 us=29384 GID set to openvpn
Fri Nov 25 10:40:51 2011 us=29680 UID set to openvpn
Fri Nov 25 10:40:51 2011 us=29819 STREAM: RESET
Fri Nov 25 10:40:51 2011 us=29857 STREAM: INIT maxlen=1544
Fri Nov 25 10:40:51 2011 us=30022 Listening for incoming TCP connection on 10.2.0.141:1194
Fri Nov 25 10:40:51 2011 us=30122 TCPv4_SERVER link local (bound): 10.2.0.141:1194
Fri Nov 25 10:40:51 2011 us=30177 TCPv4_SERVER link remote: [undef]
Fri Nov 25 10:40:51 2011 us=30234 MULTI: multi_init called, r=256 v=256
Fri Nov 25 10:40:51 2011 us=30349 IFCONFIG POOL: base=10.42.0.4 size=62
Fri Nov 25 10:40:51 2011 us=30431 IFCONFIG POOL LIST
Fri Nov 25 10:40:51 2011 us=30480 test,10.42.0.4
Fri Nov 25 10:40:51 2011 us=30523 zewaren,10.42.0.8
Fri Nov 25 10:40:51 2011 us=30575 PO_INIT maxevents=1028 flags=0x00000000
Fri Nov 25 10:40:51 2011 us=30643 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Nov 25 10:40:51 2011 us=30721 Initialization Sequence Completed
Fri Nov 25 10:40:51 2011 us=30767 SCHEDULE: schedule_find_least NULL
Fri Nov 25 10:40:51 2011 us=30891 PO_CTL rwflags=0x0001 ev=5 arg=0x00000001
Fri Nov 25 10:40:51 2011 us=30969 PO_CTL rwflags=0x0001 ev=6 arg=0x00000002
Fri Nov 25 10:41:01 2011 us=32257 MULTI: REAP range 0 -> 16
Fri Nov 25 10:41:01 2011 us=32596 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
Fri Nov 25 10:41:01 2011 us=32625 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
Fri Nov 25 10:41:01 2011 us=32649 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
Fri Nov 25 10:41:01 2011 us=32672 SCHEDULE: schedule_find_least NULL
#########
Here is the relevant content of some configuration files:
/etc/rc.conf:
Code:
cloned_interfaces="tun0"
ifconfig_tun0="10.42.0.1 10.42.0.2"
...
jail_jailname_ip_multi0="tun0|10.42.0.1 10.42.0.2 mtu 1500 netmask 255.255.255.255"
jail_jailname_devfs_ruleset="devfsrules_jail_jailname"
/etc/devfs.rules:
Code:
[devfsrules_unhide_tun=10]
add path tun0 unhide
[devfsrules_jail_jailname=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
/usr/local/etc/openvpn/server.conf:
Code:
local [jail_ip]
port 1194
proto tcp
dev tun0
server 10.42.0.0 255.255.255.0
push "dhcp-option DNS [internet_dns1]"
push "dhcp-option DNS [internet_dns2]"
push "redirect-gateway def1"
ifconfig-pool-persist /var/tmp/openvpn.pool
ifconfig-noexec
route-noexec
ca ca-openvpn.crt
cert crt-openvpn.crt
key key-openvpn.key
dh dh1024.pem
keepalive 10 120
comp-lzo
client-to-client
user openvpn
group openvpn
persist-key
persist-tun
script-security 2
status /var/tmp/openvpn.status
log-append /var/log/openvpn.log
verb 9
mute 20
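A host-side check for the symptom described above, added here as an example (it is not code from the post or from the linked guide): it parses the same `ifconfig tun0` and `netstat -rn` output the post shows and, when the address or the route is missing, re-runs the two commands the post uses to restore service by hand. The script name, the `run` argument and running it from cron on the host are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post: a host-side watchdog that
# re-applies the tun0 address and route after the jailed openvpn restart
# has cleared them. Addresses, network and commands come from the post;
# the script itself and how it is scheduled (cron on the host) are assumed.
set -u

TUN_IF="tun0"
TUN_LOCAL="10.42.0.1"
TUN_REMOTE="10.42.0.2"
TUN_NET="10.42.0.0/24"

# tun_has_addr: reads `ifconfig tun0` output on stdin and succeeds only
# when the point-to-point inet line with the expected addresses is present.
tun_has_addr() {
    grep -qF "inet ${TUN_LOCAL} --> ${TUN_REMOTE}"
}

# tun_has_route: reads `netstat -rn` output on stdin and succeeds only when
# the VPN network route via the local tun address still points at tun0.
tun_has_route() {
    awk -v net="$TUN_NET" -v gw="$TUN_LOCAL" -v ifn="$TUN_IF" \
        '$1 == net && $2 == gw && $NF == ifn { found = 1 } END { exit !found }'
}

# restore_tun: the same two commands the post shows restoring the VPN by hand;
# the route is only added when it is actually missing.
restore_tun() {
    ifconfig "$TUN_IF" "$TUN_LOCAL" "$TUN_REMOTE" || return 1
    netstat -rn | tun_has_route || route add -net "$TUN_NET" "$TUN_LOCAL"
}

# check_and_restore: inspect the live host state and repair it if needed;
# returns 0 when the interface is (or is again) configured, 1 on failure.
check_and_restore() {
    if ifconfig "$TUN_IF" | tun_has_addr && netstat -rn | tun_has_route; then
        return 0
    fi
    echo "${TUN_IF}: host configuration missing, restoring" >&2
    restore_tun
}

# Run the check only when invoked as `tun0-watch.sh run`, so the functions
# can also be sourced or tested without touching the network.
case "${1:-}" in
    run) check_and_restore ;;
esac
```

Run it as root on the host (not inside the jail), for example every minute from the host's crontab, so the interface is repaired shortly after any restart of openvpn in the jail.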