Restarting OpenVPN in jail erases tun0 configuration

ZeWaren

New Member


#1
Hi all,

I'm trying to use OpenVPN in a jail. I mostly used the guide at http://forums.freebsd.org:8080/showthread.php?p=136028 to achieve my setup. When started normally, the service is working perfectly.

My problem is: when openvpn is restarted in the jail (/usr/local/etc/rc.d/openvpn restart), the configuration set by the host for the interface tun0 is erased, and so the service stops working.

My openvpn network is 10.42.0.0/24. Openvpn is configured in routed mode.

On boot, or when the jail is restarted, everything is fine:
Code:
server# ifconfig tun0
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.42.0.1 --> 10.42.0.2 netmask 0xff000000
        Opened by PID 15213

server# netstat -rn | grep 10.42
10.42.0.0/24       10.42.0.1          US          0     4510   tun0
10.42.0.1          link#6             UHS         1       52    lo0
10.42.0.2          link#6             UH          0        0   tun0
Now if I restart openvpn in the jail:
Code:
jail# /usr/local/etc/rc.d/openvpn restart
Stopping openvpn.
Starting openvpn.
The network configuration is gone, and the VPN stops working.
Code:
server# ifconfig tun0
tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 29732

server# netstat -rn | grep 10.42
10.42.0.1          link#6             UHS         0       52    lo0
If I set the configuration manually, everything starts working again.
Code:
server# ifconfig tun0 10.42.0.1 10.42.0.2
server# route add -net 10.42.0.0/24 10.42.0.1
add net 10.42.0.0: gateway 10.42.0.1
########

Here is what happens in the logs:
Code:
server# tail /var/log/messages
Nov 25 10:13:04 server kernel: tun0: link state changed to DOWN
Nov 25 10:13:04 server kernel: tun0: link state changed to UP
Code:
jail# cat /var/log/openvpn.log
Fri Nov 25 10:40:51 2011 us=3100 670 variation(s) on previous 20 message(s) suppressed by --mute
Fri Nov 25 10:40:51 2011 us=3173 TCP/UDP: Closing socket
Fri Nov 25 10:40:51 2011 us=3233 Closing TUN/TAP interface
Fri Nov 25 10:40:51 2011 us=3393 PID packet_id_free
Fri Nov 25 10:40:51 2011 us=3500 SIGTERM[hard,] received, process exiting
Fri Nov 25 10:40:51 2011 us=20640 Current Parameter Settings:
Fri Nov 25 10:40:51 2011 us=21074   config = '/usr/local/etc/openvpn/server.conf'
Fri Nov 25 10:40:51 2011 us=21109   mode = 1
Fri Nov 25 10:40:51 2011 us=21193   show_ciphers = DISABLED
Fri Nov 25 10:40:51 2011 us=21242   show_digests = DISABLED
Fri Nov 25 10:40:51 2011 us=21285   show_engines = DISABLED
Fri Nov 25 10:40:51 2011 us=21328   genkey = DISABLED
Fri Nov 25 10:40:51 2011 us=21373   key_pass_file = '[UNDEF]'
Fri Nov 25 10:40:51 2011 us=21407   show_tls_ciphers = DISABLED
Fri Nov 25 10:40:51 2011 us=21458 Connection profiles [default]:
Fri Nov 25 10:40:51 2011 us=21501   proto = tcp-server
Fri Nov 25 10:40:51 2011 us=21555   local = '10.2.0.141'
Fri Nov 25 10:40:51 2011 us=21601   local_port = 1194
Fri Nov 25 10:40:51 2011 us=21650   remote = '[UNDEF]'
Fri Nov 25 10:40:51 2011 us=21696   remote_port = 1194
Fri Nov 25 10:40:51 2011 us=21744   remote_float = DISABLED
Fri Nov 25 10:40:51 2011 us=21790   bind_defined = DISABLED
Fri Nov 25 10:40:51 2011 us=21838   bind_local = ENABLED
Fri Nov 25 10:40:51 2011 us=21872   connect_retry_seconds = 5
Fri Nov 25 10:40:51 2011 us=21922   connect_timeout = 10
Fri Nov 25 10:40:51 2011 us=21962 NOTE: --mute triggered...
Fri Nov 25 10:40:51 2011 us=22025 197 variation(s) on previous 20 message(s) suppressed by --mute
Fri Nov 25 10:40:51 2011 us=22077 OpenVPN 2.2.1 amd64-portbld-freebsd8.2 [SSL] [LZO2] [eurephia] built on Nov 23 2011
openvpn: writing to routing socket: No such process
Fri Nov 25 10:40:51 2011 us=22470 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Nov 25 10:40:51 2011 us=25198 Diffie-Hellman initialized with 1024 bit key
Fri Nov 25 10:40:51 2011 us=26458 PRNG init md=SHA1 size=36
Fri Nov 25 10:40:51 2011 us=26510 MTU DYNAMIC mtu=0, flags=1, 0 -> 140
Fri Nov 25 10:40:51 2011 us=26548 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Fri Nov 25 10:40:51 2011 us=26608 MTU DYNAMIC mtu=1450, flags=2, 1544 -> 1450
Fri Nov 25 10:40:51 2011 us=26700 Socket Buffers: R=[65536->65536] S=[32768->65536]
openvpn: writing to routing socket: No such process
openvpn: writing to routing socket: No such process
Fri Nov 25 10:40:51 2011 us=27292 ROUTE: default_gateway=UNDEF
Fri Nov 25 10:40:51 2011 us=27405 TUN/TAP device /dev/tun0 opened
Fri Nov 25 10:40:51 2011 us=27475 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Nov 25 10:40:51 2011 us=29384 GID set to openvpn
Fri Nov 25 10:40:51 2011 us=29680 UID set to openvpn
Fri Nov 25 10:40:51 2011 us=29819 STREAM: RESET
Fri Nov 25 10:40:51 2011 us=29857 STREAM: INIT maxlen=1544
Fri Nov 25 10:40:51 2011 us=30022 Listening for incoming TCP connection on 10.2.0.141:1194
Fri Nov 25 10:40:51 2011 us=30122 TCPv4_SERVER link local (bound): 10.2.0.141:1194
Fri Nov 25 10:40:51 2011 us=30177 TCPv4_SERVER link remote: [undef]
Fri Nov 25 10:40:51 2011 us=30234 MULTI: multi_init called, r=256 v=256
Fri Nov 25 10:40:51 2011 us=30349 IFCONFIG POOL: base=10.42.0.4 size=62
Fri Nov 25 10:40:51 2011 us=30431 IFCONFIG POOL LIST
Fri Nov 25 10:40:51 2011 us=30480 test,10.42.0.4
Fri Nov 25 10:40:51 2011 us=30523 zewaren,10.42.0.8
Fri Nov 25 10:40:51 2011 us=30575 PO_INIT maxevents=1028 flags=0x00000000
Fri Nov 25 10:40:51 2011 us=30643 MULTI: TCP INIT maxclients=1024 maxevents=1028
Fri Nov 25 10:40:51 2011 us=30721 Initialization Sequence Completed
Fri Nov 25 10:40:51 2011 us=30767 SCHEDULE: schedule_find_least NULL
Fri Nov 25 10:40:51 2011 us=30891 PO_CTL rwflags=0x0001 ev=5 arg=0x00000001
Fri Nov 25 10:40:51 2011 us=30969 PO_CTL rwflags=0x0001 ev=6 arg=0x00000002
Fri Nov 25 10:41:01 2011 us=32257 MULTI: REAP range 0 -> 16
Fri Nov 25 10:41:01 2011 us=32596 MULTI TCP: multi_tcp_action a=TA_TIMEOUT p=0
Fri Nov 25 10:41:01 2011 us=32625 MULTI TCP: multi_tcp_dispatch a=TA_TIMEOUT mi=0x00000000
Fri Nov 25 10:41:01 2011 us=32649 MULTI TCP: multi_tcp_post TA_TIMEOUT -> TA_UNDEF
Fri Nov 25 10:41:01 2011 us=32672 SCHEDULE: schedule_find_least NULL
#########

Here is the relevant content of some configuration files:

/etc/rc.conf:
Code:
cloned_interfaces="tun0"
ifconfig_tun0="10.42.0.1 10.42.0.2"

...
jail_jailname_ip_multi0="tun0|10.42.0.1 10.42.0.2 mtu 1500 netmask 255.255.255.255"
jail_jailname_devfs_ruleset="devfsrules_jail_jailname"
/etc/devfs.rules:
Code:
[devfsrules_unhide_tun=10]
add path tun0 unhide

[devfsrules_jail_jailname=11]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
/usr/local/etc/openvpn/server.conf:
Code:
local [jail_ip]
port 1194
proto tcp
dev tun0

server 10.42.0.0 255.255.255.0
push "dhcp-option DNS [internet_dns1]"
push "dhcp-option DNS [internet_dns2]"
push "redirect-gateway def1"
ifconfig-pool-persist /var/tmp/openvpn.pool
ifconfig-noexec
route-noexec

ca ca-openvpn.crt
cert crt-openvpn.crt
key key-openvpn.key
dh dh1024.pem

keepalive 10 120
comp-lzo
client-to-client
user openvpn
group openvpn
persist-key
persist-tun
script-security 2

status /var/tmp/openvpn.status
log-append /var/log/openvpn.log
verb 9
mute 20
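One host-side way to detect the state shown above (tun0 without its inet line and the 10.42.0.0/24 route gone after OpenVPN closes /dev/tun0 inside the jail) and reapply the values from rc.conf. This is an added example and not part of the original post: the helper names, the TUN_RESTORE_RUN switch and the embedded sample text are this example's own; the addresses and interface are the ones quoted in the thread. The decision logic works on captured text, so it can be exercised without touching a real interface; restore_tun itself has to run on the host as root (for instance from cron or from a wrapper around the jail's openvpn restart).

```shell
#!/bin/sh
# Check that the address and route OpenVPN's tun interface needs are still
# present on the host, and reapply them when a restart inside the jail has
# cleared them. Values below are the ones quoted in the thread.

IFACE="tun0"
LOCAL_IP="10.42.0.1"
REMOTE_IP="10.42.0.2"
VPN_NET="10.42.0.0/24"

# Constructed sample text, copied from the thread's "after restart" output,
# so the logic can be demonstrated offline.
SAMPLE_IFCONFIG_AFTER_RESTART='tun0: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        Opened by PID 29732'
SAMPLE_NETSTAT_AFTER_RESTART='10.42.0.1          link#6             UHS         0       52    lo0'

# tun_has_inet IFCONFIG_TEXT LOCAL REMOTE
# Returns 0 when the ifconfig text carries the expected point-to-point
# inet line, 1 otherwise. Fixed-string match, so the "-->" is taken literally.
tun_has_inet() {
    printf '%s\n' "$1" | grep -qF -- "inet $2 --> $3"
}

# route_present NETSTAT_TEXT NET GATEWAY
# Returns 0 when the routing table text lists NET via GATEWAY.
route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v gw="$3" \
        '$1 == net && $2 == gw { found = 1 } END { exit (found ? 0 : 1) }'
}

# missing_parts IFCONFIG_TEXT NETSTAT_TEXT LOCAL REMOTE NET
# Prints "ok", "inet", "route" or "inet route" depending on what is absent.
# Pure function over text, which is what makes the check testable.
missing_parts() {
    _missing=""
    tun_has_inet "$1" "$3" "$4" || _missing="inet"
    route_present "$2" "$5" "$3" || _missing="${_missing:+$_missing }route"
    printf '%s' "${_missing:-ok}"
}

# What the checker concludes for the thread's post-restart output.
demo_after_restart() {
    missing_parts "$SAMPLE_IFCONFIG_AFTER_RESTART" "$SAMPLE_NETSTAT_AFTER_RESTART" \
        "$LOCAL_IP" "$REMOTE_IP" "$VPN_NET"
}

# Inspect the live interface and reapply only what is missing.
# Must run on the host as root; the jail cannot configure interfaces.
restore_tun() {
    _ifc=$(ifconfig "$IFACE" 2>/dev/null) || {
        echo "$IFACE: no such interface" >&2
        return 1
    }
    _rt=$(netstat -rn)
    _todo=$(missing_parts "$_ifc" "$_rt" "$LOCAL_IP" "$REMOTE_IP" "$VPN_NET")
    [ "$_todo" = ok ] && return 0
    case "$_todo" in *inet*)  ifconfig "$IFACE" "$LOCAL_IP" "$REMOTE_IP" ;; esac
    case "$_todo" in *route*) route add -net "$VPN_NET" "$LOCAL_IP" ;; esac
    logger -t tun-restore "restored $_todo on $IFACE"
}

# Only touch the system when explicitly asked (TUN_RESTORE_RUN=1 ./tun-restore.sh),
# so the file can also be sourced just for its functions.
if [ "${TUN_RESTORE_RUN:-0}" = 1 ]; then
    restore_tun
fi
```

Reapplying only the missing pieces keeps the script idempotent, so it is safe to run repeatedly; the ordering (address first, then the network route through it) matches the manual fix in the post, where the route add fails unless 10.42.0.1 is already on the interface.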
 

FireWolf

New Member


#2
Same problem, solved with patch.

FreeBSD-9.1-PRE

In ezjail:
export jail_vpntest_ip_access0="tun1|10.0.0.1"

Patch for /etc/rc.d/jail:

Code:
 # diff -u jail_o jail
--- jail_o    2012-12-15 20:57:16.000000000 +0700
+++ jail    2012-12-16 13:17:21.000000000 +0700
@@ -558,6 +558,21 @@
             ;;
         esac
     done
+
+    # Handle jail_xxx_ip_access
+    alias=0
+    while : ; do
+        eval _x=\"\$jail_${_jail}_ip_access${alias}\"
+        case "${_x}" in
+        "")    break ;;
+        *)    if [ "${_action}" = "add" ];then
+                jail_handle_ips_option ${_action} "${_x}"
+            fi
+            alias=$((${alias} + 1))
+            ;;
+        esac
+    done
+
 }

 jail_prestart()
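Review bot: the new loop calls jail_handle_ips_option only when _action is "add", so on the remove path it is a no-op and whatever was configured from jail_xxx_ip_access stays on the host after the jail stops. If that is the intent (the address has to survive the jail so the tun interface is not torn down with it), state it in the comment above the loop, for example `# Handle jail_xxx_ip_access: applied on start only, never removed`; if not, pass the remove action through as well. Two style points: `];then` wants a space (`]; then`), and the `"")` and `*)` arms of the case use different indentation, which makes the nesting hard to read.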

Source: http://blog.wolf-a.ru/2012/12/freebsd-openvpn-in-jail-jail-resart-vpn.html
 