Date: Fri, 23 Oct 2015 19:41:29 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID: <562AC5A9.1090106@freebsd.org>
In-Reply-To: <VI1PR06MB103785F31B74EE8553929F48F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
References: <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7147.5080002@freebsd.org> <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7F88.4070106@freebsd.org> <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A9772.5050408@freebsd.org> <VI1PR06MB1037C158EDC4CB4DB9A0E31AF9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A9D63.809@freebsd.org> <VI1PR06MB103785F31B74EE8553929F48F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
On 2015-10-23 17:25, James Lodge wrote:
> 
>> On 2015-10-23 16:45, James Lodge wrote:
>>
>>> On 2015-10-23 15:15, James Lodge wrote:
>>> On 2015-10-23 14:13, James Lodge wrote:
>>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to, but I'm having an issue with networking.
>>>>>
>>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>>
>>>>> Client ---------- public IP ---------- lo1 (Jail alias Interface) ------ tun0 (OpenVPN Interface)
>>>>> 10.8.06          x.x.x.x               172.16.1.8                         10.8.0.1
>>>>>
>>>>> OpenVPN Jail Routing Table:
>>>>>
>>>>> Internet:
>>>>> Destination        Gateway            Flags    Netif Expire
>>>>> 172.16.1.8         link#4             UH          lo1
>>>>>
>>>>> Jail Host Routing Table:
>>>>> Internet:
>>>>> Destination        Gateway            Flags    Netif Expire
>>>>> default            x.x.0.1            UGS      vtnet0
>>>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>>>> 10.8.0.1           link#5             UHS         lo0
>>>>> 10.8.0.2           link#5             UH         tun0
>>>>> x.x.0.0/18         link#1             U        vtnet0
>>>>> x.x.x.x            link#1             UHS         lo0
>>>>> localhost          link#3             UH          lo0
>>>>> 172.16.1.1         link#4             UH          lo1
>>>>> 172.16.1.2         link#4             UH          lo1
>>>>> 172.16.1.3         link#4             UH          lo1
>>>>> 172.16.1.4         link#4             UH          lo1
>>>>> 172.16.1.5         link#4             UH          lo1
>>>>> 172.16.1.6         link#4             UH          lo1
>>>>> 172.16.1.7         link#4             UH          lo1
>>>>> 172.16.1.8         link#4             UH          lo1
>>>>>
>>>>> Client Routing Table:
>>>>>
>>>>> IPv4 Route Table
>>>>> ===========================================================================
>>>>> Active Routes:
>>>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>>>           0.0.0.0          0.0.0.0         10.8.0.5       10.8.0.6      20
>>>>>          10.8.0.1  255.255.255.255         10.8.0.5       10.8.0.6      20
>>>>>          10.8.0.4  255.255.255.252          On-link       10.8.0.6     276
>>>>>          10.8.0.6  255.255.255.255          On-link       10.8.0.6     276
>>>>>          10.8.0.7  255.255.255.255          On-link       10.8.0.6     276
>>>>>
>>>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>>>
>>>>> James
>>>>>
>>>>> _______________________________________________
>>>>> freebsd-jail@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>>
>>>>
>>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>>> windows machine, and see if the packets are arriving.
>>>>>
>>>>> --
>>>>> Allan Jude
>>>>
>>>> Thank you Allan,
>>>>
>>>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>>>
>>>> Results from Host tcpdump -i tun0 -n
>>>>
>>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>>
>>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host: traffic is received.
>>>>
>>>> Results from Jail tcpdump -i tun0 -n
>>>>
>>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>>
>>>> Regards
>>>> James
>>>>
>>>> Can you include the output of 'ifconfig' from inside the jail, and
>>>> 'netstat -rn'?
>>>>
>>>> It looks like the packets are reaching you on tun0
>>>>
>>>> --
>>>> Allan Jude
>>>
>>> ifconfig from Jail
>>> ----------------------
>>>
>>> vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         ether 04:01:5d:21:c3:01
>>>         media: Ethernet 10Gbase-T <full-duplex>
>>>         status: active
>>>
>>> vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         ether 04:01:5d:21:c3:02
>>>         media: Ethernet 10Gbase-T <full-duplex>
>>>         status: active
>>>
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>
>>> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         inet 172.16.1.8 netmask 0xffffffff
>>>
>>> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>>         options=80000<LINKSTATE>
>>>         Opened by PID 9024
>>>
>>> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>>>
>>> netstat -rn from Jail
>>> ---------------------------
>>>
>>> Routing tables
>>>
>>> Internet:
>>> Destination        Gateway            Flags    Netif Expire
>>> 172.16.1.8         link#4             UH          lo1
>>>
>>> Regards
>>> James
>>>
>>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>>> addresses on tun0.
>>>
>>> Or, where are you expecting to receive the traffic?
>>>
>>> --
>>> Allan Jude
>>
>> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
>>
>> ifconfig from host
>> _______________
>>
>> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>         options=80000<LINKSTATE>
>>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         Opened by PID 9024
>>
>> Regards
>> James
>>
>> Jails are only allowed to see the IP addresses that are defined for that
>> jail, so you need to add 10.8.0.1 to the list of IP addresses for that
>> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd IP
>> after the first, separated with a comma.
>>
>> --
>> Allan Jude
> 
> Thanks Allan,
> 
> You learn something new every day!
> 
> So now ifconfig from jail
> 
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>         options=80000<LINKSTATE>
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         Opened by PID 11132
> 
> and after allowing ICMP through PF on the host I can now ping the tun0 from the client, so thank you very much for your help. One last thing you might be able to point me in the right direction of. I need to route client traffic on to the Internet. My understanding is IP forwarding can't be enabled within the jail and adding routes to the jail's routing table isn't possible either. I'm doing NAT at the host, but how do I get the traffic from inside the jail there?
> 
> Regards
> James
> 

You should be able to do:

sysrc gateway_enable="YES"

(temporarily: sysctl net.inet.ip.forwarding=1)

and that should allow packets to move between interfaces.
-- 
Allan Jude
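The root cause found in this thread, that a jail can only use the addresses listed in its own configuration, can be checked before OpenVPN is even started. The following is an added example, not code from the thread or from ezjail: a POSIX sh check that reads an ezjail jail config, tests whether the tun0 address (10.8.0.1 here) appears in the jail's IP list, and prints the corrected line with the address appended after a comma. The config format `export jail_<name>_ip="..."`, the jail name `openvpn` and the sample config itself are assumptions constructed for the example.

```shell
# Added example (not from the thread): verify an ezjail config grants the jail
# the tun0 address, and show the corrected line if it does not.
# Assumed ezjail config syntax: export jail_<name>_ip="addr1,addr2,..."
# (each address may carry an "iface|" prefix, which is ignored here).

# jail_ip_list CONF NAME -> prints the quoted value of the jail's ip line
jail_ip_list() {
    sed -n "s/^export jail_$2_ip=\"\(.*\)\"/\1/p" "$1"
}

# jail_has_ip CONF NAME ADDR -> exit 0 if ADDR is in the jail's IP list
jail_has_ip() {
    # split on commas, drop any interface prefix, then require an exact match
    jail_ip_list "$1" "$2" | tr ',' '\n' | sed 's/^.*|//' | grep -qx "$3"
}

# fixed_ip_line CONF NAME ADDR -> prints the ip line with ADDR appended
fixed_ip_line() {
    list=$(jail_ip_list "$1" "$2")
    if [ -z "$list" ]; then
        printf 'export jail_%s_ip="%s"\n' "$2" "$3"
    else
        printf 'export jail_%s_ip="%s,%s"\n' "$2" "$list" "$3"
    fi
}

# Constructed sample config mirroring the thread: the jail only owns its lo1 alias
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
export jail_openvpn_hostname="openvpn"
export jail_openvpn_ip="172.16.1.8"
export jail_openvpn_rootdir="/usr/jails/openvpn"
EOF

if jail_has_ip "$SAMPLE_CONF" openvpn 10.8.0.1; then
    echo "jail openvpn already has 10.8.0.1"
else
    echo "jail openvpn cannot see 10.8.0.1; set this line and restart the jail:"
    fixed_ip_line "$SAMPLE_CONF" openvpn 10.8.0.1
fi
```

Run it against a real file by replacing `$SAMPLE_CONF` with the jail's config path under /usr/local/etc/ezjail/; after editing, `jls` on the host should list the new address for the jail.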