Date:      Fri, 23 Oct 2015 19:41:29 -0400
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-jail@freebsd.org
Subject:   Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID:  <562AC5A9.1090106@freebsd.org>
In-Reply-To: <VI1PR06MB103785F31B74EE8553929F48F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
References:  <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7147.5080002@freebsd.org> <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7F88.4070106@freebsd.org> <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A9772.5050408@freebsd.org> <VI1PR06MB1037C158EDC4CB4DB9A0E31AF9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A9D63.809@freebsd.org> <VI1PR06MB103785F31B74EE8553929F48F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>

On 2015-10-23 17:25, James Lodge wrote:
>
>> On 2015-10-23 16:45, James Lodge wrote:
>>
>>> On 2015-10-23 15:15, James Lodge wrote:
>>> On 2015-10-23 14:13, James Lodge wrote:
>>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>>> Hello all,
>>>>>
>>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to, but I'm having an issue with networking.
>>>>>
>>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>>
>>>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>>>
>>>>> 10.8.0.6          x.x.x.x                   172.16.1.8                              10.8.0.1
>>>>>
>>>>> OpenVPN Jail Routing Table:
>>>>>
>>>>> Internet:
>>>>> Destination        Gateway            Flags      Netif Expire
>>>>> 172.16.1.8         link#4             UH         lo1
>>>>>
>>>>> Jail Host Routing Table:
>>>>> Internet:
>>>>> Destination        Gateway            Flags      Netif Expire
>>>>> default            x.x.0.1            UGS        vtnet0
>>>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>>>> 10.8.0.1           link#5             UHS        lo0
>>>>> 10.8.0.2           link#5             UH         tun0
>>>>> x.x.0.0/18         link#1             U          vtnet0
>>>>> x.x.x.x            link#1             UHS        lo0
>>>>> localhost          link#3             UH         lo0
>>>>> 172.16.1.1         link#4             UH         lo1
>>>>> 172.16.1.2         link#4             UH         lo1
>>>>> 172.16.1.3         link#4             UH         lo1
>>>>> 172.16.1.4         link#4             UH         lo1
>>>>> 172.16.1.5         link#4             UH         lo1
>>>>> 172.16.1.6         link#4             UH         lo1
>>>>> 172.16.1.7         link#4             UH         lo1
>>>>> 172.16.1.8         link#4             UH         lo1
>>>>>
>>>>> Client Routing Table:
>>>>>
>>>>> IPv4 Route Table
>>>>> ===========================================================================
>>>>> Active Routes:
>>>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>>>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6     20
>>>>>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     20
>>>>>          10.8.0.4  255.255.255.252         On-link          10.8.0.6    276
>>>>>          10.8.0.6  255.255.255.255         On-link          10.8.0.6    276
>>>>>          10.8.0.7  255.255.255.255         On-link          10.8.0.6    276
>>>>>
>>>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>>>
>>>>> James
>>>>>
>>>>> _______________________________________________
>>>>> freebsd-jail@freebsd.org mailing list
>>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>>
>>>>
>>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the windows machine, and see if the packets are arriving.
>>>>>
>>>>> --
>>>>> Allan Jude
>>>>
>>>>
>>>> Thank you Allan,
>>>>
>>>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>>>
>>>> Results from Host tcpdump -i tun0 -n
>>>>
>>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>>
>>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>>>
>>>> Results from Jail tcpdump -i tun0 -n
>>>>
>>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>>
>>>>
>>>> Regards
>>>> James
>>>>
>>>>
>>>> Can you include the output of 'ifconfig' from inside the jail, and
>>>> 'netstat -rn'?
>>>>
>>>> It looks like the packets are reaching you on tun0
>>>>
>>>> --
>>>> Allan Jude
>>>
>>> ifconfig from Jail
>>> ----------------------
>>>
>>> vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         ether 04:01:5d:21:c3:01
>>>         media: Ethernet 10Gbase-T <full-duplex>
>>>         status: active
>>>
>>> vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         ether 04:01:5d:21:c3:02
>>>         media: Ethernet 10Gbase-T <full-duplex>
>>>         status: active
>>>
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>
>>> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>>>         inet 172.16.1.8 netmask 0xffffffff
>>>
>>> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>>         options=80000<LINKSTATE>
>>>         Opened by PID 9024
>>>
>>> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>>>
>>>
>>> netstat -rn from Jail
>>> ---------------------------
>>>
>>> Routing tables
>>>
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> 172.16.1.8         link#4             UH          lo1
>>>
>>>
>>> Regards
>>> James
>>>
>>>
>>>
>>>
>>>
>>>
>>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>>> addresses on tun0.
>>>
>>> Or, where are you expecting to receive the traffic?
>>>
>>> --
>>> Allan Jude
>>
>>
>> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
>>
>> ifconfig from host
>> _______________
>>
>>
>> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>>         options=80000<LINKSTATE>
>>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>>         nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
>>         Opened by PID 9024
>>
>> Regards
>> James
>>
>>
>>
>> Jails are only allowed to see the IP addresses that are defined for that
>> jail, so you need to add 10.8.0.1 to the list of IP addresses for that
>> jail. In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd ip
>> after the first, separated with a comma.
>>
>> --
>> Allan Jude
>
> Thanks Allan,
>
> You learn something new every day!
>
> So now ifconfig from jail
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>         options=80000<LINKSTATE>
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         Opened by PID 11132
>
> and after allowing ICMP through PF on the host I can now ping the tun0 from the client, so thank you very much for your help. One last thing you might be able to point me in the right direction on. I need to route client traffic on to the Internet. My understanding is IP forwarding can't be enabled within the jail and adding routes to the jail's routing table isn't possible either. I'm doing NAT at the host, but how do I get the traffic from inside the jail there?
>
> Regards
> James
>

You should be able to do:
sysrc gateway_enable="YES"

(temporarily: sysctl net.inet.ip.forwarding=1)

and that should allow packets to move between interfaces.

-- 
Allan Jude
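An added check script, not code from this thread or from ezjail, that verifies the two things the thread settled on: the address on the host's tun0 must appear in the jail's comma-separated ezjail IP list, and the host's net.inet.ip.forwarding sysctl must be 1. It assumes a jail named "openvpn" and ezjail's `export jail_<name>_ip="..."` line; the config lines and ifconfig output are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). On a real host, replace the constructed
# inputs with /usr/local/etc/ezjail/<jail_name>, `ifconfig tun0` and
# `sysctl -n net.inet.ip.forwarding`. Jail name "openvpn" is an assumption.

# Constructed ezjail config lines: before and after adding the second IP.
EZJAIL_BEFORE='export jail_openvpn_ip="172.16.1.8"'
EZJAIL_AFTER='export jail_openvpn_ip="172.16.1.8,10.8.0.1"'

# Constructed `ifconfig tun0` output, matching what the host showed.
IFCONFIG_TUN0='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
        Opened by PID 9024'

# Print the local inet address from ifconfig output ($1).
tun_addr() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2; exit }'
}

# Print the comma-separated IP list of jail $2 from ezjail config text ($1).
jail_ips() {
    printf '%s\n' "$1" | sed -n "s/^export jail_${2}_ip=\"\([^\"]*\)\".*/\1/p"
}

# Succeed if address $2 is one of the comma-separated entries in $1.
list_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Succeed if jail $2 (config text $1) is allowed the address on tun0 ($3).
check_jail_sees_tun() {
    addr=$(tun_addr "$3")
    [ -n "$addr" ] || { echo "tun0 has no inet address on the host"; return 2; }
    if list_has "$(jail_ips "$1" "$2")" "$addr"; then
        echo "ok: $addr is in jail_${2}_ip"; return 0
    fi
    echo "missing: add $addr to jail_${2}_ip (comma-separated)"; return 1
}

# Succeed if the sysctl value ($1) shows forwarding between interfaces is on.
forwarding_enabled() {
    [ "$1" = "1" ]
}

check_jail_sees_tun "$EZJAIL_BEFORE" openvpn "$IFCONFIG_TUN0" || true
check_jail_sees_tun "$EZJAIL_AFTER" openvpn "$IFCONFIG_TUN0" || true
forwarding_enabled 0 || echo "forwarding off: run sysrc gateway_enable=\"YES\""
```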

