From: James Lodge
To: freebsd-jail@freebsd.org
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 18:13:31 +0000
In-Reply-To: <562A7147.5080002@freebsd.org>
> On 2015-10-23 11:37, James Lodge wrote:
> Hello all,
>
> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to, but I'm having an issue with networking.
>
> The OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine, so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>
> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
> 10.8.06        x.x.x.x               172.16.1.8                      10.8.0.1
>
> OpenVPN Jail Routing Table:
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> 172.16.1.8         link#4             UH          lo1
>
> Jail Host Routing Table:
>
> Internet:
> Destination        Gateway            Flags     Netif Expire
> default            x.x.0.1            UGS      vtnet0
> 10.8.0.0           10.8.0.2           UGS        tun0
> 10.8.0.1           link#5             UHS         lo0
> 10.8.0.2           link#5             UH         tun0
> x.x.0.0/18         link#1             U        vtnet0
> x.x.x.x            link#1             UHS         lo0
> localhost          link#3             UH          lo0
> 172.16.1.1         link#4             UH          lo1
> 172.16.1.2         link#4             UH          lo1
> 172.16.1.3         link#4             UH          lo1
> 172.16.1.4         link#4             UH          lo1
> 172.16.1.5         link#4             UH          lo1
> 172.16.1.6         link#4             UH          lo1
> 172.16.1.7         link#4             UH          lo1
> 172.16.1.8         link#4             UH          lo1
>
> Client Routing Table:
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6      20
>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6      20
>          10.8.0.4  255.255.255.252         On-link          10.8.0.6     276
>          10.8.0.6  255.255.255.255         On-link          10.8.0.6     276
>          10.8.0.7  255.255.255.255         On-link          10.8.0.6     276
>
> I'm a little stumped as to how to troubleshoot the issue, so any help much appreciated.
>
> James
>
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>
> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
> windows machine, and see if the packets are arriving.
>
> --
> Allan Jude

Thank you Allan,

I should have thought of tcpdump. So traffic is being received at the host from the windows client.
Results from Host tcpdump -i tun0 -n

18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)

After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host: traffic is received.

Results from Jail tcpdump -i tun0 -n

19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)

Regards
James
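The next step after confirming with tcpdump that packets reach tun0 is to ask which route each observed destination would actually match in the routing tables posted earlier in the thread. The script below is an added example written for this page, not code from the thread or from FreeBSD; it parses `tcpdump -n` lines of the shape shown above and does a longest-prefix lookup against simplified copies of the jail and host tables. The sample packets are taken from the thread's output; the public network that the thread redacts as x.x.0.0/18 is replaced by a documentation-range placeholder, the 10.8.0.0 route is assumed to be a /24 (netstat printed it without a prefix), and the protocol of each line is inferred from tcpdump's text rather than decoded from a capture.

```python
"""Longest-prefix route lookup for the destinations seen in tcpdump output.

Added example, not code from the thread. It parses 'tcpdump -n' lines of the
shape posted above and simplified copies of the two routing tables, then
reports which route, if any, each observed destination would match in each
table. Sample data is constructed from the thread; prefix lengths that
netstat did not print are assumptions and are marked below.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample: four lines taken from the thread's tcpdump output.
TCPDUMP_SAMPLE = """\
18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
"""

# Placeholders for the public network the thread redacts as x.x.0.0/18 / x.x.0.1.
PUBLIC_NET = "203.0.113.0/24"   # placeholder (documentation range), not the real prefix
PUBLIC_GW = "203.0.113.1"       # placeholder


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str
    netif: str


def table(rows) -> List[Route]:
    """Build Route entries from (destination, gateway, netif) strings."""
    return [Route(ipaddress.ip_network(d), g, i) for d, g, i in rows]


# Jail table exactly as posted: one host route for its alias on lo1.
JAIL_TABLE = table([("172.16.1.8/32", "link#4", "lo1")])

# Host table from the thread. Assumption: the 10.8.0.0 route is a /24
# (netstat printed it without a prefix); "localhost" is written as 127.0.0.1.
HOST_TABLE = table([
    ("0.0.0.0/0", PUBLIC_GW, "vtnet0"),      # default
    ("10.8.0.0/24", "10.8.0.2", "tun0"),     # assumed /24
    ("10.8.0.1/32", "link#5", "lo0"),
    ("10.8.0.2/32", "link#5", "tun0"),
    (PUBLIC_NET, "link#1", "vtnet0"),
    ("127.0.0.1/32", "link#3", "lo0"),
] + [(f"172.16.1.{n}/32", "link#4", "lo1") for n in range(1, 9)])


class Flow(NamedTuple):
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def _split_endpoint(token: str):
    """'10.8.0.6.56054' -> ('10.8.0.6', 56054); '10.8.0.1' -> ('10.8.0.1', None)."""
    if token.count(".") == 4:
        host, port = token.rsplit(".", 1)
        return host, int(port)
    return token, None


def parse_tcpdump(text: str) -> List[Flow]:
    """Parse IPv4 'tcpdump -n' lines. Protocol is inferred from the payload
    text: 'ICMP' for ICMP, 'Flags [' for TCP, otherwise UDP (tcpdump prints
    UDP DNS queries without a protocol keyword)."""
    flows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        src, sport = _split_endpoint(m.group(1))
        dst, dport = _split_endpoint(m.group(2))
        rest = m.group(3)
        proto = "icmp" if rest.startswith("ICMP") else "tcp" if "Flags [" in rest else "udp"
        flows.append(Flow(proto, src, sport, dst, dport))
    return flows


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def route_report(text: str, tables: dict):
    """For each parsed flow, the route its destination hits in each named table."""
    return [(f, {name: lookup(t, f.dst) for name, t in tables.items()})
            for f in parse_tcpdump(text)]


if __name__ == "__main__":
    for flow, hit in route_report(TCPDUMP_SAMPLE, {"host": HOST_TABLE, "jail": JAIL_TABLE}):
        print(f"{flow.proto:4} {flow.src} -> {flow.dst}:{flow.dport}")
        for name, r in hit.items():
            print(f"    {name:4}: " + (f"{r.net} via {r.gateway} on {r.netif}" if r else "no matching route"))
```

Run it as-is to see, for every destination the client was trying to reach, which host route (the /32 on lo0 for 10.8.0.1, the default via vtnet0 for the others) would carry it, and that the jail's own table as posted matches none of them. Swapping the constructed tables for the output of `netstat -rn` on a live system turns this into a quick check of whether return traffic has any route back toward tun0 before you look further at forwarding or firewall settings.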