Date:      Fri, 23 Oct 2015 14:42:16 -0400
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-jail@freebsd.org
Subject:   Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID:  <562A7F88.4070106@freebsd.org>
In-Reply-To: <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
References:  <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7147.5080002@freebsd.org> <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com>


On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>
>>
>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>
>> 10.8.06          x.x.x.x                   172.16.1.8                              10.8.0.1
>>
>>
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> 172.16.1.8         link#4             UH          lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags      Netif Expire
>> default            x.x.0.1         UGS      vtnet0
>> 10.8.0.0           10.8.0.2           UGS        tun0
>> 10.8.0.1              link#5             UHS         lo0
>> 10.8.0.2              link#5             UH         tun0
>> x.x.0.0/18          link#1             U        vtnet0
>> x.x.x.x                 link#1             UHS         lo0
>> localhost            link#3             UH          lo0
>> 172.16.1.1         link#4             UH          lo1
>> 172.16.1.2         link#4             UH          lo1
>> 172.16.1.3         link#4             UH          lo1
>> 172.16.1.4         link#4             UH          lo1
>> 172.16.1.5         link#4             UH          lo1
>> 172.16.1.6         link#4             UH          lo1
>> 172.16.1.7         link#4             UH          lo1
>> 172.16.1.8         link#4             UH          lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6     20
>>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6     20
>>          10.8.0.4  255.255.255.252         On-link          10.8.0.6    276
>>          10.8.0.6  255.255.255.255         On-link          10.8.0.6    276
>>          10.8.0.7  255.255.255.255         On-link          10.8.0.6    276
>>
>>
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>
>>
>> James
>>
>>
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
>
> Regards
> James

Can you include the output of 'ifconfig' from inside the jail, and
'netstat -rn'?

It looks like the packets are reaching you on tun0.

--
Allan Jude

