From owner-freebsd-jail@freebsd.org Fri Oct 23 18:42:14 2015
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
To: freebsd-jail@freebsd.org
From: Allan Jude <allanjude@freebsd.org>
Date: Fri, 23 Oct 2015 14:42:16 -0400
Message-ID: <562A7F88.4070106@freebsd.org>
References: <562A7147.5080002@freebsd.org>
List-Id: "Discussion about FreeBSD jail(8)"

On 2015-10-23 14:13, James Lodge wrote:
>> On 2015-10-23 11:37, James Lodge wrote:
>> Hello all,
>>
>>
>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to, but I'm having an issue with networking.
>>
>>
>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>
>>
>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>> 10.8.06        x.x.x.x             172.16.1.8                       10.8.0.1
>>
>>
>>
>> OpenVPN Jail Routing Table:
>>
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> 172.16.1.8         link#4             UH          lo1
>>
>> Jail Host Routing Table:
>> Internet:
>> Destination        Gateway            Flags     Netif Expire
>> default            x.x.0.1            UGS      vtnet0
>> 10.8.0.0           10.8.0.2           UGS        tun0
>> 10.8.0.1           link#5             UHS         lo0
>> 10.8.0.2           link#5             UH         tun0
>> x.x.0.0/18         link#1             U        vtnet0
>> x.x.x.x            link#1             UHS         lo0
>> localhost          link#3             UH          lo0
>> 172.16.1.1         link#4             UH          lo1
>> 172.16.1.2         link#4             UH          lo1
>> 172.16.1.3         link#4             UH          lo1
>> 172.16.1.4         link#4             UH          lo1
>> 172.16.1.5         link#4             UH          lo1
>> 172.16.1.6         link#4             UH          lo1
>> 172.16.1.7         link#4             UH          lo1
>> 172.16.1.8         link#4             UH          lo1
>>
>> Client Routing Table:
>>
>> IPv4 Route Table
>> ===========================================================================
>> Active Routes:
>> Network Destination        Netmask          Gateway       Interface  Metric
>>           0.0.0.0          0.0.0.0         10.8.0.5       10.8.0.6      20
>>          10.8.0.1  255.255.255.255         10.8.0.5       10.8.0.6      20
>>          10.8.0.4  255.255.255.252         On-link        10.8.0.6     276
>>          10.8.0.6  255.255.255.255         On-link        10.8.0.6     276
>>          10.8.0.7  255.255.255.255         On-link        10.8.0.6     276
>>
>>
>>
>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>
>>
>> James
>>
>>
>>
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>
>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>> windows machine, and see if the packets are arriving.
>>
>> --
>> Allan Jude
>
>
> Thank you Allan,
>
> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>
> Results from Host tcpdump -i tun0 -n
>
> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>
> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>
> Results from Jail tcpdump -i tun0 -n
>
> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>
>
> Regards
> James

Can you include the output of 'ifconfig' from inside the jail, and 'netstat -rn'?

It looks like the packets are reaching you on tun0.

--
Allan Jude
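As an added diagnostic (not code from the thread or from any of its participants), the script below parses FreeBSD `netstat -rn` tables and tcpdump lines modelled on the ones quoted above, then does a longest-prefix lookup to show which table can route a reply back to the client 10.8.0.6, which is the question Allan's `netstat -rn` request is driving at. It assumes the host's `10.8.0.0` route is a /24 and uses placeholder public addresses.

```python
import ipaddress
import re

# Constructed sample input modelled on the tables quoted in this thread. Public
# addresses are placeholders (203.0.113.x); writing the OpenVPN subnet route as
# /24 is an assumption (the quoted output shows only "10.8.0.0").
HOST_TABLE = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS      vtnet0
10.8.0.0/24        10.8.0.2           UGS        tun0
10.8.0.2           link#5             UH         tun0
203.0.113.0/24     link#1             U        vtnet0
172.16.1.8         link#4             UH          lo1
"""
JAIL_TABLE = """\
172.16.1.8         link#4             UH          lo1
"""
# Two of the quoted tcpdump lines, used here as constructed sample input.
TCPDUMP = """\
18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, length 0
"""

def parse_netstat(text):
    """Parse FreeBSD 'netstat -rn' lines into (network, gateway, flags, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, gw, flags, netif = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dest:
            net = ipaddress.ip_network(dest, strict=False)
        else:
            net = ipaddress.ip_network(dest + "/32")  # no prefix: host route (H flag)
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst; None means the kernel has no route back."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def unroutable_sources(routes, tcpdump_text):
    """Source addresses seen on the wire that this table cannot reply to."""
    srcs = {".".join(s.split(".")[:4])  # drop the port tcpdump appends
            for s, _ in re.findall(r"IP (\S+) > (\S+):", tcpdump_text)}
    return {h for h in srcs if lookup(routes, h) is None}
```

Run against the host table every source is routable via tun0; run against the jail table as quoted (a single lo1 host route and no default), 10.8.0.6 comes back as unroutable, which is exactly the asymmetry a `tcpdump` showing inbound packets but no replies would suggest.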