From: Allan Jude <allanjude@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Date: Fri, 23 Oct 2015 16:49:39 -0400
Message-ID: <562A9D63.809@freebsd.org>
References: <562A7147.5080002@freebsd.org> <562A7F88.4070106@freebsd.org> <562A9772.5050408@freebsd.org>
List-Id: "Discussion about FreeBSD jail(8)"

On 2015-10-23 16:45, James Lodge wrote:
> 
>> On 2015-10-23 15:15, James Lodge wrote:
>> On 2015-10-23 14:13, James Lodge wrote:
>>>> On 2015-10-23 11:37, James Lodge wrote:
>>>> Hello all,
>>>>
>>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to, but I'm having an issue with networking.
>>>>
>>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>>
>>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>>
>>>> 10.8.06          x.x.x.x            172.16.1.8                        10.8.0.1
>>>>
>>>> OpenVPN Jail Routing Table:
>>>>
>>>> Internet:
>>>> Destination        Gateway       Flags   Netif Expire
>>>> 172.16.1.8         link#4        UH      lo1
>>>>
>>>> Jail Host Routing Table:
>>>> Internet:
>>>> Destination        Gateway       Flags   Netif Expire
>>>> default            x.x.0.1       UGS     vtnet0
>>>> 10.8.0.0           10.8.0.2      UGS     tun0
>>>> 10.8.0.1           link#5        UHS     lo0
>>>> 10.8.0.2           link#5        UH      tun0
>>>> x.x.0.0/18         link#1        U       vtnet0
>>>> x.x.x.x            link#1        UHS     lo0
>>>> localhost          link#3        UH      lo0
>>>> 172.16.1.1         link#4        UH      lo1
>>>> 172.16.1.2         link#4        UH      lo1
>>>> 172.16.1.3         link#4        UH      lo1
>>>> 172.16.1.4         link#4        UH      lo1
>>>> 172.16.1.5         link#4        UH      lo1
>>>> 172.16.1.6         link#4        UH      lo1
>>>> 172.16.1.7         link#4        UH      lo1
>>>> 172.16.1.8         link#4        UH      lo1
>>>>
>>>> Client Routing Table:
>>>>
>>>> IPv4 Route Table
>>>> ===========================================================================
>>>> Active Routes:
>>>> Network Destination        Netmask          Gateway       Interface  Metric
>>>>           0.0.0.0          0.0.0.0         10.8.0.5       10.8.0.6      20
>>>>          10.8.0.1  255.255.255.255         10.8.0.5       10.8.0.6      20
>>>>          10.8.0.4  255.255.255.252         On-link        10.8.0.6     276
>>>>          10.8.0.6  255.255.255.255         On-link        10.8.0.6     276
>>>>          10.8.0.7  255.255.255.255         On-link        10.8.0.6     276
>>>>
>>>> I'm a little stumped as to how to troubleshoot the issue, so any help much appreciated.
>>>>
>>>> James
>>>>
>>>> _______________________________________________
>>>> freebsd-jail@freebsd.org mailing list
>>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>>
>>>
>>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>>> Windows machine, and see if the packets are arriving.
>>>>
>>>> --
>>>> Allan Jude
>>>
>>>
>>> Thank you Allan,
>>>
>>> I should have thought of tcpdump. So traffic is being received at the host from the Windows client.
>>>
>>> Results from Host tcpdump -i tun0 -n
>>>
>>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>>
>>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host: traffic is received.
>>>
>>> Results from Jail tcpdump -i tun0 -n
>>>
>>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>>
>>> Regards
>>> James
>>>
>>>
>>> Can you include the output of 'ifconfig' from inside the jail, and
>>> 'netstat -rn'?
>>>
>>> It looks like the packets are reaching you on tun0.
>>>
>>> --
>>> Allan Jude
>>
>> ifconfig from Jail
>> ----------------------
>>
>> vtnet0: flags=8843 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:01
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> vtnet1: flags=8802 metric 0 mtu 1500
>>         options=6c03bb
>>         ether 04:01:5d:21:c3:02
>>         media: Ethernet 10Gbase-T
>>         status: active
>>
>> lo0: flags=8049 metric 0 mtu 16384
>>         options=600003
>>
>> lo1: flags=8049 metric 0 mtu 16384
>>         options=600003
>>         inet 172.16.1.8 netmask 0xffffffff
>>
>> tun0: flags=8051 metric 0 mtu 1500
>>         options=80000
>>         Opened by PID 9024
>>
>> pflog0: flags=141 metric 0 mtu 33160
>>
>>
>> netstat -rn from Jail
>> ---------------------------
>>
>> Routing tables
>>
>> Internet:
>> Destination        Gateway       Flags   Netif Expire
>> 172.16.1.8         link#4        UH      lo1
>>
>>
>> Regards
>> James
>>
>>
>> Look at 'jls' on the host, as your jail doesn't seem to have any IP
>> addresses on tun0.
>>
>> Or, where are you expecting to receive the traffic?
>>
>> --
>> Allan Jude
> 
> 
> I expect the traffic to be received within the jail. I find it strange that I don't see the same IP address as what I see on the host. Could this be a devfs rule issue? What should I be looking for with jls?
> 
> ifconfig from host
> _______________
> 
> tun0: flags=8051 metric 0 mtu 1500
>         options=80000
>         inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff
>         nd6 options=29
>         Opened by PID 9024
> 
> Regards
> James
> 

Jails are only allowed to see the IP addresses that are defined for that
jail, so you need to add 10.8.0.1 to the list of IP addresses for that
jail.

In ezjail, edit /usr/local/etc/ezjail/jail_name and add the 2nd IP after
the first, separated with a comma.

-- 
Allan Jude
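An added example (not code from the thread, from ezjail or from Allan) of the edit described in the reply above, as shell helpers: read the jail's IP list from its ezjail config, check whether the tun0 address is already listed, and append it comma-separated after the existing entry if not. The config file name, the jail name `openvpn` and the `iface|address` entry form are assumptions based on ezjail's config conventions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ezjail itself.
# Helpers for the IP list in an ezjail config file
# (/usr/local/etc/ezjail/<jailname>), assumed to hold a line of the form
#   export jail_<jailname>_ip="lo1|172.16.1.8"
# The "iface|addr" prefix form is assumed from ezjail's documented syntax.

# Print the comma-separated IP list for jail $2 from config file $1.
ezjail_ip_list() {
    sed -n "s/^export jail_$2_ip=\"\(.*\)\"/\1/p" "$1"
}

# Exit 0 if address $3 (with or without an "iface|" prefix) is listed for
# jail $2 in config file $1. This list is what the jail may bind and see,
# so a tun0 address missing here is why traffic on tun0 never reaches it.
jail_has_ip() {
    ezjail_ip_list "$1" "$2" | tr ',' '\n' | sed 's/^[^|]*|//' | grep -qxF "$3"
}

# Append "$3|$4" to the list for jail $2 in config file $1, after the
# existing entries and separated by a comma, unless $4 is already listed.
# A .bak copy of the config is left beside the original.
jail_add_ip() {
    jail_has_ip "$1" "$2" "$4" && return 0
    sed -i.bak "s/^\(export jail_$2_ip=\"[^\"]*\)\"/\1,$3|$4\"/" "$1"
}

# Demo on a constructed config resembling the setup in the thread.
demo() {
    cfg=$(mktemp) || return 1
    printf 'export jail_openvpn_hostname="openvpn"\n' > "$cfg"
    printf 'export jail_openvpn_ip="lo1|172.16.1.8"\n' >> "$cfg"
    jail_add_ip "$cfg" openvpn tun0 10.8.0.1
    ezjail_ip_list "$cfg" openvpn      # lo1|172.16.1.8,tun0|10.8.0.1
    rm -f "$cfg" "$cfg.bak"
}

demo
```

After changing the list, the jail has to be restarted for the new address to take effect, and `jls` on the host should then show 10.8.0.1 alongside 172.16.1.8.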