Date: Fri, 23 Oct 2015 16:24:18 -0400
From: Allan Jude <allanjude@freebsd.org>
To: freebsd-jail@freebsd.org
Subject: Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID: <562A9772.5050408@freebsd.org>
In-Reply-To: <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
References: <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
    <562A7147.5080002@freebsd.org>
    <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
    <562A7F88.4070106@freebsd.org>
    <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>

On 2015-10-23 15:15, James Lodge wrote:
> On 2015-10-23 14:13, James Lodge wrote:
>>> On 2015-10-23 11:37, James Lodge wrote:
>>> Hello all,
>>>
>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>>>
>>> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>>>
>>> Client---------public IP --------- lo1 (Jail alias Interface)------tun0 (OpenVPN Interface)
>>>
>>> 10.8.06        x.x.x.x             172.16.1.8                      10.8.0.1
>>>
>>> OpenVPN Jail Routing Table:
>>>
>>> Internet:
>>> Destination        Gateway            Flags     Netif    Expire
>>> 172.16.1.8         link#4             UH        lo1
>>>
>>> Jail Host Routing Table:
>>> Internet:
>>> Destination        Gateway            Flags     Netif    Expire
>>> default            x.x.0.1            UGS       vtnet0
>>> 10.8.0.0           10.8.0.2           UGS       tun0
>>> 10.8.0.1           link#5             UHS       lo0
>>> 10.8.0.2           link#5             UH        tun0
>>> x.x.0.0/18         link#1             U         vtnet0
>>> x.x.x.x            link#1             UHS       lo0
>>> localhost          link#3             UH        lo0
>>> 172.16.1.1         link#4             UH        lo1
>>> 172.16.1.2         link#4             UH        lo1
>>> 172.16.1.3         link#4             UH        lo1
>>> 172.16.1.4         link#4             UH        lo1
>>> 172.16.1.5         link#4             UH        lo1
>>> 172.16.1.6         link#4             UH        lo1
>>> 172.16.1.7         link#4             UH        lo1
>>> 172.16.1.8         link#4             UH        lo1
>>>
>>> Client Routing Table:
>>>
>>> IPv4 Route Table
>>> ===========================================================================
>>> Active Routes:
>>> Network Destination  Netmask          Gateway    Interface  Metric
>>> 0.0.0.0              0.0.0.0          10.8.0.5   10.8.0.6   20
>>> 10.8.0.1             255.255.255.255  10.8.0.5   10.8.0.6   20
>>> 10.8.0.4             255.255.255.252  On-link    10.8.0.6   276
>>> 10.8.0.6             255.255.255.255  On-link    10.8.0.6   276
>>> 10.8.0.7             255.255.255.255  On-link    10.8.0.6   276
>>>
>>> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>>>
>>> James
>>>
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"
>>>
>>> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
>>> windows machine, and see if the packets are arriving.
>>>
>>> --
>>> Allan Jude
>>
>> Thank you Allan,
>>
>> I should have thought of tcpdump. So traffic is being received at the host from the windows client.
>>
>> Results from Host tcpdump -i tun0 -n
>>
>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
>>
>> After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host, traffic is received.
>>
>> Results from Jail tcpdump -i tun0 -n
>>
>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
>>
>> Regards
>> James
>>
>> Can you include the output of 'ifconfig' from inside the jail?, and 'netstat -rn'
>>
>> It looks like the packets are reaching you on tun0
>>
>> --
>> Allan Jude
>
> ifconfig from Jail
> ----------------------
>
> vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether 04:01:5d:21:c3:01
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>
> vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether 04:01:5d:21:c3:02
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>         inet 172.16.1.8 netmask 0xffffffff
>
> tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>         options=80000<LINKSTATE>
>         Opened by PID 9024
>
> pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>
> netstat -rn from Jail
> ---------------------------
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Netif    Expire
> 172.16.1.8         link#4             UH        lo1
>
> Regards
> James
>

Look at 'jls' on the host, as your jail doesn't seem to have any IP
addresses on tun0. Or, where are you expecting to receive the traffic?

--
Allan Jude

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?562A9772.5050408>
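
Added example (not part of the original message): the final reply notes that the jail's view shows no IP address on tun0. The sh/awk helper below, with the hypothetical name `up_without_inet`, lists every interface that is UP but has no `inet` line in an `ifconfig` dump; it is run here on an abridged copy of the jail output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: read ifconfig output on stdin and print
# every interface that is UP but has no IPv4 ("inet") address in that view.
up_without_inet() {
    awk '
        # A stanza starts in column 1: "name: flags=NNNN<FLAG,FLAG,...> ..."
        /^[a-z][a-z0-9_.]*: flags=/ {
            if (name != "" && up && !has_inet) print name
            name = $1; sub(/:$/, "", name)
            flags = $2
            sub(/^[^<]*</, "", flags); sub(/>.*$/, "", flags)
            up = (("," flags ",") ~ /,UP,/)
            has_inet = 0
            next
        }
        # Indented "inet a.b.c.d ..." lines belong to the current stanza.
        /^[ \t]+inet / { has_inet = 1 }
        END { if (name != "" && up && !has_inet) print name }
    '
}

# Jail-side ifconfig output from the thread, abridged (options/ether/media
# lines dropped); the indentation is reconstructed.
jail_ifconfig() {
    cat <<'EOF'
vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active
vtnet1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 172.16.1.8 netmask 0xffffffff
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        Opened by PID 9024
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
EOF
}

# tun0 appears in the result; lo1, the only interface with an address, does not.
jail_ifconfig | up_without_inet
```

On a live system the same function can be fed `ifconfig` output taken inside the jail, and the result compared with the addresses `jls` lists for that jail on the host.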