Site Navigation

Date:      Fri, 23 Oct 2015 16:24:18 -0400
From:      Allan Jude <allanjude@freebsd.org>
To:        freebsd-jail@freebsd.org
Subject:   Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID:  <562A9772.5050408@freebsd.org>
In-Reply-To: <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
References:  <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7147.5080002@freebsd.org> <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com> <562A7F88.4070106@freebsd.org> <VI1PR06MB1037DEF140BB605358BB8616F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--aMxhkOF2U1i6Kdv5avLw1FFlnpgQQGs28
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

On 2015-10-23 15:15, James Lodge wrote:
> On 2015-10-23 14:13, James Lodge wrote:
>>> On 2015-10-23 11:37, James Lodge wrote:
>>> Hello all,
>>>
>>>
>>> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to r=
un OpenVPN. I'm not using vimage and don't particularly want to but I'm h=
aving an issue with networking.
>>>
>>>
>>> OpenVPN daemon is up and running and I can connect successfully as a =
client. I receive an IP address as expected, but I cannot route traffic t=
o/from client/server. The routing table on the client (which is a Windows=
 machine) looks fine so I assume the issue is on the server side. I have =
a tun interface created on the host and exposed to the jail via devfs rul=
es. The IP address on the tun interface is configure on the host and not =
from the jail. I can ping the tun interface IP from the host and the jail=
, but not from the client when connected.
>>>
>>>
>>> Client---------public IP --------- lo1 (Jail alias Interface)------tu=
n0 (OpenVPN Interface)
>>>
>>> 10.8.06          x.x.x.x                   172.16.1.8                =
              10.8.0.1
>>>
>>>
>>>
>>> OpenVPN Jail Routing Table:
>>>
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> 172.16.1.8         link#4             UH          lo1
>>>
>>> Jail Host Routing Table:
>>> Internet:
>>> Destination        Gateway            Flags      Netif Expire
>>> default            x.x.0.1         UGS      vtnet0
>>> 10.8.0.0           10.8.0.2           UGS        tun0
>>> 10.8.0.1              link#5             UHS         lo0
>>> 10.8.0.2              link#5             UH         tun0
>>> x.x.0.0/18          link#1             U        vtnet0
>>> x.x.x.x                 link#1             UHS         lo0
>>> localhost            link#3             UH          lo0
>>> 172.16.1.1         link#4             UH          lo1
>>> 172.16.1.2         link#4             UH          lo1
>>> 172.16.1.3         link#4             UH          lo1
>>> 172.16.1.4         link#4             UH          lo1
>>> 172.16.1.5         link#4             UH          lo1
>>> 172.16.1.6         link#4             UH          lo1
>>> 172.16.1.7         link#4             UH          lo1
>>> 172.16.1.8         link#4             UH          lo1
>>>
>>> Client Routing Table:
>>>
>>> IPv4 Route Table
>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D
>>> Active Routes:
>>> Network Destination        Netmask          Gateway       Interface  =
Metric
>>>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6 =
    20
>>>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6 =
    20
>>>          10.8.0.4  255.255.255.252         On-link          10.8.0.6 =
   276
>>>          10.8.0.6  255.255.255.255         On-link          10.8.0.6 =
   276
>>>          10.8.0.7  255.255.255.255         On-link          10.8.0.6 =
   276
>>>
>>>
>>>
>>> I'm a little stumped as to how to trouble shoot the issue so any help=
 much appreciated.
>>>
>>>
>>> James
>>>
>>>
>>>
>>> _______________________________________________
>>> freebsd-jail@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.or=
g"
>>>
>>
>>> Try running 'tcpdump -i tun0 -n' on the host, while pining from the
>>> windows machine, and see if the packets are arriving.
>>>
>>> --
>>> Allan Jude
>>
>>
>> Thank you Allan,
>>
>> I should have thought of tcpdump. So traffic is being received at the =
host from the windows client.
>>
>> Results from Host tcpdump -i tun0 -n
>>
>> 18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 1=
0577, length 40
>> 18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 5=
12633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
>> 18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi=
=2Ecom. (34)
>> 18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi=
=2Ecom. (34)
>>
>> After that I thought I'd see if the traffic is reaching the jail. Afte=
r allow the jail access to /dev/bpf I get the same results as the host, t=
raffic is received.
>>
>> Results from Jail tcpdump -i tun0 -n
>>
>> 19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi=
=2Ecom. (34)
>> 19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi=
=2Ecom. (34)
>> 19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi=
=2Ecom. (34)
>> 19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3=
139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], leng=
th 0
>> 19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4=
152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], leng=
th 0
>> 19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3=
107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
>> 19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi=
=2Ecom. (34)
>>
>>
>> Regards
>> James
>> _______________________________________________
>> freebsd-jail@freebsd.org mailing list
>> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
>> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org=
"
>>
>>
>> Can you include the output of 'ifconfig' from inside the jail?, and
>> 'netstat -rn'
>>
>> It looks like the packets are reaching you on tun0
>>
>> --
>> Allan Jude
>=20
> ifconfig from Jail
> ----------------------
>=20
> vtnet0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 m=
tu 1500
>   options=3D6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN=
_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether 04:01:5d:21:c3:01
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>=20
> vtnet1: flags=3D8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=3D6c03bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MT=
U,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
>         ether 04:01:5d:21:c3:02
>         media: Ethernet 10Gbase-T <full-duplex>
>         status: active
>=20
> lo0: flags=3D8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3D600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>=20
> lo1: flags=3D8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>         options=3D600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>         inet 172.16.1.8 netmask 0xffffffff
>=20
> tun0: flags=3D8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
>         options=3D80000<LINKSTATE>
>         Opened by PID 9024
>=20
> pflog0: flags=3D141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>=20
>=20
> netstat -rn from Jail
> ---------------------------
>=20
> Routing tables
>=20
> Internet:
> Destination        Gateway            Flags      Netif Expire
> 172.16.1.8         link#4             UH          lo1
>=20
>=20
> Regards
> James
>=20
>=20
>=20
>=20
> _______________________________________________
> freebsd-jail@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-jail
> To unsubscribe, send any mail to "freebsd-jail-unsubscribe@freebsd.org"=

>=20

Look at 'jls' on the host, as your jail doesn't seem to have any IP
addresses on tun0.

Or, where are you expecting to receive the traffic?

--=20
Allan Jude


--aMxhkOF2U1i6Kdv5avLw1FFlnpgQQGs28
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJWKpdyAAoJEBmVNT4SmAt+fMwQAIF9p3LusuNbsUOWzuX8fA3Y
mIzfgs+FfT5rWPu3B0LDrriCGV4opTuskpt7Av4T8z0RFA8pL8MKdBGM2/aEVOZb
A6FJZDjgyu1HIPKiioo6ATHQqx/tNhZw8KT+LRZ0lOROckmZOCBDhvaZ3WF14rgZ
jkbn2ZAWmShxp0YHumJmdwAvZKvQ1qJbvmz937WSe7LFV9YANsar2cPklhbYTykL
8+qx2QQt1H3H4o5X2pVZfMgFAuNRr/Jc4tZjg/n2yfLVMOIdTPUU4lfiiyZ4o4TA
l96K2VU7zV5lq1MgqB+/cZTVUnJ1kVGXDS7yBsB3oMAcrSGy6TxUg59HcZhZry/t
YvqquZxaXrT1woeQLWrGjn7X1pnttAHMxzplFEdmhVkPpi5aTMChzv0HhD/R47Tq
cICFyeAcqrHx6zzhmYzavVin0BEqwFaOhOYetFMt72SbXy08IKhEVsb0I8Qc3QA4
rVn37b4C3TzfDBdsXjJKtFcKwcNYY6Wglkf38N+FTgnUTwNrW7V51OtHaKs7TrI7
oJhiG7mAt8VYO9BqAjvBavwzjbnYHX2VEusQbyLm2ZgeZRMMXb3DTMG9o3ZjWhH7
6M5/fL/2YvmOU85SiJ/wZ2FGJTuR1AZNwPkT/7M86Oi0/59ZxwavGZ5T0dSyxIKr
/woex2gUDVRVZupGKAl/
=dLvY
-----END PGP SIGNATURE-----

--aMxhkOF2U1i6Kdv5avLw1FFlnpgQQGs28--

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?562A9772.5050408>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact