Date:      Fri, 23 Oct 2015 18:13:31 +0000
From:      James Lodge <James@Lodge.me.uk>
To:        "freebsd-jail@freebsd.org" <freebsd-jail@freebsd.org>
Subject:   Re: Freebsd 10.1 - Ezjail - OpenVPN - Tun Interface
Message-ID:  <VI1PR06MB1037CEABEFFBDA95CAF7691BF9260@VI1PR06MB1037.eurprd06.prod.outlook.com>
In-Reply-To: <562A7147.5080002@freebsd.org>
References:  <VI1PR06MB1037B08D9BEB7B207C602F43F9260@VI1PR06MB1037.eurprd06.prod.outlook.com>, <562A7147.5080002@freebsd.org>

> On 2015-10-23 11:37, James Lodge wrote:
> Hello all,
>
> I'm trying to build a jail on FreeBSD 10.1 using ezjail in order to run OpenVPN. I'm not using vimage and don't particularly want to but I'm having an issue with networking.
>
> OpenVPN daemon is up and running and I can connect successfully as a client. I receive an IP address as expected, but I cannot route traffic to/from client/server. The routing table on the client (which is a Windows machine) looks fine so I assume the issue is on the server side. I have a tun interface created on the host and exposed to the jail via devfs rules. The IP address on the tun interface is configured on the host and not from the jail. I can ping the tun interface IP from the host and the jail, but not from the client when connected.
>
> Client --------- public IP --------- lo1 (Jail alias Interface) ------ tun0 (OpenVPN Interface)
> 10.8.0.6         x.x.x.x             172.16.1.8                        10.8.0.1
>
> OpenVPN Jail Routing Table:
>
> Internet:
> Destination        Gateway            Flags      Netif Expire
> 172.16.1.8         link#4             UH          lo1
>
> Jail Host Routing Table:
>
> Internet:
> Destination        Gateway            Flags      Netif Expire
> default            x.x.0.1            UGS      vtnet0
> 10.8.0.0           10.8.0.2           UGS        tun0
> 10.8.0.1           link#5             UHS         lo0
> 10.8.0.2           link#5             UH         tun0
> x.x.0.0/18         link#1             U        vtnet0
> x.x.x.x            link#1             UHS         lo0
> localhost          link#3             UH          lo0
> 172.16.1.1         link#4             UH          lo1
> 172.16.1.2         link#4             UH          lo1
> 172.16.1.3         link#4             UH          lo1
> 172.16.1.4         link#4             UH          lo1
> 172.16.1.5         link#4             UH          lo1
> 172.16.1.6         link#4             UH          lo1
> 172.16.1.7         link#4             UH          lo1
> 172.16.1.8         link#4             UH          lo1
>
> Client Routing Table:
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>           0.0.0.0          0.0.0.0         10.8.0.5         10.8.0.6      20
>          10.8.0.1  255.255.255.255         10.8.0.5         10.8.0.6      20
>          10.8.0.4  255.255.255.252         On-link          10.8.0.6     276
>          10.8.0.6  255.255.255.255         On-link          10.8.0.6     276
>          10.8.0.7  255.255.255.255         On-link          10.8.0.6     276
>
> I'm a little stumped as to how to troubleshoot the issue so any help much appreciated.
>
> James
>

> Try running 'tcpdump -i tun0 -n' on the host, while pinging from the
> windows machine, and see if the packets are arriving.
>
> --
> Allan Jude


Thank you Allan,

I should have thought of tcpdump. So traffic is being received at the host from the windows client.

Results from host tcpdump -i tun0 -n:

18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)

After that I thought I'd see if the traffic is reaching the jail. After allowing the jail access to /dev/bpf I get the same results as the host: traffic is received.

Results from jail tcpdump -i tun0 -n:

19:09:11.899714 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
19:09:12.728708 IP 10.8.0.6.62332 > 8.8.8.8.53: 22238+ A? dns.msftncsi.com. (34)
19:09:12.802903 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)
19:09:13.825053 IP 10.8.0.6.57107 > 212.56.71.30.443: Flags [S], seq 3139281876, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
19:09:13.981307 IP 10.8.0.6.57108 > 212.56.71.30.443: Flags [S], seq 4152048904, win 8192, options [mss 1368,nop,wscale 8,nop,nop,sackOK], length 0
19:09:14.628697 IP 10.8.0.6.57100 > 192.168.0.112.80: Flags [S], seq 3107463099, win 65535, options [mss 1368,nop,nop,sackOK], length 0
19:09:14.814392 IP 10.8.0.6.58706 > 8.8.8.8.53: 33345+ A? dns.msftncsi.com. (34)


Regards
James
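Both captures above show only packets from the client and never a reply, which is the thing worth checking mechanically before chasing routes. As an added example (written here, not code from the thread or from FreeBSD), this Python script parses the text that `tcpdump -i tun0 -n` prints and lists the flows that never see a packet in the reverse direction; the embedded sample is the host-side capture James posted.

```python
# Added example (not from the thread): find one-way flows in the text
# that `tcpdump -i tun0 -n` prints. Requests that never see a reverse
# packet are exactly the "traffic arrives, nothing answers" symptom.
import re
from collections import Counter

IP4 = r"\d+\.\d+\.\d+\.\d+"
# tcpdump -n line: "HH:MM:SS.usec IP src[.sport] > dst[.dport]: rest"
LINE_RE = re.compile(
    rf"^\d\d:\d\d:\d\d\.\d+ IP (?P<src>{IP4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IP4})(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def parse_line(line):
    """Return (src, sport, dst, dport, proto) or None for non-IP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ICMP"):
        proto = "icmp"
    elif rest.startswith("Flags ["):
        proto = "tcp"
    else:
        proto = "udp"  # with -n, DNS lines carry no protocol word
    # Ports are "" (not None) so flow tuples stay sortable.
    return (m["src"], m["sport"] or "", m["dst"], m["dport"] or "", proto)

def one_way_flows(lines):
    """Flows seen in one direction only, as {flow_tuple: packet_count}."""
    seen = Counter(f for f in map(parse_line, lines) if f)
    unanswered = {}
    for (src, sport, dst, dport, proto), n in seen.items():
        if (dst, dport, src, sport, proto) not in seen:
            unanswered[(src, sport, dst, dport, proto)] = n
    return unanswered

# Sample input: the host-side capture quoted in the thread above.
SAMPLE_CAPTURE = """\
18:44:02.464291 IP 10.8.0.6 > 10.8.0.1: ICMP echo request, id 1, seq 10577, length 40
18:44:02.605212 IP 10.8.0.6.56054 > 192.168.0.112.80: Flags [S], seq 512633761, win 8192, options [mss 1368,nop,nop,sackOK], length 0
18:44:02.872693 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
18:44:03.864800 IP 10.8.0.6.57441 > 8.8.8.8.53: 44379+ A? dns.msftncsi.com. (34)
""".splitlines()

if __name__ == "__main__":
    for flow, n in sorted(one_way_flows(SAMPLE_CAPTURE).items()):
        src, sport, dst, dport, proto = flow
        print(f"{proto:4} {src}:{sport or '-'} -> {dst}:{dport or '-'}  {n} pkt(s), no reply")
```

Run it on a real capture with `tcpdump -i tun0 -n | python3 script.py` style piping after swapping `SAMPLE_CAPTURE` for `sys.stdin`; a flow that still shows up after the fix is the one to look at next.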


