How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
Actually, looking back over this, I think I was wrong! Your post had fewer mistakes than I remember (I sort of stumbled through this process since I'm not a BSD/Linux guy). The keep-state issue was definitely one that threw me, and I believe the other was the path to the CA file in the openvpn which wasn't something in the post anyway. Thanks for a great writeup!

One last question, my private VPN provider doesn't publish IP addresses due to increased blocking, so I don't necessarily know exactly how to whitelist traffic to their IPs. Any thoughts on this?

Hmm, not really. AirVPN allows you to request resolved hosts when you generate the openvpn config file which is how I determined the ones for my whitelist. However, I don't use the config file with the resolved hosts, I just mined it for the IP addresses.

Perhaps a request to their help desk explaining what you are attempting to do might shake them loose. Good luck.
 

bendinwire

Dabbler
Joined
Feb 8, 2014
Messages
12
I would double check the file name and also check the permissions. Also double check the path to the openvpn.conf set in the rc.config to make sure there aren't typos there either.

openvpn.conf does indeed live in /usr/local/etc/openvpn/

from rc.conf:
Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"


I made sure that openvpn and my ca.cert file have 777 (for now)
Code:
-rwxrwxrwx  1 root  wheel  254 Mar  6 23:07 openvpn.conf
root@sabnzbd_1 /usr/local/etc/openvpn/keys] ls -l
-rwxrwxrwx  1 root  wheel  1395 Mar  5 22:42 ca.cert


What other locations should I double-check (or permissions for that matter)?

I've double-checked all my steps and I'm still drawing a blank. One deviation that I am using is
Code:
auth-user-pass /usr/local/etc/openvpn/VPN-user_password.txt

with the .txt file in the right spot (PIA doesn't use user.crt files). Would that possibly cause what I'm seeing?

Thanks
 

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
bendinwire: take the "e" out of the ca.cert, it is looking for "ca.crt".
 

trnelson

Dabbler
Joined
Nov 7, 2013
Messages
16
openvpn.conf does indeed live in /usr/local/etc/openvpn/

from rc.conf:
Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"


I made sure that openvpn and my ca.cert file have 777 (for now)
Code:
-rwxrwxrwx  1 root  wheel  254 Mar  6 23:07 openvpn.conf
root@sabnzbd_1 /usr/local/etc/openvpn/keys] ls -l
-rwxrwxrwx  1 root  wheel  1395 Mar  5 22:42 ca.cert


What other locations should I double-check (or permissions for that matter)?

I've double-checked all my steps and I'm still drawing a blank. One deviation that I am using is
Code:
auth-user-pass /usr/local/etc/openvpn/VPN-user_password.txt

with the .txt file in the right spot (PIA doesn't use user.crt files). Would that possibly cause what I'm seeing?

Thanks


I could not, for the life of me, get the user/pass file to work with PIA. I have to manually authenticate with it. Do you know for certain if it will work? Take out the file name on the auth-user-pass configuration and see if it will prompt you for a username and password. That's the only way it works for me. If you DO figure it out, please let me know! :)
 

bendinwire

Dabbler
Joined
Feb 8, 2014
Messages
12
Wow thanks

:eek: :embarrased:

I mv'd ca.cert to ca.crt.
ca.crt is in /usr/local/etc/openvpn/keys with 777 permissions now

Starting still gave me:
Code:
[root@sabnzbd_1 /usr/local/etc/openvpn]# /usr/local/etc/rc.d/openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
 
tail /var/log/messages
 
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Options error: --ca fails with 'ca.crt': No such file or directory
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Options error: Please correct these errors.
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Use --help for more information.
Mar  7 07:33:06 sabnzbd_1 tornado: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


So I hard-coded the path to ca.crt and it now works, albeit with me logging in with name and password.

However it doesn't work with the
auth-user-pass /usr/local/etc/openvpn/VPN-user_password.txt
as trnelson pointed out. It looks like you have to recompile openvpn with
./configure --enable-password-save
enabled. I haven't done that yet. trnelson have you tried that already?
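The two failures in this exchange, a `ca` path that does not resolve and credential files left at mode 777, are both things a pre-flight audit of openvpn.conf can catch before the daemon is started. The script below is an added example written for this thread, not part of OpenVPN or FreeNAS. It relies on one OpenVPN behaviour: a relative path in a file-referencing directive is resolved against the directory the daemon is running in (or the one named by a `cd` directive in the config), not against the directory that holds openvpn.conf; in the case above ca.crt lived in a keys/ subdirectory, so `ca ca.crt` could not resolve either way, and an absolute path or a `cd` line is the fix. The directory layout, certificate and password contents are constructed placeholders, the daemon working directory of `/` is an assumption, and `demo()` is a hypothetical helper that rebuilds the layout under a temporary directory.

```python
"""Pre-flight audit for an OpenVPN client config (added example, not OpenVPN code).

Flags file-referencing directives that do not resolve and secret files that other users
can read. Relative paths are resolved against the daemon's working directory, or the
directory named by a `cd` directive, never against the location of the config file.
"""
import os
import stat
import tempfile
from pathlib import Path

# Directives whose first argument names a file the daemon must be able to open.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-auth", "tls-crypt",
                   "pkcs12", "crl-verify", "auth-user-pass", "askpass"}
# Files that carry secrets; anything beyond owner-only access is reported.
SECRET_DIRECTIVES = {"key", "pkcs12", "tls-auth", "tls-crypt",
                     "auth-user-pass", "askpass"}


def parse_config(text):
    """Return (directive, args) pairs; comments and inline <ca>...</ca> blocks are skipped."""
    directives, in_inline = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_inline:
            in_inline = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_inline = True          # inline block embeds the file; nothing to resolve
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit(config_text, daemon_cwd="/"):
    """Return a list of findings (strings); an empty list means the config passes."""
    directives = parse_config(config_text)
    base = Path(daemon_cwd)
    for name, args in directives:     # `cd` re-bases every file path in the config
        if name == "cd" and args:
            base = base / args[0]      # pathlib: an absolute argument replaces base entirely
    findings = []
    for name, args in directives:
        if name not in FILE_DIRECTIVES or not args:
            continue
        target = base / args[0]       # absolute args replace base, relative ones append to it
        if not target.is_file():
            findings.append(f"{name}: '{args[0]}' not found (looked for {target})")
            continue
        mode = stat.S_IMODE(target.stat().st_mode)
        if name in SECRET_DIRECTIVES and mode & 0o077:
            findings.append(f"{name}: {target} is mode {mode:04o}, expected 0600")
    return findings


def demo():
    """Rebuild the layout from the thread under a temp dir (constructed) and audit it twice."""
    root = Path(tempfile.mkdtemp())
    etc = root / "usr/local/etc/openvpn"
    (etc / "keys").mkdir(parents=True)
    ca = etc / "keys" / "ca.crt"
    ca.write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    creds = etc / "VPN-user_password.txt"
    creds.write_text("vpnuser\nplaceholder-password\n")
    os.chmod(creds, 0o777)                          # "777 (for now)", as in the thread

    common = "client\ndev tun\nremote vpn.example.invalid 1194\n"
    broken = common + f"ca ca.crt\nauth-user-pass {creds}\n"
    fixed = common + f"ca {ca}\nauth-user-pass {creds}\n"

    before = audit(broken)                          # relative ca path + loose permissions
    os.chmod(creds, 0o600)
    after = audit(fixed)                            # absolute path, owner-only credentials
    with_cd = audit(f"cd {etc}\nca keys/ca.crt\n")  # the same fix expressed with `cd`
    return before, after, with_cd


if __name__ == "__main__":
    for label, result in zip(("before", "after", "with cd"), demo()):
        print(label, "->", result or "OK")
```

Run it against a real config with `audit(Path("/usr/local/etc/openvpn/openvpn.conf").read_text(), daemon_cwd=...)`, passing whatever working directory your rc script starts the daemon from; a password file that the audit reports at 0777 is readable by every account in the jail, so tighten it to 0600 even while debugging.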
 

trnelson

Dabbler
Joined
Nov 7, 2013
Messages
16
Nope, not yet. I actually haven't had a chance to look into it much, but I did run across that too. It seemed like it's also a requirement of the openvpn server to support that option (I may have read wrong.) If that is the case, then you'd have to find out if PIA actually supports it. Sorry I can't be more help, but I haven't really touched my server too much in the past week or two but will definitely post back if I get a chance!
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
I can successfully ping google with the vpn on, but I can also ping google with the vpn off. I have set everything up as described but this is a BIG problem for me.

Here are my firewall rules.

Code:
root@transmission_1:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any


Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How do I get rid of this line?

Here is a cat from the file /media/ipfw_rules

Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05003 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


If anyone has any suggestions I would appreciate it.

EDIT: After doing some research: if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT, then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
Wow thanks

:eek: :embarrased:

I mv'd ca.cert to ca.crt.
ca.crt is in /usr/local/etc/openvpn/keys with 777 permissions now

Starting still gave me:
Code:
[root@sabnzbd_1 /usr/local/etc/openvpn]# /usr/local/etc/rc.d/openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn
 
tail /var/log/messages
 
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Options error: --ca fails with 'ca.crt': No such file or directory
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Options error: Please correct these errors.
Mar  7 07:33:06 sabnzbd_1 openvpn[46824]: Use --help for more information.
Mar  7 07:33:06 sabnzbd_1 tornado: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


So I hard-coded the path to ca.crt and it now works, albeit with me logging in with name and password.

However it doesn't work with the
auth-user-pass /usr/local/etc/openvpn/VPN-user_password.txt
as trnelson pointed out. It looks like you have to recompile openvpn with
./configure --enable-password-save
enabled. I haven't done that yet. trnelson have you tried that already?

I also use PIA; I compiled openvpn from ports with "--enable-password-save" (although this is done through make config in ports). The vpn starts and stays connected, only problem I have is from my post above with not blocking traffic when vpn is off.
 

dkran

Dabbler
Joined
Feb 21, 2014
Messages
35
I can successfully ping google with the vpn on, but I can also ping google with the vpn off. I have set everything up as described but this is a BIG problem for me.

Here are my firewall rules.

Code:
root@transmission_1:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any


Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How do I get rid of this line?

Here is a cat from the file /media/ipfw_rules

Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05003 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


If anyone has any suggestions I would appreciate it.

EDIT: After doing some research: if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT, then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?

Well, since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out.

Sent from my Nexus 7 using Tapatalk
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
I ran into some build problems as well. I am trying to "roll my own" as it were to remove this kernel option. I have another post on the forums dealing with that. I will post updates as they come! Thanks for your help!
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
I tried to configure from source because my VPN provider uses a user/pass and couldn't figure out how to point configure at my LZO installation for the life of me (I kept screaming at it, "They're in the friggin includes!!!!"). Then I reluctantly decided to disable LZO, but the openVPN installation was still not set up to be daemonized for some reason.

Then it occurred to me to just do this on the router... I just configured the VPN client on my router and used this guide to selectively use the VPN for certain IP ranges. SOOO much easier!
 

Kingedgar

Dabbler
Joined
Jan 30, 2014
Messages
47
I tried to configure from source because my VPN provider uses a user/pass and couldn't figure out how to point configure at my LZO installation for the life of me (I kept screaming at it, "They're in the friggin includes!!!!"). Then I reluctantly decided to disable LZO, but the openVPN installation was still not set up to be daemonized for some reason.

Then it occurred to me to just do this on the router... I just configured the VPN client on my router and used this guide to selectively use the VPN for certain IP ranges. SOOO much easier!


That's great for those users that can do that with their router. Unfortunately I cannot do this in my router and have to build my own FreeNAS with a changed kernel config.

BTW: What router do you have?
 

joelmusicman

Patron
Joined
Feb 20, 2014
Messages
249
I have a Netgear N300 that's flashed with Tomato USB firmware. Update: the script wasn't working after all: all traffic was going through the VPN with it on, or through WAN with it off.

My next course of action is to hook up an old router I have with DD-WRT and set up openVPN on it. Then all I'll have to do is point jails that I want VPN on to the secondary router as a gateway (192.168.1.3 instead of the main router at 192.168.1.1). Second router only has one LAN port active and I disabled WiFi. Wasn't able to do this last night as my internet was down for about 4 hours.
 
Joined
Mar 11, 2014
Messages
1
Thanks for this post and all the great comments!
I have openVPN up and running on FreeNAS 9.2.1.2.
However, ipfw is giving me problems. When I have ipfw started, I cannot access my Transmission IP address.
I created rules based on those found in this post. When I start ipfw, I can ping google.com and my openvpn provider. When openVPN is stopped, I get permission errors, as expected.

My rules follow.
Code:
add 01000 allow log udp from 192.168.1.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.1.0/24 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
add 02000 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.8.0.0/24 to any
add 05002 allow ip from any to 10.8.0.0/24
add 65534 deny ip from any to any

I'm sure it's something simple, but I've been working on this for a while and need a second pair of eyes.
 

dkran

Dabbler
Joined
Feb 21, 2014
Messages
35
Thanks for this post and all the great comments!
I have openVPN up and running on FreeNAS 9.2.1.2.
However, ipfw is giving me problems. When I have ipfw started, I cannot access my Transmission IP address.
I created rules based on those found in this post. When I start ipfw, I can ping google.com and my openvpn provider. When openVPN is stopped, I get permission errors, as expected.

My rules follow.
Code:
add 01000 allow log udp from 192.168.1.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.1.0/24 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
add 02000 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.8.0.0/24 to any
add 05002 allow ip from any to 10.8.0.0/24
add 65534 deny ip from any to any

I'm sure it's something simple, but I've been working on this for a while and need a second pair of eyes.


I can access my transmission ip from the local network but not from outside.
 

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
Thanks for this post and all the great comments!
I have openVPN up and running on FreeNAS 9.2.1.2.
However, ipfw is giving me problems. When I have ipfw started, I cannot access my Transmission IP address.
I created rules based on those found in this post. When I start ipfw, I can ping google.com and my openvpn provider. When openVPN is stopped, I get permission errors, as expected.

My rules follow.
Code:
add 01000 allow log udp from 192.168.1.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.1.0/24 to 208.67.220.220 dst-port 53 keep-state
add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
add 02000 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.8.0.0/24 to any
add 05002 allow ip from any to 10.8.0.0/24
add 65534 deny ip from any to any

I'm sure it's something simple, but I've been working on this for a while and need a second pair of eyes.
Is the problem that you can't access it from your LAN or from the Internet? If Internet access is the issue, have you forwarded ports with your VPN provider?

If LAN access is the issue what is the IP range for your LAN & what is the IP for your jail?
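Two of the rule sets in this thread can be checked mechanically, and the check explains both symptoms. ipfw evaluates rules in ascending number order and the first allow or deny that matches a packet is final, so the 65534 deny and the kernel's 65535 default only ever see packets that nothing above them matched. In Kingedgar's listing the jail's addresses (10.69.0.0/16) sit inside 10.0.0.0/8, so rule 05000 `allow ip from 10.0.0.0/8 to any` accepts every outbound packet from the jail whether or not the tunnel is up, which is why ping works with the VPN off; rule 05003 likewise admits traffic from anywhere to all of 10.0.0.0/8, not just the tunnel. In the rule set posted just above, rule 01006 allows traffic to 196.168.1.0/24, which is not the 192.168.1.0/24 LAN the other rules use, so it is worth correcting before anything else is diagnosed. The script below is an added example written for this thread, not ipfw or FreeNAS code: it parses rules in `ipfw list` or rule-file form, flags allow rules that let jail-sourced traffic reach destinations outside a declared set (LAN, DNS servers, VPN endpoints, tunnel subnet), warns about reused rule numbers, and reports which rule decides a given packet. Both sample rule sets are abridged copies of the ones above with the masked VPN endpoint replaced by the documentation address 203.0.113.10; the 10.8.0.0/24 tunnel subnet used in Kingedgar's policy is an assumption borrowed from the later rule set, and the names `KINGEDGAR_RULES`, `LATER_RULES`, `audit_kill_switch` and `first_match` are chosen here.

```python
"""Audit an ipfw rule set used as a VPN kill switch for a jail (added example, not ipfw code).

ipfw walks rules in ascending number order; the first allow/deny that matches a packet is
final, so a 65534 deny or the kernel's 65535 default only sees packets nothing above matched.
Sample rule sets are abridged from the thread, with the masked VPN endpoint replaced by the
documentation address 203.0.113.10 (constructed).
"""
import ipaddress
import re
from collections import Counter

RULE_RE = re.compile(
    r"^(?:add\s+)?(?P<num>\d+)\s+(?P<action>allow|accept|pass|permit|deny|drop|reject)"
    r"(?:\s+log(?:\s+logamount\s+\d+)?)?\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$")
ALLOW = {"allow", "accept", "pass", "permit"}
IFACE_WORDS = {"via", "recv", "xmit"}     # interface-bound rules (lo0 etc.) are not a leak path
V6_PROTOS = {"ipv6-icmp", "ipv6", "ip6"}  # IPv6 housekeeping rules are out of scope here

KINGEDGAR_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00400 deny ip from any to ::1
00600 allow ipv6-icmp from :: to ff02::/16
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to 203.0.113.10 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any
"""

LATER_RULES = """\
add 01000 allow log udp from 192.168.1.0/24 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 10.4.0.1 dst-port 53 keep-state
add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state
add 02000 allow ip from 192.168.1.0/24 to 203.0.113.10 keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.8.0.0/24 to any
add 05002 allow ip from any to 10.8.0.0/24
add 65534 deny ip from any to any
"""


def parse_rules(text):
    """One dict per rule line; prompts, blank lines and non-rule text are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["num"] = int(r["num"])
        for side in ("src", "dst"):           # None stands for "any"
            r[side] = None if r[side] == "any" else ipaddress.ip_network(r[side], strict=False)
        r["iface_bound"] = bool(IFACE_WORDS & set(r["rest"].split()))
        r["line"] = line.strip()
        rules.append(r)
    return rules


def covers(net, target):
    """True when `net` (None = any) contains the address, or overlaps the network, `target`."""
    if net is None:
        return True
    if net.version != target.version:
        return False
    if isinstance(target, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return target in net
    return net.overlaps(target)


def audit_kill_switch(text, jail_net, allowed_dsts):
    """Sorted (rule number, message) findings. `allowed_dsts` are the places the jail may reach
    directly (DNS servers, VPN endpoints, tunnel subnet); its own LAN is always allowed."""
    jail_net = ipaddress.ip_network(jail_net)
    allowed = [ipaddress.ip_network(n) for n in allowed_dsts] + [jail_net]
    rules = parse_rules(text)
    findings = [(n, f"rule number {n:05d} is used {c} times")
                for n, c in Counter(r["num"] for r in rules).items() if c > 1]
    for r in rules:
        if r["action"] not in ALLOW or r["iface_bound"] or r["proto"] in V6_PROTOS or r["num"] == 65535:
            continue
        if not covers(r["src"], jail_net):
            continue                          # can never match a packet the jail sends
        if r["dst"] is None:
            findings.append((r["num"], f"lets jail traffic reach ANY destination: {r['line']}"))
        elif r["dst"].version == 4 and not any(r["dst"].subnet_of(a) for a in allowed if a.version == 4):
            findings.append((r["num"], f"destination {r['dst']} is wider than or outside the allowed set: {r['line']}"))
    if rules and rules[-1]["num"] == 65535 and rules[-1]["action"] in ALLOW:
        findings.append((65535, "kernel default is allow, but it only sees packets no earlier rule matched; "
                                "the leaks are in the allow rules above it"))
    return sorted(findings)


def first_match(text, proto, src, dst):
    """Rule that decides a packet arriving on the jail's LAN interface (interface-bound and
    IPv6-only rules are skipped; ports and dynamic state are not modelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in parse_rules(text):
        if r["iface_bound"] or r["proto"] in V6_PROTOS or "ip6" in r["rest"].split():
            continue
        if r["proto"] in ("ip", "all", "ip4", proto) and covers(r["src"], src) and covers(r["dst"], dst):
            return r
    return None


if __name__ == "__main__":
    policy = ["208.67.222.222", "203.0.113.10", "10.8.0.0/24"]   # tunnel subnet is an assumption
    for num, msg in audit_kill_switch(KINGEDGAR_RULES, "10.69.0.0/16", policy):
        print(f"{num:05d}: {msg}")
    decider = first_match(KINGEDGAR_RULES, "icmp", "10.69.0.5", "8.8.8.8")
    print("VPN down, ping from the jail is decided by:", decider["line"])
```

On Kingedgar's set the audit reports the reused number 01000, rules 05000 and 05003, and the 65535 default, and `first_match` shows a ping from the jail to 8.8.8.8 being accepted at 05000 long before 65534 is reached. On the later set, where 05000/05002 are scoped to the 10.8.0.0/24 tunnel, the only finding is the 196.168.1.0/24 destination, and the same ping with the tunnel down falls through to the 65534 deny, which is the behaviour a kill switch should have. Feed it `ipfw list` output or the rule file directly; the narrower you keep `allowed_dsts`, the more it catches.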
 

bendinwire

Dabbler
Joined
Feb 8, 2014
Messages
12
This is great info and just what I was looking for. Thank you!

FYI, you have a typo: your "portsportsnap extract" line should read "portsnap extract".
 

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
If your VPN will not give you their IP range, I suggest not using the firewall as a kill switch.
There is little point and it will often break if your VPN has a decent sized range. I plan on writing a little script to run or just using this command to check my IP before torrenting.
Code:
wget http://smart-ip.net/myip -O - -q ; echo
wget http://ipecho.net/plain -O - -q ; echo

This is a great idea, please share your script if you end up writing one.

Cheers,
Jerry
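The two `wget` one-liners quoted above can be turned into the check the poster was planning to script: query an IP-echo service, validate the answer, and only treat the VPN as up when the observed address differs from the ISP-assigned one and, if the provider has published ranges, falls inside one of them. The script below is an added example written for this thread, not code from the original post. The echo URLs are the two from the post and may no longer answer; the ISP address and provider range in the `__main__` block are constructed placeholders, and `fetch_public_ip` and `vpn_up` are names chosen here.

```python
"""Decide from the observed public address whether it is safe to start a download client.

Added example, not the poster's script. `fetch_public_ip` needs network access; `vpn_up`
and `parse_ip` are pure and can be tested offline.
"""
import ipaddress
import urllib.request

ECHO_URLS = ("http://ipecho.net/plain", "http://smart-ip.net/myip")   # from the post


def parse_ip(text):
    """Return the address an echo service printed, or None if the body is not a bare IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None                  # HTML error page, captive portal, or garbage


def fetch_public_ip(urls=ECHO_URLS, timeout=5):
    """Try each echo service in turn; the first parseable answer wins (needs network)."""
    for url in urls:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                ip = parse_ip(resp.read(64).decode("ascii", "replace"))
        except (OSError, ValueError):   # URLError and socket timeouts are OSError subclasses
            continue
        if ip is not None:
            return ip
    return None


def vpn_up(observed, isp_ip, provider_nets=()):
    """True only if `observed` differs from the ISP address and, when provider ranges are
    given, lies inside one of them. An unknown address is treated as VPN down."""
    if observed is None:
        return False
    observed = ipaddress.ip_address(observed)
    if observed == ipaddress.ip_address(isp_ip):
        return False
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    return not nets or any(observed in n for n in nets)


if __name__ == "__main__":
    ISP_IP = "198.51.100.7"              # constructed: the address seen with the VPN off
    PROVIDER = ["203.0.113.0/24"]        # constructed: ranges the provider published
    ip = fetch_public_ip()
    verdict = "start allowed" if vpn_up(ip, ISP_IP, PROVIDER) else "refuse to start"
    print("observed:", ip, "->", verdict)
```

Wire the verdict into whatever starts the torrent client (exit non-zero on "refuse to start"); leaving `provider_nets` empty gives the weaker "not my ISP address" test for providers that do not publish ranges, which is all the quoted post was aiming for.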
 
Joined
Feb 24, 2014
Messages
3
Hey thanks a lot for this write up! This is exactly what I have been looking for, but being a newb I am a bit confused by
Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range so you'll need to adjust the firewall rule reflect the IP addresses that you have established on your network
Under network summary FreeNAS shows my IPv4 address is 192.168.1.1/24; is this what I would use?

Thanks again for this, can't wait to get this all up and running!
 