How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
Another question: Transmission keeps telling me the port is closed. I forwarded the used port in my router to the ip of the jail. (rules were already there, just changed the ip from my desktop to the jail, so i am sure the forwarding in the router actually works, and yes, i use the same port in Transmission in the jail as i used to use in transmission on the desktop).

Maybe some setting i need to add in the firewall?

Mine says the same thing. I had the same issue with uTorrent on Bitsoup when not using a VPN; then I had to open a port on the router.
If you're on the VPN and it's not keeping you from downloading or seeding, I think you can just ignore it.
 

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
Another question: Transmission keeps telling me the port is closed. I forwarded the used port in my router to the ip of the jail. (rules were already there, just changed the ip from my desktop to the jail, so i am sure the forwarding in the router actually works, and yes, i use the same port in Transmission in the jail as i used to use in transmission on the desktop).

Maybe some setting i need to add in the firewall?

I thought I had a problem with this too when I did some testing. So I went looking for a torrent with a large number of peers/leeches where I was likely to receive incoming requests. When I checked after letting transmission run for a good while, I found the port was showing 'open'.
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50
So, I'm close to getting this to run. Standalone, I was able to get my vpn connection up and running! When it came to installing the IPFW rules, things worked when it came to pinging Google with the VPN on, and off. I was able to see the status of the connection on my VPN's site as well, so it's running. Huzzah!

But, when it came to restarting my box, SABnzb (where I'm installing the VPN into instead of Transmission) refused to start until I removed the IPFW rules file. Aside from the console, there was not much in terms of error output to help me out, except that once the rules file was gone SABnzb would start.

Here is a copy of my rules (which I believe to be the cause of the problem):
Code:
add 01000 allow log udp from 192.168.1.0/24 to 192.168.1.1 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to X.X.X.X dst-port 53 keep-state
add 01004 allow log udp from 192.168.1.0/24 to X.X.X.X dst-port 53 keep-state

My router's DNS is 192.168.1.1. The other 2 entries are for my ISP. Are those entries needed, or can I rely specifically on my Router's connection?

Code:
add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state

This is my network's range.

Code:
add 02000 allow ip from 192.168.1.0/24 to X.X.X.X keep-state

Language for VPN's servers. There are approximately 20 of them; I cut the extra IPs out since they were formatted correctly...

Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any

Loopback info.

Any help would be nice! It was sort of awesome to have everything working from this guide, right up until that "OH HEY SABnzb WON'T START?" moment of confusion.
 

white_noise

Dabbler
Joined
Feb 22, 2015
Messages
17
Moved my question to support forum
 
Last edited:

Bobbyg387

Dabbler
Joined
Jan 31, 2015
Messages
32
Has anyone attempted to use this method with the Newshosting VPN? I have not for the life of me been able to get this going. I really would like to use Transmission through my VPN utilizing my login for the Newshosting VPN.
 

Bageland2000

Dabbler
Joined
Aug 24, 2014
Messages
48
Trying to redo this and got the error "Shared object "libiconv.so.2" not found, required by "bash"" when trying to enter jexec N bash. Any ideas?

edit: I'm still learning this stuff, but i followed a guide to make a clean install of libiconv:

1. # cd /usr/ports/converters/libiconv/
2. # make clean deinstall
3. # make clean install

worked like a charm...
 
Last edited:

idconvict

Cadet
Joined
Feb 28, 2015
Messages
3
For anyone having issues with pinging other servers on their local network, the issue is with this line.
The from is 192 and the to address is 196. I had to change 196 to 192 in my config and everything works fine

Code:
add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state


should be (at least in my case)

Code:
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state


Trying to redo this and got the error "Shared object "libiconv.so.2" not found, required by "bash"" when trying to enter jexec N bash. Any ideas?

edit: I'm still learning this stuff, but i followed a guide to make a clean install of libiconv:

1. # cd /usr/ports/converters/libiconv/
2. # make clean deinstall
3. # make clean install

worked like a charm...

I just did a pkg upgrade and that fixed the problem
 
Last edited:

Nystro0m

Cadet
Joined
Feb 28, 2015
Messages
4
Trying to redo this and got the error "Shared object "libiconv.so.2" not found, required by "bash"" when trying to enter jexec N bash. Any ideas?

edit: I'm still learning this stuff, but i followed a guide to make a clean install of libiconv:

1. # cd /usr/ports/converters/libiconv/
2. # make clean deinstall
3. # make clean install

worked like a charm...

I just did a pkg upgrade and that fixed the problem

I tried both pkg update and fetch -u and nothing works.
Also I don't have a folder named /usr/ports/

Anyone got any ideas?
 

idconvict

Cadet
Joined
Feb 28, 2015
Messages
3
I tried both pkg update and fetch -u and nothing works.
Also I don't have a folder named /usr/ports/

Anyone got any ideas?

Did you do pkg upgrade?

Also, make sure you're in the jail when you're doing this stuff. You'll need to use tcsh until you get bash working
 

Nystro0m

Cadet
Joined
Feb 28, 2015
Messages
4
Did you do pkg upgrade?

Also, make sure you're in the jail when you're doing this stuff. You'll need to use tcsh until you get bash working

Yes, I've tried to do both a pkg upgrade and a fetch -u, then upgrade.
All this in the jail.
I still get the "Shared object "libiconv.so.2" not found, required by "bash"" message.
 

idconvict

Cadet
Joined
Feb 28, 2015
Messages
3
Yes, I've tried to do both a pkg upgrade and a fetch -u, then upgrade.
All this in the jail.
I still get the "Shared object "libiconv.so.2" not found, required by "bash"" message.

Don't know then. You should be able to just use tcsh for the entire tutorial. That's what I'd do at this point
 

ChrisUK1978

Dabbler
Joined
Jan 18, 2014
Messages
11
Thanks jerrybme for your excellent work and thorough guide, and to Zettadox for this corollary.
If your VPN will not give you their IP range, I suggest not using the firewall as a kill switch.
There is little point, and it will often break if your VPN has a decent-sized range. I plan on writing a little script to run or just using this command to check my IP before torrenting.

If the connection range is not known, a single rule permitting all outbound traffic on the OpenVPN default port (1194) or alternate port as specified by your VPN service provider allows the use of the firewall kill switch method as described previously:
Code:
add 02000 allow ip from 192.168.0.0/24 to any 1194 keep-state


This single rule, in its simplest form, replaces all the 0200xx rules from the original post. I appreciate this is less secure, and is obviously better if further limited by an outbound address (range).

This method does allow you to switch VPN providers or for the VPN provider to modify IP address ranges to its heart's content.

I have this working with PIA, and it provides adequate VPN-failure protection for what I need.

I do hope this helps others.

All best,
Chris.
 

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
Thanks jerrybme for your excellent work and thorough guide, and to Zettadox for this corollary.


If the connection range is not known, a single rule permitting all outbound traffic on the OpenVPN default port (1194) or alternate port as specified by your VPN service provider allows the use of the firewall kill switch method as described previously:
Code:
add 02000 allow ip from 192.168.0.0/24 to any 1194 keep-state


This single rule, in its simplest form, replaces all the 0200xx rules from the original post. I appreciate this is less secure, and is obviously better if further limited by an outbound address (range).

This method does allow you to switch VPN providers or for the VPN provider to modify IP address ranges to its heart's content.

I have this working with PIA, and it provides adequate VPN-failure protection for what I need.

I do hope this helps others.

All best,
Chris.
Great alternative solution! Well done. Don't visit this forum much anymore as my FreeNAS has been rock-solid. I haven't had to do much problem solving.


 

nickt

Contributor
Joined
Feb 27, 2015
Messages
131
Hi all,

I've recently set up transmission and OpenVPN with PIA - which has gone very well, made much easier by the great information in this and other guides on the forum.

Like others, I also wanted to ensure that transmission could only use the VPN. But I just couldn't get my head around the IPFW rules discussed in this thread. So I thought I'd try something a little simpler based on binding the transmission user to specific adapters. Here is what I came up with:

Code:
ipfw -f flush

ipfw -q add 00010 allow ip from any to any via tun0

ipfw -q add 00101 allow ip from me to 10.0.0.0/24 via epair0b uid transmission
ipfw -q add 00102 allow ip from 10.0.0.0/24 to me via epair0b uid transmission
ipfw -q add 00103 deny ip from any to any via epair0b uid transmission

# 65535 is ipfw's reserved default rule and cannot be added; use 65534 for the catch-all
ipfw -q add 65534 allow all from any to any


The first rule isn't really needed, but it means that I get statistics on how much the VPN is being used when I do an ipfw show, which is a nice confirmation that the VPN is being used. Note that my LAN subnet/mask is 10.0.0.0/24.

It works!

So I thought I would share with the good folk on the forum as well as ask the experts whether there could be any gotchas with this approach. So far it has held up well to my testing.
 
Last edited:
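To check what the rule sets in this thread actually do before trusting them as a kill switch, here is an added example (not code from the thread) in Python 3: a small evaluator for the ipfw subset used above (allow/deny, ip/udp/all, from/to, dst-port, via, uid, an optional log keyword) run over nickt's uid-based rules and over the LAN rule with the 196/192 typo that idconvict fixed. The jail address (what ipfw's `me` denotes), the sample packets, and a catch-all numbered 65534 are assumptions; keep-state reply traffic is not modelled and the kernel's default rule is assumed to deny.

```python
import ipaddress
JAIL_IP = "10.0.0.5"  # constructed: the jail's own address, which ipfw's "me" denotes

def _net(tok):  # address token -> network, or None for 'any'
    tok = JAIL_IP if tok == "me" else tok
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def parse_rule(line):  # parses the ipfw subset used in this thread; None for non-'add' lines
    t = line.split()
    if "add" not in t:
        return None
    t = t[t.index("add"):]                      # drop an 'ipfw -q' prefix
    if t[3] == "log":                           # 'allow log udp ...'
        del t[3]
    r = {"num": int(t[1]), "action": t[2], "proto": t[3], "dport": None, "via": None,
         "uid": None, "src": _net(t[t.index("from") + 1]), "dst": _net(t[t.index("to") + 1])}
    rest = t[t.index("to") + 2:]
    for i, tok in enumerate(rest):
        if tok == "dst-port" or (i == 0 and tok.isdigit()):   # 'dst-port 53' or 'to any 1194'
            r["dport"] = int(rest[i + 1] if tok == "dst-port" else tok)
        elif tok in ("via", "uid"):
            r[tok] = rest[i + 1]
    return r

def matches(r, pkt):  # first-match semantics; keep-state reply traffic is not modelled
    return ((r["proto"] in ("ip", "all") or r["proto"] == pkt["proto"])
            and all(r[k] is None or ipaddress.ip_address(pkt[k]) in r[k] for k in ("src", "dst"))
            and all(r[k] is None or r[k] == pkt.get(k) for k in ("dport", "via", "uid")))

def verdict(ruleset, pkt):  # (action, rule number) of the first match, else the default rule
    for r in sorted(filter(None, map(parse_rule, ruleset)), key=lambda r: r["num"]):
        if matches(r, pkt):
            return r["action"], r["num"]
    return "deny", 65535   # ipfw's built-in rule 65535; assumed default-to-deny here

# nickt's uid-based set from the thread (catch-all numbered 65534: ipfw reserves 65535)
UID_RULES = """ipfw -q add 00010 allow ip from any to any via tun0
ipfw -q add 00101 allow ip from me to 10.0.0.0/24 via epair0b uid transmission
ipfw -q add 00102 allow ip from 10.0.0.0/24 to me via epair0b uid transmission
ipfw -q add 00103 deny ip from any to any via epair0b uid transmission
ipfw -q add 65534 allow all from any to any""".splitlines()
# fmdx's LAN rule as posted (196 typo) and idconvict's fix, each followed by the final deny
TYPO_RULES = ["add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state",
              "add 65534 deny ip from any to any"]
FIXED_RULES = [TYPO_RULES[0].replace("196.", "192."), TYPO_RULES[1]]
# constructed packets: transmission going around the tunnel, through it, and a LAN ping
LEAK = {"proto": "tcp", "src": JAIL_IP, "dst": "203.0.113.7", "dport": 51413,
        "via": "epair0b", "uid": "transmission"}
TUNNELLED = dict(LEAK, src="10.8.0.2", via="tun0")
LAN_PING = {"proto": "icmp", "src": "192.168.1.10", "dst": "192.168.1.20", "via": "epair0b"}
```

With nickt's set, `verdict(UID_RULES, LEAK)` lands on the uid deny at 00103 while the same packet via tun0 is allowed by 00010; with the typo rule, `verdict(TYPO_RULES, LAN_PING)` falls through to the 65534 deny, which is exactly the "can't ping other servers on the LAN" symptom reported above.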

jerrybme

Dabbler
Joined
Sep 28, 2011
Messages
40
nickt,
Another great alternative. Much simpler than my original solution, no need to ID the VPN server addresses. I've had to update my rules from time to time as the VPN service changes their servers. I think I'll give this a try. Simpler is always better ;-) Thanks for sharing.
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50
Hi all,

I've recently set up transmission and OpenVPN with PIA - which has gone very well, made much easier by the great information in this and other guides on the forum.

Like others, I also wanted to ensure that transmission could only use the VPN. But I just couldn't get my head around the IPFW rules discussed in this thread. So I thought I'd try something a little simpler based on binding the transmission user to specific adapters. Here is what I came up with:

Code:
ipfw -f flush

ipfw -q add 00010 allow ip from any to any via tun0

ipfw -q add 00101 allow ip from me to 10.0.0.0/24 via epair0b uid transmission
ipfw -q add 00102 allow ip from 10.0.0.0/24 to me via epair0b uid transmission
ipfw -q add 00103 deny ip from any to any via epair0b uid transmission

# 65535 is ipfw's reserved default rule and cannot be added; use 65534 for the catch-all
ipfw -q add 65534 allow all from any to any


The first rule isn't really needed, but it means that I get statistics on how much the VPN is being used when I do an ipfw show, which is a nice confirmation that the VPN is being used. Note that my LAN subnet/mask is 10.0.0.0/24.

It works!

So I thought I would share with the good folk on the forum as well as ask the experts whether there could be any gotchas with this approach. So far it has held up well to my testing.

Will those work without having the -q flags? Also, that goes into your ipfw_rules file, correct?
 

nickt

Contributor
Joined
Feb 27, 2015
Messages
131
To be honest, I'm not too sure about the -q flags - I was just following a FreeBSD guide on ipfw, and they always used it so I did too.

Yes, these go into a rules file. I used /etc/ipfw.rules

I also added the following to /etc/rc.conf
Code:
firewall_enable="YES"               # Starting IPFW daemon
firewall_script="/etc/ipfw.rules"   # Use my custom rules. 
 

Maq

Dabbler
Joined
Mar 27, 2014
Messages
15
I wrote a quick python script for generating the firewall rules. It's useful if you have a VPN provider with a lot of different IP addresses. Probably better than using the hosts file to specify the IP address for the server.

Code:
#!/usr/local/bin/python2.7
import sys
import socket
import subprocess


url = '<server address>'

try:
    # Both commands succeed only when openvpn is running and the VPN
    # server answers a ping; in that case the rules need no regeneration.
    subprocess.check_output(['service', 'openvpn', 'status'])
    subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
    pass
else:
    sys.exit()


# Resolve every address the VPN hostname currently points to
hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 192.168.1.0/24 to 192.168.1.0/24 keep-state
'''

rule_number = 2001

# One pair of rules (outbound, inbound) per resolved VPN server address
for ip in ipaddrlist:
    content += '''
add {} allow ip from 192.168.1.0/24 to {} keep-state
add {} allow ip from {} to 192.168.1.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
    rule_number += 2

content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

# Stop openvpn and ipfw before replacing the rules file
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])

with open('/etc/ipfw.rules', 'w') as f:
    f.write(content)

# Start ipfw with the new rules
subprocess.call(['service', 'ipfw', 'start'])

# 'service -e' lists the enabled rc scripts; only bring the VPN back up
# if ipfw is among them, so the tunnel never runs without the firewall
if 'ipfw' in subprocess.check_output(['service', '-e']):
    subprocess.call(['service', 'openvpn', 'start'])

sys.exit()



Let me know what you think.
 
Last edited:
Joined
Mar 6, 2014
Messages
686
Why not let it check for the exact address connected and just allow that one instead of the whole wide subnet?
 