How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

Louc918

Dabbler
Joined
Jul 31, 2015
Messages
19
Awesome guide!! Worked like a charm.

I'm having one issue however. When I connect to the VPN into my local network, I'm unable to access jail resources when the jail is logged into the jail's VPN. I've accommodated the IPFW rules to allow access from my VPN subnet. And, when I disconnect OpenVPN on the jail, I'm able to access the jail resources when connected to my local VPN. When connected to my local network, I'm able to connect to all jail resources with no issues. I'm assuming I'm missing some rule which is preventing me from accessing my jail resources when it's connected to the external OpenVPN connection. Any help is greatly appreciated.

Local Network Subnet: 10.110.1.0/24
Local VPN Subnet: 10.110.4.0/24
IPFW Rules:
##DNS
01000 allow log udp from 10.110.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01002 allow log udp from 10.110.0.0/16 to 205.171.3.25 dst-port 53 keep-state
01004 allow log udp from 10.110.0.0/16 to 8.8.4.4 dst-port 53 keep-state
01006 allow log udp from 10.110.0.0/16 to 129.250.35.250 dst-port 53 keep-state
01008 allow log udp from 10.110.0.0/16 to 10.110.1.1 dst-port 53 keep-state
##Local Network
01010 allow ip from 10.110.0.0/16 to 10.110.0.0/16 keep-state
##OpenVPN Provider
02000 allow ip from 10.110.0.0/16 to 104.156.240.160 keep-state
02004 allow ip from 10.110.0.0/16 to 104.156.240.152 keep-state
02008 allow ip from 10.110.0.0/16 to 104.156.240.168 keep-state
02012 allow ip from 10.110.0.0/16 to 104.156.240.161 keep-state
02018 allow ip from 10.110.0.0/16 to 104.156.240.147 keep-state
##Loopback
04000 allow ip from 127.0.0.1 to any
04300 allow ip from 10.30.0.0/16 to any
04302 allow ip from any to 10.30.0.0/16
04310 allow ip from 10.31.0.0/16 to any
04312 allow ip from any to 10.31.0.0/16
04320 allow ip from 10.32.0.0/16 to any
04322 allow ip from any to 10.32.0.0/16
65534 deny ip from any to any
 

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
My VPN provider doesn't publish the IP ranges (I've asked them; they said no).

So does anyone know how to block traffic to/from a specific IP address, and allow everything else?
Kinda the opposite of what this thread describes.
My ISP issues a static IP address, so I'd like to block all traffic that is using that IP, i.e. not using the VPN.

Could another jail get my IP address every hour for example and store it, then the VPN-only jail could read that, and block it?
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
My VPN provider doesn't publish the IP ranges (I've asked them; they said no).

So does anyone know how to block traffic to/from a specific IP address, and allow everything else?
Kinda the opposite of what this thread describes.
My ISP issues a static IP address, so I'd like to block all traffic that is using that IP, i.e. not using the VPN.

Could another jail get my IP address every hour for example and store it, then the VPN-only jail could read that, and block it?

An access list on your router would do that for sure.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
Then copy over the certs and keys
Code:
[root@transmission_1 /]# cp /media/ca.crt /usr/local/etc/openvpn/keys/ca.crt
[root@transmission_1 /]# cp /media/user.crt /usr/local/etc/openvpn/keys/user.crt
[root@transmission_1 /]# cp /media/user.key /usr/local/etc/openvpn/keys/user.key
[root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key


Cheers

I've got the ca.crt file along with the openvpn file.

But I'm not sure how to find or generate the files below:

user.crt
user.key
ta.key
 

Jacopx

Patron
Joined
Feb 19, 2016
Messages
367
I've got the ca.crt file along with the openvpn file.

But I'm not sure how to find or generate the files below:

user.crt
user.key
ta.key

What VPN service are you using? Sometimes everything is in only one file and it works! ;)
 

JoeB

Contributor
Joined
Oct 16, 2014
Messages
121
Try connecting with just the files you have, did it work?
 

ctowle

Dabbler
Joined
Apr 18, 2012
Messages
14
How would I add a firewall rule to allow access through port 9091 so that I can remotely access transmission from outside of my network?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211

ric

Contributor
Joined
Dec 22, 2013
Messages
180
I wanted to use Openvpn with my Transmission plugin but didn't want any of my other network traffic to go through the VPN. Additionally, I didn't want Transmission to access the internet except through the VPN. This "how-to" assumes you have a VPN service you're connecting to and have downloaded the config file, certs and user keys.

It was rather easy; here's how:

Once you've installed the Transmission plugin, have the jail running and storage attached, ssh into your jail
Code:
jls
to list the jails, then
Code:
jexec N tcsh
where "N" is equal to your jail number.

Now you'll need to add packages. I prefer to use bash rather than tcsh and nano over vi. Make sure not to use pkg_add.
Code:
[root@transmission_1 /]# pkg install bash
[root@transmission_1 /]# pkg install nano
[root@transmission_1 /]# pkg install openvpn


Next time you enter the jail you can use:
Code:
jexec N bash

For now we'll just drop into the bash shell
Code:
[root@transmission_1 /]# bash


Next we need to create the directory for the config file and certs and keys for Openvpn
Code:
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn/keys


Next you need to add the lines to rc.conf so openvpn and ipfw start when the jail starts. Go to the /etc directory and fire up nano:
Code:
[root@transmission_1 /]# cd /etc

[root@transmission_1 /etc]# nano rc.conf

Note: to save files in nano Ctrl+o will write the file and Ctrl+x will exit.

Once you've got the rc.conf file opened in nano add the following lines:


Code:
firewall_enable="YES"

firewall_type="/media/ipfw_rules"

openvpn_enable="YES"

openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"


Note that "firewall_type=" tells ipfw where the rules are to be loaded, so make sure to change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf.
Code:
[root@transmission_1 /]# cp /media/VPNproviderfile.ovpn /usr/local/etc/openvpn/openvpn.conf

Double check the paths to the location of the keys and certs listed in the config file match where you will be placing them (/usr/local/etc/openvpn/keys).

Then copy over the certs and keys
Code:
[root@transmission_1 /]# cp /media/ca.crt /usr/local/etc/openvpn/keys/ca.crt
[root@transmission_1 /]# cp /media/user.crt /usr/local/etc/openvpn/keys/user.crt
[root@transmission_1 /]# cp /media/user.key /usr/local/etc/openvpn/keys/user.key
[root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key


Now let's fire it up and see if it works:
Code:
[root@transmission_1 /]# /usr/local/etc/rc.d/openvpn start

If it works you should see
Code:
Starting openvpn.
[root@transmission_1 /]#


Assuming that is all working, now it's time to set up the firewall to only allow connections to your VPN service. ipfw is already installed in the jail, so the main trick is getting the IP addresses of your VPN service provider. I use AirVPN, and when you generate the config file you can specify that they resolve the hosts and it will list all of the IP addresses. You will also need the IP addresses for your DNS servers. I use a combo of OpenDNS and the AirVPN DNS. I put the firewall rules in my attached storage so I can easily change them if needed. Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range, so you'll need to adjust the firewall rules to reflect the IP addresses that you have established on your network.
Code:
[root@transmission_1 /etc]# cd /media
[root@transmission_1 /media]# nano ipfw_rules


The first set of rules allow access to the DNS servers
Code:
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-state


The next rule allows access on my local network to and from the jail:
Code:
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state


The next set allows access to the IP addresses provided by your VPN service provider. You'll need to add as many as you are given:
Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state


Please note that each of the above lines end with "keep-state" but the forum website sometimes shortens them to "keep-$" (see MarchHare's post below).
And the last group allows access to the local loopback and denies everything else. The 10.0.0.0/8 is for AirVPN; you'll need to find out the IP range for your provider (I found this info in their forums).
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
Where did the IP address 10.4.0.1 come from? Thanks.
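The rulesets posted in this thread (ric's list above, and Louc918's 10.110.0.0/16 variant earlier) can be checked offline before they are loaded into the jail. The script below is an added example, not code from the thread: it parses the simple "add N allow|deny [log] proto from A to B [dst-port P]" shape used here, applies ipfw's first-match order, and asks whether DNS, LAN access, a direct (non-VPN) connection and tunnel traffic get the verdicts a VPN-only jail needs. The provider address 203.0.113.10 and the test host 198.51.100.7 are constructed placeholders, and keep-state dynamic rules and interfaces are not modelled.

```python
import ipaddress

def _net(tok):
    # "any" is the whole IPv4 space; a bare host address becomes a /32 network
    return ipaddress.ip_network('0.0.0.0/0' if tok == 'any' else tok, strict=False)

def parse_rule(line):
    """Parse one 'add NNNN allow|deny [log] proto from SRC to DST [dst-port N] [keep-state]' line."""
    t = line.split()
    if t[0] == 'add':
        t = t[1:]
    num, action, i = int(t[0]), t[1], 2
    if t[i] == 'log':
        i += 1
    proto, src, dst = t[i], _net(t[i + 2]), _net(t[i + 4])   # t[i+1] == 'from', t[i+3] == 'to'
    i += 5
    dport = None
    if i < len(t) and t[i] == 'dst-port':
        dport = int(t[i + 1])
    return {'num': num, 'action': action, 'proto': proto, 'src': src, 'dst': dst, 'dport': dport}

def parse_ruleset(text):
    rules = [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    return sorted(rules, key=lambda r: r['num'])

def first_match(rules, src, dst, proto, dport=None):
    """Stateless first-match lookup, returning (rule number, action). Reply packets that
    ipfw would admit through keep-state dynamic rules are NOT modelled, nor is the interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r['proto'] not in ('ip', proto):
            continue
        if s not in r['src'] or d not in r['dst']:
            continue
        if r['dport'] is not None and r['dport'] != dport:
            continue
        return r['num'], r['action']
    return 65535, 'default'   # kernel default rule; its action depends on the kernel build

def audit(text, lan_host, lan_peer, dns_server, tun_host, internet_host):
    """The four questions this thread cares about, each answered with the matching (rule, action)."""
    rules = parse_ruleset(text)
    return {
        'dns':     first_match(rules, lan_host, dns_server, 'udp', 53),
        'lan':     first_match(rules, lan_host, lan_peer, 'tcp', 9091),
        'leak':    first_match(rules, lan_host, internet_host, 'tcp', 443),   # must be denied
        'via_tun': first_match(rules, tun_host, internet_host, 'tcp', 443),   # must be allowed
    }

# Constructed ruleset following ric's layout; 203.0.113.10 stands in for a provider endpoint.
RULES = """
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state
add 02000 allow ip from 192.168.0.0/16 to 203.0.113.10 keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
"""

if __name__ == '__main__':
    verdicts = audit(RULES, '192.168.1.5', '192.168.1.10', '208.67.222.222', '10.4.0.6', '198.51.100.7')
    for case, (num, action) in verdicts.items():
        print('{:8s} -> rule {:5d} {}'.format(case, num, action))
```

Swapping 192.168.0.0/16 for 196.168.0.0/16 in rule 01006 (the typo that appeared in an earlier copy of this post) makes the 'lan' case fall through to the final deny, which is exactly the kind of mistake this check is meant to catch.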
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211

denist

Contributor
Joined
Jan 28, 2013
Messages
188
I wrote a quick python script for generating the firewall rules. It's useful if you have a vpn provider with a lot of different IP addresses. Probably better than using the hosts file to specify the ip address for the server.

Code:
#!/usr/local/bin/python2.7
# Regenerate the jail's ipfw rules from the VPN server's current DNS records,
# then restart ipfw and openvpn so the new rules take effect.
import sys
import socket
import subprocess

url = '<server address>'

# Both commands succeed only if openvpn is running AND the server answers a ping;
# in that case there is nothing to do. A non-zero exit from either means "regenerate".
try:
    subprocess.check_output(['service', 'openvpn', 'status'])
    subprocess.check_output(['ping', '-c', '1', url])
except subprocess.CalledProcessError:
    pass
else:
    sys.exit()

# Resolve every A record the provider publishes for the server name
hostname, aliaslist, ipaddrlist = socket.gethostbyname_ex(url)

content = '''
add 01006 allow ip from 192.168.1.0/24 to 192.168.1.0/24 keep-state
'''

rule_number = 2001

# One pair of rules (out and back) per resolved address
for ip in ipaddrlist:
    content += '''
add {} allow ip from 192.168.1.0/24 to {} keep-state
add {} allow ip from {} to 192.168.1.0/24 keep-state
'''.format(rule_number, ip, rule_number + 1, ip)
    rule_number += 2

content += '''
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
'''

# Stop openvpn and ipfw before rewriting the rules file
subprocess.call(['service', 'openvpn', 'stop'])
subprocess.call(['service', 'ipfw', 'stop'])

with open('/etc/ipfw.rules', 'w') as f:
    f.write(content)

# Start ipfw
subprocess.call(['service', 'ipfw', 'start'])

# Only bring the tunnel back once ipfw is listed among the enabled services
# (.decode() keeps the substring test working on Python 3 as well as 2.7)
if 'ipfw' in subprocess.check_output(['service', '-e']).decode():
    subprocess.call(['service', 'openvpn', 'start'])

sys.exit()



Let me know what you think.

How can I run this in cron inside the jail? It works fine when I run the cron job from the FreeNAS GUI, but it does not work from the jail's cron; in the shell it works fine.
 

denist

Contributor
Joined
Jan 28, 2013
Messages
188
Thank you nickt! This is brilliant! I know it's been a while, but I've been banging my head against the wall for a day and a half trying to get these rules to work. Your solution is simple, and it works. I can do anything in the jail, transmission works, I can access it via the GUI remote, but when openvpn stops, transmission traffic comes to a screeching halt. Perfect!

FYI, after restarting, I found that my epair0b interface was now epair2b. So I simply removed "via epair0b" from all the above. Hopefully that will still do the job?
This way only stops Transmission, but what about SABnzbd? I have a Transmission jail and in that jail I have SickRage, SABnzbd and CouchPotato. Will this block all access?
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
This way only stops Transmission, but what about SABnzbd? I have a Transmission jail and in that jail I have SickRage, SABnzbd and CouchPotato. Will this block all access?
I'm not sure. You could test that by stopping openvpn, and see if those programs are still functioning or unable to communicate with the internet.
 

XanALaOM00

Cadet
Joined
Nov 8, 2015
Messages
5
I can't seem to get this to work period, I am on FreeNAS-9.3-STABLE-201604150515; Portsnap installation doesn't appear to work as I get errors with regards to make install clean:

make install clean
"/usr/ports/Mk/bsd.port.mk", line 1038: Unknown directive
make: fatal errors encountered -- cannot continue

I can give you the file for /usr/ports/Mk/bsd.port.mk if it helps, though... I find it rather odd that this would be a problem given I just installed the thing and have never touched that file.

So instead I attempted the below and am getting more issues... yay..
In this build, using pkg-install openvpn I am getting the following errors:

May 6 22:05:59 sabnzbd_1 openvpn[60119]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 6 22:05:59 sabnzbd_1 openvpn[60119]: [84863bf223b3b6ebfc008dc8a2b4c49e] Peer Connection Initiated with [AF_INET]107.182.231.37:1198
May 6 22:06:00 sabnzbd_1 openvpn[60119]: GDG: problem writing to routing socket
May 6 22:06:00 sabnzbd_1 openvpn[60119]: TUN/TAP device /dev/tun0 opened
May 6 22:06:00 sabnzbd_1 openvpn[60119]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 6 22:06:00 sabnzbd_1 openvpn[60119]: /sbin/ifconfig tun0 10.49.10.6 10.49.10.5 mtu 1500 netmask 255.255.255.255 up
May 6 22:06:00 sabnzbd_1 openvpn[60119]: FreeBSD ifconfig failed: external program exited with error status: 1
May 6 22:06:00 sabnzbd_1 openvpn[60119]: Exiting due to fatal error

I'm looking for the solution to that error now, seems much more akin to mis-matched configuration for server side stuff, but that just can't be the case here.

Long story short, should I upgrade to 9.10 to see if it resolves? I haven't seen anyone else in this forum have this problem yet, so I figured I'd see if any help could be given or be had.

Thank you very much for any help folks may be able to provide. Very appreciated
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I can't seem to get this to work period, I am on FreeNAS-9.3-STABLE-201604150515; Portsnap installation doesn't appear to work as I get errors with regards to make install clean:

make install clean
"/usr/ports/Mk/bsd.port.mk", line 1038: Unknown directive
make: fatal errors encountered -- cannot continue

I can give you the file for /usr/ports/Mk/bsd.port.mk if it helps, though... I find it rather odd that this would be a problem given I just installed the thing and have never touched that file.

So instead I attempted the below and am getting more issues... yay..
In this build, using pkg-install openvpn I am getting the following errors:
It would help to have some context. Are you in a jail? What directory are you in when you type make install clean, and what are you trying to install? What else have you installed in the jail? Also, please show the full command from the console rather than just output. I doubt you really typed pkg-install; that is not a command.

Jails can get messed up when you make mistakes. I don't know how much you have invested in it, but I would suggest you nuke it and start over. You don't need portsnap to install openvpn. Here's what I do after I log into a freshly installed jail (I use the transmission plugin to create it), and it works:
Code:
pkg install bash
pkg install openvpn
bash
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
# --no-check-certificate skips TLS verification of the download; drop it if wget can validate the site's certificate
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
unzip openvpn.zip
ee pass.txt  # Easy Editor
# Paste your PIA username and password on separate lines in that order, then save/exit

# Edit each server file you might want to use as follows:
ee Netherlands.ovpn
# After "auth-user-pass", add a space and "pass.txt".  Then save/exit.

# Then copy a server file you just edited to "openvpn.conf"

You still need to set up your storage, firewall rules, etc, but this is the actual openvpn installation.
 

XanALaOM00

Cadet
Joined
Nov 8, 2015
Messages
5

Hey, thank you for the quick follow-up! And to answer, that doesn't appear to be the problem. I checked my /etc/rc.conf file in both the host and the jail. I do not have the cloned_interfaces variable defined, and there are no duplicate interfaces. I see a tun0 and a tun1 adapter.

I have done a lot of different things to get this to work, and I honestly feel like upgrading my OS to 9.10 or above and upgrading all of my jails is going to fix it, or else simply rolling this out on a different host entirely.

to give some more background on all of the things I have tried:

1) first attempted portsnaps, configured everything manually, make install clean under the openvpn directory within the portsnap folder
2) attempted pkg install openvpn and bash as the second method that makes the most sense.

The tunnel DOES come up briefly, but then fails with the following error:

May 6 22:06:00 sabnzbd_1 openvpn[60119]: FreeBSD ifconfig failed: external program exited with error status: 1
May 6 22:06:00 sabnzbd_1 openvpn[60119]: Exiting due to fatal error

So basically everything is actually working, but openvpn believes there is some sort of interface condition which cannot exist.

Re-creating a fresh jail to use as a permanent solution is not an option, as I am not going to go through rebuilding sickrage and sab (time consuming to get it all working exactly the way I want it to).

I might go ahead and create a fresh brand-new jail and test out OpenVPN in that though and see how that goes and what exactly the difference is between that Jail (if OpenVPN works that is) and my SAB jail.

/crosses fingers
 

XanALaOM00

Cadet
Joined
Nov 8, 2015
Messages
5
It would help to have some context. Are you in a jail? What directory are you in when you type make install clean, and what are you trying to install? What else have you installed in the jail? Also, please show the full command from the console rather than just output. I doubt you really typed pkg-install; that is not a command.

Jails can get messed up when you make mistakes. I don't know how much you have invested in it, but I would suggest you nuke it and start over. You don't need portsnap to install openvpn. Here's what I do after I log into a freshly installed jail (I use the transmission plugin to create it), and it works:
Code:
pkg install bash
pkg install openvpn
bash
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
# --no-check-certificate skips TLS verification of the download; drop it if wget can validate the site's certificate
wget https://www.privateinternetaccess.com/openvpn/openvpn.zip --no-check-certificate
unzip openvpn.zip
ee pass.txt  # Easy Editor
# Paste your PIA username and password on separate lines in that order, then save/exit

# Edit each server file you might want to use as follows:
ee Netherlands.ovpn
# After "auth-user-pass", add a space and "pass.txt".  Then save/exit.

# Then copy a server file you just edited to "openvpn.conf"

You still need to set up your storage, firewall rules, etc, but this is the actual openvpn installation.

Hi,

Yes, I have done all of this on my first attempt, and I have also repeated all of these steps exactly in a fresh/new jail instance and I get the exact same error message. The VPN tun0 interface gets an IP address and then it immediately fails out with the following:

May 6 22:05:59 sabnzbd_1 openvpn[60119]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
May 6 22:05:59 sabnzbd_1 openvpn[60119]: [84863bf223b3b6ebfc008dc8a2b4c49e] Peer Connection Initiated with [AF_INET]107.182.231.37:1198
May 6 22:06:00 sabnzbd_1 openvpn[60119]: GDG: problem writing to routing socket
May 6 22:06:00 sabnzbd_1 openvpn[60119]: TUN/TAP device /dev/tun0 opened
May 6 22:06:00 sabnzbd_1 openvpn[60119]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
May 6 22:06:00 sabnzbd_1 openvpn[60119]: /sbin/ifconfig tun0 10.49.10.6 10.49.10.5 mtu 1500 netmask 255.255.255.255 up
May 6 22:06:00 sabnzbd_1 openvpn[60119]: FreeBSD ifconfig failed: external program exited with error status: 1
May 6 22:06:00 sabnzbd_1 openvpn[60119]: Exiting due to fatal error

I have absolutely no clue at this point where to look. The only thing that is unique about my configuration is that I am using a bonded interface, but that aside, it shouldn't create this error with a fresh jail instance. The jail instance is very generic: no VIMAGE, straightforward configuration, Sysctls: allow.raw_sockets=true

generic default configuration that defines NIC: lagg0.

If any of the above would cause a problem with openvpn, please school me, because I am missing something glaring.

I have invested quite a bit of time and tried different methods of accomplishing the same thing. I am considering using a Raspberry Pi with this sort of setup and simply mounting my torrent downloads folder on my NAS as an NFS share and calling this solved. Though that is another 50 bucks spent on something that I should be able to natively accomplish in the jail environment. I must have something totally borked somewhere; I am unsure of where to look, though, for that specific error message with regards to setting this up as an OpenVPN client. The error message is TOO generic to work with:

GDG: problem writing to routing socket
May 6 22:06:00 sabnzbd_1 openvpn[60119]: FreeBSD ifconfig failed: external program exited with error status: 1
May 6 22:06:00 sabnzbd_1 openvpn[60119]: Exiting due to fatal error


Thank you all for your time! Very Appreciated! :)
 

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
What is the command that results in the output you pasted above?
 
Joined
Jan 4, 2014
Messages
1,644
Curious. Had OpenVPN working perfectly with AirVPN as per this post under Transmission 2.44 (?). Last week, I upgraded to Transmission 2.92 and now downloads have mysteriously stopped. I've checked OpenVPN and ipfw status and both appear to be working okay. Has anyone else experienced this? Unless someone has a magic fix, I'm going to try to rebuild from first principles. If that's unsuccessful, does anyone have any idea how to get back to Transmission 2.44?
 