[GUIDE] VPN Killswitch inside of jail

icsy7867 (Contributor, joined Dec 31, 2015, 167 messages)
This is a bit of a work in progress. But for anyone who pays for or uses OpenVPN to connect to a client and would like to prevent anything from leaking out into the world: I am using UFW to block all outgoing data, except through the VPN tunnel. I originally did this in my router, but the poor little dual core could only handle about 1-2 MBps through the tunnel.

I am assuming that everyone knows how to get a bash/tcsh terminal for their jails. You can use the web GUI, but I prefer SSH + jls/jexec to make it easier to copy and paste. I am also assuming that you know how to use nano or vim. (However, if you don't know, I am more than happy to help!)

  1. Install the correct apps (Use whatever text editor you like)
    pkg update
    pkg install nano openvpn


  2. Copy your openvpn.ovpn file over. You will either make this yourself or download it from your VPN service. Test the connection real quick to make sure your openvpn file is working.
    openvpn --config /path/to/config/openvpn.ovpn
    You should get a success message. Ctrl+C openvpn after it is successful.
    *note* To make this work automatically, you will most likely need to make a username/password file that the .ovpn file loads automatically. I am assuming you know how to do this, but let me know if you don't.

  3. Let's create our rule document to run at boot!

    nano /etc/ipfw.rules


    Please note the changes needed, then paste the following into ipfw.rules:
    Change 172.18.30.0 to your correct internal subnet (such as 192.168.1.0). This allows anything on your subnet to communicate.
    Change the port 1912 to whatever OpenVPN port you are running. This allows OpenVPN to make its external connection.
    Change epair1b to the correct network interface for your jail.

    Code:
    #!/bin/sh
    # Run by rc.d/ipfw through firewall_script; a FreeBSD jail has /bin/sh, not /bin/bash.
    # Flush out the list before we begin
    ipfw -q -f flush
    
    # Set rules command prefix
    cmd="ipfw -q add"
    # tun interface OpenVPN creates (check ifconfig; it may be tun1 if tun0 is taken)
    vpn="tun0"
    
    # allow all local traffic on the loopback interface
    $cmd 00001 allow all from any to any via lo0
    
    # allow any connection to/from VPN interface
    $cmd 00010 allow all from any to any via $vpn
    
    # allow connection to/from LAN by Transmission
    $cmd 00101 allow all from me to 172.18.30.0/24
    $cmd 00102 allow all from 172.18.30.0/24 to me
    
    # allow only the OpenVPN connection itself (port 1912) to leave the jail interface directly
    $cmd 00105 allow all from any to any 1912 out via epair1b
    # deny any Transmission connection outside LAN that does not use VPN
    $cmd 00106 deny all from any to any out via epair1b
    


  4. Now, let's set this sucker to run at boot
    nano /etc/rc.conf
    paste the following at the end of the file and save:
    Code:
    firewall_enable="YES"
    firewall_script="/etc/ipfw.rules"
    
  5. Test!
    Flush the ipfw rules and run your script:

    ipfw -q -f flush
    sh /etc/ipfw.rules
    ping 8.8.4.4

    You should get a "Permission denied".
  6. Now let's test with openvpn! Connect to your VPN server using the daemon flag so that it runs in the background:
    openvpn --config /path/to/config/openvpn.ovpn --daemon
    Verify the tunnel is created by running ifconfig, and you should see your tun0. If you aren't using "tun0" (such as tun1 for example), make sure to update the ipfw.rules section!
    Once you see the tun0, you should be able to ping out to google!

    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=11.248 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=19.889 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=122 time=10.514 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=122 time=35.034 ms


    *note* If you want OpenVPN to run at boot, simply make a crontab entry:
    # keyword must be lowercase: cron compares "@reboot" case-sensitively
    @reboot /usr/local/sbin/openvpn --config /path/to/config/openvpn.ovpn --daemon
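A tighter version of the ruleset above, added here as an example; it is not part of icsy7867's post. Rule 00105 in the guide lets any protocol reach port 1912 on any host, and replies to the OpenVPN handshake are left to the default rule 65535, which is accept or deny depending on how the kernel was built (net.inet.ip.fw.default_to_accept). The script below narrows the exception to one server address, protocol and port, uses check-state/keep-state so replies are admitted explicitly, and denies unsolicited inbound traffic on the jail interface as well. It prints the rules in the file syntax ipfw(8) reads so they can be reviewed before loading. The subnet, the server address 203.0.113.7, the port and the interface names in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example; not the ruleset from the original post. Builds a tighter
# ipfw(8) kill switch for a VNET jail: the only traffic allowed to leave the
# jail's epair interface directly is the OpenVPN handshake to one server
# address/port/protocol, reply packets are admitted by a stateful rule instead
# of the kernel's default rule 65535, and unsolicited inbound traffic on the
# jail interface is denied explicitly. All values in the usage lines at the
# bottom (192.168.1.0/24, 203.0.113.7, 1912, epair1b, tun0) are placeholders.

# Sanity-check the parameters; prints the problem and returns 1 on failure.
check_params() {
    lan=$1; server=$2; port=$3; proto=$4
    case "$lan" in
        */*) ;;
        *) echo "LAN must be a CIDR subnet such as 192.168.1.0/24, got '$lan'" >&2; return 1 ;;
    esac
    # The server must be an IPv4 literal: the rules are loaded before the
    # tunnel exists, and a hostname would have to be resolved past the deny.
    case "$server" in
        ""|*[!0-9.]*) echo "VPN server must be an IPv4 address, got '$server'" >&2; return 1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "port must be numeric, got '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        udp|tcp) ;;
        *) echo "proto must be udp or tcp (see the 'proto' line of your .ovpn), got '$proto'" >&2; return 1 ;;
    esac
}

# Print the ruleset in the file syntax ipfw(8) reads: one command per line,
# without the leading "ipfw". Emitting text lets you review it before loading.
gen_ipfw_rules() {
    lan=$1; server=$2; port=$3; proto=$4; jail_if=$5; tun_if=$6
    cat <<EOF
# loopback
add 00001 allow all from any to any via lo0
# replies to the stateful rule below are matched here, before anything else
add 00005 check-state
# anything inside the tunnel is fine
add 00010 allow all from any to any via $tun_if
# LAN both ways: jail management, other jails reaching Transmission, a LAN resolver
add 00101 allow all from me to $lan
add 00102 allow all from $lan to me
# the single exception on the jail interface: the OpenVPN handshake to its server
add 00105 allow $proto from me to $server $port out via $jail_if keep-state
# the kill switch: everything else leaving the jail interface is dropped
add 00106 deny all from any to any out via $jail_if
# do not rely on the default rule for unsolicited inbound traffic either
add 00107 deny all from any to any in via $jail_if
EOF
}

# Flush and load: what the guide does with firewall_script, but from the
# generated text. Needs root and the ipfw module, so it only runs on "apply".
apply_rules() {
    check_params "$1" "$2" "$3" "$4" || return 1
    tmp=$(mktemp) || return 1
    gen_ipfw_rules "$@" > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage (placeholder values):
#   sh killswitch.sh show  192.168.1.0/24 203.0.113.7 1912 udp epair1b tun0
#   sh killswitch.sh apply 192.168.1.0/24 203.0.113.7 1912 udp epair1b tun0
case "${1:-}" in
    show)  shift; check_params "$1" "$2" "$3" "$4" && gen_ipfw_rules "$@" ;;
    apply) shift; apply_rules "$@" ;;
esac
```

Two things apply to the guide's ruleset as much as to this one. The `remote` in the .ovpn has to be resolvable before the tunnel exists, so either put an IP literal there or point the jail's resolv.conf at a resolver on the LAN, which the LAN rules allow; and once the tunnel is up, a LAN resolver still sends the jail's DNS queries out through the router and your ISP, so for the kill switch to cover DNS too the jail should use a resolver reached through the tunnel (most providers push one). Rule 00107 additionally drops router port-forwards aimed at the jail; peer connections should arrive through the tunnel instead.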
 

m0nkey_ (MVP, joined Oct 27, 2015, 2,739 messages)
Maybe better to put the OpenVPN daemon config in /etc/rc.conf instead of cron.
Code:
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/client.conf"
 

icsy7867 (Contributor, joined Dec 31, 2015, 167 messages)
I actually tried that. But it didn't seem to want to work for me. But crontab worked like a charm.

rc.conf would be the preferred method though.
 

Gumpwa (Cadet, joined May 13, 2017, 3 messages)
Thanks for the guide! Works as you described, but now my other jails cannot seem to communicate with my Transmission app running in the same jail as openvpn. Any ideas?

Update: Never mind, figured it out. I needed to enable VNET on the Transmission jail for it to work. The other jails did not use VNET; enabling it fixed my problem.
Thanks again!
 

nojohnny101 (Wizard, joined Dec 3, 2015, 1,478 messages)
I am trying to get this working, but my install doesn't have a .conf file to reference. I have my own .ovpn file, but where is the .conf file that is installed by default?
 

Gumpwa (Cadet, joined May 13, 2017, 3 messages)
I believe you just change the name of the .ovpn to .conf

That is what I did to my ovpn
 

nojohnny101 (Wizard, joined Dec 3, 2015, 1,478 messages)
I believe you just change the name of the .ovpn to .conf

That is what I did to my ovpn

I thought about that but I thought those were completely different files? I will try that I guess.
 

nojohnny101 (Wizard, joined Dec 3, 2015, 1,478 messages)
I got it working, that was it. Sorry for the confusion. Glad it was something simple!
 

ric (Contributor, joined Dec 22, 2013, 180 messages)
Regarding the username/password, is this the credential when I signed up for my openvpn account/service? Please advise.

"2) Copy your openvpn.ovpn file over. You will either make this yourself or download it from your VPN service. Test the connection real quick to make sure your openvpn file is working.
openvpn --config /path/to/config/openvpn.ovpn
You should get a success message. ctrl+c openvpn after it is successful.
*note* to make this work automatically. You will most likely need to make a username/password file that the .ovpn file loads automatically. I am assuming you know how to do this but let me know if you don't."
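The three loose ends in the replies above (m0nkey_'s rc.conf method, the .ovpn-to-.conf rename, and ric's question about the username/password file) are tied together in the script below, which is an added example and not code from any post in the thread. It copies a provider .ovpn to /usr/local/etc/openvpn/client.conf with `auth-user-pass` pointing at a root-only credential file, sanity-checks the result, reports which tun device the config will create so the ipfw rules can match it, and enables the service with sysrc(8), which writes the same two rc.conf lines m0nkey_ posted. The credentials that go into the file are the OpenVPN username and password your VPN service issued; at some providers these differ from the website login, so check the provider's OpenVPN setup page. The paths are the FreeBSD package defaults; the file and account names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Sets up OpenVPN for
# the rc.conf method: provider .ovpn -> /usr/local/etc/openvpn/client.conf with
# auth-user-pass pointing at a root-only credential file, then sysrc(8) to
# enable the service. Placeholders: provider.ovpn, alice, s3cret.

OPENVPN_DIR=${OPENVPN_DIR:-/usr/local/etc/openvpn}   # FreeBSD package default

# Write the credential file: username on line 1, password on line 2, which is
# the layout auth-user-pass expects. The subshell umask makes it 0600 from the
# moment it exists; the rm matters because ">" on an existing file keeps its
# old (possibly wider) mode.
write_auth_file() {
    file=$1; user=$2; pass=$3
    ( umask 077; rm -f "$file"; printf '%s\n%s\n' "$user" "$pass" > "$file" )
}

# Copy the .ovpn to its new name, dropping any existing auth-user-pass line
# (bare, which would prompt on the console, or pointing elsewhere) and
# appending one that names our credential file. Everything else is kept
# verbatim; cert/key files referenced by relative path must sit next to it.
make_client_conf() {
    src=$1; dst=$2; auth=$3
    [ "$src" != "$dst" ] || { echo "source and destination are the same file" >&2; return 1; }
    sed -e '/^[[:space:]]*auth-user-pass[[:space:]]*$/d' \
        -e '/^[[:space:]]*auth-user-pass[[:space:]]/d' "$src" > "$dst" || return 1
    printf 'auth-user-pass %s\n' "$auth" >> "$dst"
}

# Report the tun device the config asks for. A bare "dev tun" means OpenVPN
# takes the first free tunN, so the ipfw rules must match what ifconfig shows.
conf_dev() {
    awk '$1 == "dev" { dev = $2 } END { print (dev == "" ? "tun" : dev) }' "$1"
}

# Refuse configs that cannot run unattended: no remote, or an auth-user-pass
# that does not point at a readable two-line credential file.
check_client_conf() {
    conf=$1
    grep -q '^[[:space:]]*remote[[:space:]]' "$conf" || { echo "$conf: no remote line" >&2; return 1; }
    auth=$(awk '$1 == "auth-user-pass" { print $2 }' "$conf")
    if [ -z "$auth" ] || [ ! -r "$auth" ]; then
        echo "$conf: auth-user-pass must name a readable credential file" >&2; return 1
    fi
    [ "$(grep -c '' "$auth")" -eq 2 ] && ! grep -q '^$' "$auth" \
        || { echo "$auth: expected username and password, one per line" >&2; return 1; }
}

# Turn on the rc.d service as in m0nkey_'s post; sysrc edits /etc/rc.conf in place.
enable_service() {
    sysrc openvpn_enable=YES "openvpn_configfile=$1" >/dev/null
}

# Put it all together: install_client provider.ovpn USERNAME PASSWORD
install_client() {
    src=$1; user=$2; pass=$3
    conf=$OPENVPN_DIR/client.conf; auth=$OPENVPN_DIR/auth.txt
    write_auth_file "$auth" "$user" "$pass" || return 1
    make_client_conf "$src" "$conf" "$auth" || return 1
    check_client_conf "$conf" || return 1
    enable_service "$conf" || return 1
    echo "installed $conf; OpenVPN will use $(conf_dev "$conf"), match that in ipfw.rules"
}

# Usage (placeholders): sh openvpn-setup.sh install /root/provider.ovpn alice 's3cret'
# A password on the command line shows up in the process list and shell
# history; on a shared host, type it into auth.txt with your editor instead.
case "${1:-}" in
    install) shift; install_client "$@" ;;
esac
```

After `service openvpn start`, `ifconfig` should show the device `conf_dev` reported; if the config says `dev tun` and something else already holds tun0, OpenVPN will take tun1 and the ipfw rules need updating, which is the check the guide's step 6 describes.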
 