This is a bit of a work in progress. But for anyone who pays for or uses OpenVPN to connect to a provider and would like to prevent anything from leaking out into the world, I am using UFW to block all outgoing data, except through the VPN tunnel. I originally did this in my router, but the poor little dual core could only handle about 1-2 MBps through the tunnel.
I am assuming that everyone knows how to get a bash/tcsh terminal for their jails. You can use the web GUI, but I prefer SSH + jls/jexec to make it easier to copy and paste. I am also assuming that you know how to use nano or vim. (However, if you don't know, I am more than happy to help!)
- Install the correct apps (Use whatever text editor you like)
pkg update
pkg install nano openvpn
- Copy your openvpn.ovpn file over. You will either make this yourself or download it from your VPN service. Test the connection real quick to make sure your openvpn file is working.
openvpn --config /path/to/config/openvpn.ovpn
You should get a success message. ctrl+c openvpn after it is successful.
*note* To make this work automatically, you will most likely need to make a username/password file that the .ovpn file loads automatically. I am assuming you know how to do this, but let me know if you don't.
- Let's create our rule document to run at boot!
nano /etc/ipfw.rules
Make the following changes as needed, then paste the script into ipfw.rules:
Change 172.18.30.0 to your correct internal subnet (Such as 192.168.1.0). This allows anything on your subnet to communicate.
Change the port 1912 to whatever OpenVPN port you are running. This allows OpenVPN to make its external connection.
Change epair1b to be the correct network interface for your jail.
Code:
#!/bin/sh
# Run with sh (rc's firewall_script sources it); bash is not installed in a jail by default
# Flush out the list before we begin
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"
# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0
# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn
# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 172.18.30.0/24
$cmd 00102 allow all from 172.18.30.0/24 to me
# allow only the OpenVPN handshake itself out the jail interface (port 1912)
$cmd 00105 allow all from any to any 1912 out via epair1b
# deny any Transmission connection outside LAN that does not use VPN
$cmd 00106 deny all from any to any out via epair1b
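The rule set above only works as a kill switch if the tunnel allow, the port-restricted handshake allow and the catch-all deny are all present and numbered in that order. Here is an added audit script (not part of the original post) that checks an `ipfw list` listing for exactly those invariants; the interface names tun0 and epair1b are the tutorial's and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `ipfw list` listing
# for the kill-switch invariants the rule set above depends on.
# Assumed names (tun0, epair1b) are the tutorial's; change them to match your jail.

# Constructed `ipfw list` output matching the tutorial's rules (ipfw prints "all" as "ip").
SAMPLE_RULES='00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun0
00101 allow ip from me to 172.18.30.0/24
00102 allow ip from 172.18.30.0/24 to me
00105 allow ip from any to any 1912 out via epair1b
00106 deny ip from any to any out via epair1b
65535 deny ip from any to any'

# audit_rules RULES VPN_IF JAIL_IF: prints each finding, returns 0 when the kill switch is intact.
audit_rules() {
    rules=$1; vpn_if=$2; jail_if=$3; rc=0

    # 1. Something must allow traffic via the tunnel, or nothing gets out even with the VPN up.
    printf '%s\n' "$rules" | grep -Eq "^[0-9]+ allow .* via $vpn_if\$" \
        || { echo "MISSING: allow rule via $vpn_if"; rc=1; }

    # 2. A catch-all deny for outbound traffic on the jail interface is the actual kill switch.
    deny_no=$(printf '%s\n' "$rules" \
        | awk -v ifc="$jail_if" '$2=="deny" && $0 ~ "from any to any out via "ifc {print $1; exit}')
    [ -n "$deny_no" ] || { echo "MISSING: deny out via $jail_if"; rc=1; }

    # 3. Every allow out via the jail interface (the OpenVPN handshake) must be numbered
    #    before that deny; ipfw acts on the first matching rule, so a later allow never fires.
    if [ -n "$deny_no" ]; then
        printf '%s\n' "$rules" | awk -v ifc="$jail_if" -v d="$deny_no" \
            '$2=="allow" && $0 ~ "out via "ifc && $1+0 > d+0 {bad=1} END {exit bad}' \
            || { echo "ORDER: allow out via $jail_if numbered after deny $deny_no"; rc=1; }
    fi

    # 4. An allow on "any to any" with no interface restriction bypasses the whole scheme.
    printf '%s\n' "$rules" | awk '$2=="allow" && /from any to any/ && !/ via / {exit 1}' \
        || { echo "LEAK: unrestricted allow rule"; rc=1; }

    return $rc
}

# Audit the live rule set when ipfw is available, otherwise the constructed sample.
if command -v ipfw >/dev/null 2>&1; then RULES=$(ipfw list); else RULES=$SAMPLE_RULES; fi
audit_rules "$RULES" tun0 epair1b && echo "kill switch rules look intact"
```

Run it inside the jail after `sh /etc/ipfw.rules`; a non-zero exit with a MISSING, ORDER or LEAK line means traffic can bypass the tunnel.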
- Now, let's set this sucker to run at boot
nano /etc/rc.conf
paste the following at the end of the file and save:
Code:
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
- Test!
Flush the ipfw rules and run your script:
ipfw -q -f flush
sh /etc/ipfw.rules
ping 8.8.4.4
You should get a "Permission denied" (ipfw's deny rule rejects the outbound packet).
- Now let's test with OpenVPN! Connect to your VPN server using the daemon flag so that it runs in the background:
openvpn --config /path/to/config/openvpn.ovpn --daemon
Verify the tunnel is created by running ifconfig, and you should see your tun0. If you aren't using "tun0" (such as tun1 for example), make sure to update the ipfw.rules section!
Once you see the tun0, you should be able to ping out to google!
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=122 time=11.248 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=122 time=19.889 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=122 time=10.514 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=122 time=35.034 ms
*note* If you want OpenVPN to run at boot, simply add a crontab entry (cron's special string is lowercase @reboot):
@reboot /usr/local/sbin/openvpn --config /path/to/config/openvpn.ovpn --daemon