Help: OpenVPN w/ IPFW kill switch refuses to work

Bizarro252

Dabbler
Joined
Jul 1, 2019
Messages
36
Hello!
Running on FreeNAS 11.2-U5

I have my VPN working in a jail, and when testing it will change my outside IP, etc. However, I can't seem to get the kill switch to work; it just keeps sending traffic down the default allow-all rule, even though I have my deny rule much higher up in the order.
Below are my configs, as well as outputs, any help would be greatly appreciated.

IPFW Rules File (Local network is 172.16.0.1-172.16.0.255 on /24 netmask)

Code:
# Allow internal traffic
add 00501 allow IP from 172.16.0.50/24 to 172.16.0.0/24 keep-state
add 00502 allow IP from 172.16.0.0/24 to 172.16.0.50/24 keep-state

# Allow access to Entrance IP for VPN
add 00503 allow IP from 172.16.0.50/24 to 209.95.36.146 keep-state

# Allow any traffic over the VPN interface
add 00504 allow IP from any to any via tun0

# Deny any other traffic
add 00505 deny IP from any to any


IPFW List (ipfw list)
Code:
root@deluge:/config # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00501 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504 allow ip from any to any via tun0
00505 deny ip from any to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 allow ip from any to any


ifconfig
Code:
root@deluge:/config # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether d0:50:99:56:71:78
        hwaddr 02:4c:50:00:07:0b
        inet 172.16.0.50 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.8.1.5 --> 10.8.1.1 netmask 0xffffff00
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 12397



When I stop OpenVPN and ping out, my IP changes to the non-VPN one, but I still show all traffic routing to that last default rule, not hitting 00505 like I would think it should??? I don't see the VPN traffic being flagged (using ipfw -t list) as going through the tunnel rule when OpenVPN is on either.

Code:
root@deluge:/config # ipfw zero
Accounting cleared.
root@deluge:/config # ping goole.com
PING goole.com (217.160.0.201): 56 data bytes
64 bytes from 217.160.0.201: icmp_seq=0 ttl=49 time=201.762 ms
64 bytes from 217.160.0.201: icmp_seq=1 ttl=49 time=198.979 ms
64 bytes from 217.160.0.201: icmp_seq=2 ttl=49 time=200.095 ms
64 bytes from 217.160.0.201: icmp_seq=3 ttl=49 time=200.100 ms
^Z
Suspended
root@deluge:/config # ipfw -t list
00100 Thu Jul  4 11:51:50 2019 allow ip from any to any via lo0
00200                         deny ip from any to 127.0.0.0/8
00300                         deny ip from 127.0.0.0/8 to any
00400                         deny ip from any to ::1
00500                         deny ip from ::1 to any
00501                         allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502                         allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503                         allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504                         allow ip from any to any via tun0
00505                         deny ip from any to any
00600                         allow ipv6-icmp from :: to ff02::/16
00700                         allow ipv6-icmp from fe80::/10 to fe80::/10
00800                         allow ipv6-icmp from fe80::/10 to ff02::/16
00900                         allow ipv6-icmp from any to any ip6 icmp6types 1
01000                         allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 Thu Jul  4 11:51:52 2019 allow ip from any to any
root@deluge:/config # service openvpn stop
Stopping openvpn.
Waiting for PIDS: 12397.
root@deluge:/config # ipfw zero
Accounting cleared.
root@deluge:/config # ping google.com
PING google.com (172.217.164.110): 56 data bytes
64 bytes from 172.217.164.110: icmp_seq=0 ttl=53 time=45.506 ms
64 bytes from 172.217.164.110: icmp_seq=1 ttl=53 time=46.444 ms
64 bytes from 172.217.164.110: icmp_seq=2 ttl=53 time=46.381 ms
64 bytes from 172.217.164.110: icmp_seq=3 ttl=53 time=45.853 ms
^C
--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.506/46.046/46.444/0.387 ms
root@deluge:/config # ipfw -t list
00100 Thu Jul  4 11:52:40 2019 allow ip from any to any via lo0
00200                         deny ip from any to 127.0.0.0/8
00300                         deny ip from 127.0.0.0/8 to any
00400                         deny ip from any to ::1
00500                         deny ip from ::1 to any
00501                         allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00502                         allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00503                         allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00504                         allow ip from any to any via tun0
00505                         deny ip from any to any
00600                         allow ipv6-icmp from :: to ff02::/16
00700                         allow ipv6-icmp from fe80::/10 to fe80::/10
00800                         allow ipv6-icmp from fe80::/10 to ff02::/16
00900                         allow ipv6-icmp from any to any ip6 icmp6types 1
01000                         allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 Thu Jul  4 11:52:41 2019 allow ip from any to any

Bizarro252
OK... I read many different how-tos and just kept trying until something worked... This seems to be working. Here are my ipfw rules; the 209 IP I got from the config file from my VPN provider... I think I need to set up additional - but this seems to be working with the kill switch!

If anyone could help explain what was wrong, I'm still trying to figure out what exactly the fix was...
I tried removing rule 00010 and it stops working; I put it back and removed rule 00105, and that killed it too. I do not understand why it needs both. Those two lines are from two different how-to sets of directions, but for some reason it seems to need both, and it is showing traffic on both...

Very interested in learning what's going on, as I have spent hours on this; I would like to be able to replicate it again / help others down the road :)

ipfw rules:
Code:
add 00001 allow all from any to any via lo0
add 00010 allow all from any to any via tun0
add 00101 allow all from 172.16.0.50/24 to 176.16.0.0/24 keep-state
add 00102 allow all from 172.16.0.0/24 to 172.16.0.50/24 keep-state
add 00105 allow all from 172.16.0.50/24 to 209.95.36.146 keep-state
add 00110 deny all from any to any




Code:
root@deluge:/config # ipfw -a list
00001   600   166536 allow ip from any to any via lo0
00010     8     1273 allow ip from any to any via tun0
00100     0        0 allow ip from any to any via lo0
00101     0        0 allow ip from 172.16.0.0/24 to 176.16.0.0/24 keep-state :default
00102   612   202068 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00105     9     1767 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00110   133    18465 deny ip from any to any
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
00400     0        0 deny ip from any to ::1
00500     0        0 deny ip from ::1 to any
00600     0        0 allow ipv6-icmp from :: to ff02::/16
00700     0        0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800     0        0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900     0        0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000     0        0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65535 85691 24469402 allow ip from any to any



Showing it working:
Code:
root@deluge:/config # service ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
00001 allow ip from any to any via lo0
00010 allow ip from any to any via tun0
00101 allow ip from 172.16.0.0/24 to 176.16.0.0/24 keep-state :default
00102 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00105 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00110 deny ip from any to any
Firewall rules loaded.
root@deluge:/config # service openvpn start
Starting openvpn.
root@deluge:/config # ping google.com
PING google.com (216.58.195.78): 56 data bytes
64 bytes from 216.58.195.78: icmp_seq=0 ttl=54 time=77.791 ms
64 bytes from 216.58.195.78: icmp_seq=1 ttl=54 time=74.302 ms
64 bytes from 216.58.195.78: icmp_seq=2 ttl=54 time=75.667 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 74.302/75.920/77.791/1.436 ms
root@deluge:/config # service openvpn stop
Stopping openvpn.
Waiting for PIDS: 18775.
root@deluge:/config # ping google.com
PING google.com (216.58.195.78): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- google.com ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
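Added example, not code from the thread or from FreeBSD's ipfw: a small first-match simulator and counter audit for `ipfw list` / `ipfw -a list` output, written to illustrate the two questions the posts above raise. For the first post it shows which rule a non-tunnel ping should land on under first-match evaluation; for the second post it shows why rule 00010 (traffic over tun0) and rule 00105 (the jail reaching the VPN entry IP on epair0b so the tunnel can be built) are hit by different packets and are both needed, and that rule 00101 as posted (destination 176.16.0.0/24) can never match LAN traffic, which is accounted to 00102 instead. The model is deliberately simplified: only allow/deny actions, IPv4/IPv6 address specs and `via <iface>` are matched; keep-state dynamic entries, ports and ICMP types are ignored. The sample input is the second post's `ipfw -a list` output with the IPv6 rules omitted; the packets fed to it are constructed from the addresses in the thread.

```python
"""Added example (not from the thread): first-match simulator and counter audit
for ipfw rule listings.  Models allow/deny, address specs and `via <iface>` only;
keep-state dynamic entries, ports and ICMP types are not modelled."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches both `ipfw list` lines and `ipfw -a list` lines (packet/byte counters).
RULE_RE = re.compile(
    r"^(?P<num>\d+)(?:\s+(?P<pkts>\d+)\s+(?P<bytes>\d+))?\s+(?P<action>allow|deny)"
    r"\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$")


@dataclass
class Rule:
    num: int
    action: str
    proto: str
    src: str
    dst: str
    via: Optional[str]
    pkts: int


@dataclass
class Packet:            # constructed test packets, not captured traffic
    src: str
    dst: str
    iface: str
    proto: str = "icmp"


def parse_rules(listing: str) -> List[Rule]:
    """Parse rule lines, skipping prompts and forms the regex does not cover.
    Returned sorted by number: ipfw evaluates rules in ascending number order
    no matter which order `ipfw add` or the rc script loaded them in."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        via = re.search(r"\bvia\s+(\S+)", m.group("rest"))
        rules.append(Rule(int(m.group("num")), m.group("action"), m.group("proto"),
                          m.group("src"), m.group("dst"),
                          via.group(1) if via else None, int(m.group("pkts") or 0)))
    return sorted(rules, key=lambda r: r.num)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    # strict=False accepts host-bit forms such as 172.16.0.50/24 from a rules file;
    # ipfw normalises them to 172.16.0.0/24, as the posted listings show.  An IPv4
    # address is never inside an IPv6 network (ipaddress returns False for that).
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", "all") and rule.proto != pkt.proto:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics: the lowest-numbered matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def kill_switch_audit(rules: List[Rule]) -> dict:
    """Where did accounted traffic go?  On a working kill switch blocked traffic
    shows up on an explicit deny; packets counted on the default rule 65535
    walked the whole list without being denied.  Run `ipfw zero` before the
    test, as the post does, so the counters reflect only the test traffic."""
    denied = sum(r.pkts for r in rules if r.action == "deny")
    default = sum(r.pkts for r in rules if r.num == 65535)
    return {"denied": denied, "default_allowed": default, "leaking": default > 0}


# Sample input: the second post's `ipfw -a list` output, IPv6 rules omitted.
SECOND_POST_ALIST = """\
00001   600   166536 allow ip from any to any via lo0
00010     8     1273 allow ip from any to any via tun0
00100     0        0 allow ip from any to any via lo0
00101     0        0 allow ip from 172.16.0.0/24 to 176.16.0.0/24 keep-state :default
00102   612   202068 allow ip from 172.16.0.0/24 to 172.16.0.0/24 keep-state :default
00105     9     1767 allow ip from 172.16.0.0/24 to 209.95.36.146 keep-state :default
00110   133    18465 deny ip from any to any
00200     0        0 deny ip from any to 127.0.0.0/8
00300     0        0 deny ip from 127.0.0.0/8 to any
65535 85691 24469402 allow ip from any to any
"""

if __name__ == "__main__":
    rules = parse_rules(SECOND_POST_ALIST)
    # VPN down: the ping leaves on epair0b and the catch-all deny (00110) stops it.
    print(first_match(rules, Packet("172.16.0.50", "216.58.195.78", "epair0b")).num)
    # VPN up: the same ping leaves on tun0 and the tunnel rule (00010) allows it.
    print(first_match(rules, Packet("10.8.1.5", "216.58.195.78", "tun0")).num)
    # The OpenVPN session itself goes out epair0b to the entry IP: rule 00105.
    print(first_match(rules, Packet("172.16.0.50", "209.95.36.146", "epair0b", "udp")).num)
    # LAN traffic skips 00101 (176.16.0.0/24 never matches) and lands on 00102.
    print(first_match(rules, Packet("172.16.0.50", "172.16.0.10", "epair0b")).num)
    print(kill_switch_audit(rules))
```

The same parser reads the first post's `ipfw list` output (no counters); fed a ping leaving on epair0b, it returns rule 00505 as the first match, which is what the post expected to see. The audit is the check to run after `ipfw zero` and a test ping: a non-zero packet count on 65535 means traffic reached the default accept without passing an explicit deny, whatever the rule list looks like on paper.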