Register for the iXsystems Community to get an ad-free experience and exclusive discounts in our eBay Store.

How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
I wanted to use Openvpn with my Transmission plugin but didn't want any of my other network traffic to go through the VPN. Additionally, I didn't want Transmission to access the internet except through the VPN. This "how-to" assumes you have a VPN service you're connecting to and have downloaded the config file, certs and user keys.

It was rather easy; here's how:

Once you've installed the Transmission plugin, have the jail running and storage attached, ssh into your jail
Code:
jls
to list the jails, then
Code:
jexec N tcsh
where "N" is equal to your jail number.

Now you'll need to add packages, I prefer to use bash rather than tcsh and nano over vi. Make sure to use not to use pkg_add
Code:
[root@transmission_1 /]# pkg install bash
[root@transmission_1 /]# pkg install nano
[root@transmission_1 /]# pkg install openvpn


Next time you enter the jail you can use:
Code:
jexec N bash

For now we'll just drop into the bash shell
Code:
[root@transmission_1 /]# bash


Next we need to create the directory for the config file and certs and keys for Openvpn
Code:
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn
[root@transmission_1 /]# mkdir /usr/local/etc/openvpn/keys


Next you need to add the lines to the rc.conf so openvpn and ipfw starts when the jail starts. go to the /etc directory and fire up nano
Code:
[root@transmission_1 /]# cd /etc
 
[root@transmission_1 /etc]# nano rc.conf

Note: to save files in nano Ctrl+o will write the file and Ctrl+x will exit.

Once you've got the rc.conf file opened in nano add the following lines:


Code:
firewall_enable="YES"
 
firewall_type="/media/ipfw_rules"
 
openvpn_enable="YES"
 
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"


Note that "firewall_type=" tells ipfw where the rules are to be loaded so make sure change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this) make sure to name it openvpn.conf.
Code:
[root@transmission_1 /]# cp /media/VPNproviderfile.ovpn /usr/local/etc/openvpn/openvpn.conf

Double check the paths to the location of the keys and certs listed in the config file match where you will be placing them (/usr/local/etc/openvpn/keys).

Then copy over the certs and keys
Code:
[root@transmission_1 /]# cp /media/ca.crt /usr/local/etc/openvpn/keys/ca.crt
[root@transmission_1 /]# cp /media/user.crt /usr/local/etc/openvpn/keys/user.crt
[root@transmission_1 /]# cp /media/user.key /usr/local/etc/openvpn/keys/user.key
[root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key


Now let's fire it up and see if it works:
Code:
[root@transmission_1 /]# /usr/local/etc/rc.d/openvpn start

If it works you should see
Code:
Starting openvpn.
[root@transmission_1 /]#


Assuming that is all working now it's time to setup the the firewall to only allow connections to your VPN service. ipfw is already installed in the jail so the main trick is getting the IP addresses of your VPN service provider. I use AirVPN and when you generate the config file you can specify them to resolve the hosts and it will list all of the IP addresses. You will also need the IP addresses for your DNS servers. I use a combo of OpenDNS and the AirVPN DNS. I put the firewall rules in my attached storage so I can easily change them if needed. Note that my FreeNAS server and gateway are in the 192.168.0.0/16 range so you'll need to adjust the firewall rule reflect the IP addresses that you have established on your network.
Code:
[root@transmission_1 /etc]# cd /media
[root@transmission_1 /media]# nano ipfw_rules


The first set of rules allow access to the DNS servers
Code:
add 01000 allow log udp from 192.168.0.0/16 to 208.67.222.222 dst-port 53 keep-$
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
add 01004 allow log udp from 192.168.0.0/16 to 208.67.220.220 dst-port 53 keep-$


The next rule allows access on my local network to and from the jail:
Code:
add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state


The next set allow access to the ip addresses provided by your VPN service provider. You'll need to add as many as you are given:
Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state


Please note that each of the above lines end with "keep-state" but the forum website sometimes shortens them to "keep-$" (see MarchHare's post below).
And the last group allow access to local loop and deny everything else. the 10.0.0.0/8 is for AirVPN, you'll need to find out the ip range for your provider (I found this info in their forums)
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


All of these go into the ipfw_rules, I just broke them down to explain their function.

Now fire up ipfw
Code:
[root@transmission_1 /etc]# /etc/rc.d/ipfw start


Test by pinging www.google.com then stop your vpn
Code:
[root@transmission_1 /etc]# usr/local/etc/rc.d/openvpn stop


If it is setup correctly you will get the following with the vpn off:
Code:
[root@transmission_1 /etc]# ping www.google.com
PING www.google.com (74.125.225.82): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- www.google.com ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss
[root@transmission_1 /etc]#


The final test is to make sure your work survives a reboot, so turn the jail off from the Freenas GUI and start it up again. Then ssh back into your jail and verify openvpn is running and the firewall rules are loaded:
Code:
[root@transmission_1 /etc]# ipfw list


Thanks to all of the folks who have posted on the AirVPN and Freenas forums, I just pulled all of the info together.

Cheers
 

dkran

Member
Joined
Feb 21, 2014
Messages
35
root@transmission_1:/ # pkg install bash
Updating repository catalogue
root@transmission_1:/ # pkg install nano
Updating repository catalogue
root@transmission_1:/ # pkg install openvpn
Updating repository catalogue
root@transmission_1:/ # bash
bash: Command not found.

root@transmission_1:/ #

I'm probably just a newbie, but what is my issue here? looks like pkg doesn't work well in my jail. 9.2.1.
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
Hmm, for some reason /usr/local/bin is in my jails path statement so I don't have to use the full path.

Try
Code:
 # jexec N /usr/local/bin/bash

With "N" being the jail number
 

dkran

Member
Joined
Feb 21, 2014
Messages
35
still doesn't work. Looks like pkg install doesn't work at all in my jail. I've instead used ports and it worked successfully. Thanks for the guide, this is pretty much what I wanted to do!
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
still doesn't work. Looks like pkg install doesn't work at all in my jail. I've instead used ports and it worked successfully. Thanks for the guide, this is pretty much what I wanted to do!
Out of curiosity which version of Freenas are you running? This guide was done with 9.2.0-RELEASE-x64.
 

dkran

Member
Joined
Feb 21, 2014
Messages
35
9.2.1 release x64 I believe. The 9.2.1 listed on the site.

EDIT: my other plugin jail, plex, also does this.
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Yes, and that is why 9.2.1.1 exists. It fixes a few nasty nasty bugs, including this one.
 

dkran

Member
Joined
Feb 21, 2014
Messages
35
Yes, and that is why 9.2.1.1 exists. It fixes a few nasty nasty bugs, including this one.
As a newbie to this distro (and bsd, at least in my recent years. maybe 5 years ago I messed around), I didn't expect an actual bug to be in my way, more user error ;) Thanks so much though it would've been the last spot I looked.

jerrybme, my openvpn works great in the jail!

On a side note, if I wanted to do all internet traffic through openvpn, can I just run the service outside of the jail, or do I have to install the kernel ipfw support?
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
On a side note, if I wanted to do all internet traffic through openvpn, can I just run the service outside of the jail, or do I have to install the kernel ipfw support?
No, ipfw should already be installed, you will however need to make your file system writable to edit rc.conf if you want ipfw to load rules on boot.
 

fullmetaljester

Junior Member
Joined
Dec 24, 2013
Messages
15
thank you so much for this, i'm still very new to BSD and this is exactly what i needed!
 

MarchHare

Junior Member
Joined
Oct 14, 2013
Messages
12
I followed this guide. Few things:

1. You can just use the openvpn.conf if it includes the certs and keys.
2. You can edit /etc/rc.conf for the location of your ipfw_rules.
3. I think keep-$ should read keep-state? Otherwise it throws up errors.
4. You can use service ipfw start instead of /etc/rc.d/ipfw start
5. Lastly mine loads the rules but does not work.

Any advice? Also I am using airvpn. Is this using port 53?
 

MarchHare

Junior Member
Joined
Oct 14, 2013
Messages
12
I got it to block when i comment out
  1. add 04000 allow ip from 127.0.0.1 to any
  2. add 05000 allow ip from 10.0.0.0/8 to any
  3. add 05002 allow ip from any to 10.0.0.0/8
But now it also blocks after I start openvpn as well. My gateway is 10.0.1.1 does that change things?
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
I followed this guide. Few things:

1. You can just use the openvpn.conf if it includes the certs and keys.
2. You can edit /etc/rc.conf for the location of your ipfw_rules.
3. I think keep-$ should read keep-state? Otherwise it throws up errors.
4. You can use service ipfw start instead of /etc/rc.d/ipfw start
5. Lastly mine loads the rules but does not work.

Any advice? Also I am using airvpn. Is this using port 53?

MarchHare:
1. Good to know about the openvpn.conf file.
2. Yes, that is mentioned in my post on the edits to the rc.conf, I just didn't explain what the entry did
Code:
firewall_type="/media/ipfw_rules"

3. Yes, the line should end with keep-state. The line I had copied over was long enough that depending on how or which browser you use renders this page, it may shorten the line with the "$" showing there is more text.
4. Good point, that's the beauty of linux, there are many ways to accomplish the same outcome.
5. I'll comment on your rules in the next post, but port 53 is used to communicate with the DNS servers.

I've updated the how-to, thanks for your feedback.
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
I got it to block when i comment out
  1. add 04000 allow ip from 127.0.0.1 to any
  2. add 05000 allow ip from 10.0.0.0/8 to any
  3. add 05002 allow ip from any to 10.0.0.0/8
But now it also blocks after I start openvpn as well. My gateway is 10.0.1.1 does that change things?
The lines:
Code:
 add 05000 all ip from 10.0.0.0/8
add 05002 allow ip from any to 10.0.0.0/8

are to allow communication to AirVPN's servers, but your gateway is in the same CIDR notation range so if you remove those lines your jail can't communicate with your gateway and AirVPN's so it makes sense VPN wouldn't work.

It would be easier to help you if you post all of your rules (but remove the actual IP addresses of the AirVPN servers as they don't need those advertised).
 

bendinwire

Junior Member
Joined
Feb 8, 2014
Messages
12
Mine is failing when trying to start it :
Code:
root@sabnzbd_1:/etc # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


when I tail the log I get
Code:
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: --ca fails with 'ca.crt': No such file or directory
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: Please correct these errors.
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Use --help for more information.
Mar  5 23:18:39 sabnzbd_1 tornado: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


I have the ca.crt file in /usr/local/etc/openvpn/keys. Any thoughts on why I'd get this? Thanks in advance.
 

jerrybme

Member
Joined
Sep 28, 2011
Messages
40
Mine is failing when trying to start it :
Code:
root@sabnzbd_1:/etc # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


when I tail the log I get
Code:
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: --ca fails with 'ca.crt': No such file or directory
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: Please correct these errors.
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Use --help for more information.
Mar  5 23:18:39 sabnzbd_1 tornado: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


I have the ca.crt file in /usr/local/etc/openvpn/keys. Any thoughts on why I'd get this? Thanks in advance.
I would double check the file name and also check the permissions. Also double check the path to the openvpn.conf set in the rc.config to make sure there aren't typos there either.
 

trnelson

Junior Member
Joined
Nov 7, 2013
Messages
16
Mine is failing when trying to start it :
Code:
root@sabnzbd_1:/etc # /usr/local/etc/rc.d/openvpn start
Starting openvpn.
/usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


when I tail the log I get
Code:
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: --ca fails with 'ca.crt': No such file or directory
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Options error: Please correct these errors.
Mar  5 23:18:39 sabnzbd_1 openvpn[19748]: Use --help for more information.
Mar  5 23:18:39 sabnzbd_1 tornado: /usr/local/etc/rc.d/openvpn: WARNING: failed to start openvpn


I have the ca.crt file in /usr/local/etc/openvpn/keys. Any thoughts on why I'd get this? Thanks in advance.
Agree with jerrybme. There were some mistakes in the original post specifically related to paths. Double check all of those to make sure the paths are correct. I had the exact same issues but was able to get through them by checking this.
 

trnelson

Junior Member
Joined
Nov 7, 2013
Messages
16
trnelson: Can you point out the errors so I can fix them?
Thanks!

Actually, looking back over this, I think I was wrong! Your post had less mistakes than I remember (I sort of stumbled through this process since I'm not a BSD/Linux guy). The keep-state issue was definitely one that threw me, and I believe the other was the path to the CA file in the openvpn which wasn't something in the post anyway. Thanks for a great writeup!

One last question, my private VPN provider doesn't publish IP addresses due to increased blocking, so I don't necessarily know exactly how to whitelist traffic to their IPs. Any thoughts on this?
 
Status
Not open for further replies.
Top