How to use Openvpn & ipfw in a jail so it only connects to the VPN

bendinwire · Mar 20, 2014

Finally spent some time doing your steps and it worked out swimmingly. I have left ipfw off as it is beyond my pay grade to figure out the IP range. If someone figures it out let me know. Thanks again Zettadox.

Code:

tornado@sabnzbd_1:~$ wget http://ipecho.net/plain -O - -q ; echo
37.130.2XX.XX

bendinwire · Mar 20, 2014

I was trying to confirm that it was still running and I ran a

Code:

service openvpn status
Will not 'status' openvpn because openvpn_enable is NO.

So I went and confirmed that it is in /etc/rc.conf:

Code:

openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
openvpn_if="tun"

Can anyone shed light on why I can't seem to get the status? The wget still shows the IP as being from UK, but I wanted to confirm it with the status.

qwerion · Apr 27, 2014

For those of us with PIA and wanting to setup an ipfw killswitch, there's two things to make it happen. Spent ~5 hours this afternoon sorting through this.

PIA only gives the hostname of their servers. To get some ip addresses of the connection servers to be able to put them into ipfw, use the dig or nslookup command, eg/
Code:
```
[root@transmission_1 /]# dig <insert server>.privateinternetaccess.com
```
This doesn't appear to give all ips (I only get 4, and they change from time to time), but OpenVPN will try again until it can get one that your firewall rules allow it to connect to. Start-up will be notably delayed due to this though.

EDIT: Something additional you can do to grab more addresses is to search the log for denied connections:
Code:
```
[root@transmission_1 /]# cat /var/log/messages | grep -B 1 "write UDPv4: Permission denied (code=13)"
Apr 27 17:04:44 transmission_1 openvpn[92128]: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Apr 27 17:04:44 transmission_1 openvpn[92128]: write UDPv4: Permission denied (code=13)
```
To setup ipfw rules correctly, we need 2 entries instead of the 1 entry in jerrybme's OP. I believe this is due to the password authentication needing a response from the server.
Code:
```
add 02001 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx
add 02002 allow ip from xxx.xxx.xxx.xxx  to 192.168.0.0/16
```

marcFL · Apr 30, 2014

Great article - really helped me out!

For anyone using PIA VPN - the following ipfw rules worked for me (I'm connecting to the Florida server - so those will be different).

add 01000 allow log udp from 192.168.1.0/24 to 192.168.1.1 dst-port 53 keep-state
add 01002 allow log udp from 192.168.1.0/24 to 8.8.8.8 dst-port 53 keep-state
add 01004 allow log udp from 192.168.1.0/24 to 8.8.4.4 dst-port 53 keep-state
add 01006 allow ip from 192.168.1.0/24 to 192.168.1.0/24 keep-state
add 02001 allow ip from 192.168.1.0/24 to 198.178.124.69 keep-state
add 02002 allow ip from 198.178.124.69 to 192.168.1.0/24 keep-state
add 02003 allow ip from 192.168.1.0/24 to 96.31.87.158 keep-state
add 02004 allow ip from 96.31.87.158 to 192.168.1.0/24 keep-state
add 02005 allow ip from 192.168.1.0/24 to 198.178.120.118 keep-state
add 02006 allow ip from 198.178.120.118 to 192.168.1.0/24 keep-state
add 02007 allow ip from 192.168.1.0/24 to 198.178.127.20 keep-state
add 02008 allow ip from 198.178.127.20 to 192.168.1.0/24 keep-state
add 02009 allow ip from 192.168.1.0/24 to 199.193.119.20 keep-state
add 02010 allow ip from 199.193.119.20 to 192.168.1.0/24 keep-state
add 02011 allow ip from 192.168.1.0/24 to 199.193.117.47 keep-state
add 02012 allow ip from 199.193.117.47 to 192.168.1.0/24 keep-state
add 02013 allow ip from 192.168.1.0/24 to 68.233.228.140 keep-state
add 02014 allow ip from 68.223.228.140 to 192.168.1.0/24 keep-state
add 02015 allow ip from 192.168.1.0/24 to 198.178.127.23 keep-state
add 02008 allow ip from 198.178.127.23 to 192.168.1.0/24 keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/7 to any
add 05002 allow ip from any to 10.0.0.0/7
add 65534 deny ip from any to any

Also - since PIA uses username & password I installed OpenVPN by this method. SSH into the jail:

# portsnap fetch
# portsnap extract
# cd /usr/ports/security/openvpn
# make install clean

After the last command has run for a while a blue screen will flash up, where you can select to build so that you can specify the username / password in a file.

After this is done, you can proceed with the steps outlined in this thread. However, there will be no user key files - PIA uses username / password auth. Create a text password file with 2 lines, the first contains your PIA VPN username, and the second line contains your password. Save the file with a name of your choosing, and then open up your ovpn file, and change this line from:

auth-user-pass

to:

auth-user-pass pass.txt

where "pass.txt" is the name of the password file you created.

Also - upload all your files (ovpn file - renamed as stated in the original instuctions, ca.crt and pass.txt) to the openvpn folder, NOT openvpn/keys. The PIA config doesn't look there.

I ended up installing Transmission & SABnzbd in the same jail. Installed SABnzbd via the regular plugin method, and then downloaded Transmission via this link (http://www.appcafe.org/freenas), selected the SABnzbd jail in the Web ui, and then clicked the "Upload" button and uploaded the Transmission plugin into the same jail. Both will then use the same VPN connection. Works like a charm! SABnzbd complained about folder permissions for download folders, but a quick chown sorted that out.

Hope this helps someone!

Prasanth · May 13, 2014

Scott Torrance said:
Thanks for this post and all the great comments!
I have openVPN up and running on FreeNAS 9.2.1.2.
However, ipfw is giving me problems. When I have ipfw started, I can not access my Transmission IP address.
I created rules based on those found in this post. When I start ipfw, I can ping google.com and my openvpn provider. When openVPN is stopped, I get permission errors, as expected.

My rules follow.

Code:
add 01000 allow log udp from 192.168.1.0/24 to 208.67.222.222 dst-port 53 keep-state add 01002 allow log udp from 192.168.1.0/24 to 10.4.0.1 dst-port 53 keep-state add 01004 allow log udp from 192.168.1.0/24 to 208.67.220.220 dst-port 53 keep-state add 01006 allow ip from 192.168.1.0/24 to 196.168.1.0/24 keep-state add 02000 allow ip from 192.168.1.0/24 to xxx.xxx.xxx.xxx keep-state add 04000 allow ip from 127.0.0.1 to any add 05000 allow ip from 10.8.0.0/24 to any add 05002 allow ip from any to 10.8.0.0/24 add 65534 deny ip from any to any

I'm sure it's something simple, but I've been working on this for a while and need a second pair of eyes.

I have the exact same issue. With ipfw on i can ping google, but can't access transmission web page from local devices. The following are my rules(I'm also using airvpn

Code:

add 01000 allow log udp from 192.168.2.0/24 to 192.168.2.1 dst-port 53 keep-state
add 01002 allow log udp from 192.168.2.0/24 to 8.8.8.8 dst-port 53 keep-state
add 01004 allow log udp from 192.168.2.0/24 to 8.8.4.4 dst-port 53 keep-state
add 01006 allow ip from 192.168.2.0/24 to 196.168.2.0/24 keep-state
add 02000 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02002 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02004 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02008 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02012 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02016 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02020 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02024 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02028 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02032 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02036 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02040 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 02044 allow ip from 192.168.2.0/24 to XXX.XXX.XXX.XXX keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any

I'm not seeing the mistake I'm making. Thanks for the help

jerrybme · May 14, 2014

@Prasanth: What is your IP range for your local network?

Sent from a internet connected device

Prasanth · May 14, 2014

It's 192.168.2.1(router) to 192.168.2.254

marian78 · May 14, 2014

Hi,

is there any solution to modify this tutorial to access local LAN from internet with openvpn (freenas jail will be used as openvpn server for incoming vpn connection from internet to local lan computers or other jails)?

openvpn client --> internet --> router (NAT/port forward to freenas jail with openvpn server) --> LAN --> freenas jail with openvpn server --> other jails on freens or lan computers

Thx,

Marian.

sandvaer · May 27, 2014

I tried to use this but everything gets blocked, i can't ping www.google.com
I use VPN from IPredator.se

First IP address: 46.246.32.0
Last IP address: 46.246.63.255
Net mask: 255.255.224.0

DNS

IP: 194.132.32.32
IP: 46.246.46.246

My network IP is 192.168.1.1 to 192.168.1.254.
Is there anyone who know what I'm doing wrong and can help me set the rules correctly?

I put my rules (ipfw.conf) as this:

add 01000 allow log udp from 192.168.0.0/16 to 46.246.46.46 dst-port 53 keep-state
add 01002 allow log udp from 192.168.0.0/16 to 194.132.32.23 dst-port 53 keep-state

add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state

add 02000 allow ip from 192.168.0.0/16 to 46.246.37.130/32 keep-state
add 02004 allow ip from 192.168.0.0/16 to 46.246.41.130/32 keep-state
add 02008 allow ip from 192.168.0.0/16 to 46.24.43.130/32 keep-state
add 02012 allow ip from 192.168.0.0/16 to 46.246.47.52/19 keep-state
add 02014 allow ip from 192.168.0.0/16 to 46.246.47.0/24 keep-state
add 02016 allow ip from 192.168.0.0/16 to 46.246.47.2/32 keep-state
add 02018 allow ip from 192.168.0.0/16 to 46.246.47.52 keep-state
add 02022 allow ip from 192.168.0.0/16 to 46.246.47.1 keep-state
add 02024 allow ip from 192.168.0.0/16 to 46.246.47.87/19 keep-state

add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 0.0.0.0/1 to any
add 05002 allow ip from any to 0.0.0.0/1
add 65534 deny ip from any to any

jerrybme · May 29, 2014

@sandvaer, it looks like you are using the wrong IP range for your internal network try changing 192.168.0.0/16 to 192.168.1.0/16

Sent from my iPhone using Tapatalk

Chris Dill · May 29, 2014

I tried this setup using privateinternetaccess.com as a VPN and could not get it to work, so I cancelled my account and created an AirVPN account :)
I do not know if this is already mentioned, but the code you posted might be missing a line:

I believe it also needs to include:

Code:

[root@transmission_1 /]# cp /media/ta.key /usr/local/etc/openvpn/keys/ta.key

Also, I was getting failure messages when starting the VPN. When I looked at the logs with nano /var/logs/messages I saw that the openvpn.conf was unable to find my key files.

So I went in and edited the openvpn.conf and changed the key file locates to the full paths of: "/usr/local/etc/openvpn/keys/user.key" instead of just "user.key"

Also, according to the AirVPN forums (https://airvpn.org/topic/1483-actual-ip-address-ranges/) the firewall rules might use 10.4.0.0/16 instead of 10.0.0.0/8

After that everything started working great.

jerrybme · May 29, 2014

Chris,
Good point, I'll update the first post. AirVPN changed their authentication method after the Heartbleed Open SSL bug was announced and my How-To was based on their pre-Heartbleed methodology.
Jerry

Chris Dill · Jun 16, 2014

Need a little bit of help on this if anyone is able to provide it. Alright, go everything working well following the guide nearly to the letter. Only thing I did different was add some extra firewall rules. When I start the Jail with VIMAGE on, the tun0 lights up and connects. But the Transmission plugin fails to start at all. Here are the error messages when this happens:

Jun 16 16:06:05 freenas manage.py: [freeadmin.navtree:526] Couldn't retrieve http://192.168.2.28:8880/plugins/transmission/3/_s/treemenu: HTTP Error 502: Bad Gateway
Jun 16 16:12:26 freenas manage.py: [plugins.utils:92] Couldn't retrieve http://192.168.2.28:8880/plugins/transmission/3/_s/status: HTTP Error 502: Bad Gateway
When I ping my home LAN default gateway from inside the jail it cannot ping.

If I DISABLE vimage, then transmission starts correctly, but the tunnel does not start. If you manually start it it connects and then drops right away. I have tried to setup the jail with vimage on and default gateway configured, and it does not work. I have checked networking, and everything else works- I can reach the jail from the outisde, I can ping across my VPN and DL content. I do get error messages from the jail about mounting my NAS- it says that the directories are bad host names and cannot resolve the IP address.

So no matter what I do, I cannot ping FreeNAS resources on my LAN. I cannot start the transmission plugin with vimage on, and I cannot start the tunnel with vimage off. I disabled my deny rule and still cannot reach FreeNAS resources my LAN. Here is my firewall in its current state:

Code:

#Google Public DNS
add 01000 allow log udp from 192.168.0.0/16 to 8.8.8.8 dst-port 53 keep-state
add 01001 allow log udp from 192.168.0.0/16 to 8.8.4.4 dst-port 53 keep-state
#AirVPN DNS 443
add 01002 allow log udp from 192.168.0.0/16 to 10.4.0.1 dst-port 53 keep-state
#AirVPN DNS 53
add 01003 allow log udp from 192.168.0.0/16 to 10.8.0.1 dst-port 53 keep-state
add 01004 allow log tcp from 192.168.0.0/16 to 10.9.0.1 dst-port 53 keep-state
#Local Network Traffic
add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state
add 01007 allow ip from 192.168.2.12 to any
#Allow ICMP
add 01010 allow icmp from any to any out
#Allow TO VPN IP
add 02000 allow ip from 192.168.0.0/16 to 192.96.200.18 keep-state
#Allow Loopback
add 04000 allow ip from 127.0.0.1 to any
#Allow VPN In
add 05000 allow ip from 10.0.0.0/8 to any
#Allow Remote Mgmt In
add 05001 allow ip from any to 192.168.0.0/16 dst-port 9091 keep-state
#Allow Out to VPN
add 05002 allow ip from any to 10.0.0.0/8
#Deny All Else
#add 65534 deny ip from any to any

FreeNAS IP: 192.168.2.28
Jail IP: 192.168.2.12
GW: 192.168.2.1
Local DNS: 192.168.2.254

It seems to me that cutting off communication between the jail and my LAN is blocking communication between Transmission and the FreeNAS Gui as well. I CAN ping 192.168.2.254 or other PC's on my network, but I cannot hit the NAS or default GW.

Lastly, I can reach Transmission GUI- the plugin is up and working, but the FreeNAS GUI says it is off and is spitting out 504 errors frequently.

Thanks in advance for any help!

Ryan Beall · Jul 8, 2014

I had to updgrade openvpn and now I'm having VPN connection issues. If I use my original script which has tls-remote I get: http://pastebin.com/0ZfjYenf

If I turn tls-remote off I get: http://pastebin.com/6PKFJuXh

I'v messed around with giving the direct address to the .crt
The opvn file that I got from vyprvpn has the cert attached in txt format at the bottom of the file so I'm not exactly sure what's going on.

I think downgrading to the older version of openvpn might solve the problem but I don't know how to do that? Any thoughts?

Update: I figured this all out. My VPN service provider hadn't updated their TLS setting syntax in the conf file. Fixed that for the new version of openvpn and solved half of my problem. The other was completely un-related. They gave me the wrong server lists which I didn't have an account for. So I'm back in the game.

spili · Jul 12, 2014

Hi all

Just started with Freenas; managed to get the server running and then found this thing to do...

So first of all, a big thank you to jerrybme for the guide, and Zettadox for fixing my problem with the password... plus the rest of the contributors...

I have a quick question regarding the firewall; I chatted with the customer service of my VPN provider (Torguard) regarding this topic, and they told me that i dont need to set the ip range in the firewall; I couldnt find their IP Range anywhere on their website or internet...
So, if I dont include this part in my firewall, what will happen if the connection to the server fails? will openVPN try to connect to one of the other servers that are set in the openvpn.conf or drop the VPN and go through the normal non-protected internet? just double checking if my toughts are correct...

Cheers

Y

Ryan Beall · Jul 12, 2014

Yeah, that's basically correct. I skipped the firewall part because I couldn't get it to work either. I have the ipchecker.tor so I just manually make sure I'm good. I'm not the best at all of this stuff so I was just trying to get something to work at all and I at least got it to switch my ip to the vpn. I have to restart transmission in order for it to switch however but then it's good. I asked my vpn provider to give me the ip list as well and they were as reluctant to give it out as yours. I guess you could just start writing them down as you connect every time. You are bound to get most of them I imagine.

alifeinhifi · Jul 28, 2014

Thank you for this post - this is exactly what this noob was looking for.

Forum@G · Aug 7, 2014

Hi and Thanks for the guide, i almost reached 100%. :)
I have strange behavior, no problems with the ipfw and the openvpn also works. Except when the openvpn is active i'am having conection problems to transmission web page.
I use proxpn as my vpn provider!
Any suggestions?

Best regards Forum@g

quantumnerd · Aug 25, 2014

I can understand the need to communicate with computers on the same network, the local loop, and the VPN servers, but why are DNS requests being allowed through? Wouldn't that constitute a DNS leak? Aren't DNS requests supposed to go through the VPN?

Prasanth · Aug 25, 2014

Prasanth said:

I did make the address changes for airvpn as recommended http://forums.freenas.org/index.php...-connects-to-the-vpn.18669/page-3#post-123168

Still having this issue. Transmission runs fine when openVPN and ipfw are off. as soon as I start openvpn I am unable to load transmission page on the local network. Not sure what is going on here.

Another interesting thing. when I start openvpn and ping google it works. then start ipfw and pinging google continues to work. Then I shut off openvpn and i get permission denied as I wanted. Finally I turn back on openvpn and it still gives me permission denied error. Only after i do a ipfw start does it successfully ping google.

Any help is greatly appreciated

Important Announcement for The TrueNAS Community.

How to use Openvpn & ipfw in a jail so it only connects to the VPN

Dabbler

Dabbler

Dabbler

Cadet

Contributor

Dabbler

Contributor

Patron

Cadet

Dabbler

Contributor

Dabbler

Contributor

Dabbler

Cadet

Dabbler

Cadet

Cadet

Dabbler

Contributor

Similar threads