How to use Openvpn & ipfw in a jail so it only connects to the VPN

Joined
Mar 6, 2014
Messages
686
I only have a ca.crt file and tls.key file. And a username and password (not sure if I need those). How do I use these in this tutorial?

EDIT: I think I found the answer in here.
 

kyletak

Cadet
Joined
Jan 13, 2015
Messages
5
This post has been incredibly helpful and with a little tinkering I think I'm nearly there. I'm getting openvpn to start now, but it doesn't look as though I'm able to fully establish a tunnel unfortunately. Here is some sample output of what I'm seeing. It seems like I'm successfully connecting to PIA but I'm not authenticating correctly. I've tried numerous different passwords supplied by PIA, and installed it from a port to allow for password authentication. Does anyone by any chance know what I am overlooking here?

[image: jDPDf3M.png]
 
Joined
Mar 6, 2014
Messages
686
Removed.
(mistake)
 

gtp04

Dabbler
Joined
Jan 18, 2015
Messages
24
I'm having issues with my rules loading on boot in the jail. If I go in and do an ipfw list it only shows one rule:
65535 allow ip from any to any
It's my understanding this is loaded from the kernel. If I do a service ipfw start, all the rules load and everything is peachy?

Any help?
 
Joined
Mar 6, 2014
Messages
686
And the last group allows access to the local loop and denies everything else. The 10.0.0.0/8 is for AirVPN; you'll need to find out the IP range for your provider (I found this info in their forums).
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
Why do you need to provide that IP range, it's a "private" address range? What does that do / what am I missing here?

EDIT: I read this info, but still the pieces don't fall together :(
 

gtp04

Dabbler
Joined
Jan 18, 2015
Messages
24

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
Why do you need to provide that IP range, it's a "private" address range? What does that do / what am I missing here?

EDIT: I read this info, but still the pieces don't fall together :(
Hi Rilo

I'm no networking expert but this is how I understand it to work. When ipfw sees network traffic it will go through its rule list from top to bottom looking for a match to determine what action to take. If you don't include your local network in the rules, ipfw will match your local traffic to the final "catch all" rule, which is a deny action. Hope that helps.

Edit: spelling
 
Joined
Mar 6, 2014
Messages
686
So this network can easily be identified with ifconfig after connect? (disabling firewall at first connect)
 

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
Yes. Here's my network interfaces showing all three.

Code:
loopback (lo0): inet 127.0.0.1 netmask 0xff000000
jail (epair1b): inet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
vpn (tun0): inet 10.4.13.38 --> 10.4.13.37 netmask 0xffffffff
 
Joined
Mar 6, 2014
Messages
686
Yes. Here's my network interfaces showing all three.
Code:
loopback (lo0): inet 127.0.0.1 netmask 0xff000000
jail (epair1b): inet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
vpn (tun0): inet 10.4.13.38 --> 10.4.13.37 netmask 0xffffffff
Based on that, what would you put in line 2 and 3 then?
And the last group allows access to the local loop and denies everything else. The 10.0.0.0/8 is for AirVPN; you'll need to find out the IP range for your provider (I found this info in their forums).
Code:
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05002 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any
 
Joined
Mar 6, 2014
Messages
686

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
Would this be 10.4.13.37/32 (only allowing that specific IP address)?

Hi

As my VPN provider assigns me an ip address at random every time I make a new connection, that wouldn't work. For my VPN service, "10.4.0.0/16" would be best. However, I've left my setup as "10.0.0.0/8" for now.

10.4.0.0/16 covers the address range 10.4.0.0 - 10.4.255.255
10.0.0.0/8 covers the address range 10.0.0.0 - 10.255.255.255

Edit: Typo
 
Joined
Mar 6, 2014
Messages
686
So you mean it's trial and error basically...? Or I need to try and find out what IP range I should be using. Wouldn't it be possible to write some script to find the IP address assigned to you, write it to the firewall rules and (re)start the firewall or something like that? Maybe someone here already has done something similar?
 

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
So you mean it's trial and error basically...? Or I need to try and find out what IP range I should be using. Wouldn't it be possible to write some script to find the IP address assigned to you, write it to the firewall rules and (re)start the firewall or something like that? Maybe someone here already has done something similar?

Fancy scripting with FreeNAS is way beyond my experience. If your VPN provider will not give you the details, you can make a good guess but it may be overly broad. That doesn't really matter to me with my single purpose Jail. To me, the only thing using the private address range 10.0.0.0/8 is openVPN and that doesn't clash with my LAN on private range 192.168.0.0/16.

For a basic setup, check the output of ifconfig and depending on the results assign as

10.0.0.0 - 10.255.255.255 => 10.0.0.0/8 (It is very likely it will be this)
172.16.0.0 - 172.31.255.255 => 172.16.0.0/12
192.168.0.0 - 192.168.255.255 => 192.168.0.0/16

If it overlaps with your LAN, you'll probably need to dig deeper.
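As an added example (not from the thread or from any poster), here is a Python script of the kind Rilo asked about a few posts up: it reads ifconfig output, picks the address on tun0, maps it to the RFC 1918 block from BigJ's table (or a narrower /16 like the 10.4.0.0/16 BigJ mentioned), checks that the block does not overlap the jail's own LAN, and emits the two tunnel-range rules from the tutorial. The sample ifconfig text is constructed, modelled on BigJ's interface listing; the rule numbers 05000/05002 and the interface names tun0/epair1b come from the thread, and everything else (function names, the LAN overlap check) is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the three-interface listing posted in the
# thread and laid out the way FreeBSD ifconfig prints it. Not a real capture.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
epair1b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
\tinet 10.4.13.38 --> 10.4.13.37 netmask 0xffffffff
"""

# The three private ranges from BigJ's table (RFC 1918).
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def interface_addresses(ifconfig_text):
    """Map interface name -> IPv4Interface (address plus netmask) from ifconfig output."""
    result = {}
    current = None
    for line in ifconfig_text.splitlines():
        head = re.match(r"^(\S+): flags=", line)
        if head:
            current = head.group(1)
            continue
        # Point-to-point tunnels print "inet A --> B netmask 0x..."; the peer is ignored.
        inet = re.match(r"^\s+inet (\d+\.\d+\.\d+\.\d+)(?: --> \S+)? netmask (0x[0-9a-fA-F]+)", line)
        if inet and current:
            mask = ipaddress.ip_address(int(inet.group(2), 16))  # hex mask -> dotted mask
            result[current] = ipaddress.ip_interface(f"{inet.group(1)}/{mask}")
    return result


def covering_private_block(addr):
    """Return the RFC 1918 block that contains addr, or None if addr is not private."""
    addr = ipaddress.ip_address(addr)
    for block in PRIVATE_BLOCKS:
        if addr in block:
            return block
    return None


def narrower_block(addr, prefixlen):
    """A tighter block around addr, e.g. 10.4.13.38 with prefixlen 16 -> 10.4.0.0/16."""
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def vpn_rules(vpn_block, lan_network):
    """The two 'allow tunnel range' rules from the tutorial, for the chosen block.

    Refuses when the block overlaps the LAN: that is the case BigJ says needs more digging,
    because the rules would then also allow plain LAN traffic past the firewall.
    """
    vpn_block = ipaddress.ip_network(vpn_block, strict=False)
    lan_network = ipaddress.ip_network(lan_network, strict=False)
    if vpn_block.overlaps(lan_network):
        raise ValueError(f"{vpn_block} overlaps LAN {lan_network}; choose a narrower block")
    return [
        f"add 05000 allow ip from {vpn_block} to any",
        f"add 05002 allow ip from any to {vpn_block}",
    ]


def rules_from_ifconfig(ifconfig_text, tun="tun0", lan="epair1b", prefixlen=None):
    """End-to-end: ifconfig text -> rule lines. prefixlen=None uses the RFC 1918 block."""
    ifaces = interface_addresses(ifconfig_text)
    tun_addr = ifaces[tun].ip
    lan_net = ifaces[lan].network
    block = narrower_block(tun_addr, prefixlen) if prefixlen else covering_private_block(tun_addr)
    if block is None:
        raise ValueError(f"{tun_addr} on {tun} is not in a private range")
    return vpn_rules(block, lan_net)


if __name__ == "__main__":
    for line in rules_from_ifconfig(SAMPLE_IFCONFIG):
        print(line)
    for line in rules_from_ifconfig(SAMPLE_IFCONFIG, prefixlen=16):
        print(line)
```

On a real jail the text would come from running ifconfig rather than the constructed sample, and the printed lines would replace the 05000/05002 entries in the rules file before restarting ipfw.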
 

BigJ

Dabbler
Joined
Nov 20, 2014
Messages
28
Hi Rilo

It's possible that we are talking about different aspects of VPN now. The addresses I've been discussing are the private addresses assigned to your tun0 network interface by your VPN provider, NOT the internet IP addresses of your provider's VPN servers. I apologise if I have caused any confusion.

What you're probably more interested in, I think, is jerrybme's rules

Code:
add 02000 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02008 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02012 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02014 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02016 allow ip from 192.168.0.0/16 to xxx.xxx.xxx.xxx keep-state


Anything that is not in the private address ranges should be as tightly controlled as need and convenience allow. How you go about finding these, I don't know.
 
Joined
Mar 6, 2014
Messages
686
No, we are talking about the same thing. My own private network is in the 192.168.2.0/24 range, the tun0 is in the 10.xx.xx.xx/xx range
 
Joined
Mar 6, 2014
Messages
686
I can successfully ping google with the vpn on, but I can also ping google with the vpn off. I have set everything up as described but this is a BIG problem for me.

Here are my firewall rules.

Code:
root@transmission_1:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any


Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How to get rid of this line?

Here is a cat from the file /media/ipfw_rules

Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05003 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


If anyone has any suggestions I would appreciate it.

EDIT: After doing some research: if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?


Well since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out
I know this is an old comment, but I want to get this right. I don't think the last comment here is correct.
Well since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out
Read this:
When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as “first match wins”.
Since your rules are:
65534 deny ip from any to any
65535 allow ip from any to any
Nothing that does not match any of the rules before would pass the firewall, since the deny rule comes first.
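An added example, not from the thread or any poster: a small Python evaluator that implements the "first match wins" search described in the quoted documentation and in BigJ's earlier explanation of the catch-all deny rule. It is run over the ipfw list output posted earlier in this thread (trimmed of its IPv6 lines for brevity; the xxx.xxx.xxx.xxx placeholders are skipped by the parser, as they are not real addresses). The evaluator only understands the keywords that appear in that listing (allow/deny, log, protocol, from/to, dst-port, via) and ignores keep-state; packet addresses used in the checks are constructed, and the function and field names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# The jail ruleset from the ipfw list output posted in this thread, with the IPv6
# lines trimmed. 65535 is the rule the kernel adds when built with
# IPFIREWALL_DEFAULT_TO_ACCEPT. The xxx.xxx.xxx.xxx entry is the thread's placeholder.
THREAD_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any
"""

# Same ruleset with the explicit catch-all deny removed, to show what 65535 then does.
RULESET_WITHOUT_65534 = "\n".join(
    line for line in THREAD_RULESET.splitlines() if not line.startswith("65534"))


@dataclass
class Rule:
    number: int
    action: str                              # "allow" or "deny"
    proto: str                               # "ip" matches every protocol
    src: Optional[ipaddress.IPv4Network]     # None means "any"
    dst: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]
    via: Optional[str]                       # interface name from "via <if>", if present


RULE_RE = re.compile(
    r"^(?:add\s+)?(\d+)\s+(allow|deny)\s+(?:log\s+)?(\S+)\s+from\s+(\S+)\s+to\s+(\S+)(.*)$")


def _ipv4_net(token):
    """'any' -> None; a host or CIDR -> IPv4Network; anything else raises ValueError."""
    if token == "any":
        return None
    net = ipaddress.ip_network(token, strict=False)   # raises on xxx.xxx.xxx.xxx
    if net.version != 4:
        raise ValueError("IPv6 rules are out of scope for this toy evaluator")
    return net


def parse_ruleset(text):
    """Parse ipfw list / rules-file lines into Rule objects, in rule-number order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num, action, proto, src, dst, rest = m.groups()
        try:
            src_net, dst_net = _ipv4_net(src), _ipv4_net(dst)
        except ValueError:
            continue                       # IPv6 or placeholder address: skip the rule
        port = re.search(r"\bdst-port\s+(\d+)", rest)
        via = re.search(r"\bvia\s+(\S+)", rest)
        rules.append(Rule(int(num), action, proto, src_net, dst_net,
                          int(port.group(1)) if port else None,
                          via.group(1) if via else None))
    rules.sort(key=lambda r: r.number)     # stable sort: equal numbers keep listing order
    return rules


def first_match(rules, src, dst, proto="ip", dst_port=None, iface="epair1b"):
    """Walk the list top to bottom; the first rule whose selectors all match decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if r.src is not None and s not in r.src:
            continue
        if r.dst is not None and d not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.via is not None and r.via != iface:
            continue
        return r
    return None


def verdict(ruleset_text, src, dst, **packet):
    """Return (rule number, action) for a constructed packet, e.g. (65534, 'deny')."""
    r = first_match(parse_ruleset(ruleset_text), src, dst, **packet)
    return (r.number, r.action) if r else (None, "no match")


if __name__ == "__main__":
    # Jail address 192.168.1.41 talking to a public host (198.51.100.10 is a
    # documentation address): stops at 65534 deny, never reaching 65535.
    print(verdict(THREAD_RULESET, "192.168.1.41", "198.51.100.10"))
    print(verdict(RULESET_WITHOUT_65534, "192.168.1.41", "198.51.100.10"))
```

Running it shows the point made above: with the explicit 65534 deny in place a non-tunnel packet is denied there, and the kernel's 65535 allow is only ever reached when no earlier rule, including 65534, matches.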
 

mjk79

Explorer
Joined
Nov 4, 2014
Messages
67
Disregard, figured it out.
 
Joined
Mar 6, 2014
Messages
686
Another question: Transmission keeps telling me the port is closed. I forwarded the used port in my router to the IP of the jail. (The rules were already there; I just changed the IP from my desktop to the jail, so I am sure the forwarding in the router actually works, and yes, I use the same port in Transmission in the jail as I used to use in Transmission on the desktop.)

Maybe some setting I need to add in the firewall?
 