
OpenVPN client in jail, cannot connect to jail from different private subnet

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
I've got an .ovpn file from my VPN provider, and using openvpn-client and the provided .ovpn file I am able to connect to their VPN.

When connected I can access the jail from other computers or jails in the same subnet. However when I try to access the jail from a different private subnet I cannot connect. i.e.:
- jail with OpenVPN client at 10.0.0.80 can be accessed from another jail at 10.0.0.50
- jail with OpenVPN client at 10.0.0.80 cannot be accessed from computer 10.0.10.100

I'm pretty new to OpenVPN, is there a client config I can change in the .ovpn file? I don't have access to the OpenVPN server config.

ifconfig output from jail with OpenVPN client:
Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo
epair0b: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 02:ff:60:14:fa:0a
        hwaddr 02:29:d0:00:09:0b
        inet 10.0.0.80 netmask 0xffffff00 broadcast 10.0.0.255
        nd6 options=1<PERFORMNUD>
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
        status: active
        groups: epair
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.2.0.227 --> 10.2.0.1 netmask 0xffffff00
        nd6 options=1<PERFORMNUD>
        groups: tun
        Opened by PID 13511
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
The jail was set up with standard UI options a while ago; it has been used for Plex for a year plus. I have set `allow_tun` to true in the FreeNAS UI for the jail prior to setting up the openvpn-client.

When the openvpn-client is connected I cannot connect to Plex running on the same jail from a different subnet. If I move a laptop onto the same subnet as the jail I can connect to Plex just fine, and through the CLI inside the jail I can see that I am connected to the VPN with a different external IP.
 

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
This is a router issue, not FreeNas. Your network needs to be configured to do this.
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142
This is a router issue, not FreeNas. Your network needs to be configured to do this.

That's what it sounds like to me as well, if not that it's IPFW. How are you routing stuff to this other subnet? For example, I have a Cisco switch with routing and I made the Cisco IP the gateway to that subnet, so then I had to go into my Linksys router and add a rule for that subnet. I also have an OpenVPN server on my network, so I had to make a rule for that as well.

 

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
Pretty sure you have to set up a trunk, though I'm not 100% sure since I have not needed to do that.
 

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
I guess I should have specified, when the OpenVPN client is not connected in the jail, I can access that jail from other private subnets. i.e.:
- jail with OpenVPN client connected at 10.0.0.80 can be accessed from another jail at 10.0.0.50
- jail with OpenVPN client connected at 10.0.0.80 cannot be accessed from computer 10.0.10.100
- jail with OpenVPN client disconnected at 10.0.0.80 can be accessed from computer at 10.0.10.100
 

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
Well, a VPN is a tunnel, so you've effectively cut it off from the rest of your network. I suspect you need to run all clients through the VPN to do what you're attempting.
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142
Did you reboot after you enabled the TUN adapter, or has it been there a while? You can see some weird things if you enabled it and didn't do a full reboot of your FreeNAS. I mean, it doesn't sound like it, but it is worth a shot. Does your jail have the IP firewall installed, and if so, what rules are there?

For example, here are the firewall rules on my transmission box. I can access the web interface from any machine on my internal network because of the two transmission lines; you could do something similar for Plex. The last line and the cmd 0010 line force transmission to push all its traffic to the VPN; if the VPN isn't up it won't connect. Generally speaking I create a jail for every purpose, I don't put, say, plex and transmission in the same jail.

Code:
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun1

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun1"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 192.168.1.0/24 uid transmission
$cmd 00102 allow all from 192.168.1.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission
 

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
Well, a VPN is a tunnel, so you've effectively cut it off from the rest of your network. I suspect you need to run all clients through the VPN to do what you're attempting.
True, I get that part, though if it was completely cut off I shouldn't be able to connect from the same subnet while the VPN is connected, no?

Did you reboot after you enabled the TUN adapter, or has it been there a while? You can see some weird things if you enabled it and didn't do a full reboot of your FreeNAS. I mean, it doesn't sound like it, but it is worth a shot. Does your jail have the IP firewall installed, and if so, what rules are there?

No firewalls installed. I will try rebooting later today, but no, I hadn't rebooted the server yet. I'm trying to set up xTeve for Plex IPTV, connecting to the IPTV feeds over VPN. Perhaps if I did this in its own jail on the same subnet as Plex I wouldn't have an issue accessing Plex, since the VPN would be in the xTeve jail.
 

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
True, I get that part, though if it was completely cut off I shouldn't be able to connect from the same subnet while the VPN is connected, no?

Well yes, because you're putting yourself on that subnet to connect. So obviously you're on that network, but you wouldn't be able to connect to any other network in your LAN while connected through that subnet while the OpenVPN connection is established. The subnet that has the VPN connection will be isolated from the rest of your network, even though you can connect to it by joining that particular subnet.
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142
Well yes, because you're putting yourself on that subnet to connect. So obviously you're on that network, but you wouldn't be able to connect to any other network in your LAN while connected through that subnet while the OpenVPN connection is established. The subnet that has the VPN connection will be isolated from the rest of your network, even though you can connect to it by joining that particular subnet.

His ifconfig showed that the tunnel was using 10.2.0.227; for example, mine shows this. My internal is 192.168.1.28, tunnel is 10.5.10.6. I wouldn't be surprised, based on what you are saying, if it would start working after a reboot.

 

G8One2

Patron
Joined
Jan 2, 2017
Messages
242
I don't think VPNs work that way, but I'm no networking guru; my knowledge is limited. Hopefully you get this figured out so I learn something new.
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142
Sure, it can work that way; that's exactly what I am doing. My tun1 interface is connected to PIA for my VPN; transmission sits on an internal IP which I can access, and it also transfers files around internally for sonarr, radarr, lidarr, plex etc. That's all pfSense and others do as well. You are creating a point-to-point VPN, then routing the traffic from your internal network across the VPN to them. I don't do it for my full network, but could. For example, I have a pfSense VM, and all I have to do to get an internal machine to route across it is take my default gateway and change it from 192.168.1.1 to 192.168.1.3, and all of its external traffic goes encrypted across that VPN tunnel instead of unencrypted to my ISP.

I also have a jail that is the opposite: it's a VPN server. I use that to connect to my house when I am out traveling. I can connect into my network from both my phone and laptop and can restart jails, start my ESXi servers through their iDRACs etc. It is quite useful when I am not home, provided the VPN server jail itself isn't borked.
 

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
I rebooted the server last night and there was no change. drinking12many are you running all your jails and computers/servers on the same subnet?

OpenVPN is new to me, I use the VPN/Radius auth built into my gateway (UniFi) so I'm less familiar with OpenVPN config. Could there be an issue in the .ovpn file?
 

drinking12many

Contributor
Joined
Apr 8, 2012
Messages
142
Not everything on my network is on the same subnet, but my jails and FreeNAS are on the same subnet. Did you modify the openvpn file at all, or use it as is? There are lines in the openvpn config that usually affect routing, but that's usually when it's set up as a server; for just a client it shouldn't use those. For a basic client config it is generally a really short file. For example, this is mine for my transmission; the only thing I removed was all the certificate hashes.

Code:
client
dev tun
proto udp
remote us-east.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-nocache
auth-user-pass /usr/local/etc/openvpn/pass.txt
ca /usr/local/etc/openvpn/ca.crt
crl-verify /usr/local/etc/openvpn.crl.pem
disable-occ
compress
verb 1
reneg-sec 0
 

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
I guess I should have specified, when the OpenVPN client is not connected in the jail, I can access that jail from other private subnets. i.e.:
- jail with OpenVPN client connected at 10.0.0.80 can be accessed from another jail at 10.0.0.50
- jail with OpenVPN client connected at 10.0.0.80 cannot be accessed from computer 10.0.10.100
- jail with OpenVPN client disconnected at 10.0.0.80 can be accessed from computer at 10.0.10.100

I suspect that the computer at 10.0.10.100 can send packets to the jail when OpenVPN is connected. You could investigate this by using tcpdump on epair0b within the jail and watching for packets coming in from 10.0.10.100. If you see inbound packets but do not see outbound packets going back in response, then your problem is more than likely with routing. You should also examine the routing table within the jail while openvpn is up, running and connected. The solution, if this is the problem, is to add static routes within the jail.

Your problem sounds almost exactly the issue I experienced when running openvpn within a jail and trying to access said jail from the vpn running on my router. The solution was to add a static route in the jail so that the network stack knew which gateway to use for the VPN subnet on my router.

To inspect the routing table within the jail
Code:
netstat -nr

To run tcpdump within the jail looking for all packets to/from 10.0.10.100
Code:
tcpdump -i epair0b host 10.0.10.100

To add a static route within the jail
Code:
sysrc static_routes="vpn2"
sysrc route_vpn2="-net 192.168.2.0/24 192.168.1.1"


Note that the route name and IP address in the static route are based on mine. You will have to modify them based on your network configuration.
More details are at https://www.freebsd.org/doc/handbook/network-routing.html You don't want to turn the jail into a gateway so don't set gateway_enable="YES". Look at the examples just above 31.2.3.
 

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
To run tcpdump within the jail looking for all packets to/from 10.0.10.100
Code:
tcpdump -i epair0b host 10.0.10.100


Note that the route name and IP address in the static route are based on mine. You will have to modify them based on your network configuration.
More details are at https://www.freebsd.org/doc/handbook/network-routing.html You don't want to turn the jail into a gateway so don't set gateway_enable="YES". Look at the examples just above 31.2.3.

Wow I think you're right. With OpenVPN client running I can run tcpdump and still see incoming connections. I tried quickly adding static routes but it didn't work yet, but at least I think this is the right path.
 

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
That probably just means your static route isn't right yet. Tell us what your subnets and corresponding masks are and the gateway that knows how to route between them. Note that I fixed a typo in the static route example above. I hope that was not the cause of your subnet issue.
 

S1RC

Dabbler
Joined
Jul 28, 2016
Messages
28
Sorry for the delay in replying, my laptop died and I'm restoring it.

Here are my routing tables for the jail:
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.2.0.1           UGS        tun1
default            10.0.0.1           UGS     epair0b
10.0.0.0/24        link#2             U       epair0b
10.0.0.80          link#2             UHS         lo0
10.2.0.0/24        10.2.0.1           UGS        tun1
10.2.0.1           link#3             UH         tun1
10.2.0.104         link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        10.2.0.1           UGS        tun1
209.99.63.33/32    10.0.0.1           UGS     epair0b

Internet6:
Destination                       Gateway                       Flags     Netif Expire
::/96                             ::1                           UGRS        lo0
::1                               link#1                        UH          lo0
::ffff:0.0.0.0/96                 ::1                           UGRS        lo0
fe80::/10                         ::1                           UGRS        lo0
fe80::%lo0/64                     link#1                        U           lo0
fe80::1%lo0                       link#1                        UHS         lo0
ff02::/16                         ::1                           UGRS        lo0


The static route I added from /etc/rc.conf:
Code:
static_routes="office"
route_office="-net 10.0.100.0/24 10.0.0.1"
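As an added illustration (not code from any poster in this thread), the script below resolves destinations against the IPv4 routing table posted above using the same longest-prefix match the kernel applies. It shows why a reply to a same-subnet host leaves via epair0b while a reply to 10.0.10.100 falls to the pushed 0.0.0.0/1 and 128.0.0.0/1 tunnel routes, and which prefix a static route must actually contain to change that; the extra routes and their epair0b interface are assumptions for the demonstration.

```python
import ipaddress

# IPv4 part of the `netstat -nr` output posted in the thread, copied verbatim.
# Columns: Destination Gateway Flags Netif. Host entries without a mask are /32.
JAIL_ROUTES = """
0.0.0.0/1          10.2.0.1           UGS        tun1
default            10.0.0.1           UGS     epair0b
10.0.0.0/24        link#2             U       epair0b
10.0.0.80          link#2             UHS         lo0
10.2.0.0/24        10.2.0.1           UGS        tun1
10.2.0.1           link#3             UH         tun1
10.2.0.104         link#3             UHS         lo0
127.0.0.1          link#1             UH          lo0
128.0.0.0/1        10.2.0.1           UGS        tun1
209.99.63.33/32    10.0.0.1           UGS     epair0b
"""


def parse_routes(text):
    """Turn netstat -nr lines into a list of (network, gateway, netif)."""
    routes = []
    for line in text.strip().splitlines():
        dest, gw, _flags, netif = line.split()[:4]
        if dest == "default":
            dest = "0.0.0.0/0"
        routes.append((ipaddress.ip_network(dest, strict=False), gw, netif))
    return routes


def lookup(routes, host):
    """Longest-prefix match: the most specific route containing host wins."""
    addr = ipaddress.ip_address(host)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def reply_interface(routes, host):
    """Interface the jail would use for packets back to host (None if unroutable)."""
    match = lookup(routes, host)
    return match[2] if match else None


def with_static_route(routes, net, gw, netif):
    """Copy of the table with one extra route, as a static_routes entry would add."""
    return routes + [(ipaddress.ip_network(net, strict=False), gw, netif)]


if __name__ == "__main__":
    table = parse_routes(JAIL_ROUTES)
    for host in ("10.0.0.50", "10.0.10.100"):
        print(host, "->", lookup(table, host))
```

Adding a /24 that contains the off-subnet client (10.0.10.0/24 via 10.0.0.1, a /24 prefix) outranks the /1 tunnel routes, whereas a route for a different /24 leaves replies on tun1.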
 