SOLVED OpenVPN Client Jail

Status
Not open for further replies.
Joined
Feb 3, 2015
Messages
6
Hey,

I have OpenVPN set up in its own jail and connected, but I can't figure out how to point and route the other 2 jails through the OpenVPN jail. I was looking at doing router-level OpenVPN, but that would route all traffic via the VPN, which is not what I want.

Thank you in advance for any help.
 

Allan Wilmath

Explorer
Joined
Nov 26, 2015
Messages
99
The router that connects your network, the one with the IP that the computers on your network use as 'default gateway', is hands down the easiest and most sensible place to install and run OpenVPN. When you configure OpenVPN, you can choose to not route all traffic through it; it is called split routing. Only the traffic you want to go between the client and the gateway will go through the tunnel, based on the IP address of the packets.

You don't have to do this; you can optionally do it the way you are. This requires you to put in a static rule in the routing table of your gateway that forwards traffic for the OpenVPN clients' IP address space toward the IP being used by your OpenVPN server. Seems odd to forward packets originating on the local network back on to the local network, doesn't it? It is better than adding a static route to every client on the network.

The issue in doing what you are doing is that when a machine on your local network replies, it sends the packet to the gateway, since the IP address is for a foreign network, just like it does for all of the internet packets. The gateway has no idea where to send those packets because it is not running the VPN. So it probably drops them, since they are private IP addresses by default in OpenVPN. Adding a rule will instead forward those packets it receives back to the OpenVPN server's IP.

This rule is something you will have to figure out on its own, since I have no idea what you are using for a gateway. It will be called something like 'static routes'. If you only want to access one server remotely, you could add the static route to that single server.

Good luck.
 
Joined
Feb 3, 2015
Messages
6
Thanks Allan for your advice. Unfortunately the OpenVPN conf file is provided by the VPN company and therefore I am unable to configure which traffic goes via OpenVPN and which does not.

I have successfully set up a jail with OpenVPN installed in it. However, for some reason, when OpenVPN is enabled, traffic from Jail 1 is unable to pass through Jail 2. But when OpenVPN is disabled, traffic for Jail 1 passes through Jail 2 and to the outside world correctly. Not sure what I am missing, but below are the routing table and ipfw rules:


Code:
Routing tables:

Internet:
Destination        Gateway            Flags   Netif     Expire
0.0.0.0/1          10.1.1.1           UGS     tun0
default            router.asus.com    UGS     epair1b
10.1.1.0           10.1.1.1           UGS     tun0
10.1.1.1           link#3             UH      tun0
10.1.1.23          link#3             UHS     lo0
localhost          link#1             UH      lo0
128.0.0.0/1        10.1.1.1           UGS     tun0
xxx.xx.xx.xxx/32   router.asus.com    UGS     epair1b   (I have blanked this out)
192.168.3.0        link#2             U       epair1b
openvpn            link#2             UHS     lo0



Code:
ipfw list:

00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65535 allow ip from any to any



Would anyone be able to point me in the right direction on how to pass traffic from Jail 1 through Jail 2 while OpenVPN is enabled?

Thanks in advance.
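To make the routing table above concrete, here is an added example (not from the thread) that replays the kernel's longest-prefix match over a constructed copy of that table and flags destinations that would leave outside tun0, including the case where OpenVPN is down and its tun0 routes are gone. It assumes the masked VPN server /32 is the placeholder 203.0.113.45, the ASUS router is 192.168.3.1, and the bare x.y.z.0 entries are /24s whose mask netstat omitted.

```python
import ipaddress
# Constructed copy of the "netstat -rn" table posted above, with names
# replaced by numeric addresses and the masked VPN server /32 replaced by
# the documentation placeholder 203.0.113.45 (an assumption, not the real one).
VPN_SERVER = "203.0.113.45"
ROUTING_TABLE = """\
0.0.0.0/1        10.1.1.1       UGS   tun0
default          192.168.3.1    UGS   epair1b
10.1.1.0         10.1.1.1       UGS   tun0
10.1.1.1         link#3         UH    tun0
128.0.0.0/1      10.1.1.1       UGS   tun0
203.0.113.45/32  192.168.3.1    UGS   epair1b
192.168.3.0      link#2         U     epair1b
192.168.3.8      link#2         UHS   lo0
"""

def parse_routes(text):
    """(network, gateway, flags, netif) per line; 'default' is /0, a bare
    host is /32 and a bare x.y.z.0 is assumed to be a /24 (mask omitted)."""
    routes = []
    for line in text.splitlines():
        dst, gw, flags, netif = line.split()
        if dst == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif "/" in dst:
            net = ipaddress.ip_network(dst)
        else:
            net = ipaddress.ip_network(dst + ("/24" if dst.endswith(".0") else "/32"))
        routes.append((net, gw, flags, netif))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does it: the two /1 halves beat
    'default', and a connected /24 or a host /32 beats the /1 halves."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)

def egress(routes, dst):
    """Interface a packet to dst leaves through."""
    return lookup(routes, dst)[3]

def leaks(routes, dst):
    """True if dst is forwarded (G flag) somewhere other than tun0 and is
    not the VPN server itself, which must be reached outside the tunnel."""
    _net, _gw, flags, netif = lookup(routes, dst)
    return "G" in flags and netif != "tun0" and dst != VPN_SERVER

def without_tunnel(routes):
    """Simulate OpenVPN being down: tun0 routes vanish, 'default' takes over."""
    return [r for r in routes if r[3] != "tun0"]
```

With the tunnel up, everything except the LAN and the VPN server itself resolves to tun0; once the tun0 routes disappear, the same lookup lands on the epair1b default and leaks() reports it.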
 
Joined
Feb 3, 2015
Messages
6
Just in case anyone stumbles across this, I have managed to solve the issue by doing the following:

Adding the following to /etc/rc.conf:

Code:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Adding the following to /usr/local/etc/ipfw.rules:

Code:

ipfw -q -f flush
ipfw -q nat 1 config if tun0
ipfw -q add nat 1 all from any to any via any

I then set the OpenVPN jail IP address as the gateway for the jails that I want to pass through the VPN.

Hopefully this helps anyone else wishing to achieve the same setup.
 

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
That is pretty neat.

I cheated because PIA allows for 5 concurrent connections, so I use 2 for the 2 jails that I use OpenVPN on :)

Cheers,
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Just in case anyone stumbles across this, I have managed to solve the issue by doing the following:

Adding the following to /etc/rc.conf:

Code:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"

Adding the following to /usr/local/etc/ipfw.rules:

Code:

ipfw -q -f flush
ipfw -q nat 1 config if tun0
ipfw -q add nat 1 all from any to any via any

I then set the OpenVPN jail IP address as the gateway for the jails that I want to pass through the VPN.

Hopefully this helps anyone else wishing to achieve the same setup.

hey,

Thanks a lot for this, I spent days trying to figure this out. I just said I would add my config here so others can use it.

ON VPN JAIL add to /etc/rc.conf

Code:
openvpn_enable="YES" #autostarts openvpn
openvpn_if="tun" #the interface type openvpn uses
openvpn_configfile="/media/openvpn.conf" #where the vpn config is located
gateway_enable="YES" #enable the jail to be used as a default gateway
firewall_enable="YES" #enable ipfw
firewall_script="/usr/local/etc/ipfw.rules" #where the ipfw rules are located



ON VPN JAIL add to /usr/local/etc/ipfw.rules
Code:
ipfw -q -f flush #deletes all old rules
ipfw -q nat 1 config if tun1 #add a rule to the nat table. it may be tun0 depending on what interface the VPN uses.
ipfw -q add nat 1 all from any to any via any #allow any to any

Use netstat -i to find the interface the VPN uses.


ON the Client jail or any machine on your network. add to /etc/rc.conf

Please note you will have to use an IP address in your local net IP range and the correct subnet mask.
Code:
ifconfig_epair3b="inet 192.168.0.2 netmask 255.255.255.0" #IP of the client and the network subnet mask
defaultrouter="192.168.0.8" # IP of the VPN Jail
 

kydiwl

Cadet
Joined
Nov 2, 2014
Messages
1
@Allan Kelly Thanks for posting your config settings and firewall rules. These had the couple of pieces I was missing.
 

afmiller

Contributor
Joined
Dec 11, 2013
Messages
106
hey,

Thanks a lot for this, I spent days trying to figure this out. I just said I would add my config here so others can use it.

ON VPN JAIL add to /etc/rc.conf

Code:
openvpn_enable="YES" #autostarts openvpn
openvpn_if="tun" #the interface type openvpn uses
openvpn_configfile="/media/openvpn.conf" #where the vpn config is located
gateway_enable="YES" #enable the jail to be used as a default gateway
firewall_enable="YES" #enable ipfw
firewall_script="/usr/local/etc/ipfw.rules" #where the ipfw rules are located



ON VPN JAIL add to /usr/local/etc/ipfw.rules
Code:
ipfw -q -f flush #deletes all old rules
ipfw -q nat 1 config if tun1 #add a rule to the nat table. it may be tun0 depending on what interface the VPN uses.
ipfw -q add nat 1 all from any to any via any #allow any to any

Use netstat -i to find the interface the VPN uses.


ON the Client jail or any machine on your network. add to /etc/rc.conf

Please note you will have to use an IP address in your local net IP range and the correct subnet mask.
Code:
ifconfig_epair3b="inet 192.168.0.2 netmask 255.255.255.0" #IP of the client and the network subnet mask
defaultrouter="192.168.0.8" # IP of the VPN Jail

Allan, this is what I was looking for. Have you successfully set up the kill switch / DNS leak? I have PIA and am wanting to set up both.
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Alan, this is what I was looking for. Have you successfully set up the kill switch / DNS leak? I have PIA and am wanting to set up both.

Hi,

No, I didn't try setting up a kill switch or DNS leak and I'm not on PIA. I was running into issues if I had a power outage: the VPN wouldn't be able to restart after the server reboot, which meant my whole network lost internet access, as the VPN was the gateway for my whole network.

I can't remember why exactly, but I think it was something to do with the interface number changing. I just recently found out how to rectify the issue if it was interface number related, but I haven't had time to test it as it is way down my priority list.

When I do test it, I will post the solution here.

I'm surprised to be honest that more people aren't interested in doing this as not too many routers provide the ability to use a VPN.
 

afmiller

Contributor
Joined
Dec 11, 2013
Messages
106
Hi,

No, I didn't try setting up a kill switch or DNS leak and I'm not on PIA. I was running into issues if I had a power outage: the VPN wouldn't be able to restart after the server reboot, which meant my whole network lost internet access, as the VPN was the gateway for my whole network.

I can't remember why exactly, but I think it was something to do with the interface number changing. I just recently found out how to rectify the issue if it was interface number related, but I haven't had time to test it as it is way down my priority list.

When I do test it, I will post the solution here.

I'm surprised to be honest that more people aren't interested in doing this as not too many routers provide the ability to use a VPN.

Are you running them in the iocages? I could set up a second router of mine that is flashed with DD-WRT, but I don't want to deal with the double NAT. This solution is a lot easier, as I can static the addresses I want to go out via the VPN.


This is what I have to sort out later that makes the kill switch:

Code:
# Allow internal traffic
add 03000 allow IP from 172.16.0.14/32 to 172.16.0.0/23 keep-state
add 03000 allow IP from 172.16.0.0/23 to 172.16.0.14/32 keep-state

# Allow access to Entrance IP for VPN
add 04000 allow IP from 172.16.0.14/32 to <IP of VPN Entrance Node> keep-state

# Allow any traffic over the VPN interface
add 05000 allow IP from any to any via tun*

# Deny any other traffic
add 65534 deny IP from any to any
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Are you running them in the iocages? I could set up a second router of mine that is flashed with DD-WRT, but I don't want to deal with the double NAT. This solution is a lot easier, as I can static the addresses I want to go out via the VPN.

No, I just created them in a standard jail created via the web GUI. Is there an advantage in running them in iocages?

I used static addresses too, but sometimes it would take me a while before I noticed that the servers connected to the VPN were unreachable because of the VPN.

I was going to look into some kinda IP monitor with email notifications to let me know when the VPN tun was down. While I was waiting to find the time to look into that, I just set the VPN as my default gateway so I would know straight away, when the kids or myself couldn't access the web, that the VPN was down.
 

afmiller

Contributor
Joined
Dec 11, 2013
Messages
106
No, I just created them in a standard jail created via the web GUI. Is there an advantage in running them in iocages?

I used static addresses too, but sometimes it would take me a while before I noticed that the servers connected to the VPN were unreachable because of the VPN.

I was going to look into some kinda IP monitor with email notifications to let me know when the VPN tun was down. While I was waiting to find the time to look into that, I just set the VPN as my default gateway so I would know straight away, when the kids or myself couldn't access the web, that the VPN was down.

The iocage jails are going to be replacing the warden jails. So all of the jails I am doing are iocage, so I don't have to recreate them once the warden ones go away. You won't be able to manage the jail via the current GUI; it is via CLI or the new GUI for FreeNAS 11.1.
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
The iocage jails are going to be replacing the warden jails. So all of the jails I am doing are iocage, so I don't have to recreate them once the warden ones go away. You won't be able to manage the jail via the current GUI; it is via CLI or the new GUI for FreeNAS 11.1.

Well, I'm on FreeNAS 11.1 and I'm able to manage them. I'm assuming that means they are iocage jails??
 

afmiller

Contributor
Joined
Dec 11, 2013
Messages
106
Well, I'm on FreeNAS 11.1 and I'm able to manage them. I'm assuming that means they are iocage jails??

Are you under the same GUI that was with FreeNAS 9.x? If so, then they are the warden (older) jails. The new space-age-looking GUI is the one where you can manage the iocage ones.
 

Grinas

Contributor
Joined
May 4, 2017
Messages
174
Are you under the same GUI that was with FreeNAS 9.x? If so, then they are the warden (older) jails. The new space-age-looking GUI is the one where you can manage the iocage ones.

Yeah, in the old web GUI.

I'll have to look into upgrading them, more work to add to my list. I wish I had spotted it last week; I'm after adding 3 jails since then.

Thanks
 