OpenVPN IPFW issue

Status
Not open for further replies.

afmiller (Contributor; joined Dec 11, 2013; 106 messages)
So I've got an iocage jail set up running on 192.168.1.2 with the default gateway being 192.168.1.1. I successfully got PIA up and running with OpenVPN, but I'm running into an issue with the ipfw kill switch. ipfw is running as a service; I ran ipfw flush and cleared everything out, then proceeded to add the single rule 65534. In theory this should not allow me to ping / verify my outside IP address. Any thoughts?

wget -qO- http://ipecho.net/plain ; echo  - pulls my normal IP address instead of being blank

Code:
65534 deny ip from any to any
65535 allow ip from any to any
 
Joined Apr 9, 2015; 1,258 messages
The wget command should pull your remote IP address if configured correctly.

I would suggest posting your full IPFW in code tags.

I use this setup for mine, which works perfectly to force access to only my local net, or force the rest across the VPN:

Code:
add 00010 allow all from any to any via tun* uid USER
add 00101 allow all from me to 192.168.0.0/24 via epair* uid USER
add 00102 allow all from 192.168.0.0/24 to me via epair* uid USER
add 00103 deny all from any to any uid USER
 

afmiller (Contributor; joined Dec 11, 2013; 106 messages)

I will post the rule set tomorrow when I wake up; currently at work. On your setup I am assuming epair* is the local interface of the OpenVPN box, and the uid is the name of the jail, i.e. openvpn in my case. So the wget will still get your IP address even if you're blocking all the data when the VPN is dead?
 
Joined Apr 9, 2015; 1,258 messages
No, it literally is epair*, same for tun*.

The reason for that is that the epair and tun numbers can change, so setting it to epair1 or 5 is not guaranteed to work after a full system reboot or a jail reboot. USER can be either the username or the UID number of whichever application you want to be able to access the VPN.

The IP check should fail, since it is attempting to access a website, and without external access to the web it should only work if the VPN is working.
 

afmiller (Contributor; joined Dec 11, 2013; 106 messages)

@nightshade00013, I was going to use your ipfw setup, but I don't have the epair. Should I just use vnet0? I'm still a little confused on what to put for the UID, as I want to use this jail as a default gateway for different jails or other network devices. How is it that wget bypasses the firewall for an IP check when ping doesn't work? Below are the current ipfw list and my ifconfig.

Code:
65534 deny ip from any to any
65535 allow ip from any to any


Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
		options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
		inet6 ::1 prefixlen 128
		inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
		inet 127.0.0.1 netmask 0xff000000
		nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
		groups: lo
vnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
		options=8<VLAN_MTU>
		ether xxxxxx
		hwaddr xxxxxx
		inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
		nd6 options=1<PERFORMNUD>
		media: Ethernet 10Gbase-T (10Gbase-T <full-duplex>)
		status: active
		groups: epair

 
Joined Apr 9, 2015; 1,258 messages
My guess is the reason it is getting through is your conflicting allow/deny statements.

Anyway, I would just use:

Code:
vnet*


That way, if it changes to 1, 2, 3, 4, 5, 6, 7 or whatever, it will still have access and control things.

Mine is still based on the warden jail system, so that is likely the difference. Not in a huge rush to jump on iocage, since everything I have is working and I use it on multiple systems. I could sit on 11.1 forever, at least until I am confident that everything is stable. Eventually I will set up something to test with, but that will wait till 11.2 drops, and I will probably stay where I am until 11.2 U2 or so on my production system.
 

afmiller (Contributor; joined Dec 11, 2013; 106 messages)

The allow statement is stuck in there by default. Even after I flush the rules, that one seems to stay.

Also getting this error:

Code:
root@openvpn:~ # ipfw add 00010 allow all from any to any via tun*
ipfw: No match.
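Two things in the thread are worth pinning down with a concrete rule set. This is an added example, not afmiller's or nightshade00013's configuration. First, the "ipfw: No match." line above is the shell speaking, not ipfw: csh/tcsh (root's default shell on FreeBSD, which the root@openvpn:~ # prompt suggests) refuses to run a command whose unquoted glob, here tun*, matches no file in the current directory, so ipfw never sees the rule. Quote the pattern, or turn globbing off, so the literal tun* reaches ipfw. Second, ipfw's uid option matches packets belonging to a socket owned by that user on the jail itself; traffic the jail forwards for other devices (the gateway use case asked about earlier) has no local socket and no uid, so a kill switch for that case has to be built on interfaces instead. Rule 65535 is ipfw's built-in default rule and survives a flush; whether it reads allow or deny is fixed when the kernel is built or booted (net.inet.ip.fw.default_to_accept), so the set below ends with its own explicit deny rather than relying on it. The script assumes a LAN of 192.168.1.0/24 on the jail's vnet* interface, a tun* tunnel, a resolver on that LAN, and a VPN server reached on UDP port 1198 (the port and addresses are assumptions; take them from the PIA .ovpn file); NAT for the forwarded traffic is outside this example.

```shell
#!/bin/sh
# Interface-based ipfw kill switch for an OpenVPN jail that also routes for
# other hosts. Added example; the values below are assumptions, not thread data.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN behind the jail
VPN_PORT="${VPN_PORT:-1198}"           # assumed OpenVPN server port (UDP)
LAN_IF='vnet*'                         # jail side; single-quoted so the shell never globs it
TUN_IF='tun*'                          # OpenVPN tunnel; same
IPFW="${IPFW:-ipfw}"                   # overridable so the loader can be exercised without ipfw

# Emit the rule set in load order. Heredoc expansion does not glob, so the
# wildcards stay literal here as well. Forwarded LAN traffic is accepted on
# the way in (00320) and is then only allowed out via the tunnel (00200); with
# tun down it would leave via vnet* to a non-LAN address and hit 00500.
# DNS for the VPN hostname works only if the resolver sits on LAN_NET (00300).
killswitch_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 allow ip from any to any via $TUN_IF
add 00300 allow ip from me to $LAN_NET via $LAN_IF
add 00310 allow ip from $LAN_NET to me via $LAN_IF
add 00320 allow ip from $LAN_NET to any in via $LAN_IF
add 00330 allow ip from any to $LAN_NET out via $LAN_IF
add 00400 allow udp from me to any $VPN_PORT out via $LAN_IF keep-state
add 00500 deny log ip from any to any
EOF
}

# Flush and load. Globbing is switched off for the duration, so the unquoted
# $rule (word-split on purpose into ipfw's arguments) cannot be expanded; that
# expansion is exactly what produces "ipfw: No match." when typing such a
# rule into csh.
apply_killswitch() {
    set -f
    "$IPFW" -q -f flush
    killswitch_rules | while IFS= read -r rule; do
        "$IPFW" -q $rule
    done
    set +f
}

# Stand-alone: print the rules; "apply" loads them into the running kernel.
case "${1:-}" in
    apply) apply_killswitch ;;
    *)     killswitch_rules ;;
esac
```

Before loading on a live jail, `ipfw -n add ...` (or `IPFW='ipfw -n'` is not enough, since -n must precede each command) checks a rule's syntax without touching the kernel; after loading, `ipfw -a list` shows per-rule packet counters, so a wget that still reaches the outside will show up as hits on an allow rule rather than on 00500.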

 
Joined Apr 9, 2015; 1,258 messages
Odd, I have mine set to root:wheel for ownership and 644 permissions, and it never makes any changes to my config. Wonder if it's iocage doing that?

Anyway, with restricting a user, everything has access except for the apps launched under that user ID.
 

afmiller (Contributor; joined Dec 11, 2013; 106 messages)

Oh, so if I set the uid to, say, root, the wget shouldn't have access if I'm logged in as root. But without restricting it, it should be applied across the board?
 
Joined Apr 9, 2015; 1,258 messages
Yes, technically. It does depend on what UID the application is launched under, which is something I still have not really taken the time to figure out. I am more of a hardware guy than a software guy. I can make the software work and remember how to do things.
 