OpenVPN Server in a FreeBSD 9.2 Jail Routing/NAT Issues


aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
Hello,

I'm trying to get an OpenVPN server to work in a standard 9.2 jail using VIMAGE. I've read the following (which at the time does not recommend running it in a jail) and have my config pretty much identical: http://joepaetzel.wordpress.com/2013/09/22/openvpn-on-freenas-9-1/. I'd really prefer to run this from a jail and not touch the FreeNAS installation, and not have to worry about it being overwritten on updates.

OpenVPN actually works and I can VPN in just fine. However, I can't reach any other computer on the network.

My internal network is 10.2.2.0/24. The OpenVPN server is 10.2.2.102. I'm able to SSH into that address just fine over the VPN. I cannot ping my FreeNAS box or any other machine, though.

Also, instead of going down the road of having to set up a route on my internal network showing how to get back to the VPN network, I'm looking to use IPFW to NAT. My crappy router doesn't allow static routes, so this would be much better in my case. Here is a dump of my ipfw table:

ipfw show
00100 0 0 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 8367 1489619 nat 1 ip from any to any in via epair0b
65535 54936 9143316 allow ip from any to any
I'm probably missing out on some fundamentals here, so if anyone can assist, I'd greatly appreciate it.
 

aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
Looks like I was able to figure it out. I'll share all the things I did so hopefully it will help someone else.

1. I installed OpenVPN using pkg install openvpn

2. I followed the guide at http://joepaetzel.wordpress.com/2013/09/22/openvpn-on-freenas-9-1/ (other than acquiring openvpn). Anywhere he mentions the FreeNAS IP, I use the jail's IP.

3. I needed to add the following to my rc.conf to enable routing through the jail as a gateway (this is what did the trick):
cloned_interfaces="tun"
gateway_enable="YES"

4. I then set up NAT using ipfw so I don't need to set up a static route on the router (all devices in my case since my router doesn't allow me to add static routes). Here are the commands, thanks to perlguy9 from the comments on that wordpress article:
ipfw nat 1 config if epair0b
ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw add nat 1 all from any to any in via epair0b

All I need to do is add those ipfw commands to a startup script like openvpn's rc.d file.
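A check for the symptom in the first two posts (the VPN connects, but only the jail itself is reachable), added here as an example and not code from the thread: it parses the `ipfw show` dump from the first post plus an rc.conf fragment, and flags a missing gateway_enable together with an outbound NAT rule whose packet counter is still 0. The sample input is constructed from the thread; the VPN subnet and epair0b interface names are the thread's own.

```python
import re

# Constructed sample: the `ipfw show` dump from the first post, and a rc.conf
# fragment that is still missing the gateway_enable line the second post added.
IPFW_SHOW = """\
00100 0 0 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 8367 1489619 nat 1 ip from any to any in via epair0b
65535 54936 9143316 allow ip from any to any
"""
RC_CONF = 'cloned_interfaces="tun"\nopenvpn_enable="YES"\n'

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_ipfw_show(text):
    """Return (rule_number, packets, bytes, rule_body) tuples from `ipfw show` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def rc_value(text, key):
    """Value of key="value" in an rc.conf fragment, or None if the key is absent."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"?([^"\n#]*)', text, re.M)
    return m[1].strip() if m else None


def diagnose(ipfw_text, rc_text, vpn_net="10.8.0.0/24", jail_if="epair0b"):
    """List the reasons VPN clients would reach the jail but nothing behind it."""
    findings = []
    if rc_value(rc_text, "gateway_enable") != "YES":
        findings.append("gateway_enable is not YES: the jail will not forward packets "
                        "between tun and " + jail_if)
    rules = parse_ipfw_show(ipfw_text)
    out_nat = [r for r in rules if r[3].startswith("nat")
               and f"from {vpn_net} " in r[3] and f"out via {jail_if}" in r[3]]
    in_nat = [r for r in rules if r[3].startswith("nat") and f"in via {jail_if}" in r[3]]
    if not out_nat:
        findings.append(f"no outbound NAT rule for {vpn_net} via {jail_if}")
    elif sum(r[1] for r in out_nat) == 0:
        findings.append("outbound NAT rule has matched 0 packets: nothing from the VPN "
                        "is being forwarded toward the LAN, so check forwarding first")
    if not in_nat:
        findings.append(f"no inbound NAT rule via {jail_if}: LAN replies are never un-NATed")
    return findings
```

Run against the constructed sample it reports both findings; on a box with gateway_enable set and a non-zero counter on rule 00100 it reports none.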
 

aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
I added the following to the bottom of the /usr/local/etc/rc.d/openvpn file for the NAT config:

#clean out current rules
ipfw -f flush

ipfw nat 1 config if epair0b
ipfw add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw add nat 1 all from any to any in via epair0b
 

Cosmo_Kramer

Contributor
Joined
Jan 9, 2013
Messages
103
Thanks, I was wondering about this.
In regards to the firewall rules, this would be the "proper" way of doing it.

Edit "/etc/rc.conf" and add:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules" #This can be any path

Your ipfw.rules file would look something like this:
Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b


Then you'd also add your other firewall rules in there as well.
 

aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
Thanks, I was wondering about this.
In regards to the firewall rules, this would be the "proper" way of doing it.

Edit "/etc/rc.conf" and add:
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules" #This can be any path

Your ipfw.rules file would look something like this:
Code:
ipfw -q -f flush
ipfw -q nat 1 config if epair0b
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via epair0b
ipfw -q add nat 1 all from any to any in via epair0b


Then you'd also add your other firewall rules in there as well.

Awesome. Thanks for that info! I'm going to make that change now--I prefer to do things as close to proper as possible. I recall seeing a file being used for ipfw, but boy, was I burnt out after work today.
 

aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
I also wanted to add how I got two-factor authentication working with Google Authenticator:

1. get google authenticator: pkg install pam_google_authenticator
2. run google authenticator to set it up by doing the following:
google-authenticator
Do you want authentication tokens to be time-based: y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n): n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n): y

Remember the information it gives you at the top. When you visit the URL it will present you with a QR code that you just scan with the Google Authenticator app on your phone or whichever device you choose. Once scanned, your phone will start showing auth codes.
3. go into /etc/pam.d and copy the sshd file to openvpn
4. edit the newly created openvpn file and add the following two lines to the top of the auth section:
auth requisite /usr/local/lib/pam_google_authenticator.so forward_pass
auth required pam_unix.so try_first_pass
5. I commented out the other line for pam_unix (last line in the auth section): #auth required pam_unix.so no_warn try_first_pass
6. edit your openvpn server conf file and add the following (note that the openvpn at the end corresponds to the file name you created under /etc/pam.d):
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
7. restart the openvpn service: service openvpn restart
8. in your client configuration for openvpn, you need to add (place this anywhere, I put it at the very bottom): auth-user-pass

Now when you go to log in, you'll be prompted for a username and password. The username will be your unix login that you use to get into the shell (just the plain username). The password will be your unix password with the Google Authenticator code at the end--no spaces between the two. An example, if your unix login is jpesci, the password is funnyclown and your Google Authenticator code is 111222:
username: jpesci
password: funnyclown111222

I'll probably make this a separate post so it's more easily discovered. Good luck!
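What the server side of the post above does with "funnyclown111222", as an added example that is not part of the thread or of pam_google_authenticator: the trailing digits are split off as the one-time code (the forward_pass behaviour), the code is checked against RFC 6238 TOTP with the 30-second step and the default one-token skew on each side chosen at setup, and an optional set of already-used counters models the "disallow multiple uses" option. The secret is a constructed raw-byte value (the RFC 6238 test key) standing in for the base32 secret google-authenticator prints; the password is compared in plaintext only for brevity.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret standing in for the one google-authenticator prints at
# setup (the real one is base32; raw bytes are used here to keep the example short).
SECRET = b"12345678901234567890"
STEP = 30      # token lifetime chosen at setup ("time-based", good for 30 seconds)
DIGITS = 6
SKEW = 1       # default window: one extra token before and after the current one


def totp(secret, counter, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_forward_pass(combined, digits=DIGITS):
    """Model of forward_pass: the trailing digits are the OTP, the rest is the unix password."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None, None
    return combined[:-digits], combined[-digits:]


def verify(secret, submitted, unix_password, now=None, skew=SKEW, used=None):
    """True if the password part matches and the OTP is valid within +/- skew steps.

    `used` is a set of counters already accepted; passing one models the "disallow
    multiple uses of the same token" option. The password is compared in plaintext
    only to keep the demo short; pam_unix checks it against the stored hash.
    """
    now = int(time.time()) if now is None else now
    password, code = split_forward_pass(submitted)
    if code is None or not hmac.compare_digest(password.encode(), unix_password.encode()):
        return False
    counter = now // STEP
    for c in range(counter - skew, counter + skew + 1):
        if used is not None and c in used:
            continue          # replayed token: rejected even though it is still in the window
        if hmac.compare_digest(totp(secret, c), code):
            if used is not None:
                used.add(c)
            return True
    return False
```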
 

aplats

Dabbler
Joined
Dec 16, 2013
Messages
20
A couple of tips to help secure your VPN more. You could do either (B is the better choice):

A) Disable VPN access from the superuser by doing the following
In your /etc/pam.d/openvpn file add the following line to the top of the # auth section:
auth requisite pam_group.so deny root_only

This tells the PAM that a requisite is to use the pam_group module to check the group membership and deny wheel (wheel is the default if not specified), but skip this module if the account is not the superuser.

B) You could also allow only specific groups to VPN in. You'll need to create a special group for VPN and then add your individual users to it. Then do the following
In your /etc/pam.d/openvpn file add the following line to the top of the # auth section:
auth requisite pam_group.so no_warn group=special_vpn_group luser

So now PAM will only allow users in the special_vpn_group to access VPN. luser tells PAM to evaluate the target user's group membership. If you don't specify luser, PAM will default to ruser (evaluates the supplicant's group membership) and fail.
 

Cosmo_Kramer

Contributor
Joined
Jan 9, 2013
Messages
103
Thanks for all of your hard work. I look forward to seeing the tutorial you plan on writing up.
 

mdebatti

Cadet
Joined
Mar 3, 2014
Messages
2
Is this thread only about setting up openvpn to VPN in to the freenas box?

I am after some help on how to setup openvpn to use a VPN to download anonymously from the freeNAS box Transmission plugin. (I already have ca.crt & openvpn.opvn files from the vpn provider, which worked on a RaspberryPi to unlock geoblocking)

Can someone give a bit more details on how to "install OpenVPN using pkg install openvpn" and setting up the Jail?
 

andyclimb

Contributor
Joined
Aug 17, 2012
Messages
101
Hi,

I'm getting stuck at the generation of the certificates. When I try to run ./clean-all I get this...

root@openvpn:/usr/local/share/easy-rsa # ./clean-all
Please source the vars script first (i.e. "source ./vars")
Make sure you have edited it to reflect your configuration.

Then I get this if I try source ./vars:

root@openvpn:/usr/local/share/easy-rsa # source ./vars
export: Command not found.
export: Command not found.
export: Command not found.
export: Command not found.
EASY_RSA: Undefined variable.
export: Command not found.

EASY_RSA: Undefined variable.
Any ideas?
 

marian78

Patron
Joined
Jun 30, 2011
Messages
210
I am also stuck at generating my own certificate for openvpn in a jail. I do this:

Code:
portsnap fetch
portsnap extract
cd /usr/ports/security/openvpn
make install clean


Same output: "source ./vars".

:(

Marian L.

edit: solved -> must do this:
Code:
portsnap fetch
portsnap extract
cd /usr/ports/security/openvpn
make install clean
sh
. ./vars
./build-ca
...........


These two dots in ". ./vars" are not a mistake...

edit2: OK, I set up everything, openvpn and ipfw. I can connect to openvpn and can ping, but only the jail IP. Not working for me: no ping to other jails, FreeNAS or network PCs. My internal LAN subnet is 192.168.10.0/24, the jail is 192.168.10.243. :(
 

madmax

Explorer
Joined
Aug 31, 2012
Messages
64
So I installed openvpn inside a jail with vimage.
Code:
pkg install openvpn


Then added these lines to rc.conf

Code:
openvpn_enable="YES"
openvpn_if="tun"
openvpn_configfile="/mnt/Files/openvpn/openvpn.conf"
openvpn_dir="/mnt/Files/openvpn"


I then started openvpn

Code:
service openvpn start


I checked the openvpn IP address and it was the VPN's address.

Do I need to add any firewall rules? I'm a little worried there might be DNS leakage or something else.
Is there any other test I should do to confirm that it's working right?
 