Plugin jail loses all connection as soon as openvpn starts

zimon

Contributor
Joined
Jan 8, 2016
Messages
134
I have tried this so many times with several different setups, but I always end up at the same point: as soon as I start openvpn in my jail, I cannot ping anything and the web GUI of my plugin (transmission) is also not reachable. As soon as I stop openvpn, everything works.

I am running TrueNAS-13.0-U6.1.

This is what I did:

1. I installed the transmission plugin via the TrueNAS WebGUI, and the only setting I changed during the installation was the `allow_tun` checkmark.
2. I installed openvpn and configured it.
3. I started openvpn.

When looking at the logs it seems that openvpn runs just fine:

Code:
Apr  3 18:18:40 transmission openvpn[2810]: OpenVPN 2.6.9 amd64-portbld-freebsd13.2 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD]
Apr  3 18:18:40 transmission openvpn[2810]: library versions: OpenSSL 1.1.1t-freebsd  7 Feb 2023, LZO 2.10
Apr  3 18:18:40 transmission openvpn[2811]: TCP/UDP: Preserving recently used remote address: [AF_INET]193.187.88.222:443
Apr  3 18:18:40 transmission openvpn[2811]: Socket Buffers: R=[65536->65536] S=[32768->32768]
Apr  3 18:18:40 transmission openvpn[2811]: Attempting to establish TCP connection with [AF_INET]193.187.88.222:443
Apr  3 18:18:40 transmission openvpn[2811]: TCP connection established with [AF_INET]193.187.88.222:443
Apr  3 18:18:40 transmission openvpn[2811]: TCPv4_CLIENT link local: (not bound)
Apr  3 18:18:40 transmission openvpn[2811]: TCPv4_CLIENT link remote: [AF_INET]193.187.88.222:443
Apr  3 18:18:40 transmission openvpn[2811]: TLS: Initial packet from [AF_INET]193.187.88.222:443, sid=193b0f69 18482e0f
Apr  3 18:18:40 transmission openvpn[2811]: VERIFY OK: depth=1, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN CA, name=PrivateVPN, emailAddress=support@privatvpn.se
Apr  3 18:18:40 transmission openvpn[2811]: VERIFY KU OK
Apr  3 18:18:40 transmission openvpn[2811]: Validating certificate extended key usage
Apr  3 18:18:40 transmission openvpn[2811]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Apr  3 18:18:40 transmission openvpn[2811]: VERIFY EKU OK
Apr  3 18:18:40 transmission openvpn[2811]: VERIFY OK: depth=0, C=SE, ST=CA, L=Stockholm, O=PrivateVPN, CN=PrivateVPN, name=PrivateVPN, emailAddress=support@privatvpn.se
Apr  3 18:18:40 transmission openvpn[2811]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Apr  3 18:18:40 transmission openvpn[2811]: [PrivateVPN] Peer Connection Initiated with [AF_INET]193.187.88.222:443
Apr  3 18:18:40 transmission openvpn[2811]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Apr  3 18:18:40 transmission openvpn[2811]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Apr  3 18:18:42 transmission openvpn[2811]: SENT CONTROL [PrivateVPN]: 'PUSH_REQUEST' (status=1)
Apr  3 18:18:42 transmission openvpn[2811]: PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,sndbuf 524288,rcvbuf 524288,redirect-gateway def1,dhcp-option DISABLE-NBT,dhcp-option DNS 10.35.53.1,dhcp-option DNS 10.35.53.2,route-gateway 10.35.12.1,topology subnet,ping 20,ping-restart 60,ifconfig 10.35.12.6 255.255.254.0,peer-id 0,cipher AES-256-GCM'
Apr  3 18:18:42 transmission openvpn[2811]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Apr  3 18:18:42 transmission openvpn[2811]: Socket Buffers: R=[65700->524288] S=[33580->524288]
Apr  3 18:18:42 transmission openvpn[2811]: OPTIONS IMPORT: --ifconfig/up options modified
Apr  3 18:18:42 transmission openvpn[2811]: OPTIONS IMPORT: route options modified
Apr  3 18:18:42 transmission openvpn[2811]: OPTIONS IMPORT: route-related options modified
Apr  3 18:18:42 transmission openvpn[2811]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr  3 18:18:42 transmission openvpn[2811]: ROUTE_GATEWAY 172.16.0.1/255.255.255.252 IFACE=epair0b HWADDR=7e:c2:55:03:aa:47
Apr  3 18:18:42 transmission openvpn[2811]: TUN/TAP device /dev/tun0 opened
Apr  3 18:18:42 transmission openvpn[2811]: /sbin/ifconfig tun0 10.35.12.6/23 mtu 1500 up
Apr  3 18:18:42 transmission openvpn[2811]: /sbin/route add -net 193.187.88.222 172.16.0.1 255.255.255.255
Apr  3 18:18:42 transmission openvpn[2811]: /sbin/route add -net 0.0.0.0 10.35.12.1 128.0.0.0
Apr  3 18:18:42 transmission openvpn[2811]: /sbin/route add -net 128.0.0.0 10.35.12.1 128.0.0.0
Apr  3 18:18:42 transmission openvpn[2811]: Initialization Sequence Completed
Apr  3 18:18:42 transmission openvpn[2811]: Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'stub'
Apr  3 18:18:42 transmission openvpn[2811]: Timers: ping 20, ping-restart 60


I assume that there is some jail/network setting I am missing, but I have no clue what it is.

I added screenshots of my jail settings:
[four screenshots of the jail settings attached]

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
The way OpenVPN is configured it routes all traffic including anything local but the default gateway into the tunnel. That is obvious from the startup log. What else do you expect to happen when it's configured to do precisely that?
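To make the routing effect concrete, here is an added example (not code from the thread) that replays the routes OpenVPN installed in the startup log above with a longest-prefix-match lookup. It compares the NAT jail from the thread (only a 172.16.0.0/30 link to the host) with a machine that sits directly on a LAN, which is assumed to be 192.168.1.0/24.

```python
# Added example: longest-prefix match over the routes seen in the thread's
# OpenVPN log, showing why "redirect-gateway def1" swallows LAN traffic in a
# NAT jail but not on a host that has the LAN as a directly connected route.
import ipaddress

# Routes from the "/sbin/route add" lines in the log: a host route to the
# VPN server via the jail's original gateway, and two /1 routes via tun0.
VPN_ROUTES = [
    ("193.187.88.222/32", "172.16.0.1 (epair0b)"),
    ("0.0.0.0/1", "10.35.12.1 (tun0)"),
    ("128.0.0.0/1", "10.35.12.1 (tun0)"),
]

# NAT jail as in the thread: the only connected network is the /30 to the
# host (ROUTE_GATEWAY 172.16.0.1/255.255.255.252 in the log), default via it.
JAIL_ROUTES = [
    ("172.16.0.0/30", "link (epair0b)"),
    ("0.0.0.0/0", "172.16.0.1 (epair0b)"),
] + VPN_ROUTES

# A host (or bridged VNET jail) directly on the LAN; 192.168.1.0/24 is an
# assumed, constructed LAN, not a value from the thread.
LAN_ROUTES = [
    ("192.168.1.0/24", "link (lan)"),
    ("0.0.0.0/0", "192.168.1.1 (lan)"),
] + VPN_ROUTES


def lookup(dst, routes):
    """Return the next hop for dst using longest-prefix match, like the kernel."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def via_tunnel(dst, routes):
    """True when traffic to dst leaves through tun0 under the given table."""
    return "tun0" in (lookup(dst, routes) or "")


if __name__ == "__main__":
    for table_name, table in (("NAT jail", JAIL_ROUTES), ("LAN host", LAN_ROUTES)):
        for dst in ("192.168.1.50", "8.8.8.8", "193.187.88.222"):
            print(f"{table_name:8} {dst:16} -> {lookup(dst, table)}")
```

With the jail's table, a LAN address matches only the /1 routes and is sent into the tunnel, while on the LAN host the /24 connected route wins, which is exactly the difference between the two setups described in the thread.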
 

zimon

Contributor
Joined
Jan 8, 2016
Messages
134
The way OpenVPN is configured it routes all traffic including anything local but the default gateway into the tunnel. That is obvious from the startup log. What else do you expect to happen when it's configured to do precisely that?

Well, tbh I never changed any network settings in openvpn, and I can reproduce the same setup on any other Unix/Mac machine, which gives me the result I am looking for: any connection to the internet goes through the VPN, but I can still reach it locally.

When I try to decipher your statement with my lack of network knowledge: could it be that the issue is the default gateway of the jail? One thing I find a bit strange is the `default ip4 router` setting in the jail settings, which is not my router (which would make more sense to me). So maybe I need to remove NAT and change it to this?
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Try a true VNET jail bridged to your LAN without NAT. That should work.
 