Tun disappeared after upgrading

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Hello everyone,

I had a couple of jails connecting to PIA VPN via openvpn. After the update to 12.0 those jails don't show any tun* after running ifconfig.
Did anyone have the same issue?

Cheers
 

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
You probably just need to upgrade your openvpn PIA config files to the nextgen version. I just spent the last couple of hours trying to figure this out. Everything was working fine until this morning.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
You probably just need to upgrade your openvpn PIA config files to the nextgen version. I just spent the last couple of hours trying to figure this out. Everything was working fine until this morning.
Thanks for the reply, do you mean I need to download the openvpn.zip file again from PIA?
 

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
Thanks for the reply, do you mean I need to download the openvpn.zip file again from PIA?
You want https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip. I wrote the script below to set up PIA in a jail. I've got the resolvconf stuff in it commented out because I no longer use it. It might be useful to you.

Code:
#!/usr/local/bin/bash
## set -x
##
## In part based on
## https://gist.github.com/jedediahfrey/6d475dcc34c710f62a7c
##
## Includes setup of DNS servers after the VPN tunnel is brought up
## and taken down by openvpn. This functionality relies on
## https://github.com/masterkorp/openvpn-update-resolv-conf.git
##
## Doesn't try to build openvpn from ports since openvpn versions
## greater than 2.3.9 already include PW_SAVE support compiled in. The
## script will check your version of openvpn and if it is less than
## 2.3.9 it will terminate.
##
## LICENSE: GPL2
## https://www.gnu.org/licenses/gpl-2.0.txt
##

# set -x

getUsername() {
    read -r user
    echo "$user"
}

getPassword() {
    ## turn off echo so the password does not appear on the screen
    stty -echo
    read -r pass
    ## turn on echo again
    stty echo
    echo "$pass"
}

updatePkgs() {
    /usr/sbin/pkg update -f
    /usr/sbin/pkg upgrade -y
}

## returns 0 (true) when an openvpn binary is on the PATH
isOpenVpnInstalled() {
    ovpn=$(which openvpn)
    [ -n "$ovpn" ]
}

installPackages() {
    env ALWAYS_ASSUME_YES=YES pkg install openvpn
}

openVpnSupportsPwSave() {
    ## "OpenVPN 2.4.9 amd64-..." -> 2.4.9
    ovpn_version=$(openvpn --version | head -1 | awk -F ' ' '{print $2}')
    major=$(echo "$ovpn_version" | cut -d '.' -f 1)
    minor=$(echo "$ovpn_version" | cut -d '.' -f 2)
    patch=$(echo "$ovpn_version" | cut -d '.' -f 3)

    ## see https://www.freshports.org/security/openvpn
    ## if [ "$major" -eq 2 ] && [ "$minor" -ge 3 ] && [ "$patch" -gt 9 ] ; then
    if [ "$major" -eq 2 ] && [ "$minor" -ge 3 ] ; then
        echo "OpenVPN appears to support PW_SAVE. Does not need upgrading"
        return 0
    else
        echo "OpenVPN appears to not support PW_SAVE. You should install it from ports before rerunning this script."
        echo "Commands like the following may help"
        echo "/usr/sbin/portsnap fetch"
        echo "/usr/sbin/portsnap extract"
        echo "cd /usr/ports/security/openvpn"
        echo "/usr/bin/make config-recursive"
        echo "/usr/bin/make install"
        echo "/usr/bin/make clean"
        exit 1
    fi
}

getIpAddress () {
    #    if [ -x "/usr/local/bin/wget" ] ;  then
    #    ip=`wget -qO- http://wtfismyip.com/text`
    #    elif [ -x "/usr/local/bin/curl" ] ; then
    #     ip=`curl -s http://wtfismyip.com/text`
    #    fi
    ip=$(fetch -q -o- http://wtfismyip.com/text)
    echo "$ip"
}

## prints the chosen .ovpn filename on stdout; everything else goes to stderr
## so the caller can capture the result with $( )
chooseVpnServer() {
    echo "Available VPN servers are:" >&2
    i=1
    for ff in *.ovpn ; do
        printf '\t%d:\t%s\n' "$i" "$ff" >&2
        i=$((i + 1))
    done
    echo -n "Enter a number corresponding to a server listed above: " >&2
    read -r choice
    ## make sure the answer is a number in range before handing it to sed
    case "$choice" in
        ''|*[!0-9]*) echo "Not a number: $choice" >&2 ; exit 1 ;;
    esac
    if [ "$choice" -lt 1 ] || [ "$choice" -ge "$i" ] ; then
        echo "No server numbered $choice" >&2 ; exit 1
    fi
    ls -1 *.ovpn | sed "${choice}q;d"
}
################################################################################
### END OF FUNCTION DEFINITIONS
################################################################################

if isOpenVpnInstalled ; then
    # check openvpn version
    openVpnSupportsPwSave
else
    echo "Could not find OpenVPN. Attempting to install"
    installPackages
    openVpnSupportsPwSave
fi

openVpnDir=/usr/local/etc/openvpn
rm -fr "$openVpnDir"
mkdir -p "$openVpnDir"

cd "$openVpnDir" || exit 1
echo "Downloading private internet access OpenVPN configuration files"
fetch https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip
piaOpenVpnZipFilename=openvpn-nextgen.zip


#echo "Getting update-resolv-conf script"
#git clone https://github.com/masterkorp/openvpn-update-resolv-conf.git
## set the correct paths
#echo "Setting correct path to bash and resolvconf script"
#sed -i ".orig" 's#bin/bash#usr/local/bin/bash#;s#^RESOLVCONF.*#RESOLVCONF=/sbin/resolvconf#' $openVpnDir/openvpn-update-resolv-conf/update-resolv-conf.sh

## now tell resolvconf to manage the epair interface so that DNS
## settings will be updated automatically by the update-resolv-conf.sh
## when it is invoked by openvpn
#cp /etc/resolv.conf /tmp/resolv.conf
#RESOLVCONF=$(which resolvconf)
## clear the state directory
#$RESOLVCONF -I
#dev=`ifconfig -l | tr ' ' '\n' | grep -v lo | grep -v pflog`
#dev_count=$( echo $dev | wc -l )
#if [[ $dev_count -gt 1 ]] ; then
#    echo "Got more than one configured interface. This script can't handle more than one configured interface. Exiting"
#    exit 256
#fi
#echo "Configuring $RESOLVCONF to manage the DNS resolution servers for ${dev}"
# $RESOLVCONF -a "${dev}.inet" < /tmp/resolv.conf
## rm -f /tmp/resolv.conf

if [ -f "${piaOpenVpnZipFilename}" ] ; then
    unzip -q "${piaOpenVpnZipFilename}"
    rm -f "${piaOpenVpnZipFilename}"

    for ovpn in *.ovpn ; do
        ## echo "Editing $ovpn"
        # Tell OpenVPN where to find the username and password. Replace the
        # whole line so an existing argument is not left dangling after ours.
        if grep -q "^auth-user-pass" "$ovpn" ; then
            sed -i ".orig" "s#^auth-user-pass.*#auth-user-pass $openVpnDir/pass.txt#" "$ovpn"
        else
            echo "auth-user-pass $openVpnDir/pass.txt" >> "$ovpn"
        fi

        # Tell OpenVPN what script to run when the tunnel is brought
        # up and down
        echo "script-security 2" >> "$ovpn"
        echo "up   /usr/local/libexec/openvpn-client.up" >> "$ovpn"
        echo "down /usr/local/libexec/openvpn-client.down" >> "$ovpn"

        ## Try to keep the link alive by pinging every 60 seconds if
        ## nothing is sent across the tunnel. Any server side
        ## provided keep-alive or ping and ping-restart options will
        ## override this keep-alive directive
        echo "keepalive 60 120" >> "$ovpn"

        ## run the up/down script on restarts of the tun interface. Hopefully
        ## this will eliminate DNS resolution issues
        echo "up-restart" >> "$ovpn"

        #Use full path names to avoid ambiguity
        # sed -i ".orig" -e "s#ca\.crt\$#$openVpnDir/ca\.crt#g" "$ovpn"
        # sed -i ".orig" -e "s#crl\.pem\$#$openVpnDir/crl\.pem#g" "$ovpn"

        ## Finally replace the spaces in the filename with underscores
        ## to make typing the filenames less of a PITA (skip the mv when
        ## there is nothing to rename, otherwise mv complains)
        ovpn2=$(echo "$ovpn" | sed "s/ /_/g")
        if [ "$ovpn" != "$ovpn2" ] ; then
            mv -f "$ovpn" "$ovpn2"
        fi
        rm -f "${ovpn}.orig"
    done
fi

## now ask for the username and password used to authenticate to the VPN provider
echo -n "Enter VPN service username: "
username=$(getUsername)
echo -n "Enter VPN service password (it will not appear on screen when you type it): "
password=$(getPassword)

passwordFile=$openVpnDir/pass.txt
## create the file owner-only before the credentials are written into it;
## printf rather than echo so a password starting with "-" is written verbatim
( umask 077 ; printf '%s\n%s\n' "$username" "$password" > "$passwordFile" )
chmod 600 "$passwordFile"

echo ""
vpnServer=$(chooseVpnServer)
[ -n "$vpnServer" ] || exit 1
echo "You chose $vpnServer as your VPN server"

echo "Enabling OpenVPN"
sysrc openvpn_enable=YES

echo "Setting your VPN server of choice"
sysrc openvpn_configfile="$openVpnDir/$vpnServer"

echo "Getting remote host name from OpenVPN config file"
## only the first "remote" line; some configs list several
remote_host_name=$( grep "^remote " "$openVpnDir/$vpnServer" | awk '{print $2}' | head -1 )
echo "Remote host is: $remote_host_name"

echo "Converting remote host to list of class C IPV4 networks"
## "has address" keeps only the A records: CNAME lines ("is an alias for") and
## AAAA lines ("has IPv6 address") would otherwise put junk in the table
remote_host_nets=( $( host "$remote_host_name" | \
        grep "has address" | \
              awk '{print $4}' | \
              sed 's#\.[0-9][0-9]*$##g' | \
              sort -u ) )
echo "Got ${#remote_host_nets[@]} class C networks for the remote host name"
cat /dev/null > "$openVpnDir/openvpn_nets_ipfw_table.txt"
for (( ii=0; ii< ${#remote_host_nets[@]}; ii++ )) ; do
    echo "Remote host net[${ii}]: ${remote_host_nets[$ii]}"
    echo "${remote_host_nets[$ii]}.0/24" >> "$openVpnDir/openvpn_nets_ipfw_table.txt"
done

echo "Your DNS resolvers are:"
cat /etc/resolv.conf

oldIp=$(getIpAddress)
service openvpn start
sleepDuration=5
echo "Waiting ${sleepDuration} seconds for OpenVPN to start"
sleep "${sleepDuration}"

newIp=$(getIpAddress)
echo "IP before starting OpenVPN: $oldIp"
echo "IP after  starting OpenVPN: $newIp"
if [ "$oldIp" != "$newIp" ] ; then
    echo "Success! OpenVPN appears to have started successfully."
else
    echo "The old IP and new IP are the same. It appears that OpenVPN didn't start correctly"
fi

echo "Your DNS resolvers are:"
cat /etc/resolv.conf
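A post-install sanity check to go with the setup script, added here as an example and not part of colmconn's script or the thread: it verifies that a rewritten .ovpn carries the directives the script appends and that its credentials file is owner-only, and checks an `ifconfig -l` interface list for a tun device (the symptom this thread opened with). The hostname vpn.example.net, the temp directory and the sample config are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread's script: text-only sanity checks
# for a PIA jail that can be run on a live box or on saved command output.

# Does an `ifconfig -l` interface list (space separated) contain a tun device?
has_tun_iface() {
    for _if in $1; do
        case "$_if" in tun[0-9]*) return 0 ;; esac
    done
    return 1
}

# Check one .ovpn for the directives the setup script appends and make sure
# auth-user-pass names a readable, owner-only credentials file.
# Prints one line per problem and returns 0 only when there are none.
check_ovpn() {
    _f=$1; _rc=0
    for _need in "remote " "auth-user-pass" "script-security 2" "keepalive" "up-restart"; do
        grep -q "^$_need" "$_f" || { echo "$_f: missing directive: $_need"; _rc=1; }
    done
    _pass=$(awk '$1=="auth-user-pass"{print $2; exit}' "$_f")
    if [ -z "$_pass" ]; then
        echo "$_f: auth-user-pass has no file argument (openvpn would prompt, which fails under rc.d)"; _rc=1
    elif [ ! -r "$_pass" ]; then
        echo "$_f: credentials file $_pass is missing or unreadable"; _rc=1
    else
        # group/other permission bits from ls -l (columns 5-10); all must be off
        _mode=$(ls -l "$_pass" | cut -c5-10)
        [ "$_mode" = "------" ] || { echo "$_f: $_pass readable by group/other ($_mode)"; _rc=1; }
    fi
    return $_rc
}

# Constructed demo: a minimal nextgen-style config and credentials file in a
# temp dir; vpn.example.net stands in for a real PIA hostname.
demo() {
    _tmp=$(mktemp -d)
    ( umask 077; printf 'user\npass\n' > "$_tmp/pass.txt" )
    cat > "$_tmp/us_east.ovpn" <<EOF
client
dev tun
remote vpn.example.net 1198
auth-user-pass $_tmp/pass.txt
script-security 2
keepalive 60 120
up-restart
EOF
    if check_ovpn "$_tmp/us_east.ovpn"; then _r=0; else _r=1; fi
    rm -rf "$_tmp"
    return $_r
}
```

On a jail, run `check_ovpn` against the file named in `sysrc -n openvpn_configfile` and `has_tun_iface "$(ifconfig -l)"` after `service openvpn start`.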
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
You want https://www.privateinternetaccess.com/openvpn/openvpn-nextgen.zip. I wrote the script below to set up PIA in a jail. I've got the resolvconf stuff in it commented out because I no longer use it. It might be useful to you.
I'm getting the error attached, do you have any idea?
 

Attachments

  • 9FF63E58-D3B1-4086-863E-9973765F30DA.png (845.2 KB)

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
chmod u+x /script.sh

./script.sh

To be fair it worked fine on 11.3, I'm having this issue on a 12.0 jail.
 

Hazz

Cadet
Joined
Oct 28, 2020
Messages
1
You probably just need to upgrade your openvpn PIA config files to the nextgen version. I just spent the last couple of hours trying to figure this out. Everything was working fine until this morning.

Oh god I spent ages scratching my head over this, thanks for the heads up regarding PIA!
 

Agurri

Cadet
Joined
Nov 13, 2015
Messages
5
Thank you very much. It helped a lot. My PIA jail had not been working since yesterday morning and I couldn't figure out why. Your script works very well. The only thing I'm having an issue with right now is that if I reboot my jail, the resolvconf file is emptied and I need to either rerun the script or manually add the nameserver back in the file.
 