# OpenVPN client inside jail



## mheppner (Jul 26, 2015)

I am trying to run OpenVPN on the host OS and route all traffic from OpenVPN to a particular jail. Using these threads as a reference, everything seems to work correctly:

- Thread routing-jail-traffic-through-openvpn.39130
- Thread openvpn-client-in-a-jail.38287

OpenVPN connects on the tun0 device and creates the route to the jail. However, inside the jail, I cannot `fetch` or `curl` any URLs. My nameserver inside the jail is set in resolv.conf to 8.8.8.8.

My jails are running off of a cloned interface, lo1. The jail I'm using has an IP of 10.1.1.1 set through ezjail, but it does change when route-up.sh is executed.

openvpn.conf:

```
client
dev tun0
# needed so --route-up may execute an external script (runs as root, before the UID/GID downgrade)
script-security 2
# do not install pushed routes or the redirect-gateway change; route-up.sh does the routing
route-noexec
route-up /usr/local/etc/openvpn/route-up.sh
proto tcp
nobind
route-delay 2
redirect-gateway
...
```

route-up.sh:

```
#!/bin/sh
# Runs as root once the tunnel is up. OpenVPN exports the pushed values as
# route_network_1, route_net_gateway, route_vpn_gateway and ifconfig_local.

# Host route for the pushed network via the pre-existing default gateway
/sbin/route add -net "$route_network_1" "$route_net_gateway" 255.255.255.255

# Load the tunnel rules for the VPN address into the "vpn" anchor
/sbin/pfctl -a vpn -f - <<!
pass in reply-to (tun0 $route_vpn_gateway) to $ifconfig_local
pass out reply-to (tun0 $route_vpn_gateway) from $ifconfig_local
!

# Re-address the running jail to the tunnel address
/usr/sbin/jail -m name=vpn ip4.addr="$ifconfig_local"
```

pf.conf:

```
EXT_IF="re0"
EXT_IP="192.168.1.100"
INT_IF="lo1"            # cloned loopback the ezjail jails sit on
JAILNET=$INT_IF:network
JAIL_VPN="10.1.1.1"     # the jail's ezjail address before route-up.sh moves it

...
# masquerade jail traffic that leaves through the LAN interface
nat on $EXT_IF inet proto { tcp, udp, icmp } from $JAILNET to any -> $EXT_IP
...
```

`openvpn --config /usr/local/etc/openvpn/openvpn.conf`

```
Sat Jul 25 20:14:11 2015 OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jul 23 2015
Sat Jul 25 20:14:11 2015 library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Enter Auth Username:*****
Enter Auth Password:
Sat Jul 25 20:14:21 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat Jul 25 20:14:21 2015 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jul 25 20:14:21 2015 NOTE: --fast-io is disabled since we are not using UDP
Sat Jul 25 20:14:21 2015 Socket Buffers: R=[65536->65536] S=[32768->65536]
Sat Jul 25 20:14:21 2015 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Sat Jul 25 20:14:21 2015 Attempting to establish TCP connection with [AF_INET]***.***.***.***:443 [nonblock]
Sat Jul 25 20:14:22 2015 TCP connection established with [AF_INET]***.***.***.***:443
Sat Jul 25 20:14:22 2015 TCPv4_CLIENT link local: [undef]
Sat Jul 25 20:14:22 2015 TCPv4_CLIENT link remote: [AF_INET]***.***.***.***:443
Sat Jul 25 20:14:22 2015 TLS: Initial packet from [AF_INET]***.***.***.***:443, sid=fb10c548 3c3f80e1
Sat Jul 25 20:14:22 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Jul 25 20:14:23 2015 VERIFY OK: depth=1, C=CH, ST=Zurich, L=Zurich, O=*****, OU=IT, CN=*****, name=*****, emailAddress=admin@*****
Sat Jul 25 20:14:23 2015 VERIFY OK: depth=0, C=CH, ST=Zurich, L=Zurich, O=*****, OU=IT, CN=*****, name=*****, emailAddress=admin@*****
Sat Jul 25 20:14:24 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Jul 25 20:14:24 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 25 20:14:24 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sat Jul 25 20:14:24 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jul 25 20:14:24 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Jul 25 20:14:24 2015 [*****] Peer Connection Initiated with [AF_INET]***.***.***.***:443
Sat Jul 25 20:14:26 2015 SENT CONTROL [*****]: 'PUSH_REQUEST' (status=1)
Sat Jul 25 20:14:26 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS  8.8.8.8,dhcp-option DNS  91.239.100.100,route 10.9.0.1,topology net30,ping 5,ping-restart 30,ifconfig 10.9.2.242 10.9.2.241'
Sat Jul 25 20:14:26 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sat Jul 25 20:14:26 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sat Jul 25 20:14:26 2015 OPTIONS IMPORT: route options modified
Sat Jul 25 20:14:26 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Jul 25 20:14:26 2015 ROUTE_GATEWAY 192.168.1.1
Sat Jul 25 20:14:26 2015 TUN/TAP device tun0 exists previously, keep at program end
Sat Jul 25 20:14:26 2015 TUN/TAP device /dev/tun0 opened
Sat Jul 25 20:14:26 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jul 25 20:14:26 2015 /sbin/ifconfig tun0 10.9.2.242 10.9.2.241 mtu 1500 netmask 255.255.255.255 up
add net 10.9.0.1: gateway 192.168.1.1
No ALTQ support in kernel
ALTQ related functions disabled
Sat Jul 25 20:14:28 2015 GID set to _openvpn
Sat Jul 25 20:14:28 2015 UID set to _openvpn
Sat Jul 25 20:14:28 2015 Initialization Sequence Completed
```
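Two lines in the log above flag weaknesses that the posted configuration fragment does not address: `WARNING: No server certificate verification method has been enabled` (the CA check passes, but nothing stops another client certificate issued by the same CA from posing as the server) and `this configuration may cache passwords in memory`. The fragment below is an added example, not the poster's file, showing the client-side options that remove both warnings. It assumes the server certificate is marked as a server certificate (the `serverAuth` extended key usage that easy-rsa's server profile sets); if it is not, `remote-cert-tls server` will correctly refuse the connection.

```text
client
dev tun0
# Accept only a peer certificate issued for TLS server use, so a client
# certificate from the same CA cannot impersonate the VPN server.
remote-cert-tls server
# Drop the username/password from memory once the handshake is done.
auth-nocache
...
```

With `auth-nocache` every reconnect (the server pushes `ping-restart 30`) asks for the credentials again, so either keep the interactive session or point `auth-user-pass` at a file readable only by root; that trades in-memory caching for an on-disk secret, which is a deliberate choice, not something the thread settles.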

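The route-up hook runs as root (the log shows the UID/GID downgrade deferred until after it), and every value it interpolates into the pf anchor and the `jail -m` command comes from the server's PUSH_REPLY. The script below is an added example, not the poster's script or anything from the referenced threads: it keeps the same three steps (host route, pf anchor, jail re-addressing) and the same names (anchor `vpn`, jail `vpn`, device `tun0`), but refuses to touch the system unless all four OpenVPN variables are present and are plain IPv4 addresses, and prints the commands instead of running them when `DRY_RUN=1` is set so the generated ruleset can be inspected. Two choices are mine and are not from the post: the outbound anchor rule uses `route-to` rather than `reply-to`, because `route-to` is the pf option that redirects the packet itself (with `route-noexec` the host default route is untouched, so the jail's outgoing packets need steering onto the tunnel), and the guard at the end only runs the hook body when the file is invoked as `route-up.sh`.

```shell
#!/bin/sh
# Added example, not the script from the post: a fail-closed --route-up hook.
# Assumes OpenVPN's exported variables route_network_1, route_net_gateway,
# route_vpn_gateway and ifconfig_local, and the post's anchor "vpn", jail
# "vpn" and device tun0. With DRY_RUN=1 set, commands are printed, not run.

TUN_IF="${TUN_IF:-tun0}"
PF_ANCHOR="${PF_ANCHOR:-vpn}"
JAIL_NAME="${JAIL_NAME:-vpn}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0-255.
# The pushed values are untrusted input to the pf parser and to jail(8), so
# anything with spaces, parentheses or extra tokens is rejected outright.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i > 255) exit 1 }'
}

# require_vars NAME...: succeed only if every named variable holds a valid
# IPv4 address; list all offenders on stderr so a bad push is diagnosable.
require_vars() {
    bad=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        is_ipv4 "$value" || bad="$bad $name"
    done
    [ -z "$bad" ] && return 0
    echo "route-up: missing or malformed OpenVPN variables:$bad" >&2
    return 1
}

# pf_rules VPN_GW LOCAL_ADDR: print the anchor ruleset. Replies to inbound
# connections go back through the tunnel (reply-to); the jail's own outbound
# packets are steered onto the tunnel with route-to (my choice, see lead-in).
pf_rules() {
    printf 'pass in reply-to (%s %s) to %s\n' "$TUN_IF" "$1" "$2"
    printf 'pass out route-to (%s %s) from %s\n' "$TUN_IF" "$1" "$2"
}

# run CMD ARG...: execute the command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# route_up_main: the hook body. Returns non-zero without changing anything
# when the environment is incomplete, so a broken push never leaves an empty
# or half-loaded anchor behind.
route_up_main() {
    require_vars route_network_1 route_net_gateway route_vpn_gateway ifconfig_local || return 1
    run /sbin/route add -net "$route_network_1" "$route_net_gateway" 255.255.255.255 || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        printf '/sbin/pfctl -a %s -f - <<EOF\n' "$PF_ANCHOR"
        pf_rules "$route_vpn_gateway" "$ifconfig_local"
        echo EOF
    else
        pf_rules "$route_vpn_gateway" "$ifconfig_local" | /sbin/pfctl -a "$PF_ANCHOR" -f - || return 1
    fi
    run /usr/sbin/jail -m name="$JAIL_NAME" ip4.addr="$ifconfig_local"
}

# Only act when invoked as the hook itself; sourcing the file for tests or
# from other scripts just defines the functions.
case "${0##*/}" in
    route-up.sh) route_up_main || exit $? ;;
esac
```

To check the plan offline with the values from the log above, run `DRY_RUN=1 route_network_1=10.9.0.1 route_net_gateway=192.168.1.1 route_vpn_gateway=10.9.2.241 ifconfig_local=10.9.2.242 sh route-up.sh`; it prints the route command, the anchor ruleset fed to `pfctl -a vpn -f -`, and the `jail -m` call. Unset any of the four variables, or give one a value such as `10.9.2.242 to any`, and it exits 1 having done nothing, which is the behaviour you want from a root-privileged hook that OpenVPN runs on every reconnect.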

----------

