# How to add a jailed server to OpenVPN?



## ghostcorps (May 27, 2011)

Hi Guys

 I have just put my host server behind OpenVPN, but now I am trying to work out how to add a jailed server to the virtual LAN.

 Here is the output of ifconfig


```
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        inet 192.168.254.1 netmask 0xffffff00 broadcast 192.168.254.255
        Opened by PID 95424
```

 From what I have read I thought that I could simply add this line to the the jailed servers config:

/etc/rc.conf

```
ifconfig_tap0="inet 192.168.254.2 netmask 255.255.255.0"
```

Then 


```
#/etc/rc.d/netif restart
```

 Followed by 


```
#/etc/rc.d/routing restart
```



 But after doing this I still can not contact the jailed server over the VPN.


 Here is the output of ifconfig on the jailed server after doing the above:


```
tap0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        ether 00:bd:7f:e5:12:00
        Opened by PID 95424
```

 What have I done wrong?


Thanks for your time


----------



## SirDice (May 27, 2011)

You can't set a jail's IP address from within the jail itself.


----------



## ghostcorps (May 27, 2011)

Thanks 

I'll look into it.


Do you have any suggestions?


----------



## SirDice (May 27, 2011)

Your jail already has an IP address. Just fix the routing on the host and the traffic will be correctly send to the jail.


----------



## ghostcorps (May 27, 2011)

Hmmm

The only IP assigned is the external IP, I am not using NAT. The traffic is currently going to and from the jailed server. It's just that once I an inside the VPN, the jailed server does not exist.

Or am I missing the point of what you are trying to tell me? If so: sorry, and thanks for your patience


----------



## Zare (May 28, 2011)

If you're using bridged VPN without tap device being bridged or directly connected to DHCP server that can provide addresses from desired subnet, you need to set up an ifconfig-pool. In either case, jailed instance's IP should be on the same subnet as one used on tap device / clients.


----------



## ghostcorps (May 30, 2011)

Hi Zare

 I have been trying to find examples of an ifconfig-pool, but I can find any. 

 Do you have one you could show me so I can, perhaps, get my head around it?

Thanks


----------



## ghostcorps (May 31, 2011)

Hi Again,

 For lack of any better suggestions, I have installed OpenVPN on the jailed server and am setting it up as a client with peer-to-peer enabled, it is not ideal, but it is all I can think of  Now I have a new issue... after starting OpenVPN on the new client I get this error:

/var/log/openvpn.log

```
Tue May 31 01:12:50 2011 OpenVPN 2.1.1 amd64-portbld-freebsd8.1 [SSL] [LZO2] built on May 31 2011
Tue May 31 01:12:50 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue May 31 01:12:50 2011 LZO compression initialized
Tue May 31 01:12:50 2011 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue May 31 01:12:50 2011 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue May 31 01:12:50 2011 Local Options hash (VER=V4): 'd79ca330'
Tue May 31 01:12:50 2011 Expected Remote Options hash (VER=V4): 'f7df56b8'
Tue May 31 01:12:50 2011 Socket Buffers: R=[42080->65536] S=[9216->65536]
Tue May 31 01:12:50 2011 UDPv4 link local: [undef]
Tue May 31 01:12:50 2011 UDPv4 link remote: xxx.xxx.xxx.x12:1194
Tue May 31 01:12:50 2011 TLS: Initial packet from xxx.xxx.xxx.x12:1194, sid=8f16ab2d 28e9b9bf
Tue May 31 01:12:50 2011 VERIFY OK: depth=1, /C=AU/ST=CA/L=Melbourne/O=none/CN=vpnserver/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 VERIFY OK: nsCertType=SERVER
Tue May 31 01:12:50 2011 VERIFY OK: depth=0, /C=AU/ST=CA/L=Melbourne/O=none/CN=xxx.com/name=advoy/emailAddress=webmaster@xxx.com.au
Tue May 31 01:12:50 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue May 31 01:12:50 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May 31 01:12:50 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May 31 01:12:50 2011 [xxx.com] Peer Connection Initiated with xxx.xxx.xxx.x12:2501
Tue May 31 01:12:52 2011 SENT CONTROL [xxx.com]: 'PUSH_REQUEST' (status=1)
Tue May 31 01:12:52 2011 PUSH: Received control message: 'PUSH_REPLY,route-gateway 192.168.254.1,ping 10,ping-restart 120,ifconfig 192.168.254.3 255.255.255.0'
Tue May 31 01:12:52 2011 OPTIONS IMPORT: timers and/or timeouts modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: --ifconfig/up options modified
Tue May 31 01:12:52 2011 OPTIONS IMPORT: route-related options modified
[b]openvpn: writing to routing socket: No such process[/b]
Tue May 31 01:12:52 2011 Cannot allocate TUN/TAP dev dynamically
Tue May 31 01:12:52 2011 Exiting
```


----------



## ghostcorps (Jun 1, 2011)

I have found this tutorial that seems to explain some of what I need to do. It is explaining how to use a tun device, but I think I should be able to use some of the advice to include the jail in the VPN. 

Am I on the right track?

OpenVPN server in jail (using a tun device)


----------



## ghostcorps (Jun 3, 2011)

This really isn't fun anymore 

Can someone please give me the answer? Obviously it is simple, or else there would be detailed info about doing it, but I can't see it...

To date: 


Adding the jail as a client does not work


Adding another ip to the jails rc.conf does not work


Adding the jail to the ifconfig_pool using ipp.txt does not work 

I should be able to assign the extra ip to the jail in the hosts rc.conf jail configurations, but this is where I get unstuck... 

I am getting desperate.. please help  :S


----------



## ghostcorps (Jun 3, 2011)

With some more help from Jailed I have finally sorted this out.

In the host's rc.conf I added this line: 

```
jail_webserver_ip_multi0="tap0|192.168.254.2 mtu 1500 netmask 255.255.255.0"
```

Basically it is as suggested in the tutorial above, but changing tun0 for tap0. Then in /usr/local/etc/openvpn/server.conf I uncommented and amended these lines to my purpose:


```
client-config-dir /usr/local/etc/openvpn/ccd
route 192.168.254.2 255.255.255.0
```

And finally in /usr/local/etc/openvpn/ccd/webserver I added this line:


```
ifconfig-push 192.168.254.2
```

As suspected it was very simple.   Thanks to Jailed   He is a star!


----------

