# Running OpenVPN in an ezjail jail



## thegolum35 (Oct 30, 2012)

Hi,

I am dealing with building an OpenVPN server running inside a jail, an ezjail one. So I followed that thread: http://forums.freebsd.org/showthread.php?t=22143. But I got errors:



```
Serveur# /usr/local/etc/rc.d/ezjail start VPN
Configuring jails:.
Starting jails:devfs rule: error converting to number: [4~#
/etc/rc.d/jail: WARNING: devfs_init_rulesets: could not read rules from /etc/defaults/devfs.rules
devfs rule: error converting to number: [4~#
/etc/rc.d/jail: WARNING: devfs_init_rulesets: could not read rules from /etc/defaults/devfs.rules
/etc/rc.d/jail: WARNING: devfs_set_ruleset: you must specify a ruleset number
devfs rule: ioctl DEVFSIO_SAPPLY: No such process
```

Here is my devfs.rules:


```
# Devices usually found in a jail.
#
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login


# Support for TUN devices
#
[devfsrules_unhide_tun=5]
add path tun0 unhide

# Rules for jail <VPN>
#
[devfsrules_jail_VPN=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
```

Is this problem caused by ezjail?

Thank you


----------



## mamalos (Oct 30, 2012)

Please, post the contents of your /etc/rc.conf as well (those that are related to your jail configuration).


----------



## Crest (Oct 30, 2012)

The problem is that your jail needs its own IP stack to run OpenVPN in a sane manner. This in turn requires VIMAGE support in your kernel. VIMAGE is marked as unstable for a reason, although my first tests with 9.1-RC2 look promising.


----------



## mamalos (Oct 30, 2012)

Crest said:

> The problem is that your jail needs its own IP stack to run OpenVPN in a sane manner. This in turn requires VIMAGE support in your kernel. VIMAGE is marked as unstable for a reason, although my first tests with 9.1-RC2 look promising.



Crest, are you sure about what you're saying? Because I've been running OpenVPN inside a jail using a config close to the one that thegolum35 is citing (my config uses tap) and it works just fine. What exactly do you mean by "sane manner"? Cause you've triggered my curiosity.


----------



## gkontos (Oct 30, 2012)

@mamalos,

Yes, OpenVPN can run fine in a jail without VIMAGE. Apparently you are not the only one running it!

@thegolum35



> ```
> [devfsrules_jail=4]
> add include $devfsrules_hide_all
> add include $devfsrules_unhide_basic
> ```
> ...



What exactly is the purpose of the above?


----------



## thegolum35 (Oct 31, 2012)

Thank you for having answered


			
				gkontos said:
			
		

> @mamalos,
> 
> Yes, OpenVPN can run fine in a jail without VIMAGE. Apparently you are not the only one running it!
> 
> ...



I don't know, I think ezjail added these lines in order to prevent jails from accessing devices such as hard drives.

Here is my rc.conf:


```
ezjail_enable="YES"
#jail_enable="YES"
#jail_VPN_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
#jail_VPN_devfs_enable="YES"
#jail_VPN_devfs_ruleset="devfsrules_jail_VPN"
```



Thank you. Gollum


----------



## mamalos (Nov 1, 2012)

I'll suppose that the lines you're showing in your /etc/rc.conf are not commented when you run your scripts...

The error you're getting happens when a /etc/devfs.rules stanza does not contain a number at its end. This is not obvious from the contents of the file you've supplied. Maybe there is some non-printable character somewhere. I'd recommend you to:

`# cp /etc/defaults/devfs.rules /etc/`

again, and append only the rules 5 and 6. Then try to start your jail.


----------
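
One way to check for the problem mamalos describes, as an added example that is not part of the original thread: an sh function that flags non-printable bytes, ruleset headers that are not of the form `[name=number]`, and `add include` references to rulesets not defined earlier. The function name `check_devfs_rules`, the header pattern and the read-in-file-order rule are assumptions of this example, not FreeBSD tooling.

```shell
#!/bin/sh
# Added example (not from the thread): lint devfs.rules files before starting jails.
# Usage: check_devfs_rules /etc/defaults/devfs.rules /etc/devfs.rules
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_devfs_rules() {
    LC_ALL=C awk '
    # Replace control bytes before printing so findings never echo them raw.
    function show(s) { gsub(/[^ -~]/, "?", s); return s }
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }

    # 1. Bytes outside printable ASCII and TAB, e.g. an escape sequence
    #    typed into the file by accident, or a CR from DOS line endings.
    /[^ -~\t]/ { report("non-printable byte: " show($0)) }

    /^[ \t]*#/ { next }    # comment line, nothing else to check

    # 2. Ruleset headers must have the form [name=number].
    /^[ \t]*\[/ {
        if ($0 !~ /^[ \t]*\[[A-Za-z_][A-Za-z0-9_]*=[0-9]+\][ \t]*$/) {
            report("malformed ruleset header: " show($0))
        } else {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/=.*$/, "", name)
            defined[name] = 1
        }
        next
    }

    # 3. "add include $name" must refer to a ruleset defined earlier
    #    (assumption of this example: definitions are read in file order).
    $1 == "add" && $2 == "include" && $3 ~ /^\$/ {
        ref = substr($3, 2)
        if (!(ref in defined)) report("include of undefined ruleset: " show($3))
    }

    END { exit bad + 0 }
    ' "$@"
}

# Run the check when the script is called with file arguments.
if [ "$#" -gt 0 ]; then check_devfs_rules "$@"; fi
```

Pass the defaults file first so that names such as `devfsrules_hide_all` count as defined when the local file includes them.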



## thegolum35 (Nov 5, 2012)

It seems to be working, thank you.


----------

