How to use Openvpn & ipfw in a jail so it only connects to the VPN

Status
Not open for further replies.

denist

Contributor
Joined
Jan 28, 2013
Messages
188
OK, I did a reboot and it works. Had some var/db ownership issues but I sorted it, and the script works fine.

Excellent work.

The sabnzbd folder is a shared folder on my share, as all my details are there; for the same reason, when something goes wrong I have a backup, as my scripts for my tmp directories are there also.

It is not the sabnzbd folder where the plugin resides.

Thanks to all of you, it works as expected: FreeNAS boots and there is no access to the net, as it is loading the last saved ipfw rules. When the script runs (I use FreeNAS to run it every 5 min), it rewrites the ipfw rules and then there is access.

Thanks,

Denis.

Saves me from writing a script.
 
Joined
Mar 6, 2014
Messages
686
Haha! Victory at last! :D

Glad you got it all to work now!
 

CrazySurfaNZ

Cadet
Joined
Apr 7, 2014
Messages
4
Well, since in ipfw I believe the last rule the packet matches would be the one it follows, I think that rule would screw you. I was actually trying to build a kernel to do something like this but got stuck on a compilation error I couldn't figure out.

Just on this issue (also see post 29), I also see the 65535 rule allowing any to any, show up when I run ipfw list. Presumably because of the same kernel option (DEFAULT TO ACCEPT).

However, I believe the above reply is incorrect. Here is a quote from the BSD handbook:
When a packet enters the IPFW firewall, it is compared against the first rule in the ruleset and progresses one rule at a time, moving from top to bottom in sequence. When the packet matches the selection parameters of a rule, the rule's action is executed and the search of the ruleset terminates for that packet. This is referred to as “first match wins”.

You can find more information here:
https://www.freebsd.org/doc/en/books/handbook/firewalls-ipfw.html
See the first paragraph on section 30.4.2 (IPFW Rule Syntax).

Based on that I believe the prior rule 65535 deny any to any will stop the traffic, before the 65535 rule would allow it.
 
Joined
Mar 6, 2014
Messages
686
That is correct.
 

hally9k

Cadet
Joined
May 15, 2015
Messages
1
Thanks so much for a great write up!

I have managed to get this working in my clunky noobish way (mash the keyboard until it works) - I have very little FreeBSD experience.

One question: How could I run a definitive test to show that all traffic to and from that jail is running through the VPN?
 
Joined
Jan 4, 2014
Messages
1,644
I can successfully ping google with the vpn on, but I can also ping google with the vpn off. I have set everything up as described but this is a BIG problem for me.

Here are my firewall rules.

Code:
root@transmission_1:~ # ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any


Why does the firewall have rules that I did not specify? I think the last line is causing the traffic to get through. How do I get rid of this line?

Here is a cat from the file /media/ipfw_rules

Code:
root@transmission_1:~ # cat /media/ipfw_rules
add 01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
add 01002 allow log udp from 10.69.0.0/16 to 10.69.0.1 dst-port 53 keep-state
add 01004 allow log udp from 10.69.0.0/16 to 208.67.222.222 dst-port 53 keep-state
add 01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
add 02000 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02002 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02004 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 02006 allow ip from 10.69.0.0/16 to xxx.xxx.xxx.xxx keep-state
add 04000 allow ip from 127.0.0.1 to any
add 05000 allow ip from 10.0.0.0/8 to any
add 05003 allow ip from any to 10.0.0.0/8
add 65534 deny ip from any to any


If anyone has any suggestions I would appreciate it.

EDIT: After doing some research: if the kernel is compiled with IPFIREWALL_DEFAULT_TO_ACCEPT, then the last rule is created. Is this what FreeNAS does by default in their kernel config? If so, how do I change it?
Did you ever resolve this Kingedgar? I'm having the same issue.
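To make the handbook's first-match-wins rule concrete, and to see what it does to the ruleset posted above, here is a small simulator. It is an added example, not code from this thread or from ipfw itself; it parses the subset of ipfw syntax that appears in the posted `ipfw list` output (allow/deny, an optional log flag, a protocol, from/to hosts or CIDR blocks, `dst-port` and `via`) and walks the rules top to bottom, stopping at the first match exactly as the handbook describes. Run over the IPv4 rules above, it shows two things: a packet from a host in 10.69.0.0/16 to an Internet address matches rule 05000 (`allow ip from 10.0.0.0/8 to any`, because 10.69.0.0/16 lies inside 10.0.0.0/8) long before the deny at 65534 is reached, and a packet that does reach 65534 is denied there, so the kernel's 65535 `allow` is never consulted. The interface name `epair0b` and the sample packet addresses are assumptions.

```python
import ipaddress
import re

# Constructed input: the IPv4 rules from the posted `ipfw list` output, as printed.
RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
01000 allow log udp from 10.69.0.0/16 to 10.69.0.3 dst-port 53 keep-state
01006 allow ip from 10.69.0.0/16 to 10.69.0.0/16 keep-state
04000 allow ip from 127.0.0.1 to any
05000 allow ip from 10.0.0.0/8 to any
05003 allow ip from any to 10.0.0.0/8
65534 deny ip from any to any
65535 allow ip from any to any
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)(?:\s+log)?\s+(?P<proto>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)


def parse_rules(text):
    """Parse the subset of ipfw syntax used above into a list of dicts, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        rule = m.groupdict()
        via = re.search(r"\bvia\s+(\S+)", rule["rest"])
        port = re.search(r"\bdst-port\s+(\d+)", rule["rest"])
        rule["via"] = via.group(1) if via else None
        rule["dst_port"] = int(port.group(1)) if port else None
        rules.append(rule)
    return rules


def addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is a host or a CIDR block."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(rules, src, dst, proto="ip", dst_port=None, iface="epair0b"):
    """Walk the rules top to bottom and return (number, action) of the first match.

    Returns None only if nothing matches; real ipfw never gets there because
    rule 65535 always matches.
    """
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["via"] is not None and r["via"] != iface:
            continue
        if r["dst_port"] is not None and r["dst_port"] != dst_port:
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            return int(r["num"]), r["action"]
    return None


if __name__ == "__main__":
    rules = parse_rules(RULESET)
    # A jail on 10.69.0.0/16 talking to an Internet host while the tunnel is down:
    # rule 05000 allows it, because the jail's network sits inside 10.0.0.0/8.
    print(first_match(rules, "10.69.0.5", "8.8.8.8"))  # (5000, 'allow')
    # A source outside 10.0.0.0/8 reaches 65534 and is denied before 65535 is consulted.
    print(first_match(rules, "192.168.1.5", "8.8.8.8"))  # (65534, 'deny')
    # DNS to the listed resolver matches the port-specific rule.
    print(first_match(rules, "10.69.0.5", "10.69.0.3", proto="udp", dst_port=53))  # (1000, 'allow')
```

On a live jail the same question is answered by `ipfw show` (equivalent to `ipfw -a list`), which prints per-rule packet and byte counters and so reveals which rule is actually absorbing the traffic.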
 

S^2

Cadet
Joined
May 23, 2015
Messages
9
For anyone having issues with pinging other servers on their local network, the issue is with this line.
The "from" is 192 and the "to" address is 196. I had to change 196 to 192 in my config and everything works fine.

Code:
add 01006 allow ip from 192.168.0.0/16 to 196.168.0.0/16 keep-state


should be (at least in my case)

Code:
add 01006 allow ip from 192.168.0.0/16 to 192.168.0.0/16 keep-state




I just did a pkg upgrade and that fixed the problem
Huzzah!
I was having the same problem, hadn't spotted that that one was a 196... changed it to 192 and all is good!
 

BigB

Explorer
Joined
Apr 12, 2015
Messages
60
I'm trying to follow this guide to install my VPN. My provider gives me a link to a zip file with xxxx.ovpn and xxxx.crt files in it. I'm not sure how to download the files and unzip them in FreeNAS. I can extract them on my other computer and put them in the downloads directory, but then I don't know how to get them into the transmission jail.
1) Do I have to do this procedure for each jail I want to use the VPN?
2) Will this keep my FreeNAS safe for torrent use?
 

calgarychris

Contributor
Joined
Aug 27, 2011
Messages
124
Hi,

Followed your guide with a few minor tweaks for BTGuard and it works flawlessly with the one IP number I had, but I'm a total noob. If I know BTGuard issues IPs in the range xxx.xxx.xxx.YYY how do I amend the ipfw rules to cater for the unknown last three digits?

Thanks

edit: Alright, some youtube watching later and I think I've got it xxx.xxx.xxx.0/24 - correct?
 
Last edited:

calgarychris

Contributor
Joined
Aug 27, 2011
Messages
124
Another question however - having specified (and tested) that the ipfw rules work, does one need to worry about ipv6? Should it be disabled? Is it possible to have blocked ipv4 traffic only to somehow have ipv6 traffic bypass the vpn?

Thanks guys, sorry for all the easy questions.
 

ric

Contributor
Joined
Dec 22, 2013
Messages
180
Next you need to add the lines to the rc.conf so openvpn and ipfw start when the jail starts. Go to the /etc directory and fire up nano:
Code (text):
[root@transmission_1 /]# cd /etc
[root@transmission_1 /etc]# nano rc.conf
Note: to save files in nano, Ctrl+o will write the file and Ctrl+x will exit.

Once you've got the rc.conf file opened in nano, add the following lines:

Code (text):
firewall_enable="YES"
firewall_type="/media/ipfw_rules"
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
Note that "firewall_type=" tells ipfw where the rules are to be loaded from, so make sure to change the path to reflect where you are storing the file with the rules.
Now copy over your openvpn config file (usually your VPN service provider will supply this); make sure to name it openvpn.conf.
Code (text):
[root@transmission_1 /]# cp /media/VPNproviderfile.ovpn /usr/local/etc/openvpn/openvpn.conf
Question: where can I get VPNproviderfile.ovpn? I prefer a service provider that offers it free of charge.
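As a check for the rc.conf step in the quoted guide, here is an added example (not from the guide or from this thread) that sets the four variables idempotently, that is without leaving a second `firewall_enable=` line behind when it is run again, and then verifies the result, including whether the rules file named by `firewall_type` actually exists, which is the path the guide says to adjust. The helper names are hypothetical, and the path to the jail's `/etc/rc.conf` is passed in so the code can be tried on a scratch copy first.

```python
import os
import re
import tempfile

# The four settings from the quoted guide; the rules path is the guide's example
# and is normally replaced with wherever the ipfw_rules file really lives.
REQUIRED = {
    "firewall_enable": "YES",
    "firewall_type": "/media/ipfw_rules",
    "openvpn_enable": "YES",
    "openvpn_configfile": "/usr/local/etc/openvpn/openvpn.conf",
}


def set_rc_var(path, key, value):
    """Replace an existing key=... line in an rc.conf-style file, or append one.

    Returns the new file text. Running it twice leaves exactly one line per key.
    """
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = fh.read().splitlines()
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    new_line = '%s="%s"' % (key, value)
    replaced = False
    for i, line in enumerate(lines):
        if pattern.match(line):
            lines[i] = new_line
            replaced = True
    if not replaced:
        lines.append(new_line)
    text = "\n".join(lines) + "\n"
    with open(path, "w") as fh:
        fh.write(text)
    return text


def read_rc_vars(path):
    """Parse key="value" lines into a dict; comments and blank lines are skipped."""
    found = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip().strip('"')
    return found


def check_jail_rc(path, required=REQUIRED):
    """Return a list of problems: a missing or mismatched variable, or a
    firewall_type path (as opposed to a keyword such as "open") that does not exist."""
    problems = []
    found = read_rc_vars(path)
    for key, expected in required.items():
        if found.get(key) != expected:
            problems.append("%s should be %r, found %r" % (key, expected, found.get(key)))
    rules = found.get("firewall_type")
    if rules and rules.startswith("/") and not os.path.exists(rules):
        problems.append("firewall_type points at %s, which does not exist" % rules)
    return problems


if __name__ == "__main__":
    # Demonstration on a scratch directory rather than a real jail (hypothetical paths).
    scratch = tempfile.mkdtemp()
    rc = os.path.join(scratch, "rc.conf")
    with open(rc, "w") as fh:
        fh.write('hostname="transmission_1"\nfirewall_enable="NO"\n')
    wanted = dict(REQUIRED)
    wanted["firewall_type"] = os.path.join(scratch, "ipfw_rules")
    for key, value in wanted.items():
        set_rc_var(rc, key, value)
    print(check_jail_rc(rc, wanted))  # reports the missing rules file until it is created
```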
 

balrog76

Dabbler
Joined
Jul 25, 2015
Messages
10
So I configured OpenVPN with my transmission jail. Along with ipfw. Nice guide :) But, I have observed twice now that when I start the Jail after a reboot of the whole server, Freenas does a kernel panic and the server reboots again. So far, when I start the jail the second time, it goes ok. Anyone ever seen that? Tried to search forums and google. All I could come up with was some references to ipfw, VIMAGE and something named pf. Sad to say that it's well above my skill level :) Hints, suggestions and help appreciated?
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50
I just turned my server on for the first time in 5 months and I am constantly getting a TLS handshake timeout/error now. When I had left everything was working, nothing had changed about my network, etc.

I updated my key/certs and conf file in case if the changes were IP related with airvpn, and still nothing.

I re-set up the jail from scratch, and am still getting the same errors. When I tried setting it up the second time, I skipped over the ipfw sections as I could never get them to run in the first place. I've disabled the firewall on my router, as well as forwarded the ports correctly.

Any ideas?

EDIT: So, on a hunch I've tried logging into my VPN on my desktop, and it seems that a lot of foreign servers simply won't connect. I've fiddled around with the protocols, and SSL and SSH connections work, while anything UDP and TCP on various ports will not connect to my target server. My ISP must be cracking down or trying to shape traffic. How can I get OpenVPN to use SSL or SSH to connect to my VPN?
 
Last edited:
Joined
Mar 6, 2014
Messages
686
EDIT: So, on a hunch I've tried logging into my VPN on my desktop, and it seems that a lot of foreign servers simply won't connect. I've fiddled around with the protocols, and SSL and SSH connections work, while anything UDP and TCP on various ports will not connect to my target server. My ISP must be cracking down or trying to shape traffic. How can I get OpenVPN to use SSL or SSH to connect to my VPN?
You are comparing apples and oranges here. It's not UDP / TCP OR SSL / SSH
A little bit of reading that might be helpful:
http://security.stackexchange.com/questions/19681/where-does-ssl-encryption-take-place
https://developer.mozilla.org/en-US/Learn/TCP_IP_Security
http://security.stackexchange.com/questions/27806/whats-the-difference-between-vpn-over-tcp-vs-udp
 

fmdx

Explorer
Joined
Jan 24, 2015
Messages
50

I understand what TCP and UDP are and what SSL and SSH are. I'm using AirVPN, you can change protocols to use TCP or UDP on various ports and alternatives, and nothing has gone through to the Netherlands even when I plugged directly into my modem. The only connections that make it through is VPN over SSL or SSH. https://airvpn.org/ssl/

Going to give this a try:

https://silvenga.com/openvpn-sheathing/
 

hexit78

Cadet
Joined
Oct 19, 2015
Messages
2
Hi,

Everything doesn't work as it's supposed to for me.
I am searching the log for what is blocked by ipfw but can't find anything blocked by ipfw :(

I have looked in /var/log/ but I don't find anything blocked by ipfw..

Anybody have an idea?
 

Chris Dill

Contributor
Joined
Jan 1, 2014
Messages
116
What specifically are the problems you are seeing, and what steps have you taken in diagnosing them?
 

hexit78

Cadet
Joined
Oct 19, 2015
Messages
2
I have installed and configured OpenVPN; it works like a charm. But I stopped it for the firewall log test.

I test my connection with
Code:
# lynx ipleak.net

and I get the page.

Now I try to get a log of what IPFW blocks when it happens.
So I have created a simple light rule which blocks and logs everything.

Code:
add 65534 deny log ip from any to any


I start IPFW, which shows me the rules I have created.
Code:
root@transmission_1:/ # /etc/rc.d/ipfw start
Flushed all rules.
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65534 deny log ip from any to any
Firewall rules loaded.
Firewall logging enabled.
root@transmission_1:/ #


I test with
Code:
# lynx ipleak.net
Alert!: Unable to access document.


Looking up ipleak.net first
Looking up www.ipleak.net.com, guessing...
Looking up www.ipleak.net.edu, guessing...
Looking up www.ipleak.net.net, guessing...
Looking up www.ipleak.net.org, guessing...
Can't Access `file://localhost//ipleak.net'
Alert!: Unable to access document.

lynx: Can't access startfile
root@transmission_1:/ #


The rule works but I can't find the log of what IPFW has blocked.

I have checked the security file and all the others in /var/log and I don't find any trace of what IPFW has blocked.
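The test above produces no log entries inside the jail's /var/log. One place worth looking is the host rather than the jail: the `log` action is carried out by the kernel, which a jail does not own, so its messages are normally collected by the host's syslogd (by default into /var/log/security on FreeBSD). Once the lines do turn up, the useful question is which rule stopped which flow. The parser below is an added example, not something posted in this thread; it reads constructed sample lines laid out the way the ipfw kernel logger prints them (`ipfw: <rule> <Action> <Proto> <src> <dst> <in|out> via <iface>`, with `:port` on TCP/UDP endpoints and `ICMP:type.code` for ICMP), skips unrelated syslog lines, and counts denied packets per rule, protocol and destination. The hostnames, addresses and interface name in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs) in the layout the ipfw kernel logger
# uses: a syslog prefix, then "ipfw: <rule> <Action> <Proto> <src> <dst> <in|out> via <iface>".
# TCP/UDP endpoints carry ":port"; ICMP shows "ICMP:type.code" and bare addresses.
SAMPLE_LOG = """\
Nov  2 10:15:01 freenas kernel: ipfw: 65534 Deny TCP 10.69.0.5:51234 93.184.216.34:443 out via epair0b
Nov  2 10:15:01 freenas kernel: ipfw: 65534 Deny UDP 10.69.0.5:40000 8.8.8.8:53 out via epair0b
Nov  2 10:15:02 freenas kernel: ipfw: 65534 Deny ICMP:8.0 10.69.0.5 93.184.216.34 out via epair0b
Nov  2 10:15:03 freenas kernel: ipfw: 1000 Accept UDP 10.69.0.5:40001 10.69.0.3:53 out via epair0b
Nov  2 10:15:04 freenas sshd[123]: Accepted publickey for root from 10.69.0.2 port 5000 ssh2
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)


def split_endpoint(endpoint):
    """'10.69.0.5:51234' -> ('10.69.0.5', 51234); a bare IPv4 address -> (addr, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_ipfw_log(text):
    """Return one dict per ipfw line; lines from other programs are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["rule"] = int(event["rule"])
        event["src"], event["sport"] = split_endpoint(event["src"])
        event["dst"], event["dport"] = split_endpoint(event["dst"])
        events.append(event)
    return events


def denied_flows(events):
    """Count denied packets per (rule, protocol, destination): this is the evidence
    that the jail's traffic really is being stopped rather than leaking."""
    return Counter(
        (e["rule"], e["proto"].split(":")[0], e["dst"])
        for e in events
        if e["action"] == "Deny"
    )


if __name__ == "__main__":
    events = parse_ipfw_log(SAMPLE_LOG)
    for (rule, proto, dst), n in sorted(denied_flows(events).items()):
        print("rule %5d denied %d %s packet(s) to %s" % (rule, n, proto, dst))
```

Feeding the real file in place of `SAMPLE_LOG` (for example `parse_ipfw_log(open("/var/log/security").read())` on the host) gives the same per-rule summary for the jail's actual traffic.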
 

thisman105

Dabbler
Joined
Oct 11, 2015
Messages
31
Is the guide on the first post of this topic still accurate with the latest version of FreeNAS (9.3) ?

Thanks
 