SOLVED OpenVPN can't set up TUN

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
I've got OpenVPN all set up but it's no go:
Code:
[root@transmission /]# openvpn --config /usr/local/etc/openvpn/openvpn.conf
Fri Jun 14 16:04:09 2019 WARNING: file '/usr/local/etc/openvpn/pass.txt' is group or others accessible
Fri Jun 14 16:04:09 2019 OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 16 2019
Fri Jun 14 16:04:09 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Fri Jun 14 16:04:09 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]172.98.67.38:1198
Fri Jun 14 16:04:09 2019 UDP link local: (not bound)
Fri Jun 14 16:04:09 2019 UDP link remote: [AF_INET]172.98.67.38:1198
Fri Jun 14 16:04:09 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Jun 14 16:04:09 2019 [d9947588bc751676718d105c512fe777] Peer Connection Initiated with [AF_INET]172.98.67.38:1198
Fri Jun 14 16:04:11 2019 GDG: problem writing to routing socket
Fri Jun 14 16:04:11 2019 Cannot allocate TUN/TAP dev dynamically
Fri Jun 14 16:04:11 2019 Exiting due to fatal error

I know a lot of people had this problem in changing their jails to iocage (I'm late to the party). The magic solution was setting allow_tun to 1. I've done that with the jail GUI and with the command line, and rebooted the entire server. Just can't get it to work. I didn't change the openvpn.conf settings except to point to the user/password file. I don't understand anything about these network interfaces so will definitely need some help.

Glorious1
Here are all the settings of the jail as well as configuration files. If you see any clues, please let me know.
In the jail settings, note that allow_tun is 1, which I assume means true or yes. It is checked in the GUI.
Code:
[jim@Tabernacle ~]$ iocage get all transmission
CONFIG_VERSION:14.1
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:1
available:readonly
basejail:yes
boot:on
bpf:no
children_max:0
cloned_release:11.2-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:none
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:transmission
host_hostuuid:transmission
host_time:yes
hostid:fb601104-7bf4-11e9-aaf7-0cc47a319aec
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:igb0|192.168.0.104/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/transmission/data
jail_zfs_mountpoint:none
last_started:2019-06-15 15:08:28
login_flags:-f root
mac_prefix:0cc47a
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.2-RELEASE-p10
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:pluginv2
used:readonly
vmemoryuse:off
vnet:off
vnet0_mac:none
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off

Here is the active openvpn.conf file (without the keys). Note it contains "dev tun" which I guess tells openvpn to make it:
Code:
[root@transmission /]# cat /usr/local/etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote ca-toronto.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server

auth-user-pass /usr/local/etc/openvpn/pass.txt
compress
verb 1
reneg-sec 0

And here is the rc.conf. It contains openvpn_if="tun", which according to openvpn is supposed to load the tun driver. It wasn't there initially so was an attempt at fixing.
Code:
[root@transmission /]# cat /etc/rc.conf
hostname="transmission"
cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="YES"

transmission_enable="YES"
transmission_conf_dir="/var/db/transmission"
transmission_download_dir="/media/downloads"
transmission_user="tranny"

openvpn_enable="YES"
# Load tun driver
openvpn_if="tun"
openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
firewall_enable="NO"
firewall_type="/media/watch/ipfw_rules"

Glorious1
Here's another possible clue for someone smarter than me:
Code:
root@transmission:~ # ipfw list
ipfw: retrieving config failed: Operation not permitted


Note that firewall is disabled in rc.conf for testing purposes (doesn't work if enabled either). Still, hoping this might be it, I changed the permission on my ipfw_rules to 777. Still doesn't work.

Glorious1
Well some progress from this post - a clue that the jail property vnet needs to be on. I did that, now ipfw list works. But now trying to start OpenVPN results in some other issue:
Code:
root@transmission:~ # openvpn --config /usr/local/etc/openvpn/openvpn.conf
Mon Jun 17 07:29:36 2019 OpenVPN 2.4.7 amd64-portbld-freebsd11.2 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on May 16 2019
Mon Jun 17 07:29:36 2019 library versions: OpenSSL 1.0.2o-freebsd  27 Mar 2018, LZO 2.10
Mon Jun 17 07:29:36 2019 RESOLVE: Cannot resolve host address: ca-toronto.privateinternetaccess.com:1198 (hostname nor servname provided, or not known)
Mon Jun 17 07:29:36 2019 RESOLVE: Cannot resolve host address: ca-toronto.privateinternetaccess.com:1198 (hostname nor servname provided, or not known)
Mon Jun 17 07:29:36 2019 Could not determine IPv4/IPv6 protocol
Mon Jun 17 07:29:36 2019 SIGUSR1[soft,init_instance] received, process restarting

The RESOLVE and restarting just keep repeating. I have no idea what I'm doing, but it still seems like that network is not set up right. I tried setting firewall_enable="NO" in rc.conf and issuing service ipfw onestop, but got the same result as above.

Could someone who has transmission and OpenVPN both working in a jail please post the output of iocage get all <jailname>?

colmconn

Contributor
Joined
Jul 28, 2015
Messages
174
The "cannot resolve" error suggests that you have DNS resolution issues within your jail. Can you resolve ca-toronto.privateinternetaccess.com to an IP using the host command within the jail? If not, you need to fix your DNS resolution (check /etc/resolv.conf).

Glorious1
Thanks for the reply.
Looks like resolv.conf has the same nameservers I set up in the main FreeNAS:
Code:
root@transmission:~ # cat /etc/resolv.conf
# Generated by resolvconf
search local
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 4.2.2.3


There seems to be no network connection:
Code:
root@transmission:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable

root@transmission:~ # host ca-toronto.privateinternetaccess.com
;; connection timed out; no servers could be reached


Before I turned vnet ON, there was a long list of things in ifconfig (but tun couldn't work); now just one:
Code:
root@transmission:~ # ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    groups: lo 


If I turn vnet OFF, and restart the jail, I get lots of stuff in ifconfig and I have internet connection:
Code:
root@transmission:~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=56 time=5.698 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=7.737 ms

root@transmission:~ # host ca-toronto.privateinternetaccess.com
ca-toronto.privateinternetaccess.com has address 172.98.67.142
ca-toronto.privateinternetaccess.com has address 172.98.67.96 . . .


But I'm back to the original TUN fatal error with openvpn.

colmconn
You should have more than loopback (lo) showing in the output of your ifconfig command. So it's no wonder you're having network problems.

Can you post the output of
Code:
iocage get all transmission

Glorious1
You should have more than loopback (lo) showing in the output of your ifconfig command. So it's no wonder you're having network problems.

Can you post the output of
Code:
iocage get all transmission
That problem is only when vnet is on. As noted, I have tons of network interfaces (or whatever they're called) when it is off, and can access the internet just fine. EDIT: But openvpn can't run apparently because it can't establish TUN.

The output of that iocage jail settings command is in the second post (with vnet off, as it is now).

Glorious1
I noticed the ipv4 default router was not set (defaultrouter in the output of iocage get all transmission). With the jail stopped, for some reason that was greyed out in the GUI and I couldn't set it. So I did it with sudo iocage set defaultrouter="192.168.0.1" transmission, and it shows in the GUI after starting the jail.

But openvpn still can't start!

Glorious1
Finally got it working. The trick was yes, turn vnet (and bpf) on, and, since I want it to have a permanent local IP (not DHCP), the ip4_addr property has to be vnet0|192.168.0.104/24. In the GUI the latter is 3 settings, IPv4 Interface (vnet0), Address (192.168.0.104), and Netmask (24). tun0 pops up when openvpn is running and disappears when not.

For anyone struggling as I was, here are the complete jail settings. Note that this jail was initiated as a transmission plugin jail.
Code:
[jim@Tabernacle ~]$ iocage get all transmission
CONFIG_VERSION:14.1
allow_chflags:0
allow_mlock:0
allow_mount:0
allow_mount_devfs:0
allow_mount_nullfs:0
allow_mount_procfs:0
allow_mount_tmpfs:0
allow_mount_zfs:0
allow_quotas:0
allow_raw_sockets:1
allow_set_hostname:1
allow_socket_af:0
allow_sysvipc:0
allow_tun:1
available:readonly
basejail:yes
boot:on
bpf:yes
children_max:0
cloned_release:11.2-RELEASE
comment:none
compression:lz4
compressratio:readonly
coredumpsize:off
count:1
cpuset:off
cputime:off
datasize:off
dedup:off
defaultrouter:192.168.0.1
defaultrouter6:none
depends:none
devfs_ruleset:4
dhcp:off
enforce_statfs:2
exec_clean:1
exec_fib:0
exec_jail_user:root
exec_poststart:/usr/bin/true
exec_poststop:/usr/bin/true
exec_prestart:/usr/bin/true
exec_prestop:/usr/bin/true
exec_start:/bin/sh /etc/rc
exec_stop:/bin/sh /etc/rc.shutdown
exec_system_jail_user:0
exec_system_user:root
exec_timeout:60
host_domainname:none
host_hostname:transmission
host_hostuuid:transmission
host_time:yes
hostid:fb601104-7bf4-11e9-aaf7-0cc47a319aec
hostid_strict_check:off
interfaces:vnet0:bridge0
ip4:new
ip4_addr:vnet0|192.168.0.104/24
ip4_saddrsel:1
ip6:new
ip6_addr:none
ip6_saddrsel:1
jail_zfs:off
jail_zfs_dataset:iocage/jails/transmission/data
jail_zfs_mountpoint:none
last_started:2019-06-18 15:35:43
login_flags:-f root
mac_prefix:0cc47a
maxproc:off
memorylocked:off
memoryuse:off
mount_devfs:1
mount_fdescfs:1
mount_linprocfs:0
mount_procfs:0
mountpoint:readonly
msgqqueued:off
msgqsize:off
nmsgq:off
notes:none
nsemop:off
nshm:off
nthr:off
openfiles:off
origin:readonly
owner:root
pcpu:off
priority:99
pseudoterminals:off
quota:none
release:11.2-RELEASE-p10
reservation:none
resolver:/etc/resolv.conf
rlimits:off
securelevel:2
shmsize:off
stacksize:off
state:up
stop_timeout:30
swapuse:off
sync_state:none
sync_target:none
sync_tgt_zpool:none
sysvmsg:new
sysvsem:new
sysvshm:new
template:no
type:pluginv2
used:readonly
vmemoryuse:off
vnet:on
vnet0_mac:0cc47a03aa46 0cc47a03aa47
vnet1_mac:none
vnet2_mac:none
vnet3_mac:none
vnet_default_interface:auto
vnet_interfaces:none
wallclock:off
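As an added example (not code from the thread, from iocage or from OpenVPN): a small POSIX sh preflight that reads the text of iocage get all <jail> and flags the settings the thread converged on for running OpenVPN with dev tun in a jail: allow_tun=1, vnet=on, bpf=yes, a static ip4_addr attached to vnet0 rather than a host NIC, and a defaultrouter. It also checks the mode of the auth-user-pass file that OpenVPN warned about in the first post. The two settings excerpts embedded in it are constructed from the dumps posted above; property names and the dhcp=on shortcut are assumptions about the iocage dump format, and the bpf requirement is taken from the working config in the last post rather than from iocage documentation.

```shell
#!/bin/sh
# Preflight for an iocage jail that has to run OpenVPN with "dev tun".
# Added example, not part of the thread or of iocage. Reads the text of
# `iocage get all <jail>` (one "key:value" per line) and applies the checks
# the thread converged on. Assumption: property names match the dump above.

# Print the value of property $2 from settings text $1 (empty if absent).
jail_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2:\(.*\)$/\1/p" | head -n 1
}

# Return the number of failed checks; 0 means the jail looks ready for tun.
check_jail_config() {
    settings="$1"
    fails=0

    v=$(jail_prop "$settings" allow_tun)
    if [ "$v" != "1" ]; then
        echo "FAIL allow_tun=$v  (need 1, or OpenVPN cannot allocate a TUN device)"
        fails=$((fails + 1))
    fi

    v=$(jail_prop "$settings" vnet)
    if [ "$v" != "on" ]; then
        echo "FAIL vnet=$v  (need on: with vnet off the thread saw 'problem writing to routing socket')"
        fails=$((fails + 1))
    fi

    v=$(jail_prop "$settings" bpf)
    if [ "$v" != "yes" ]; then
        echo "FAIL bpf=$v  (the working config in the thread has bpf=yes)"
        fails=$((fails + 1))
    fi

    # Static addressing only; a DHCP jail (assumed to report dhcp:on) gets
    # its address and gateway from the lease instead.
    if [ "$(jail_prop "$settings" dhcp)" != "on" ]; then
        v=$(jail_prop "$settings" ip4_addr)
        case "$v" in
            'vnet0|'*) ;;
            *)  echo "FAIL ip4_addr=$v  (need vnet0|<address>/<prefix> when vnet is on, not a host NIC like igb0)"
                fails=$((fails + 1)) ;;
        esac
        v=$(jail_prop "$settings" defaultrouter)
        if [ -z "$v" ] || [ "$v" = "none" ]; then
            echo "FAIL defaultrouter=$v  (set the LAN gateway: iocage set defaultrouter=192.168.0.1 <jail>)"
            fails=$((fails + 1))
        fi
    fi
    return $fails
}

# The auth-user-pass file holds the VPN password: require owner-only access
# (mode 0600). Parses ls output so it behaves the same on FreeBSD and Linux.
check_secret_mode() {
    group_other=$(ls -ld "$1" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "FAIL $1 is group/other accessible; fix with: chmod 600 $1"
        return 1
    fi
    return 0
}

# Constructed excerpts of the two dumps posted in the thread (before / after).
BROKEN='allow_tun:1
bpf:no
defaultrouter:none
dhcp:off
ip4_addr:igb0|192.168.0.104/24
vnet:off'
FIXED='allow_tun:1
bpf:yes
defaultrouter:192.168.0.1
dhcp:off
ip4_addr:vnet0|192.168.0.104/24
vnet:on'

for dump in "$BROKEN" "$FIXED"; do
    if check_jail_config "$dump"; then
        echo "OK: jail settings look ready for dev tun"
    fi
done

# Demo of the credentials check on a scratch file (0644, then 0600).
tmp=$(mktemp)
chmod 644 "$tmp"
check_secret_mode "$tmp" || true
chmod 600 "$tmp"
check_secret_mode "$tmp" && echo "OK: $tmp is owner-only"
rm -f "$tmp"
```

On a live system feed it the real dump, for example check_jail_config "$(iocage get all transmission)" on the host, and run check_secret_mode /usr/local/etc/openvpn/pass.txt inside the jail. The same owner-only rule applies to any file that feeds a privileged service: an ipfw rules file set to 777, as one post tried, lets any local user rewrite the firewall policy, so keep it root-owned and not writable by others.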