
Re: [ezjail] OpenVPN in a FreeBSD jail



On 2013-08-29 11:17, Philipp Wuensche wrote:
Zenny wrote:
On 8/28/13, Philipp Wuensche <cryx-freebsd AT h3q DOT com> wrote:
Dan Langille wrote:
Are you running OpenVPN in a FreeBSD 9.1 jail?

If so, I want to talk to you.  The docs I have found are from 2011, and
things have changed.

The main issue I have now is tun0 disappearing when OpenVPN stops, but I
have OpenVPN running (but untested).

I'd like to learn more from someone who already has this running.
I have solved this with the usage of jaildaemon and a small script that
recreates the tun0 config inside the hostsystem when the openvpn
rc-script is run inside the jail.

Would you mind sharing the process? Thanks!

Sure!

As the problem is that when you stop openvpn inside the jail, openvpn
unconfigures its tun interface, I have a jaildaemon running in the
hostsystem, which executes a script which simply reconfigures the tun0
interface from within the hostsystem every time openvpn is stopped/restarted.

Inside the hostsystem I run this jaildaemon:

jaildaemon -j <jid-of-your-openvpn-jail> -c /opt/openvpn-route-reset -t route-reset -r

This makes me think you need to restart jaildaemon whenever that jail is restarted. I am
quite confident that can be scripted.  Have you done that already?

Reading man 1 jaildaemon, I see that this spawns a process in the given jail,
and gives that process a proctitle of 'route-reset'.

The /opt/openvpn-route-reset script simply reconfigures the interface
and route:

------------------------
#!/bin/sh

ifconfig tun0 10.1.0.1 10.1.0.2 netmask 255.255.255.255
route add -net 10.1.0.0/24 10.1.0.2
------------------------

And in the rc.d/openvpn script inside the jail I added the kill of the
jaildaemon probe:

-----------------------
stop_postcmd()
{
	rm -f "$pidfile" || warn "Could not remove $pidfile."
+	pkill -HUP -f route-reset

Reading man 1 pkill, this sends a HUP to all processes with title = 'route-reset'.

This causes the spawned process to report back to the jaildaemon, which then executes
the /opt/openvpn-route-reset script.

}

-----------------------
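
Review bot: The added pkill -HUP -f route-reset line in stop_postcmd() matches its pattern as an unanchored regular expression against each process's full argument list, so any other process in the jail whose command line merely contains "route-reset" also receives the HUP; a pattern anchored to the probe's actual title would avoid that. It is also the last command in the function and, unlike the rm -f line above it with its || warn, has no failure handling, so when the probe is not running pkill's non-zero exit status becomes the function's return status; adding a || warn clause in the same style would make that case visible.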

This way, every time I restart openvpn inside the jail the
/opt/openvpn-route-reset script gets executed in the hostsystem and the
interface is correctly set up.

greetings,
cryx


--
Dan Langille - http://langille.org/
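
A more defensive variant of the /opt/openvpn-route-reset script from the thread, as an added example (not Philipp's script): it checks that tun0 exists, removes a stale route before re-adding it so repeated runs do not fail with "File exists", and logs each failure. The interface name and addresses are the ones quoted above; the function names, log tag and return codes are assumptions.

```shell
#!/bin/sh
# Added example: idempotent host-side route reset for the jailed OpenVPN setup.
# Values below are copied from the thread; everything else is illustrative.
TUN_IF="tun0"
TUN_LOCAL="10.1.0.1"
TUN_PEER="10.1.0.2"
VPN_NET="10.1.0.0/24"

# Log to syslog, falling back to stderr if logger is unavailable.
log() {
    logger -t route-reset "$*" 2>/dev/null || echo "route-reset: $*" >&2
}

reset_tun() {
    # Bail out early if the interface does not exist on the host.
    if ! ifconfig "$TUN_IF" >/dev/null 2>&1; then
        log "$TUN_IF missing, nothing to configure"
        return 1
    fi

    # Restore the point-to-point addresses that OpenVPN removed on stop.
    ifconfig "$TUN_IF" "$TUN_LOCAL" "$TUN_PEER" netmask 255.255.255.255 || {
        log "ifconfig $TUN_IF failed"
        return 2
    }

    # Drop any stale route first so 'route add' does not fail on re-runs.
    route -q delete -net "$VPN_NET" >/dev/null 2>&1 || true
    route -q add -net "$VPN_NET" "$TUN_PEER" || {
        log "route add $VPN_NET failed"
        return 3
    }

    log "$TUN_IF and route to $VPN_NET restored"
    return 0
}

# Act only when installed under the name jaildaemon is told to execute;
# sourcing the file from elsewhere just defines the functions.
case "$0" in
    */openvpn-route-reset) reset_tun ;;
esac
```

The script takes no arguments and reads nothing from the jail, so the jail can only trigger the reset, not change what is configured on the host.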