======================================= freebsd openvpn in a vnet jail ======================================= yes! ======================================= simplified topology --------------------------------------- private network: 192.168.30.0/24 public network: 99.99.99.97/29 openvpn server: 192.168.30.192/24 openvpn network: 10.10.0.0/24 host private ip: 192.168.30.55/24 host public ip: up jail private ip: 192.168.30.192/24 jail public ip: 99.99.99.99/29 ======================================= local machines: add return route to openvpn network --------------------------------------- # freebsd /etc/rc.conf static_routes="openvpn" route_openvpn="-net 10.10.0.0/24 192.168.30.192" ....................................... # linux /etc/network/interfaces up route add -net 10.10.0.0/24 gw 192.168.30.192 dev enp0s3 ....................................... # windows command prompt run as administrator route -p ADD 10.10.0.0 MASK 255.255.255.0 192.168.30.192 ....................................... 
# mac terminal (temporary) sudo route -n add -net 10.10.0.0/24 192.168.30.192 ======================================= host: /etc/devfs.rules --------------------------------------- [devfsrules_jail_vino=6] add include $devfsrules_hide_all add include $devfsrules_unhide_basic add include $devfsrules_unhide_login add path tun0 unhide add path zfs unhide ======================================= host: /etc/jail.conf --------------------------------------- exec.clean; exec.start = "/bin/sh /etc/rc"; exec.stop = "/bin/sh /etc/rc.shutdown"; allow.mount; mount.devfs; path = "/export/jail/${name}/root"; exec.consolelog = "/var/log/jail_${name}.log"; vino { vnet; vnet.interface = "epair2b"; vnet.interface += "epair12b"; devfs_ruleset = "6"; } ======================================= host: /etc/rc.conf --------------------------------------- # private interface ifconfig_igb0="inet 192.168.30.55 netmask 255.255.255.0" defaultrouter="192.168.30.1" # public interface for jails only ifconfig_igb1="up" # add route to openvpn gateway static_routes="openvpn" route_openvpn="-net 10.10.0.0/24 192.168.30.192" # jail jail_enable="YES" # only start listed jails on boot otherwise start all jail_list="vino" # igb0 bridge0 epair0xx = private # igb1 bridge1 epair1xx = public cloned_interfaces="\ bridge0 epair0 epair1 epair2 \ bridge1 epair10 epair11 epair12" # private ifconfig_bridge0="\ addm igb0 \ addm epair0a \ addm epair1a \ addm epair2a \ " ifconfig_epair0a="up" ifconfig_epair1a="up" ifconfig_epair2a="up" # public ifconfig_bridge1="\ addm igb1 \ addm epair10a \ addm epair11a \ addm epair12a \ " ifconfig_epair10a="up" ifconfig_epair11a="up" ifconfig_epair12a="up" # tun for vino the openvpn jail jail_vino_ip_multi0="tun0|10.10.0.1 10.10.0.2 mtu 1500 netmask 255.255.255.255" ....................................... 
service devfs restart service netif restart ls -l /dev/tun0 crw------- 1 uucp dialer 0xda Sep 12 14:40 /dev/tun0 ifconfig tun0 ifconfig: interface tun0 does not exist ======================================= host: install migratable jail --------------------------------------- zfs list -o name,mounted -r tank/jail/vino/disk | grep 'yes' | cat -n - | sort -rn | awk '{ print "zfs umount -f " $2 }' zfs destroy -fR tank/jail/vino zfs create tank/jail/vino zfs create tank/jail/vino/root zfs set canmount=off tank/jail/vino/root zfs create tank/jail/vino/disk zfs create tank/jail/vino/disk/zroot zfs set mountpoint=/export/jail/vino/root/zroot tank/jail/vino/disk/zroot zfs create tank/jail/vino/disk/zroot/ROOT zfs set mountpoint=none tank/jail/vino/disk/zroot/ROOT zfs create tank/jail/vino/disk/zroot/ROOT/default zfs set canmount=on tank/jail/vino/disk/zroot/ROOT/default zfs set mountpoint=/export/jail/vino/root tank/jail/vino/disk/zroot/ROOT/default zfs create tank/jail/vino/disk/zroot/tmp zfs set mountpoint=/export/jail/vino/root/tmp tank/jail/vino/disk/zroot/tmp zfs create tank/jail/vino/disk/zroot/usr zfs set canmount=off tank/jail/vino/disk/zroot/usr zfs set mountpoint=/export/jail/vino/root/usr tank/jail/vino/disk/zroot/usr zfs create tank/jail/vino/disk/zroot/usr/home zfs create tank/jail/vino/disk/zroot/usr/ports zfs create tank/jail/vino/disk/zroot/usr/src zfs create tank/jail/vino/disk/zroot/var zfs set canmount=off tank/jail/vino/disk/zroot/var zfs set mountpoint=/export/jail/vino/root/var tank/jail/vino/disk/zroot/var zfs create tank/jail/vino/disk/zroot/var/audit zfs create tank/jail/vino/disk/zroot/var/crash zfs create tank/jail/vino/disk/zroot/var/log zfs create tank/jail/vino/disk/zroot/var/mail zfs create tank/jail/vino/disk/zroot/var/tmp zfs get -r -t filesystem canmount,mountpoint tank/jail/vino | grep -v "PROPERTY" | sort -b -t' ' -k 2 -k 1 bsdinstall jail /export/jail/vino/root ======================================= host: 
/export/jail/vino/root/etc/rc.conf --------------------------------------- hostname="vino" ifconfig_epair2b="inet 192.168.30.192 netmask 255.255.255.0" ifconfig_epair12b="inet 99.99.99.99 netmask 255.255.255.248" defaultrouter="99.99.99.98" ======================================= host: start the jail --------------------------------------- service jail start vino jexec vino ======================================= jail: install openvpn --------------------------------------- pkg install openvpn mkdir -p /usr/local/etc/openvpn/ccd mkdir -p /usr/local/etc/openvpn/easy-rsa cp -r /usr/local/share/easy-rsa/* /usr/local/etc/openvpn/easy-rsa/ cd /usr/local/etc/openvpn/easy-rsa easyrsa init-pki ======================================= jail: /usr/local/etc/openvpn/easy-rsa/pki/vars --------------------------------------- set_var EASYRSA_REQ_COUNTRY "CA" set_var EASYRSA_REQ_PROVINCE "ON" set_var EASYRSA_REQ_CITY "Pickering" set_var EASYRSA_REQ_ORG "acme" set_var EASYRSA_REQ_EMAIL "you@example.com" set_var EASYRSA_REQ_OU "Imagination" set_var EASYRSA_KEY_SIZE 2048 set_var EASYRSA_CA_EXPIRE 36500 set_var EASYRSA_CERT_EXPIRE 36500 set_var EASYRSA_DIGEST "sha256" ======================================= cd /usr/local/etc/openvpn/easy-rsa easyrsa build-ca nopass >> Common Name (eg: your user, host, or server name) [Easy-RSA CA]: <-------- just hit enter easyrsa build-server-full server nopass >> Confirm request details: <-------- yes easyrsa gen-dh easyrsa gen-crl openvpn --genkey secret /usr/local/etc/openvpn/easy-rsa/pki/ta.key cp /usr/local/etc/openvpn/easy-rsa/pki/ca.crt /usr/local/etc/openvpn/ cp /usr/local/etc/openvpn/easy-rsa/pki/dh.pem /usr/local/etc/openvpn/ cp /usr/local/etc/openvpn/easy-rsa/pki/ta.key /usr/local/etc/openvpn/ cp /usr/local/etc/openvpn/easy-rsa/pki/crl.pem /usr/local/etc/openvpn/ cp /usr/local/etc/openvpn/easy-rsa/pki/issued/server.crt /usr/local/etc/openvpn/ cp /usr/local/etc/openvpn/easy-rsa/pki/private/ca.key /usr/local/etc/openvpn/ # note: server.conf below does not reference ca.key, so the CA private key does not need to be copied here and is better left only in the easy-rsa pki cp 
/usr/local/etc/openvpn/easy-rsa/pki/private/server.key /usr/local/etc/openvpn/ ======================================= jail: /usr/local/etc/openvpn/server.conf --------------------------------------- port 1194 proto udp dev tun topology subnet ca ca.crt cert server.crt key server.key # This file should be kept secret dh dh.pem server 10.10.0.0 255.255.255.0 ifconfig-pool-persist ipp.txt push "route 192.168.30.0 255.255.255.0" client-config-dir ccd client-to-client keepalive 10 120 tls-auth ta.key 0 # This file is secret data-ciphers AES-256-GCM:AES-128-GCM data-ciphers-fallback AES-256-CBC persist-key persist-tun status openvpn-status.log verb 3 explicit-exit-notify 1 crl-verify crl.pem ======================================= jail: /usr/local/etc/openvpn/client.conf --------------------------------------- client dev tun proto udp remote 99.99.99.99 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server mute-replay-warnings data-ciphers AES-256-GCM:AES-128-GCM data-ciphers-fallback AES-256-CBC verb 3 auth-nocache key-direction 1 ======================================= jail: /etc/rc.conf --------------------------------------- # openvpn openvpn_enable="YES" openvpn_if="tun" openvpn_configfile="/usr/local/etc/openvpn/server.conf" openvpn_dir="/usr/local/etc/openvpn/" gateway_enable="YES" ....................................... ls -l /dev/tun* ls: No match. 
ifconfig tun0 ifconfig: interface tun0 does not exist service openvpn start ls -l /dev/tun* crw------- 1 uucp dialer 0xda Sep 12 15:11 /dev/tun0 ifconfig tun0 tun0: flags=8043 metric 0 mtu 1500 options=80000 inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 groups: tun nd6 options=29 Opened by PID 14112 ======================================= jail: create OpenVPN client certificates --------------------------------------- cd /usr/local/etc/openvpn/easy-rsa easyrsa build-client-full john >> Enter PEM pass phrase: <-------- pass phrase >> Verifying - Enter PEM pass phrase: <-------- pass phrase >> Confirm request details: <-------- yes ....................................... cat /usr/local/etc/openvpn/client.conf > /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn cat /usr/local/etc/openvpn/easy-rsa/pki/ta.key >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn cat /usr/local/etc/openvpn/easy-rsa/pki/ca.crt >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn cat /usr/local/etc/openvpn/easy-rsa/pki/issued/john.crt >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn cat /usr/local/etc/openvpn/easy-rsa/pki/private/john.key >> /usr/local/etc/openvpn/acme.john.ovpn echo "" >> /usr/local/etc/openvpn/acme.john.ovpn ....................................... import /usr/local/etc/openvpn/acme.john.ovpn into an openvpn client connect and connect from a remote network! 
======================================= jail: firewall and routing (recommended) ======================================= set up ipfw for custom forwarding and to restrict the access of john and other users to the private network and its machines ======================================= jail: assign ip to user (optional) --------------------------------------- https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/ # /26 or 255.255.255.192 mask # 10.10.0.1/26 - 10.10.0.62/26 <------- range 1 # 10.10.0.65/26 - 10.10.0.126/26 <------- range 2 # 10.10.0.129/26 - 10.10.0.190/26 <------- range 3 # 10.10.0.193/26 - 10.10.0.254/26 <------- range 4 (john) echo "ifconfig-push 10.10.0.201 255.255.255.192" > /usr/local/etc/openvpn/ccd/john ======================================= host: /etc/rc.conf --------------------------------------- # ipfw for jail firewall_enable="YES" firewall_type="open" ======================================= jail: /etc/rc.conf --------------------------------------- # ipfw firewall_enable="YES" firewall_script="/usr/local/bin/ipfw.sh" firewall_logging="YES" ======================================= jail: /etc/sysctl.conf --------------------------------------- # ipfw logging net.inet.ip.fw.verbose_limit=10 ======================================= jail: /usr/local/bin/ipfw.sh --------------------------------------- #!/bin/sh # # ipfw # # just update this script when you need any changes and run it # Setup ----------------------------------------------------------------------- # Add rule rule="ipfw -q add" # loopback loop="lo0" # private LAN interface lan="epair2b" # public WAN interface wan="epair12b" # VPN interface vpn="tun0" # from remote someone="123.123.0.0/16" # Flush out the list first ---------------------------------------------------- ipfw -q -f flush # Allow loopback In/Out ------------------------------------------------------- # $rule 1100 allow all from any to any via $loop $rule 1100 allow tcp from any to any via 
$loop $rule 1110 allow udp from any to any via $loop $rule 1120 allow icmp from any to any via $loop # Allow LAN In/Out ------------------------------------------------------------ # $rule 2100 allow all from any to any via $lan $rule 2100 allow tcp from any to any via $lan $rule 2110 allow udp from any to any via $lan $rule 2120 allow icmp from any to any via $lan # Allow VPN In/Out ------------------------------------------------------------ $rule 3100 allow all from any to any out via $vpn # $rule 3101 allow all from 10.10.0.2 to any in via $vpn # vpn range 1: 10.10.0.1/26 - 10.10.0.62/26 $rule 3110 allow all from 10.10.0.0/26 to any in via $vpn # vpn range 2: 10.10.0.65/26 - 10.10.0.126/26 $rule 3120 allow tcp from 10.10.0.64/26 to any dst-port 139,445 in via $vpn $rule 3121 allow udp from 10.10.0.64/26 to any dst-port 137,138 in via $vpn # vpn range 3: 10.10.0.129/26 - 10.10.0.190/26 $rule 3130 allow all from 10.10.0.128/26 to 192.168.30.30,192.168.30.31,192.168.30.32 dst-port 80,443 in via $vpn # vpn range 4: 10.10.0.193/26 - 10.10.0.254/26 $rule 3140 allow tcp from 10.10.0.201 to 192.168.30.80 dst-port 139,445 in via $vpn $rule 3141 allow udp from 10.10.0.201 to 192.168.30.80 dst-port 137,138 in via $vpn $rule 3142 allow tcp from 10.10.0.202 to 192.168.30.87 dst-port 139,445 in via $vpn $rule 3143 allow udp from 10.10.0.202 to 192.168.30.87 dst-port 137,138 in via $vpn $rule 3144 allow tcp from 10.10.0.203 to 192.168.30.66 dst-port 80,443 in via $vpn $rule 3145 allow udp from 10.10.0.203 to 192.168.30.66 dst-port 80,443 in via $vpn # Allow Existing Connections In/Out ------------------------------------------- # Allow if packet matches an existing entry in the dynamic rules table $rule 4100 check-state # Deny WAN Attack in ---------------------------------------------------------- # Deny non-routable reserved address spaces $rule 5100 deny all from 192.168.0.0/16 to any in via $wan #RFC 1918 private IP $rule 5110 deny all from 172.16.0.0/12 to any in via 
$wan #RFC 1918 private IP $rule 5120 deny all from 10.0.0.0/8 to any in via $wan #RFC 1918 private IP $rule 5130 deny all from 127.0.0.0/8 to any in via $wan #loopback $rule 5140 deny all from 0.0.0.0/8 to any in via $wan #loopback $rule 5150 deny all from 169.254.0.0/16 to any in via $wan #DHCP auto-config $rule 5160 deny all from 192.0.2.0/24 to any in via $wan #reserved for docs $rule 5170 deny all from 204.152.64.0/23 to any in via $wan #Sun cluster interconnect $rule 5180 deny all from 224.0.0.0/3 to any in via $wan #Class D & E multicast # Deny public pings # $rule 5200 deny icmp from any to any in via $wan # Allow traceroute out $rule 5200 unreach port udp from any to any 33434-33524 via $wan $rule 5210 allow icmp from any to any icmptypes 0,3,4,11 via $wan # Deny ident $rule 5300 deny tcp from any to any 113 in via $wan # Deny all Netbios services. $rule 5400 deny tcp from any to any 137 in via $wan $rule 5410 deny tcp from any to any 138 in via $wan $rule 5420 deny tcp from any to any 139 in via $wan $rule 5430 deny tcp from any to any 81 in via $wan # Deny fragments $rule 5500 deny all from any to any frag in via $wan # Deny ACK packets that did not match the dynamic rule table $rule 5600 deny tcp from any to any established in via $wan # Allow WAN Out (client) ------------------------------------------------------ $rule 6100 allow tcp from me to any out via $wan setup keep-state $rule 6110 allow udp from me to any out via $wan keep-state $rule 6120 allow icmp from me to any out via $wan keep-state # Allow WAN In (server) ------------------------------------------------------- # SSH # $rule 7100 allow log tcp from $someone to me 22 in via $wan setup keep-state # OpenVPN (limit max 50 connections) $rule 7900 allow log udp from any to me 1194 in via $wan limit src-addr 50 # Deny & Log ------------------------------------------------------------------ # Deny & Log all other incoming connections $rule 9100 deny log all from any to any in via $wan # Deny & Log 
everything else $rule 9200 deny log all from any to any ....................................... chmod 700 /usr/local/bin/ipfw.sh service ipfw start ipfw show /usr/local/bin/ipfw.sh ======================================= jail: revoke client certificates --------------------------------------- cd /usr/local/etc/openvpn/easy-rsa easyrsa revoke john >> Continue with revocation: <-------- yes easyrsa gen-crl cp /usr/local/etc/openvpn/easy-rsa/pki/crl.pem /usr/local/etc/openvpn/ rm /usr/local/etc/openvpn/ccd/john rm /usr/local/etc/openvpn/acme.john.ovpn rm /usr/local/etc/openvpn/easy-rsa/pki/issued/john.crt rm /usr/local/etc/openvpn/easy-rsa/pki/private/john.key ======================================= :0) =======================================