Monthly Archives: May 2013

jailed openvpn server

As there is no real progress in my piano sessions due to the lack of time and blah :) I just have another nice topic which cost me a couple of hours that I want you to spend more efficiently. But there will definitely be a piano contest soon, I promise, so please stay patient.

Migrating your openvpn server to run within a jail on freeBSD

You might have noticed that I am moving services from an old and long-used Linux host to machines that are more suitable today.
So I did with my running OpenVPN server, which stays OpenVPN for now and will be replaced by Cisco IPsec VPN later on; so look out for another post then 😉

First I wanted to put the OpenVPN server into a jail, which I use a lot to keep the system clean and operational for each of the services:

[root@zolga:~] jls
   JID  IP Address      Hostname                      Path
     1  10.2.0.2        xterm                         /usr/jails/xterm
     2  10.2.0.50       tor                           /usr/jails/tor
     3  10.2.0.154      syslog                        /usr/jails/syslog
     4  10.2.0.33       sql                           /usr/jails/sql
     5  10.2.0.137      nethack                       /usr/jails/nethack
     6  10.2.0.25       mail.mynet.lc                 /usr/jails/mail
     7  10.2.0.81       web.mynet.lc                  /usr/jails/http
     8  10.2.0.80       erl                           /usr/jails/erl
     9  10.2.0.52       ejabber.myspot.at             /usr/jails/ejabber
    10  10.2.0.10       dns.mynet.lc                  /usr/jails/dns
    11  10.2.0.11       dhcp                          /usr/jails/dhcp
    29  10.2.0.194      openvpn                       /usr/jails/openvpn
[root@zolga:~]

Setting up the new server looked like there was not a single issue to solve: just install the server, take your old configuration files and keys with you, and everything will be fine. So. I. thought.
But a jail, by design, cannot do whatever it wants with the host it is sitting on, and so the first run of the server failed when it tried to dynamically create the tunnel interface that is needed to set up the site-to-site connection.

This is prohibited by default, so this step has to be done manually once; there is a good howto in the FreeBSD forums.

The OpenVPN configuration file itself is not the topic of this post, because there are several ways to set up a VPN connection. All you have to take care of in this step is to use the same interface (“dev tun0” or “dev tap0”) in your /usr/local/etc/openvpn/server.conf as the one you created before.
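As an added check (not part of the original post), a small sh script that verifies the point above before starting the jailed server: the `dev` directive in server.conf must name a fixed tun/tap unit, and that unit must already exist, because the jail cannot clone it at runtime. It assumes the server.conf path from the post and `ifconfig -l` as the way to list the host's interfaces; the interface list can also be passed in explicitly.

```shell
#!/bin/sh
# Added example, not from the original post. Checks that a jailed OpenVPN
# server.conf refers to a pre-created tun/tap interface (e.g. "dev tun0").
# Assumed paths: /usr/jails/openvpn/usr/local/etc/openvpn/server.conf

# Print the interface named by the first "dev" directive in an OpenVPN config.
# $1 = path to server.conf. Prints nothing if no "dev" line is present.
openvpn_dev_from_conf() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# A concrete unit (tun0, tap1) can be created beforehand; the bare names
# "tun"/"tap" ask OpenVPN to clone a new interface, which the jail may not do.
is_static_tun_dev() {
    case "$1" in
        tun[0-9]*|tap[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is in the space-separated interface list $2.
iface_exists() {
    for iface in $2; do
        [ "$iface" = "$1" ] && return 0
    done
    return 1
}

# $1 = server.conf path, $2 = interface list (default: host's "ifconfig -l").
# Returns 0 when the config names an interface that already exists.
check_jailed_openvpn_dev() {
    conf="$1"
    ifaces="${2:-$(ifconfig -l)}"
    dev=$(openvpn_dev_from_conf "$conf")
    if [ -z "$dev" ]; then
        echo "no 'dev' directive in $conf" >&2; return 1
    fi
    if ! is_static_tun_dev "$dev"; then
        echo "'dev $dev' needs dynamic cloning; use a fixed unit such as tun0" >&2; return 1
    fi
    if ! iface_exists "$dev" "$ifaces"; then
        echo "$dev does not exist; create it on the host first: ifconfig $dev create" >&2; return 1
    fi
    echo "ok: server.conf uses $dev, which already exists"
}

# Usage on the host: check_jailed_openvpn_dev /usr/jails/openvpn/usr/local/etc/openvpn/server.conf
```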