n.pubblic

Issues setting up openvpn with a killswitch in a freebsd jail


I'm trying to set up a kill switch so that if OpenVPN goes down, all other connections are automatically locked. I adapted this config as follows:

### EDITED
group openvpn
################
client
dev tun
remote XXXXXX 443
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
verb 3
explicit-exit-notify 5
rcvbuf 262144
sndbuf 262144
push-peer-info
setenv UV_IPV6 yes
ca "/opt/openvpn/keys/ca.crt"
cert "/opt/openvpn/keys/user.crt"
key "/opt/openvpn/keys/user.key"
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
proto udp
tls-auth "/opt/openvpn/keys/ta.key" 1

and this is my ipfw config:

#!/bin/bash
ipfw -q -f flush
cmd="ipfw -q add"
# note: this variable is not referenced by the rules below; rule 00010 names tun0 literally
vpn="tun2"
$cmd 00001 allow all from any to any via lo0
$cmd 00010 allow all from any to any via tun0
$cmd 00101 allow all from me to 192.168.0.0/16
$cmd 00102 allow all from 192.168.0.0/16 to me
###############################
# it should allow openvpn to establish the connection
$cmd 00103 allow all from any to any gid openvpn
###############################
$cmd 00104 allow all from any to any established
$cmd 00110 allow tcp from any to any dst-port 53 out setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 out keep-state
$cmd 00201 deny all from any to any
When I try to start OpenVPN it won't work, e.g.:

Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/user.key' is group or others accessible
Mon Jul 20 22:13:17 2020 WARNING: file '/opt/openvpn/keys/ta.key' is group or others accessible
Mon Jul 20 22:13:17 2020 OpenVPN 2.4.9 amd64-portbld-freebsd11.3 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 12 2020
Mon Jul 20 22:13:17 2020 library versions: OpenSSL 1.0.2u-freebsd  20 Dec 2019, LZO 2.10
Mon Jul 20 22:13:17 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 20 22:13:17 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 Socket Buffers: R=[42080->262144] S=[9216->262144]
Mon Jul 20 22:13:17 2020 UDP link local: (not bound)
Mon Jul 20 22:13:17 2020 UDP link remote: [AF_INET]184.75.221.34:443
Mon Jul 20 22:13:17 2020 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Mon Jul 20 22:13:17 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:19 2020 write UDP: Permission denied (code=13)
Mon Jul 20 22:13:23 2020 write UDP: Permission denied (code=13)
It looks like in FreeBSD OpenVPN wants to start as root/wheel no matter what, and it will downgrade to a custom group only once the first connection has been successfully established. Is there a way around that? Otherwise, is there another way to allow only OpenVPN to connect to the internet? I'm not married to this solution, I just want to set up a kill switch and avoid iptables.
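An added example, not the poster's script: a kill-switch ruleset that does not depend on a gid match at all. The handshake is allowed by server address and port (the server IP, resolver IP and tun0 name below are assumed placeholders), tunnel traffic by interface, and everything else is denied, so the rules apply whichever uid/gid owns the socket before OpenVPN drops to the openvpn group. The script only prints the rules for review.

```shell
#!/bin/sh
# Added example, not the original poster's script. Generates an ipfw ruleset
# that lets only the OpenVPN handshake (by server address and port) and
# tunnel traffic (by interface) out; everything else is denied, so the jail
# fails closed if the tunnel drops. Nothing is applied: rules are printed for
# review and can be piped into sh afterwards. All addresses are placeholders.
VPN_SERVER="203.0.113.10"   # assumed: address of the 'remote' host (use the IP
                            # in the OpenVPN config so no DNS is needed first)
VPN_PORT="443"              # from the posted config: remote XXXXXX 443, proto udp
VPN_IF="tun0"               # assumed tunnel interface of this jail
LAN="192.168.0.0/16"        # from the posted ruleset
RESOLVER="198.51.100.53"    # assumed: one resolver, needed only if 'remote' is a name

gen_killswitch_rules() {
    server="${1:-$VPN_SERVER}"; port="${2:-$VPN_PORT}"; iface="${3:-$VPN_IF}"
    cmd="ipfw -q add"
    echo "ipfw -q -f flush"
    echo "$cmd 00001 allow all from any to any via lo0"
    # Everything already inside the tunnel is allowed, both directions.
    echo "$cmd 00010 allow all from any to any via $iface"
    # LAN reachability kept from the posted ruleset.
    echo "$cmd 00101 allow all from me to $LAN"
    echo "$cmd 00102 allow all from $LAN to me"
    # The handshake: UDP to exactly one server:port, stateful, so the rule
    # matches regardless of which uid/gid owns the socket when it is created.
    echo "$cmd 00103 allow udp from me to $server dst-port $port out keep-state"
    # Name resolution for 'remote' only to the chosen resolver, not to any host.
    echo "$cmd 00104 allow udp from me to $RESOLVER dst-port 53 out keep-state"
    # Fail closed: no 'established' or catch-all allow rules above this line.
    echo "$cmd 00201 deny all from any to any"
}

# Stand-alone use: print the rules for review.
gen_killswitch_rules
```

With the server IP written into `remote` instead of a hostname, rule 00104 can be dropped so nothing leaves the jail outside the tunnel except the handshake itself.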