FreeBSD 10: VIMAGE OpenVPN routing with iPredator (IPv4)

The goal is a vnet jail that routes traffic through ipredator.se.

First a FreeBSD VIMAGE jail HOST is needed; the following guide shows how to set one up: FreeBSD 10: VIMAGE (virtualized network stack) mit if_bridge & epair (the bridge vswitch0 referenced in step 8 is assumed to exist from that setup).

Afterwards the kernel is rebuilt with IPFIREWALL support, the iPredator OpenVPN client is set up inside the jail, and NAT forwarding is enabled there.

To keep this article within bounds, firewall tuning (a real ruleset instead of the open/default-to-accept setup used here) is covered in more detail in a separate post.

Example (diagram: plitc_freebsd_vimage_vpn):

WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.

Required:
– a working vnet jail with correct devfs.rules etc.
– additionally IPFIREWALL support in the kernel

FreeBSD Beastie Installation: OpenVPN Jail

Step 1: clean out old kernel objects

$
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
$

Step 2: kernel config with IPFW support

$
vi /root/kernels/VIMAGE
$
$
### ### ### VIMAGE ### ### ###
#
cpu             HAMMER
ident           VIMAGE

makeoptions     DEBUG=-g                        # Build kernel with gdb(1) debug symbols
makeoptions     WITH_CTF=1                      # Run ctfconvert(1) for DTrace support

### < --- --- --- > ###

options         IPFIREWALL                      # enables IPFW
options         IPFIREWALL_VERBOSE              # enables logging for rules with log keyword
options         IPFIREWALL_VERBOSE_LIMIT=5      # limits number of logged packets per-entry
options         IPFIREWALL_DEFAULT_TO_ACCEPT    # default policy: pass what is not explicitly denied (convenient, but every vnet starts wide open)
options         IPDIVERT                        # divert sockets, required for natd(8) NAT

###options         DUMMYNET                        # traffic shaper, bandwidth manager and delay emulator
###options         HZ=1000                         # strongly recommended

device          carp
device          lagg
device          enc
device          gre
options         XBONEHACK

options         TCP_SIGNATURE                   # include support for RFC 2385

options         VIMAGE                          # Network Stack Virtualization
options         NULLFS                          # NULL filesystem

### VIMAGE - if_bridge/epair virtualization // ###
device          if_bridge
device          epair
### // VIMAGE - if_bridge/epair virtualization ###

### VIMAGE - netgraph virtualization // ###
options         NETGRAPH
options         NETGRAPH_ETHER
options         NETGRAPH_BRIDGE
options         NETGRAPH_EIFACE
options         NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###

device          tap                             # virtual link layer 2 device

options         VFS_AIO

### DEFAULT ### options         TCP_OFFLOAD     # TCP offload

options         RACCT                           # Resource accounting
options         RCTL                            # Controls resource limits

device          crypto                          # core crypto support
device          cryptodev                       # /dev/crypto for access to h/w

device          rndtest                         # FIPS 140-2 entropy tester

device          hifn                            # Hifn 7951, 7781, etc.
options         HIFN_DEBUG                      # enable debugging support: hw.hifn.debug
options         HIFN_RNDTEST                    # enable rndtest support

device          ubsec                           # Broadcom 5501, 5601, 58xx
options         UBSEC_DEBUG                     # enable debugging support: hw.ubsec.debug
options         UBSEC_RNDTEST                   # enable rndtest support

options         IPSEC                           # IP security (requires device crypto)
options         IPSEC_NAT_T                     # NAT-T support, UDP encap of ESP

options         FDESCFS                         # File descriptor filesystem

### NOT WITH VIMAGE ### device          pf
### NOT WITH VIMAGE ### device          pflog
### NOT WITH VIMAGE ### device          pfsync
### NOT WITH VIMAGE ### options         ALTQ
### NOT WITH VIMAGE ### options         KTR_ALQ
### NOT WITH VIMAGE ### options         ALTQ_CBQ       # Class Based Queueing
### NOT WITH VIMAGE ### options         ALTQ_RED       # Random Early Detection
### NOT WITH VIMAGE ### options         ALTQ_RIO       # RED In/Out
### NOT WITH VIMAGE ### options         ALTQ_HFSC      # Hierarchical Packet Scheduler
### NOT WITH VIMAGE ### options         ALTQ_CDNR      # Traffic conditioner
### NOT WITH VIMAGE ### options         ALTQ_PRIQ      # Priority Queueing
### NOT WITH VIMAGE ### options         ALTQ_NOPCC     # Required if the TSC is unusable
### NOT WITH VIMAGE ### options         ROUTETABLES=15 # max 16 FIB (Forward Information Base/multiple routing tables) support
#
### NOT WITH VIMAGE ### options         SCTP           # Stream Control Transmission Protocol
#
### ### ### VIMAGE ### ### ###
$

Step 3: build/install the kernel

$
cd /usr/src
# KERNCONFDIR points make at /root/kernels; without it the config file is
# expected in /usr/src/sys/amd64/conf/
time make buildkernel KERNCONF=VIMAGE KERNCONFDIR=/root/kernels
time make installkernel KERNCONF=VIMAGE KERNCONFDIR=/root/kernels

reboot
$

Step 4: adjust rc.conf
(enable ipfw)

$
vi /etc/rc.conf

### Firewall // ###
firewall_enable="YES"
firewall_type="open"            # "open" = pass everything; the HOST only needs ipfw loaded for now,
                                # a real ruleset is the subject of the firewall article mentioned above
firewall_logging="YES"
#
pf_enable="NO"                  # enable PF (load the module if needed)
pf_rules="/etc/pf.conf"         # file with pf rule definitions
pf_flags=""                     # additional parameters for starting pfctl
pflog_enable="NO"               # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd writes its log file
pflog_flags=""                  # additional parameters for starting pflogd
### // Firewall ###
$

Step 5: HOST sysctl.conf

$
vi /etc/sysctl.conf

### ### ### JAIL HOST // ### ### ###

net.inet.ip.forwarding=0
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=0

### ezjail // ###
security.jail.param.allow.raw_sockets=1
security.jail.allow_raw_sockets=1
#
#net.add_addr_allfibs=4
### // ezjail ###

### HOST - VirtualBox USB 1.1 // ###
#hw.usb.ehci.no_hs=1
### // HOST - VirtualBox USB 1.1 ###

### VIMAGE // ###
# lets non-root users open /dev/tap*; only needed when unprivileged VM software
# attaches to tap devices on the HOST, otherwise set it to 0
net.link.tap.user_open=1

net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
### // VIMAGE ###

### ### ### // JAIL HOST ### ### ###
# EOF
$

sysctl: ip.forwarding does not have to be enabled on the HOST! The routing happens inside the jail's own network stack (step 13).

Step 6: reboot the HOST

dmesg(8) after the reboot confirms that the new kernel has ipfw with divert enabled:

$
ipfw2 (+ipv6) initialized, divert enabled, nat loadable, default to accept, logging disabled
DUMMYNET 0xfffff80002fb8240 with IPv6 initialized (100409)
$

Step 7: create the jail for OpenVPN (0.0.0.0 because a vnet jail gets its address from the epair interface, not from ezjail)

$
ezjail-admin create vpn 0.0.0.0
$

Step 8: adjust the jail config for VIMAGE (the inet6 lines carry dummy addresses; substitute your own prefix or leave them out for an IPv4-only setup)

$
vi /usr/local/etc/ezjail/vpn

#export jail_vpn_ip="0.0.0.0"
export jail_vpn_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_vpn_devfs_ruleset="22"
export jail_vpn_parameters="allow.raw_sockets=1 allow.sysvipc=1"

### VIMAGE // ###
export jail_vpn_exec_prestart0="ifconfig epair1 create up"
export jail_vpn_exec_prestart1="ifconfig vswitch0 addm epair1a"
export jail_vpn_exec_poststart0="ifconfig epair1b vnet vpn"
export jail_vpn_exec_poststart1="jexec vpn /sbin/ifconfig epair1b 192.168.100.100/24"
export jail_vpn_exec_poststart2="jexec vpn /sbin/route add default 192.168.100.1"
export jail_vpn_exec_poststart3="jexec vpn /sbin/ifconfig epair1b inet6 2001:ffff:ffff:ffff::100 prefixlen 64"
export jail_vpn_exec_poststart4="jexec vpn /sbin/route add -inet6 default fe80::aaaa:aaaa:aaaa:aaaa%epair1b"
export jail_vpn_exec_poststop0="ifconfig epair1a destroy"
### // VIMAGE ###

### OpenVPN // ###
# tun1 is created on the HOST and moved into the jail's vnet, so OpenVPN in the
# jail has to use "dev tun1" (hence the sed in step 11); the vnet target is the
# jail name, vpn
export jail_vpn_exec_prestart2="ifconfig tun1 create up"
export jail_vpn_exec_poststart5="ifconfig tun1 vnet vpn"
export jail_vpn_exec_poststop1="ifconfig tun1 destroy"
### // OpenVPN ###
$

Step 9: adjust devfs.rules

$
vi /etc/devfs.rules

### Jail - VIMAGE // ###
[devfsrules_jail_mem=22]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
# mem/kmem are not needed by OpenVPN: a jailed root with /dev/kmem can read and
# patch kernel memory, which nullifies the jail boundary. Drop both unless a
# tool inside the jail really requires them.
add path mem unhide
add path kmem unhide
# tun*: required, OpenVPN inside the jail opens /dev/tun1
add path 'tun*' unhide
# !!! add path 'tap*' unhide
# bpf*: only needed for tcpdump(1) and the like inside the jail
add path 'bpf*' unhide
### // Jail - VIMAGE ###
$
$
service devfs restart
$

Step 10: start the jail

$
ezjail-admin start vpn
$

Now the jail can be customized as desired (install tmux/zsh etc.).

Step 11: OpenVPN – set up iPredator

The linked Guide: OpenVPN on FreeBSD covers the client setup in detail; what follows is the jail-specific variant.

$
cd /usr/ports/security/openvpn
make config-recursive

Options chosen in the openvpn-2.3.4 config dialog:
[x] EASYRSA   Install security/easy-rsa RSA helper package
[ ] PKCS11    Use security/pkcs11-helper
[x] PW_SAVE   Interactive passwords may be read from a file
SSL protocol support:
(*) OPENSSL   SSL/TLS support via OpenSSL
( ) POLARSSL  SSL/TLS support via PolarSSL

make install clean
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
# --no-verify-peer disables TLS certificate verification for this download, so a
# man-in-the-middle could hand you a config that points at a different server and
# trusts a different CA. Better: pkg install ca_root_nss (the CA bundle fetch(1)
# looks for) and fetch the file without --no-verify-peer.
fetch --no-verify-peer https://ipredator.se/static/downloads/openvpn/cli/IPredator-CLI-Password.conf
# credentials: create the file under a restrictive umask so it is never world-readable
( umask 077; printf '%s\n' "USERNAME" "PASSWD" > /usr/local/etc/openvpn/IPredator.auth )

# adapt the config to the jail: tun1 is the device moved into the vnet in step 8,
# the transport is switched to TCP, and paths move from /etc/openvpn to the ports
# location /usr/local/etc/openvpn (blanket replacements; check the result with grep)
sed -i '' \
    -e 's/tun0/tun1/g' \
    -e 's/udp/tcp/g' \
    -e 's|/etc/openvpn|/usr/local/etc/openvpn|g' \
    /usr/local/etc/openvpn/IPredator-CLI-Password.conf

chown root:wheel /usr/local/etc/openvpn/IPredator-CLI-Password.conf
chown root:wheel /usr/local/etc/openvpn/IPredator.auth
chmod 400 /usr/local/etc/openvpn/IPredator-CLI-Password.conf
chmod 400 /usr/local/etc/openvpn/IPredator.auth
$
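A scripted version of the config adaptation from step 11, added here as an example; it is neither iPredator's nor the original post's code, and the function names and the sample config in it are constructed. Unlike the blanket sed replacements above it anchors each edit to the OpenVPN directive (a comment or hostname containing "udp" is left alone, and running it twice does not double the path prefix), verifies the result, and checks that the credential file is not group- or world-readable, which is what the chmod 400 above is for.

```shell
#!/bin/sh
# Rewrite the downloaded iPredator client config for use inside the vnet jail
# and verify the result. Added example, not iPredator's or the post author's
# code; function names and SAMPLE_CONF are constructed.

# rewrite_ipredator_conf SRC DST [TUNDEV]
# Same three edits as step 11, anchored to the OpenVPN directive so nothing
# else in the file (comments, hostnames, certificate data) is touched:
#   dev tun0      -> dev TUNDEV  (the tun device moved into the jail's vnet)
#   proto udp     -> proto tcp
#   /etc/openvpn/ -> /usr/local/etc/openvpn/  (only at a path boundary, so an
#                    already converted /usr/local/etc/openvpn/ stays as it is)
rewrite_ipredator_conf() {
    src=$1; dst=$2; tundev=${3:-tun1}
    sed -e "s|^dev[[:space:]]\{1,\}tun0[[:space:]]*$|dev $tundev|" \
        -e 's|^proto[[:space:]]\{1,\}udp[[:space:]]*$|proto tcp|' \
        -e 's|^/etc/openvpn/|/usr/local/etc/openvpn/|' \
        -e 's|\([[:space:]]\)/etc/openvpn/|\1/usr/local/etc/openvpn/|g' \
        "$src" > "$dst"
}

# verify_ipredator_conf FILE [TUNDEV]
# Returns 0 when the config is ready for the jail, otherwise prints every
# failed check and returns 1.
verify_ipredator_conf() {
    f=$1; tundev=${2:-tun1}; fail=0
    grep -Eq "^dev[[:space:]]+$tundev[[:space:]]*$" "$f" \
        || { echo "FAIL: no 'dev $tundev' line"; fail=1; }
    grep -Eq '^proto[[:space:]]+tcp' "$f" \
        || { echo "FAIL: proto is not tcp"; fail=1; }
    if grep -Eq '(^|[[:space:]])/etc/openvpn/' "$f"; then
        echo "FAIL: Linux path /etc/openvpn/ still referenced"; fail=1
    fi
    grep -Eq '^auth-user-pass[[:space:]]+/usr/local/etc/openvpn/' "$f" \
        || { echo "FAIL: auth-user-pass does not point below /usr/local/etc/openvpn/"; fail=1; }
    return $fail
}

# auth_file_is_private FILE
# The credential file must be mode 400 or 600 (ls -l output is used because
# stat(1) flags differ between FreeBSD and GNU userland).
auth_file_is_private() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ] || [ "$mode" = "-rw-------" ]
}

# Constructed stand-in for IPredator-CLI-Password.conf (not the real file).
# The comment line contains "udp" on purpose: a blanket s/udp/tcp/g would
# rewrite it, the anchored version above does not.
SAMPLE_CONF='client
dev tun0
proto udp
remote vpn.ipredator.example 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass /etc/openvpn/IPredator.auth
# udp is the default transport; switch to tcp when udp is filtered
verb 3'

# Demo: rewrite the sample in a scratch directory and verify it.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$workdir/IPredator-CLI-Password.conf"
rewrite_ipredator_conf "$workdir/IPredator-CLI-Password.conf" "$workdir/jail.conf" tun1
if verify_ipredator_conf "$workdir/jail.conf" tun1; then
    echo "config OK for the jail:"; cat "$workdir/jail.conf"
else
    echo "config NOT ready"
fi
rm -rf "$workdir"
```

To use it on the real file, call rewrite_ipredator_conf with the downloaded config as SRC, a new file as DST, then verify_ipredator_conf on DST and auth_file_is_private on IPredator.auth before moving DST into place.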

Step 12: OpenVPN connection test

$
openvpn --config /usr/local/etc/openvpn/IPredator-CLI-Password.conf
$

This runs in the foreground: the log should end with "Initialization Sequence Completed", and ifconfig tun1 in a second shell inside the jail then shows the tunnel address. Stop it with Ctrl-C before enabling it via rc.conf in the next step.

Step 13: define the jail firewall / forwarding (all files below are inside the jail)

— @JAIL: sysctl.conf —

$
vi /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
$

— @JAIL: rc.conf —

$
vi /etc/rc.conf

gateway_enable="YES"
natd_enable="YES"                   # Enable NATD function
natd_interface="tun1"               # interface name of public Internet NIC (the VPN tunnel)
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible; add -deny_incoming
                                    # to drop VPN-side packets that have no translation entry
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/IPredator-CLI-Password.conf"
$

— @JAIL: rc.local —

$
vi /etc/rc.local

### Firewall Forwarding // ###
# the jail's own ipfw instance has no ruleset yet (default-to-accept kernel),
# so only the divert rule that hands tun1 traffic to natd is needed here
ipfw add 500 divert natd all from any to any via tun1
### // Firewall Forwarding ###

# natd is normally started by the ipfw rc script, which the jail does not run
# (no firewall_enable in its rc.conf), hence the manual start
service natd start
$

Keep in mind that rc.local is processed while the jail's /etc/rc runs, i.e. before the host-side poststart hooks of step 8 have moved epair1b and tun1 into the vnet. OpenVPN copes with that as long as the config keeps retrying name resolution (resolv-retry infinite); whether natd came up although tun1 was not there yet is exactly what the check after step 14 is for. If it did not, start natd from a host-side hook instead, e.g. export jail_vpn_exec_poststart6="jexec vpn service natd start".

Step 14: restart the jail

@HOST!

$
ezjail-admin stop vpn
ezjail-admin start vpn
$

Check the firewall with "ipfw list" inside the jail (jexec vpn ipfw list): rule 500 must show up as a divert rule via tun1. "ipfw table all list" only prints table contents, and this setup uses no tables, so it shows nothing useful.
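An added sanity check to run inside the jail after the restart (example, not part of the original post; the function names and the script name check_vpn_jail.sh are assumptions, and the sample outputs are constructed in the format that ifconfig, sysctl, ipfw and ps print on FreeBSD 10). It checks the four things this setup depends on: the tunnel is up with an address, forwarding is on, the divert rule is loaded, and natd is running. Each check takes command output as an argument so the logic runs offline against the samples; "live" mode feeds it the real commands.

```shell
#!/bin/sh
# Post-start health check for the OpenVPN gateway jail. Added example, not the
# post author's script; function names are assumed, sample outputs constructed.
# Live use inside the jail:  jexec vpn sh check_vpn_jail.sh live

# tun_is_up IFCONFIG_OUTPUT: tunnel has UP and RUNNING in its flags and an inet address
tun_is_up() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^.*flags=[0-9a-f]*<\([^>]*\)>.*$/\1/p' | head -n 1)
    case ",$flags," in *,UP,*) ;; *) return 1 ;; esac
    case ",$flags," in *,RUNNING,*) ;; *) return 1 ;; esac
    printf '%s\n' "$1" | grep -q '^[[:space:]]*inet '
}

# forwarding_on VALUE: value of net.inet.ip.forwarding inside the jail's vnet
forwarding_on() {
    [ "$1" = "1" ]
}

# has_divert_rule IPFW_LIST_OUTPUT IFACE: the rule from rc.local is loaded
# ("ipfw list" prints the natd service as its port number, 8668, and "all" as "ip")
has_divert_rule() {
    iface=$2
    printf '%s\n' "$1" | grep -Eq \
        "^[0-9]+[[:space:]]+divert[[:space:]]+(natd|[0-9]+)[[:space:]]+(ip|ip4|all)[[:space:]]+from[[:space:]]+any[[:space:]]+to[[:space:]]+any[[:space:]]+via[[:space:]]+$iface([[:space:]]|\$)"
}

# natd_running PS_OUTPUT: output of "ps -axo command" contains a natd process
natd_running() {
    printf '%s\n' "$1" | grep -Eq '^(/[^ ]*/)?natd( |$)'
}

# check_vpn_gateway IFCONFIG FORWARDING IPFW_LIST PS_OUTPUT [IFACE]
# Prints one line per check, returns 1 if any check failed.
check_vpn_gateway() {
    ifc=$1; fwd=$2; rules=$3; procs=$4; iface=${5:-tun1}; bad=0
    if tun_is_up "$ifc"; then echo "ok   $iface is up and has an address"
    else echo "FAIL $iface is down or has no address (OpenVPN not connected?)"; bad=1; fi
    if forwarding_on "$fwd"; then echo "ok   net.inet.ip.forwarding=1"
    else echo "FAIL net.inet.ip.forwarding=$fwd (the jail will not route)"; bad=1; fi
    if has_divert_rule "$rules" "$iface"; then echo "ok   ipfw divert rule via $iface present"
    else echo "FAIL no ipfw divert rule via $iface (rc.local not run?)"; bad=1; fi
    if natd_running "$procs"; then echo "ok   natd running"
    else echo "FAIL natd not running (service natd start)"; bad=1; fi
    return $bad
}

# Constructed sample outputs (not captured from a real system).
SAMPLE_IFCONFIG_UP='tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet 10.0.0.2 --> 10.0.0.1 netmask 0xffffffff
        Opened by PID 1234'
SAMPLE_IFCONFIG_DOWN='tun1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>'
SAMPLE_IPFW='00500 divert 8668 ip from any to any via tun1
65535 allow ip from any to any'
SAMPLE_PS='/bin/sh /etc/rc
natd -dynamic -m -n tun1
/usr/local/sbin/openvpn --config /usr/local/etc/openvpn/IPredator-CLI-Password.conf --daemon'

case "${1:-}" in
live)
    check_vpn_gateway "$(ifconfig tun1 2>/dev/null)" "$(sysctl -n net.inet.ip.forwarding)" \
        "$(ipfw list)" "$(ps -axo command)" tun1
    ;;
*)
    # offline demo against the constructed samples
    check_vpn_gateway "$SAMPLE_IFCONFIG_UP" 1 "$SAMPLE_IPFW" "$SAMPLE_PS" tun1
    ;;
esac
```

A non-zero exit from live mode tells you which of the four pieces is missing; the most common one after a restart is natd, for the ordering reason described in step 13.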

That’s FreeBSD