The goal is a vnet jail with a routing function through ipredator.se.
First a FreeBSD VIMAGE jail HOST is needed; the following guide can be used for that: FreeBSD 10: VIMAGE (virtualized network stack) mit if_bridge & epair
Then the kernel is recompiled with IPFIREWALL support, iPredator OpenVPN is set up and NAT forwarding is enabled.
To keep this blog post within bounds, firewall tuning is covered in more detail elsewhere.
Example:
WARNING: VIMAGE (virtualized network stack) is a highly experimental feature.
Required:
– a finished vnet jail with correct devfs.rules etc.
– additionally IPFIREWALL support in the kernel
Installation: OpenVPN jail
Step 1: clean old kernel objects
cd /usr
chflags -R noschg /usr/obj/*
rm -rfv /usr/obj/*
Step 2: kernel config with IPFW support
vi /root/kernels/VIMAGE

### ### ### VIMAGE ### ### ###
#
cpu HAMMER
ident VIMAGE
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
### < --- --- --- > ###
options IPFIREWALL # enables IPFW
options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options IPDIVERT # enables NAT
###options DUMMYNET # traffic shaper, bandwidth manager and delay emulator
###options HZ=1000 # strongly recommended
device carp
device lagg
device enc
device gre
options XBONEHACK
options TCP_SIGNATURE # include support for RFC 2385
options VIMAGE # Network Stack Virtualization
options NULLFS # NULL filesystem
### VIMAGE - if_bridge/epair virtualization // ###
device if_bridge
device epair
### // VIMAGE - if_bridge/epair virtualization ###
### VIMAGE - netgraph virtualization // ###
options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_BRIDGE
options NETGRAPH_EIFACE
options NETGRAPH_SOCKET
### // VIMAGE - netgraph virtualization ###
device tap # virtual link layer 2 device
options VFS_AIO
### DEFAULT ###
options TCP_OFFLOAD # TCP offload
options RACCT # Resource accounting
options RCTL # Controls resource limits
device crypto # core crypto support
device cryptodev # /dev/crypto for access to h/w
device rndtest # FIPS 140-2 entropy tester
device hifn # Hifn 7951, 7781, etc.
options HIFN_DEBUG # enable debugging support: hw.hifn.debug
options HIFN_RNDTEST # enable rndtest support
device ubsec # Broadcom 5501, 5601, 58xx
options UBSEC_DEBUG # enable debugging support: hw.ubsec.debug
options UBSEC_RNDTEST # enable rndtest support
options IPSEC # IP security (requires device crypto)
options IPSEC_NAT_T # NAT-T support, UDP encap of ESP
options FDESCFS # File descriptor filesystem
### NOT WITH VIMAGE ### device pf
### NOT WITH VIMAGE ### device pflog
### NOT WITH VIMAGE ### device pfsync
### NOT WITH VIMAGE ### options ALTQ
### NOT WITH VIMAGE ### options KTR_ALQ
### NOT WITH VIMAGE ### options ALTQ_CBQ # Class Based Queueing
### NOT WITH VIMAGE ### options ALTQ_RED # Random Early Detection
### NOT WITH VIMAGE ### options ALTQ_RIO # RED In/Out
### NOT WITH VIMAGE ### options ALTQ_HFSC # Hierarchical Packet Scheduler
### NOT WITH VIMAGE ### options ALTQ_CDNR # Traffic conditioner
### NOT WITH VIMAGE ### options ALTQ_PRIQ # Priority Queueing
### NOT WITH VIMAGE ### options ALTQ_NOPCC # Required if the TSC is unusable
### NOT WITH VIMAGE ### options ROUTETABLES=15 # max 16 FIB (Forward Information Base/multiple routing tables) support
#
### NOT WITH VIMAGE ### options SCTP # Stream Control Transmission Protocol
#
### ### ### VIMAGE ### ### ###
Step 3: build/install the kernel
cd /usr/src
time make buildkernel KERNCONF=VIMAGE
time make installkernel KERNCONF=VIMAGE
reboot
Step 4: adjust rc.conf
(enable ipfw)
vi /etc/rc.conf

### Firewall // ###
firewall_enable="YES"
firewall_type="open"
firewall_logging="YES"
#
pf_enable="NO" # enable PF (load the module if needed)
pf_rules="/etc/pf.conf" # file with the rule definitions for pf
pf_flags="" # additional parameters for starting pfctl
pflog_enable="NO" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the log file
pflog_flags="" # additional parameters for starting pflogd
### // Firewall ###
Step 5: HOST sysctl.conf
vi /etc/sysctl.conf

### ### ### JAIL HOST // ### ### ###
net.inet.ip.forwarding=0
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=0
### ezjail // ###
security.jail.param.allow.raw_sockets=1
security.jail.allow_raw_sockets=1
#
#net.add_addr_allfibs=4
### // ezjail ###
### HOST - VirtualBox USB 1.1 // ###
#hw.usb.ehci.no_hs=1
### // HOST - VirtualBox USB 1.1 ###
### VIMAGE // ###
net.link.tap.user_open=1
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0
### // VIMAGE ###
### ### ### // JAIL HOST ### ### ###
# EOF
sysctl – ip.forwarding does not need to be active on the HOST!
Step 6: HOST system reboot
ipfw2 (+ipv6) initialized, divert enabled, nat loadable, default to accept, logging disabled
DUMMYNET 0xfffff80002fb8240 with IPv6 initialized (100409)
Step 7: create the jail for OpenVPN
ezjail-admin create vpn 0.0.0.0
Step 8: adjust the jail config for VIMAGE
vi /usr/local/etc/ezjail/vpn

#export jail_vpn_ip="0.0.0.0"
export jail_vpn_exec_stop="/bin/sh /etc/rc.shutdown"
export jail_vpn_devfs_ruleset="22"
export jail_vpn_parameters="allow.raw_sockets=1 allow.sysvipc=1"
### VIMAGE // ###
export jail_vpn_exec_prestart0="ifconfig epair1 create up"
export jail_vpn_exec_prestart1="ifconfig vswitch0 addm epair1a"
export jail_vpn_exec_poststart0="ifconfig epair1b vnet vpn"
export jail_vpn_exec_poststart1="jexec vpn /sbin/ifconfig epair1b 192.168.100.100/24"
export jail_vpn_exec_poststart2="jexec vpn /sbin/route add default 192.168.100.1"
export jail_vpn_exec_poststart3="jexec vpn /sbin/ifconfig epair1b inet6 2001:ffff:ffff:ffff::100 prefixlen 64"
export jail_vpn_exec_poststart4="jexec vpn /sbin/route add -inet6 default fe80::aaaa:aaaa:aaaa:aaaa%epair1b"
export jail_vpn_exec_poststop0="ifconfig epair1a destroy"
### // VIMAGE ###
### OpenVPN // ###
export jail_vpn_exec_prestart2="ifconfig tun1 create up"
# move tun1 into the vnet of this jail (named "vpn"), where OpenVPN and natd will use it
export jail_vpn_exec_poststart5="ifconfig tun1 vnet vpn"
export jail_vpn_exec_poststop1="ifconfig tun1 destroy"
### // OpenVPN ###
Step 9: adjust devfs.rules
vi /etc/devfs.rules

### Jail - VIMAGE // ###
[devfsrules_jail_mem=22]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path mem unhide
add path kmem unhide
add path 'tun*' unhide # !!!
add path 'tap*' unhide
add path 'bpf*' unhide
### // Jail - VIMAGE ###

service devfs restart
Step 10: start the jail
ezjail-admin start vpn
Now the jail can first be customised as desired (install tmux/zsh etc.).
Step 11: set up OpenVPN – iPredator
There is an excellent guide under Guide: OpenVPN on FreeBSD
cd /usr/ports/security/openvpn
make config-recursive

  openvpn-2.3.4
  [x] EASYRSA   Install security/easy-rsa RSA helper package
  [ ] PKCS11    Use security/pkcs11-helper
  [x] PW_SAVE   Interactive passwords may be read from a file
  SSL protocol support
  (*) OPENSSL   SSL/TLS support via OpenSSL
  ( ) POLARSSL  SSL/TLS support via PolarSSL

make install clean
mkdir /usr/local/etc/openvpn
cd /usr/local/etc/openvpn
# --no-verify-peer disables TLS certificate checking for this one download
fetch --no-verify-peer https://ipredator.se/static/downloads/openvpn/cli/IPredator-CLI-Password.conf
echo "USERNAME" > /usr/local/etc/openvpn/IPredator.auth
echo "PASSWD" >> /usr/local/etc/openvpn/IPredator.auth
# rewrite the downloaded config: tun0 -> tun1, udp -> tcp, /etc/openvpn -> /usr/local/etc/openvpn
sed 's/tun0/tun1/g' /usr/local/etc/openvpn/IPredator-CLI-Password.conf > /usr/local/etc/openvpn/IPredator-CLI-Password.conf_; mv -fv /usr/local/etc/openvpn/IPredator-CLI-Password.conf_ /usr/local/etc/openvpn/IPredator-CLI-Password.conf
sed 's/udp/tcp/g' /usr/local/etc/openvpn/IPredator-CLI-Password.conf > /usr/local/etc/openvpn/IPredator-CLI-Password.conf_; mv -fv /usr/local/etc/openvpn/IPredator-CLI-Password.conf_ /usr/local/etc/openvpn/IPredator-CLI-Password.conf
sed 's/etc\/openvpn/usr\/local\/etc\/openvpn/g' /usr/local/etc/openvpn/IPredator-CLI-Password.conf > /usr/local/etc/openvpn/IPredator-CLI-Password.conf_; mv -fv /usr/local/etc/openvpn/IPredator-CLI-Password.conf_ /usr/local/etc/openvpn/IPredator-CLI-Password.conf
# config and credentials readable by root only
chown root:wheel /usr/local/etc/openvpn/IPredator-CLI-Password.conf
chown root:wheel /usr/local/etc/openvpn/IPredator.auth
chmod 400 /usr/local/etc/openvpn/IPredator-CLI-Password.conf
chmod 400 /usr/local/etc/openvpn/IPredator.auth
Step 12: OpenVPN connection test
openvpn --config /usr/local/etc/openvpn/IPredator-CLI-Password.conf
Step 13: define the jail firewall / forwarding
— @JAIL: sysctl.conf —
vi /etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=0
net.inet6.ip6.forwarding=1
— @JAIL: rc.conf —
vi /etc/rc.conf

gateway_enable=YES
natd_enable="YES" # Enable NATD function
natd_interface="tun1" # interface name of public Internet NIC
natd_flags="-dynamic -m" # -m = preserve port numbers if possible
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/IPredator-CLI-Password.conf"
— @JAIL: rc.local —
vi /etc/rc.local

### Firewall Forwarding // ###
ipfw add 500 divert natd all from any to any via tun1
### // Firewall Forwarding ###
service natd start

Step 14: restart the jail
@HOST!
ezjail-admin stop vpn
ezjail-admin start vpn

Firewall check with “ipfw table all list”
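As an added check that is not part of the original post: after the restart, the jail only routes through the tunnel if its IPv4 default route leaves via tun1 and the divert rule from rc.local is loaded; if OpenVPN is down, the default route from Step 8 still points at epair1b and traffic would bypass the VPN. The script below parses the output of netstat -rn -f inet and ipfw list (run inside the jail with jexec on a live host); the sample outputs embedded here are constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the "vpn" jail routes
# through tun1 and that the natd divert rule is in place. The netstat/ipfw
# samples below are constructed; on a live system feed in
# "$(jexec vpn netstat -rn -f inet)" and "$(jexec vpn ipfw list)" instead.

# Constructed sample: routing table once OpenVPN is up (tunnel addresses invented).
NETSTAT_OK='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.1           UGS        tun1
127.0.0.1          link#1             UH         lo0
192.168.100.0/24   link#2             U          epair1b'

# Constructed sample: OpenVPN not up, default route still via the host-side epair.
NETSTAT_LEAK='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.100.1      UGS        epair1b
127.0.0.1          link#1             UH         lo0
192.168.100.0/24   link#2             U          epair1b'

# Constructed sample: ipfw list inside the jail after rc.local has run.
IPFW_OK='00500 divert 8668 ip from any to any via tun1
65535 allow ip from any to any'

# Print the interface of the IPv4 default route; the column index is read from
# the header line, so it works with or without the Refs/Use columns.
default_netif() {
    printf '%s\n' "$1" | awk '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i }
        $1 == "default" && col { print $col; exit }'
}

# Succeed if a divert rule bound to interface $2 is present in ipfw list output $1.
has_divert_rule() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 3 && $2 == "divert" && $(NF-1) == "via" && $NF == want { ok = 1 }
        END { exit !ok }'
}

# Combined check: default route via tun1 AND natd divert on tun1.
vpn_routing_ok() {
    [ "$(default_netif "$1")" = "tun1" ] && has_divert_rule "$2" tun1
}
vpn_routing_ok "$NETSTAT_OK" "$IPFW_OK" && echo "routing through tun1: OK"
vpn_routing_ok "$NETSTAT_LEAK" "$IPFW_OK" || echo "default route bypasses tun1"
```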
That’s FreeBSD
Note: https://blog.plitc.eu/2014/freebsd-10-robuster-betrieb-von-vimage-jails/