This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!




Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, etc

dreamcat4
experienced User
Posts: 111
Joined: 21 Mar 2014 21:59
Status: Offline

Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, etc

Post by dreamcat4 »

eldude_123 wrote:has anyone tried to install openVPN via Finch on an embedded build yet? If so is it just a case of following the Finch guides and a guide for installing openVPN on a non embedded setup?
No-one has tried that yet (to my knowledge). But yes, 99% you seem to have hit upon the correct general approach. It is a good strategy and should work in most cases.

For OpenVPN it's probably more challenging than the other ones. Because, well... it's openVPN. So if you encounter some issue please share with us here the error messages etc.
eldude_123 wrote:Hi dreamcat4,

I've just followed your guide regarding installing Finch on my embedded setup (latest version 9.2) - seems to have installed fine thanks very much!

Just wanted to query a couple of things.

I want to install OpenVPN on a new jail. Other than the Jail Installation instructions http://dreamcat4.github.io/finch/jails-how-to/ do I just follow one of the normal OpenVPN install guides for non embedded setups?
Yes. I haven't tried OpenVPN myself yet. But that is the correct approach.
eldude_123 wrote: Bit scared about installing a jail in case I break something!
There is no reason to worry. If you make a mess inside of a jail, then it's very easy to delete the failed jail with:

qjail stop "$jailname"
qjail delete "$jailname"
And can start over.
eldude_123 wrote:Also, I already have Sabnzbd installed via the brig - will installing a jail via Finch break this?
No. The 2 jail systems are entirely independent of each other. You may use both at once. Finch's jails are all installed inside of Finch's folder at "$finch_realpath/usr/jails/$jailname". So they aren't going to ever interfere with theBrig's own folders. Just don't use the same ip address however. Because the jail's IP address may conflict.
eldude_123 wrote:One final thing, I want to install CouchPotato, Sickbeard, Headphones - can I install via Finch even though my Sabnzbd setup is done via the brig?
Yes I guess so? I mean - they won't see each other's folders but can communicate over the LAN between each other if necessary? You can install multiple related services into the same 1 jail - if they really depend upon each other. For example Apache+PHP+MYSQL, and communicate locally over loopback interface TCP 127.0.0.1:9000 localhost.

If that is true (for those ones you mention), then some hint is often found in the installation guides of those specific software. (in other words - I haven't installed them myself so really don't know how to answer that).

If they are entirely separate services then it really doesn't matter.
eldude_123 wrote:... or do I need to delete that jail and install all via Finch?
No.

Just make sure that for all of your total jails (all together both Finch AND theBrig) - don't have the same IP address as another jail. Because all these jails share same NIC and LAN. You don't want an IP address conflict.

It is best to keep all of your 'theBrig' jail for now. Until later, after you are sure that you no longer need them and the new Finch jails are all proven working OK. Then you may be deleting the old ones.
Last edited by dreamcat4 on 05 Jun 2014 17:03, edited 1 time in total.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

Perhaps the toughest bit to understand (with Finch) is how to be setting up your user data folders or zfs datasets (e.g. for your files like music, mp3s, media etc).

I have written a big page about it on the Finch website.

http://dreamcat4.github.io/finch/mounting-filesystems/

It takes time to understand the reasons why. But effectively you have to mount the same folder 3 times over. 1st of all you mount the dataset into Finch's chroot. 2nd mount is alias of that onto nas4free host (root '/' folder). 3rd and last mount into the jail's fstab file...

Therefore it helps to pick wisely your data folder name(s) to begin with. Choose right before you begin. So not to need to change their names or the paths afterwards. :)

Some examples:
"/mnt/<username>/Media/Music"
"/mnt/Volumes/Media"
"/mnt/data/..."
Last edited by dreamcat4 on 05 Jun 2014 17:20, edited 1 time in total.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

Small Note:

Today I updated Finch jails howTo - http://dreamcat4.github.io/finch/jails-how-to/

For better IP address setting:

qjail create -4 "192.168.1.206,lo0|127.0.0.206" openvpn
It ensures that if your software require the localhost device (e.g. interface 127.xxx), then it exists inside of the jail.

eldude_123
Starter
Posts: 34
Joined: 08 Aug 2013 02:07
Status: Offline

Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Dreamcat4 that's excellent! I'm at work the now so will have a proper go at it all later tonight / tomorrow and let you know how I get on.

Really appreciate all your hard work and taking the time to reply so quickly. Installing Finch was a breeze using your instructions, it was all up and running with zero errors in about 15 minutes. Happy days :)


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

dreamcat4 wrote:Perhaps the toughest bit to understand (with Finch) is how to be setting up your user data folders or zfs datasets (e.g. for your files like music, mp3s, media etc).

I have written a big page about it on the Finch website.

http://dreamcat4.github.io/finch/mounting-filesystems/

It takes time to understand the reasons why. But effectively you have to mount the same folder 3 times over. 1st of all you mount the dataset into Finch's chroot. 2nd mount is alias of that onto nas4free host (root '/' folder). 3rd and last mount into the jail's fstab file...

Therefore it helps to pick wisely your data folder name(s) to begin with. Choose right before you begin. So not to need to change their names or the paths afterwards. :)

Some examples:
"/mnt/<username>/Media/Music"
"/mnt/Volumes/Media"
"/mnt/data/..."
Just looking at this on my break. Yeah you're right, this is the main point I'm a little confused about. Will definitely have to have a more in depth read when I get home and work out exactly what it all means - looks very interesting though :)


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Hi dreamcat4,

Possibly stupid question (apologies). Regarding:
dreamcat4 wrote:Small Note:

Today I updated Finch jails howTo - http://dreamcat4.github.io/finch/jails-how-to/

For better IP address setting:

qjail create -4 "192.168.1.206,lo0|127.0.0.206" openvpn
The corresponding command on the how to is: qjail create -4 "$jail_ip,$jail_loopback" "$jailname". In this the jailname is in quotations but in the new command it is not. Just to clarify, should this (ie openvpn) be in quotations or not? Should all the parts of commands in quotations in the how to be in quotes or not? Wasn't sure if they were there just to illustrate what you should input or if they are actually required.

Thanks!


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

eldude_123 wrote:Just to clarify, should this (ie openvpn) be in quotations or not?
It doesn't matter for the jail's name.
eldude_123 wrote: Wasn't sure if they were there just to illustrate or actually required.
Using double quotes is just a general habit of mine.

The need of quotation is determined by the syntax of the command line interpreter (Bash). Basically, if there are spaces inside of a command line argument, then some type of quotes is required. Personally I prefer quoting things a lot, so not to forget that. And they are double-quotes to allow shell "$variables" be expanded.

It's not critical. You may forget the double quotes most times. However not if a filename or path has spaces in it.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

ah cool thanks for explaining man, will let you know how I get on


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

openvpn jail installed successfully with non root ssh access - again another excellent guide dreamcat4. thanks.

1 point for other people - you can't use special characters like &%$ etc in your jail username, they're fine for the password though.

I understand what you were talking about mounting now in your guide - you need to remount in chroot so that your finch chroot can connect to your nas4free host system and finch chroot can in turn link to the jail in the other direction.

ie: HOST (nullfs mappings) <---- FINCH (your data is mounted here) ----> JAILS (nullfs mappings)

I'm going to go reread your mount guide again so that I don't make a mess - seems like I could do some actual damage to my nas if I mess this step up or is it all reversible? (I know that everything done in the jail is reversible, just querying because I'm actually doing something to the host system.)

I liked the use of quotations - they actually made the whole process much clearer in my head and helped me understand the flow of what I was doing more easily.

Another question: When I go to install openvpn, it will be in the openvpn jail right? Sorry if that seems dumb, just wanted to check seeing as the 3 different areas will be linked together after mounting.

So if I installed finch at /mnt/pool1/finch, if I followed this guide: http://geekfreely.blogspot.co.uk/2014/0 ... 4free.html then I would do everything at:
/mnt/pool1/finch/usr/jails/openvpn/mnt/pool1 (there is currently no pool1 here but I'm assuming there will be after I remount and connect everything together?) and make then Extension folder there? (In place of him using /mnt/Data/Extensions?) I know you don't specifically use openvpn, just trying to get my head around this and how everything links together!

Thanks again, will let you know how I get on.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

One last thing (I promise, bed is calling!), in your mounting guide under the Existing Dataset option I just want to query the command:

zfs set mountpoint="${finch_realpath}/mnt/disk0/my_dataset" "$dataset" - I understand what I should type for everything except the last "$dataset".

Using your example of dataset called my_dataset, would the command be:

zfs set mountpoint="${finch_realpath}/mnt/disk0/my_dataset" "my_dataset"

For me this would be:

zfs set mountpoint="/mnt/pool1/finch/mnt/pool1/data" "data" - is there no space between /mnt/pool1/finch and /mnt/pool1/data?

Thanks man, time for bed before I break something


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

eldude_123 wrote:in your mounting guide under the Existing Dataset option I just want to query the command:

zfs set mountpoint="${finch_realpath}/mnt/disk0/my_dataset" "$dataset" - I understand what I should type for everything except the last "$dataset".

Using your example of dataset called my_dataset, would the command be:

zfs set mountpoint="${finch_realpath}/mnt/disk0/my_dataset" "my_dataset"  
For me this would be:

zfs set mountpoint="/mnt/pool1/finch/mnt/pool1/data" "data" - 
You should see in that example (on the website) - we use the fully-qualified dataset name. It is prefixed by the pool name. So "$dataset" variable in the example we set as "disk0/my_dataset" and not just "my_dataset". It is just due to the input format of these zfs commands.

If you have now created a real dataset on nas4free, the cmd "zfs list" should say your dataset's NAME as:

$ zfs list
NAME                                      USED  AVAIL  REFER  MOUNTPOINT
pool1                                    68.9G   616G  67.1G  /mnt/pool1
pool1/data                          144K   616G   144K  /mnt/pool1/data <---- {NAME,current mountpoint}
...so in your case $dataset should be "pool1/data" if "pool1" is the pool name which it belongs to. That makes the command a little different from what you put there:

zfs set mountpoint="/mnt/pool1/finch/mnt/pool1/data" "pool1/data"
eldude_123 wrote:is there no space between /mnt/pool1/finch and /mnt/pool1/data?

Thanks man, time for bed before I break something
YES. That is correct (no space!). So we are chrooted inside the finch tree "mnt/pool1/finch" becomes "/" and the path will be accessible as "/mnt1/pool1/data" - which is the place you will expect it. It is like replicating the "/mnt/pool1/data" path. Later on we do the same thing for the jail's fstab file.


Small Notes:

* On NAS4Free platform it might be possible to instead just use the WebGUI to edit the Dataset's mount point. (if you prefer that way) look in the WebGUI --> ZFS --> Datasets screens.

* I just explain with shell commands b/c it universally works across all Platforms (that support ZFS). For example FreeNAS users don't have such comprehensive options in their WebGUI.

* When you set zfs options via the command line, they are all remembered and stored within the zfs partition itself. So no need to worry they won't be saved / remembered into "config.xml". All zfs configuration will be preserved, even if you later upgrade your embedded USB stick.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Hi Dreamcat4, thanks for the info.

As far as I can tell everything went fine mounting except for the fstab in the jail itself. I was unable to restart my jail. This is what I did:

[root@nas4free /mnt]# mkdir -p "/mnt/pool1/finch/usr/jails/openvpn/mnt/pool1/data"
[root@nas4free /mnt]# nano "/mnt/pool1/finch/usr/local/etc/qjail.fstab/openvpn"
GNU nano 2.2.6 File: /mnt/pool1/finch/usr/local/etc/qjail.fstab/openvpn

/usr/jails/sharedfs /usr/jails/openvpn/sharedfs nullfs ro 0 0
/mnt/pool1/data /usr/jails/openvpn/mnt/pool1/data nullfs ro 0 0


[ Wrote 3 lines ]

I accidentally added a blank line after inserting the second line so re-edited:
[root@nas4free /mnt]# nano "/mnt/pool1/finch/usr/local/etc/qjail.fstab/openvpn"
GNU nano 2.2.6 File: /mnt/pool1/finch/usr/local/etc/qjail.fstab/openvpn

/usr/jails/sharedfs /usr/jails/openvpn/sharedfs nullfs ro 0 0
/mnt/pool1/data /usr/jails/openvpn/mnt/pool1/data nullfs ro 0 0


[ Wrote 2 lines ]

[root@nas4free /mnt]# finch qjail restart "openvpn"
finch: chrooting to "/mnt/pool1/finch" for this 1 command only.
jail: openvpn: mount.fstab: /usr/jails/openvpn/mnt/pool1/data: not a mount point
Error: /usr/sbin/jail failed to stop jail openvpn.
because of errors in jail.conf file.
[root@nas4free /mnt]# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0 229166 225298 3868 98% /
devfs 1 1 0 100% /dev
/dev/da0a 119742 117290 2452 98% /cf
procfs 4 4 0 100% /proc
pool1 955680191 930153634 25526557 97% /mnt/pool1
pool2 957843498 946245553 11597944 99% /mnt/pool2
/dev/md1 31260 3356 26968 11% /var
/mnt/pool1/Download 955680191 930153634 25526557 97% /mnt/pool1/jail/Sabnzbd/mnt/Download
devfs 1 1 0 100% /mnt/pool1/jail/Sabnzbd/dev
devfs 1 1 0 100% /mnt/pool1/finch/dev
pool1/data 25526588 31 25526557 0% /mnt/pool1/finch/mnt/pool1/data
/mnt/pool1/finch/mnt/pool1/data 25526588 31 25526557 0% /mnt/pool1/data

Did I miss something really obvious? Or have I failed in a step before editing the fstab in the jail?

Thanks


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

eldude_123 wrote: I accidentally added a blank line after inserting the second line
It's not significant. An fstab file can have blank lines or #comment lines anywhere in it ~ they are ignored.
eldude_123 wrote: [root@nas4free /mnt]# finch qjail restart "openvpn"
finch: chrooting to "/mnt/pool1/finch" for this 1 command only.
jail: openvpn: mount.fstab: /usr/jails/openvpn/mnt/pool1/data: not a mount point
Error: /usr/sbin/jail failed to stop jail openvpn.
It looks like the jail was running while you added the new entry to the jail's fstab file. So the error is occurring when trying to stop the jail, it cannot unmount the new folder as it wasn't mounted (in that running jail session) at the time.

I think it's my mistake here because that's exactly what had been written in the documentation. Web page updated now with separate 'stop' and 'start' commands.

https://github.com/dreamcat4/finch/commit/359b8c5d

http://dreamcat4.github.io/finch/mounti ... ems/#toc_7

Sorry about that :D
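
The failure in the two posts above can be checked for before a jail is stopped. This is an added example, not part of the thread and not Finch's or qjail's own code: it compares a jail's qjail fstab with the host's `df` output and lists entries that are not mounted (the ones that make the stop fail with "not a mount point"), and separately lists any entry that lacks `ro`. The Finch path /mnt/pool1/finch comes from the thread; the function names and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print the mount point (2nd field) of each fstab entry read from stdin.
# Blank lines and #comment lines are skipped, as fstab permits them.
fstab_mountpoints() {
    awk '$1 ~ /^#/ { next } NF >= 2 { print $2 }'
}

# Print the "Mounted on" column of `df` output read from stdin.
mounted_paths() {
    awk 'NR > 1 && NF >= 6 { print $NF }'
}

# unmounted_entries FSTAB_FILE DF_FILE CHROOT
# Print fstab mount points that are missing from the mount table.
# Paths in the jail's fstab are relative to the Finch chroot, while df run on
# the host shows them prefixed with the chroot's real path, so CHROOT is
# prepended before comparing.
unmounted_entries() {
    fstab_file=$1
    df_file=$2
    chroot_dir=${3%/}
    fstab_mountpoints < "$fstab_file" | while IFS= read -r mp; do
        if ! mounted_paths < "$df_file" | grep -Fxq -- "${chroot_dir}${mp}"; then
            printf '%s\n' "$mp"
        fi
    done
}

# Print mount points of entries whose option list (4th field) lacks "ro",
# i.e. host folders the jail would be able to modify.
writable_entries() {
    awk '$1 ~ /^#/ { next }
         NF >= 4 {
             n = split($4, opt, ","); ro = 0
             for (i = 1; i <= n; i++) if (opt[i] == "ro") ro = 1
             if (!ro) print $2
         }'
}

# Write constructed sample files into directory $1: the edited fstab, df output
# taken while the jail still runs with the old fstab, and df after a clean start.
write_samples() {
    cat > "$1/fstab" <<'EOF'
/usr/jails/sharedfs /usr/jails/openvpn/sharedfs nullfs ro 0 0
/mnt/pool1/data /usr/jails/openvpn/mnt/pool1/data nullfs ro 0 0

# blank lines and comments are ignored
EOF
    cat > "$1/df_before" <<'EOF'
Filesystem 1K-blocks Used Avail Capacity Mounted on
pool1 955680191 930153634 25526557 97% /mnt/pool1
pool1/data 25526588 31 25526557 0% /mnt/pool1/finch/mnt/pool1/data
/usr/jails/sharedfs 955680191 930153634 25526557 97% /mnt/pool1/finch/usr/jails/openvpn/sharedfs
devfs 1 1 0 100% /mnt/pool1/finch/usr/jails/openvpn/dev
EOF
    cp "$1/df_before" "$1/df_after"
    cat >> "$1/df_after" <<'EOF'
/mnt/pool1/data 25526588 31 25526557 0% /mnt/pool1/finch/usr/jails/openvpn/mnt/pool1/data
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for state in before after; do
    missing=$(unmounted_entries "$tmp/fstab" "$tmp/df_$state" /mnt/pool1/finch)
    if [ -n "$missing" ]; then
        echo "df_$state: in fstab but not mounted, stopping the jail would fail:"
        printf '  %s\n' $missing
    else
        echo "df_$state: every fstab entry is mounted"
    fi
done
rw=$(writable_entries < "$tmp/fstab")
[ -z "$rw" ] && echo "all entries are mounted read-only"
rm -rf "$tmp"
```

On a real system the second argument would be a file holding the output of `df` run on the NAS4Free host, and the first the jail's file under Finch's usr/local/etc/qjail.fstab/ folder.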


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Thanks mate, as far as I can tell it seems to be sorted now!

[root@nas4free /mnt]# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0 229166 225298 3868 98% /
devfs 1 1 0 100% /dev
/dev/da0a 119742 117290 2452 98% /cf
procfs 4 4 0 100% /proc
pool1 955680150 929946454 25733696 97% /mnt/pool1
pool1/data 25733727 31 25733696 0% /mnt/pool1/finch/mnt/pool1/data
pool2 957843049 946452509 11390540 99% /mnt/pool2
/dev/md1 31260 2996 27328 10% /var
/mnt/pool1/Download 955680150 929946454 25733696 97% /mnt/pool1/jail/Sabnzbd/mnt/Download
devfs 1 1 0 100% /mnt/pool1/jail/Sabnzbd/dev
devfs 1 1 0 100% /mnt/pool1/finch/dev
/usr/jails/sharedfs 955680150 929946454 25733696 97% /mnt/pool1/finch/usr/jails/openvpn/sharedfs
/mnt/pool1/data 25733727 31 25733696 0% /mnt/pool1/finch/usr/jails/openvpn/mnt/pool1/data
devfs 1 1 0 100% /mnt/pool1/finch/usr/jails/openvpn/dev <--------------------------- this line has been added :)

So just to query (again I know you don't use openvpn yourself so apologies for being annoying) - when attempting to install openvpn I'll install in:
/mnt/pool1/finch/usr/jails/openvpn and use the tmp, var and usr folders in there? (I was wrong in my previous post, it was late and I was sleepy).

I can't thank you enough. Between your guides and extra help on here you have led me through a process that to be honest I was tempted not to try because it was all so foreign to me. I'm really impressed with finch and will hopefully get my vpn set up inside the jail now.

Good job and thanks for all the hard work!


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

eldude_123 wrote: So just to query (again I know you don't use openvpn yourself so apologies for being annoying) - when attempting to install openvpn I'll install in:
/mnt/pool1/finch/usr/jails/openvpn and use the tmp, var and usr folders in there?
Yes.

# Enter the jail
qjail console openvpn

# Search for matching packages in FreeBSD's official pkgng repository
pkg search "openvpn"

# Install openvpn from the FreeBSD PKGNG repo
pkg install openvpn

# Configure openvpn....
<this bit take from other previous Brig installation guides>


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Legend - I know what I'll be doing later tonight. Lol the exciting Friday nights I live.

Brilliant, will keep you posted. Hopefully (fingers crossed) I'll have a working VPN on my nas at last


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

Great. However don't be surprised if there are some issues to get OpenVPN working. It's a tough one to get right.

Pity that "openVPN Access Server" is closed-source w/ a license free. It is not available on FreeBSD.

http://openvpn.net/index.php/access-ser ... rview.html

That could have been a simpler and easier way to configure openVPN. You can still trial it out in a VMWare session (by downloading their .VHD file)... Or on Linux. Ah well.

http://openvpn.net/index.php/access-ser ... guide.html

One thing though: FreeBSD does have linux binary compatibility. So there is still 'a chance' of installing one of these linux .rpm or .deb package of it. Would be pretty hard to do though.


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

hmm from looking into this this may be a bit beyond me. Need to reread everything I have again and hopefully get through it! Bit of a brain melter unfortunately!
Have installed as per your original instructions (did it before I saw your more recent post) but the configuration looks difficult to say the least

thanks


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

hmmm, following these 2 guides: http://geekfreely.blogspot.co.uk/2014/0 ... 4free.html (mainly using this one) + http://torguard.net/knowledgebase.php?a ... icle&id=85. In the first guide I've gotten to the step where you edit the openvpn.conf (which I have just renamed a .ovpn file to get) and everything in the config is fine except instead of having ca openvpn.crt, I have ca globalca.crt - this was the original name of the .crt file so not sure why it's not updating itself!

According to the guide this is an important step so need to try a few others and see if i have any luck


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

this is really weird - no matter what i try when i go to edit for openvpn.conf it ALWAYS shows as ca globalca.crt instead of ca openvpn.crt - I have renamed this it doesn't make any sense


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

These are good guides. Although perhaps don't use TORGuard. b/c HMA is cheaper (if paid annually), and has more IPs.

http://www.hidemyass.com/vpn/
=====================================================================

Here are 2 more guides:

openVPN as a client connecting to HMA
https://support.hidemyass.com/entries/2 ... anual-way-

Use openVPN as Private VPN server:
http://joepaetzel.com/2013/09/22/openvp ... eenas-9-1/

=====================================================================

Also, probably not very helpful! But if you type:

pkg query %Fp openvpn
it will list all of the files that were installed for openvpn pkg. I see one of the folders is:

/usr/local/share/examples/openvpn/
It says:

Sample OpenVPN Configuration Files.

These files are part of the OpenVPN HOWTO
which is located at:
http://openvpn.net/howto.html


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

Or if you get really stuck, doesn't hurt to ask for help on #openvpn IRC channel (FreeNode / IRCNet servers).

http://webchat.freenode.net/


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Using the command: pkg query %Fp openvpn seems to look like everything has installed fine.

Thanks for the link, I've already created a post on the OpenVPN forum and have also messaged tech support at TorGuard so hopefully someone can help! Will be cancelling my TorGuard account if they can't help and switching to someone else!

Thanks


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Torguard's response was just to manually update the line in the config from ca globalca.crt to ca openvpn.crt - does this seem advisable? I kind of thought it would have to update itself for it to work so I'm kind of hesitant to do that. Although I suppose may be worth a bash - can always delete the config file afterwards I guess?


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Followed Torguard's suggestion and renamed the ca globalca.crt to openvpn.crt by editing the line in the openvpn.conf.

Following the 2 guides I mentioned earlier. Geek friendly one - I've got to the step:
Test OpenVPN connection:
/usr/local/etc/openvpn/openvpn onestart /usr/local/etc/openvpn/openvpn.conf <--- this worked and started openvpn (when done from inside the openvpn jail console).
Then added the 2 startup variables to my Nas' rc.conf via the NAS4Free webgui.

Tried to download the test legal torrent advised in the guide but it didn't start. (Although a different torrent from another site started no problem). Went to the TorGuard guide I mentioned previously and tried the command to test if it was working:
ifconfig tun0 <---- it just says that "interface tun0 does not exist".
I definitely have a dev tun in my openvpn.conf file and have put the startup variable relating tun this in rc.conf of my NAS.

2 possible reasons I thought it might not work:
1: my nas can't see the jail (which doesn't seem possible as I got them all linked together previously)
2. I'm missing something to do with the tun setting. In the qjail openvpn console I've tried a few different tun values (ie tun, tun0, tun1) and it always says that it doesn't exist.

Not sure how to enable the tun interface, I thought it would just do it automatically now that I have everything setup.

Anyone got any idea why it is not working properly?

Thanks

EDIT: Interestingly when I was going to turn the NAS off I thought I would use the command (from within the openvpn jail console):

/usr/local/etc/openvpn/openvpn onestop /usr/local/etc/openvpn/openvpn.conf

and it said "openvpn not running? (check /var/run/openvpn.pid)" - don't understand why it's not running cause I just started it!

Checked this file and all it had in it was a number :3267 - completely blank otherwise

Thought I would restart openvpn again - this works, accidentally tried to start it again and it said "openvpn already running? (pid=3601)" however when I immediately tried to stop openvpn it then said openvpn wasn't running again - so confused!


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

eldude_123 wrote: Then added the 2 startup variables to my Nas' rc.conf via the NAS4Free webgui.
You should be editing the file "/etc/rc.conf" which is inside your openvpn jail. Not the one of the NAS4Free host system - because openvpn isn't installed there!

Tried to download the test legal torrent advised in the guide but it didn't start. (Although a different torrent from another site started no problem). Went to the TorGuard guide I mentioned previously and tried the command to test if it was working:
eldude_123 wrote: ifconfig tun0 <---- it just says that "interface tun0 does not exist".
"ifconfig -a" will list all the network devices that are visible from inside your jail... This is where openvpn can get problematic because jails have certain restrictions especially in respect to networking. If openvpn hasn't created the tun0 device then that might be the reason... or it might simply be because openvpn isn't running / wasn't executed.

Bear in mind also you are using openvpn here as client not server. And bit-torrent isn't inside your jail.

What you might try is to chroot into the jail folder. The difference is that chroot is only on the file structure. So then openvpn has full access to the kernel, its networking stack, etc. This would get around (most of, nearly all of) those typical FreeBSD jail restrictions.

Here is how to do that:

! First: stop the jail.

sudo finch chroot
qjail stop openvpn
qjail config -m openvpn # sets jail to manual mode (jail won't start at boot time)
Then:

jailname="openvpn"
mount -t devfs devfs /mnt/pool0/finch/usr/jails/${jailname}/dev
mount_nullfs /usr/jails/sharedfs /usr/jails/${jailname}/sharedfs/
chroot /mnt/pool0/finch/usr/jails/${jailname}
sudo bash -l
Which will put you in an interactive shell.

From there you can:
* Try the onestart again (manual launch of openvpn).
* Use "top" command or "ps -aux" to see if openvpn is running.

If that works, then can write an rc.d script to run those cmds at boot time and put in finch's "/usr/local/etc/rc.d" startup folder.

Except at the end (those last 2 lines), would instead be:

cmd="<***put here command to start openvpn service inside the chroot'd jail folder**>"
chroot /mnt/pool0/finch/usr/jails/${jailname} $cmd
I have successfully run virtualbox this way, which needed special access to the networking devices. It worked just like as if you were inside the main host's environment. And solved the networking block / "operation not permitted" etc. errors.

Another way for networking inside jails is to use a FreeBSD feature known as "VNET" / "options VIMAGE". However nas4free's kernel doesn't have that option compiled into it. The option IS present on FreeNAS (one of the reasons why I am using FreeNAS right now)... Sent a patch to zoon for him to include it. Since 25th May no response as to whether he will / won't include "options VIMAGE" in future nas4free kernels.

So chroot is probably your best bet. You should definitely look inside your openvpn's log file(s). Default location for log files is "/var/log". Make sure it's writing logs at all. If you can't find them then "lsof" will list open files by running process id (pid).


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

Thanks man, I'll try this when at home later. Yeah regarding the rc.conf that was one of the things I was confused about - not sure which folders can see each other between the NAS and the jail so thought it might have worked.

Sorry if it seemed like I was being daft, this is all a bit new to me!

Many thanks again for all your help, it's massively appreciated, especially considering how many questions I've been asking!

I'll try it later and let you know how it goes :)


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

If you search "freebsd openvpn in a jail", it turns up some useful information about the tun0 device.

http://forums.freebsd.org/showthread.php?t=22143

That is a more elegant way than doing chroot jail which I had advised you yesterday...

You add the line "cloned_interfaces=tun" to finch's rc.conf file:

sudo finch chroot
sysrc "cloned_interfaces=tun"
...will do that.

Create devfs rules file as it says there...

sudo finch chroot
cp "/etc/defaults/devfs.rules" "/etc/devfs.rules"
And (when you put those lines to unhide tun) - choose a rule number for that ruleset.

Now: small problem.

# ! qjail does not allow configuring devfs ruleset
Below you should put <your_chosen_devfs_ruleset_number> instead of "10".

# ! create new qjail cmd
cp /usr/local/bin/qjail /usr/local/bin/qjail-dev10
sed -i -e 's/devfs_ruleset       =  ..4../devfs_ruleset       =  \\"10\\"/' /usr/local/bin/qjail-dev10
... or just use "10" for your jail to see all of the /dev devices (less secure).

Now:

The only thing left is to figure out how to get "qjail-dev10 start openvpn" to be executed at rc.d startup. As things stand, the command will be the original "qjail" program (not our modified one) - that is the wrong ruleset.

You can start correctly open jail with "qjail-dev10 start openvpn". So maybe put into manual mode (to exclude it), then put the correct jail start cmd into your own custom rc.d / boot script?

Another thing:

If the jail needs to see "tun0" device, you may / may not need to edit the IP address string. The syntax is:

,<interface>|<ip>,
For example:

qjail config -4 "192.168.1.207,lo0|127.0.0.207,tun0|<tun0's_ip_address.207>" openvpn
Will edit the list of ip addresses assigned to your jail.
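
For the devfs step in the post above, a ruleset that exposes only the tun devices keeps the rest of /dev hidden from the jail. This is an added example, not from the thread or the linked FreeBSD forum post: it prints such a ruleset for a chosen number and refuses a number already defined in the rules file. The ruleset name devfsrules_jail_openvpn and the function names are made up for the example, and the sample rules file is a constructed, shortened stand-in for /etc/defaults/devfs.rules.

```shell
#!/bin/sh
# Added example, not from the thread. The sample rules file is constructed.

# Print the ruleset numbers defined in devfs.rules text read from stdin.
# Ruleset headers have the form [name=number].
used_rulesets() {
    sed -n 's/^\[[A-Za-z0-9_]*=\([0-9][0-9]*\)\].*/\1/p'
}

# tun_ruleset NUMBER RULES_FILE
# Print a ruleset that hides everything, then unhides the basic devices, the
# login devices and tun*. Returns 1 if NUMBER is already used in RULES_FILE,
# 2 if NUMBER is not a plain number.
tun_ruleset() {
    num=$1
    rules=$2
    case $num in
        ''|*[!0-9]*) echo "ruleset number must be numeric" >&2; return 2 ;;
    esac
    if used_rulesets < "$rules" | grep -qx -- "$num"; then
        echo "ruleset $num is already defined in $rules" >&2
        return 1
    fi
    # devfsrules_jail_openvpn is a hypothetical name chosen for this example.
    cat <<EOF
[devfsrules_jail_openvpn=$num]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'tun*' unhide
EOF
}

# Constructed, shortened stand-in for /etc/defaults/devfs.rules.
write_sample_rules() {
    cat > "$1" <<'EOF'
[devfsrules_hide_all=1]
add hide

[devfsrules_unhide_basic=2]
add path null unhide

[devfsrules_unhide_login=3]
add path 'pts/*' unhide

[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
EOF
}

# Demo: 4 is taken by the default jail ruleset, 10 is free.
sample=$(mktemp)
write_sample_rules "$sample"
tun_ruleset 4 "$sample" || echo "pick another number"
tun_ruleset 10 "$sample"
rm -f "$sample"
```

The printed ruleset is what would be appended to the "/etc/devfs.rules" copy made in the post; the number passed in is the one that then replaces "10" in the sed command.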


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by dreamcat4 »

Your 3rd option is to just install openvpn directly into Finch itself (no jail). To get around the tun0 problem...

I only suggest that because: openvpn has few dependencies = less likely to make a big mess. :)


Re: Finch - OpenVPN, Sabnzbd, CouchPotato, SickBeard, etc, e

Post by eldude_123 »

hi mate thanks for all the info. I've been working all day and come home to a flooded kitchen so won't get a chance to do this tonight, got a major cleanup to do - will try tomorrow or next day and let you know how i get on. thanks for all the help
