ocserv in jail: cannot open /dev/tun

Hi,

I installed net/ocserv 1.1.3 on FreeBSD 13.1 in a jail, and I can create a tun interface inside the jail.
The problem is that net/ocserv tries to access /dev/tun inside my jail, and it obviously fails.

Here is my configuration:
/etc/devfs.conf:
Code:
[devfsrules_jail_overlay=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide
add path 'vpns*' unhide

ezjail variables for vnet and devfs:
Code:
export jail_overlay_devfs_ruleset="5"
export jail_overlay_vnet_enable="YES"
export jail_overlay_vnet_interface="e0b_overlay"
export jail_overlay_exec_prestart0="/usr/local/sbin/jib addm overlay vtnet0 && /sbin/ifconfig e0a_overlay inet 172.16.1.1/30"
export jail_overlay_exec_poststop0="/usr/local/sbin/jib destroy overlay"
export jail_overlay_parameters="allow.raw_sockets=1"

ocserv debug (IP randomized):
Code:
ocserv 53654 - - sec-mod: initiating session for user 'user' (session: 98dgrj)
ocserv 53446 - - main[user]:172.16.1.1:58219 new user session
ocserv 53446 - - main[user]:172.16.1.1:58219 selected IP: 172.16.1.58
ocserv 53446 - - main[user]:172.16.1.1:58219 assigned IPv4: 172.16.1.58
ocserv 53446 - - main: cannot open /dev/tun; falling back to iteration: No such file or directory
ocserv 53446 - - main: tun.c:731: Can't open tun device: File exists
ocserv 53446 - - main[user]:172.16.1.1:58219 failed authentication attempt for user 'user'
ocserv 53446 - - main[user]:172.16.1.1:58219 sending message 'auth cookie reply' to worker
ocserv 53855 - - worker[user]: 172.16.1.1 received auth reply message (value: 3)
ocserv 53855 - - worker[user]: 172.16.1.1 error receiving cookie authentication reply
ocserv 53855 - - worker[user]: 172.16.1.1 failed cookie authentication attempt
ocserv 53446 - - main[user]:172.16.1.1:58219 worker terminated
ocserv 53446 - - main[user]:172.16.1.1:58219 sending msg sm: session close to sec-mod
ocserv 53654 - - sec-mod: received request sm: session close
ocserv 53654 - - sec-mod: cmd [size=42] sm: session close
ocserv 53446 - - main[user]:172.16.1.1:58219 user disconnected (reason: unspecified, rx: 0, tx: 0)
ocserv 53654 - - sec-mod: temporarily closing session for user (session: 98Twrj)
ocserv 53446 - - main: tun.c:781: /dev/tun254: Error destroying interface: Device not configured

Does anyone have an idea how to put /dev/tun in my jail to make net/ocserv work?

EDIT 1: add ocserv debug
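A small triage helper, added here as an example and not part of any post in this thread: it classifies the tun-related lines of an ocserv debug log like the one above and maps each class to the check it points at (a hidden /dev/tun cloning device, a leftover /dev/tunN unit, a failed teardown). The embedded log lines are constructed from the ones in the question; the awk patterns, tag names and hints are my own.

```shell
#!/bin/sh
# Triage helper (added example): classify tun failures in ocserv debug output.
# Tags, printed in the order the log reports them:
#   CLONE_DEV_MISSING  /dev/tun (the cloning device) is not visible to ocserv
#   TUN_UNIT_BUSY      a /dev/tunN unit ocserv iterated to already exists
#   DESTROY_FAILED     ocserv could not destroy the unit it had recorded
classify_tun_failures() {
  awk '
    /cannot open \/dev\/tun;/            { print "CLONE_DEV_MISSING"; next }
    /Can.t open tun device: File exists/ { print "TUN_UNIT_BUSY"; next }
    /Error destroying interface/         { print "DESTROY_FAILED"; next }
  '
}

# What each tag points at when ocserv runs inside a jail.
hint_for() {
  case "$1" in
    CLONE_DEV_MISSING)
      echo "devfs hides /dev/tun: the jail's ruleset (defined in /etc/devfs.rules) must unhide 'tun*'; reload it with 'service devfs restart' and restart the jail so it is applied" ;;
    TUN_UNIT_BUSY)
      echo "a leftover tunN unit exists: destroy it (ifconfig tunN destroy) and restart ocserv" ;;
    DESTROY_FAILED)
      echo "the unit ocserv tried to destroy is not configured: check for stale tun units before restarting" ;;
    *) echo "unknown tag $1" ;;
  esac
}

# Print "TAG: hint" for every tun failure found in the log read from stdin.
triage() {
  classify_tun_failures | while read -r tag; do
    echo "$tag: $(hint_for "$tag")"
  done
}

# Constructed sample in the shape of the ocserv debug lines above (IPs made up).
sample_log() {
  cat <<'EOF'
ocserv 53446 - - main[user]:172.16.1.1:58219 assigned IPv4: 172.16.1.58
ocserv 53446 - - main: cannot open /dev/tun; falling back to iteration: No such file or directory
ocserv 53446 - - main: tun.c:731: Can't open tun device: File exists
ocserv 53446 - - main[user]:172.16.1.1:58219 failed authentication attempt for user 'user'
ocserv 53446 - - main: tun.c:781: /dev/tun254: Error destroying interface: Device not configured
EOF
}

# Stand-alone run over the constructed sample; feed a real log instead of sample_log.
sample_log | triage
```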
 
I don't know much about that, but don't you need a NAT rule? From pf.conf(5):
Code:
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
I have. It's definitely not about the firewall. I think it must be related to the devfs or jail configuration itself.
 
Can't open tun device: File exists
Destroy the device and restart the server.

Edit:
Or maybe in a config file there is a way to tell net/ocserv to use the existing /dev/tun0. Otherwise you can pretty much delete any configuration regarding this. Even the nat rule, ocserv will configure all this automatically.
 
Destroy the device and restart the server.

Edit:
Or maybe in a config file there is a way to tell net/ocserv to use the existing /dev/tun0. Otherwise you can pretty much delete any configuration regarding this. Even the nat rule, ocserv will configure all this automatically.
I created an issue in GitLab for the ocserv project to do so.
 