[OpenIndiana-discuss] OpenVPN inside a Zone

Jonathan Adams t12nslookup at gmail.com
Mon Sep 18 08:56:54 UTC 2017 

my OpenVPN in a zone config (I have the external interface set as NAT over
an etherstub as well):

root at ekrecsrv02:~# dladm show-link
LINK        CLASS     MTU    STATE    BRIDGE     OVER
bnx0        phys      1500   up       --         --
bnx1        phys      1500   up       --         --
vboxnet0    phys      1500   up       --         --
vpninternal0 vnic     1500   up       --         bnx0
etherstub0  etherstub 9000   unknown  --         --
vnic0       vnic      9000   up       --         etherstub0
vpnvnic0    vnic      9000   up       --         etherstub0

root at ekrecsrv02:~# more /etc/ipf/ipnat.conf
map bnx1 192.168.34.0/24 -> 0/32  portmap tcp/udp auto
map bnx1 192.168.34.0/24 -> 0/32

root at ekrecsrv02:~# ifconfig vnic0
vnic0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 9000
index 5
inet 192.168.34.1 netmask ffffff00 broadcast 192.168.34.255
ether 2:8:20:cf:62:f

root at ekrecsrv02:~# zonecfg -z vpnzone info
zonename: vpnzone
zonepath: /zones/vpnzone
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
address not specified
allowed-address not specified
physical: vpninternal0
defrouter not specified
net:
address not specified
allowed-address not specified
physical: vpnvnic0
defrouter not specified
device:
match: /dev/lockstat
device:
match: /dev/tun*


Jon


On 17 September 2017 at 23:46, Till Wegmüller <toasterson at gmail.com> wrote:

> Hi Jim
>
> Yes I have those permisions set. The interface gets set up. The connection
> gets established but OpenVPN Segfaults somewhere during cipher handling.
>
> What version are you using? Have you needed to modify smf to make openvpn
> work?
>
> Greetings
> Till
>
>
> Am 17.09.2017 um 23:48 schrieb Jim Klimov:
>
>> On September 17, 2017 10:17:04 PM GMT+02:00, "Till Wegmüller" <
>> toasterson at gmail.com> wrote:
>>
>>> Hello Everyone
>>>
>>> I am trying to install openvpn into a zone. However I am getting stuck.
>>>
>>> I am getting setpriv error when launching via smf.
>>> I have the priv part of the openindiana.README inside the manifest (it
>>> was there from installation).
>>>
>>> If I Launch OpenVPN via console (no daemon) it runs until "TCPv4_SERVER
>>>
>>> READ [448] from [AF_INET]$CLIENTIP: P_DATA_V2 kid=0 DATA len=447" after
>>>
>>> that it segfaults and dumps core.
>>>
>>> pstack core says
>>>
>>> core 'core' of 9356:    /usr/sbin/openvpn --config
>>> /etc/openvpn/openvpn.conf
>>>   00000000 ???????? (81791e4, 80467f0, c, 1)
>>>   febc4a3a aesni_gcm_init_key (817cde0, 0, 80467f0, 0) + da
>>> febc0491 EVP_CipherInit_ex (817cde0, 0, 0, 0, 80467f0, ffffffff) + 151
>>>   08071409 cipher_ctx_reset (817cde0, 80467f0, 8, 8066edb) + 19
>>> 0806ad62 openvpn_decrypt_aead (a06, 0, 0, 8160648, 814e034, 814d960) +
>>> 232
>>>   0806c4c5 openvpn_decrypt (814db44, a06, 0, 0, 8160648, 814e034) + 75
>>> 080752be process_incoming_link_part1 (814d30c, 813ca90, 0, 8162690) +
>>> 1be
>>> 0809a22a multi_process_incoming_link (80469ec, 814d188, 9, 8072ca7, 8,
>>> 8046a64) + aa
>>>   08092972 multi_tcp_action (0, 80472ec, 8146ac0, 404, 8046f88,
>>> fefd2482) + 532
>>>   08092fad tunnel_server_tcp (8047454, 8047454, 80fd440, 0, 805c173,
>>> fed3a28a) + 3ed
>>>   0809dcd1 openvpn_main (feffb0a8) + 1f1
>>> 0809df8b main     (8047dec, fef5f2c8, 8047e28, 8064e23, 3, 8047e34) +
>>> 1b
>>>   08064e23 _start   (3, 8047ef0, 8047f02, 8047f0b, 0, 8047f25) + 83
>>>
>>> Does anybody have an idea what the setpriv Error could be?
>>> Has anybody a working OpenVPN Server in a zone?
>>>
>>> Thanks in advance for any help
>>> Greetings
>>> Till
>>>
>>> _______________________________________________
>>> openindiana-discuss mailing list
>>> openindiana-discuss at openindiana.org
>>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>>
>>
>> Yes, our router lives in a zone nicely.
>>
>> IIRC there are privs to set for the zone itself, so it is permitted to
>> manipulate the network, and pass the tun/tap device nodes.
>>
>> Jim
>> --
>> Typos courtesy of K-9 Mail on my Android
>>
>>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>

More information about the openindiana-discuss mailing list