rcorder for vpn-like tunnels during early rc.d startup


rcorder for vpn-like tunnels during early rc.d startup

Dave Cottlehuber-2
I have a port[1] net/zerotier that provides a p2p layer2+ vpn via tap(4) interfaces. Ideally zerotier/zt would be available early enough during boot that later daemons such as ssh and other network services would be able to bind to those interfaces.

I've tried a variety of tricks to achieve the following outcomes:

- start after netif
- default route is available so that zt can initialise itself
- started before firewalls and later network daemons

I have this working for DHCP, but not for statically assigned IPs.

Any suggestions on what else I could try?

The patch[2] achieves this for DHCP systems, as the default route is made available during `netif`, but for statically assigned systems, it arrives later with `routing`. Trying to include routing in the REQUIRE section results in the expected circular dependency, and the startup daemon hangs in the check loop as the default route isn't available to it yet.

# rcorder /usr/local/etc/rc.d/* /etc/rc.d/* |less
rcorder: Circular dependency on provision `routing' in file `/usr/local/etc/rc.d/zerotier'.
/etc/rc.d/netif
/etc/rc.d/devd
/etc/rc.d/zfsd
/etc/rc.d/ipsec
/etc/rc.d/stf
/etc/rc.d/defaultroute
/etc/rc.d/devfs
/usr/local/etc/rc.d/zerotier
/etc/rc.d/pfsync
/etc/rc.d/pflog
/etc/rc.d/pf
/etc/rc.d/ppp
/etc/rc.d/routing
/etc/rc.d/ipfw
/etc/rc.d/netwait
/etc/rc.d/resolv

[1]: https://freshports.org/net/zerotier
[2]: https://reviews.freebsd.org/D18533
[3]: https://www.freebsd.org/cgi/man.cgi?query=if_tap

A+
Dave
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[hidden email]"

Re: rcorder for vpn-like tunnels during early rc.d startup

Eugene Grosbein-10
22.12.2018 21:01, Dave Cottlehuber wrote:

> I have a port[1] net/zerotier that provides a p2p layer2+ vpn via tap(4) interfaces.
> Ideally zerotier/zt would be available early enough during boot that later daemons
> such as ssh and other network services would be able to bind to those interfaces.

You should not try to make it start before packet filters, that is wrong
and may sometimes even partially defeat security goals of VPN networking.
The whole system of FreeBSD rc.d script dependencies assumes
that packet filters initialize before the network is fully operational.

Take a look at the base system's /etc/rc.d/ppp for an example of a tunneling daemon
that starts as early as possible. Another example is /etc/rc.d/local_unbound
that needs fully operating networking but starts early enough to provide DNS services
for ssh and others: in FreeBSD 12.0+ it REQUIREs the "defaultroute" and "netwait" features.


Re: rcorder for vpn-like tunnels during early rc.d startup

Craig Leres-3
On 12/22/18 7:18 AM, Eugene Grosbein wrote:
> You should not try to make it start before packet filters, that is wrong

How should I handle the case where I start several openvpn tunnels and
have references to them in my pf.conf? My solution was to write a rc.d
script that gives a configured list of tun devices up to a minute to
come up and then do a "service pf reload".

                Craig
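The approach Craig describes (wait a bounded time for the tunnel interfaces, then reload pf once) also sidesteps the circular REQUIRE problem from the opening post, because the firewall keeps its normal early position and only its tables and rules are refreshed later. The script below is an added example and not Craig's own script or anything from the zerotier port. It assumes ifconfig(8) is the presence probe and `service pf reload` is the reload command; both are plain variables so they can be replaced, and the interface list and timeout are constructed defaults meant to be overridden from the environment or rc.conf.

```sh
#!/bin/sh
# Added example (not Craig's script): wait for a configured list of tunnel
# interfaces to appear, then reload pf once so rules that name them load.
# Assumptions: presence is probed with ifconfig(8); the probe function and the
# reload command live in variables so they can be swapped out when testing.

: "${VPN_IFACES:=tun0 tun1}"        # constructed default list; override via env
: "${VPN_WAIT_TIMEOUT:=60}"         # seconds; the post says "up to a minute"
: "${IFACE_CHECK:=iface_exists}"    # name of a function taking one interface
: "${PF_RELOAD:=service pf reload}"

# Real probe: ifconfig exits non-zero for an interface that does not exist.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# Print the names from $1 that the probe does not find yet (space separated).
missing_ifaces() {
    for _if in $1; do
        "$IFACE_CHECK" "$_if" || printf '%s ' "$_if"
    done
}

# wait_for_ifaces TIMEOUT "if0 if1 ..." -> 0 when all are present, 1 on timeout.
# Polls once per second; a timeout of 0 means a single check.
wait_for_ifaces() {
    _deadline=$1
    _wanted=$2
    _elapsed=0
    while :; do
        _missing=$(missing_ifaces "$_wanted")
        [ -z "$_missing" ] && return 0
        [ "$_elapsed" -ge "$_deadline" ] && break
        sleep 1
        _elapsed=$((_elapsed + 1))
    done
    echo "timed out after ${_deadline}s; still missing: $_missing" >&2
    return 1
}

# Reload pf only when every tunnel is up. On timeout the running ruleset is
# left alone and the failure is reported, instead of loading a pf.conf that
# refers to interfaces which do not exist.
vpn_pf_reload() {
    if wait_for_ifaces "$VPN_WAIT_TIMEOUT" "$VPN_IFACES"; then
        $PF_RELOAD
    else
        return 1
    fi
}

# rc.d-style entry point: only "start" is handled; with no argument the
# functions are merely defined, so the file can also be sourced.
case "${1:-}" in
    start) vpn_pf_reload ;;
esac
```

To turn this into a real rc.d script, keep the functions and wrap the entry point with rc.subr's `start_cmd`, giving it `# REQUIRE: pf openvpn` (or whichever tunnel daemons you run) so it is ordered after both the filter and the tunnels it waits for.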

Re: rcorder for vpn-like tunnels during early rc.d startup

Eugene Grosbein-10
23.12.2018 1:22, Craig Leres wrote:

> On 12/22/18 7:18 AM, Eugene Grosbein wrote:
>> You should not try to make it start before packet filters, that is wrong
>
> How should I handle the case where I start several openvpn tunnels and have references to them in my pf.conf? My solution was to write a rc.d script that gives a configured list of tun devices up to a minute to come up and then do a "service pf reload".

And this is the right thing to do :-)
I mean, if your filtering rules depend on an ever-changing list of interfaces,
just reconfigure the filter when the list changes
or better teach the filter to catch up with changes automatically, if possible.



Re: rcorder for vpn-like tunnels during early rc.d startup

Willem Jan Withagen-2
On 22/12/2018 19:28, Eugene Grosbein wrote:

> 23.12.2018 1:22, Craig Leres wrote:
>
>> On 12/22/18 7:18 AM, Eugene Grosbein wrote:
>>> You should not try to make it start before packet filters, that is wrong
>>
>> How should I handle the case where I start several openvpn tunnels and have references to them in my pf.conf? My solution was to write a rc.d script that gives a configured list of tun devices up to a minute to come up and then do a "service pf reload".
>
> And this is right thing to do :-)
> I mean, if your filtering rules depend on ever-changing list of interfaces,
> just reconfigure the filter when the list changes
> or better teach the filter to catch up with changes automatically, if possible.

Might want to use the ifup/ifdown scripts to add the specifics for the
VPN that just came up. The tricky part is how to get things in the tables at
the right place.

So with IPFW I use specific line numbers reserved to insert certain
rules (using counter rules to split the fw code into blocks).

But it sort of feels like going back to 80's BASIC programming.

--WjW



Re: rcorder for vpn-like tunnels during early rc.d startup

Eugene Grosbein-10
On 27.12.2018 18:09, Willem Jan Withagen wrote:

> Might want to use the ifup/ifdown scripts to add the specifics for the
> VPN that just came up. Tricky part is how to get things in the tables at
> the right place.
>
> So with IPFW I use specific line numbers reserved to insert certain
> rules. (using counter rules to split the fw code into blocks)
>
> But it sort of feels like going back in the 80's basic programming.

The current ipfw implementation allows you to use 'tun*' or a table containing interface names:

ipfw table NAME create type iface
ipfw add 2000 allow ip from any to any via 'table(NAME)'

ipfw table NAME add tap0
ipfw table NAME add tun0

Note you do not have to change the ruleset at all; you add or delete table records only.


Re: rcorder for vpn-like tunnels during early rc.d startup

Willem Jan Withagen-2
On 27/12/2018 12:38, Eugene Grosbein wrote:

> On 27.12.2018 18:09, Willem Jan Withagen wrote:
>
>> Might want to use the ifup/ifdown scripts to add the specifics for the
>> VPN that just came up. Tricky part is how to get things in the tables at
>> the right place.
>>
>> So with IPFW I use specific line numbers reserved to insert certain
>> rules. (using counter rules to split the fw code into blocks)
>>
>> But it sort of feels like going back in the 80's basic programming.
> Current ipfw implementation allows you to use 'tun*' or table containing interface names:
>
> ipfw table NAME create type iface
> ipfw add 2000 allow ip from any to any via 'table(NAME)'
>
> ipfw table NAME add tap0
> ipfw table NAME add tun0
>
> Note you do not have to change ruleset at all; you add or delete table records only.
>
Nice,

I was wondering about this, if tables would work for that.

That is fine if all your VPNs have the same rules, but if they have
different properties and are in- and outgoing you will want a bit more
control over what's going on.
Hence my basic feeling.... :)

--WjW



Re: rcorder for vpn-like tunnels during early rc.d startup

Andrey V. Elsukov
On 27.12.2018 15:31, Willem Jan Withagen wrote:
> I was wondering about this, if tables would work for that.
>
> That is fine if all your VPNs have the same rules, but if they have
> different properties and are in and outgoing you will want a bit more
> control over whats going on.
> Hence my basic feeling.... :)

You can use the "tablearg" feature and just do "skipto" to rules specific to
your special tunnel. Such rules will work only for the needed tunnel.

--
WBR, Andrey V. Elsukov
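The three suggestions above (Willem's ifup/ifdown hooks, Eugene's interface table, Andrey's `skipto tablearg`) fit together into one scheme: the ruleset is loaded once and never edited, one dispatch rule jumps to a per-tunnel block whose number is stored as the table value, and the hooks only add or delete table entries. The script below is an added example, not code from any of the posters or from the ipfw project. It assumes ipfw(8) with interface tables and `valtype skipto` (present since FreeBSD 11), takes the `ipfw` binary from `$IPFW` so the generated commands can be printed instead of executed, and uses a constructed `iface:block` mapping, table name and rule numbers.

```sh
#!/bin/sh
# Added example (not from the thread's authors): a static ipfw ruleset that
# dispatches per-tunnel traffic with a single "skipto tablearg" rule, plus the
# hooks an ifup/ifdown script would call to enrol or remove a tunnel.
# Assumptions: ipfw(8) with interface tables and "valtype skipto"; the ipfw
# binary comes from $IPFW (set IPFW=echo to print the commands instead).

: "${IPFW:=ipfw}"
: "${VPN_TABLE:=vpn_ifs}"               # constructed table name
: "${DISPATCH_RULE:=2000}"              # number of the single dispatch rule
: "${VPN_BLOCKS:=tun0:3000 tun1:3100}"  # constructed mapping iface:rule-block

# block_for IFACE -> prints the rule number that interface's traffic skips to;
# returns 1 when the interface is not in the mapping.
block_for() {
    for _pair in $VPN_BLOCKS; do
        [ "${_pair%%:*}" = "$1" ] && { echo "${_pair#*:}"; return 0; }
    done
    return 1
}

# Every block must be numeric, lie after the dispatch rule (skipto only jumps
# forward) and be unique, otherwise two tunnels would silently share a block.
check_blocks() {
    _seen=" "
    for _pair in $VPN_BLOCKS; do
        _blk=${_pair#*:}
        case $_blk in ''|*[!0-9]*) echo "bad block in $_pair" >&2; return 1 ;; esac
        [ "$_blk" -gt "$DISPATCH_RULE" ] || { echo "$_pair: block must be > $DISPATCH_RULE" >&2; return 1; }
        case $_seen in *" $_blk "*) echo "duplicate block $_blk" >&2; return 1 ;; esac
        _seen="$_seen$_blk "
    done
}

# Load the static part: a table keyed by interface name whose value is a rule
# number, the dispatch rule, and one block of rules per tunnel. Interfaces are
# deliberately NOT added here; the ifup hook adds them once they really exist,
# so the ruleset loads cleanly before any tunnel is up.
load_ruleset() {
    check_blocks || return 1
    $IPFW table "$VPN_TABLE" create type iface valtype skipto
    $IPFW add "$DISPATCH_RULE" skipto tablearg ip from any to any via "table($VPN_TABLE)"
    for _pair in $VPN_BLOCKS; do
        _if=${_pair%%:*}
        _blk=${_pair#*:}
        # Per-tunnel block: the place for policy that differs between VPNs.
        # Placeholder policy: pass established TCP, drop everything else on
        # that interface. Both rules are terminal, so nothing falls through.
        $IPFW add "$_blk" allow tcp from any to any via "$_if" established
        $IPFW add "$_blk" deny ip from any to any via "$_if"
    done
}

# ifup hook: enrol the interface; the table value is its rule block.
vpn_iface_up() {
    _blk=$(block_for "$1") || { echo "no block configured for $1" >&2; return 1; }
    $IPFW table "$VPN_TABLE" add "$1" "$_blk"
}

# ifdown hook: drop the entry. The ruleset itself is never touched.
vpn_iface_down() {
    $IPFW table "$VPN_TABLE" delete "$1"
}

case "${1:-}" in
    load) load_ruleset ;;
    up)   vpn_iface_up "$2" ;;
    down) vpn_iface_down "$2" ;;
esac
```

Run it as `IPFW=echo sh vpn_ipfw.sh load` to review the generated rules before loading them; a tunnel that is not in the mapping is refused by `vpn_iface_up`, and a duplicate or out-of-range block number is refused before any rule is installed.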



Re: rcorder for vpn-like tunnels during early rc.d startup

Eugene Grosbein-10
In reply to this post by Willem Jan Withagen-2
27.12.2018 19:31, Willem Jan Withagen wrote:

>> Current ipfw implementation allows you to use 'tun*' or table containing interface names:
>>
>> ipfw table NAME create type iface
>> ipfw add 2000 allow ip from any to any via 'table(NAME)'
>>
>> ipfw table NAME add tap0
>> ipfw table NAME add tun0
>>
>> Note you do not have to change ruleset at all; you add or delete table records only.
>>
> Nice,
>
> I was wondering about this, if tables would work for that.
>
> That is fine if all your VPNs have the same rules, but if they have different properties and are in and outgoing you will want a bit more control over whats going on.
> Hence my basic feeling.... :)

You can still create several tables for different properties and process the tables differently.



Re: rcorder for vpn-like tunnels during early rc.d startup

Craig Leres-3
In reply to this post by Willem Jan Withagen-2
On 12/27/18 3:09 AM, Willem Jan Withagen wrote:
> Might want to use the ifup/ifdown scripts to add the specifics for the
> VPN that just came up. Tricky part is how to get things in the tables at
> the right place.

That's a pretty good idea. After I wrote the working "additional rc.d
script" solution I learned about ifup/ifdown scripts, which seem cleaner,
but I never went back to try that method.

> So with IPFW I use specific line numbers reserved to insert certain
> rules. (using counter rules to split the fw code into blocks)

(I like pf and really don't want to go back to ipfw.)

                Craig