How to jail VPN on a router?

Yes, this is truly an irrelevant question and should be left unanswered.

I wouldn't call it "irrelevant"; incomprehensible would be a much better description, for me, anyway. I haven't the faintest idea of what the question means. The only time I've come across "jail" in relation to IT is the jailbreaking of devices such as mobile phones. So it's not impossible that the reason there's been no response is not because people consider the question irrelevant so much as unclear.

If you give a bit more detail, using terminology people are familiar with, I'm certain that you will start to get responses from the dedicated forum members who freely give of their expertise and ask for nothing in return.
 
How to put OpenVPN server into jail using Asus Merlin fw?

you mean chroot? like this?

or, if want to configure chroot on your router for any service, maybe you can start here:

Code:
ramon@ac66u:/tmp/home/root# opkg list | grep chroot
coreutils-chroot - 8.23-2 - Full version of standard GNU chroot utility.
 
Yes, I mean:

user nobody
group nobody

chroot jail

I am off checking your response.
 
Jail rooting is not realistic, because the implementation relies on external files that are scattered throughout the filesystem (such as the key/certs being located within /jffs/openvpn/ ).
 
Running openvpn in a chroot jail is possible on merlin's firmware. It's not necessary to install entware or optware. Support for chroot environments is provided in the kernel. In addition, openvpn has been written to support chroot environments.
I've been running openvpn in a chroot environment for quite a while without issues. I highly recommend running it in a jail to add another layer of security to the server process, which ordinarily makes a tempting target for hackers. Key things to remember:

1. Openvpn must be run as an unprivileged user in the jail, else it's possible to break out of the jail.
2. Pay attention to directory permissions and ownership of each directory at and within the jail.
3. If you use a CRL, it must be copied to the jail before openvpn is started.

A broad overview:

1. Using merlin's passwd.add, shadow.add & group.add config files under /jffs/configs/ add an unprivileged user and group. In the password field in shadow.add, use "*" to set an invalid password. It may help to use the existing user "nobody" as a template.

2. Create a jail directory. I find it simpler to create it under the user's home directory. Place the directory creation commands in a script such as /jffs/scripts/init-start
E.g. /tmp/home/jailuser/jail/tmp/
Permissions would be like so:
jail: 755 owner: root group: root
tmp: 1777 owner: root group: root

A tmp directory is needed for openvpn to run.

3. Configure openvpn server to launch itself in a chroot environment. In merlin's openvpn server gui, add these options:
User <jailuser>
Group <jailgroup>
Chroot <jaildir>

In the example above, <jaildir> is /tmp/home/jailuser/jail/ .

4. If you use a CRL, copy it to the jail dir as part of the init-start script.
E.g.
cp /jffs/openvpn/vpn_crt_server1_crl /tmp/home/jailuser/jail/crl.pem
chmod 644 /tmp/home/jailuser/jail/crl.pem

More info can be found on this Webpage:
https://community.openvpn.net/openvpn/wiki/HOWTO#chrootnon-Windowsonly
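As an added example (not the poster's script), here is an init-start style shell function that performs steps 2 and 4 above: it builds the jail tree with the stated permissions and copies the CRL in before openvpn starts. The jail path /tmp/home/jailuser/jail and the CRL path /jffs/openvpn/vpn_crt_server1_crl are taken from the post; the function parameters and the `--router` switch are additions so it can be exercised against any directory.

```shell
#!/bin/sh
# Builds the OpenVPN chroot jail described in the thread.
# $1 = jail directory, $2 = CRL file to copy into the jail (optional)
#   <jail>      755  root:root
#   <jail>/tmp  1777 root:root   (openvpn needs a tmp dir to run)
#   <jail>/crl.pem 644           (must exist before openvpn chroots)
make_openvpn_jail() {
    jail="$1"
    crl="$2"

    mkdir -p "$jail/tmp"   || return 1
    chmod 755 "$jail"      || return 1
    chmod 1777 "$jail/tmp" || return 1

    # On the router init-start runs as root, so the directories are given to
    # root:root. When run unprivileged (e.g. while testing) chown is skipped.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$jail" "$jail/tmp" || return 1
    fi

    # After chroot, openvpn can no longer reach /jffs/openvpn/, so the CRL
    # is copied into the jail now and referenced from there in the config.
    if [ -n "$crl" ]; then
        cp "$crl" "$jail/crl.pem"  || return 1
        chmod 644 "$jail/crl.pem" || return 1
    fi
    return 0
}

# Helper for checking the result: octal mode of a path (GNU/busybox stat).
mode_of() {
    stat -c '%a' "$1"
}

# Invoked as /jffs/scripts/init-start on the router with the post's paths.
# The --router switch is an assumption added here so sourcing the file for
# tests does not touch the real jail directory.
if [ "${1:-}" = "--router" ]; then
    make_openvpn_jail /tmp/home/jailuser/jail /jffs/openvpn/vpn_crt_server1_crl
fi
```

With the jail in place, the User/Group/Chroot lines from step 3 point openvpn at /tmp/home/jailuser/jail, and the CRL is referenced as crl.pem relative to that root.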
 