From: Matthew Seaman
Organization: Infracaninophile
Date: Fri, 05 Jan 2007 15:28:40 +0000
To: "Marc G. Fournier"
Cc: freebsd-questions@freebsd.org
Subject: Re: VPN server to run in FreeBSD jail ...
Message-ID: <459E6EA8.5040007@infracaninophile.co.uk>

Marc G. Fournier wrote:
> Does anyone know of any software that would allow a client to attach a VPN *to* a
> process running within a FreeBSD jail from a Windows machine?

I believe you can sort-of do this with a certain amount of packet
redirection and firewall trickery, but it isn't very easy and you won't
be able to control anything to do with the VPN from within the jail.

Essentially you do the old trick of creating the jail using an alias
address on the loopback, then add redirection rules in the firewall to
forward traffic to it. If you need to create tap, tun or gif interfaces
to run the VPN software then that has to be done *outside* the jail, as
there's no simple way of making those interfaces visible inside it.

It doesn't help now, but there is work underway to make the whole
network stack clonable under FreeBSD -- meaning each jail gets the
ability to have as many IP numbers as it wants, and to have a separate
firewall from the host system and do all the other networking tricks
you can think of.

http://www.tel.fer.hr/zec/papers/zec-03.pdf

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
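
The loopback-alias and redirection setup described in the message above, sketched as host-side configuration. This is an added example, not part of the original post. It assumes pf as the firewall and the rc.conf jail variables of FreeBSD releases from the time of the message; the interface name, address, jail path, hostname and port are all constructed placeholders.

```conf
# ---- /etc/rc.conf on the host (every value here is an assumed placeholder) ----
# Alias address on the loopback interface; the jail is bound to it.
ifconfig_lo0_alias0="inet 192.168.100.10 netmask 255.255.255.255"
pf_enable="YES"
jail_enable="YES"
jail_list="vpn"
jail_vpn_rootdir="/usr/jails/vpn"      # hypothetical jail root
jail_vpn_hostname="vpn.example.org"    # hypothetical hostname
jail_vpn_ip="192.168.100.10"           # must match the lo0 alias above

# Any tap, tun or gif interface the VPN software needs is created here on
# the host, outside the jail, as the message points out.

# ---- /etc/pf.conf on the host ----
ext_if   = "em0"               # assumed external interface
jail_ip  = "192.168.100.10"    # the lo0 alias the jail owns
vpn_port = "1194"              # placeholder; use your VPN daemon's port

# Translation rules go before filter rules in pf.conf.

# Outbound NAT is not mentioned in the message; it is only needed if the
# jail itself originates connections to the outside.
nat on $ext_if inet from $jail_ip to any -> ($ext_if)

# Inbound: forward only the VPN port to the jail address. Nothing else on
# the host's external address is redirected into the jail.
rdr on $ext_if inet proto udp from any to ($ext_if) port $vpn_port \
    -> $jail_ip port $vpn_port

# rdr is applied before filtering, so the filter rule matches the
# translated destination (the jail address), not the external address.
pass in on $ext_if inet proto udp from any to $jail_ip port $vpn_port keep state
```

Merge the pf.conf lines into the host's existing ruleset rather than replacing it, and check the result with `pfctl -nf /etc/pf.conf` before loading it.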