From: Morgan Reed
Date: Fri, 21 Oct 2011 13:02:40 +1100
To: freebsd-stable@freebsd.org
Subject: Accessing tun devices from inside a Jail

Hi all,

I'm currently attempting to set up, I suppose you'd call it, a multi-VPN-tunnel gateway.
Basically I have several OpenVPN servers in different locations. I want to have various tunnels up to them and be able to choose an exit by way of pointing my browser at a particular instance of Squid running in a particular jail which routes via a particular tunnel (HTTP/S traffic is the primary concern at this point, though I might want to extend the concept to all traffic in future).

First issue I ran into was routing tables; that was resolved by recompiling my kernel with option ROUTETABLES=10 and pointing each of my jails to their own FIB. However, as it's not possible to configure route tables from inside the jail (as far as I'm aware anyway), I need to bring the OpenVPN tunnel up from the host and utilise a route-up script to configure the routing table for the jail (utilising setfib). I run into problems though, as even though the tun device is visible in the jail it does not appear to be configured (no IP addresses, etc.), so the jail is unable to route traffic.

All the stuff I've been able to find online has been geared to static addresses on each end of the tunnel; this is not the case with my VPN provider, tunnel addresses are dynamically assigned.

I think that worst case I can probably use pf on the host to route traffic from a given jail via a particular interface, or possibly cobble something up around VIMAGE, but I think I'd rather not have to go down those paths.

I'm not sure if what I'm looking for is actually possible; any suggestions would be much appreciated.

Thanks,
Morgan
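The host-side route-up script the post describes, as an added example (not Morgan's script and not part of the thread): it reads the dynamically assigned tunnel gateway from OpenVPN's environment and installs it as the default route of the jail's FIB with setfib. It assumes OpenVPN on the host is started with `script-security 2`, `route-noexec` (so OpenVPN leaves FIB 0 alone) and `setenv FIB <n>` naming the jail's FIB, that the jail runs with that FIB, and that `net.add_addr_allfibs` is at its default so the tun's point-to-point route is already present in every FIB. The `FIB` variable name and the validation helpers are this example's own choices.

```shell
#!/bin/sh
# Added example: OpenVPN route-up script installing the tunnel default route
# into a jail's FIB on the host. OpenVPN exports script_type, dev and
# route_vpn_gateway; FIB comes from "setenv FIB <n>" in the instance config.

# The interface name and gateway are pushed by the remote VPN server, and this
# script runs as root on the host, so reject anything that is not a plain
# tunN name, a dotted-quad IPv4 address or a small integer before it reaches
# route(8).
is_tun() { case "$1" in tun[0-9]|tun[0-9][0-9]) return 0;; *) return 1;; esac; }
is_fib() { case "$1" in ''|*[!0-9]*) return 1;; *) return 0;; esac; }
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for o in $1; do [ "$o" -le 255 ] || { IFS=$old_ifs; return 1; }; done
    IFS=$old_ifs
    return 0
}

# Print the route(8) commands for one FIB, one per line; non-zero status if
# any input fails validation. Only the named FIB is touched, never FIB 0.
build_fib_cmds() {
    fib=$1 dev=$2 gw=$3
    is_fib "$fib" && is_tun "$dev" && is_ipv4 "$gw" || return 1
    printf 'setfib %s route -n delete default\n' "$fib"
    printf 'setfib %s route -n add default %s\n' "$fib" "$gw"
}

# Act only when OpenVPN invokes us as a route-up hook; sourcing the file
# elsewhere just defines the functions.
if [ "${script_type:-}" = "route-up" ]; then
    cmds=$(build_fib_cmds "${FIB:-}" "${dev:-}" "${route_vpn_gateway:-}") || {
        echo "route-up: refusing FIB=${FIB:-} dev=${dev:-} gw=${route_vpn_gateway:-}" >&2
        exit 1
    }
    echo "$cmds" | while read -r c; do $c; done
fi
```

A matching `route-pre-down` script would delete the FIB's default route again when the tunnel drops, so the jail fails closed instead of falling back to whatever route is left.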