From owner-freebsd-stable@FreeBSD.ORG Fri Oct 21 14:09:03 2011
From: Stefan Bethke <stb@lassitu.de>
To: Morgan Reed
Cc: freebsd-stable@freebsd.org
Date: Fri, 21 Oct 2011 16:08:59 +0200
Subject: Re: Accessing tun devices from inside a Jail
Message-Id: <76ADAE81-7725-4139-86D9-D1A9E50E5B56@lassitu.de>

On 21.10.2011 at 04:02, Morgan Reed wrote:
> Hi all,
>
> I'm currently attempting to set up, I suppose you'd call it a
> multi-VPN-tunnel gateway. Basically I have several OpenVPN servers in
> different locations. I want to have various tunnels up to them and be
> able to choose an exit by way of pointing my browser at a particular
> instance of Squid running in a particular jail, which routes via a
> particular tunnel (HTTP/S traffic is the primary concern at this
> point, though I might want to extend the concept to all traffic in
> future).

I have a similar setup, but the OpenVPN endpoints are on OpenWrt, with tinyproxy running there. I have a central squid that knows which tinyproxy to use for which URL pattern, and that works quite well.

> The first issue I ran into was routing tables; that was resolved by
> recompiling my kernel with option ROUTETABLES=10 and pointing each of
> my jails to their own FIB. However, as it's not possible to configure
> route tables from inside the jail (as far as I'm aware anyway), I need
> to bring the OpenVPN tunnel up from the host and utilise a route-up
> script to configure the routing table for the jail (utilising setfib).
> I run into problems though, as even though the tun device is visible
> in the jail it does not appear to be configured (no IP addresses, etc.),
> so the jail is unable to route traffic.
>
> All the stuff I've been able to find online has been geared to static
> addresses on each end of the tunnel. This is not the case with my VPN
> provider; tunnel addresses are dynamically assigned.
>
> I think that worst case I can probably use pf on the host to route
> traffic from a given jail via a particular interface, or possibly
> cobble something up around VIMAGE, but I think I'd rather not have to
> go down those paths.
>
> I'm not sure if what I'm looking for is actually possible; any
> suggestions would be much appreciated.

I was trying to enable a set of processes to use a separate DSL interface, with the FreeBSD box terminating the PPPoE connection. I've tried a couple of things:

- I couldn't come up with pf rules that would allow certain processes (i.e. those in a specific jail, or running under a specific user id) to have separate forwarding applied to them. I believe IPFW might be better suited, but I haven't tried.
- VIMAGE and mpd don't like each other, so VIMAGE was out as well.
- VBox with the interface bridged to the DSL interface works fine, but has a lot of overhead.

My OpenVPN hub server is running inside a jail, but the tun interface is preconfigured from outside; the config substitutes /bin/true for ifconfig and route.

HTH, and please report back on any success, I'm definitely interested!

Stefan

-- 
Stefan Bethke   Fon +49 151 14070811
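For the host-side approach Morgan describes (tunnel brought up on the host, a route-up script filling the jail's FIB with setfib), here is an added example of such a hook. It is not code from this thread or from either poster. It assumes the kernel was built with ROUTETABLES, the jail was started under `setfib <FIB>`, and OpenVPN is run on the host with `route-noexec` plus `route-up "/usr/local/etc/openvpn/fib-route-up.sh 3"`, so that OpenVPN still configures tun but only this script installs the tunnel's default route, and only into the jail's FIB rather than FIB 0. The FIB number 3, the script path and all addresses are placeholders; the environment variables used are the ones OpenVPN documents under "Environmental Variables" in openvpn(8), which is what makes dynamically assigned tunnel addresses a non-issue.

```shell
#!/bin/sh
# OpenVPN --route-up hook for a FreeBSD host that steers one jail through one
# tunnel. Added example, not code from this thread. Assumptions:
#   - the kernel has several FIBs (options ROUTETABLES=N) and the jail was
#     started with `setfib <FIB> jail ...`, so FIB <FIB> is the jail's table;
#   - OpenVPN runs on the host with
#         route-noexec
#         route-up "/usr/local/etc/openvpn/fib-route-up.sh 3"
#     so OpenVPN brings up tun but leaves routing to this script, which
#     installs the default route into the jail's FIB only, never FIB 0;
#   - OpenVPN exports the tunnel parameters in the environment (script_type,
#     dev, ifconfig_local, ifconfig_remote, route_vpn_gateway; see
#     "Environmental Variables" in openvpn(8)). The tunnel addresses are
#     assigned by the server at connect time, so nothing is hard-coded here.

# Run a command, or only print it when DRY_RUN=1 (checking without root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address. The gateway value is pushed by the
# VPN server and this script runs as root on the host, so server-supplied
# strings are validated before they reach route(8).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Install (replacing any stale one) the default route of FIB $1 via $2.
install_jail_route() {
    fib=$1; gw=$2
    case "$fib" in
        ''|*[!0-9]*) echo "FIB must be a number, got '$fib'" >&2; return 1 ;;
    esac
    is_ipv4 "$gw" || { echo "bad gateway '$gw'" >&2; return 1; }
    # A previous tunnel instance may have left a default route behind;
    # deleting a route that is not there is not an error worth failing on.
    run setfib "$fib" route -n delete default 2>/dev/null || true
    # The tun interface's connected route is visible in every FIB when
    # net.add_addr_allfibs=1 (the default), so the gateway is reachable from
    # the jail's table even though OpenVPN configured tun from FIB 0.
    run setfib "$fib" route -n add default "$gw"
}

# Act only when OpenVPN calls us (it sets script_type), so the file can be
# sourced or run by hand without touching the routing tables.
if [ "${script_type:-}" = route-up ]; then
    install_jail_route "${1:?usage: $0 FIB}" \
                       "${route_vpn_gateway:?not set by OpenVPN}"
fi
```

Two caveats. The tun addresses belong to the host, and a jail's packets are sourced from the jail's own address, so the route alone only gets packets into the tunnel; unless the provider routes that address back, a `nat on tun0 from <jail ip> to any -> (tun0)` rule on the host (the `(tun0)` form follows the dynamic tunnel address) is still needed for replies. And because route-up runs as root with values chosen by the remote server, the IPv4 check above is deliberate: `route_vpn_gateway` should never be passed through unvalidated.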