Date: Thu, 09 Feb 2006 12:36:42 +0100
From: Uwe Doering <gemini@geminix.org>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: OpenVPN within a Jail under 6.x ...
Message-ID: <43EB294A.6090609@geminix.org>
In-Reply-To: <200602081643.k18GhJNg069698@lurza.secnetix.de>
References: <200602081643.k18GhJNg069698@lurza.secnetix.de>
Oliver Fromme wrote:
> Marc G. Fournier wrote:
> > Oliver Fromme wrote:
> > > The problem is that you need to configure interfaces
> > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
> > > does not work inside a jail. That means you cannot
> > > set up a VPN inside a jail. However, you can _use_
> > > it within a jail, of course, if you assign the IP of
> > > the VPN connection to the jail
> >
> > 'k, how would you do that? I thought you could only assign one IP to a
> > jail, both in 4.x and 6.x?
>
> True. I meant that the IP of the VPN connection is the
> only IP of the jail.
>
> Or, if you can't do that, forward the packets into the
> jail using IPFW FWD rules and NAT. In that case, the
> jail doesn't need to have the VPN connection's IP.
>
> In fact, you can set the IP of the jail to a localnet
> IP (such as 127.0.1.1), which isn't routable and isn't
> accessible from the outside at all. That's often done
> to improve security.

Talking about security: while I haven't worked with VPNs so far, I believe that there needs to be a route installed in order to forward packets to the remote end of the VPN connection. Now, since routes are a global resource in FreeBSD, is there a way to prevent users from other jails on that machine from accessing that VPN, too? If it weren't possible to restrict access to a VPN to the jail it is associated with, the VPN would no longer be private, I'd think.

Uwe
-- 
Uwe Doering                  |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org           |  http://www.escapebox.net