From owner-freebsd-stable@FreeBSD.ORG Thu Feb 9 11:36:46 2006
Message-ID: <43EB294A.6090609@geminix.org>
Date: Thu, 09 Feb 2006 12:36:42 +0100
From: Uwe Doering
Organization: Private UNIX Site
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <200602081643.k18GhJNg069698@lurza.secnetix.de>
Subject: Re: OpenVPN within a Jail under 6.x ...

Oliver Fromme wrote:
> Marc G. Fournier wrote:
> > Oliver Fromme wrote:
> > > The problem is that you need to configure interfaces
> > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
> > > does not work inside a jail. That means you cannot
> > > set up a VPN inside a jail. However, you can _use_
> > > it within a jail, of course, if you assign the IP of
> > > the VPN connection to the jail
> >
> > 'k, how would you do that? I thought you could only assign one IP to a
> > jail, both in 4.x and 6.x?
>
> True. I meant that the IP of the VPN connection is the
> only IP of the jail.
>
> Or, if you can't do that, forward the packets into the
> jail using IPFW FWD rules and NAT. In that case, the
> jail doesn't need to have the VPN connection's IP.
>
> In fact, you can set the IP of the jail to a localnet
> IP (such as 127.0.1.1), which isn't routable and isn't
> accessible from the outside at all. That's often done
> to improve security.

Talking about security, while I haven't worked with VPNs so far I believe that there needs to be a route installed in order to forward packets to the remote end of the VPN connection. Now, since routes are a global resource in FreeBSD, is there a way to prevent users from other jails on that machine from accessing that VPN, too? If it weren't possible to restrict access to a VPN to the jail it is associated with, the VPN would no longer be private, I'd think.

Uwe
-- 
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
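The setup Oliver sketches (jail on a non-routable loopback address, traffic from the VPN interface steered into it with an IPFW fwd rule) as an added example; this is not code from the thread or from any of its participants. The VPN interface name tun0, the service port 80, the jail address 127.0.1.1 and the rule numbers are placeholders, and the NAT half of his suggestion is left out. The script only prints the commands unless IPFW_CMD and IFCONFIG_CMD are pointed at the real binaries, so it can be reviewed before anything is applied:

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Forward TCP traffic arriving on a VPN interface to a jail whose only
# address is the non-routable loopback alias 127.0.1.1 (placeholder values).
# On FreeBSD 6.x the fwd action requires "options IPFIREWALL_FORWARD" in
# the kernel; without it the rule is accepted but does nothing.
# Default is a dry run that echoes the commands; set
#   IPFW_CMD=ipfw IFCONFIG_CMD=ifconfig
# to apply them as root.

IPFW_CMD=${IPFW_CMD:-echo ipfw}
IFCONFIG_CMD=${IFCONFIG_CMD:-echo ifconfig}

# jail_alias JAIL_IP: put the jail's loopback address on lo0 so that the
# host owns it and sockets inside the jail can bind to it.
jail_alias() {
    jail_ip=$1
    $IFCONFIG_CMD lo0 alias "$jail_ip" netmask 255.255.255.255
}

# vpn_fwd_rule RULE_NO VPN_IF PORT JAIL_IP: steer packets that arrive on the
# VPN interface for the given TCP port to the jail's socket on JAIL_IP:PORT.
# "in recv VPN_IF" restricts the match to traffic coming in over the VPN,
# so the same port reached via another interface is not redirected.
vpn_fwd_rule() {
    rule_no=$1; vpn_if=$2; port=$3; jail_ip=$4
    $IPFW_CMD add "$rule_no" fwd "$jail_ip,$port" \
        tcp from any to any dst-port "$port" in recv "$vpn_if"
}

# vpn_deny_rest RULE_NO VPN_IF: drop everything else that arrives over the
# VPN, so only the forwarded service is reachable from the remote end.
vpn_deny_rest() {
    rule_no=$1; vpn_if=$2
    $IPFW_CMD add "$rule_no" deny ip from any to any in recv "$vpn_if"
}

# Dry run with the placeholder values when executed directly.
jail_alias 127.0.1.1
vpn_fwd_rule 1000 tun0 80 127.0.1.1
vpn_deny_rest 1010 tun0
```

The deny rule is ordered after the fwd rule, so it only catches what the fwd rule did not claim; it addresses the VPN-to-host direction of Oliver's setup, not the question Uwe raises about other jails reaching the VPN through the host's global routing table.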