OpenVPN within a Jail under 6.x ...
Uwe Doering
gemini at geminix.org
Thu Feb 9 03:36:46 PST 2006
Oliver Fromme wrote:
> Marc G. Fournier wrote:
> > Oliver Fromme wrote:
> > > The problem is that you need to configure interfaces
> > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
> > > does not work inside a jail. That means you cannot
> > > set up a VPN inside a jail. However, you can _use_
> > > it within a jail, of course, if you assign the IP of
> > > the VPN connection to the jail
> >
> > 'k, how would you do that? I thought you could only assign one IP to a
> > jail, both in 4.x and 6.x?
>
> True. I meant that the IP of the VPN connection is the
> only IP of the jail.
>
> Or, if you can't do that, forward the packets into the
> jail using IPFW FWD rules and NAT. In that case, the
> jail doesn't need to have the VPN connection's IP.
>
> In fact, you can set the IP of the jail to a localnet
> IP (such as 127.0.1.1), which isn't routable and isn't
> accessible from the outside at all. That's often done
> to improve security.
Talking about security, while I haven't worked with VPNs so far I
believe that there needs to be a route installed in order to forward
packets to the remote end of the VPN connection.
Now, since routes are a global resource in FreeBSD, is there a way to
prevent users from other jails on that machine from accessing that VPN,
too? If it weren't possible to restrict access to a VPN to the jail it
is associated with, the VPN would no longer be private, I'd think.
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org | http://www.escapebox.net
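An added example, not from the thread, of one way to address Uwe's concern: an ipfw(8) rule set that lets only the jail's own address cross the tunnel interface, so the global route does not let other jails (or the host) reach the remote end. It assumes the jail's single IP is the VPN address; tun0, 10.8.0.2 and the rule numbers are constructed values.

```shell
#!/bin/sh
# Emit ipfw(8) rules that confine a VPN tunnel interface to one jail.
# Assumptions (constructed for this example): the jail's only IP is the
# VPN address it was assigned, other jails use other addresses, and the
# rule numbers used here are free. The function prints the rules as
# text so they can be reviewed first, then loaded with e.g.
#   vpn_jail_rules tun0 10.8.0.2 > /tmp/vpn.rules && ipfw -q /tmp/vpn.rules
vpn_jail_rules() {
    tun_if="$1"        # tunnel interface, e.g. tun0
    jail_ip="$2"       # the jail's (and tunnel's) address, e.g. 10.8.0.2
    base="${3:-1000}"  # first rule number (constructed default)

    # Traffic that belongs to the jail may cross the tunnel both ways.
    echo "add $base allow ip from $jail_ip to any out via $tun_if"
    echo "add $((base + 10)) allow ip from any to $jail_ip in via $tun_if"
    # Anything else that the host's routing table would push through
    # the tunnel (packets from another jail, or from the host itself)
    # is dropped and logged, so attempts show up in the ipfw log.
    echo "add $((base + 20)) deny log ip from any to any via $tun_if"
}

# Stand-alone use: print the rule set for tun0 / 10.8.0.2.
vpn_jail_rules tun0 10.8.0.2
```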