rcorder for vpn-like tunnels during early rc.d startup

Eugene Grosbein eugen at grosbein.net
Sat Dec 22 15:19:08 UTC 2018


22.12.2018 21:01, Dave Cottlehuber wrote:

> I have a port[1] net/zerotier that provides a p2p layer2+ vpn via tap(4) interfaces.
> Ideally zerotier/zt would be available early enough during boot that later daemons
> such as ssh and other network services would be able to bind to those interfaces.

You should not try to make it start before packet filters; that is wrong
and may sometimes even partially defeat the security goals of VPN networking.
The whole system of FreeBSD rc.d script dependencies assumes
that packet filters initialize before the network is fully operational.

Take a look at the base system's /etc/rc.d/ppp for an example of a tunneling daemon
that starts as early as possible. Another example is /etc/rc.d/local_unbound,
which needs fully operating networking but starts early enough to provide DNS services
for ssh and others: in FreeBSD 12.0+ it REQUIREs the "defaultroute" and "netwait" features.
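An added check (not code from the thread, the base system or the zerotier port) for the ordering the reply describes: feed rcorder(8) output to a function that confirms the tunnel script is listed after the packet filters and after defaultroute/netwait. The script name "zerotier" and the abbreviated listings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the zerotier port: check where a
# tunnel daemon's rc.d script lands in rcorder(8) output. It should come after
# the packet filters (pf, ipfw, ipfilter) and, like local_unbound on 12.0+,
# after defaultroute and netwait. "zerotier" is an assumed script name.
# Real usage:  rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | check_order zerotier

# check_order NAME [DEP...]: reads rcorder output on stdin; returns 0 only if
# every DEP is listed before NAME. Default DEPs: pf ipfw ipfilter defaultroute netwait
check_order() {
    name=$1; shift
    [ $# -gt 0 ] || set -- pf ipfw ipfilter defaultroute netwait
    # Number each line and keep just the script basename, e.g. "3 pf".
    order=$(awk '{ n = split($0, p, "/"); print NR, p[n] }')
    pos=$(printf '%s\n' "$order" | awk -v n="$name" '$2 == n { print $1 }' | head -n 1)
    if [ -z "$pos" ]; then
        echo "check_order: $name is not in the rcorder output" >&2
        return 2
    fi
    rc=0
    for dep; do
        dpos=$(printf '%s\n' "$order" | awk -v n="$dep" '$2 == n { print $1 }' | head -n 1)
        if [ -z "$dpos" ]; then
            echo "WARN: $dep not listed" >&2
        elif [ "$dpos" -gt "$pos" ]; then
            echo "BAD: $name (#$pos) is ordered before $dep (#$dpos)"
            rc=1
        else
            echo "ok: $dep (#$dpos) precedes $name (#$pos)"
        fi
    done
    return $rc
}

# Constructed, abbreviated listing (not captured from a real host): the tunnel
# script placed after the filters and after netwait, as the reply recommends.
GOOD_ORDER='/etc/rc.d/ipfilter
/etc/rc.d/netif
/etc/rc.d/pf
/etc/rc.d/ipfw
/etc/rc.d/defaultroute
/etc/rc.d/netwait
/usr/local/etc/rc.d/zerotier
/etc/rc.d/local_unbound
/etc/rc.d/sshd'
# Same listing with the tunnel script pulled up to right after netif (before pf).
BAD_ORDER=$(printf '%s\n' "$GOOD_ORDER" | awk '/zerotier/ { next } { print } /netif$/ { print "/usr/local/etc/rc.d/zerotier" }')
```

rcorder lists every script in the directories you pass it, enabled or not, so a dependency reported as "not listed" means the script file is absent, not merely disabled.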
