OpenVPN within a Jail under 6.x ...

Oliver Fromme olli at lurza.secnetix.de
Fri Feb 10 02:37:33 PST 2006


Uwe Doering <gemini at geminix.org> wrote:
 > Oliver Fromme wrote:
 > > Uwe Doering <gemini at geminix.org> wrote:
 > > [...]
 > > > Now, since routes are a global resource in FreeBSD, is there a way to
 > > > prevent users from other jails on that machine from accessing that VPN,
 > > > too?  If it weren't possible to restrict access to a VPN to the jail it
 > > > is associated with, the VPN would no longer be private, I'd think.
 > > 
 > > Every jail has its own IP address.  Connections originating
 > > from a jail are forced to use the jail's IP address as their
 > > source address.  Therefore you can use a packet filter (IPFW
 > > or PF) to control where those packets are allowed to go.
 > > [...]
 > 
 > Thanks for pointing that out.  I must admit that I hadn't thought this 
 > through very thoroughly.  Now that you mention the fixed nature of a 
 > jail's IP address it is kind of obvious that you can filter on the 
 > source address.
 > 
 > However, I believe there is still a snag.  People tend to pick the same 
 > IP networks from the range of official private IP addresses for their 
 > internal LANs.  If you wanted to set up VPN tunnels to these LANs for a 
 > larger number of jails belonging to individual "owners" there is some 
 > likelihood that the routes to these LANs would overlap.

Yes, but that's a more generic problem.  When you connect
various LANs (no matter if by VPN tunnels or other means),
then you should make sure that their addresses don't
overlap.  It's a question of careful planning and design.
If you manage such a set of LANs, make sure that you
assign different address ranges to each of them.

 > That is, since 
 > you cannot _route_ based on the source address of IP packets,

Well, you can.  At least to some extent, routing by source
IP can be accomplished using IPFW's FWD feature.

However, that doesn't help much when you need to connect
networks with overlapping address ranges.  IP addresses
are required to uniquely identify a machine.  If you have
overlapping LANs, it's not possible anymore to uniquely
identify a machine by IP number, no matter what you do.
That problem exists independently of VPNs and jails.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I made up the term 'object-oriented', and I can tell you
I didn't have C++ in mind."
        -- Alan Kay, OOPSLA '97
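An added illustration, not part of the thread and not code from either poster: a small Python model of the three points made above. A first-match rule list keyed on a jail's fixed source address confines each VPN to its owning jail (the IPFW/PF point); an ordinary routing lookup matches on destination only, so two jails whose remote LANs use the same private prefix cannot be told apart by routing, whereas a source-keyed "fwd"-style rule can still steer each jail into its own tunnel; and once two LANs overlap, a remote address maps to more than one tunnel, so it no longer identifies a single machine. The first-match and longest-prefix semantics are a simplification assumed for the model; jail addresses, LAN prefixes and tunnel names are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "deny" or "fwd"
    src: IPv4Network
    dst: IPv4Network
    next_hop: Optional[str] = None  # tunnel interface for "fwd" rules

    def matches(self, pkt: Packet) -> bool:
        return pkt.src in self.src and pkt.dst in self.dst


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins (modelled on an ipfw rule list); default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return f"fwd:{rule.next_hop}" if rule.action == "fwd" else rule.action
    return "deny"


def route_by_destination(table: List[Tuple[IPv4Network, str]],
                         dst: IPv4Address) -> Optional[str]:
    """Ordinary routing: longest-prefix match on the destination only."""
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def tunnels_claiming(addr: IPv4Address,
                     lans: List[Tuple[IPv4Network, str]]) -> List[str]:
    """Tunnels whose remote LAN contains addr; more than one means the
    address no longer identifies a single machine."""
    return [iface for net, iface in lans if addr in net]


# Constructed scenario: two jails, each pinned to one address.
JAIL_A = ip_network("192.0.2.10/32")
JAIL_B = ip_network("192.0.2.11/32")
ANY = ip_network("0.0.0.0/0")

# 1. Distinct remote LANs: the filter confines each VPN to its owning jail.
LAN_A = ip_network("10.10.0.0/16")   # reached over tun0
LAN_B = ip_network("10.20.0.0/16")   # reached over tun1
FILTER = [
    Rule("allow", JAIL_A, LAN_A),
    Rule("allow", JAIL_B, LAN_B),
    Rule("deny", ANY, LAN_A),        # no other jail may enter A's VPN
    Rule("deny", ANY, LAN_B),
    Rule("allow", ANY, ANY),
]

# 2. Overlapping remote LANs: both owners picked 192.168.1.0/24.  The routing
#    table can hold that prefix once, so destination routing sends both jails
#    down the same tunnel; a source-keyed fwd rule still picks the right one.
SHARED_LAN = ip_network("192.168.1.0/24")
OVERLAP_ROUTES = [(SHARED_LAN, "tun0")]
OVERLAP_LANS = [(SHARED_LAN, "tun0"), (SHARED_LAN, "tun1")]
OVERLAP_FWD = [
    Rule("fwd", JAIL_A, SHARED_LAN, "tun0"),
    Rule("fwd", JAIL_B, SHARED_LAN, "tun1"),
    Rule("deny", ANY, SHARED_LAN),
]


def demo() -> dict:
    a_to_a = Packet(ip_address("192.0.2.10"), ip_address("10.10.0.5"))
    b_to_a = Packet(ip_address("192.0.2.11"), ip_address("10.10.0.5"))
    a_shared = Packet(ip_address("192.0.2.10"), ip_address("192.168.1.5"))
    b_shared = Packet(ip_address("192.0.2.11"), ip_address("192.168.1.5"))
    return {
        "a_to_own_vpn": evaluate(FILTER, a_to_a),
        "b_to_a_vpn": evaluate(FILTER, b_to_a),
        "dst_routing_a": route_by_destination(OVERLAP_ROUTES, a_shared.dst),
        "dst_routing_b": route_by_destination(OVERLAP_ROUTES, b_shared.dst),
        "fwd_a": evaluate(OVERLAP_FWD, a_shared),
        "fwd_b": evaluate(OVERLAP_FWD, b_shared),
        "reply_from_192_168_1_5": tunnels_claiming(ip_address("192.168.1.5"),
                                                   OVERLAP_LANS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows jail B denied entry to jail A's VPN, both jails routed to tun0 by destination alone, tun0/tun1 chosen correctly by source, and a reply from 192.168.1.5 claimed by both tunnels, which is the residual ambiguity the message describes.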


More information about the freebsd-stable mailing list