Accessing tun devices from inside a Jail
morgan.s.reed at gmail.com
Fri Oct 21 02:33:30 UTC 2011
I'm currently attempting to set up, I suppose you'd call it, a
multi-VPN-tunnel gateway. Basically I have several OpenVPN Servers in
different locations, I want to have various tunnels up to them and be
able to choose an exit by way of pointing my browser at a particular
instance of Squid running in a particular jail which routes via a
particular tunnel (HTTP/S traffic is the primary concern at this
point, though I might want to extend the concept to all traffic in
The first issue I ran into was routing tables; that was resolved by
recompiling my kernel with option ROUTETABLES=10 and pointing each of
my jails to its own FIB. However, as it's not possible to configure
route tables from inside the jail (as far as I'm aware anyway), I need
to bring the OpenVPN tunnel up from the host and utilise a route-up
script to configure the routing table for the jail (utilising setfib).
I run into problems though, as even though the tun device is visible
in the jail it does not appear to be configured (no IP addresses, etc.),
so the jail is unable to route traffic.
All the stuff I've been able to find online has been geared to static
addresses on each end of the tunnel; this is not the case with my VPN
provider, where tunnel addresses are dynamically assigned.
I think that worst case I can probably use pf on the host to route
traffic from a given jail via a particular interface or possibly
cobble something up around VIMAGE, but I think I'd rather not have to
go down those paths.
I'm not sure if what I'm looking for is actually possible; any
suggestions would be much appreciated.
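The host-side route-up script the post describes, written out as an added example; this is not the original poster's code. It assumes the setup the post gives (kernel built with options ROUTETABLES, each jail started on its own FIB) plus one assumption of this example: the host's OpenVPN config carries "--setenv JAIL_FIB <n>" so the script knows which FIB to fill. OpenVPN itself exports dev and route_vpn_gateway to route-up scripts; DRY_RUN is a name chosen here. Because the values come in through the environment, the script checks each one before it is handed to setfib(1)/route(8).

```shell
#!/bin/sh
# Added example (not from the original post): an OpenVPN --route-up script
# run on the FreeBSD host that installs the tunnel's default route into the
# routing table (FIB) that a jail has been pointed at, using setfib(1).
# Assumes: kernel built with "options ROUTETABLES=10" as in the post, the
# jail started with its own FIB, and the host's OpenVPN config carrying
# "--setenv JAIL_FIB <n>" so the script learns which FIB to populate.
# OpenVPN exports dev and route_vpn_gateway to route-up scripts itself.
# JAIL_FIB and DRY_RUN are names chosen for this example.

# build_route_cmds FIB DEV GATEWAY
# Validates its inputs (they arrive via the environment, so restrict them to
# the characters a route command needs) and prints, one per line, the
# commands that point FIB's default route at the tunnel gateway.
build_route_cmds() {
    fib=$1; ifc=$2; gw=$3
    case "$fib" in
        ''|*[!0-9]*) echo "route-up: bad FIB '$fib'" >&2; return 1 ;;
    esac
    case "$ifc" in
        tun[0-9]*) ;;
        *) echo "route-up: '$ifc' is not a tun device" >&2; return 1 ;;
    esac
    case "$gw" in
        ''|*[!0-9.]*) echo "route-up: bad gateway '$gw' on $ifc" >&2; return 1 ;;
    esac
    # Drop whatever default the jail's FIB had, then add the tunnel's.
    printf 'setfib %s route -q delete default\n' "$fib"
    printf 'setfib %s route -q add default %s\n' "$fib" "$gw"
}

# apply_route_cmds FIB DEV GATEWAY
# Runs what build_route_cmds produces, or only echoes it when DRY_RUN=1.
apply_route_cmds() {
    build_route_cmds "$1" "$2" "$3" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd   # every token was validated above, so word splitting is safe
        fi
    done
}

# Entry point when OpenVPN invokes the script: dev and route_vpn_gateway are
# set by OpenVPN, JAIL_FIB by --setenv in the host config.
if [ -n "${dev:-}" ] && [ -n "${JAIL_FIB:-}" ]; then
    apply_route_cmds "$JAIL_FIB" "$dev" "${route_vpn_gateway:-}"
fi
```

Run it with DRY_RUN=1 first to see the two setfib commands it would issue. Because the routes live in the host's FIB, they do not depend on the tunnel address being visible inside the jail, which is the symptom the post describes; the gateway comes from OpenVPN at connect time, so dynamically assigned tunnel addresses are handled without hard-coding anything. Whether route_vpn_gateway is the remote point-to-point endpoint or a subnet gateway depends on the server's topology setting, but it is the same address OpenVPN itself would use for a default route.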