Accessing tun devices from inside a Jail

Stefan Bethke stb at
Fri Oct 21 14:09:03 UTC 2011

Am 21.10.2011 um 04:02 schrieb Morgan Reed:

> Hi all,
>      I'm currently attempting to setup, I suppose you'd call it a
> multi-VPN-tunnel gateway. Basically I have several OpenVPN Servers in
> different locations, I want to have various tunnels up to them and be
> able to choose an exit by way of pointing my browser at a particular
> instance of Squid running in a particular jail which routes via a
> particular tunnel (HTTP/S traffic is the primary concern at this
> point, though I might want to extend the concept to all traffic in
> future).

I have a similar setup, but the OpenVPN endpoints are on OpenWrt, with tinyproxy running there.  I have a central squid that knows which tiny proxy to use for which URL pattern, and that works quite well.

> First issue I ran into was routing tables, that was resolved by
> recompiling my kernel with option ROUTETABLES=10 and pointing each of
> my jails to their own FIB, however as it's not possible to configure
> route tables from inside the jail (as far as I'm aware anyway) I need
> to bring the OpenVPN tunnel up from the host and utilise a route-up
> script to configure the routing table for the jail (utilising setfib),
> I run into problems though, as even though the tun device is visible
> in the jail it does not appear to be configured (no IP addresses, etc)
> so the jail is unable to route traffic.
> All the stuff I've been able to find online has been geared to static
> addresses on each end of the tunnel, this is not the case with my VPN
> provider, tunnel addresses are dynamically assigned.
> I think that worst case I can probably use pf on the host to route
> traffic from a given jail via a particular interface or possibly
> cobble something up around VIMAGE, but I think I'd rather not have to
> go down those paths.
> I'm not sure if what I'm looking for is actually possible, any
> suggestions would be much appreciated.

I was trying to enable a set of processes to use a separate DSL interface, with the FreeBSD box terminating the PPPoE connection.  I've tried a couple of things:
- I couldn't come up with pf rules that would allow certain processes (i.e. those in a specific jail, or running under a specific user id) to have separate forwarding applied to them.  I believe IPFW might be better suited, but I haven't tried.
- VIMAGE and mpd don't like each other, so VIMAGE was out as well
- VBox with the interface bridged to the DSL interface works fine, but has a lot of overhead.

My OpenVPN hub server is running inside a jail, but the tun interface is preconfigured from outside; the config substitutes /bin/true for ifconfig and route.

HTH, and please report back on any success, I'm definitely interested!


Stefan Bethke <stb at>   Fon +49 151 14070811
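Added example, not part of the thread and not code from either poster: one way to do the "bring the tunnel up on the host and fill the jail's FIB from a route-up script" approach Morgan describes, using only what OpenVPN exports to route-up scripts (dev, route_vpn_gateway, route_net_gateway, trusted_ip, script_type) plus setfib(1) and route(8). The FIB number is assumed to be handed in by the client config with a hypothetical "setenv JAIL_FIB 2"; the script name and the client-config lines in the header comment are assumptions as well. The route plan is split from its execution so it can be read back (and tested) without touching any routing table.

```shell
#!/bin/sh
# fib-route-up.sh (hypothetical name): OpenVPN --route-up script for a FreeBSD
# host that terminates the tunnel and installs the resulting routes into the
# FIB a jail is bound to.  Assumed client-config lines:
#
#   script-security 2
#   route-noexec                 # keep FIB 0 (the host) untouched; OpenVPN
#                                # then only exports the routes via env vars
#   route-up /usr/local/etc/openvpn/fib-route-up.sh
#   setenv JAIL_FIB 2            # hypothetical: the jail's FIB number
#
# Tunnel addresses are dynamic, so nothing is hard-coded: the peer address
# comes from $route_vpn_gateway and the server from $trusted_ip each time.

# Print the commands for one FIB, one per line, without running them.
# Arguments: fib tun-device route_vpn_gateway trusted_ip route_net_gateway
fib_route_plan() {
    fib=$1 tundev=$2 vpn_gw=$3 server_ip=$4 lan_gw=$5
    # Pin the VPN server to the host's normal gateway inside this FIB;
    # otherwise the default route added below would try to reach the server
    # through the very tunnel it carries.
    printf 'setfib %s route -n add -host %s %s\n' "$fib" "$server_ip" "$lan_gw"
    # Reach the (dynamic) tunnel peer directly over the tun device.
    printf 'setfib %s route -n add -host %s -iface %s\n' "$fib" "$vpn_gw" "$tundev"
    # Everything else in this FIB leaves via the tunnel.
    printf 'setfib %s route -n add default %s\n' "$fib" "$vpn_gw"
}

# Execute the plan.  A route that already exists (the kernel may have cloned
# the interface route into this FIB when the address was set) makes route(8)
# fail; report it and carry on rather than aborting the whole tunnel.
apply_plan() {
    fib_route_plan "$@" | while read -r cmd; do
        sh -c "$cmd" || echo "route-up: '$cmd' failed (maybe already present)" >&2
    done
}

# Entry point when OpenVPN calls us (it exports script_type=route-up).
# Guarded so the file can be sourced for inspection without side effects.
if [ "${script_type:-}" = "route-up" ]; then
    : "${JAIL_FIB:?add 'setenv JAIL_FIB <n>' to the OpenVPN config}"
    apply_plan "$JAIL_FIB" "$dev" "$route_vpn_gateway" "$trusted_ip" "$route_net_gateway"
fi
```

The jail itself still has to be started in that FIB (setfib 2 jail ... or the jail's exec.fib setting) and the Squid inside it needs an address the host has put on a real interface; the script only makes the jail's table send its traffic through the tunnel. Run fib_route_plan by hand with the values from a live tunnel's environment before letting OpenVPN call the script, so the three routes are checked against setfib 2 netstat -rn.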
