natd in a jail

[Simon Dick]

On 22 November 2012 04:00, Morgan Reed <morgan.s.reed at gmail.com> wrote:

> Hi All,
>
>      I've a bit of an odd query which I hope somebody may be able to
> assist with.
>
> I'm looking to set up several OpenVPN tunnels on a single machine
> (each residing in its own jail) and route data to different
> destinations over different tunnels by selectively routing the traffic
> via a particular jail.
>
> I have three jails set up with OpenVPN tunnels terminated in each,
> they all work as expected from the "local" machine.
>
> I can't do a straight forward route over the VPN tunnel as I don't
> control the other end of the tunnel, I need to treat it as a
> point-to-point connection as a result, hence I need to use NAT.
>
> I've tested this setup with a single tunnel running off a "real"
> machine with natd providing NAT, it works like a charm, however, when
> I move the config into a jail I run into issues, natd doesn't seem to
> be able to see the incoming traffic, nothing shows up in the logs at
> all.
>
> I'm not even sure if this is actually possible, I'm starting to
> suspect that natd can't hook in low enough from the jails to access
> the incoming traffic.
>
> Traffic gets into the jail by way of an epair interface between the
> host and the jail, bridged to the ethernet adapter by way of a bridge
> device, I can see the traffic attempting to route over the tun
> interface in the jail (but obviously it's not being NATted so nothing
> comes back) so the traffic is making it in and through the routing
> engine, just not via natd.
>
> Any suggestions here?
>
> The host is FreeBSD-8.3.
>

I've not used it myself, but this sound like something VIMAGE may be good
for, basically it's a virtual tcp stack per jail, there's some docs at
http://wiki.freebsd.org/Image but I seem to remember a more up to date one
elsewhere but can't find it at the moment!