natd in a jail

[Morgan Reed]

SOLVED: Thanks all for your assistance.

SUMMARY:
 - Kernel rebuilt with option IPFIREWALL and friends turned on (not
necessary if your ipfw modules work you should just be able to load
them, mine didn't for reasons I don't really have the time or
inclination to track down)
 - OpenVPN configurations modified to use a specific tun device
('device tun' directive replaced with 'device tun0')
 - OpenVPN configurations modified to run the following script prior
to dropping privs (via the 'up' directive);

/usr/local/etc/openvpn/up.sh
---
ipfw -q flush
pfw nat 1 config if tun0 reset same_ports deny_in
ipfw add 500 nat 1 ip from any to any via tun0
---
This script assumes that option IPFILTER_DEFAULT_TO_ACCEPT or the
equivalent sysctl frob is set, this is most probably *not* what you
want to do in the "real world". Modify as needed, and be sure to set
the permissions on the file appropriately as the script will be
executed by root.

A warning though; this is a total hack, the ipfw stuff should be moved
to /etc/ipfw.rules or similar and processed by ipfw at boot but I'm
not sure how it'll react if you try to do this config before the tun
device is created, I expect it'll be unhappy so you'll need to create
a static tun device for openvpn, this is the "right" way to do things
but I'm being exceedingly lazy. The script above is a filthy hack, and
potentially dangerous.

 - Normal requirements for gateway operation also apply here (which
essentially means set gateway_enable=YES in rc.conf on the host and
all router jails).