Date:      Thu, 09 Feb 2006 12:36:42 +0100
From:      Uwe Doering <gemini@geminix.org>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: OpenVPN within a Jail under 6.x ...
Message-ID:  <43EB294A.6090609@geminix.org>
In-Reply-To: <200602081643.k18GhJNg069698@lurza.secnetix.de>
References:  <200602081643.k18GhJNg069698@lurza.secnetix.de>

Oliver Fromme wrote:
> Marc G. Fournier wrote:
>  > Oliver Fromme wrote:
>  > > The problem is that you need to configure interfaces
>  > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
>  > > does not work inside a jail.  That means you cannot
>  > > set up a VPN inside a jail.  However, you can _use_
>  > > it within a jail, of course, if you assign the IP of
>  > > the VPN connection to the jail
>  > 
>  > 'k, how would you do that?  I thought you could only assign one IP to a 
>  > jail, both in 4.x and 6.x?
> 
> True.  I meant that the IP of the VPN connection is the
> only IP of the jail.
> 
> Or, if you can't do that, forward the packets into the
> jail using IPFW FWD rules and NAT.  In that case, the
> jail doesn't need to have the VPN connection's IP.
> 
> In fact, you can set the IP of the jail to a localnet
> IP (such as 127.0.1.1), which isn't routable and isn't
> accessible from the outside at all.  That's often done
> to improve security.

Talking about security, while I haven't worked with VPNs so far, I 
believe that there needs to be a route installed in order to forward 
packets to the remote end of the VPN connection.

Now, since routes are a global resource in FreeBSD, is there a way to 
prevent users from other jails on that machine from accessing that VPN, 
too?  If it weren't possible to restrict access to a VPN to the jail it 
is associated with, the VPN would no longer be private, I'd think.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
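One way to lay out the IPFW FWD-plus-NAT arrangement Oliver describes, and to keep other jails' addresses off the tunnel as Uwe asks, is sketched below. This is an added example, not code from the thread or from FreeBSD's own documentation. It assumes ipfw(8) with natd(8) on a 6.x host, tun0 as the VPN interface, 10.8.0.1 as the host's tunnel address, an sshd on port 22 inside the jail, rule numbers 1000-1200 and natd's default divert port 8668; only the jail's 127.0.1.1 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): an ipfw(8) ruleset sketch that
# forwards VPN traffic arriving on tun0 into a jail bound to 127.0.1.1
# and stops other jails from originating packets onto the tunnel.
# All addresses, ports and rule numbers below are assumptions.

TUN_IF=${TUN_IF:-tun0}            # assumed: interface OpenVPN created
TUN_IP=${TUN_IP:-10.8.0.1}        # assumed: host's address on the VPN
JAIL_IP=${JAIL_IP:-127.0.1.1}     # non-routable jail IP from the thread
NATD_PORT=${NATD_PORT:-8668}      # natd(8) default divert port
SERVICE_PORT=${SERVICE_PORT:-22}  # assumed: service listening in the jail

# Emits the rules through $1 ("echo" for a dry run, "ipfw" to apply).
vpn_jail_rules() {
    run=${1:-echo}

    # 1. Pre-NAT source check: only the host's tunnel address and the
    #    VPN jail may send out via the tunnel.  Everything else, i.e.
    #    other jails that share the global route to the remote end,
    #    is dropped before natd can rewrite its source address.
    $run add 1000 skipto 1100 ip from "$TUN_IP,$JAIL_IP" to any out via "$TUN_IF"
    $run add 1010 deny ip from any to any out via "$TUN_IF"

    # 2. Hand every packet crossing the tunnel to natd, so replies leaving
    #    the jail get their 127.0.1.1 source rewritten to the tunnel
    #    address (natd -alias_address "$TUN_IP" -same_ports -port "$NATD_PORT").
    $run add 1100 divert "$NATD_PORT" ip from any to any via "$TUN_IF"

    # 3. Deliver connections that reach the host's tunnel address to the
    #    socket the jail bound on its non-routable IP.  fwd to a local
    #    address delivers to the local socket; a 6.x kernel needs
    #    'options IPFIREWALL_FORWARD' for this rule to load.
    $run add 1200 fwd "$JAIL_IP" tcp from any to "$TUN_IP" "$SERVICE_PORT" in via "$TUN_IF"
}

# Dry run by default; IPFW=ipfw sh vpn-jail.sh (as root) applies the rules.
vpn_jail_rules "${IPFW:-echo}"
```

The skipto/deny pair deliberately sits before the divert rule: once natd has rewritten a packet's source to the tunnel address, a check placed after it could no longer tell the VPN jail's packets from another jail's. Inbound packets skip rules 1000 and 1010 (they match only `out`), are passed through natd, and then hit the fwd rule; outbound packets from the jail jump straight to the divert rule and continue through the rest of the ruleset.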