Routing jail traffic through OpenVPN

underscore

underscore

Hello!

I'm trying to route almost all traffic from a jail through an OpenVPN connection. So far I tried installing the OpenVPN deamon in the jail and set IPs etc on the host machine, according to http://forums.freebsd.org/showthread.php?t=22143

However, this howto is for a OpenVPN server, and what I need is the client side. Also, the IPs and Routes of my OpenVPN Provider are set dynamically, so setting them statically on the host isn't really working.

Do you have any tipps on what would be the easiest way to achieve the following.

  • Connect to an OpenVPN server
  • Route all local network (10.10.10.x) traffic from the jail "normally" throught my default router
  • Route every other traffic from the jail through the OpenVPN Connection

Until now, I created aliases for my bge0 in the /etc/rc.conf and every jail got one of those alias-IPs. Do I need to change that?

What would I need for this? ipfw? Just Routing? VNets?

I read up on some of those, but before I start stumbling in the dark, I wanted to ask if someone more experienced could give me a hint what would be the easiest/fastest way for this setup.

Thanks! :)
 
Alternatively, I could use PPTP or L2TP/IPSec, if that would be easier, however, I like OpenVPN better.
 
Hi,

I tried OpenVPN in jail some time as well and it was a pain to set up. It may be easier to set up on the host and redirect all traffic from tun/tap to the particular jail.

As for dynamic IP, try one of the dynamic DNS services, you can find them free.

Hope this helps,
Konrad
 
Use IPFW and match on the jail ID to move them into an other routing table (FIB) with setfib. Add the rule in the jail.conf hooks just after the jail is created, but before any process is started in the jail. Add the routes to a FIB other than the default FIB in the OpenVPN --up hook. It doesn't matter what you use as long as it can call a shell script at the right moment.
 
I finally got around to take another look at this, and now I almost there:

I recompiled my kernel to support FIB, and this almost works.

If I start OpenVPN via setfib 1 openvpn client.conf, it does connect. When the jail isn't running at the time and I manually edit the jail address to the address of tun0, my jail traffic gets routed over the VPN. However local access (10.10.10.x) is obviously not possible anymore, and the manual starting and editing isn't a long-term solution.

Does anyone can help me work around this last part? I'd like to let openvpn set all the routes (I tried setting them in a --route-up-script, however I always seem to be missing some.

Is there a way to set the jail-IP after it started? Or do I have to go over ipfw to redirect everything from my jail?
 
You must log in or register to reply here.
Back
Top