forward vpn into jail without pf/ipfw/etc

[nekoexmachina]

Hello guys!

The scheme I currently want to achive is:

-- FreeBSD server (8.1 if it matters)
---- web jail (http stuff plus mysql)
---- build jail (git plus build-zone)
---- i2p/freenet jail
---- sandbox jail

In this scheme, I want to have openvpn connected on the main FreeBSD server (as I understand, there is no possibility to make vpn work inside the jail) and bind it to i2p jail.

Which is the best variant to bind jail to VPN if in VPN I have dynamic IP? As I see it now, what I want is:

-- Real NIC with multiple per-jail IPs, except i2p jail (done)
-- Virtual NIC with one IP (?)
-- Bridge tun0 -> virtual NIC (?)

Is it sane? How do I do that?

 

[fbsd1]

You state you have dynamic IP from your ISP. How do you get your fqdn to point to your dynamic IP after it changes on you? I suggest you read more about jails and how they work, Jail does not equate to virtural machine.

 

[Savagedlight]

You can use VIMAGE (experimental feature) to spawn a separate network stack per jail, coupled with epair virtual network devices and if_bridge to bridge the jail with the right tunX device.
You can then configure each jails network setup as if it was a standalone FreeBSD box. (I've heard there's some instabilities when using firewalls with VIMAGE)

This setup has severe memory leaks upon destroying the epair devices on FreeBSD 8.1 (i.e. stopping the jails) Haven't tried it on any other system. You'd also have to disable SCTP in the kernel config for this to work (on 8.1 at least)