Multi VPN and jails

My FreeBSD host runs a WireGuard client. Now, if I run a jail, does FreeBSD support running OpenVPN within that? Can I have a tun inside a jail that will not directly connect to my WiFi/LAN but uses the WireGuard connection to establish a connection?

I need the jail to have a connection as follows:

tun(JAIL) -> wg(HOST) -> WiFi/LAN
 
Yes, but you need to consider the reduction of the MTU when you have encapsulation of the data, and you will need to calculate the overhead of the encapsulation.

Let's say your frame in the LAN is 1500; when you encapsulate with WireGuard it will be reduced to 1420, so when you use another tunnel/VPN inside this you need to set its MTU to 1420 or below, otherwise it will start to fragment every packet and the connection speed will be much worse.
 
Thanks, good insight. So I set tun-mtu and mssfix as well, right? This will make it pass through wg first, right? Not directly to my LAN/WiFi, correct?
 
Hi, is it possible to run pf and pflog independently inside a jail, with exclusive rules for that jail alone? I am already running pf on the host system, but I need the jail to only connect to the internet if OpenVPN inside it is up and connected. Possible?
 
Configuring a firewall inside a jail or virtual machine is a bad idea. Instead you can allow the jail IP to have access only to the OpenVPN server IP/port, so it will be forced to use only the VPN to connect to the internet.
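One way to express that host-side restriction in pf, as an added example (not from the thread): a fragment to merge into the host's existing /etc/pf.conf. The interface names, the jail address and the OpenVPN server address/port are assumptions; the jail's traffic is assumed to already route out through the host's WireGuard interface.

```pf
# Added example for the FreeBSD host's /etc/pf.conf; not from the thread.
# Interface names and addresses below are assumptions / constructed values.
ext_if      = "wlan0"           # assumed host WiFi/LAN interface
wg_if       = "wg0"             # assumed host WireGuard interface
jail_ip     = "192.168.100.10"  # constructed jail address
ovpn_server = "203.0.113.5"     # placeholder OpenVPN server address
ovpn_port   = "1194"            # placeholder OpenVPN server port (UDP assumed)

# Translation runs before filtering, so tag the jail's packets here and match
# the tag in the filter rules instead of the (already rewritten) source address.
nat on $wg_if from $jail_ip to any tag JAIL_VPN -> ($wg_if)

# The jail never leaves through the LAN/WiFi interface directly.
block out quick on $ext_if from $jail_ip to any

# Through WireGuard the jail may reach only the OpenVPN server; everything else
# from the jail is dropped, so with OpenVPN down it has no internet at all.
pass out quick on $wg_if proto udp tagged JAIL_VPN to $ovpn_server port $ovpn_port keep state
block out quick on $wg_if tagged JAIL_VPN
```

Check the result from inside the jail: the OpenVPN handshake should succeed while any direct connection attempt to another destination is dropped by the last rule.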
 