PF Routing jail traffic through a VPN

Hi all,

I've set up an OpenVPN client on my server, and now I'd like to route the traffic to and from a jail through the VPN tunnel.

I figured the best way to do this would be to use a PF NAT rule, but I can't seem to get it to work in my little test setup.

Network
em0 10.0.0.10 (host)
em0_alias 10.0.2.1 (jail)
tun0

Code:
/etc/pf.vpn
VPN = "tun0"
LAN = "em0"

# NAT
nat pass on $VPN from 10.0.2.1 to any -> ($VPN)

# FIREWALL
pass in all
pass out all keep state

Can anyone enlighten me, please?
 
Why NAT? If routes are properly set up there would be no need for it.
 