Send jail inet traffic through a VPN tunnel with the PF rule "pass out route-to"
Seriously, how hard can this really be?!?
I'm trying to get all of my jail traffic to go through a VPN tunnel while the rest of the traffic takes the normal route. I was hoping to accomplish this with the PF rule "pass out route-to".
Could someone please tell me if this should be possible or if I'm only wasting my time.
I have one physical Ethernet interface "em0" with IP 192.168.0.10 and GW 192.168.0.1
The jail is on "lo1" with IP 10.1.1.1
The VPN is on "ng0" with external IP 93.182.188.96 and GW 93.182.188.2
Code:
# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC>
ether xx:xx:xx:xx:xx:xx
inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 10.1.1.1 netmask 0xffffff00
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
ng0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1456
inet 93.182.188.96 --> 93.182.188.2 netmask 0xffffffff
Everything goes through the VPN tunnel with the default route set to the VPN gateway so the VPN works (sort of but that’s another thread).
Code:
# netstat -r
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 93.182.188.2 UGS 0 20 ng0
10.1.1.1 link#3 UH 0 0 lo1
93.182.188.2 192.168.0.1 UGHS 4 29 em0
93.182.188.96 link#5 UHS 0 0 lo0
localhost link#2 UH 0 0 lo0
192.168.0.0 link#1 U 8 142018 em0
192.168.0.10 link#1 UHS 0 0 lo0
Internet6:
Destination Gateway Flags Netif Expire
localhost localhost UH lo0
fe80::%lo0 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
ff01:2:: fe80::1%lo0 U lo0
ff02::%lo0 fe80::1%lo0 U lo0
My plan was to set the default GW to 192.168.0.1 again and then use the "pass out route-to" rule in pf.conf to route packets from the jail to the VPN GW.
Didn’t get it to work unfortunately.
I started out with
Code:
#pass out route-to ($ext_if 93.182.188.2) from 10.1.1.1 to ! 10.1.1.1/24
The packets didn't go through the tunnel though.
Instead this ends up in my IPFW log.
Code:
Dec 4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:39097 93.9.233.42:1539 out via em0
Dec 4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:60489 90.51.200.88:31998 out via em0
Dec 4 14:54:29 BSD kernel: ipfw: 20000 Deny TCP 93.182.188.96:60518 78.227.136.20:6880 out via em0
I then tried
Code:
#pass out route-to ($ext_if 93.182.189.2) from any to any
But with the same result.
I would have expected that to override the default route but apparently that isn't the case.
Have I misunderstood the functionality of the route-to function or is it just the implementation that is wrong?
I can’t use IPFW fwd rules because that isn’t enabled in the kernel.
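For reference, an added pf.conf fragment (not from the post above) showing the usual shape of a policy-routing setup for this topology: the default route stays on 192.168.0.1, jail packets that would leave via em0 are redirected into the tunnel with route-to, and NAT on ng0 rewrites their source to the tunnel address so replies come back the same way. Interface names and addresses are taken from the post; the jail subnet 10.1.1.0/24 and the macro names are assumptions.

```pf
# Added example, not the original poster's ruleset.
# Assumed macros (interface names and addresses as given in the post):
ext_if   = "em0"            # LAN interface, holds the default route
vpn_if   = "ng0"            # VPN tunnel interface
vpn_gw   = "93.182.188.2"   # far end of the tunnel
jail_net = "10.1.1.0/24"    # assumed jail subnet on lo1

# NAT is evaluated on the interface the packet finally leaves on, so translate
# jail sources to the tunnel address; without this, packets leave the tunnel
# with a 10.1.1.x source and replies never return.
nat on $vpn_if from $jail_net to any -> ($vpn_if)

# Locally generated jail traffic is seen by pf as "out on em0" (the routing
# table picks em0 via the default route).  route-to overrides that decision
# and hands the packet to ng0 with the VPN gateway as next hop.  Note that
# the interface inside the parentheses must be the tunnel interface, not the
# interface the packet was originally routed to, and that literal addresses
# are written without a leading "$".
pass out on $ext_if route-to ($vpn_if $vpn_gw) from $jail_net to any keep state

# Return traffic arriving on ng0 is sent back through the tunnel.
pass in on $vpn_if reply-to ($vpn_if $vpn_gw) to $jail_net keep state

# Everything else keeps using the default route.
pass out on $ext_if from ($ext_if) to any keep state
```

After loading with pfctl -f /etc/pf.conf, pfctl -s rules and pfctl -s nat should show the route-to rule on em0 and the NAT rule on ng0; a firewall log that still shows the tunnel address leaving via em0 means the route-to rule did not match.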