On 21.10.2011 at 04:02, Morgan Reed wrote:
> Hi all,
>
> I'm currently attempting to set up what I suppose you'd call a
> multi-VPN-tunnel gateway. Basically I have several OpenVPN servers in
> different locations; I want to have various tunnels up to them and be
> able to choose an exit by pointing my browser at a particular
> instance of Squid running in a particular jail, which routes via a
> particular tunnel (HTTP/S traffic is the primary concern at this
> point, though I might want to extend the concept to all traffic in
> future).
I have a similar setup, but the OpenVPN endpoints are on OpenWrt, with tinyproxy
running there. I have a central squid that knows which tinyproxy to use for
which URL pattern, and that works quite well.
> The first issue I ran into was routing tables; that was resolved by
> recompiling my kernel with option ROUTETABLES=10 and pointing each of
> my jails to its own FIB. However, as it's not possible to configure
> route tables from inside the jail (as far as I'm aware anyway), I need
> to bring the OpenVPN tunnel up from the host and utilise a route-up
> script to configure the routing table for the jail (utilising setfib).
> I run into problems though: even though the tun device is visible
> in the jail, it does not appear to be configured (no IP addresses, etc.),
> so the jail is unable to route traffic.
>
> All the stuff I've been able to find online has been geared to static
> addresses on each end of the tunnel; this is not the case with my VPN
> provider, where tunnel addresses are dynamically assigned.
>
> I think that worst case I can probably use pf on the host to route
> traffic from a given jail via a particular interface or possibly
> cobble something up around VIMAGE, but I think I'd rather not have to
> go down those paths.
>
> I'm not sure if what I'm looking for is actually possible, any
> suggestions would be much appreciated.
I was trying to enable a set of processes to use a separate DSL interface, with
the FreeBSD box terminating the PPPoE connection. I've tried a couple of
things:
- I couldn't come up with pf rules that would allow certain processes (i.e.
those in a specific jail, or running under a specific user id) to have separate
forwarding applied to them. I believe IPFW might be better suited, but I
haven't tried.
- VIMAGE and mpd don't like each other, so VIMAGE was out as well.
- VBox with the interface bridged to the DSL interface works fine, but has a lot
of overhead.
My OpenVPN hub server is running inside a jail, but the tun interface is
preconfigured from outside; the config substitutes /bin/true for ifconfig and
route.
HTH, and please report back on any success; I'm definitely interested!
Stefan
--
Stefan Bethke <stb@lassitu.de> Fon +49 151 14070811
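As an added example (not code from either mail), here is the kind of host-side route-up script Morgan describes: it installs the tunnel's default route into the jail's FIB with setfib, taking the dynamically assigned tunnel addresses from the variables OpenVPN exports to route-up scripts instead of hard-coding them. The script name, FIB number and config lines shown in the comments are assumptions.

```shell
#!/bin/sh
# Example OpenVPN --route-up script for the FreeBSD host (added example).
# Assumed lines in the host's OpenVPN client config (hypothetical):
#   script-security 2
#   route-noexec                      # keep OpenVPN out of the host's FIB 0
#   route-up "/usr/local/etc/openvpn/jail-fib-up.sh 1"
# and the jail started with: setfib 1 jail ...   (FIB 1 is an assumption).
#
# OpenVPN exports $dev (the tun device) and $route_vpn_gateway (the peer
# address to use as default gateway) to route-up scripts, so the
# provider's dynamically assigned addresses never need to be known ahead.
# Note: net.add_addr_allfibs controls whether the tun interface route is
# also added to the non-default FIBs; the default route below needs it.

# Reject anything that is not a plain FIB number or an empty gateway,
# since both values are substituted straight into route(8) commands.
validate_args() {
    fib=$1; gw=$2
    case "$fib" in
        ''|*[!0-9]*) echo "invalid FIB number: '$fib'" >&2; return 1 ;;
    esac
    [ -n "$gw" ] || { echo "route_vpn_gateway is empty" >&2; return 1; }
    return 0
}

# Run a command, or just print it when DRY_RUN is set (lets the logic be
# checked without root, setfib or a live tunnel).
run_cmd() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# Point the jail's FIB default route at the tunnel peer.
apply_jail_fib() {
    fib=$1; dev=$2; gw=$3
    validate_args "$fib" "$gw" || return 1
    # Drop a stale default left by a previous tunnel instance (may not exist).
    run_cmd setfib "$fib" route -q delete default 2>/dev/null || :
    run_cmd setfib "$fib" route -q add default "$gw"
}

# When called by OpenVPN: first argument is the FIB, env comes from OpenVPN.
if [ $# -ge 1 ] && [ -n "$dev" ]; then
    apply_jail_fib "$1" "$dev" "$route_vpn_gateway"
fi
```

Run it with DRY_RUN=1 and dev/route_vpn_gateway set in the environment to see the commands it would issue before wiring it into the OpenVPN config.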