OpenVPN within a Jail under 6.x ...
Oliver Fromme
olli at lurza.secnetix.de
Thu Feb 9 08:03:54 PST 2006
Uwe Doering <gemini at geminix.org> wrote:
> Talking about security, while I haven't worked with VPNs so far I
> believe that there needs to be a route installed in order to forward
> packets to the remote end of the VPN connection.
In general, yes, you need a route. However, it depends on
what you're using the VPN connection for. If you only need
it to access a single host or network on the other side,
then the interface route might be sufficient (it's created
automatically by ifconfig(8)). Conversely, if you want to
use the VPN connection as your uplink, you must set the
default route to the VPN link.
> Now, since routes are a global resource in FreeBSD, is there a way to
> prevent users from other jails on that machine from accessing that VPN,
> too? If it weren't possible to restrict access to a VPN to the jail it
> is associated with the VPN would no longer be private I'd think.
Every jail has its own IP address. Connections originating
from a jail are forced to use the jail's IP address as their
source address. Therefore you can use a packet filter (IPFW
or PF) to control where those packets are allowed to go.
For example, assume you have a jail with IP 10.20.30.40 that
is allowed to use a VPN on interface tun5. These IPFW rules
will implement that policy:
allow ip from 10.20.30.40 to any out xmit tun5
deny ip from any to any out xmit tun5
Of course, that's just a very simple example. You can use
other rules to further restrict the packets, and you can
also control incoming packets in a similar way.
Best regards
Oliver
--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"When your hammer is C++, everything begins to look like a thumb."
-- Steve Haflich, in comp.lang.c++
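The policy Oliver sketches above, written out as an ipfw(8) script that also covers the inbound direction he mentions. This is an added example, not code from the original post; it reuses the jail IP 10.20.30.40 and interface tun5 from the mail, and the rule numbers 1000-1003 are an assumption (pick free ones on your host).

```shell
#!/bin/sh
# Added example: confine a VPN interface to a single jail with ipfw(8).
# Assumptions (not from the original post): rule numbers 1000-1003 are
# unused, and the jail IP and tun interface are passed as arguments.

# Emit the rules that confine traffic on interface $2 to jail IP $1.
# Outbound: only packets sourced from the jail's IP may leave via the tun.
# Inbound: only packets addressed to the jail's IP may arrive via the tun.
# Everything else (other jails, the host's own addresses) is dropped in
# both directions, so the VPN stays private to that one jail.
jail_vpn_rules() {
    jail_ip="$1"
    vpn_if="$2"
    cat <<EOF
add 1000 allow ip from ${jail_ip} to any out xmit ${vpn_if}
add 1001 deny ip from any to any out xmit ${vpn_if}
add 1002 allow ip from any to ${jail_ip} in recv ${vpn_if}
add 1003 deny ip from any to any in recv ${vpn_if}
EOF
}

# Sanity check: number of generated rules that reference the interface.
jail_vpn_rule_count() {
    jail_vpn_rules "$1" "$2" | grep -c "$2"
}

# Print the rules, or load them one by one when "apply" is given and
# ipfw is present (run as root on the jail host, not inside the jail).
main() {
    ip="${1:-10.20.30.40}"
    ifc="${2:-tun5}"
    if [ "$3" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
        jail_vpn_rules "$ip" "$ifc" | while read -r line; do
            # shellcheck disable=SC2086  # word splitting is intended here
            ipfw -q $line
        done
    else
        jail_vpn_rules "$ip" "$ifc"
    fi
}
```

Check the result with `ipfw show` after applying; the deny counters on rules 1001 and 1003 tell you whether other jails or the host are trying to use the tunnel.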