Oliver Fromme wrote:
> Marc G. Fournier wrote:
> > Oliver Fromme wrote:
> > > The problem is that you need to configure interfaces
> > > (tun(4) or tap(4)) to set up the VPN, but ifconfig(8)
> > > does not work inside a jail. That means you cannot
> > > set up a VPN inside a jail. However, you can _use_
> > > it within a jail, of course, if you assign the IP of
> > > the VPN connection to the jail
> >
> > 'k, how would you do that? I thought you could only assign one IP to a
> > jail, both in 4.x and 6.x?
>
> True. I meant that the IP of the VPN connection is the
> only IP of the jail.
>
> Or, if you can't do that, forward the packets into the
> jail using IPFW FWD rules and NAT. In that case, the
> jail doesn't need to have the VPN connection's IP.
>
> In fact, you can set the IP of the jail to a localnet
> IP (such as 127.0.1.1), which isn't routable and isn't
> accessible from the outside at all. That's often done
> to improve security.
Talking about security, while I haven't worked with VPNs so far, I
believe that there needs to be a route installed in order to forward
packets to the remote end of the VPN connection.

Now, since routes are a global resource in FreeBSD, is there a way to
prevent users from other jails on that machine from accessing that VPN,
too? If it weren't possible to restrict access to a VPN to the jail it
is associated with, the VPN would no longer be private, I'd think.
Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
[EMAIL PROTECTED] | http://www.escapebox.net
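The fwd-plus-NAT arrangement Oliver describes, together with the restriction Uwe asks about, as an added sh example (not code from the thread): an ipfw ruleset that hands VPN traffic to a jail living on 127.0.1.1 and lets only that jail and the host use the tunnel. Assumed names: tun0, 10.8.0.5, 10.8.0.0/24, 127.0.1.1, TCP port 22, and natd(8) on divert port 8668; that the 4.x/6.x kernels of the thread behave exactly as the comments say is also an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed layout: the VPN comes up on
# tun0 with local address 10.8.0.5 and remote network 10.8.0.0/24; the jail's
# only address is the loopback alias 127.0.1.1 and it exposes TCP port 22.
# Assumed prerequisites: a kernel with IPFIREWALL_FORWARD, the alias set with
# "ifconfig lo0 alias 127.0.1.1 netmask 255.255.255.255", and natd(8) run as
# "natd -n tun0 -same_ports -p 8668" so the jail's replies leave with the
# tunnel address as their source.
VPN_IF=${VPN_IF:-tun0}
VPN_IP=${VPN_IP:-10.8.0.5}
VPN_NET=${VPN_NET:-10.8.0.0/24}
JAIL_IP=${JAIL_IP:-127.0.1.1}
JAIL_PORT=${JAIL_PORT:-22}
NATD_PORT=${NATD_PORT:-8668}

# Emit the ruleset in ipfw(8) rule-file syntax so it can be reviewed first.
ipfw_rules() {
cat <<EOF
# Inbound over the VPN to the jail's service: fwd to a local address makes the
# kernel hand the packet to the socket bound to $JAIL_IP without rewriting it.
add 1000 fwd $JAIL_IP,$JAIL_PORT tcp from $VPN_NET to $VPN_IP $JAIL_PORT in recv $VPN_IF
# Replies leave with source $JAIL_IP; natd rewrites that to $VPN_IP.
add 1100 divert $NATD_PORT ip from $JAIL_IP to $VPN_NET out xmit $VPN_IF
# Only the host (and, after NAT, the jail) may send into the tunnel; any other
# jail on this machine, whatever its address, is denied and logged.
add 1200 allow ip from $VPN_IP to $VPN_NET out xmit $VPN_IF
add 1290 deny log ip from any to any out xmit $VPN_IF
# From the VPN, accept only traffic addressed to the tunnel's own address.
add 1300 allow ip from $VPN_NET to $VPN_IP in recv $VPN_IF
add 1390 deny log ip from any to any in recv $VPN_IF
EOF
}

# Number of rules emitted (comment lines excluded), used as a sanity check.
rule_count() { ipfw_rules | grep -c '^add '; }

# Load the ruleset from a temporary file, the form ipfw(8) reads.
apply_rules() {
    f=$(mktemp -t ipfw) || return 1
    ipfw_rules >"$f" && ipfw -q "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

case "${1:-show}" in
    show)  ipfw_rules ;;
    apply) apply_rules ;;
esac
```

Filtering on the jail's own address is what keeps the tunnel private: a jail's packets always carry the jail's IP as their source, so denying everything else that leaves tun0 covers every other jail on the box without touching the global routing table.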