# OpenVPN in a jail



## Remington (Feb 26, 2013)

Does anyone have a simple solution or guide to get OpenVPN working in a jail without compiling VIMAGE, since it's not production ready? I tried to follow the thread below but had no success getting it to work. I want to use OpenVPN to hide my client's IP address for torrent purposes and for using the client's browser on public WiFi. I'd appreciate it if anyone can point out what I'm doing wrong or whether it's not possible to do this in a jail. I will continue to edit this post as a guide for others to follow.

http://forums.freebsd.org/showthread.php?t=22143

Here are my configs for FreeBSD 9.1:

Host /etc/rc.conf

```
hostname=""
defaultrouter="192.168.1.1"
ifconfig_em0="inet 192.168.1.131 netmask 0xffffff00"
ifconfig_em0_alias0="inet 192.168.1.132 netmask 255.255.255.255"
ifconfig_em0_alias1="inet 192.168.1.133 netmask 255.255.255.255"
ifconfig_em0_alias2="inet 192.168.1.134 netmask 255.255.255.255"
ifconfig_em0_alias3="inet 192.168.1.135 netmask 255.255.255.255"
ifconfig_em0_alias4="inet 192.168.1.136 netmask 255.255.255.255" # VPN Jail
ifconfig_em0_alias5="inet 192.168.1.137 netmask 255.255.255.255"
ifconfig_em0_alias6="inet 192.168.1.138 netmask 255.255.255.255"
ifconfig_em0_alias7="inet 192.168.1.139 netmask 255.255.255.255"

cloned_interfaces="tun"

zfs_enable="YES"
sshd_enable="YES"
ezjail_enable="YES"
dumpdev="NO"
```

Host /etc/defaults/devfs.rules

```
# Support for TUN devices
#
[devfsrules_unhide_tun=5]
add path tun0 unhide

# Rules for jail vpn
#
[devfsrules_jail_vpn=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
```

Host /usr/local/etc/ezjail/vpn

```
export jail_vpn_hostname="vpn"
export jail_vpn_ip="192.168.1.136"
export jail_vpn_rootdir="/jails/vpn"
export jail_vpn_exec_start="/bin/sh /etc/rc"
export jail_vpn_exec_stop=""
export jail_vpn_mount_enable="YES"
export jail_vpn_ip_multi0="tun0|10.8.0.1 10.8.0.2 mtu 1500 netmask 255.255.255.255"
export jail_vpn_devfs_enable="YES"
export jail_vpn_devfs_ruleset="devfsrules_jail_vpn"
export jail_vpn_procfs_enable="YES"
export jail_vpn_fdescfs_enable="YES"
export jail_vpn_image=""
export jail_vpn_imagetype="zfs"
export jail_vpn_attachparams=""
export jail_vpn_attachblocking=""
export jail_vpn_forceblocking=""
export jail_vpn_zfs_datasets=""
export jail_vpn_cpuset=""
export jail_vpn_fib=""
```

Jail /etc/rc.conf

```
openvpn_enable="YES"
openvpn_configfile="/usr/local/etc/openvpn/server.conf"
openvpn_if="tun"
gateway_enable="YES"
```

Jail /usr/local/etc/openvpn/server.conf

```
local 192.168.1.136
port 1194
proto udp
dev tun0

ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key  /usr/local/etc/openvpn/keys/server.key
dh   /usr/local/etc/openvpn/keys/dh1024.pem

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

cipher BF-CBC        # Blowfish (default)
comp-lzo

keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3
mute 20
ifconfig-noexec
```


----------
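Added example, not part of the original posts and not code from ezjail or FreeBSD: a small resolver that flattens the `add include` chain in the devfs.rules posted above, to check which device paths the jail's ruleset unhides itself and which rulesets it pulls in from elsewhere. The helper names `parse`, `flatten` and `audit` are hypothetical, and the parser only assumes the `[name=number]` / `add ...` line format visible in the post.

```python
import re

# Rule lines from the devfs.rules posted above (comments dropped). The rulesets
# it includes from elsewhere are not on the page, so they stay unresolved.
RULES_TEXT = """\
[devfsrules_unhide_tun=5]
add path tun0 unhide
[devfsrules_jail_vpn=6]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add include $devfsrules_unhide_tun
"""

HEADER = re.compile(r"^\[(\w+)=(\d+)\]$")
INCLUDE = re.compile(r"^add\s+include\s+\$(\w+)$")
UNHIDE = re.compile(r"^add\s+path\s+(\S+)\s+unhide$")

def parse(text):  # -> {ruleset name: (number, [rule lines])}
    rulesets, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            rulesets[current] = (int(m.group(2)), [])
        elif line and current is None:
            raise ValueError(f"rule outside any ruleset: {line!r}")
        elif line:
            rulesets[current][1].append(line)
    return rulesets

def flatten(rulesets, name, seen=()):  # expand includes defined in this text
    if name in seen:
        raise ValueError(f"include loop through {name}")
    out = []
    for line in rulesets[name][1]:
        inc = INCLUDE.match(line)
        local = inc and inc.group(1) in rulesets
        out += flatten(rulesets, inc.group(1), seen + (name,)) if local else [line]
    return out

def audit(text, name):  # -> (number, paths unhidden here, external includes)
    rulesets = parse(text)
    rules = flatten(rulesets, name)
    unhidden = [m.group(1) for m in map(UNHIDE.match, rules) if m]
    external = [m.group(1) for m in map(INCLUDE.match, rules) if m]
    return rulesets[name][0], unhidden, external

print(audit(RULES_TEXT, "devfsrules_jail_vpn"))
```

For the posted rules this reports `tun0` as the only path unhidden directly; everything else the jail can see comes from the three included rulesets, which have to be reviewed in the file that defines them.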



## Remington (Feb 28, 2013)

I did further research and concluded that it is not possible to get OpenVPN working properly in a jail without VIMAGE or hacks to the jail, both of which are a security risk for a production web server. There is not sufficient documentation about this, so I decided to install OpenVPN on the host.


----------

