# Routing jail traffic through OpenVPN



## underscore (Apr 16, 2013)

Hello!

I'm trying to route almost all traffic from a jail through an OpenVPN connection. So far I tried installing the OpenVPN deamon in the jail and set IPs etc on the host machine, according to http://forums.freebsd.org/showthread.php?t=22143

However, this howto is for a OpenVPN server, and what I need is the client side. Also, the IPs and Routes of my OpenVPN Provider are set dynamically, so setting them statically on the host isn't really working.

Do you have any tipps on what would be the easiest way to achieve the following.


Connect to an OpenVPN server
Route all local network (10.10.10.x) traffic from the jail "normally" throught my default router
Route every other traffic from the jail through the OpenVPN Connection

Until now, I created aliases for my bge0 in the /etc/rc.conf and every jail got one of those alias-IPs. Do I need to change that? 

What would I need for this? ipfw? Just Routing? VNets?

I read up on some of those, but before I start stumbling in the dark, I wanted to ask if someone more experienced could give me a hint what would be the easiest/fastest way for this setup.

Thanks!


----------



## underscore (Apr 17, 2013)

Alternatively, I could use PPTP or L2TP/IPSec, if that would be easier, however, I like OpenVPN better.


----------



## tx1131 (Apr 25, 2013)

Hi, 

I tried OpenVPN in jail some time as well and it was a pain to set up. It may be easier to set up on the host and redirect all traffic from tun/tap to the particular jail. 

As for dynamic IP, try one of the dynamic DNS services, you can find them free.

Hope this helps,
Konrad


----------



## Crest (Apr 25, 2013)

Use IPFW and match on the jail ID to move them into an other routing table (FIB) with setfib. Add the rule in the jail.conf hooks just after the jail is created, but before any process is started in the jail. Add the routes to a FIB other than the default FIB in the OpenVPN --up hook. It doesn't matter what you use as long as it can call a shell script at the right moment.


----------



## underscore (May 23, 2013)

I finally got around to take another look at this, and now I almost there:

I recompiled my kernel to support FIB, and this almost works.

If I start OpenVPN via `setfib 1 openvpn client.conf`, it does connect. When the jail isn't running at the time and I manually edit the jail address to the address of tun0, my jail traffic gets routed over the VPN. However local access (10.10.10.x) is obviously not possible anymore, and the manual starting and editing isn't a long-term solution.

Does anyone can help me work around this last part? I'd like to let openvpn set all the routes (I tried setting them in a --route-up-script, however I always seem to be missing some.

Is there a way to set the jail-IP after it started? Or do I have to go over ipfw to redirect everything from my jail?


----------

