Personal home page for:
Patrick Mackinlay

VPN jail

Edit /usr/local/etc/tor/torrc and add

# Additional sockets for VPN jail
SocksPort 10.9.0.1:9050
DNSPort 10.9.0.1:53

Create a network (10.9.0.0/30) for tor and the VPN jail.

/sbin/ifconfig epair100 create up
/sbin/ifconfig epair100a 10.9.0.1 netmask 255.255.255.252 up
/usr/local/etc/rc.d/tor restart

Make sure jails have access to tun devices: edit /etc/devfs.rules and add

# PIM
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
#add path 'dsp*' unhide
#add path 'mixer*' unhide
# For VPN jail
add path 'tun*' unhide
#/PIM

Create the jail by cloning patrick.uknet.spacesurfer.com. This can be done by following the instructions in the zfsUtils.pl command and then copying the changed files from the template:

zfsUtils.pl jailCreateZmirrorClone vpn
rm /jails/vpn/etc/ssh/ssh_host_*
mkdir /mnt/patrick
cp -av /jails/templates/vpn/ /jails/vpn

Packet filter

Prevent packets to or from any of the VPN address ranges from egressing or ingressing on the LAN or WAN. Add the following to /etc/pf.conf:

# vpn, prevent unencrypted packets from egressing or ingressing on the LAN or WAN
table <vpn> const { 10.7/16, 10.8/16, 10.9/16}
block quick on $ext_if from <vpn> to any
block quick on $ext_if from any to <vpn>
block quick on $int_if from <vpn> to any
block quick on $int_if from any to <vpn>
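As an added check that is not part of the original page, the following Python evaluates the four block rules above against constructed sample packets; the interface names em0/em1 behind $ext_if/$int_if and the packets are assumptions. It expands the short table entries the way pf reads them (10.7/16 is 10.7.0.0/16) and shows that the jail still reaches the tor sockets on 10.9.0.1 over epair100a, which the rules do not touch.

```python
"""Policy check for the VPN-jail pf rules (added example, not the page's own tooling)."""
import ipaddress

# Table entries exactly as written in the /etc/pf.conf fragment above.
VPN_TABLE = ["10.7/16", "10.8/16", "10.9/16"]

# Assumed values for the $ext_if and $int_if macros; the page does not define them.
EXT_IF, INT_IF = "em0", "em1"


def expand(short):
    """Expand pf's abbreviated 'a.b/len' form to a full IPv4 network (10.7/16 -> 10.7.0.0/16)."""
    addr, plen = short.strip().split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))       # pad missing trailing octets with zeros
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)


VPN_NETS = [expand(entry) for entry in VPN_TABLE]


def in_vpn_table(ip):
    """True if the address falls inside any <vpn> table entry."""
    return any(ipaddress.ip_address(ip) in net for net in VPN_NETS)


def blocked(iface, src, dst):
    """True if one of the four 'block quick' rules drops the packet.

    The rules bind only to $ext_if and $int_if, so traffic on the epair100
    link between the host's tor sockets and the jail is never matched.
    """
    if iface not in (EXT_IF, INT_IF):
        return False
    return in_vpn_table(src) or in_vpn_table(dst)


if __name__ == "__main__":
    # Constructed sample packets: (interface, source, destination)
    samples = [
        (EXT_IF, "10.8.0.2", "203.0.113.5"),       # tunnel address leaking to the WAN: blocked
        (INT_IF, "192.168.1.10", "10.9.0.1"),      # LAN host reaching the tor socket: blocked
        ("epair100a", "10.9.0.2", "10.9.0.1"),     # jail -> tor SocksPort over the epair: passes
        (EXT_IF, "192.168.1.10", "203.0.113.5"),   # ordinary LAN -> WAN traffic: passes
    ]
    for pkt in samples:
        print(pkt, "BLOCK" if blocked(*pkt) else "pass")
```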

Sep 16 2019