Personal home page for:
Patrick Mackinlay

VPN jail

Edit /usr/local/etc/tor/torrc and add

# Additional sockets for VPN jail

Create a network ( for tor and the VPN jail.

/sbin/ifconfig epair100 create up
/sbin/ifconfig epair100a netmask up
/usr/local/etc/rc.d/tor restart

Make sure jails have access to tun devices: edit /etc/devfs.rules and add

add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
#add path 'dsp*' unhide
#add path 'mixer*' unhide
# For VPN jail
add path 'tun*' unhide

Create the jail by cloning. This can be done by following the instructions in the command and copying the changed files from the template:

jailCreateZmirrorClone vpn
rm /jails/vpn/etc/ssh/ssh_host_*
mkdir /mnt/patrick
cp -av /jails/templates/vpn/ /jails/vpn

Packet filter

Prevent packets from any of the VPN IP addresses from egressing or ingressing the LAN or WAN. Add the following to /etc/pf.conf:

# vpn, prevent unencrypted packets from egressing or ingressing on the LAN or WAN
table <vpn> const { 10.7/16, 10.8/16, 10.9/16}
block quick on $ext_if from <vpn> to any
block quick on $ext_if from any to <vpn>
block quick on $int_if from <vpn> to any
block quick on $int_if from any to <vpn>
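
The script below is an added example, not part of the original page: it lints a pf.conf for the four block rules above and flags any of them that sits after a "pass ... quick" rule, which could match first and let an unencrypted VPN-range packet through. The function names, the sample ruleset (interface names and the pass rule) are constructed for illustration, and it assumes the rules are written with the $ext_if and $int_if macros exactly as shown above.

```shell
# Added example: lint a pf.conf for the VPN leak-prevention block rules.
# Heuristic: any "pass ... quick" before a block rule is reported as shadowing it.
check_vpn_blocks() {   # usage: check_vpn_blocks FILE; returns 0 when clean
    awk '
    BEGIN {
        bad = 0
        n = split("$ext_if $int_if", ifs, " ")   # macros as written on the page
        for (i = 1; i <= n; i++) {
            need["block quick on " ifs[i] " from <vpn> to any"] = 1
            need["block quick on " ifs[i] " from any to <vpn>"] = 1
        }
    }
    {
        sub(/#.*/, "")                      # drop comments
        gsub(/[ \t]+/, " ")                 # collapse whitespace
        sub(/^ /, ""); sub(/ $/, "")
        if ($0 == "") next
        if ($1 == "pass" && / quick( |$)/ && !pass_quick) pass_quick = NR
        if ($0 in need) {
            seen[$0] = 1
            if (pass_quick) {
                printf "SHADOWED line %d by pass quick at line %d: %s\n", NR, pass_quick, $0
                bad = 1
            }
        }
    }
    END {
        for (r in need) if (!(r in seen)) { print "MISSING: " r; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample ruleset (not the author's full pf.conf).
sample_pf_conf() {
    cat <<'EOF'
ext_if = "em0"
int_if = "em1"
table <vpn> const { 10.7/16, 10.8/16, 10.9/16}
block quick on $ext_if from <vpn> to any
block quick on $ext_if from any to <vpn>
block quick on $int_if from <vpn> to any
pass out quick on $ext_if proto tcp to port 443   # constructed rule
block quick on $int_if from any to <vpn>
EOF
}

tmp=$(mktemp) && sample_pf_conf > "$tmp"
check_vpn_blocks "$tmp" || echo "pf.conf needs attention"
rm -f "$tmp"
```

The check only reads the file; the ruleset syntax itself can be validated without loading it using pfctl -nf /etc/pf.conf.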


FreeBSD Jails with VLAN HOWTO
Sep 16 2019