SoftEther (VPN) in a Jail?

Status
Not open for further replies.

Andy22

Dabbler
Joined
Feb 19, 2014
Messages
14
Hi,

while researching FreeNAS + FreeBSD further, I discovered this:
FreeBSD jails are limited in the following ways:

Modifying the network configuration, including interfaces, interface or IP addresses, and the routing table, is prohibited. Accessing divert and routing sockets are also prohibited. Additionally raw sockets are disabled by default. A jail is bound only to specific IP addresses and firewall rules cannot be changed.

If I interpret this correctly, this means any VPN solution can't run inside a jail, since they normally need to add routes and tinker with firewall rules. So what about this "VImage" option then? If I understand this option correctly, it provides each jail with its own network stack, so VPN should be possible again?

So is it possible to install VPN solutions on the base unjailed system, and does this Linux compatibility layer exist then, or can it be installed?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
A jailed VPN solution historically causes those operations to be executed in the host environment. I don't know what's been done in FreeNAS.
 

dlavigne

Guest
Where is that reference from? Any idea if that was pre- or post-vimage functionality?
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
That reference is from twenty years of experience administering FreeBSD based networks.
 

dlavigne

Guest
Sorry, did I reply to the wrong person? I was curious as to the origin of the first quote by the OP.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Sorry, I thought the basic design concepts behind jails were well-understood. I thought you were asking me for a source for what I said. The OP's interpretation of what that has traditionally meant for jails was correct, but even in the earliest days of jails it was perfectly acceptable to work "outside the box" by ssh'ing out to the host system to do critical stuff like routing updates. That's just years of "make it work."
 

dlavigne

Guest
That particular quote is mostly untrue now that jails support vimage: http://web.archive.org/web/20130903120236/http://imunes.tel.fer.hr/virtnet/. Of course, it depends whether or not the jail was created with VIMAGE enabled or not.

wrt to VPNs, the last I heard you're still SOL as vimage does not support tun0, which is needed for the VPN. This may or may not have changed for 10.x or 11.x, but I have not heard either way.

wrt to Linux compatibility, in FreeBSD this is provided by the linux-compat which gets installed when you install a Linux jail. Unfortunately, Linux compat is starting to show its age as it only supports 32-bit binaries.
 