FreeBSD network settings for jails, one of which is on a VPN
# OpenVPN client profile. Presumably the myconfig.ovpn that rc.local starts
# inside FIB 1 (confirm - the gist does not show file names). Lines starting
# with '#' are comments to OpenVPN.
client
dev tun
proto udp
remote vpn-server.vpn-provider.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA that the server certificate is verified against
ca /usr/local/etc/openvpn/my-ca.crt
tls-client
# require the peer certificate to be marked as a server certificate, so a
# stolen client certificate cannot be used to impersonate the server
remote-cert-tls server
# username/password file on disk - should be root-owned and mode 0600
# (permissions are not visible here; confirm on the host)
auth-user-pass /usr/local/etc/openvpn/my-login.conf
# NOTE(review): link compression is deprecated in current OpenVPN releases and
# compressing mixed secret/attacker-influenced data can leak information.
# Keep only if the server side still requires it.
comp-lzo
verb 1
# reneg-sec 0 disables time-based renegotiation of the data-channel key
reneg-sec 0
# revoked server certificates are rejected against this CRL
crl-verify /usr/local/etc/openvpn/my-crl.pem
# runs after tun0 is up; needs script-security 2 (below) to be allowed
up /usr/local/etc/openvpn/pf-reload.sh
# NOTE(review): the manual documents --up-restart as taking no argument;
# confirm the trailing "1" is accepted by the installed OpenVPN version.
up-restart 1
script-security 2
# background after startup, so the rc.local invocation returns
daemon
#!/bin/sh
# Called by OpenVPN as its "up" script (see the "up" line in the client
# profile), i.e. after the tunnel interface has been configured. Reloads the
# whole pf ruleset; presumably so that the nat rule naming the tunnel
# interface picks up the tunnel's current address - confirm against pf.conf.
# Runs with the privileges of the OpenVPN process (no user/group drop is
# configured in the profile shown).
exec /sbin/pfctl -f /etc/pf.conf
# pf ruleset for the jail host: two jail networks on lo1, one NATed out of the
# public NIC (FIB 0) and one out of the VPN tunnel (FIB 1).
IF_PUB="igb0"
IP_PUB="111.222.33.44"
IP_PUB_BAK="111.222.55.66"
NET_JAIL="127.0.1.0/24"
IF_VPN="tun0"
NET_VPNJAIL="127.0.2.0/24"

scrub in all

# Outbound NAT. With "nat pass", translated packets skip the filter rules.
# NOTE(review): a bare interface name used as the translation address is
# resolved when the ruleset is loaded; "($IF_VPN)" in parentheses would follow
# address changes without the reload done by the OpenVPN up script - confirm
# before changing.
nat pass on $IF_PUB from $NET_JAIL to any -> $IF_PUB
nat pass on $IF_VPN from $NET_VPNJAIL to any -> $IF_VPN

# Inbound port forwards. Each list expands to one rule per public address,
# primary first. "rdr pass" likewise bypasses the filter rules.
# jail1
rdr pass on $IF_PUB proto tcp from any to { $IP_PUB, $IP_PUB_BAK } port 2201 -> 127.0.1.1
# jail2
rdr pass on $IF_PUB proto tcp from any to { $IP_PUB, $IP_PUB_BAK } port 2202 -> 127.0.1.2
# vpnjail1
rdr pass on $IF_PUB proto tcp from any to { $IP_PUB, $IP_PUB_BAK } port 2211 -> 127.0.2.1

# Traffic originating from each jail network is routed via its own FIB.
# No "block" rule exists in this ruleset, so pf's implicit default of passing
# everything else applies to the host itself - presumably intentional; confirm.
pass in from $NET_JAIL to any rtable 0
pass in from $NET_VPNJAIL to any rtable 1
# /etc/rc.conf excerpt - only the networking pieces of the jail host.

# Public NIC, IPv4 and IPv6, in the default FIB (0).
ifconfig_igb0='inet 111.222.33.44 netmask 255.255.255.0 broadcast 111.222.33.255'
defaultrouter='111.222.33.254'
ifconfig_igb0_ipv6='inet6 2500:1111:2222:3333:: prefixlen 64 accept_rtadv'
ipv6_network_interfaces='igb0'
ipv6_default_interface='igb0'
ipv6_defaultrouter='2500:1111:2222:3333:ff:ff:ff:ff'

# OpenVPN is intentionally not started by rc.d; rc.local launches it inside
# FIB 1, where the static default route below is installed.
openvpn_enable='NO'
static_routes='vpn'
route_vpn='default 111.222.33.254 -fib 1'

# pf provides NAT for the jails; lo1 carries both jail address ranges.
pf_enable='YES'
cloned_interfaces='lo1'
ipv4_addrs_lo1='127.0.1.1-19 127.0.2.1-19'
#!/bin/sh
# Start the OpenVPN client inside FIB 1, the routing table that rc.conf's
# route_vpn entry populates, so the tunnel's outer packets use that table
# rather than the default one. The client profile's "daemon" directive is what
# backgrounds the process, so this line returns promptly. Runs as root with no
# privilege drop configured in the profile shown.
setfib -F1 /usr/local/sbin/openvpn /usr/local/etc/openvpn/myconfig.ovpn