Selective VPN traffic routing

Hello everyone! Hope you’re all staying safe.

Given I have a lot more free time on my hands, I’m getting around to completing a few home projects. One of them is routing some of my server traffic through a VPN. I’m looking for recommendations as to how to do this though. I’m running a FreeNAS box and I want traffic from certain jails to route via OpenVPN, but I still need those jails to be accessible via LAN (including externally by way of my router’s OpenVPN server). I also have a Ubiquiti EdgeRouter-4.

So I’m wondering what the best option to do this would be. Would it be better to:
Install OpenVPN in the FreeNAS jails I want to use it for, and configure it that way?
Install OpenVPN in its own jail or VM on the FreeNAS box?
Set up a site-to-site connection on EdgeOS, and route traffic through that based on either port, or IP address (if that can even be done).

Are there benefits and/or detriments to any of these options that I’m not thinking of?

Thanks in advance for any help you can offer!

Do you want all internet traffic from some jails to go through a public vpn? Or do you control the other endpoint?

I’d say do it from within a jail, as that way you get more flexibility to tune things right, compared to having to do it on edgeos.

Either way, if you just focus on the word “pull” in the openvpn man page, you will find various config options to control how routes and gateways and DNS servers are set-up. You can override whatever the servers are sending you that way, either statically or you could get all the server variables passed to your shell script.

If you expect privacy, don’t forget to run your own dnsmasq or similar, and set up your local domain to resolve locally.

It’ll be a public VPN controlled by PIA. Though I’m still a little iffy on them after the Kape Tech acquisition. I’ll eventually set up my own VPN via Linode, but that’s future me’s problem.

If I set it up within a jail, can I still access it from LAN? Most of my experience with VPNs has blocked off LAN access. That said, I’m not hugely well versed in them.

Thanks for the tip! I’ll check that out and do some reading.

Way ahead of you!

You could, it’s up to you and how you configure openvpn and the jail. You can have any number of network interfaces within a jail, you could also have multiple routing tables (setfib), and those can be configured with separate gateways and lan.
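For the in-jail approach the two replies above describe (overriding what the server pushes, keeping LAN and remote-access users reachable, and keeping the local domain resolving locally), here is an added example script. It is my own illustration, not the poster's setup and not PIA's or FreeBSD's own tooling. It assumes a VNET jail with its own routing table, openvpn and dnsmasq installed in the jail, a tun device available to the jail, and these hypothetical values: LAN gateway 192.168.1.1 (which also answers for the local domain home.lan), the router's OpenVPN client subnet 10.8.0.0/24, the provider's config at /usr/local/etc/openvpn/provider.ovpn, and the script itself installed as vpn-jail.sh next to it.

```shell
#!/bin/sh
# Added example, not from the thread: OpenVPN client overrides plus an "up" script for a
# FreeBSD/FreeNAS VNET jail. Internet traffic leaves via the tunnel, the LAN and the
# router's own OpenVPN client subnet stay reachable via the LAN gateway, and pushed DNS
# servers become dnsmasq upstreams while the local domain keeps resolving locally.
# Assumed (hypothetical) values: LAN gateway 192.168.1.1, router VPN-client subnet
# 10.8.0.0/24, local domain home.lan, provider config already in $PROVIDER_CONF.

LAN_GW="${LAN_GW:-192.168.1.1}"
REMOTE_ACCESS_NET="${REMOTE_ACCESS_NET:-10.8.0.0 255.255.255.0}"
LOCAL_DOMAIN="${LOCAL_DOMAIN:-home.lan}"
CONF_DIR="${CONF_DIR:-/usr/local/etc/openvpn}"
PROVIDER_CONF="${PROVIDER_CONF:-$CONF_DIR/provider.ovpn}"
UPSTREAM_FILE="${UPSTREAM_FILE:-/usr/local/etc/dnsmasq.d/vpn-upstreams.conf}"

# Lines appended to the provider's client config. Searching openvpn(8) for "pull" leads
# to pull-filter/route-nopull; these keep the server's tunnel routes but replace its
# pushed default route with our own and pin the remote-access subnet to the LAN gateway.
render_routing_overrides() {
    cat <<EOF
# ignore the server's pushed default route; we set our own below
pull-filter ignore "redirect-gateway"
# two /1 routes via the tunnel: more specific than a default, less specific than the
# directly connected LAN, so LAN hosts still reach the jail without any extra route
redirect-gateway def1
# replies to users on the router's OpenVPN server must go back via the LAN gateway,
# not into the tunnel (the connected LAN route already covers local hosts)
route $REMOTE_ACCESS_NET $LAN_GW
# export pushed options (foreign_option_N and friends) to our up script
script-security 2
up $CONF_DIR/vpn-jail.sh
EOF
}

# OpenVPN exports each pushed "dhcp-option" as foreign_option_1, foreign_option_2, ...;
# collect only the DNS servers from them.
pushed_dns_servers() {
    i=1
    while :; do
        opt=$(eval "printf '%s' \"\${foreign_option_$i:-}\"")
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*) printf '%s\n' "${opt#"dhcp-option DNS "}" ;;
        esac
        i=$((i + 1))
    done
}

# dnsmasq fragment: the local domain goes to the LAN gateway (reached via the connected
# LAN route, so it never enters the tunnel); everything else goes to the pushed servers.
dnsmasq_upstream_lines() {
    printf 'server=/%s/%s\n' "$LOCAL_DOMAIN" "$LAN_GW"
    pushed_dns_servers | while read -r ip; do printf 'server=%s\n' "$ip"; done
}

# Build the final client config and install this file as the up script.
install_config() {
    { cat "$PROVIDER_CONF"; render_routing_overrides; } > "$CONF_DIR/vpn-jail.conf"
    cp "$0" "$CONF_DIR/vpn-jail.sh" && chmod 755 "$CONF_DIR/vpn-jail.sh"
}

# When OpenVPN runs this file as the up script, it sets script_type=up in the environment.
case "${script_type:-${1:-}}" in
    up)      dnsmasq_upstream_lines > "$UPSTREAM_FILE" && service dnsmasq restart ;;
    install) install_config ;;
esac
```

Run it once as `sh vpn-jail.sh install` inside the jail, point `openvpn_configfile` at the generated vpn-jail.conf, and keep /etc/resolv.conf in the jail pointing at 127.0.0.1 so dnsmasq is the only resolver the jail uses. The VNET assumption matters: in a jail that shares the host's network stack, the routes OpenVPN adds land in the host's routing table and would redirect the whole FreeNAS box, which is exactly the situation the setfib suggestion above is for.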

I meant within a jail.

What router or routing software are you using? If you’re using a decent router, you’ll want to look into implementing the VPN with a rule to only send traffic from these IPs down X internet connection. You can either set the default to the VPN and have a rule to send these IPs out through dirty internet, or the other way around where only these IPs get routed through the VPN connection.

That was my thinking if I went with the VPN client on the router itself, but I’ve gone ahead and installed it in the FreeNAS jail to play around with it a bit. It’s probably a good thing in retrospect, because dealing with the port forwarding was a pain in the arse on FreeBSD, let alone on whatever EdgeOS is based on.

It’s currently running just fine in the jail. The only problem is that I’ll have to reconfigure the whole thing for each individual jail I want to install it on. So a little more work on my end.

One thing I’d point out to anyone that might come across this… I can’t get PIA’s port forwarding script to work on FreeBSD (something they tell me they don’t support). Regardless though, if I could get it working, I would need to re-request the port forwarding every time my VPN lost connection which is just a pain in the arse. I can’t speak for other VPN providers, but as a more permanent solution, I’m going to host my own VPN via a VPS provider. Slightly more expensive, but way more configurable, and no need to worry about Kape Technologies.