VPN via the TUN/TAP device
This article describes how to use VPN via the TUN/TAP device inside a [[container]].

== Kernel TUN/TAP support ==
OpenVZ supports VPN inside a container via the kernel '''tun''' module and the TUN/TAP device, /dev/net/tun (character device major 10, minor 200). To allow container #101 to use the TUN/TAP device, the following should be done.

Make sure the '''tun''' module has already been loaded on the [[hardware node]]:
<pre>
# lsmod | grep tun
</pre>

If it is not there, load the '''tun''' module:
<pre>
# modprobe tun
</pre>

To make sure the '''tun''' module is loaded automatically on every reboot, add it either to the hardware node's boot-time module loading (on RHEL/CentOS a script under /etc/sysconfig/modules/; Debian-based systems list modules to load at boot in /etc/modules):
<pre>
# echo 'modprobe tun' >> /etc/sysconfig/modules/tun.modules
</pre>
(rc.sysinit only runs the scripts in that directory that are executable, so make the file executable), or to the container's mount script, which vzctl runs on the hardware node each time the container is mounted (replace ''VEID'' with the container ID):
<pre>
# echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/VEID.mount
</pre>
== Granting a container access to TUN/TAP ==
Allow the container to use the TUN/TAP device by running the following commands on the hardware node. The first command permits access to character device major 10, minor 200 (/dev/net/tun); the second grants the container the CAP_NET_ADMIN capability, which VPN software needs to bring up the tun interface and add routes:
<pre>
# vzctl set 101 --devices c:10:200:rw --save
# vzctl set 101 --capability net_admin:on --save
</pre>

Then create the character device node inside the container (also run from the hardware node):
<pre>
# vzctl exec 101 mkdir -p /dev/net
# vzctl exec 101 mknod /dev/net/tun c 10 200
# vzctl exec 101 chmod 600 /dev/net/tun
</pre>

Note that net_admin is a broad capability: root inside the container can then reconfigure the container's interfaces, routes and firewall rules, so grant it only to containers whose administrators you trust with that, and keep /dev/net/tun at mode 600 so that only root in the container can open it.
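The whole procedure from the two sections above, as an added example that is not part of the OpenVZ wiki page: a POSIX shell script for the hardware node that checks whether the tun module is loaded, grants the device and the capability, creates the node and then verifies from inside the container that a character device really exists. It assumes vzctl is on the PATH and is run as root; with DRY_RUN=1 it only prints the commands it would run, which is how the script was checked here.

```sh
#!/bin/sh
# Added example, not part of the OpenVZ wiki page: grant an OpenVZ container
# access to /dev/net/tun and verify the result. Run on the hardware node as root.
# Assumes vzctl is installed; DRY_RUN=1 prints the commands instead of running them.
set -eu

TUN_MAJOR=10     # /dev/net/tun is character device 10:200 on Linux
TUN_MINOR=200

# run CMD... : execute CMD, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# valid_veid ID : OpenVZ container IDs are positive integers; reject anything
# else so that a bad argument can never be spliced into a vzctl command line
valid_veid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0)           return 1 ;;
        *)           return 0 ;;
    esac
}

# tun_loaded : true if the tun module is loaded (or built into the kernel,
# in which case the node already exists on the host)
tun_loaded() {
    grep -q '^tun ' /proc/modules 2>/dev/null || [ -c /dev/net/tun ]
}

# grant_tun VEID : the steps from the article, followed by a check from inside
# the container that /dev/net/tun is a character device. Running it a second
# time on the same container fails at mknod ("File exists"): that is expected.
grant_tun() {
    veid=$1
    valid_veid "$veid" || { echo "invalid VEID: $veid" >&2; return 1; }
    tun_loaded || run modprobe tun
    run vzctl set "$veid" --devices "c:${TUN_MAJOR}:${TUN_MINOR}:rw" --save
    run vzctl set "$veid" --capability net_admin:on --save
    run vzctl exec "$veid" mkdir -p /dev/net
    run vzctl exec "$veid" mknod /dev/net/tun c "$TUN_MAJOR" "$TUN_MINOR"
    run vzctl exec "$veid" chmod 600 /dev/net/tun
    run vzctl exec "$veid" test -c /dev/net/tun
}

# Usage: DRY_RUN=1 ./setup_ct_tun.sh 101   (omit DRY_RUN to apply the changes)
if [ "$#" -gt 0 ]; then
    grant_tun "$1"
fi
```

The final vzctl exec is the check worth keeping: if it fails, the node was created as something other than a character device (for example by a shell that did not honour the mknod arguments) and OpenVPN or vtun will report that it cannot open /dev/net/tun.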
== Configuring VPN inside container ==
After the configuration steps above are done, VPN software that works with TUN/TAP can be used inside the container just like on an ordinary standalone Linux box.

The following software can be used for VPN with TUN/TAP:
* Virtual TUNnel (http://vtun.sourceforge.net)
* OpenVPN (http://openvpn.sourceforge.net)
== Troubleshooting ==
If NAT is needed inside the container (for example to masquerade the VPN clients' 10.8.0.0/24 traffic out through venet0), the following error occurs when the container has not been allowed to use the netfilter NAT modules:
<pre>
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
</pre>
A container can only use the netfilter modules that are both loaded on the hardware node and listed in the IPTABLES parameter of its configuration (set with vzctl's --iptables option; the default list in /etc/vz/vz.conf does not include iptable_nat and ipt_MASQUERADE, and a change takes effect only after the container is restarted). The solution is given here:

http://kb.parallels.com/en/5228

Also see pages 69-70 of the OpenVZ User's Guide:

http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf

Note that the above steps have been reported not to solve the problem when a Gentoo container runs on a CentOS hardware node; the cause of that case is still unknown.
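As an added example (not from the wiki page or from the linked knowledge-base article) of the check a practitioner would make before restarting the container: the script below reads the IPTABLES parameter from a container configuration file in the format of /etc/vz/conf/VEID.conf, reports which of the modules needed by the MASQUERADE rule above are not allowed, reports which are not loaded on the hardware node, and prints the vzctl --iptables command that adds the missing ones. The sample configuration is constructed for the demonstration; its module list is the usual OpenVZ default, which contains no NAT modules.

```sh
#!/bin/sh
# Added example, not from the OpenVZ wiki: find out why "Table does not exist"
# happens for the nat table inside a container, and print the fix.
# A container can only use netfilter modules that are loaded on the hardware
# node AND listed in the IPTABLES parameter of its config (/etc/vz/conf/VEID.conf).
set -u

# Modules the MASQUERADE rule in the troubleshooting section needs.
NAT_MODULES="iptable_nat ipt_MASQUERADE"

# ct_iptables_modules CONF : print the value of the IPTABLES= line, unquoted
# (the last one wins, as it does when the shell-style config is sourced)
ct_iptables_modules() {
    sed -n 's/^IPTABLES=//p' "$1" | tr -d '"' | tail -n 1
}

# missing_nat_modules CONF : print, one per line, the NAT modules absent from CONF
missing_nat_modules() {
    allowed=" $(ct_iptables_modules "$1") "
    for m in $NAT_MODULES; do
        case "$allowed" in
            *" $m "*) ;;                    # already allowed
            *)        printf '%s\n' "$m" ;;
        esac
    done
}

# hn_missing_modules : NAT modules not loaded on the hardware node (/proc/modules)
hn_missing_modules() {
    for m in $NAT_MODULES; do
        grep -q "^$m " /proc/modules 2>/dev/null || printf '%s\n' "$m"
    done
}

# nat_fix_command VEID CONF : the vzctl command that appends the missing modules
# to the container's allowed list; prints nothing if nothing is missing
nat_fix_command() {
    missing=$(missing_nat_modules "$2" | tr '\n' ' ')
    if [ -z "$missing" ]; then
        return 0
    fi
    allowed=$(ct_iptables_modules "$2")
    newlist=$(printf '%s %s' "$allowed" "$missing" | sed 's/^ *//; s/ *$//')
    printf 'vzctl set %s --iptables "%s" --save\n' "$1" "$newlist"
}

# Constructed sample config for the demonstration (not a file taken from the
# page); the module list is OpenVZ's usual default, which has no NAT modules.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
VEID="101"
IPTABLES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
EOF

echo "NAT modules not allowed in the container:"; missing_nat_modules "$SAMPLE_CONF"
echo "NAT modules not loaded on this host:";       hn_missing_modules
echo "Fix (then restart the container):";         nat_fix_command 101 "$SAMPLE_CONF"
```

Both halves matter: modules listed in IPTABLES but not loaded on the hardware node (load them with modprobe there, and make that persistent the same way as the tun module above) give the same "Table does not exist" error as modules that are loaded but not listed.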
== External links ==
* [http://vtun.sourceforge.net Virtual TUNnel]
* [http://openvpn.sourceforge.net OpenVPN]
[[Category: HOWTO]]
[[Category: Networking]]