Difference between revisions of "VPN via the TUN/TAP device"
Revision as of 22:31, 11 February 2010
This article describes how to use VPN via the TUN/TAP device inside a container.
Kernel TUN/TAP support
OpenVZ supports VPN inside a container via the kernel TUN/TAP module and device. To allow container #101 to use the TUN/TAP device, do the following:
Make sure the tun module is already loaded on the hardware node:
# lsmod | grep tun
If it is not there, use the following command to load the tun module:
# modprobe tun
To make sure that the tun module is loaded automatically on every reboot, you can also add it either to /etc/modules.conf (on RHEL, see the /etc/sysconfig/modules/ directory) or to /etc/sysconfig/vz-scripts/CTID.mount (echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/CTID.mount).
Granting a container access to TUN/TAP
Allow your container to use the tun/tap device by running the following commands on the host node:
vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save
Then create the character device file inside the container (execute the following on the host node):
vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun
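The module check and the container setup above, wrapped in shell functions with the checks a practitioner would want before and after granting access (an added example, not code from the OpenVZ wiki). It assumes vzctl is available on the hardware node and that the container ID is passed as an argument; the DRY_RUN variable and the stat-line check are this example's own additions.

```shell
#!/bin/sh
# Assumes vzctl on the hardware node. DRY_RUN=1 prints the commands
# instead of running them, so the sequence can be reviewed first.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read lsmod output on stdin; succeed only if the tun module is listed.
tun_loaded() {
    grep -q '^tun[[:space:]]'
}

# Load tun on the hardware node unless it is already present.
ensure_tun_module() {
    if lsmod | tun_loaded; then
        return 0
    fi
    run modprobe tun
}

# Grant container $1 exactly the TUN/TAP character device (10:200, rw)
# and CAP_NET_ADMIN, then create /dev/net/tun inside it, mode 600 so
# only root in the container can open the device.
grant_tun_access() {
    ctid="$1"
    run vzctl set "$ctid" --devices c:10:200:rw --save
    run vzctl set "$ctid" --capability net_admin:on --save
    run vzctl exec "$ctid" mkdir -p /dev/net
    run vzctl exec "$ctid" mknod /dev/net/tun c 10 200
    run vzctl exec "$ctid" chmod 600 /dev/net/tun
}

# Validate a `stat -c '%F %t %T %a' /dev/net/tun` line captured inside
# the container: character device, major 0xa (10), minor 0xc8 (200),
# mode 600. Anything else means the node was created incorrectly.
check_tun_node() {
    case "$1" in
        "character special file a c8 600") return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `DRY_RUN=1 sh -c '. ./grant-tun.sh; grant_tun_access 101'` to review the exact vzctl commands before applying them for real.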
Configuring VPN inside container
After the configuration steps above are done, VPN software that works with TUN/TAP can be used inside the container just as on a usual standalone Linux box.
The following software can be used for VPN with TUN/TAP:
- Virtual TUNnel (http://vtun.sourceforge.net)
- OpenVPN (http://openvpn.sourceforge.net)
Troubleshooting
If NAT is needed within the VE, the following error will occur on attempts to use NAT:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
The solution is given here:
http://kb.parallels.com/en/5228
Also see pages 69-70 of:
http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf
Note that the above steps do not solve the problem if a Gentoo VE sits on a CentOS HN; it's still an unsolved mystery.
