Difference between revisions of "VPN via the TUN/TAP device"
Revision diff (edit summaries: "→External links: +parallels kb 696" and "tinc problem"): the newer revision inserts a "Tinc problems" section between the list of VPN software and the "Troubleshooting" section.
Revision as of 11:08, 26 July 2010
This article describes how to use VPN via the TUN/TAP device inside a container.
Kernel TUN/TAP support
OpenVZ supports VPN inside a container via the kernel TUN/TAP module and device. To allow container #101 to use the TUN/TAP device, the following steps are needed:
Make sure the tun module has been already loaded on the hardware node:
# lsmod | grep tun
If it is not there, use the following command to load the tun module:
# modprobe tun
To make sure the tun module is loaded automatically on every reboot, add it either to /etc/modules.conf (on RHEL, see the /etc/sysconfig/modules/ directory) or to /etc/sysconfig/vz-scripts/CTID.mount (echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/CTID.mount).
Granting a container access to TUN/TAP
Allow your container to use the tun/tap device by running the following commands on the host node:
vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save
Then create the character device file inside the container (execute the following on the host node):
vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun
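The three steps above (load the module, grant the device and capability, create the node) as one hypothetical host-side script; this is an added example, not a script from the OpenVZ wiki or from vzctl. It assumes a container ID is passed as the first argument and that vzctl is on the PATH; with DRY_RUN=1 it prints the commands instead of executing them, which is useful for reviewing what will be granted before touching a container.

```shell
#!/bin/sh
# Hypothetical helper (not from the OpenVZ wiki): gives container $1 access to
# the TUN/TAP device using the steps from the article.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Execute a command, or only echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: make sure the tun module is loaded on the hardware node.
ensure_tun_module() {
    if lsmod 2>/dev/null | grep -q '^tun '; then
        return 0
    fi
    run modprobe tun
}

# Step 2: grant the container the character device 10:200 (read/write)
# and the net_admin capability it needs to configure the interface.
grant_tun_access() {
    ctid=$1
    run vzctl set "$ctid" --devices c:10:200:rw --save
    run vzctl set "$ctid" --capability net_admin:on --save
}

# Step 3: create /dev/net/tun inside the container, accessible only by root.
create_tun_node() {
    ctid=$1
    run vzctl exec "$ctid" mkdir -p /dev/net
    run vzctl exec "$ctid" mknod /dev/net/tun c 10 200
    run vzctl exec "$ctid" chmod 600 /dev/net/tun
}

# Run all steps for one container ID; stops at the first failing step.
setup_tun() {
    [ -n "$1" ] || { echo "usage: setup_tun CTID" >&2; return 2; }
    ensure_tun_module && grant_tun_access "$1" && create_tun_node "$1"
}
```

Usage: source the file and call `setup_tun 101`; `DRY_RUN=1 sh -c '. ./setup_tun.sh; setup_tun 101'` lists the exact vzctl calls without making changes. The device node is created with mode 600 so that only root inside the container can open the TUN/TAP device.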
Configuring VPN inside container
After the configuration steps above are done, VPN software that works with TUN/TAP can be used inside the container just like on a usual standalone Linux box.
The following software can be used for VPN with TUN/TAP:
- Tinc (http://tinc-vpn.org)
- OpenVPN (http://openvpn.net)
- Virtual TUNnel (http://vtun.sourceforge.net)
Tinc problems
When the container uses the default venet0:0 interface, tinc seems to have problems: it complains that port 655 is already in use on 0.0.0.0.
Troubleshooting
If NAT is needed within the VE, attempts to use NAT fail with this error:
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
The solution is given here:
http://kb.parallels.com/en/5228
Also see page 69-70 of:
http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf
Note that the above steps do not solve the problem if a Gentoo VE sits on a CentOS HN; it's still an unsolved mystery.
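A hypothetical preflight script to run inside the container before starting the VPN, added here as an example (not from the OpenVZ wiki). It checks the two things this page describes going wrong: that /dev/net/tun exists and really is character device 10:200 as created in the "Granting a container access" section, and that the nat table is available, recognising the exact "Table does not exist" error from the Troubleshooting section. The parsing is kept in separate functions (tun_stat_ok, nat_table_missing) so it can be exercised without root; the stat format string and the GNU stat output it expects are assumptions.

```shell
#!/bin/sh
# Hypothetical in-container preflight check (not from the OpenVZ wiki).
# Exit status 0 means both checks passed.

# Returns 0 if a `stat -c '%F %t:%T'` line describes a character device with
# major 10 and minor 200. GNU stat prints %t/%T in hex: 10 -> a, 200 -> c8.
tun_stat_ok() {
    case "$1" in
        "character special file a:c8") return 0 ;;
        *) return 1 ;;
    esac
}

# Check the device node the host was supposed to create with mknod.
check_tun_node() {
    if [ ! -e /dev/net/tun ]; then
        echo "FAIL: /dev/net/tun is missing (run mknod /dev/net/tun c 10 200 via vzctl exec on the host)"
        return 1
    fi
    line=$(stat -c '%F %t:%T' /dev/net/tun 2>/dev/null)
    if tun_stat_ok "$line"; then
        echo "OK: /dev/net/tun is character device 10:200"
    else
        echo "FAIL: /dev/net/tun has the wrong type or device numbers: $line"
        return 1
    fi
}

# Returns 0 if the given iptables output contains the error quoted in the
# article, i.e. the kernel does not provide a nat table to this container.
# The `.` stands in for the backtick so the pattern needs no shell escaping.
nat_table_missing() {
    printf '%s\n' "$1" | grep -q "can't initialize iptables table .nat'"
}

# Try to list the nat table; MASQUERADE rules cannot be added without it.
check_nat_table() {
    out=$(iptables -t nat -L -n 2>&1)
    if nat_table_missing "$out"; then
        echo "FAIL: nat table not available in this container; see http://kb.parallels.com/en/5228"
        return 1
    fi
    echo "OK: nat table available"
}

# Run both checks and report the combined result.
preflight() {
    rc=0
    check_tun_node || rc=1
    check_nat_table || rc=1
    return $rc
}
```

Usage: `sh preflight.sh` after adding `preflight` as the last line, or source the file and call `preflight`; a non-zero exit means at least one of the host-side steps from this page is still missing. The error-pattern check only matches the "can't initialize iptables table `nat'" wording, so an iptables that is simply not installed produces a different failure message and is reported as a failure too.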