
OpenVZ Virtuozzo Containers Wiki β


VPN using Wireguard

3,171 bytes added, 12:13, 4 July 2019
initial commit
This article describes how to run a VPN via [https://www.wireguard.com WireGuard] inside a Virtuozzo 7 / OpenVZ 7 Container.

== Install WireGuard on the Host Node ==
=== Install vzkernel-devel package ===
Install the vzkernel-devel package matching the running kernel on the Host Node.<br>
It is required for building third-party kernel modules.
# yum install -y vzkernel-devel

=== Install WireGuard packages ===
Virtuozzo 7 is a derivative of RHEL7/CentOS7, so use the corresponding part of the [https://www.wireguard.com/install WireGuard installation instructions].

# curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
# yum install epel-release
# yum install wireguard-dkms wireguard-tools

== Allow WireGuard network interfaces inside a Container ==
Next, we need to patch the wireguard kernel module so that a wireguard network interface can be created inside Containers:<br>
(change the path to the wireguard sources if needed)
# patch /usr/src/wireguard-0.0.20190601/device.c diff-wireguard-allow-to-run-in-Containers

{{Note|Why is it required?
As Virtuozzo is very keen on security and stability, we don't allow the creation of any unverified network interface inside Containers.<br>
Only those which are safe (verified and considered properly virtualized) are allowed.}}

== Rebuild patched wireguard kernel module ==
Now the patched wireguard kernel module needs to be rebuilt.<br>
dkms has no command to rebuild a module, so the module has to be removed and added again.

# dkms remove -m wireguard -v 0.0.20190601 --all
# dkms add -m wireguard -v 0.0.20190601
# dkms build -m wireguard -v 0.0.20190601
# dkms install -m wireguard -v 0.0.20190601

== Load the wireguard kernel module ==
Now load the wireguard kernel module on the Host Node;<br>
it will not be loaded automatically on request from inside a Container.
# modprobe wireguard
== Create a Container ==
Create a Container with a veth network interface (venet will not work here).

# vzctl create 200 --ostemplate centos7-x86_64
# prlctl set 200 --device-add net --network Bridged --dhcp yes
# vzctl start 200
# vzctl enter 200
// The Container should have an IP assigned now

== Install WireGuard inside the Container ==
The same procedure as for installing wireguard on the Host:

[CT]# curl -Lo /etc/yum.repos.d/wireguard.repo https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/repo/epel-7/jdoss-wireguard-epel-7.repo
[CT]# yum install epel-release
[CT]# yum install wireguard-dkms wireguard-tools
// maybe it's enough to install the "wireguard-tools" package only, did not check

Now configure wireguard inside the Container using the instructions from the [https://www.wireguard.com/quickstart WireGuard quickstart].

== Allow WireGuard port(s) in firewall ==
Don't forget to open the UDP port for wireguard on each end (Node or Container).<br>
WireGuard supports UDP only at the moment.<br>
The port number can be checked via:
[CT]# wg | grep listening
listening port: 35849

[CT]# firewall-cmd --permanent --zone=public --add-port=35849/udp
success
[CT]# firewall-cmd --reload

Do the same on the other Node/Container and voilà!
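The firewall step above can be scripted so that exactly the port wireguard reports is opened and then verified. This is an added example, not part of the original wiki article; the interface name wg0, the zone "public" and the config path /etc/wireguard/wg0.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: find the UDP port a
# WireGuard interface listens on and open exactly that port in firewalld.
# The interface name "wg0" and the zone "public" below are assumptions.

# Extract the port from the output of `wg` (the "listening port: N" line
# the page greps for). Prints nothing when no interface reports a port.
parse_listen_port() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*listening port: \([0-9][0-9]*\)$/\1/p' |
        head -n 1
}

# Accept only a plain integer in 1..65535, so nothing odd reaches firewall-cmd.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the firewall-cmd lines for a port and zone (add, reload, verify),
# one per line, so they can be reviewed before being executed.
firewall_cmds() {
    port=$1; zone=${2:-public}
    valid_port "$port" || return 1
    printf 'firewall-cmd --permanent --zone=%s --add-port=%s/udp\n' "$zone" "$port"
    printf 'firewall-cmd --reload\n'
    printf 'firewall-cmd --zone=%s --query-port=%s/udp\n' "$zone" "$port"
}

# Apply it on a live node: read the port from `wg`, warn if it is random,
# then run the commands above (sh -e stops at the first failing one).
open_wg_port() {
    iface=${1:-wg0}; zone=${2:-public}
    port=$(parse_listen_port "$(wg 2>/dev/null)")
    if ! valid_port "$port"; then
        echo "no listening port reported by wg; is $iface up?" >&2
        return 1
    fi
    # Without ListenPort= in the config, the kernel picks a random port each
    # time the interface comes up, and the firewall rule silently goes stale.
    grep -qs '^ListenPort' "/etc/wireguard/$iface.conf" ||
        echo "warning: no ListenPort in /etc/wireguard/$iface.conf; $port may change on restart" >&2
    firewall_cmds "$port" "$zone" | sh -ex
}

# Usage on a Node or inside the Container: sh this-script.sh apply [iface] [zone]
if [ "${1:-}" = "apply" ]; then open_wg_port "${2:-wg0}" "${3:-public}"; fi
```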

[[Category: HOWTO]]
[[Category: Networking]]