Editing VPN via the TUN/TAP device

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 1: Line 1:
<translate>
 
<!--T:1-->
 
 
This article describes how to use VPN via the TUN/TAP device inside a [[container]].
 
This article describes how to use VPN via the TUN/TAP device inside a [[container]].
  
== Kernel TUN/TAP support == <!--T:2-->
+
== Kernel TUN/TAP support ==
 
OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.
 
OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.
 
To allow container #101 to use the TUN/TAP device the following should be done:
 
To allow container #101 to use the TUN/TAP device the following should be done:
  
<!--T:3-->
 
 
Make sure the '''tun''' module has been already loaded on the [[hardware node]]:
 
Make sure the '''tun''' module has been already loaded on the [[hardware node]]:
 
  lsmod | grep tun
 
  lsmod | grep tun
  
<!--T:4-->
 
 
If it is not there, use the following command to load '''tun''' module:
 
If it is not there, use the following command to load '''tun''' module:
 
  modprobe tun
 
  modprobe tun
  
<!--T:5-->
 
 
To make sure that '''tun''' module will be automatically loaded on every reboot you can also add it or into <code>/etc/modules.conf</code> (on RHEL see <code>/etc/sysconfig/modules/</code> directory).
 
To make sure that '''tun''' module will be automatically loaded on every reboot you can also add it or into <code>/etc/modules.conf</code> (on RHEL see <code>/etc/sysconfig/modules/</code> directory).
  
== Granting container an access to TUN/TAP == <!--T:6-->
+
== Granting container an access to TUN/TAP ==
 
 
<!--T:7-->
 
 
Allow your container to use the tun/tap device by running the following commands on the host node:
 
Allow your container to use the tun/tap device by running the following commands on the host node:
  
  <!--T:8-->
+
  vzctl set 101 --devnodes net/tun:rw --save
CTID=101
+
  vzctl set $CTID --devnodes net/tun:rw --capability net_admin:on --save
+
  vzctl set 101 --devices c:10:200:rw --save
 +
 +
vzctl set 101 --capability net_admin:on --save
 +
 +
vzctl exec 101 mkdir -p /dev/net
 +
 +
vzctl exec 101 chmod 600 /dev/net/tun
  
== Configuring VPN inside container == <!--T:9-->
+
== Configuring VPN inside container ==
 
After the configuration steps above are done it is possible to use VPN software working with TUN/TAP inside
 
After the configuration steps above are done it is possible to use VPN software working with TUN/TAP inside
 
container just like on a usual standalone Linux box.
 
container just like on a usual standalone Linux box.
  
<!--T:10-->
 
 
The following software can be used for VPN with TUN/TAP:
 
The following software can be used for VPN with TUN/TAP:
 
* Tinc (http://tinc-vpn.org)
 
* Tinc (http://tinc-vpn.org)
Line 37: Line 35:
 
* Virtual TUNnel (http://vtun.sourceforge.net)
 
* Virtual TUNnel (http://vtun.sourceforge.net)
  
== Reaching hosts behind VPN container == <!--T:11-->
+
== Reaching hosts behind VPN container ==
 
In order to reach hosts behind VPN container you must configure it to use a VETH interface instead a VENET one, at least with an OpenVPN server.
 
In order to reach hosts behind VPN container you must configure it to use a VETH interface instead a VENET one, at least with an OpenVPN server.
  
<!--T:12-->
 
 
With a VENET interface you will only reach the VPN container.
 
With a VENET interface you will only reach the VPN container.
  
<!--T:13-->
 
 
To use a VETH device follow [[Veth]] article.
 
To use a VETH device follow [[Veth]] article.
  
<!--T:14-->
 
 
If you insist on using a VENET interface and need to reach hosts behind the OpenVPN VE then you can use source NAT. You need to mangle source packets so that they appear to originate from the OpenVPN server VE.
 
If you insist on using a VENET interface and need to reach hosts behind the OpenVPN VE then you can use source NAT. You need to mangle source packets so that they appear to originate from the OpenVPN server VE.
  
== Tinc problems == <!--T:15-->
+
== Tinc problems ==
  
<!--T:16-->
 
 
Using the default venet0:0 interface on the container, tinc seems to have problems as it complains the port 655 is already used on 0.0.0.0.
 
Using the default venet0:0 interface on the container, tinc seems to have problems as it complains the port 655 is already used on 0.0.0.0.
  
<!--T:17-->
 
 
Netstat shows that the port 655 is available:
 
Netstat shows that the port 655 is available:
  
<!--T:18-->
 
 
<pre>
 
<pre>
 
root@132 / [3]# netstat -l
 
root@132 / [3]# netstat -l
Line 72: Line 64:
 
</pre>
 
</pre>
  
<!--T:19-->
 
 
Starting the Tincd daemon where it complains that port 655 is not available:
 
Starting the Tincd daemon where it complains that port 655 is not available:
  
<!--T:20-->
 
 
<pre>
 
<pre>
 
root@132 / [4]# tincd -n myvpn
 
root@132 / [4]# tincd -n myvpn
Line 93: Line 83:
 
</pre>
 
</pre>
  
<!--T:21-->
 
 
An echo to Bindv6only (see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440150 discussion here]) seems to resolve the problem:
 
An echo to Bindv6only (see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440150 discussion here]) seems to resolve the problem:
  
<!--T:22-->
 
 
<pre>
 
<pre>
 
root@132 / [12]# echo 1 > /proc/sys/net/ipv6/bindv6only
 
root@132 / [12]# echo 1 > /proc/sys/net/ipv6/bindv6only
 
</pre>
 
</pre>
  
<!--T:23-->
 
 
Or put in your /etc/sysctl.conf file:
 
Or put in your /etc/sysctl.conf file:
  
<!--T:24-->
 
 
<pre>
 
<pre>
 
net.ipv6.bindv6only = 1
 
net.ipv6.bindv6only = 1
 
</pre>
 
</pre>
  
<!--T:25-->
 
 
Then apply the changes with:
 
Then apply the changes with:
  
<!--T:26-->
 
 
<pre>
 
<pre>
 
root@132 / [14]# sysctl -p
 
root@132 / [14]# sysctl -p
 
</pre>
 
</pre>
  
== The tunctl problem == <!--T:27-->
+
== The tunctl problem ==
 
Unfortunately, you are limited to [http://forum.openvz.org/index.php?t=msg&th=4280&goto=22066&#msg_22066 non-persistent tunnels inside the VEs]:
 
Unfortunately, you are limited to [http://forum.openvz.org/index.php?t=msg&th=4280&goto=22066&#msg_22066 non-persistent tunnels inside the VEs]:
  
<!--T:28-->
 
 
<pre>
 
<pre>
 
# tunctl
 
# tunctl
Line 126: Line 109:
 
</pre>
 
</pre>
  
<!--T:29-->
 
 
Get a patched tunctl [https://github.com/xl0/uml-utilities here], and run it with the -n option. It will create a non-persistent tun device and sleep instead of terminating, to keep the device from deletion. To remove the tunnel, kill the tunctl process.
 
Get a patched tunctl [https://github.com/xl0/uml-utilities here], and run it with the -n option. It will create a non-persistent tun device and sleep instead of terminating, to keep the device from deletion. To remove the tunnel, kill the tunctl process.
  
  
== Troubleshooting == <!--T:30-->
+
== Troubleshooting ==
 
If NAT is needed within the VE, this error will occur on attempts to use NAT:
 
If NAT is needed within the VE, this error will occur on attempts to use NAT:
  
  <!--T:31-->
+
  # iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
 
 
  iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
 
  iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
 
  Perhaps iptables or your kernel needs to be upgraded.
 
  Perhaps iptables or your kernel needs to be upgraded.
  
<!--T:32-->
+
The solution is given here:
Solution:
+
 
* use recent kernel
+
http://kb.parallels.com/en/5228
* enable NAT inside CT:
+
 
: <code>vzctl set $CTID --netfilter full --save</code>
+
Also see page 69-70 of:
 +
 
 +
http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf
 +
 
 +
Note that the above steps do not solve the problem if a gentoo VE sits on a Centos HN; it's still an unsolved mystery.
  
== External links == <!--T:33-->
+
== External links ==
 
* [http://vtun.sourceforge.net Virtual TUNnel]
 
* [http://vtun.sourceforge.net Virtual TUNnel]
 
* [http://openvpn.net OpenVPN]
 
* [http://openvpn.net OpenVPN]
 
* [http://tinc-vpn.org Tinc]
 
* [http://tinc-vpn.org Tinc]
 
* [http://openvpn.net/index.php/access-server/howto-openvpn-as/186-how-to-run-access-server-on-a-vps-container.html How to run OpenVPN Access Server in OpenVZ]
 
* [http://openvpn.net/index.php/access-server/howto-openvpn-as/186-how-to-run-access-server-on-a-vps-container.html How to run OpenVPN Access Server in OpenVZ]
* [http://kb.odin.com/en/696 Odin KB #696: Is VPN via the TUN/TAP device supported inside a Container?]
+
* [http://kb.parallels.com/en/696 Parallels KB#696: Is VPN via the TUN/TAP device supported inside a Container?]
</translate>
 
 
[[Category: HOWTO]]
 
[[Category: HOWTO]]
 
[[Category: Networking]]
 
[[Category: Networking]]

Please note that all contributions to OpenVZ Virtuozzo Containers Wiki may be edited, altered, or removed by other contributors. If you don't want your writing to be edited mercilessly, then don't submit it here.
 If you are going to add external links to an article, read the External links policy first!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)
Retrieved from "https://wiki.openvz.org/VPN_via_the_TUN/TAP_device"