Make sure the '''tun''' module is already loaded on the [[hardware node]]:
If it is not there, use the following command to load the '''tun''' module:
To make sure that the '''tun''' module is loaded automatically on every reboot, add it either to <code>/etc/modules.conf</code> (on RHEL, see the <code>/etc/sysconfig/modules/</code> directory) or to <code>/etc/sysconfig/vz-scripts/''CTID''.mount</code>, for example with <code>echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/''CTID''.mount</code>. NOTE: the mount file must begin with <code>#!/bin/sh</code> and be made executable with <code>chmod +x</code>.
== Granting container an access to TUN/TAP ==
Allow your container to use the tun/tap device by running the following commands on the host node:
 vzctl set 101 --devnodes net/tun:rw --save
 vzctl set 101 --capability net_admin:on --save
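A check for the two grants above, to be run as root inside the container (an added example, not part of the original wiki page; the function names are hypothetical). It assumes the TUN/TAP control node is character device 10:200 and that CAP_NET_ADMIN is capability bit 12, and it needs GNU <code>stat</code>.

```shell
#!/bin/sh
# has_net_admin HEX: succeed if CAP_NET_ADMIN (capability bit 12) is set in a
# capability mask as printed on the CapEff line of /proc/<pid>/status.
has_net_admin() {
    mask=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$mask" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    # Bit 12 lives in the last four hex digits; this avoids wide arithmetic.
    low=$(printf '%s' "$mask" | tail -c 4)
    [ $(( 0x$low & 0x1000 )) -ne 0 ]
}

# is_tun_devnum MAJ:MIN (hex, as printed by `stat -c %t:%T`): succeed if the
# pair is 10:200, which stat prints as a:c8.
is_tun_devnum() {
    maj=${1%%:*}; min=${1##*:}
    [ -n "$maj" ] && [ -n "$min" ] || return 2
    case "$maj$min" in *[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( 0x$maj )) -eq 10 ] && [ $(( 0x$min )) -eq 200 ]
}

# check_tun [STATUS_FILE] [DEVICE]: report on both grants. The defaults are
# the live paths; the arguments allow checking saved copies instead.
check_tun() {
    status=${1:-/proc/self/status}; dev=${2:-/dev/net/tun}; rc=0
    if [ -c "$dev" ] && is_tun_devnum "$(stat -c '%t:%T' "$dev")"; then
        echo "ok: $dev is character device 10:200"
    else
        echo "missing: $dev (device node grant not applied?)"; rc=1
    fi
    capeff=$(awk '/^CapEff:/ {print $2}' "$status")
    if has_net_admin "$capeff"; then
        echo "ok: CAP_NET_ADMIN in effective set ($capeff)"
    else
        echo "missing: CAP_NET_ADMIN (CapEff=$capeff)"; rc=1
    fi
    return $rc
}
# Inside the container, after sourcing this file:  check_tun
```

Because <code>net_admin</code> also lets the container change its own interfaces, routes and firewall rules, the same CapEff test is useful for auditing which containers still hold the capability once a VPN is retired.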
== Configuring VPN inside container ==
After the configuration steps above are done, it is possible to use VPN software working with TUN/TAP inside
the container just like on a usual standalone Linux box.
The following software can be used for VPN with TUN/TAP:
With a VENET interface you will only reach the VPN container.
To use a VETH device, follow the [[Veth]] article.
If you insist on using a VENET interface and need to reach hosts behind the OpenVPN VE, then you can use source NAT. You need to mangle source packets so that they appear to originate from the OpenVPN server VE.
== Tinc problems ==