594
edits
Changes
m
If it is not there, use <!--T:21-->An echo to Bindv6only (see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440150 discussion here]) seems to resolve the following command to load '''tun''' moduleproblem: <!--T:22-->
To make sure that '''tun''' module will be automatically loaded on every reboot you can also add it or into /etc/modules.conf (on RHEL see /etc/sysconfig/modules/ directory) or into /etc/sysconfig/vz<!--T:23--scripts/''CTID''.mount. (echo 'modprobe tun' >> Or put in your /etc/sysconfig/vz-scripts/''CTID''sysctl.mount)conf file:
vzctl set 101 <!--devices cT:10:200:rw 25--save> vzctl set 101 --capability net_adminThen apply the changes with:on --save
And create the character device file inside the container (execute the following on the host node)<!--T:26--><pre>root@132 / [14]# sysctl -p</pre>
vzctl exec 101 mkdir == The tunctl problem == <!-p /dev/net-T:27--> vzctl exec 101 mknod Unfortunately, you are limited to [http:/dev/netforum.openvz.org/tun c 10 200 vzctl exec 101 chmod 600 /dev/net/tunindex.php?t=msg&th=4280&goto=22066&#msg_22066 non-persistent tunnels inside the VEs]:
== Configuring VPN inside container ==<!--T:28-->After the configuration steps above are done <pre># tunctlenabling TUNSETPERSIST: Operation not permitted</pre> <!--T:29-->Get a patched tunctl [https://github.com/xl0/uml-utilities here], and run it is possible to use VPN software working with TUN/TAP insidecontainer just like on the -n option. It will create a usual standalone linux boxnon-persistent tun device and sleep instead of terminating, to keep the device from deletion. To remove the tunnel, kill the tunctl process.
The following software can be used for VPN with TUN/TAP:
* Virtual TUNnel (http://vtun.sourceforge.net)
* OpenVPN (http://openvpn.sourceforge.net)
The solution is given here<!--T:32-->Solution:* use recent kernel* enable NAT inside CT: http:<code>vzctl set $CTID --netfilter full --save<//kb.parallels.com/en/5228code>
Also see page 69-70 of: http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf Note that the above steps do not solve the problem if a gentoo VE sits on a Centos HN; it's still an unsolved mystery. == External links ==<!--T:33-->
<translate>
<!--T:1-->
This article describes how to use VPN via the TUN/TAP device inside a [[container]].
== Kernel TUN/TAP support ==<!--T:2-->
OpenVZ supports VPN inside a container via kernel TUN/TAP module and device.
To allow container #101 to use the TUN/TAP device the following should be done:
<!--T:3-->
Make sure the '''tun''' module has been already loaded on the [[hardware node]]:
lsmod | grep tun
<!--T:4-->
If it is not there, use the following command to load '''tun''' module:
modprobe tun
<!--T:5-->
To make sure that '''tun''' module will be automatically loaded on every reboot you can also add it or into <code>/etc/modules.conf</code> (on RHEL see <code>/etc/sysconfig/modules/</code> directory).
== Granting container an access to TUN/TAP == <!--T:6-->
<!--T:7-->
Allow your container to use the tun/tap device by running the following commands on the host node:
<!--T:8-->
CTID=101
vzctl set $CTID --devnodes net/tun:rw --capability net_admin:on --save
== Configuring VPN inside container == <!--T:9-->
After the configuration steps above are done it is possible to use VPN software working with TUN/TAP inside
container just like on a usual standalone Linux box.
<!--T:10-->
The following software can be used for VPN with TUN/TAP:
* Tinc (http://tinc-vpn.org)
* OpenVPN (http://openvpn.net)
* Virtual TUNnel (http://vtun.sourceforge.net)
== Reaching hosts behind VPN container == <!--T:11-->
In order to reach hosts behind VPN container you must configure it to use a VETH interface instead a VENET one, at least with an OpenVPN server.
<!--T:12-->
With a VENET interface you will only reach the VPN container.
<!--T:13-->
To use a VETH device follow [[Veth]] article.
<!--T:14-->
If you insist on using a VENET interface and need to reach hosts behind the OpenVPN VE then you can use source NAT. You need to mangle source packets so that they appear to originate from the OpenVPN server VE.
== Tinc problems == <!--T:15-->
<!--T:16-->
Using the default venet0:0 interface on the container, tinc seems to have problems as it complains the port 655 is already used on 0.0.0.0.
<!--T:17-->
Netstat shows that the port 655 is available:
<!--T:18-->
<pre>
root@132 / [3]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:8001 *:* LISTEN
tcp 0 0 *:2223 *:* LISTEN
tcp6 0 0 [::]:2223 [::]:* LISTEN
udp6 0 0 [::]:talk [::]:*
udp6 0 0 [::]:ntalk [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 4831020 /var/run/uml-utilities/uml_switch.ctl
</pre>
<!--T:19-->
Starting the Tincd daemon where it complains that port 655 is not available:
<!--T:20-->
<pre>
root@132 / [4]# lsmod | grep tincd -n myvpnroot@132 / [5]# tail -f /var/log/syslogJul 26 14:08:01 132 /USR/SBIN/CRON[15159]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)Jul 26 14:37:42 132 -- MARK --Jul 26 14:57:42 132 -- MARK --Jul 26 15:08:01 132 /USR/SBIN/CRON[15178]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)Jul 26 15:11:23 132 tinc.myvpn[15139]: Got TERM signalJul 26 15:11:23 132 tinc.myvpn[15139]: TerminatingJul 26 15:11:37 132 tinc.myvpn[15191]: tincd 1.0.8 (Aug 14 2007 13:51:23) starting, debug level 0Jul 26 15:11:37 132 tinc.myvpn[15191]: /dev/net/tun is a Linux tun/tap device (tunmode)Jul 26 15:11:37 132 tinc.myvpn[15191]: Can't bind to 0.0.0.0 port 655/tcp: Address already in useJul 26 15:11:37 132 tinc.myvpn[15191]: Ready^Croot@132 / [6]#
</pre>
<pre>
root@132 / [12]# modprobe tunecho 1 > /proc/sys/net/ipv6/bindv6only
</pre>
<!--T:24--><pre>net.ipv6.bindv6only == Granting container an access to TUN/TAP ==1Allow your container to use the tun</tap device by running the following commands on the host node:pre>
== Troubleshooting ==<!--T:30-->
If NAT is needed within the VE, this error will occur on attempts to use NAT:
<!--T:31--># iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
* [http://vtun.sourceforge.net Virtual TUNnel]
* [http://openvpn.net OpenVPN]
* [http://tinc-vpn.org Tinc]
* [http://openvpn.net/index.php/access-server/howto-openvpn-as/186-how-to-run-access-server-on-a-vps-container.html How to run OpenVPN Access Server in OpenVZ]
* [http://kb.odin.com/en/696 Odin KB #696: Is VPN via the TUN/TAP device supported inside a Container?]</translate>
[[Category: HOWTO]]
[[Category: Networking]]
