Difference between revisions of "VPN via the TUN/TAP device"

This article describes how to use VPN via the TUN/TAP device inside a container.

Kernel TUN/TAP support

OpenVZ supports VPN inside a container via kernel TUN/TAP module and device. To allow container #101 to use the TUN/TAP device the following should be done:

Make sure the tun module has been already loaded on the hardware node:

# lsmod | grep tun

If it is not there, use the following command to load tun module:

# modprobe tun

You can also add it into /etc/modules.conf to make sure it will be loaded on every reboot automatically.

Granting container an access to TUN/TAP

Allow your container to use the tun/tap device by running the following commands on the host node:

vzctl set 101 --devices c:10:200:rw --save
vzctl set 101 --capability net_admin:on --save

And create the character device file inside the container (execute the following on the host node):

vzctl exec 101 mkdir -p /dev/net
vzctl exec 101 mknod /dev/net/tun c 10 200
vzctl exec 101 chmod 600 /dev/net/tun

Configuring VPN inside container

After the configuration steps above are done it is possible to use VPN software working with TUN/TAP inside container just like on a usual standalone linux box

The following software can be used for VPN with TUN/TAP:

• Virtual TUNnel (http://vtun.sourceforge.net)
• OpenVPN (http://openvpn.sourceforge.net)

Troubleshooting

If NAT is needed within the VE, this error will occur on attempts to use NAT:

# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables v1.4.3.2: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

The solution is given here:

http://kb.parallels.com/en/5228

Also see page 69-70 of:

http://download.openvz.org/doc/OpenVZ-Users-Guide.pdf

External links

• Virtual TUNnel
• OpenVPN