[Users] How to allow a container to send "spoofed" IP packets? (for VPN tunnels without NAT)

Nils Toedtmann lists at nils.toedtmann.net
Fri Mar 5 10:33:54 EST 2010


Dear OpenVZ community,

I am trying to create an OpenVPN tunnel between different OpenVZ hardware nodes
so containers running on different hardware nodes can communicate
securely. For security and stability reasons, I want to run the OpenVPN
daemons within containers, not on the hardware nodes. I followed some
instructions I found on the net [1] and it's all working fine - but only
if the OpenVPN containers double-NAT the traffic!

But i need the containers on the different hardware nodes to directly
see each other through the OpenVPN tunnels without any IP NATing!

The problem seems to be that OpenVZ does not allow containers to "spoof"
packets, that is, to send IP packets with source IP addresses other than
the container's IP addresses. When I capture within the OpenVPN
container, I can clearly see packets (having arrived through the tunnel)
leaving the OpenVPN container via venet0, but I can't see them when I
sniff venet0 from the hardware node.

I tried granting capabilities net_admin and net_raw to the OpenVPN
containers, but no luck.

How do I allow a container to send IP packets from IP addresses other
than its own - any ideas?

/nils.


PS:
hardware nodes = CentOS 5.4 + 2.6.18-164.2.1.el5.028stab066.7 x86_64
containers     = Ubuntu 8.04 with openvpn 2.1_rc7-1ubuntu3.5


[1] http://wiki.openvz.org/VPN_via_the_TUN/TAP_device
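The check described in the message (capturing on venet0 inside the OpenVPN container and again on the hardware node) can be made systematic. The script below is an added example and is not part of Nils' post or of the OpenVZ wiki page he cites: it parses two `tcpdump -n` captures, lists the packets that appear inside the container but never reach the hardware node, and splits them by whether their source address is one of the container's own addresses, which is the hypothesis the message puts forward. Everything in it is constructed for illustration: 192.168.1.10 stands for the OpenVPN container's venet0 address, 192.168.2.20 for a container on the other hardware node, 192.168.1.30 for a local container, 203.0.113.5 for the remote OpenVPN endpoint, and the capture lines are hand-written in tcpdump's format (IPv4 only).

```python
#!/usr/bin/env python3
"""Compare a tcpdump capture taken inside a container with one taken on the
hardware node and report which packets went missing, grouped by whether their
source address is one of the container's own addresses.

Added example, not from the original mailing-list post.  All addresses and
capture lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Iterable, NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    dport: str  # "" for protocols without ports (e.g. ICMP)


# The "IP a.b.c.d[.port] > a.b.c.d[.port]:" part of a `tcpdump -n` line (IPv4 only).
_LINE = re.compile(r"\bIP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?:")


def parse_capture(text: str) -> Counter:
    """Count packets (as Packet tuples) in `tcpdump -n` output; lines that are
    not IPv4 packets are ignored."""
    seen: Counter = Counter()
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            seen[Packet(m.group(1), m.group(3), m.group(4) or "")] += 1
    return seen


def analyze(inside_text: str, outside_text: str, container_ips: Iterable[str]) -> dict:
    """Summarise which packets leaving venet0 inside the container never show up
    on the hardware node, and whether those carry a non-container source address."""
    own_ips = set(container_ips)
    inside = parse_capture(inside_text)
    outside = parse_capture(outside_text)
    forwarded = inside & outside          # seen at both vantage points (min of counts)
    dropped = inside - outside            # Counter subtraction keeps only positive counts
    foreign = Counter({p: n for p, n in dropped.items() if p.src not in own_ips})
    own = dropped - foreign               # dropped although the source was the container's own
    return {
        "forwarded": sum(forwarded.values()),
        "dropped": sum(dropped.values()),
        "dropped_foreign_src": sum(foreign.values()),
        "dropped_own_src": sum(own.values()),
        "dropped_packets": sorted(dropped),
    }


# Assumed for the example: the OpenVPN container has a single venet0 address.
CONTAINER_IPS = {"192.168.1.10"}

# Constructed `tcpdump -ni venet0` output as seen *inside* the OpenVPN container:
# its own OpenVPN UDP traffic plus two packets that arrived through the tunnel
# from a container on the other node and are being forwarded unchanged (no NAT).
INSIDE_CAPTURE = """\
10:33:54.100001 IP 192.168.1.10.1194 > 203.0.113.5.1194: UDP, length 141
10:33:54.100203 IP 192.168.2.20.51234 > 192.168.1.30.22: Flags [S], seq 1, win 5840, length 0
10:33:54.100404 IP 192.168.2.20 > 192.168.1.30: ICMP echo request, id 1, seq 1, length 64
10:33:54.100605 IP 192.168.1.10.1194 > 203.0.113.5.1194: UDP, length 93
"""

# Constructed `tcpdump -ni venet0` output taken at the same time on the hardware node.
OUTSIDE_CAPTURE = """\
10:33:54.100002 IP 192.168.1.10.1194 > 203.0.113.5.1194: UDP, length 141
10:33:54.100606 IP 192.168.1.10.1194 > 203.0.113.5.1194: UDP, length 93
"""

if __name__ == "__main__":
    result = analyze(INSIDE_CAPTURE, OUTSIDE_CAPTURE, CONTAINER_IPS)
    print(f"forwarded by the node: {result['forwarded']}")
    print(f"missing on the node:   {result['dropped']} "
          f"({result['dropped_foreign_src']} with a non-container source, "
          f"{result['dropped_own_src']} with the container's own source)")
    for pkt in result["dropped_packets"]:
        print(f"  {pkt.src} -> {pkt.dst}" + (f":{pkt.dport}" if pkt.dport else " (no port)"))
```

To use it on a real system, run `tcpdump -ni venet0` inside the container and on the hardware node for the same interval, save both outputs, and feed them to `analyze()` together with the addresses listed for the container. If `dropped_own_src` stays at zero while `dropped_foreign_src` is not, the capture agrees with the reading in the message that only packets carrying one of the container's own addresses pass through; if packets with the container's own source also go missing, something other than source-address filtering is involved.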


