[Users] openvpn in openvz
Rene C.
openvz at dokbua.com
Sun Jun 22 11:12:05 PDT 2014
Yep, rebooted the container.
Here are the modules present:
[root@server18 ~]# lsmod
Module Size Used by
esp4 5406 0
xfrm_ipcomp 4626 0
xfrm4_mode_tunnel 2019 0
pppol2tp 22749 0
pppox 2712 1 pppol2tp
ppp_async 7874 0
ppp_generic 25400 3 pppol2tp,pppox,ppp_async
slhc 5821 1 ppp_generic
crc_ccitt 1733 1 ppp_async
vzethdev 8221 0
vznetdev 18952 10
pio_nfs 17576 0
pio_direct 28261 9
pfmt_raw 3213 0
pfmt_ploop1 6320 9
ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
simfs 4448 0
vzrst 196693 0
vzcpt 148911 1 vzrst
nfs 442438 3 pio_nfs,vzrst,vzcpt
lockd 77189 2 vzrst,nfs
fscache 55684 1 nfs
auth_rpcgss 44949 1 nfs
nfs_acl 2663 1 nfs
sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
vziolimit 3719 0
vzmon 24462 8 vznetdev,vzrst,vzcpt
ip6table_mangle 3669 0
nf_nat_ftp 3523 0
nf_conntrack_ftp 12929 1 nf_nat_ftp
iptable_nat 6302 1
nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
xt_length 1338 0
xt_hl 1547 0
xt_tcpmss 1623 0
xt_TCPMSS 3461 1
iptable_mangle 3493 0
xt_multiport 2716 0
xt_limit 2134 0
nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
ipt_LOG 6405 0
xt_DSCP 2849 0
xt_dscp 2073 0
ipt_REJECT 2399 12
tun 19157 0
xt_owner 2258 0
vzdquota 55339 0 [permanent]
vzevent 2179 1
vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
iptable_filter 2937 5
ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
ip6t_REJECT 4711 2
nf_conntrack_ipv6 8353 2
nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
xt_state 1508 4
nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
ip6table_filter 3033 1
ip6_tables 18988 2 ip6table_mangle,ip6table_filter
ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
iTCO_wdt 7147 0
iTCO_vendor_support 3072 1 iTCO_wdt
i2c_i801 11375 0
i2c_core 31084 1 i2c_i801
sg 29446 0
lpc_ich 12819 0
mfd_core 1911 1 lpc_ich
e1000e 267426 0
ptp 9614 1 e1000e
pps_core 11490 1 ptp
ext4 419456 11
jbd2 93779 1 ext4
mbcache 8209 1 ext4
sd_mod 39005 6
crc_t10dif 1557 1 sd_mod
ahci 42263 4
video 20978 0
output 2425 1 video
dm_mirror 14432 0
dm_region_hash 12101 1 dm_mirror
dm_log 9946 2 dm_mirror,dm_region_hash
dm_mod 84369 19 dm_mirror,dm_log
On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
<pavel.odintsov at gmail.com> wrote:
> Hello!
>
> IPsec should work from 84.8 kernel according to
> https://openvz.org/IPsec but I found explicit reference about IPsec
> only in 84.10: http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>
> Did you restart CT after loading kernel modules for l2tp?
>
> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>> Ok I gave your suggestion a shot, using your link through Google
>> translate and http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>> for comparison.
>>
>> Everything seems to go well until the 'ipsec verify' part when it says:
>>
>> [root@vps1418 /]# ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>> Checking for IPsec support in kernel [FAILED]
>> SAref kernel support [N/A]
>> Checking that pluto is running [OK]
>> Pluto listening for IKE on udp 500 [FAILED]
>> Pluto listening for NAT-T on udp 4500 [FAILED]
>> Checking for 'ip' command [OK]
>> Checking /bin/sh is not /bin/dash [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>> I think the biggest problem here is the "Checking for IPsec support in kernel"?
>>
>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>> supposedly ipsec support should be in kernels after stab084?
>>
>>
>>
>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>> <pavel.odintsov at gmail.com> wrote:
>>> Hello!
>>>
>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>> (sorry, this manual is in Russian, but it's very simple). It's
>>> very usable because you do not need any special clients on Windows
>>> hosts. Maybe you can try this?
>>>
>>>
>>>
>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com> wrote:
>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>> I got the openvpn part itself down, no problem, but getting it to work
>>>>> in a container is a lot of hassle. Many pages, but most are outdated
>>>>> and things keep changing. Anyone know how to get it to work TODAY?
>>>>>
>>>>> The server is an otherwise normal server with public ip addresses and
>>>>> works with cpanel, no problem that far. The problem is getting an
>>>>> openvpn service to work in it.
>>>>>
>>>>> I've already added the tun device, and I can connect to the server
>>>>> with the openvpn client, just can't continue from there, so some
>>>>> routing is missing.
>>>>>
>>>>> I've followed the general routing instructions but because openvz
>>>>> doesn't support MASQ it doesn't work.
>>>>>
>>>>> - which modules to insmod on the hwnode
>>>>
>>>> Just make sure "tun" is present in lsmod.
>>>>
>>>>> - which modules to add into /etc/vz/vz.conf
>>>>
>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>>> it gets loaded at vz start.
>>>>
>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>
>>>> And for the CTID you want to run openvpn access in:
>>>>
>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>
>>>> Can you provide openvpn-client debug messages?
>>>>
>>>> --
>>>> Benjamin Henrion <bhenrion at ffii.org>
>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>>>> "In July 2005, after several failed attempts to legalise software
>>>> patents in Europe, the patent establishment changed its strategy.
>>>> Instead of explicitly seeking to sanction the patentability of
>>>> software, they are now seeking to create a central European patent
>>>> court, which would establish and enforce patentability rules in their
>>>> favor, without any possibility of correction by competing courts or
>>>> democratically elected legislators."
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openvz.org
>>>> https://lists.openvz.org/mailman/listinfo/users
>>>
>>>
>>>
>>> --
>>> Sincerely yours, Pavel Odintsov
>
>
>
> --
> Sincerely yours, Pavel Odintsov
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
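
Added example, not part of the original thread: a small shell helper for the check discussed above, namely whether tun and the IPsec/L2TP modules show up in lsmod on the hardware node. The function names, the sample rows and the list of wanted modules are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report which wanted kernel modules are absent from lsmod output.

# Constructed sample: a few rows copied from the listing in this message,
# including one entry whose "Used by" list wrapped onto its own line.
sample_lsmod() {
cat <<'EOF'
Module                  Size  Used by
esp4                    5406  0
xfrm_ipcomp             4626  0
xfrm4_mode_tunnel       2019  0
pppol2tp               22749  0
tun                    19157  0
nf_conntrack           80313  9
vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
EOF
}

# loaded_modules: read lsmod text on stdin, print one module name per line.
# A real row is "name size refcount [users]"; the header and wrapped
# continuation lines fail the numeric test on fields 2 and 3 and are skipped.
loaded_modules() {
    awk 'NF >= 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print $1 }'
}

# missing_modules WANTED...: read lsmod text on stdin, print the wanted
# modules that are not loaded, space-separated on one line (empty if none).
missing_modules() {
    loaded=$(loaded_modules)
    missing=""
    for m in "$@"; do
        # lsmod shows underscores even when the module file uses dashes.
        name=$(printf '%s' "$m" | tr '-' '_')
        printf '%s\n' "$loaded" | grep -qxF "$name" || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# Usage on the hardware node (the module list is an assumption; adjust it):
#   lsmod | missing_modules tun esp4 xfrm4_mode_tunnel pppol2tp
```

An empty result only shows the modules are loaded on the node; the `ipsec verify` run quoted above was made inside the container.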