[Users] openvpn in openvz

spameden spameden at gmail.com
Sun Jun 22 12:08:14 PDT 2014


2014-06-21 10:47 GMT+04:00 Rene C. <openvz at dokbua.com>:

> I got the openvpn part itself down, no problem, but getting it to work
> in a container is a lot of hassle. Many pages, but most are outdated
> and things keeps changing. Anyone know how to get it to work TODAY?
>
> The server is an otherwise normal server with public ip addresses and
> works with cpanel, no problem that far. The problem is getting an
> openvpn service to work in it.
> s
> - which modules to insmod on the hwnode
>
$ cat /etc/modules

#Iptables
ip_tables
iptable_filter
iptable_mangle
ipt_limit
ipt_multiport
ipt_tos
ipt_REJECT
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_length
ip_conntrack
ipt_state
ipt_connlimit
ipt_recent
ipt_comment
xt_comment



> - which modules to add into /etc/vz/vz.conf
>

/etc/vz/vz.conf:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

> - which modules to add into /etc/vz/<ct>.conf
>

/etc/vz/conf/2xx.conf:

DEVNODES="net/tun:rw "
DEVICES="c:10:200:rw "
CAPABILITY=" NET_ADMIN:on"
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ipt_state ipt_recent iptable_nat "


Make sure you add this on your HN in the mangle table (note: replace eth0 with your outbound internet interface):
# Generated by iptables-save v1.4.14 on Sun Jun 22 23:05:56 2014
*mangle
:PREROUTING ACCEPT [106874720:35868997787]
:INPUT ACCEPT [73771015:17894674066]
:FORWARD ACCEPT [33103560:17974356407]
:OUTPUT ACCEPT [63966614:112159146298]
:POSTROUTING ACCEPT [97050402:130132419523]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jun 22 23:05:56 2014

This rule fixes the issue with low MTU packets.


Settings inside CT:
/etc/openvpn/server.conf:
fragment 1420
mssfix

These two settings also fix issues with low TCP MTU.


Firewall settings in the container for OpenVPN:
/etc/iptables.rules in CT (note: replace port 1111 with your OpenVPN server port and 1.2.3.4 with the external IP of the CT):

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall - [0:0]
-A INPUT -s 10.8.1.0/24 -j ACCEPT
-A INPUT -j Firewall
-A FORWARD -d 10.8.1.0/24 -j ACCEPT
-A FORWARD -s 10.8.1.0/24 -j ACCEPT
-A Firewall -p udp -m udp --dport 1111 -m state --state NEW -m comment --comment "OpenVPN server" -j ACCEPT
-A Firewall -i lo -j ACCEPT
-A Firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Firewall -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun  5 15:31:33 2014
# Generated by iptables-save v1.4.14 on Thu Jun  5 15:31:33 2014
*mangle
:PREROUTING ACCEPT [97586930:43802318561]
:INPUT ACCEPT [31215292:5102519658]
:FORWARD ACCEPT [66363273:38698230987]
:OUTPUT ACCEPT [44914356:38872135945]
:POSTROUTING ACCEPT [111277625:77570366051]
COMMIT
# Completed on Thu Jun  5 15:31:33 2014
# Generated by iptables-save v1.4.14 on Thu Jun  5 15:31:33 2014
*nat
:PREROUTING ACCEPT [3571417:259748350]
:POSTROUTING ACCEPT [1726:125927]
:OUTPUT ACCEPT [1727:126000]
-A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 1.2.3.4
COMMIT