[Users] openvpn in openvz

spameden spameden at gmail.com
Mon Jun 23 05:56:52 PDT 2014


2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:

> Sorry, still stuck:
>

Did you try the OpenVPN configuration that I suggested?

About IPsec: not sure; checking your syslog logs might give you some tips.

>
> [root at server14 ~]# uname -a
> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
> [root at server14 ~]# for x in tun ppp_async pppol2tp
> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
> grep $x; done
> xfrm4_mode_tunnel       2019  0
> tun                    19157  0
> ppp_async               7874  0
> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
> crc_ccitt               1733  1 ppp_async
> pppol2tp               22749  0
> pppox                   2712  1 pppol2tp
> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
> xfrm4_mode_transport     1465  0
> xfrm4_mode_tunnel       2019  0
> xfrm_ipcomp             4626  0
> esp4                    5406  0
> [root at server14 ~]# vzctl enter 1418
> entered into CT 1418
> [root at vps1418 /]# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                              [OK]
> Linux Openswan U2.6.32/K(no kernel code presently loaded)
> Checking for IPsec support in kernel                         [FAILED]
>  SAref kernel support                                        [N/A]
> Checking that pluto is running                               [OK]
>  Pluto listening for IKE on udp 500                          [FAILED]
>  Pluto listening for NAT-T on udp 4500                       [FAILED]
> Checking for 'ip' command                                    [OK]
> Checking /bin/sh is not /bin/dash                            [OK]
> Checking for 'iptables' command                              [OK]
> Opportunistic Encryption Support                             [DISABLED]
>
> What am I missing?
>
> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
> > Yep, rebooted the container.
> >
> > Here's the modules present:
> >
> > [root at server18 ~]# lsmod
> > Module                  Size  Used by
> > esp4                    5406  0
> > xfrm_ipcomp             4626  0
> > xfrm4_mode_tunnel       2019  0
> > pppol2tp               22749  0
> > pppox                   2712  1 pppol2tp
> > ppp_async               7874  0
> > ppp_generic            25400  3 pppol2tp,pppox,ppp_async
> > slhc                    5821  1 ppp_generic
> > crc_ccitt               1733  1 ppp_async
> > vzethdev                8221  0
> > vznetdev               18952  10
> > pio_nfs                17576  0
> > pio_direct             28261  9
> > pfmt_raw                3213  0
> > pfmt_ploop1             6320  9
> > ploop                 116096  23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
> > simfs                   4448  0
> > vzrst                 196693  0
> > vzcpt                 148911  1 vzrst
> > nfs                   442438  3 pio_nfs,vzrst,vzcpt
> > lockd                  77189  2 vzrst,nfs
> > fscache                55684  1 nfs
> > auth_rpcgss            44949  1 nfs
> > nfs_acl                 2663  1 nfs
> > sunrpc                268245  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
> > vziolimit               3719  0
> > vzmon                  24462  8 vznetdev,vzrst,vzcpt
> > ip6table_mangle         3669  0
> > nf_nat_ftp              3523  0
> > nf_conntrack_ftp       12929  1 nf_nat_ftp
> > iptable_nat             6302  1
> > nf_nat                 23213  3 vzrst,nf_nat_ftp,iptable_nat
> > xt_length               1338  0
> > xt_hl                   1547  0
> > xt_tcpmss               1623  0
> > xt_TCPMSS               3461  1
> > iptable_mangle          3493  0
> > xt_multiport            2716  0
> > xt_limit                2134  0
> > nf_conntrack_ipv4       9946  5 iptable_nat,nf_nat
> > nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
> > ipt_LOG                 6405  0
> > xt_DSCP                 2849  0
> > xt_dscp                 2073  0
> > ipt_REJECT              2399  12
> > tun                    19157  0
> > xt_owner                2258  0
> > vzdquota               55339  0 [permanent]
> > vzevent                 2179  1
> > vzdev                   2733  5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
> > iptable_filter          2937  5
> > ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
> > ip6t_REJECT             4711  2
> > nf_conntrack_ipv6       8353  2
> > nf_defrag_ipv6         11188  1 nf_conntrack_ipv6
> > xt_state                1508  4
> > nf_conntrack           80313  9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
> > ip6table_filter         3033  1
> > ip6_tables             18988  2 ip6table_mangle,ip6table_filter
> > ipv6                  322874  1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
> > iTCO_wdt                7147  0
> > iTCO_vendor_support     3072  1 iTCO_wdt
> > i2c_i801               11375  0
> > i2c_core               31084  1 i2c_i801
> > sg                     29446  0
> > lpc_ich                12819  0
> > mfd_core                1911  1 lpc_ich
> > e1000e                267426  0
> > ptp                     9614  1 e1000e
> > pps_core               11490  1 ptp
> > ext4                  419456  11
> > jbd2                   93779  1 ext4
> > mbcache                 8209  1 ext4
> > sd_mod                 39005  6
> > crc_t10dif              1557  1 sd_mod
> > ahci                   42263  4
> > video                  20978  0
> > output                  2425  1 video
> > dm_mirror              14432  0
> > dm_region_hash         12101  1 dm_mirror
> > dm_log                  9946  2 dm_mirror,dm_region_hash
> > dm_mod                 84369  19 dm_mirror,dm_log
> >
> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
> > <pavel.odintsov at gmail.com> wrote:
> >> Hello!
> >>
> >> IPsec should work from 84.8 kernel according to
> >> https://openvz.org/IPsec but I found explicit reference about IPsec
> >> only in 84.10: http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
> >>
> >> Did you restart CT after loading kernel modules for l2tp?
> >>
> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
> >>> OK, I gave your suggestion a shot, using your link through Google
> >>> translate and http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
> >>> for comparison.
> >>>
> >>> Everything seems to go well until the 'ipsec verify' part when it says:
> >>>
> >>> [root at vps1418 /]# ipsec verify
> >>> Checking your system to see if IPsec got installed and started correctly:
> >>> Version check and ipsec on-path                             [OK]
> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
> >>> Checking for IPsec support in kernel                         [FAILED]
> >>>  SAref kernel support                                       [N/A]
> >>> Checking that pluto is running                               [OK]
> >>>  Pluto listening for IKE on udp 500                         [FAILED]
> >>>  Pluto listening for NAT-T on udp 4500                       [FAILED]
> >>> Checking for 'ip' command                                   [OK]
> >>> Checking /bin/sh is not /bin/dash                           [OK]
> >>> Checking for 'iptables' command                             [OK]
> >>> Opportunistic Encryption Support                             [DISABLED]
> >>>
> >>> I think the biggest problem here is the "Checking for IPsec support in kernel"?
> >>>
> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
> >>> supposedly ipsec support should be in kernels after stab084?
> >>>
> >>>
> >>>
> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
> >>> <pavel.odintsov at gmail.com> wrote:
> >>>> Hello!
> >>>>
> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
> >>>> (sorry, this manual is in Russian, but it's very simple). It's
> >>>> very usable because you do not need any special clients on Windows
> >>>> hosts. Maybe you can try this?
> >>>>
> >>>>
> >>>>
> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com> wrote:
> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
> >>>>>> I got the openvpn part itself down, no problem, but getting it to work
> >>>>>> in a container is a lot of hassle. Many pages, but most are outdated
> >>>>>> and things keep changing. Anyone know how to get it to work TODAY?
> >>>>>>
> >>>>>> The server is an otherwise normal server with public ip addresses and
> >>>>>> works with cpanel, no problem that far. The problem is getting an
> >>>>>> openvpn service to work in it.
> >>>>>>
> >>>>>> I've already added the tun device, and I can connect to the server
> >>>>>> with the openvpn client, just can't continue from there, so some
> >>>>>> routing is missing.
> >>>>>>
> >>>>>> I've followed the general routing instructions but because openvz
> >>>>>> doesn't support MASQ it doesn't work.
> >>>>>>
> >>>>>> - which modules to insmod on the hwnode
> >>>>>
> >>>>> Just make sure "tun" is present in lsmod.
> >>>>>
> >>>>>> - which modules to add into /etc/vz/vz.conf
> >>>>>
> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
> >>>>> it gets loaded at vz start.
> >>>>>
> >>>>>> - which modules to add into /etc/vz/<ct>.conf
> >>>>>
> >>>>> And for the CTID you want to run openvpn access in:
> >>>>>
> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
> >>>>>
> >>>>> Can you provide openvpn-client debug messages?
> >>>>>
> >>>>> --
> >>>>> Benjamin Henrion <bhenrion at ffii.org>
> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
> >>>>> "In July 2005, after several failed attempts to legalise software
> >>>>> patents in Europe, the patent establishment changed its strategy.
> >>>>> Instead of explicitly seeking to sanction the patentability of
> >>>>> software, they are now seeking to create a central European patent
> >>>>> court, which would establish and enforce patentability rules in their
> >>>>> favor, without any possibility of correction by competing courts or
> >>>>> democratically elected legislators."
> >>>>> _______________________________________________
> >>>>> Users mailing list
> >>>>> Users at openvz.org
> >>>>> https://lists.openvz.org/mailman/listinfo/users
> >>>>
> >>>>
> >>>>
> >>>> --
> >>>> Sincerely yours, Pavel Odintsov
> >>
> >>
> >>
> >> --
> >> Sincerely yours, Pavel Odintsov
>
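The thread boils down to a short pre-flight list: Benjamin's two host-side points for OpenVPN in a CT (tun present in lsmod on the hardware node, and tun in the module list in /etc/vz/vz.conf so it loads at vz start), plus the 'ipsec verify' output Rene posted, where the useful information is which checks came back [FAILED]. The script below is an added example, not code from the thread or from OpenVZ/vzctl. It turns those checks into functions that read command output passed in as text, so they can be run against saved output offline. The variable name MODULES is an assumption (Benjamin's reply only says "the list of modules in vz.conf" without naming it), so it is passed as a parameter; the sample inputs are constructed, with the lsmod and verify lines taken from what Rene posted and the vz.conf excerpt made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVZ/vzctl: pre-flight
# checks for VPN in an OpenVZ container. Benjamin's list for OpenVPN in a CT
# is (1) tun present in lsmod on the hardware node and (2) tun in vz.conf's
# module list so it loads at vz start; Rene's 'ipsec verify' output is triaged
# by pulling out the [FAILED] lines. Every check reads command output passed
# in as text, so it can be run against saved output without a node at hand.

# Is module $2 present in the lsmod output in $1? lsmod prints
# "Module Size Used by", so only the first column is compared.
module_loaded() {
    printf '%s\n' "$1" | awk -v mod="$2" '$1 == mod { found = 1 } END { exit !found }'
}

# Does the shell-style config text in $1 list module $3 in the space-separated
# value of variable $2? Commented-out lines (#VAR=...) are ignored. The thread
# only says "the list of modules in vz.conf" without naming the variable, so
# callers pass the name; MODULES below is an assumption, not checked against
# vzctl's own documentation.
module_in_conf() {
    printf '%s\n' "$1" | awk -v var="$2" -v mod="$3" '
        index($0, var "=") == 1 {
            val = substr($0, length(var) + 2)
            gsub(/["'"'"']/, "", val)            # drop surrounding quotes
            n = split(val, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] == mod) found = 1
        }
        END { exit !found }'
}

# Run both tun checks; print one line per missing prerequisite, exit 0 only
# when nothing is missing. $1 = lsmod output, $2 = vz.conf text.
tun_preflight() {
    rc=0
    module_loaded "$1" tun || {
        echo "tun is not loaded on the hardware node (lsmod shows no tun)"; rc=1; }
    module_in_conf "$2" MODULES tun || {
        echo "tun is not in MODULES in /etc/vz/vz.conf, so it will not load at vz start"; rc=1; }
    return $rc
}

# Number of checks that 'ipsec verify' reported as [FAILED] in the text in $1.
ipsec_verify_failed() {
    printf '%s\n' "$1" | awk '/\[FAILED\]/ { n++ } END { print n + 0 }'
}

# Names of the failed checks, one per line, with the status column removed.
ipsec_verify_failed_checks() {
    printf '%s\n' "$1" | awk '/\[FAILED\]/ {
        sub(/[ \t]*\[FAILED\].*/, ""); sub(/^[ \t]+/, ""); print }'
}

# Constructed sample inputs: the lsmod lines and the verify output are taken
# from what Rene posted; the vz.conf excerpt is made up for this example.
SAMPLE_LSMOD_OK='Module                  Size  Used by
esp4                    5406  0
xfrm4_mode_tunnel       2019  0
tun                    19157  0
ppp_generic            25400  3 pppol2tp,pppox,ppp_async'

SAMPLE_LSMOD_NO_TUN='Module                  Size  Used by
esp4                    5406  0
ppp_generic            25400  3 pppol2tp,pppox,ppp_async'

SAMPLE_VZ_CONF='## constructed excerpt; the MODULES variable name is assumed
#MODULES_DISABLED=yes
MODULES="tun ppp_async pppol2tp"
IPTABLES="ipt_REJECT ipt_LOG"'

SAMPLE_IPSEC_VERIFY='Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                              [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel                         [FAILED]
 SAref kernel support                                        [N/A]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                          [FAILED]
 Pluto listening for NAT-T on udp 4500                       [FAILED]'

if tun_preflight "$SAMPLE_LSMOD_OK" "$SAMPLE_VZ_CONF"; then
    echo "tun prerequisites: ok"
fi
echo "ipsec verify: $(ipsec_verify_failed "$SAMPLE_IPSEC_VERIFY") check(s) failed:"
ipsec_verify_failed_checks "$SAMPLE_IPSEC_VERIFY"
```

On a real hardware node the same functions take live output, e.g. `tun_preflight "$(lsmod)" "$(cat /etc/vz/vz.conf)"`. The third item in Benjamin's list, granting the container access to /dev/net/tun as described on the wiki page he links, is not checked here because it has to be inspected with vzctl as root on the node rather than from saved text.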
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openvz.org/pipermail/users/attachments/20140623/81c89b44/attachment-0001.html>

