[Users] openvpn in openvz
Rene C.
openvz at dokbua.com
Wed Jun 25 11:19:59 PDT 2014
No, I went in the direction of l2tp as recommended. It both seems more
secure and more compatible with both windows and android clients than
openvpn.
I still get the "Checking for IPsec support in kernel
[FAILED]" error from the check, although the latest openvz
kernel is now installed.
What can we do to narrow down the cause of this?
On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>
>
>
> 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>
>> Sorry, still stuck:
>
>
> Did you try the OpenVPN configuration that I've suggested?
>
> About IPsec: not sure; checking your syslog logs might give you some tips.
>>
>>
>> [root at server14 ~]# uname -a
>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>> [root at server14 ~]# for x in tun ppp_async pppol2tp
>> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>> grep $x; done
>> xfrm4_mode_tunnel 2019 0
>> tun 19157 0
>> ppp_async 7874 0
>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>> crc_ccitt 1733 1 ppp_async
>> pppol2tp 22749 0
>> pppox 2712 1 pppol2tp
>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>> xfrm4_mode_transport 1465 0
>> xfrm4_mode_tunnel 2019 0
>> xfrm_ipcomp 4626 0
>> esp4 5406 0
>> [root at server14 ~]# vzctl enter 1418
>> entered into CT 1418
>> [root at vps1418 /]# ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path [OK]
>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>> Checking for IPsec support in kernel [FAILED]
>> SAref kernel support [N/A]
>> Checking that pluto is running [OK]
>> Pluto listening for IKE on udp 500 [FAILED]
>> Pluto listening for NAT-T on udp 4500 [FAILED]
>> Checking for 'ip' command [OK]
>> Checking /bin/sh is not /bin/dash [OK]
>> Checking for 'iptables' command [OK]
>> Opportunistic Encryption Support [DISABLED]
>>
>> What am I missing?
>>
>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>> > Yep, rebooted the container.
>> >
>> > Here are the modules present:
>> >
>> > [root at server18 ~]# lsmod
>> > Module Size Used by
>> > esp4 5406 0
>> > xfrm_ipcomp 4626 0
>> > xfrm4_mode_tunnel 2019 0
>> > pppol2tp 22749 0
>> > pppox 2712 1 pppol2tp
>> > ppp_async 7874 0
>> > ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>> > slhc 5821 1 ppp_generic
>> > crc_ccitt 1733 1 ppp_async
>> > vzethdev 8221 0
>> > vznetdev 18952 10
>> > pio_nfs 17576 0
>> > pio_direct 28261 9
>> > pfmt_raw 3213 0
>> > pfmt_ploop1 6320 9
>> > ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>> > simfs 4448 0
>> > vzrst 196693 0
>> > vzcpt 148911 1 vzrst
>> > nfs 442438 3 pio_nfs,vzrst,vzcpt
>> > lockd 77189 2 vzrst,nfs
>> > fscache 55684 1 nfs
>> > auth_rpcgss 44949 1 nfs
>> > nfs_acl 2663 1 nfs
>> > sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>> > vziolimit 3719 0
>> > vzmon 24462 8 vznetdev,vzrst,vzcpt
>> > ip6table_mangle 3669 0
>> > nf_nat_ftp 3523 0
>> > nf_conntrack_ftp 12929 1 nf_nat_ftp
>> > iptable_nat 6302 1
>> > nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>> > xt_length 1338 0
>> > xt_hl 1547 0
>> > xt_tcpmss 1623 0
>> > xt_TCPMSS 3461 1
>> > iptable_mangle 3493 0
>> > xt_multiport 2716 0
>> > xt_limit 2134 0
>> > nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>> > nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>> > ipt_LOG 6405 0
>> > xt_DSCP 2849 0
>> > xt_dscp 2073 0
>> > ipt_REJECT 2399 12
>> > tun 19157 0
>> > xt_owner 2258 0
>> > vzdquota 55339 0 [permanent]
>> > vzevent 2179 1
>> > vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>> > iptable_filter 2937 5
>> > ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>> > ip6t_REJECT 4711 2
>> > nf_conntrack_ipv6 8353 2
>> > nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>> > xt_state 1508 4
>> > nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>> > ip6table_filter 3033 1
>> > ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>> > ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>> > iTCO_wdt 7147 0
>> > iTCO_vendor_support 3072 1 iTCO_wdt
>> > i2c_i801 11375 0
>> > i2c_core 31084 1 i2c_i801
>> > sg 29446 0
>> > lpc_ich 12819 0
>> > mfd_core 1911 1 lpc_ich
>> > e1000e 267426 0
>> > ptp 9614 1 e1000e
>> > pps_core 11490 1 ptp
>> > ext4 419456 11
>> > jbd2 93779 1 ext4
>> > mbcache 8209 1 ext4
>> > sd_mod 39005 6
>> > crc_t10dif 1557 1 sd_mod
>> > ahci 42263 4
>> > video 20978 0
>> > output 2425 1 video
>> > dm_mirror 14432 0
>> > dm_region_hash 12101 1 dm_mirror
>> > dm_log 9946 2 dm_mirror,dm_region_hash
>> > dm_mod 84369 19 dm_mirror,dm_log
>> >
>> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>> > <pavel.odintsov at gmail.com> wrote:
>> >> Hello!
>> >>
>> >> IPsec should work from the 84.8 kernel according to
>> >> https://openvz.org/IPsec but I found an explicit reference to IPsec
>> >> only in 84.10:
>> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>> >>
>> >> Did you restart CT after loading kernel modules for l2tp?
>> >>
>> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>> >>> OK, I gave your suggestion a shot, using your link through Google
>> >>> Translate and
>> >>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>> >>> for comparison.
>> >>>
>> >>> Everything seems to go well until the 'ipsec verify' part when it
>> >>> says:
>> >>>
>> >>> [root at vps1418 /]# ipsec verify
>> >>> Checking your system to see if IPsec got installed and started
>> >>> correctly:
>> >>> Version check and ipsec on-path [OK]
>> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>> >>> Checking for IPsec support in kernel [FAILED]
>> >>> SAref kernel support [N/A]
>> >>> Checking that pluto is running [OK]
>> >>> Pluto listening for IKE on udp 500 [FAILED]
>> >>> Pluto listening for NAT-T on udp 4500 [FAILED]
>> >>> Checking for 'ip' command [OK]
>> >>> Checking /bin/sh is not /bin/dash [OK]
>> >>> Checking for 'iptables' command [OK]
>> >>> Opportunistic Encryption Support [DISABLED]
>> >>>
>> >>> I think the biggest problem here is the "Checking for IPsec support in
>> >>> kernel" one?
>> >>>
>> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>> >>> supposedly IPsec support should be in kernels after stab084?
>> >>>
>> >>>
>> >>>
>> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>> >>> <pavel.odintsov at gmail.com> wrote:
>> >>>> Hello!
>> >>>>
>> >>>> In modern versions of OpenVZ you can use L2TP with IPsec support
>> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>> >>>> (sorry, this manual is in Russian, but it's very simple). It's
>> >>>> very usable because you do not need any special clients on Windows
>> >>>> hosts. Maybe you can try this?
>> >>>>
>> >>>>
>> >>>>
>> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com>
>> >>>> wrote:
>> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
>> >>>>>> I got the openvpn part itself down, no problem, but getting it to
>> >>>>>> work
>> >>>>>> in a container is a lot of hassle. Many pages, but most are
>> >>>>>> outdated
>> >>>>>> and things keep changing. Anyone know how to get it to work TODAY?
>> >>>>>>
>> >>>>>> The server is an otherwise normal server with public IP addresses
>> >>>>>> and
>> >>>>>> works with cPanel, no problem so far. The problem is getting an
>> >>>>>> openvpn service to work in it.
>> >>>>>>
>> >>>>>> I've already added the tun device, and I can connect to the server
>> >>>>>> with the openvpn client, just can't continue from there, so some
>> >>>>>> routing is missing.
>> >>>>>>
>> >>>>>> I've followed the general routing instructions but because openvz
>> >>>>>> doesn't support MASQ it doesn't work.
>> >>>>>>
>> >>>>>> - which modules to insmod on the hwnode
>> >>>>>
>> >>>>> Just make sure "tun" is present in lsmod.
>> >>>>>
>> >>>>>> - which modules to add into /etc/vz/vz.conf
>> >>>>>
>> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>> >>>>> it gets loaded at vz start.
>> >>>>>
>> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>> >>>>>
>> >>>>> And for the CTID you want to run openvpn access in:
>> >>>>>
>> >>>>>
>> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>> >>>>>
>> >>>>> Can you provide openvpn-client debug messages?
>> >>>>>
>> >>>>> --
>> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>> >>>>> "In July 2005, after several failed attempts to legalise software
>> >>>>> patents in Europe, the patent establishment changed its strategy.
>> >>>>> Instead of explicitly seeking to sanction the patentability of
>> >>>>> software, they are now seeking to create a central European patent
>> >>>>> court, which would establish and enforce patentability rules in
>> >>>>> their
>> >>>>> favor, without any possibility of correction by competing courts or
>> >>>>> democratically elected legislators."
>> >>>>> _______________________________________________
>> >>>>> Users mailing list
>> >>>>> Users at openvz.org
>> >>>>> https://lists.openvz.org/mailman/listinfo/users
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Sincerely yours, Pavel Odintsov
>> >>
>> >>
>> >>
>> >> --
>> >> Sincerely yours, Pavel Odintsov
>
>
>
>
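The lsmod loop quoted in this thread uses `grep $x`, which matches substrings, so "tun" also matched xfrm4_mode_tunnel and "pppol2tp" matched the "Used by" field of ppp_generic. The following is an added example (not code from anyone in this thread) that checks the same module list by exact name on the hardware node and checks that the CT config grants net/tun as the linked wiki page describes; it assumes the CT config carries a DEVNODES="..." line as written by `vzctl set --devnodes`, and all sample input is constructed.

```shell
#!/bin/sh
# Added example: exact-name module check plus CT tun-device check for OpenVZ.
# The module list is the one the thread's lsmod loop looked for.
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# missing_modules "<lsmod output>": prints the required modules whose name is not
# the first field of any line. Exact match, so xfrm4_mode_tunnel does not count
# as "tun" and a "Used by" mention of pppol2tp does not count as pppol2tp loaded.
missing_modules() {
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$1" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            missing="$missing $m"
        fi
    done
    printf '%s' "${missing# }"
}

# tun_granted "<CT config text>": returns 0 when the assumed DEVNODES line
# (as written by `vzctl set CTID --devnodes net/tun:rw --save`) grants net/tun rw.
tun_granted() {
    devnodes=$(printf '%s\n' "$1" | sed -n 's/^DEVNODES="\(.*\)"$/\1/p')
    case " $devnodes " in
        *" net/tun:rw "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample lsmod output: pppol2tp and esp4 deliberately absent, while
# ppp_generic still mentions pppol2tp in its "Used by" column (the substring trap).
SAMPLE_LSMOD="Module Size Used by
xfrm4_mode_tunnel 2019 0
tun 19157 0
ppp_async 7874 0
ppp_generic 25400 3 pppol2tp,pppox,ppp_async
xfrm4_mode_transport 1465 0
xfrm_ipcomp 4626 0"

# Constructed sample CT configs, one with the tun device node granted and one without.
SAMPLE_CT_CONF_OK='ONBOOT="yes"
DEVNODES="net/tun:rw "'
SAMPLE_CT_CONF_NO_TUN='ONBOOT="yes"'

main() {
    missing=$(missing_modules "$SAMPLE_LSMOD")
    [ -z "$missing" ] && echo "all required modules loaded" || echo "missing on hwnode: $missing"
    tun_granted "$SAMPLE_CT_CONF_OK" && echo "CT config grants net/tun" || echo "CT config lacks net/tun"
}
main
```

Run it on a real node by passing `"$(lsmod)"` and `"$(cat /etc/vz/conf/CTID.conf)"` to the two functions instead of the samples.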