[Users] openvpn in openvz

Pavel Odintsov pavel.odintsov at gmail.com
Wed Jun 25 23:38:01 PDT 2014


Hello!

I'm not sure about your problems, but we have a few production
installations with this configuration. But we use only up-to-date
kernels like the 90.x series. What kernel did you use for tests?

On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>
>
>
> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>
>> No, I went in the direction of l2tp as recommended. It both seems more
>> secure and more compatible with both windows and android clients than
>> openvpn.
>
>
>
> 'more secure'?
>
> Did you audit the OpenVPN/OpenSSL code? How can you say so?
>
> There are clients for both android and windows for OpenVPN.
>
> Anyway, if you've decided to go with IPSec, go ahead with it; it should work
> too.
>
>
>>
>>
>>
>> I still get the "Checking for IPsec support in kernel
>>        [FAILED]" error from the check, although the latest openvz
>> kernel is now installed.
>>
>> What can we do to narrow down the cause of this?
>
>
> tbh, I have no idea; I've had no experience with IPSec setup on OpenVZ. Ask the
> guy who suggested the ipsec setup.
>
>>
>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>> >
>> >
>> >
>> > 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>> >>
>> >> Sorry, still stuck:
>> >
>> >
>> > Did you try OpenVPN configuration that I've suggested?
>> >
> > About IPSEC: not sure; checking your syslog logs might give you some tips.
>> >>
>> >>
>> >> [root at server14 ~]# uname -a
>> >> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>> >> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>> >> [root at server14 ~]# for x in tun ppp_async pppol2tp
>> >> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>> >> grep $x; done
>> >> xfrm4_mode_tunnel       2019  0
>> >> tun                    19157  0
>> >> ppp_async               7874  0
>> >> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>> >> crc_ccitt               1733  1 ppp_async
>> >> pppol2tp               22749  0
>> >> pppox                   2712  1 pppol2tp
>> >> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>> >> xfrm4_mode_transport     1465  0
>> >> xfrm4_mode_tunnel       2019  0
>> >> xfrm_ipcomp             4626  0
>> >> esp4                    5406  0
>> >> [root at server14 ~]# vzctl enter 1418
>> >> entered into CT 1418
>> >> [root at vps1418 /]# ipsec verify
>> >> Checking your system to see if IPsec got installed and started
>> >> correctly:
>> >> Version check and ipsec on-path                              [OK]
>> >> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>> >> Checking for IPsec support in kernel                         [FAILED]
>> >>  SAref kernel support                                        [N/A]
>> >> Checking that pluto is running                               [OK]
>> >>  Pluto listening for IKE on udp 500                          [FAILED]
>> >>  Pluto listening for NAT-T on udp 4500                       [FAILED]
>> >> Checking for 'ip' command                                    [OK]
>> >> Checking /bin/sh is not /bin/dash                            [OK]
>> >> Checking for 'iptables' command                              [OK]
>> >> Opportunistic Encryption Support                             [DISABLED]
>> >>
>> >> What am I missing?
>> >>
>> >> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>> >> > Yep, rebooted the container.
>> >> >
>> >> > Here's the modules present:
>> >> >
>> >> > [root at server18 ~]# lsmod
>> >> > Module                  Size  Used by
>> >> > esp4                    5406  0
>> >> > xfrm_ipcomp             4626  0
>> >> > xfrm4_mode_tunnel       2019  0
>> >> > pppol2tp               22749  0
>> >> > pppox                   2712  1 pppol2tp
>> >> > ppp_async               7874  0
>> >> > ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>> >> > slhc                    5821  1 ppp_generic
>> >> > crc_ccitt               1733  1 ppp_async
>> >> > vzethdev                8221  0
>> >> > vznetdev               18952  10
>> >> > pio_nfs                17576  0
>> >> > pio_direct             28261  9
>> >> > pfmt_raw                3213  0
>> >> > pfmt_ploop1             6320  9
> >> >> > ploop                 116096  23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>> >> > simfs                   4448  0
>> >> > vzrst                 196693  0
>> >> > vzcpt                 148911  1 vzrst
>> >> > nfs                   442438  3 pio_nfs,vzrst,vzcpt
>> >> > lockd                  77189  2 vzrst,nfs
>> >> > fscache                55684  1 nfs
>> >> > auth_rpcgss            44949  1 nfs
>> >> > nfs_acl                 2663  1 nfs
>> >> > sunrpc                268245  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>> >> > vziolimit               3719  0
>> >> > vzmon                  24462  8 vznetdev,vzrst,vzcpt
>> >> > ip6table_mangle         3669  0
>> >> > nf_nat_ftp              3523  0
>> >> > nf_conntrack_ftp       12929  1 nf_nat_ftp
>> >> > iptable_nat             6302  1
>> >> > nf_nat                 23213  3 vzrst,nf_nat_ftp,iptable_nat
>> >> > xt_length               1338  0
>> >> > xt_hl                   1547  0
>> >> > xt_tcpmss               1623  0
>> >> > xt_TCPMSS               3461  1
>> >> > iptable_mangle          3493  0
>> >> > xt_multiport            2716  0
>> >> > xt_limit                2134  0
>> >> > nf_conntrack_ipv4       9946  5 iptable_nat,nf_nat
>> >> > nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
>> >> > ipt_LOG                 6405  0
>> >> > xt_DSCP                 2849  0
>> >> > xt_dscp                 2073  0
>> >> > ipt_REJECT              2399  12
>> >> > tun                    19157  0
>> >> > xt_owner                2258  0
>> >> > vzdquota               55339  0 [permanent]
>> >> > vzevent                 2179  1
> >> >> > vzdev                   2733  5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>> >> > iptable_filter          2937  5
> >> >> > ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
>> >> > ip6t_REJECT             4711  2
>> >> > nf_conntrack_ipv6       8353  2
>> >> > nf_defrag_ipv6         11188  1 nf_conntrack_ipv6
>> >> > xt_state                1508  4
> >> >> > nf_conntrack           80313  9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>> >> > ip6table_filter         3033  1
>> >> > ip6_tables             18988  2 ip6table_mangle,ip6table_filter
> >> >> > ipv6                  322874  1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>> >> > iTCO_wdt                7147  0
>> >> > iTCO_vendor_support     3072  1 iTCO_wdt
>> >> > i2c_i801               11375  0
>> >> > i2c_core               31084  1 i2c_i801
>> >> > sg                     29446  0
>> >> > lpc_ich                12819  0
>> >> > mfd_core                1911  1 lpc_ich
>> >> > e1000e                267426  0
>> >> > ptp                     9614  1 e1000e
>> >> > pps_core               11490  1 ptp
>> >> > ext4                  419456  11
>> >> > jbd2                   93779  1 ext4
>> >> > mbcache                 8209  1 ext4
>> >> > sd_mod                 39005  6
>> >> > crc_t10dif              1557  1 sd_mod
>> >> > ahci                   42263  4
>> >> > video                  20978  0
>> >> > output                  2425  1 video
>> >> > dm_mirror              14432  0
>> >> > dm_region_hash         12101  1 dm_mirror
>> >> > dm_log                  9946  2 dm_mirror,dm_region_hash
>> >> > dm_mod                 84369  19 dm_mirror,dm_log
>> >> >
>> >> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>> >> > <pavel.odintsov at gmail.com> wrote:
>> >> >> Hello!
>> >> >>
> >> >> >> IPsec should work from the 84.8 kernel according to
> >> >> >> https://openvz.org/IPsec, but I found an explicit reference to IPsec
> >> >> >> only in 84.10:
> >> >> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>> >> >>
> >> >> >> Did you restart the CT after loading the kernel modules for l2tp?
>> >> >>
>> >> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>> >> >>> Ok I gave your suggestion a shot, using your link through Google
>> >> >>> translate and
>> >> >>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>> >> >>> for comparison.
>> >> >>>
>> >> >>> Everything seems to go well until the 'ipsec verify' part when it
>> >> >>> says:
>> >> >>>
>> >> >>> [root at vps1418 /]# ipsec verify
>> >> >>> Checking your system to see if IPsec got installed and started
>> >> >>> correctly:
>> >> >>> Version check and ipsec on-path                             [OK]
>> >> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
> >> >> >>> Checking for IPsec support in kernel                        [FAILED]
>> >> >>>  SAref kernel support                                       [N/A]
>> >> >>> Checking that pluto is running                               [OK]
> >> >> >>>  Pluto listening for IKE on udp 500                         [FAILED]
> >> >> >>>  Pluto listening for NAT-T on udp 4500                      [FAILED]
>> >> >>> Checking for 'ip' command                                   [OK]
>> >> >>> Checking /bin/sh is not /bin/dash                           [OK]
>> >> >>> Checking for 'iptables' command                             [OK]
> >> >> >>> Opportunistic Encryption Support                            [DISABLED]
>> >> >>>
> >> >> >>> I think the biggest problem here is the "Checking for IPsec support
> >> >> >>> in kernel"?
>> >> >>>
>> >> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>> >> >>> supposedly ipsec support should be in kernels after stab084?
>> >> >>>
>> >> >>>
>> >> >>>
>> >> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>> >> >>> <pavel.odintsov at gmail.com> wrote:
>> >> >>>> Hello!
>> >> >>>>
> >> >> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
> >> >> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
> >> >> >>>> (sorry, this manual is in Russian, but it's very simple). It's
> >> >> >>>> very usable because you do not need any special clients on Windows
> >> >> >>>> hosts. Maybe you can try this?
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion
>> >> >>>> <zoobab at gmail.com>
>> >> >>>> wrote:
>> >> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com>
>> >> >>>>> wrote:
> >> >> >>>>>> I got the openvpn part itself down, no problem, but getting it
> >> >> >>>>>> to work in a container is a lot of hassle. Many pages, but most
> >> >> >>>>>> are outdated and things keep changing. Anyone know how to get it
> >> >> >>>>>> to work TODAY?
> >> >> >>>>>>
> >> >> >>>>>> The server is an otherwise normal server with public ip addresses
> >> >> >>>>>> and works with cpanel, no problem that far. The problem is getting
> >> >> >>>>>> an openvpn service to work in it.
> >> >> >>>>>>
> >> >> >>>>>> I've already added the tun device, and I can connect to the server
> >> >> >>>>>> with the openvpn client, just can't continue from there, so some
> >> >> >>>>>> routing is missing.
> >> >> >>>>>>
> >> >> >>>>>> I've followed the general routing instructions but because openvz
> >> >> >>>>>> doesn't support MASQ it doesn't work.
>> >> >>>>>>
>> >> >>>>>> - which modules to insmod on the hwnode
>> >> >>>>>
>> >> >>>>> Just make sure "tun" is present in lsmod.
>> >> >>>>>
>> >> >>>>>> - which modules to add into /etc/vz/vz.conf
>> >> >>>>>
> >> >> >>>>> The same. "tun" should be part of the list of modules in vz.conf,
> >> >> >>>>> so it gets loaded at vz start.
>> >> >>>>>
>> >> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>> >> >>>>>
> >> >> >>>>> And for the CTID you want to run openvpn access in:
>> >> >>>>>
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>> >> >>>>>
>> >> >>>>> Can you provide openvpn-client debug messages?
>> >> >>>>>
>> >> >>>>> --
>> >> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>> >> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>> >> >>>>> "In July 2005, after several failed attempts to legalise software
>> >> >>>>> patents in Europe, the patent establishment changed its strategy.
>> >> >>>>> Instead of explicitly seeking to sanction the patentability of
>> >> >>>>> software, they are now seeking to create a central European
>> >> >>>>> patent
>> >> >>>>> court, which would establish and enforce patentability rules in
>> >> >>>>> their
>> >> >>>>> favor, without any possibility of correction by competing courts
>> >> >>>>> or
>> >> >>>>> democratically elected legislators."
>> >> >>>>> _______________________________________________
>> >> >>>>> Users mailing list
>> >> >>>>> Users at openvz.org
>> >> >>>>> https://lists.openvz.org/mailman/listinfo/users
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> --
>> >> >>>> Sincerely yours, Pavel Odintsov
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Sincerely yours, Pavel Odintsov
>> >
>> >
>> >
>> >
>
>
>
>



-- 
Sincerely yours, Pavel Odintsov
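As an added example (not code from this thread, nor from the OpenVZ or Openswan projects), here is a small POSIX shell check script for the situation discussed above. On the hardware node it reports which modules from the one-liner quoted in the thread are absent from lsmod output; inside the container it probes the things that Openswan's "ipsec verify" output complains about. Two points are my assumptions rather than anything the thread states: that Openswan's "Checking for IPsec support in kernel" looks for /proc/net/pfkey, which the af_key module provides (and that pluto installs SAs over the xfrm_user netlink interface), and that the vzctl options quoted in the comments are the ones from the TUN/TAP wiki page linked in the thread. The lsmod excerpt embedded below is constructed so the script runs offline; it is shaped like the listing in the thread but deliberately lacks ppp_async, af_key and xfrm_user.

```shell
#!/bin/sh
# Added example, not from the thread: readiness check for running OpenVPN or
# L2TP/IPsec inside an OpenVZ container.
#
# Assumptions (mine):
#  - Openswan's NETKEY check looks for /proc/net/pfkey, provided by af_key;
#    pluto talks to the kernel through xfrm_user.
#  - vzctl options follow https://openvz.org/VPN_via_the_TUN/TAP_device
#    (vzctl set CTID --devnodes net/tun:rw --save, --capability net_admin:on).

# Modules the thread's hardware-node one-liner looked for, plus af_key and
# xfrm_user (see assumptions above).
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4 af_key xfrm_user"

# Constructed lsmod excerpt for offline use: like the thread's listing, but
# ppp_async, af_key and xfrm_user are deliberately absent.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                    5406  0
xfrm_ipcomp             4626  0
xfrm4_mode_tunnel       2019  0
xfrm4_mode_transport    1465  0
pppol2tp               22749  0
pppox                   2712  1 pppol2tp
ppp_generic            25400  3 pppol2tp,pppox
tun                    19157  0'

# missing_modules LSMOD_TEXT MODULE...
# Prints every MODULE not found in the first column of LSMOD_TEXT (header line
# skipped), one per line. Exit status 0 when nothing is missing, 1 otherwise.
missing_modules() {
    lsmod_text=$1
    shift
    rc=0
    for m in "$@"; do
        if ! printf '%s\n' "$lsmod_text" |
             awk -v m="$m" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$m"
            rc=1
        fi
    done
    return $rc
}

# ct_checks: run inside the container. Each probe corresponds to one line of
# "ipsec verify": the tun device node, the PF_KEY interface Openswan tests for,
# and the xfrm netlink interface pluto needs.
ct_checks() {
    if [ -c /dev/net/tun ]; then
        echo "tun device node            OK"
    else
        echo "tun device node            MISSING (on HN: vzctl set CTID --devnodes net/tun:rw --save)"
    fi
    if [ -e /proc/net/pfkey ]; then
        echo "/proc/net/pfkey (af_key)   OK"
    else
        echo "/proc/net/pfkey (af_key)   MISSING (modprobe af_key on the HN, then restart the CT)"
    fi
    if ip xfrm state >/dev/null 2>&1; then
        echo "xfrm netlink (ip xfrm)     OK"
    else
        echo "xfrm netlink (ip xfrm)     FAILED"
    fi
}

# Usage:  sh ct-vpn-check.sh hn    on the hardware node (reads lsmod)
#         sh ct-vpn-check.sh ct    inside the container
case "${1:-}" in
    hn) if missing_modules "$(lsmod)" $REQUIRED_MODULES; then
            echo "all required modules are loaded"
        else
            echo "modprobe the modules listed above on the HN, then restart the CT"
        fi ;;
    ct) ct_checks ;;
esac
```

Neither af_key nor xfrm_user appears in the hardware-node lsmod listing quoted earlier in this thread, which is why the script checks for them; whether that is the actual cause of the [FAILED] lines is not established in the thread, so treat the script as a way to narrow the problem down, not as the answer.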

