[Users] openvpn in openvz

Rene C. openvz at dokbua.com
Thu Jun 26 00:06:03 PDT 2014


I already upgraded the kernel to the latest before the last test:

[root at server14 ~]# uname -a
Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16

Sorry if I didn't make that very clear

On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
<pavel.odintsov at gmail.com> wrote:
> Hello!
>
> I'm not sure about your problems, but we have a few production
> installations with this configuration. But we use only up-to-date
> kernels like the 90.x series. What kernel did you use for the tests?
>
> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>
>>
>>
>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>
>>> No, I went in the direction of l2tp as recommended. It both seems more
>>> secure and more compatible with both windows and android clients than
>>> openvpn.
>>
>>
>>
>> 'more secure'?
>>
>> Did you audit the OpenVPN/OpenSSL code? How can you say so?
>>
>> There are clients for both android and windows for OpenVPN.
>>
>> Anyway, if you've decided to go with IPsec, go ahead with it; it should
>> work too.
>>
>>
>>>
>>>
>>>
>>> I still get the "Checking for IPsec support in kernel [FAILED]" error
>>> from the check, although the latest openvz kernel is now installed.
>>>
>>> What can we do to narrow down the cause of this?
>>
>>
>> tbh, I have no idea; I've had no experience with an IPsec setup on OpenVZ. Ask
>> the guy who suggested the ipsec setup.
>>
>>>
>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>> >
>>> >
>>> >
>>> > 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>> >>
>>> >> Sorry, still stuck:
>>> >
>>> >
>>> > Did you try the OpenVPN configuration that I suggested?
>>> >
>>> > About IPsec: not sure; check your syslog, the logs might give you some tips.
>>> >>
>>> >>
>>> >> [root at server14 ~]# uname -a
>>> >> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>> >> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>> >> [root at server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>> >> xfrm4_mode_tunnel       2019  0
>>> >> tun                    19157  0
>>> >> ppp_async               7874  0
>>> >> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>> >> crc_ccitt               1733  1 ppp_async
>>> >> pppol2tp               22749  0
>>> >> pppox                   2712  1 pppol2tp
>>> >> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>> >> xfrm4_mode_transport     1465  0
>>> >> xfrm4_mode_tunnel       2019  0
>>> >> xfrm_ipcomp             4626  0
>>> >> esp4                    5406  0
>>> >> [root at server14 ~]# vzctl enter 1418
>>> >> entered into CT 1418
>>> >> [root at vps1418 /]# ipsec verify
>>> >> Checking your system to see if IPsec got installed and started correctly:
>>> >> Version check and ipsec on-path                              [OK]
>>> >> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>> >> Checking for IPsec support in kernel                         [FAILED]
>>> >>  SAref kernel support                                        [N/A]
>>> >> Checking that pluto is running                               [OK]
>>> >>  Pluto listening for IKE on udp 500                          [FAILED]
>>> >>  Pluto listening for NAT-T on udp 4500                       [FAILED]
>>> >> Checking for 'ip' command                                    [OK]
>>> >> Checking /bin/sh is not /bin/dash                            [OK]
>>> >> Checking for 'iptables' command                              [OK]
>>> >> Opportunistic Encryption Support                             [DISABLED]
>>> >>
>>> >> What am I missing?
>>> >>
>>> >> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>> >> > Yep, rebooted the container.
>>> >> >
>>> >> > Here's the modules present:
>>> >> >
>>> >> > [root at server18 ~]# lsmod
>>> >> > Module                  Size  Used by
>>> >> > esp4                    5406  0
>>> >> > xfrm_ipcomp             4626  0
>>> >> > xfrm4_mode_tunnel       2019  0
>>> >> > pppol2tp               22749  0
>>> >> > pppox                   2712  1 pppol2tp
>>> >> > ppp_async               7874  0
>>> >> > ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>> >> > slhc                    5821  1 ppp_generic
>>> >> > crc_ccitt               1733  1 ppp_async
>>> >> > vzethdev                8221  0
>>> >> > vznetdev               18952  10
>>> >> > pio_nfs                17576  0
>>> >> > pio_direct             28261  9
>>> >> > pfmt_raw                3213  0
>>> >> > pfmt_ploop1             6320  9
>>> >> > ploop                 116096  23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>> >> > simfs                   4448  0
>>> >> > vzrst                 196693  0
>>> >> > vzcpt                 148911  1 vzrst
>>> >> > nfs                   442438  3 pio_nfs,vzrst,vzcpt
>>> >> > lockd                  77189  2 vzrst,nfs
>>> >> > fscache                55684  1 nfs
>>> >> > auth_rpcgss            44949  1 nfs
>>> >> > nfs_acl                 2663  1 nfs
>>> >> > sunrpc                268245  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>> >> > vziolimit               3719  0
>>> >> > vzmon                  24462  8 vznetdev,vzrst,vzcpt
>>> >> > ip6table_mangle         3669  0
>>> >> > nf_nat_ftp              3523  0
>>> >> > nf_conntrack_ftp       12929  1 nf_nat_ftp
>>> >> > iptable_nat             6302  1
>>> >> > nf_nat                 23213  3 vzrst,nf_nat_ftp,iptable_nat
>>> >> > xt_length               1338  0
>>> >> > xt_hl                   1547  0
>>> >> > xt_tcpmss               1623  0
>>> >> > xt_TCPMSS               3461  1
>>> >> > iptable_mangle          3493  0
>>> >> > xt_multiport            2716  0
>>> >> > xt_limit                2134  0
>>> >> > nf_conntrack_ipv4       9946  5 iptable_nat,nf_nat
>>> >> > nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
>>> >> > ipt_LOG                 6405  0
>>> >> > xt_DSCP                 2849  0
>>> >> > xt_dscp                 2073  0
>>> >> > ipt_REJECT              2399  12
>>> >> > tun                    19157  0
>>> >> > xt_owner                2258  0
>>> >> > vzdquota               55339  0 [permanent]
>>> >> > vzevent                 2179  1
>>> >> > vzdev                   2733  5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>> >> > iptable_filter          2937  5
>>> >> > ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
>>> >> > ip6t_REJECT             4711  2
>>> >> > nf_conntrack_ipv6       8353  2
>>> >> > nf_defrag_ipv6         11188  1 nf_conntrack_ipv6
>>> >> > xt_state                1508  4
>>> >> > nf_conntrack           80313  9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>> >> > ip6table_filter         3033  1
>>> >> > ip6_tables             18988  2 ip6table_mangle,ip6table_filter
>>> >> > ipv6                  322874  1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>> >> > iTCO_wdt                7147  0
>>> >> > iTCO_vendor_support     3072  1 iTCO_wdt
>>> >> > i2c_i801               11375  0
>>> >> > i2c_core               31084  1 i2c_i801
>>> >> > sg                     29446  0
>>> >> > lpc_ich                12819  0
>>> >> > mfd_core                1911  1 lpc_ich
>>> >> > e1000e                267426  0
>>> >> > ptp                     9614  1 e1000e
>>> >> > pps_core               11490  1 ptp
>>> >> > ext4                  419456  11
>>> >> > jbd2                   93779  1 ext4
>>> >> > mbcache                 8209  1 ext4
>>> >> > sd_mod                 39005  6
>>> >> > crc_t10dif              1557  1 sd_mod
>>> >> > ahci                   42263  4
>>> >> > video                  20978  0
>>> >> > output                  2425  1 video
>>> >> > dm_mirror              14432  0
>>> >> > dm_region_hash         12101  1 dm_mirror
>>> >> > dm_log                  9946  2 dm_mirror,dm_region_hash
>>> >> > dm_mod                 84369  19 dm_mirror,dm_log
>>> >> >
>>> >> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>> >> > <pavel.odintsov at gmail.com> wrote:
>>> >> >> Hello!
>>> >> >>
>>> >> >> IPsec should work from the 84.8 kernel according to
>>> >> >> https://openvz.org/IPsec but I found an explicit reference to IPsec
>>> >> >> only in 84.10:
>>> >> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>> >> >>
>>> >> >> Did you restart the CT after loading the kernel modules for l2tp?
>>> >> >>
>>> >> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>> >> >>> OK, I gave your suggestion a shot, using your link through Google
>>> >> >>> Translate and http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>> >> >>> for comparison.
>>> >> >>>
>>> >> >>> Everything seems to go well until the 'ipsec verify' part, when it says:
>>> >> >>>
>>> >> >>> [root at vps1418 /]# ipsec verify
>>> >> >>> Checking your system to see if IPsec got installed and started correctly:
>>> >> >>> Version check and ipsec on-path                             [OK]
>>> >> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>> >> >>> Checking for IPsec support in kernel                        [FAILED]
>>> >> >>>  SAref kernel support                                       [N/A]
>>> >> >>> Checking that pluto is running                              [OK]
>>> >> >>>  Pluto listening for IKE on udp 500                         [FAILED]
>>> >> >>>  Pluto listening for NAT-T on udp 4500                      [FAILED]
>>> >> >>> Checking for 'ip' command                                   [OK]
>>> >> >>> Checking /bin/sh is not /bin/dash                           [OK]
>>> >> >>> Checking for 'iptables' command                             [OK]
>>> >> >>> Opportunistic Encryption Support                            [DISABLED]
>>> >> >>>
>>> >> >>> I think the biggest problem here is the "Checking for IPsec support
>>> >> >>> in kernel"?
>>> >> >>>
>>> >> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>> >> >>> supposedly ipsec support should be in kernels after stab084?
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>> >> >>> <pavel.odintsov at gmail.com> wrote:
>>> >> >>>> Hello!
>>> >> >>>>
>>> >> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>> >> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>> >> >>>> (sorry, this manual is in Russian, but it's very simple). It's
>>> >> >>>> very usable because you do not need any special clients on Windows
>>> >> >>>> hosts. Maybe you can try this?
>>> >> >>>>
>>> >> >>>>
>>> >> >>>>
>>> >> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com> wrote:
>>> >> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
>>> >> >>>>>> I got the openvpn part itself down, no problem, but getting it to
>>> >> >>>>>> work in a container is a lot of hassle. Many pages, but most are
>>> >> >>>>>> outdated and things keep changing. Anyone know how to get it to
>>> >> >>>>>> work TODAY?
>>> >> >>>>>>
>>> >> >>>>>> The server is an otherwise normal server with public ip addresses
>>> >> >>>>>> and works with cpanel, no problem that far. The problem is getting
>>> >> >>>>>> an openvpn service to work in it.
>>> >> >>>>>>
>>> >> >>>>>> I've already added the tun device, and I can connect to the server
>>> >> >>>>>> with the openvpn client, just can't continue from there, so some
>>> >> >>>>>> routing is missing.
>>> >> >>>>>>
>>> >> >>>>>> I've followed the general routing instructions but because openvz
>>> >> >>>>>> doesn't support MASQ it doesn't work.
>>> >> >>>>>>
>>> >> >>>>>> - which modules to insmod on the hwnode
>>> >> >>>>>
>>> >> >>>>> Just make sure "tun" is present in lsmod.
>>> >> >>>>>
>>> >> >>>>>> - which modules to add into /etc/vz/vz.conf
>>> >> >>>>>
>>> >> >>>>> The same. "tun" should be part of the list of modules in vz.conf, so
>>> >> >>>>> it gets loaded at vz start.
>>> >> >>>>>
>>> >> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>>> >> >>>>>
>>> >> >>>>> And for the CTID you want to run openvpn access in:
>>> >> >>>>>
>>> >> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>> >> >>>>>
>>> >> >>>>> Can you provide openvpn-client debug messages?
>>> >> >>>>>
>>> >> >>>>> --
>>> >> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>>> >> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>>> >> >>>>> "In July 2005, after several failed attempts to legalise software
>>> >> >>>>> patents in Europe, the patent establishment changed its strategy.
>>> >> >>>>> Instead of explicitly seeking to sanction the patentability of
>>> >> >>>>> software, they are now seeking to create a central European patent
>>> >> >>>>> court, which would establish and enforce patentability rules in their
>>> >> >>>>> favor, without any possibility of correction by competing courts or
>>> >> >>>>> democratically elected legislators."
>>> >> >>>>> _______________________________________________
>>> >> >>>>> Users mailing list
>>> >> >>>>> Users at openvz.org
>>> >> >>>>> https://lists.openvz.org/mailman/listinfo/users
>>> >> >>>>
>>> >> >>>>
>>> >> >>>>
>>> >> >>>> --
>>> >> >>>> Sincerely yours, Pavel Odintsov
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Sincerely yours, Pavel Odintsov
>>> >
>>> >
>>> >
>>> >
>>
>>
>>
>>
>
>
>
> --
> Sincerely yours, Pavel Odintsov
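The checklist that emerges from the thread (load tun and the ppp/l2tp and xfrm/esp modules on the hardnode, run a kernel at or past the stab084 line, grant the container /dev/net/tun, then read `ipsec verify` inside the CT) is easy to get half right, as the repeated [FAILED] lines above show. The script below is an added example, not code from the thread or from the OpenVZ project: it turns those steps into a preflight that takes the output of `lsmod`, `uname -r`, the CT config and `ipsec verify` as text and reports what is missing, so it can be run against captured output as well as on a live node. The module list is the one the thread greps for, the minimum kernel is the 042stab084.10 build Pavel cites, and the DEVNODES check assumes the `DEVNODES="net/tun:rw "` line that `vzctl set CTID --devnodes net/tun:rw --save` writes to /etc/vz/conf/CTID.conf; the sample inputs are constructed from the listings in the thread with two modules deliberately left out.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVZ project): hardnode and
# container preflight for OpenVPN / L2TP-IPsec inside an OpenVZ CT.
# Each check takes the *text* of a command's output, so it can be run
# against captured output; on a live node pass "$(lsmod)", "$(uname -r)",
# "$(cat /etc/vz/conf/$CTID.conf)" and "$(vzctl exec $CTID ipsec verify)".

# Modules the thread greps for on the hardnode (tun for OpenVPN, the
# ppp/l2tp and xfrm/esp set for L2TP/IPsec).
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"
# First build the thread cites as explicitly mentioning IPsec in containers.
MIN_STAB_KERNEL="042stab084.10"

# Print required modules absent from the given lsmod text, one per line.
# Matches the whole name in column 1, so "ppp_generic" cannot satisfy "ppp".
missing_modules() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$1" | awk -v mod="$m" '$1 == mod { found = 1 } END { exit found ? 0 : 1 }' \
            || printf '%s\n' "$m"
    done
}

# Field 1 (major) or 2 (minor) of the 042stabNNN.M part of a release string,
# leading zeros stripped.  Prints nothing for a non-OpenVZ kernel.
stab_part() {
    printf '%s' "$1" \
        | sed -n 's/.*042stab\([0-9]*\)\.\([0-9]*\).*/\1 \2/p' \
        | cut -d' ' -f"$2" \
        | sed 's/^0*\([0-9]\)/\1/'
}

# 0 if release $1 is at or past stab level $2, 1 if older, 2 if $1 is not
# an OpenVZ RHEL6 kernel at all (a stock 3.x kernel, for example).
stab_at_least() {
    rmaj=$(stab_part "$1" 1); rmin=$(stab_part "$1" 2)
    mmaj=$(stab_part "$2" 1); mmin=$(stab_part "$2" 2)
    [ -n "$rmaj" ] && [ -n "$mmaj" ] || return 2
    [ "$rmaj" -gt "$mmaj" ] && return 0
    [ "$rmaj" -eq "$mmaj" ] && [ "$rmin" -ge "$mmin" ] && return 0
    return 1
}

# 0 if the CT config text grants /dev/net/tun.  Assumes the DEVNODES line
# that "vzctl set CTID --devnodes net/tun:rw --save" writes.
ct_config_has_tun() {
    printf '%s\n' "$1" | grep -q '^DEVNODES=.*net/tun:rw'
}

# Names of the checks that `ipsec verify` reported as [FAILED], one per line.
ipsec_verify_failures() {
    printf '%s\n' "$1" | sed -n 's/^ *\(.*[^ ]\) *\[FAILED].*/\1/p'
}

# Run every check, print each finding, return 0 only when nothing is wrong.
preflight() {
    lsmod_out="$1"; release="$2"; ct_conf="$3"; verify_out="$4"; rc=0
    for m in $(missing_modules "$lsmod_out"); do
        echo "hardnode: module not loaded: $m"; rc=1
    done
    stab_at_least "$release" "$MIN_STAB_KERNEL" \
        || { echo "hardnode: kernel $release is older than $MIN_STAB_KERNEL (or not OpenVZ)"; rc=1; }
    ct_config_has_tun "$ct_conf" || { echo "container: config does not grant net/tun"; rc=1; }
    ipsec_verify_failures "$verify_out" | sed 's/^/container: ipsec verify FAILED: /'
    [ -z "$(ipsec_verify_failures "$verify_out")" ] || rc=1
    return "$rc"
}

# Constructed sample input, cut down from the listings in the thread with
# pppol2tp and xfrm4_mode_transport deliberately left out.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                    5406  0
xfrm_ipcomp             4626  0
xfrm4_mode_tunnel       2019  0
ppp_async               7874  0
ppp_generic            25400  1 ppp_async
tun                    19157  0'
SAMPLE_RELEASE='2.6.32-042stab090.4'
SAMPLE_CT_CONF='VE_ROOT="/vz/root/$VEID"
DEVNODES="net/tun:rw "'
SAMPLE_VERIFY='Checking for IPsec support in kernel                         [FAILED]
 SAref kernel support                                        [N/A]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                          [FAILED]'

preflight "$SAMPLE_LSMOD" "$SAMPLE_RELEASE" "$SAMPLE_CT_CONF" "$SAMPLE_VERIFY" \
    || echo "preflight: problems found, do not start the VPN daemons yet"
```

Run as-is it reports the two missing modules and the two FAILED checks from the sample and exits non-zero; on a real hardnode replace the SAMPLE_* values with the live command output. Two caveats a practitioner should keep in mind: the module check only proves the modules are loaded on the node, not that the container can see the kernel's xfrm/ESP interface, so the `ipsec verify` result from inside the CT remains the ground truth for that step; and the stab comparison is string parsing of the release name, so it says nothing about a kernel that was installed but not yet booted (compare `uname -r` with what `rpm -q kernel` lists before trusting it).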