[Users] openvpn in openvz
Pavel Odintsov
pavel.odintsov at gmail.com
Thu Jun 26 11:07:12 PDT 2014
Hello!
You can try to do something like this:
touch /lib/modules/2.6.32-042stab090.3/modules.dep
It can suppress ipsec_setup warnings.
On Thu, Jun 26, 2014 at 9:52 PM, Rene C. <openvz at dokbua.com> wrote:
> Going through the whole thing again I fell over this fatal error
> during the ipsec restart:
>
> ipsec_setup: FATAL: Could not load
> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
> directory
>
> I installed both openswan and xl2tpd through yum (epel repo) but neither
> seems to add anything to /lib/modules. What am I missing?
>
>
> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <openvz at dokbua.com> wrote:
>> I already upgraded the kernel to the latest before the last test:
>>
>> [root at server14 ~]# uname -a
>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>
>> Sorry if I didn't make that very clear
>>
>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>> <pavel.odintsov at gmail.com> wrote:
>>> Hello!
>>>
>>> I'm not sure about your problems, but we have a few production
>>> installations with this configuration. But we use only up-to-date
>>> kernels like the 90.x series. What kernel did you use for tests?
>>>
>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>>>
>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>
>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>> secure and more compatible with both windows and android clients than
>>>>> openvpn.
>>>>
>>>> 'more secure' ?
>>>>
>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>
>>>> There are clients for both android and windows for OpenVPN.
>>>>
>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>> too.
>>>>
>>>>
>>>>>
>>>>> I still get the "Checking for IPsec support in kernel
>>>>> [FAILED]" error from the check, although the latest openvz
>>>>> kernel is now installed.
>>>>>
>>>>> What can we do to narrow down the cause of this?
>>>>
>>>>
>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>> guy who suggested the ipsec setup.
>>>>
>>>>>
>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>>>> >
>>>>> > 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>> >>
>>>>> >> Sorry, still stuck:
>>>>> >
>>>>> >
>>>>> > Did you try OpenVPN configuration that I've suggested?
>>>>> >
>>>>> > About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>> >>
>>>>> >>
>>>>> >> [root at server14 ~]# uname -a
>>>>> >> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>>> >> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>> >> [root at server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>>>> >> xfrm4_mode_tunnel 2019 0
>>>>> >> tun 19157 0
>>>>> >> ppp_async 7874 0
>>>>> >> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>> >> crc_ccitt 1733 1 ppp_async
>>>>> >> pppol2tp 22749 0
>>>>> >> pppox 2712 1 pppol2tp
>>>>> >> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>> >> xfrm4_mode_transport 1465 0
>>>>> >> xfrm4_mode_tunnel 2019 0
>>>>> >> xfrm_ipcomp 4626 0
>>>>> >> esp4 5406 0
>>>>> >> [root at server14 ~]# vzctl enter 1418
>>>>> >> entered into CT 1418
>>>>> >> [root at vps1418 /]# ipsec verify
>>>>> >> Checking your system to see if IPsec got installed and started
>>>>> >> correctly:
>>>>> >> Version check and ipsec on-path [OK]
>>>>> >> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>> >> Checking for IPsec support in kernel [FAILED]
>>>>> >> SAref kernel support [N/A]
>>>>> >> Checking that pluto is running [OK]
>>>>> >> Pluto listening for IKE on udp 500 [FAILED]
>>>>> >> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>> >> Checking for 'ip' command [OK]
>>>>> >> Checking /bin/sh is not /bin/dash [OK]
>>>>> >> Checking for 'iptables' command [OK]
>>>>> >> Opportunistic Encryption Support [DISABLED]
>>>>> >>
>>>>> >> What am I missing?
>>>>> >>
>>>>> >> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>> >> > Yep, rebooted the container.
>>>>> >> >
>>>>> >> > Here's the modules present:
>>>>> >> >
>>>>> >> > [root at server18 ~]# lsmod
>>>>> >> > Module Size Used by
>>>>> >> > esp4 5406 0
>>>>> >> > xfrm_ipcomp 4626 0
>>>>> >> > xfrm4_mode_tunnel 2019 0
>>>>> >> > pppol2tp 22749 0
>>>>> >> > pppox 2712 1 pppol2tp
>>>>> >> > ppp_async 7874 0
>>>>> >> > ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>> >> > slhc 5821 1 ppp_generic
>>>>> >> > crc_ccitt 1733 1 ppp_async
>>>>> >> > vzethdev 8221 0
>>>>> >> > vznetdev 18952 10
>>>>> >> > pio_nfs 17576 0
>>>>> >> > pio_direct 28261 9
>>>>> >> > pfmt_raw 3213 0
>>>>> >> > pfmt_ploop1 6320 9
>>>>> >> > ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>> >> > simfs 4448 0
>>>>> >> > vzrst 196693 0
>>>>> >> > vzcpt 148911 1 vzrst
>>>>> >> > nfs 442438 3 pio_nfs,vzrst,vzcpt
>>>>> >> > lockd 77189 2 vzrst,nfs
>>>>> >> > fscache 55684 1 nfs
>>>>> >> > auth_rpcgss 44949 1 nfs
>>>>> >> > nfs_acl 2663 1 nfs
>>>>> >> > sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>> >> > vziolimit 3719 0
>>>>> >> > vzmon 24462 8 vznetdev,vzrst,vzcpt
>>>>> >> > ip6table_mangle 3669 0
>>>>> >> > nf_nat_ftp 3523 0
>>>>> >> > nf_conntrack_ftp 12929 1 nf_nat_ftp
>>>>> >> > iptable_nat 6302 1
>>>>> >> > nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>> >> > xt_length 1338 0
>>>>> >> > xt_hl 1547 0
>>>>> >> > xt_tcpmss 1623 0
>>>>> >> > xt_TCPMSS 3461 1
>>>>> >> > iptable_mangle 3493 0
>>>>> >> > xt_multiport 2716 0
>>>>> >> > xt_limit 2134 0
>>>>> >> > nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>>>> >> > nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>>>> >> > ipt_LOG 6405 0
>>>>> >> > xt_DSCP 2849 0
>>>>> >> > xt_dscp 2073 0
>>>>> >> > ipt_REJECT 2399 12
>>>>> >> > tun 19157 0
>>>>> >> > xt_owner 2258 0
>>>>> >> > vzdquota 55339 0 [permanent]
>>>>> >> > vzevent 2179 1
>>>>> >> > vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>> >> > iptable_filter 2937 5
>>>>> >> > ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>>>>> >> > ip6t_REJECT 4711 2
>>>>> >> > nf_conntrack_ipv6 8353 2
>>>>> >> > nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>>>> >> > xt_state 1508 4
>>>>> >> > nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>> >> > ip6table_filter 3033 1
>>>>> >> > ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>>>> >> > ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>> >> > iTCO_wdt 7147 0
>>>>> >> > iTCO_vendor_support 3072 1 iTCO_wdt
>>>>> >> > i2c_i801 11375 0
>>>>> >> > i2c_core 31084 1 i2c_i801
>>>>> >> > sg 29446 0
>>>>> >> > lpc_ich 12819 0
>>>>> >> > mfd_core 1911 1 lpc_ich
>>>>> >> > e1000e 267426 0
>>>>> >> > ptp 9614 1 e1000e
>>>>> >> > pps_core 11490 1 ptp
>>>>> >> > ext4 419456 11
>>>>> >> > jbd2 93779 1 ext4
>>>>> >> > mbcache 8209 1 ext4
>>>>> >> > sd_mod 39005 6
>>>>> >> > crc_t10dif 1557 1 sd_mod
>>>>> >> > ahci 42263 4
>>>>> >> > video 20978 0
>>>>> >> > output 2425 1 video
>>>>> >> > dm_mirror 14432 0
>>>>> >> > dm_region_hash 12101 1 dm_mirror
>>>>> >> > dm_log 9946 2 dm_mirror,dm_region_hash
>>>>> >> > dm_mod 84369 19 dm_mirror,dm_log
>>>>> >> >
>>>>> >> > On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>> >> > <pavel.odintsov at gmail.com> wrote:
>>>>> >> >> Hello!
>>>>> >> >>
>>>>> >> >> IPsec should work from 84.8 kernel according to
>>>>> >> >> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>> >> >> only in 84.10:
>>>>> >> >> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>> >> >>
>>>>> >> >> Did you restart CT after loading kernel modules for l2tp?
>>>>> >> >>
>>>>> >> >> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>>>> >> >>> Ok I gave your suggestion a shot, using your link through Google
>>>>> >> >>> translate and
>>>>> >> >>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>> >> >>> for comparison.
>>>>> >> >>>
>>>>> >> >>> Everything seems to go well until the 'ipsec verify' part when it
>>>>> >> >>> says:
>>>>> >> >>>
>>>>> >> >>> [root at vps1418 /]# ipsec verify
>>>>> >> >>> Checking your system to see if IPsec got installed and started
>>>>> >> >>> correctly:
>>>>> >> >>> Version check and ipsec on-path [OK]
>>>>> >> >>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>> >> >>> Checking for IPsec support in kernel
>>>>> >> >>> [FAILED]
>>>>> >> >>> SAref kernel support [N/A]
>>>>> >> >>> Checking that pluto is running [OK]
>>>>> >> >>> Pluto listening for IKE on udp 500
>>>>> >> >>> [FAILED]
>>>>> >> >>> Pluto listening for NAT-T on udp 4500
>>>>> >> >>> [FAILED]
>>>>> >> >>> Checking for 'ip' command [OK]
>>>>> >> >>> Checking /bin/sh is not /bin/dash [OK]
>>>>> >> >>> Checking for 'iptables' command [OK]
>>>>> >> >>> Opportunistic Encryption Support
>>>>> >> >>> [DISABLED]
>>>>> >> >>>
>>>>> >> >>> I think the biggest problem here is the "Checking for IPsec support
>>>>> >> >>> in
>>>>> >> >>> kernel"?
>>>>> >> >>>
>>>>> >> >>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>> >> >>> supposedly ipsec support should be in kernels after stab084?
>>>>> >> >>>
>>>>> >> >>>
>>>>> >> >>>
>>>>> >> >>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>> >> >>> <pavel.odintsov at gmail.com> wrote:
>>>>> >> >>>> Hello!
>>>>> >> >>>>
>>>>> >> >>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>>>> >> >>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>> >> >>>> (sorry, this manual is in Russian, but it's very simple). It's
>>>>> >> >>>> very usable because you do not need any special clients on
>>>>> >> >>>> Windows hosts. Maybe you can try this?
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion
>>>>> >> >>>> <zoobab at gmail.com>
>>>>> >> >>>> wrote:
>>>>> >> >>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com>
>>>>> >> >>>>> wrote:
>>>>> >> >>>>>> I got the openvpn part itself down, no problem, but getting it
>>>>> >> >>>>>> to
>>>>> >> >>>>>> work
>>>>> >> >>>>>> in a container is a lot of hassle. Many pages, but most are
>>>>> >> >>>>>> outdated
>>>>> >> >>>>>> and things keep changing. Anyone know how to get it to work
>>>>> >> >>>>>> TODAY?
>>>>> >> >>>>>>
>>>>> >> >>>>>> The server is an otherwise normal server with public ip
>>>>> >> >>>>>> addresses
>>>>> >> >>>>>> and
>>>>> >> >>>>>> works with cpanel, no problem that far. The problem is getting
>>>>> >> >>>>>> an
>>>>> >> >>>>>> openvpn service to work in it.
>>>>> >> >>>>>>
>>>>> >> >>>>>> I've already added the tun device, and I can connect to the
>>>>> >> >>>>>> server
>>>>> >> >>>>>> with the openvpn client, just can't continue from there, so some
>>>>> >> >>>>>> routing is missing.
>>>>> >> >>>>>>
>>>>> >> >>>>>> I've followed the general routing instructions but because
>>>>> >> >>>>>> openvz
>>>>> >> >>>>>> doesn't support MASQ it doesn't work.
>>>>> >> >>>>>>
>>>>> >> >>>>>> - which modules to insmod on the hwnode
>>>>> >> >>>>>
>>>>> >> >>>>> Just make sure "tun" is present in lsmod.
>>>>> >> >>>>>
>>>>> >> >>>>>> - which modules to add into /etc/vz/vz.conf
>>>>> >> >>>>>
>>>>> >> >>>>> The same. "tun" should be part of the list of modules in vz.conf,
>>>>> >> >>>>> so
>>>>> >> >>>>> it gets loaded at vz start.
>>>>> >> >>>>>
>>>>> >> >>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>> >> >>>>>
>>>>> >> >>>>> And for the CTID you want to run openvpn access in:
>>>>> >> >>>>>
>>>>> >> >>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>> >> >>>>>
>>>>> >> >>>>> Can you provide openvpn-client debug messages?
>>>>> >> >>>>>
>>>>> >> >>>>> --
>>>>> >> >>>>> Benjamin Henrion <bhenrion at ffii.org>
>>>>> >> >>>>> FFII Brussels - +32-484-566109 - +32-2-4148403
>>>>> >> >>>>> "In July 2005, after several failed attempts to legalise software
>>>>> >> >>>>> patents in Europe, the patent establishment changed its strategy.
>>>>> >> >>>>> Instead of explicitly seeking to sanction the patentability of
>>>>> >> >>>>> software, they are now seeking to create a central European
>>>>> >> >>>>> patent
>>>>> >> >>>>> court, which would establish and enforce patentability rules in
>>>>> >> >>>>> their
>>>>> >> >>>>> favor, without any possibility of correction by competing courts
>>>>> >> >>>>> or
>>>>> >> >>>>> democratically elected legislators."
>>>>> >> >>>>> _______________________________________________
>>>>> >> >>>>> Users mailing list
>>>>> >> >>>>> Users at openvz.org
>>>>> >> >>>>> https://lists.openvz.org/mailman/listinfo/users
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>>
>>>>> >> >>>> --
>>>>> >> >>>> Sincerely yours, Pavel Odintsov
>>>>> >> >>
>>>>> >> >>
>>>>> >> >>
>>>>> >> >> --
>>>>> >> >> Sincerely yours, Pavel Odintsov
>>>
>>>
>>>
>>> --
>>> Sincerely yours, Pavel Odintsov
--
Sincerely yours, Pavel Odintsov
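An added diagnostic, not code from the thread or from any of its participants: a POSIX shell check that reports which of the modules the thread's lsmod loop looks for are absent from lsmod output, matching the module name column exactly instead of with substring grep, and that tests whether modules.dep exists for a given kernel version, the file the quoted ipsec_setup error could not open. The REQUIRED_MODULES list, the sample lsmod text and the RUN_LIVE switch are constructed here for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): list required modules that are NOT loaded
# and check for modules.dep, to narrow down "ipsec verify"/"ipsec_setup" failures.

# Modules the thread's lsmod loop checks for (tun for OpenVPN, ppp/l2tp/xfrm/esp for L2TP/IPsec).
REQUIRED_MODULES="tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4"

# missing_modules LSMOD_TEXT
# Prints, one per line, the required modules absent from the given lsmod output.
# Compares the first column exactly, so "ppp" cannot falsely match "pppol2tp".
missing_modules() {
    lsmod_text=$1
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$lsmod_text" | awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' \
            || printf '%s\n' "$m"
    done
}

# modules_dep_present ROOT KVER
# Returns 0 if ROOT/lib/modules/KVER/modules.dep exists (the file ipsec_setup opens), else 1.
modules_dep_present() {
    [ -f "$1/lib/modules/$2/modules.dep" ]
}

# Constructed sample lsmod output, modelled on the thread, with esp4 and xfrm_ipcomp left out.
SAMPLE_LSMOD='Module                  Size  Used by
xfrm4_mode_tunnel       2019  0
tun                    19157  0
ppp_async               7874  0
ppp_generic            25400  3 pppol2tp,pppox,ppp_async
pppol2tp               22749  0
pppox                   2712  1 pppol2tp
xfrm4_mode_transport    1465  0'

# Stand-alone run against the live system (assumed switch; meaningful on the hardware node).
if [ "${RUN_LIVE:-0}" = 1 ]; then
    missing_modules "$(lsmod)"
    modules_dep_present / "$(uname -r)" || echo "modules.dep missing for $(uname -r)"
else
    echo "Missing from sample lsmod:"
    missing_modules "$SAMPLE_LSMOD"
fi
```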