[Users] openvpn in openvz
Ian
openvz_list at fishnet.co.uk
Fri Jun 27 01:27:26 PDT 2014
On 26/06/2014 18:52, Rene C. wrote:
> Going through the whole thing again I fell over this fatal error
> during the ipsec restart:
>
> ipsec_setup: FATAL: Could not load
> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
> directory
>
> I installed both openswan and xl2tpd through yum (epel repo) but neither
> seems to add anything to /lib/modules. What am I missing?
Hi,
I get this error a lot between kernel upgrades when using iptables
within containers. I found the fix is to make the directory it's
complaining about first, then run depmod -a (all from within the container):
# mkdir -p /lib/modules/2.6.32-042stab090.3/
# depmod -a
Can someone shed a light on why this error occurs?
It is complaining about a previous kernel version here (Rene states that
stab090.4 is installed below).
Regards
Ian
--
>
>
> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <openvz at dokbua.com> wrote:
>> I already upgraded the kernel to the latest before the last test:
>>
>> [root at server14 ~]# uname -a
>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>
>> Sorry if I didn't make that very clear
>>
>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>> <pavel.odintsov at gmail.com> wrote:
>>> Hello!
>>>
>>> I'm not sure about your problems but we have a few production
>>> installations with this configuration. But we use only up-to-date
>>> kernels like the 90.x series. What kernel did you use for tests?
>>>
>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>
>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>> secure and more compatible with both Windows and Android clients than
>>>>> openvpn.
>>>>
>>>>
>>>>
>>>> 'more secure'?
>>>>
>>>> Did you audit the OpenVPN/OpenSSL code? How can you say so?
>>>>
>>>> There are clients for both android and windows for OpenVPN.
>>>>
>>>> Anyways, if you've decided to go with IPSec, go ahead with it; it should work
>>>> too.
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> I still get the "Checking for IPsec support in kernel
>>>>> [FAILED]" error from the check, although the latest openvz
>>>>> kernel is now installed.
>>>>>
>>>>> What can we do to narrow down the cause of this?
>>>>
>>>>
>>>> tbh, I have no idea, I've had no experience with IPSec setup on OpenVZ; ask the
>>>> guy who suggested the ipsec setup.
>>>>
>>>>>
>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>>>
>>>>>>> Sorry, still stuck:
>>>>>>
>>>>>>
>>>>>> Did you try OpenVPN configuration that I've suggested?
>>>>>>
>>>>>> About IPSEC: not sure; checking your syslog logs might give you some tips.
>>>>>>>
>>>>>>>
>>>>>>> [root at server14 ~]# uname -a
>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>>>>> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>> [root at server14 ~]# for x in tun ppp_async pppol2tp xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod | grep $x; done
>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>> tun 19157 0
>>>>>>> ppp_async 7874 0
>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>> pppol2tp 22749 0
>>>>>>> pppox 2712 1 pppol2tp
>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>> xfrm4_mode_transport 1465 0
>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>> xfrm_ipcomp 4626 0
>>>>>>> esp4 5406 0
>>>>>>> [root at server14 ~]# vzctl enter 1418
>>>>>>> entered into CT 1418
>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>> Version check and ipsec on-path [OK]
>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>> SAref kernel support [N/A]
>>>>>>> Checking that pluto is running [OK]
>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>> Checking for 'ip' command [OK]
>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>> Checking for 'iptables' command [OK]
>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>
>>>>>>> What am I missing?
>>>>>>>
>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>> Yep, rebooted the container.
>>>>>>>>
>>>>>>>> Here's the modules present:
>>>>>>>>
>>>>>>>> [root at server18 ~]# lsmod
>>>>>>>> Module Size Used by
>>>>>>>> esp4 5406 0
>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> pppol2tp 22749 0
>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>> ppp_async 7874 0
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> slhc 5821 1 ppp_generic
>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>> vzethdev 8221 0
>>>>>>>> vznetdev 18952 10
>>>>>>>> pio_nfs 17576 0
>>>>>>>> pio_direct 28261 9
>>>>>>>> pfmt_raw 3213 0
>>>>>>>> pfmt_ploop1 6320 9
>>>>>>>> ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>> simfs 4448 0
>>>>>>>> vzrst 196693 0
>>>>>>>> vzcpt 148911 1 vzrst
>>>>>>>> nfs 442438 3 pio_nfs,vzrst,vzcpt
>>>>>>>> lockd 77189 2 vzrst,nfs
>>>>>>>> fscache 55684 1 nfs
>>>>>>>> auth_rpcgss 44949 1 nfs
>>>>>>>> nfs_acl 2663 1 nfs
>>>>>>>> sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>> vziolimit 3719 0
>>>>>>>> vzmon 24462 8 vznetdev,vzrst,vzcpt
>>>>>>>> ip6table_mangle 3669 0
>>>>>>>> nf_nat_ftp 3523 0
>>>>>>>> nf_conntrack_ftp 12929 1 nf_nat_ftp
>>>>>>>> iptable_nat 6302 1
>>>>>>>> nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>> xt_length 1338 0
>>>>>>>> xt_hl 1547 0
>>>>>>>> xt_tcpmss 1623 0
>>>>>>>> xt_TCPMSS 3461 1
>>>>>>>> iptable_mangle 3493 0
>>>>>>>> xt_multiport 2716 0
>>>>>>>> xt_limit 2134 0
>>>>>>>> nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>>>>>>> nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>>>>>>> ipt_LOG 6405 0
>>>>>>>> xt_DSCP 2849 0
>>>>>>>> xt_dscp 2073 0
>>>>>>>> ipt_REJECT 2399 12
>>>>>>>> tun 19157 0
>>>>>>>> xt_owner 2258 0
>>>>>>>> vzdquota 55339 0 [permanent]
>>>>>>>> vzevent 2179 1
>>>>>>>> vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>> iptable_filter 2937 5
>>>>>>>> ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>>>>>>>> ip6t_REJECT 4711 2
>>>>>>>> nf_conntrack_ipv6 8353 2
>>>>>>>> nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>>>>>>> xt_state 1508 4
>>>>>>>> nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>> ip6table_filter 3033 1
>>>>>>>> ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>>>>>>> ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>> iTCO_wdt 7147 0
>>>>>>>> iTCO_vendor_support 3072 1 iTCO_wdt
>>>>>>>> i2c_i801 11375 0
>>>>>>>> i2c_core 31084 1 i2c_i801
>>>>>>>> sg 29446 0
>>>>>>>> lpc_ich 12819 0
>>>>>>>> mfd_core 1911 1 lpc_ich
>>>>>>>> e1000e 267426 0
>>>>>>>> ptp 9614 1 e1000e
>>>>>>>> pps_core 11490 1 ptp
>>>>>>>> ext4 419456 11
>>>>>>>> jbd2 93779 1 ext4
>>>>>>>> mbcache 8209 1 ext4
>>>>>>>> sd_mod 39005 6
>>>>>>>> crc_t10dif 1557 1 sd_mod
>>>>>>>> ahci 42263 4
>>>>>>>> video 20978 0
>>>>>>>> output 2425 1 video
>>>>>>>> dm_mirror 14432 0
>>>>>>>> dm_region_hash 12101 1 dm_mirror
>>>>>>>> dm_log 9946 2 dm_mirror,dm_region_hash
>>>>>>>> dm_mod 84369 19 dm_mirror,dm_log
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>> Hello!
>>>>>>>>>
>>>>>>>>> IPsec should work from the 84.8 kernel according to
>>>>>>>>> https://openvz.org/IPsec but I found an explicit reference to IPsec
>>>>>>>>> only in 84.10:
>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>
>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>
>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>> Ok, I gave your suggestion a shot, using your link through Google
>>>>>>>>>> Translate and http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>> for comparison.
>>>>>>>>>>
>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it says:
>>>>>>>>>>
>>>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>>>> Checking your system to see if IPsec got installed and started correctly:
>>>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>>>>> SAref kernel support [N/A]
>>>>>>>>>> Checking that pluto is running [OK]
>>>>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>>>>
>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support
>>>>>>>>>> in kernel"?
>>>>>>>>>>
>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>>> Hello!
>>>>>>>>>>>
>>>>>>>>>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>> (sorry, this manual is in Russian but it's very simple). It's
>>>>>>>>>>> very usable because you do not need any special clients on Windows
>>>>>>>>>>> hosts. Maybe you can try this?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com> wrote:
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it to
>>>>>>>>>>>>> work in a container is a lot of hassle. Many pages, but most are
>>>>>>>>>>>>> outdated and things keep changing. Anyone know how to get it to
>>>>>>>>>>>>> work TODAY?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The server is an otherwise normal server with public ip addresses
>>>>>>>>>>>>> and works with cpanel, no problem that far. The problem is getting
>>>>>>>>>>>>> an openvpn service to work in it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've already added the tun device, and I can connect to the server
>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I've followed the general routing instructions but because openvz
>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>
>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>
>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf,
>>>>>>>>>>>> so it gets loaded at vz start.
>>>>>>>>>>>>
>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>
>>>>>>>>>>>> And then for the CTID you want to run openvpn access in:
>>>>>>>>>>>>
>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>
>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>