[Users] openvpn in openvz
Rene C.
openvz at dokbua.com
Fri Jun 27 01:54:40 PDT 2014
Please disregard the small version difference (stab090.3 vs stab090.4)
- I am testing on two different servers with minor differences in the
kernel installed. The one throwing the 090.3 error actually runs the
090.3 kernel. Sorry for the inconsistency.
On Fri, Jun 27, 2014 at 3:27 PM, Ian <openvz_list at fishnet.co.uk> wrote:
> On 26/06/2014 18:52, Rene C. wrote:
>> Going through the whole thing again I fell over this fatal error
>> during the ipsec restart:
>>
>> ipsec_setup: FATAL: Could not load
>> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
>> directory
>>
>> I installed both openswan and xl2tpd through yum (epel repo) but neither
>> seems to add anything to /lib/modules. What am I missing?
>
> Hi,
>
> I get this error a lot between kernel upgrades when using iptables
> within containers. I found the fix is to make the directory it's
> complaining about first, then run depmod -a (all from within the container):
>
> # mkdir -p /lib/modules/2.6.32-042stab090.3/
> # depmod -a
>
> Can someone shed a light on why this error occurs?
>
> It is complaining about a previous kernel version here (Rene states that
> stab090.4 is installed below).
>
> Regards
>
> Ian
> --
>
>>
>>
>> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <openvz at dokbua.com> wrote:
>>> I already upgraded the kernel to the latest before the last test:
>>>
>>> [root at server14 ~]# uname -a
>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>
>>> Sorry if I didn't make that very clear
>>>
>>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>>> <pavel.odintsov at gmail.com> wrote:
>>>> Hello!
>>>>
>>>> I'm not sure about your problems, but we have a few production
>>>> installations with this configuration. But we use only up-to-date
>>>> kernels like the 90.x series. What kernel did you use for the tests?
>>>>
>>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>
>>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>>> secure and more compatible with both windows and android clients than
>>>>>> openvpn.
>>>>>
>>>>>
>>>>>
>>>>> 'more secure' ?
>>>>>
>>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>>
>>>>> There are clients for both android and windows for OpenVPN.
>>>>>
>>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>>> too.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I still get the "Checking for IPsec support in kernel
>>>>>> [FAILED]" error from the check, although the latest openvz
>>>>>> kernel is now installed.
>>>>>>
>>>>>> What can we do to narrow down the cause of this?
>>>>>
>>>>>
>>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>>> guy who suggested the ipsec setup.
>>>>>
>>>>>>
>>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>>>>
>>>>>>>> Sorry, still stuck:
>>>>>>>
>>>>>>>
>>>>>>> Did you try the OpenVPN configuration that I suggested?
>>>>>>>
>>>>>>> About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>>>>>
>>>>>>>>
>>>>>>>> [root at server14 ~]# uname -a
>>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>>>>>> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>>> [root at server14 ~]# for x in tun ppp_async pppol2tp
>>>>>>>> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>>>>>>>> grep $x; done
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> tun 19157 0
>>>>>>>> ppp_async 7874 0
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>> pppol2tp 22749 0
>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> xfrm4_mode_transport 1465 0
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>> esp4 5406 0
>>>>>>>> [root at server14 ~]# vzctl enter 1418
>>>>>>>> entered into CT 1418
>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>> correctly:
>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>>> SAref kernel support [N/A]
>>>>>>>> Checking that pluto is running [OK]
>>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>>
>>>>>>>> What am I missing?
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>> Yep, rebooted the container.
>>>>>>>>>
>>>>>>>>> Here's the modules present:
>>>>>>>>>
>>>>>>>>> [root at server18 ~]# lsmod
>>>>>>>>> Module Size Used by
>>>>>>>>> esp4 5406 0
>>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>>> pppol2tp 22749 0
>>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>>> ppp_async 7874 0
>>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>>> slhc 5821 1 ppp_generic
>>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>>> vzethdev 8221 0
>>>>>>>>> vznetdev 18952 10
>>>>>>>>> pio_nfs 17576 0
>>>>>>>>> pio_direct 28261 9
>>>>>>>>> pfmt_raw 3213 0
>>>>>>>>> pfmt_ploop1 6320 9
>>>>>>>>> ploop 116096 23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>>> simfs 4448 0
>>>>>>>>> vzrst 196693 0
>>>>>>>>> vzcpt 148911 1 vzrst
>>>>>>>>> nfs 442438 3 pio_nfs,vzrst,vzcpt
>>>>>>>>> lockd 77189 2 vzrst,nfs
>>>>>>>>> fscache 55684 1 nfs
>>>>>>>>> auth_rpcgss 44949 1 nfs
>>>>>>>>> nfs_acl 2663 1 nfs
>>>>>>>>> sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>>> vziolimit 3719 0
>>>>>>>>> vzmon 24462 8 vznetdev,vzrst,vzcpt
>>>>>>>>> ip6table_mangle 3669 0
>>>>>>>>> nf_nat_ftp 3523 0
>>>>>>>>> nf_conntrack_ftp 12929 1 nf_nat_ftp
>>>>>>>>> iptable_nat 6302 1
>>>>>>>>> nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>>> xt_length 1338 0
>>>>>>>>> xt_hl 1547 0
>>>>>>>>> xt_tcpmss 1623 0
>>>>>>>>> xt_TCPMSS 3461 1
>>>>>>>>> iptable_mangle 3493 0
>>>>>>>>> xt_multiport 2716 0
>>>>>>>>> xt_limit 2134 0
>>>>>>>>> nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>>>>>>>> nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>>>>>>>> ipt_LOG 6405 0
>>>>>>>>> xt_DSCP 2849 0
>>>>>>>>> xt_dscp 2073 0
>>>>>>>>> ipt_REJECT 2399 12
>>>>>>>>> tun 19157 0
>>>>>>>>> xt_owner 2258 0
>>>>>>>>> vzdquota 55339 0 [permanent]
>>>>>>>>> vzevent 2179 1
>>>>>>>>> vzdev 2733 5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>>> iptable_filter 2937 5
>>>>>>>>> ip_tables 18119 3 iptable_nat,iptable_mangle,iptable_filter
>>>>>>>>> ip6t_REJECT 4711 2
>>>>>>>>> nf_conntrack_ipv6 8353 2
>>>>>>>>> nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>>>>>>>> xt_state 1508 4
>>>>>>>>> nf_conntrack 80313 9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>>> ip6table_filter 3033 1
>>>>>>>>> ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>>>>>>>> ipv6 322874 1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>>> iTCO_wdt 7147 0
>>>>>>>>> iTCO_vendor_support 3072 1 iTCO_wdt
>>>>>>>>> i2c_i801 11375 0
>>>>>>>>> i2c_core 31084 1 i2c_i801
>>>>>>>>> sg 29446 0
>>>>>>>>> lpc_ich 12819 0
>>>>>>>>> mfd_core 1911 1 lpc_ich
>>>>>>>>> e1000e 267426 0
>>>>>>>>> ptp 9614 1 e1000e
>>>>>>>>> pps_core 11490 1 ptp
>>>>>>>>> ext4 419456 11
>>>>>>>>> jbd2 93779 1 ext4
>>>>>>>>> mbcache 8209 1 ext4
>>>>>>>>> sd_mod 39005 6
>>>>>>>>> crc_t10dif 1557 1 sd_mod
>>>>>>>>> ahci 42263 4
>>>>>>>>> video 20978 0
>>>>>>>>> output 2425 1 video
>>>>>>>>> dm_mirror 14432 0
>>>>>>>>> dm_region_hash 12101 1 dm_mirror
>>>>>>>>> dm_log 9946 2 dm_mirror,dm_region_hash
>>>>>>>>> dm_mod 84369 19 dm_mirror,dm_log
>>>>>>>>>
>>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> IPsec should work from 84.8 kernel according to
>>>>>>>>>> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>>>>>>> only in 84.10:
>>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>>
>>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>>
>>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>>> Ok I gave your suggestion a shot, using your link through Google
>>>>>>>>>>> translate and
>>>>>>>>>>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>>> for comparison.
>>>>>>>>>>>
>>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it
>>>>>>>>>>> says:
>>>>>>>>>>>
>>>>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>>>>> correctly:
>>>>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>>>>>> SAref kernel support [N/A]
>>>>>>>>>>> Checking that pluto is running [OK]
>>>>>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>>>>>
>>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support
>>>>>>>>>>> in kernel"?
>>>>>>>>>>>
>>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>>>> Hello!
>>>>>>>>>>>>
>>>>>>>>>>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>>> (sorry, this manual is in Russian, but it's very simple). It's
>>>>>>>>>>>> very usable because you do not need any special clients on
>>>>>>>>>>>> Windows hosts. Maybe you can try this?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion <zoobab at gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it
>>>>>>>>>>>>>> to work in a container is a lot of hassle. Many pages, but most
>>>>>>>>>>>>>> are outdated and things keep changing. Anyone know how to get it
>>>>>>>>>>>>>> to work TODAY?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The server is an otherwise normal server with public ip addresses
>>>>>>>>>>>>>> and works with cpanel, no problem that far. The problem is getting
>>>>>>>>>>>>>> an openvpn service to work in it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've already added the tun device, and I can connect to the server
>>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the general routing instructions but because openvz
>>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf,
>>>>>>>>>>>>> so it gets loaded at vz start.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> And for the CTID you want to run openvpn in:
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
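Added by the editor, not code from this thread or from the OpenVZ or Openswan projects: a small POSIX shell script that folds Ian's modules.dep workaround and the checks the thread keeps returning to (the tun device node, kernel IPsec support as `ipsec verify` sees it, and pluto's UDP ports) into one diagnostic to run inside the container. It assumes that Openswan's "Checking for IPsec support in kernel" line is a test for /proc/net/pfkey, which the af_key module provides once it is loaded on the hardware node; the ROOT prefix argument, the function names, the CT_DOCTOR_RUN variable and the sample `ss -lun` listing are the editor's own, there so the functions can be exercised against a scratch directory instead of a live CT.

```shell
#!/bin/sh
# ct-doctor.sh - editor-written checks for OpenVPN / Openswan inside an OpenVZ
# container. Not from the thread, OpenVZ or Openswan.
# Assumptions not stated on the page:
#  - "Checking for IPsec support in kernel" in `ipsec verify` is a test for
#    /proc/net/pfkey, which appears once af_key is loaded on the hardware node;
#  - every path takes a ROOT prefix ("" for the real container) so the
#    functions can be tried against a scratch directory.

# Ian's workaround, made idempotent. A container cannot load modules itself
# (they are loaded on the hardware node); it only needs modules.dep to exist
# for the running kernel so ipsec_setup / modprobe stop aborting with
# "Could not load .../modules.dep". Returns 0 when the file exists afterwards.
ensure_modules_dep() {
    root=$1
    kver=${2:-$(uname -r)}
    dir="$root/lib/modules/$kver"
    dep="$dir/modules.dep"
    if [ -f "$dep" ]; then
        echo "ok: $dep already present"
        return 0
    fi
    mkdir -p "$dir" || return 1
    # depmod writes an (empty) modules.dep for an empty tree; if depmod is
    # absent or refuses, an empty file is still enough to stop the FATAL.
    if command -v depmod >/dev/null 2>&1; then
        if [ -n "$root" ]; then
            depmod -b "$root" -a "$kver" 2>/dev/null || true
        else
            depmod -a "$kver" 2>/dev/null || true
        fi
    fi
    [ -f "$dep" ] || : > "$dep"
    echo "fixed: created $dep"
    [ -f "$dep" ]
}

# Device node openvpn needs. It is granted from the hardware node
# (openvz.org/VPN_via_the_TUN/TAP_device, linked in the thread); a plain file
# or nothing at all here means the grant did not take.
check_tun() {
    root=$1
    if [ -c "$root/dev/net/tun" ]; then
        echo "ok: /dev/net/tun is a character device"
    else
        echo "FAIL: /dev/net/tun missing or not a char device; grant it from the HN"
        return 1
    fi
}

# Assumed equivalent of Openswan's kernel-support check: the esp4/xfrm modules
# in the thread's lsmod output are not what the check looks at, af_key is.
check_netkey() {
    root=$1
    if [ -e "$root/proc/net/pfkey" ]; then
        echo "ok: /proc/net/pfkey visible, NETKEY usable from this CT"
    else
        echo "FAIL: no /proc/net/pfkey; load af_key on the hardware node"
        return 1
    fi
}

# Parse "ss -lun" (or "netstat -lun") output for pluto's IKE (500) and
# NAT-T (4500) sockets. Takes the listing as its argument so it can be run
# against captured output. Returns 0 only when both ports are bound.
pluto_listening() {
    listing=$1
    rc=0
    for port in 500 4500; do
        if printf '%s\n' "$listing" | grep -Eq "[:.]$port[[:space:]]"; then
            echo "ok: udp/$port is bound"
        else
            echo "FAIL: nothing listening on udp/$port (pluto not up?)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of "ss -lun" output (not captured from any real host),
# for trying pluto_listening offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0      0      *:500              *:*
UNCONN 0      0      *:4500             *:*'

# Run every check against ROOT (default: the real container).
ct_doctor() {
    root=${1:-}
    rc=0
    ensure_modules_dep "$root" || rc=1
    check_tun "$root" || rc=1
    check_netkey "$root" || rc=1
    if command -v ss >/dev/null 2>&1; then
        pluto_listening "$(ss -lun 2>/dev/null)" || rc=1
    fi
    return $rc
}

if [ "${CT_DOCTOR_RUN:-0}" = 1 ]; then
    ct_doctor ""
fi
```

Run it as `CT_DOCTOR_RUN=1 sh ct-doctor.sh` from inside the container, as root. The modules.dep it creates is empty on purpose: a container cannot load modules, the file only stops ipsec_setup from aborting, so a FAIL from check_netkey still has to be fixed on the hardware node (modprobe af_key there, and make it persistent the same way the thread does for tun) and then the container restarted, as Pavel asks about above.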