[Users] openvpn in openvz

Rene C. openvz at dokbua.com
Fri Jun 27 02:05:56 PDT 2014


Thanks for the input!  I didn't see that mentioned anywhere before.
After creating the directory and running depmod -a, the directory now
has some content.

root at vps1703 [/]# ll /lib/modules/2.6.32-042stab090.3/
total 48
drwxr-xr-x 2 root root 4096 Jun 27 16:02 ./
drwxr-xr-x 3 root root 4096 Jun 27 01:17 ../
-rw-r--r-- 1 root root   45 Jun 27 16:02 modules.alias
-rw-r--r-- 1 root root   69 Jun 27 16:02 modules.ccwmap
-rw-r--r-- 1 root root    0 Jun 27 16:02 modules.dep
-rw-r--r-- 1 root root   73 Jun 27 16:02 modules.ieee1394map
-rw-r--r-- 1 root root  141 Jun 27 16:02 modules.inputmap
-rw-r--r-- 1 root root   81 Jun 27 16:02 modules.isapnpmap
-rw-r--r-- 1 root root   74 Jun 27 16:02 modules.ofmap
-rw-r--r-- 1 root root   99 Jun 27 16:02 modules.pcimap
-rw-r--r-- 1 root root   43 Jun 27 16:02 modules.seriomap
-rw-r--r-- 1 root root   49 Jun 27 16:02 modules.symbols
-rw-r--r-- 1 root root  189 Jun 27 16:02 modules.usbmap

Unfortunately the net result is unchanged:

root at vps1703 [/]#  ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: multiple ip addresses, using  127.0.0.1 on venet0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
root at vps1703 [/]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel                         [FAILED]
 SAref kernel support                                       [N/A]
Checking that pluto is running                               [OK]
 Pluto listening for IKE on udp 500                         [FAILED]
 Pluto listening for NAT-T on udp 4500                       [FAILED]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                             [DISABLED]
root at vps1703 [/]#




On Fri, Jun 27, 2014 at 3:27 PM, Ian <openvz_list at fishnet.co.uk> wrote:
> On 26/06/2014 18:52, Rene C. wrote:
>> Going through the whole thing again I fell over this fatal error
>> during the ipsec restart:
>>
>> ipsec_setup: FATAL: Could not load
>> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
>> directory
>>
>> I installed both openswan and xl2tpd through yum (epel repo) but neither
>> seems to add anything to /lib/modules. What am I missing?
>
> Hi,
>
> I get this error a lot between kernel upgrades when using iptables
> within containers.  I found the fix is to make the directory it's
> complaining about first, then run depmod -a (all from within the container):
>
> # mkdir -p /lib/modules/2.6.32-042stab090.3/
> # depmod -a
>
> Can someone shed a light on why this error occurs?
>
> It is complaining about a previous kernel version here (Rene states that
> stab090.4 is installed below).
>
> Regards
>
> Ian
> --
>
>>
>>
>> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <openvz at dokbua.com> wrote:
>>> I already upgraded the kernel to the latest before the last test:
>>>
>>> [root at server14 ~]# uname -a
>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>
>>> Sorry if I didn't make that very clear
>>>
>>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>>> <pavel.odintsov at gmail.com> wrote:
>>>> Hello!
>>>>
>>>> I'm not sure about your problems but we have a few production
>>>> installations with this configuration. But we use only up-to-date
>>>> kernels like the 90.x series. What kernel did you use for tests?
>>>>
>>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>
>>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>>> secure and more compatible with both windows and android clients than
>>>>>> openvpn.
>>>>>
>>>>>
>>>>>
>>>>> 'More secure'?
>>>>>
>>>>> Did you audit the OpenVPN/OpenSSL code? How can you say so?
>>>>>
>>>>> There are clients for both android and windows for OpenVPN.
>>>>>
>>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>>> too.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I still get the "Checking for IPsec support in kernel [FAILED]"
>>>>>> error from the check, although the latest openvz kernel is now
>>>>>> installed.
>>>>>>
>>>>>> What can we do to narrow down the cause of this?
>>>>>
>>>>>
>>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>>> guy who suggested the ipsec setup.
>>>>>
>>>>>>
>>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>>>>
>>>>>>>> Sorry, still stuck:
>>>>>>>
>>>>>>>
>>>>>>> Did you try OpenVPN configuration that I've suggested?
>>>>>>>
>>>>>>> About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>>>>>
>>>>>>>>
>>>>>>>> [root at server14 ~]# uname -a
>>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>>>>>> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>>> [root at server14 ~]# for x in tun ppp_async pppol2tp
>>>>>>>> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>>>>>>>> grep $x; done
>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>> tun                    19157  0
>>>>>>>> ppp_async               7874  0
>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>> crc_ccitt               1733  1 ppp_async
>>>>>>>> pppol2tp               22749  0
>>>>>>>> pppox                   2712  1 pppol2tp
>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>> xfrm4_mode_transport     1465  0
>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>> xfrm_ipcomp             4626  0
>>>>>>>> esp4                    5406  0
>>>>>>>> [root at server14 ~]# vzctl enter 1418
>>>>>>>> entered into CT 1418
>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>> correctly:
>>>>>>>> Version check and ipsec on-path                              [OK]
>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>> Checking for IPsec support in kernel                         [FAILED]
>>>>>>>>  SAref kernel support                                        [N/A]
>>>>>>>> Checking that pluto is running                               [OK]
>>>>>>>>  Pluto listening for IKE on udp 500                          [FAILED]
>>>>>>>>  Pluto listening for NAT-T on udp 4500                       [FAILED]
>>>>>>>> Checking for 'ip' command                                    [OK]
>>>>>>>> Checking /bin/sh is not /bin/dash                            [OK]
>>>>>>>> Checking for 'iptables' command                              [OK]
>>>>>>>> Opportunistic Encryption Support                             [DISABLED]
>>>>>>>>
>>>>>>>> What am I missing?
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>> Yep, rebooted the container.
>>>>>>>>>
>>>>>>>>> Here's the modules present:
>>>>>>>>>
>>>>>>>>> [root at server18 ~]# lsmod
>>>>>>>>> Module                  Size  Used by
>>>>>>>>> esp4                    5406  0
>>>>>>>>> xfrm_ipcomp             4626  0
>>>>>>>>> xfrm4_mode_tunnel       2019  0
>>>>>>>>> pppol2tp               22749  0
>>>>>>>>> pppox                   2712  1 pppol2tp
>>>>>>>>> ppp_async               7874  0
>>>>>>>>> ppp_generic            25400  3 pppol2tp,pppox,ppp_async
>>>>>>>>> slhc                    5821  1 ppp_generic
>>>>>>>>> crc_ccitt               1733  1 ppp_async
>>>>>>>>> vzethdev                8221  0
>>>>>>>>> vznetdev               18952  10
>>>>>>>>> pio_nfs                17576  0
>>>>>>>>> pio_direct             28261  9
>>>>>>>>> pfmt_raw                3213  0
>>>>>>>>> pfmt_ploop1             6320  9
>>>>>>>>> ploop                 116096  23 pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>>> simfs                   4448  0
>>>>>>>>> vzrst                 196693  0
>>>>>>>>> vzcpt                 148911  1 vzrst
>>>>>>>>> nfs                   442438  3 pio_nfs,vzrst,vzcpt
>>>>>>>>> lockd                  77189  2 vzrst,nfs
>>>>>>>>> fscache                55684  1 nfs
>>>>>>>>> auth_rpcgss            44949  1 nfs
>>>>>>>>> nfs_acl                 2663  1 nfs
>>>>>>>>> sunrpc                268245  6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>>> vziolimit               3719  0
>>>>>>>>> vzmon                  24462  8 vznetdev,vzrst,vzcpt
>>>>>>>>> ip6table_mangle         3669  0
>>>>>>>>> nf_nat_ftp              3523  0
>>>>>>>>> nf_conntrack_ftp       12929  1 nf_nat_ftp
>>>>>>>>> iptable_nat             6302  1
>>>>>>>>> nf_nat                 23213  3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>>> xt_length               1338  0
>>>>>>>>> xt_hl                   1547  0
>>>>>>>>> xt_tcpmss               1623  0
>>>>>>>>> xt_TCPMSS               3461  1
>>>>>>>>> iptable_mangle          3493  0
>>>>>>>>> xt_multiport            2716  0
>>>>>>>>> xt_limit                2134  0
>>>>>>>>> nf_conntrack_ipv4       9946  5 iptable_nat,nf_nat
>>>>>>>>> nf_defrag_ipv4          1531  1 nf_conntrack_ipv4
>>>>>>>>> ipt_LOG                 6405  0
>>>>>>>>> xt_DSCP                 2849  0
>>>>>>>>> xt_dscp                 2073  0
>>>>>>>>> ipt_REJECT              2399  12
>>>>>>>>> tun                    19157  0
>>>>>>>>> xt_owner                2258  0
>>>>>>>>> vzdquota               55339  0 [permanent]
>>>>>>>>> vzevent                 2179  1
>>>>>>>>> vzdev                   2733  5 vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>>> iptable_filter          2937  5
>>>>>>>>> ip_tables              18119  3 iptable_nat,iptable_mangle,iptable_filter
>>>>>>>>> ip6t_REJECT             4711  2
>>>>>>>>> nf_conntrack_ipv6       8353  2
>>>>>>>>> nf_defrag_ipv6         11188  1 nf_conntrack_ipv6
>>>>>>>>> xt_state                1508  4
>>>>>>>>> nf_conntrack           80313  9 vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>>> ip6table_filter         3033  1
>>>>>>>>> ip6_tables             18988  2 ip6table_mangle,ip6table_filter
>>>>>>>>> ipv6                  322874  1627 vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>>> iTCO_wdt                7147  0
>>>>>>>>> iTCO_vendor_support     3072  1 iTCO_wdt
>>>>>>>>> i2c_i801               11375  0
>>>>>>>>> i2c_core               31084  1 i2c_i801
>>>>>>>>> sg                     29446  0
>>>>>>>>> lpc_ich                12819  0
>>>>>>>>> mfd_core                1911  1 lpc_ich
>>>>>>>>> e1000e                267426  0
>>>>>>>>> ptp                     9614  1 e1000e
>>>>>>>>> pps_core               11490  1 ptp
>>>>>>>>> ext4                  419456  11
>>>>>>>>> jbd2                   93779  1 ext4
>>>>>>>>> mbcache                 8209  1 ext4
>>>>>>>>> sd_mod                 39005  6
>>>>>>>>> crc_t10dif              1557  1 sd_mod
>>>>>>>>> ahci                   42263  4
>>>>>>>>> video                  20978  0
>>>>>>>>> output                  2425  1 video
>>>>>>>>> dm_mirror              14432  0
>>>>>>>>> dm_region_hash         12101  1 dm_mirror
>>>>>>>>> dm_log                  9946  2 dm_mirror,dm_region_hash
>>>>>>>>> dm_mod                 84369  19 dm_mirror,dm_log
>>>>>>>>>
>>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> IPsec should work from 84.8 kernel according to
>>>>>>>>>> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>>>>>>> only in 84.10:
>>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>>
>>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>>
>>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>>> Ok I gave your suggestion a shot, using your link through Google
>>>>>>>>>>> translate and
>>>>>>>>>>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>>> for comparison.
>>>>>>>>>>>
>>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it
>>>>>>>>>>> says:
>>>>>>>>>>>
>>>>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>>>>> correctly:
>>>>>>>>>>> Version check and ipsec on-path                             [OK]
>>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>>> Checking for IPsec support in kernel                         [FAILED]
>>>>>>>>>>>  SAref kernel support                                       [N/A]
>>>>>>>>>>> Checking that pluto is running                               [OK]
>>>>>>>>>>>  Pluto listening for IKE on udp 500                         [FAILED]
>>>>>>>>>>>  Pluto listening for NAT-T on udp 4500                       [FAILED]
>>>>>>>>>>> Checking for 'ip' command                                   [OK]
>>>>>>>>>>> Checking /bin/sh is not /bin/dash                           [OK]
>>>>>>>>>>> Checking for 'iptables' command                             [OK]
>>>>>>>>>>> Opportunistic Encryption Support                             [DISABLED]
>>>>>>>>>>>
>>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support
>>>>>>>>>>> in kernel"?
>>>>>>>>>>>
>>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>>>> Hello!
>>>>>>>>>>>>
>>>>>>>>>>>> In modern versions of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>>> instead of OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>>> (sorry, this manual is in Russian but it's very simple). It's
>>>>>>>>>>>> very usable because you do not need any special clients on Windows
>>>>>>>>>>>> hosts. Maybe you can try this?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion
>>>>>>>>>>>> <zoobab at gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it to
>>>>>>>>>>>>>> work in a container is a lot of hassle. Many pages, but most are
>>>>>>>>>>>>>> outdated and things keep changing. Anyone know how to get it to
>>>>>>>>>>>>>> work TODAY?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The server is an otherwise normal server with public ip addresses
>>>>>>>>>>>>>> and works with cpanel, no problem that far. The problem is getting
>>>>>>>>>>>>>> an openvpn service to work in it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've already added the tun device, and I can connect to the server
>>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the general routing instructions but because openvz
>>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf,
>>>>>>>>>>>>> so it gets loaded at vz start.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> And for the CTID you want to run openvpn access in:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
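The thread keeps re-running `ipsec verify` inside the container and getting [FAILED] for kernel IPsec support and for Pluto's IKE/NAT-T sockets, even though esp4, xfrm_ipcomp and the xfrm4 modules are loaded on the hardware node and the tun module is present; Ian's mkdir + depmod -a step only cures the missing modules.dep, and the thread never establishes why the kernel check itself still fails. The script below is an added example, not code from the thread, from OpenVZ or from Openswan, that turns the individual conditions into container-side checks a practitioner can re-run after every kernel upgrade. Its assumptions: that Openswan's "Checking for IPsec support in kernel" amounts to the NETKEY interface /proc/net/pfkey being visible inside the CT (the hardware node having the modules loaded is not the same thing), that the IKE listeners can be read straight from /proc/net/udp (IPv4 only), and the hypothetical script name ct-vpn-check.sh. Every check takes a root prefix so it can be pointed at a constructed directory tree; the only function that touches the real system is fix_modules_dep, which reproduces Ian's fix and must be run as root inside the CT.

```shell
#!/bin/sh
# ct-vpn-check.sh: container-side pre-flight checks for Openswan/xl2tpd
# (and OpenVPN) inside an OpenVZ CT. Added example; not code from the
# mailing-list thread, OpenVZ or Openswan. Each check takes a root prefix
# (default "/") so it can be run against a constructed tree for testing.

# modules.dep for the running kernel. ipsec_setup calls modprobe, which
# aborts with "FATAL: Could not load .../modules.dep" when this is missing.
check_modules_dep() {
    root=${1:-/}; kver=${2:-$(uname -r)}
    [ -f "$root/lib/modules/$kver/modules.dep" ]
}

# The fix described in the thread, applied to the real root (needs root,
# deliberately not testable against a fake tree): create the directory for
# the running kernel and let depmod write the module maps into it.
fix_modules_dep() {
    kver=${1:-$(uname -r)}
    mkdir -p "/lib/modules/$kver" && depmod -a "$kver"
}

# NETKEY IPsec stack visible inside the CT. Assumption: this is what the
# verify script's kernel check boils down to; af_key/esp4 loaded on the
# hardware node does not help if the CT cannot see /proc/net/pfkey.
check_netkey() {
    root=${1:-/}
    [ -e "$root/proc/net/pfkey" ]
}

# TUN character device, needed by OpenVPN (granted to the CT via vzctl).
check_tun_device() {
    root=${1:-/}
    [ -c "$root/dev/net/tun" ]
}

# Something bound to UDP port $2 (IKE 500, NAT-T 4500). Reads /proc/net/udp
# directly: field 2 is local_address as hex "IP:PORT", so no ss/netstat is
# needed. IPv4 only; IPv6 sockets would be in /proc/net/udp6.
check_udp_listener() {
    root=${1:-/}; port=$2
    hexport=$(printf '%04X' "$port")
    awk -v p="$hexport" \
        'NR > 1 { split($2, a, ":"); if (toupper(a[2]) == p) f = 1 }
         END { exit !f }' "$root/proc/net/udp" 2>/dev/null
}

# Print one line per check in the same OK/FAILED style as "ipsec verify".
report() {
    label=$1; shift
    if "$@"; then
        printf '%-45s [OK]\n' "$label"
    else
        printf '%-45s [FAILED]\n' "$label"; return 1
    fi
}

# Run every check; the return value is the number of failed checks.
run_checks() {
    root=${1:-/}; kver=${2:-$(uname -r)}; fails=0
    report "modules.dep for $kver"                 check_modules_dep "$root" "$kver" || fails=$((fails + 1))
    report "IPsec (NETKEY) support visible in CT"  check_netkey "$root"              || fails=$((fails + 1))
    report "TUN device /dev/net/tun"               check_tun_device "$root"          || fails=$((fails + 1))
    report "Pluto listening for IKE on udp 500"    check_udp_listener "$root" 500    || fails=$((fails + 1))
    report "Pluto listening for NAT-T on udp 4500" check_udp_listener "$root" 4500   || fails=$((fails + 1))
    return $fails
}

# Stand-alone use inside the CT: ./ct-vpn-check.sh [root] [kernel-version]
# Only runs when invoked under the script's own name, so the functions can
# also be sourced by other scripts or a test harness without side effects.
case $0 in
    *ct-vpn-check*) run_checks "$@"; exit $? ;;
esac
```

Run it with vzctl enter first, so the checks see the container's view of /proc, /dev and /lib/modules rather than the hardware node's; a green lsmod on the node, as in the thread, says nothing about what the CT can see. Note that `ipsec_setup` above chose 127.0.0.1 on venet0, so even once the kernel check passes it is worth confirming the UDP 500/4500 sockets are bound to an address clients can reach.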

