[Users] openvpn in openvz
Rene C.
openvz at dokbua.com
Fri Jun 27 02:05:56 PDT 2014
Thanks for the input! I didn't see that mentioned anywhere before.
After having created the directory and ran depmod -a the directory now
received some content.
root at vps1703 [/]# ll /lib/modules/2.6.32-042stab090.3/
total 48
drwxr-xr-x 2 root root 4096 Jun 27 16:02 ./
drwxr-xr-x 3 root root 4096 Jun 27 01:17 ../
-rw-r--r-- 1 root root 45 Jun 27 16:02 modules.alias
-rw-r--r-- 1 root root 69 Jun 27 16:02 modules.ccwmap
-rw-r--r-- 1 root root 0 Jun 27 16:02 modules.dep
-rw-r--r-- 1 root root 73 Jun 27 16:02 modules.ieee1394map
-rw-r--r-- 1 root root 141 Jun 27 16:02 modules.inputmap
-rw-r--r-- 1 root root 81 Jun 27 16:02 modules.isapnpmap
-rw-r--r-- 1 root root 74 Jun 27 16:02 modules.ofmap
-rw-r--r-- 1 root root 99 Jun 27 16:02 modules.pcimap
-rw-r--r-- 1 root root 43 Jun 27 16:02 modules.seriomap
-rw-r--r-- 1 root root 49 Jun 27 16:02 modules.symbols
-rw-r--r-- 1 root root 189 Jun 27 16:02 modules.usbmap
Unfortunately the net result is unchanged:
root at vps1703 [/]# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: multiple ip addresses, using 127.0.0.1 on venet0
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in
/proc/sys/crypto/fips_enabled
root at vps1703 [/]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K(no kernel code presently loaded)
Checking for IPsec support in kernel [FAILED]
SAref kernel support [N/A]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Pluto listening for NAT-T on udp 4500 [FAILED]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
root at vps1703 [/]#
On Fri, Jun 27, 2014 at 3:27 PM, Ian <openvz_list at fishnet.co.uk> wrote:
> On 26/06/2014 18:52, Rene C. wrote:
>> Going through the whole thing again I fell over this fatal error
>> during the ipsec restart:
>>
>> ipsec_setup: FATAL: Could not load
>> /lib/modules/2.6.32-042stab090.3/modules.dep: No such file or
>> directory
>>
>> I installed both openswan xl2tpd though yum (epel repo) but neither
>> seem to add anything to /lib/modules. What am I missing?
>
> Hi,
>
> I get this error allot between kernel upgrades when using iptables
> within containers. I found the fix is to make the directory its
> complaining about first, then run depmod -a (all from within the container):
>
> # mkdir -p /lib/modules/2.6.32-042stab090.3/
> # depmod -a
>
> Can someone shed a light on why this error occurs?
>
> It is complaining about a previous kernel version here (Rene states that
> stab090.4 is installed below).
>
> Regards
>
> Ian
> --
>
>>
>>
>> On Thu, Jun 26, 2014 at 2:06 PM, Rene C. <openvz at dokbua.com> wrote:
>>> I already upgraded the kernel to the latest before the last test:
>>>
>>> [root at server14 ~]# uname -a
>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>
>>> Sorry if I didn't make that very clear
>>>
>>> On Thu, Jun 26, 2014 at 1:38 PM, Pavel Odintsov
>>> <pavel.odintsov at gmail.com> wrote:
>>>> Hello!
>>>>
>>>> I'm not sure about your problems but we have few production
>>>> installation with this configuration. But we use only up to date
>>>> kernels like 90.x series. What kernel you used for tests?
>>>>
>>>> On Thu, Jun 26, 2014 at 5:28 AM, spameden <spameden at gmail.com> wrote:
>>>>>
>>>>>
>>>>>
>>>>> 2014-06-25 22:19 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>
>>>>>> No, I went in the direction of l2tp as recommended. It both seems more
>>>>>> secure and more compatible with both windows and android clients than
>>>>>> openvpn.
>>>>>
>>>>>
>>>>>
>>>>> 'more secure' ?
>>>>>
>>>>> did you audit OpenVPN/OpenSSL code? How can you say so.
>>>>>
>>>>> There are clients for both android and windows for OpenVPN.
>>>>>
>>>>> Anyways, if you've decided to go with IPSec go over with it, it should work
>>>>> too.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I still get the "Checking for IPsec support in kernel
>>>>>> [FAILED]" error from the check, although the latest openvz
>>>>>> kernel is now installed.
>>>>>>
>>>>>> What can we do to narrow down the cause of this?
>>>>>
>>>>>
>>>>> tbh, I have no idea, had no experience with IPSec setup on OpenVZ, ask the
>>>>> guy who've suggested ipsec setup.
>>>>>
>>>>>>
>>>>>> On Mon, Jun 23, 2014 at 7:56 PM, spameden <spameden at gmail.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2014-06-23 11:31 GMT+04:00 Rene C. <openvz at dokbua.com>:
>>>>>>>>
>>>>>>>> Sorry, still stuck:
>>>>>>>
>>>>>>>
>>>>>>> Did you try OpenVPN configuration that I've suggested?
>>>>>>>
>>>>>>> About IPSEC: not sure, check your syslog logs might give you some tips.
>>>>>>>>
>>>>>>>>
>>>>>>>> [root at server14 ~]# uname -a
>>>>>>>> Linux server14.-sanitized- 2.6.32-042stab090.4 #1 SMP Mon Jun 16
>>>>>>>> 15:13:38 MSK 2014 x86_64 x86_64 x86_64 GNU/Linux
>>>>>>>> [root at server14 ~]# for x in tun ppp_async pppol2tp
>>>>>>>> xfrm4_mode_transport xfrm4_mode_tunnel xfrm_ipcomp esp4; do lsmod |
>>>>>>>> grep $x; done
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> tun 19157 0
>>>>>>>> ppp_async 7874 0
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>> pppol2tp 22749 0
>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>> xfrm4_mode_transport 1465 0
>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>> esp4 5406 0
>>>>>>>> [root at server14 ~]# vzctl enter 1418
>>>>>>>> entered into CT 1418
>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>> correctly:
>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>> Checking for IPsec support in kernel [FAILED]
>>>>>>>> SAref kernel support [N/A]
>>>>>>>> Checking that pluto is running [OK]
>>>>>>>> Pluto listening for IKE on udp 500 [FAILED]
>>>>>>>> Pluto listening for NAT-T on udp 4500 [FAILED]
>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>> Opportunistic Encryption Support [DISABLED]
>>>>>>>>
>>>>>>>> What am I missing?
>>>>>>>>
>>>>>>>> On Mon, Jun 23, 2014 at 1:12 AM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>> Yep, rebooted the container.
>>>>>>>>>
>>>>>>>>> Here's the modules present:
>>>>>>>>>
>>>>>>>>> [root at server18 ~]# lsmod
>>>>>>>>> Module Size Used by
>>>>>>>>> esp4 5406 0
>>>>>>>>> xfrm_ipcomp 4626 0
>>>>>>>>> xfrm4_mode_tunnel 2019 0
>>>>>>>>> pppol2tp 22749 0
>>>>>>>>> pppox 2712 1 pppol2tp
>>>>>>>>> ppp_async 7874 0
>>>>>>>>> ppp_generic 25400 3 pppol2tp,pppox,ppp_async
>>>>>>>>> slhc 5821 1 ppp_generic
>>>>>>>>> crc_ccitt 1733 1 ppp_async
>>>>>>>>> vzethdev 8221 0
>>>>>>>>> vznetdev 18952 10
>>>>>>>>> pio_nfs 17576 0
>>>>>>>>> pio_direct 28261 9
>>>>>>>>> pfmt_raw 3213 0
>>>>>>>>> pfmt_ploop1 6320 9
>>>>>>>>> ploop 116096 23
>>>>>>>>> pio_nfs,pio_direct,pfmt_raw,pfmt_ploop1
>>>>>>>>> simfs 4448 0
>>>>>>>>> vzrst 196693 0
>>>>>>>>> vzcpt 148911 1 vzrst
>>>>>>>>> nfs 442438 3 pio_nfs,vzrst,vzcpt
>>>>>>>>> lockd 77189 2 vzrst,nfs
>>>>>>>>> fscache 55684 1 nfs
>>>>>>>>> auth_rpcgss 44949 1 nfs
>>>>>>>>> nfs_acl 2663 1 nfs
>>>>>>>>> sunrpc 268245 6 pio_nfs,nfs,lockd,auth_rpcgss,nfs_acl
>>>>>>>>> vziolimit 3719 0
>>>>>>>>> vzmon 24462 8 vznetdev,vzrst,vzcpt
>>>>>>>>> ip6table_mangle 3669 0
>>>>>>>>> nf_nat_ftp 3523 0
>>>>>>>>> nf_conntrack_ftp 12929 1 nf_nat_ftp
>>>>>>>>> iptable_nat 6302 1
>>>>>>>>> nf_nat 23213 3 vzrst,nf_nat_ftp,iptable_nat
>>>>>>>>> xt_length 1338 0
>>>>>>>>> xt_hl 1547 0
>>>>>>>>> xt_tcpmss 1623 0
>>>>>>>>> xt_TCPMSS 3461 1
>>>>>>>>> iptable_mangle 3493 0
>>>>>>>>> xt_multiport 2716 0
>>>>>>>>> xt_limit 2134 0
>>>>>>>>> nf_conntrack_ipv4 9946 5 iptable_nat,nf_nat
>>>>>>>>> nf_defrag_ipv4 1531 1 nf_conntrack_ipv4
>>>>>>>>> ipt_LOG 6405 0
>>>>>>>>> xt_DSCP 2849 0
>>>>>>>>> xt_dscp 2073 0
>>>>>>>>> ipt_REJECT 2399 12
>>>>>>>>> tun 19157 0
>>>>>>>>> xt_owner 2258 0
>>>>>>>>> vzdquota 55339 0 [permanent]
>>>>>>>>> vzevent 2179 1
>>>>>>>>> vzdev 2733 5
>>>>>>>>> vzethdev,vznetdev,vziolimit,vzmon,vzdquota
>>>>>>>>> iptable_filter 2937 5
>>>>>>>>> ip_tables 18119 3
>>>>>>>>> iptable_nat,iptable_mangle,iptable_filter
>>>>>>>>> ip6t_REJECT 4711 2
>>>>>>>>> nf_conntrack_ipv6 8353 2
>>>>>>>>> nf_defrag_ipv6 11188 1 nf_conntrack_ipv6
>>>>>>>>> xt_state 1508 4
>>>>>>>>> nf_conntrack 80313 9
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> vzrst,vzcpt,nf_nat_ftp,nf_conntrack_ftp,iptable_nat,nf_nat,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state
>>>>>>>>> ip6table_filter 3033 1
>>>>>>>>> ip6_tables 18988 2 ip6table_mangle,ip6table_filter
>>>>>>>>> ipv6 322874 1627
>>>>>>>>> vzrst,ip6table_mangle,ip6t_REJECT,nf_conntrack_ipv6,nf_defrag_ipv6
>>>>>>>>> iTCO_wdt 7147 0
>>>>>>>>> iTCO_vendor_support 3072 1 iTCO_wdt
>>>>>>>>> i2c_i801 11375 0
>>>>>>>>> i2c_core 31084 1 i2c_i801
>>>>>>>>> sg 29446 0
>>>>>>>>> lpc_ich 12819 0
>>>>>>>>> mfd_core 1911 1 lpc_ich
>>>>>>>>> e1000e 267426 0
>>>>>>>>> ptp 9614 1 e1000e
>>>>>>>>> pps_core 11490 1 ptp
>>>>>>>>> ext4 419456 11
>>>>>>>>> jbd2 93779 1 ext4
>>>>>>>>> mbcache 8209 1 ext4
>>>>>>>>> sd_mod 39005 6
>>>>>>>>> crc_t10dif 1557 1 sd_mod
>>>>>>>>> ahci 42263 4
>>>>>>>>> video 20978 0
>>>>>>>>> output 2425 1 video
>>>>>>>>> dm_mirror 14432 0
>>>>>>>>> dm_region_hash 12101 1 dm_mirror
>>>>>>>>> dm_log 9946 2 dm_mirror,dm_region_hash
>>>>>>>>> dm_mod 84369 19 dm_mirror,dm_log
>>>>>>>>>
>>>>>>>>> On Mon, Jun 23, 2014 at 12:52 AM, Pavel Odintsov
>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>> Hello!
>>>>>>>>>>
>>>>>>>>>> IPsec should work from 84.8 kernel according to
>>>>>>>>>> https://openvz.org/IPsec but I found explicit reference about IPsec
>>>>>>>>>> only in 84.10:
>>>>>>>>>> http://openvz.org/Download/kernel/rhel6-testing/042stab084.10
>>>>>>>>>>
>>>>>>>>>> Did you restart CT after loading kernel modules for l2tp?
>>>>>>>>>>
>>>>>>>>>> On Sun, Jun 22, 2014 at 7:05 PM, Rene C. <openvz at dokbua.com> wrote:
>>>>>>>>>>> Ok I gave your suggestion a shot, using your link through Google
>>>>>>>>>>> translate and
>>>>>>>>>>> http://www.maxwhale.com/how-to-install-l2tp-vpn-on-centos/
>>>>>>>>>>> for comparison.
>>>>>>>>>>>
>>>>>>>>>>> Everything seems to go well until the 'ipsec verify' part when it
>>>>>>>>>>> says:
>>>>>>>>>>>
>>>>>>>>>>> [root at vps1418 /]# ipsec verify
>>>>>>>>>>> Checking your system to see if IPsec got installed and started
>>>>>>>>>>> correctly:
>>>>>>>>>>> Version check and ipsec on-path [OK]
>>>>>>>>>>> Linux Openswan U2.6.32/K(no kernel code presently loaded)
>>>>>>>>>>> Checking for IPsec support in kernel
>>>>>>>>>>> [FAILED]
>>>>>>>>>>> SAref kernel support [N/A]
>>>>>>>>>>> Checking that pluto is running [OK]
>>>>>>>>>>> Pluto listening for IKE on udp 500
>>>>>>>>>>> [FAILED]
>>>>>>>>>>> Pluto listening for NAT-T on udp 4500
>>>>>>>>>>> [FAILED]
>>>>>>>>>>> Checking for 'ip' command [OK]
>>>>>>>>>>> Checking /bin/sh is not /bin/dash [OK]
>>>>>>>>>>> Checking for 'iptables' command [OK]
>>>>>>>>>>> Opportunistic Encryption Support
>>>>>>>>>>> [DISABLED]
>>>>>>>>>>>
>>>>>>>>>>> I think the biggest problem here is the "Checking for IPsec support
>>>>>>>>>>> in
>>>>>>>>>>> kernel"?
>>>>>>>>>>>
>>>>>>>>>>> I use 2.6.32-042stab085.20 - I know it's not the latest kernel, but
>>>>>>>>>>> supposedly ipsec support should be in kernels after stab084?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Jun 21, 2014 at 7:28 PM, Pavel Odintsov
>>>>>>>>>>> <pavel.odintsov at gmail.com> wrote:
>>>>>>>>>>>> Hello!
>>>>>>>>>>>>
>>>>>>>>>>>> In modern version of OpenVZ you can use l2tp with ipsec support
>>>>>>>>>>>> instead OpenVPN: http://habrahabr.ru/company/FastVPS/blog/205162/
>>>>>>>>>>>> (sorry this manual in russian language but it's very simple). It's
>>>>>>>>>>>> very useable because you do not need any special clients on
>>>>>>>>>>>> Windows
>>>>>>>>>>>> hosts. Maybe you can try this?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Sat, Jun 21, 2014 at 2:11 PM, Benjamin Henrion
>>>>>>>>>>>> <zoobab at gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> On Sat, Jun 21, 2014 at 8:47 AM, Rene C. <openvz at dokbua.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> I got the openvpn part itself down, no problem, but getting it
>>>>>>>>>>>>>> to
>>>>>>>>>>>>>> work
>>>>>>>>>>>>>> in a container is a lot of hassle. Many pages, but most are
>>>>>>>>>>>>>> outdated
>>>>>>>>>>>>>> and things keeps changing. Anyone know how to get it to work
>>>>>>>>>>>>>> TODAY?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The server is an otherwise normal server with public ip
>>>>>>>>>>>>>> addresses
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> works with cpanel, no problem that far. The problem is getting
>>>>>>>>>>>>>> an
>>>>>>>>>>>>>> openvpn service to work in it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've already added the tun device, and I can connect to the
>>>>>>>>>>>>>> server
>>>>>>>>>>>>>> with the openvpn client, just can't continue from there, so some
>>>>>>>>>>>>>> routing is missing.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've followed the general routing instructions but because
>>>>>>>>>>>>>> openvz
>>>>>>>>>>>>>> doesn't support MASQ it doesn't work.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to insmod on the hwnode
>>>>>>>>>>>>>
>>>>>>>>>>>>> Just make sure "tun" is present in lsmod.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/vz.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> The same. "tun" should be part of the list of modules in vz.conf,
>>>>>>>>>>>>> so
>>>>>>>>>>>>> it gets loaded at vz start.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> - which modules to add into /etc/vz/<ct>.conf
>>>>>>>>>>>>>
>>>>>>>>>>>>> And the for the CTID you want to run openvpn access in:
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://openvz.org/VPN_via_the_TUN/TAP_device#Granting_container_an_access_to_TUN.2FTAP
>>>>>>>>>>>>>
>>>>>>>>>>>>> Can you provide openvpn-client debug messages?
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> Benjamin Henrion <bhenrion at ffii.org>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
More information about the Users
mailing list