[Users] vz 7 network capability and openVPN forward/masquerade

Jehan Procaccia Jehan.Procaccia at imtbs-tsp.eu
Tue Feb 25 12:21:33 MSK 2020


Hello

I have running VPNs that work perfectly on OpenVZ 6; now I have moved to OpenVZ 7 and I cannot make it forward or masquerade between interfaces.

I have questions about a few different concepts:

1) Is enabling capabilities still enabled/useful?

i.e.: prlctl set ctvpn --capability net_admin:on => doesn't save anything in the CT conf ...

I did set:

prlctl set ctvpn --netfilter full => in order to have nat and mangle chains

2) Does it matter whether I use iptables or firewalld? Masquerade or SNAT?

Neither of those works.

For masquerade I did:

firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE

For iptables I tried:

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
-A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13

By the way, is venet0 important, as it appears down in the CT!?

2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state DOWN group default
    link/void
3: eth0@if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000

/dev/net/tun is working correctly.

I set it with: vzctl set ctvpn --devnodes net/tun:rw --save

CT-ABC /# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
CT-ABC /# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
=> a message that means it is operational!

OpenVPN uses a tun interface; connecting clients to the OpenVPN server works fine, but routing between interfaces (tun0 and eth0) doesn't work.

Of course ip_forward is enabled:

CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
1

Thanks for your help.
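The following is an added example, not the poster's code and not part of OpenVZ, OpenVPN or firewalld: a small Python lint that takes the two fragments quoted in the post (the `ip link` listing from inside the CT and the *nat ruleset loaded with iptables-restore) and flags POSTROUTING NAT rules that can never match because their -o interface is DOWN (venet0 here) or that carry no -o at all and therefore rewrite traffic on every egress interface, tun0 included. It then proposes a rule bound to an interface that is actually UP. The sample strings are constructed from the post (the "@" that the archive rendered as " at " is restored); the tun-name heuristic in uplink_candidates and the 10.91.10.0/22 subnet are assumptions taken from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input reproducing the two fragments quoted in the post:
# the `ip link` listing inside the CT and the *nat table loaded with
# iptables-restore.
IP_LINK_SAMPLE = """\
2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state DOWN group default
    link/void
3: eth0@if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
"""

NAT_RULES_SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
-A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
COMMIT
"""

# "3: eth0@if248: <FLAGS> ... state UP ..." -> name "eth0", state "UP"
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<[^>]*>.*\bstate\s+(\S+)")


def parse_link_states(ip_link_output: str) -> Dict[str, str]:
    """Map interface name -> operational state ("UP", "DOWN", "UNKNOWN", ...)."""
    states: Dict[str, str] = {}
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            states[m.group(1)] = m.group(2)
    return states


def parse_nat_rules(ruleset: str) -> List[Dict[str, str]]:
    """Extract the -A rules of the *nat table from iptables-save/-restore text."""
    rules: List[Dict[str, str]] = []
    table: Optional[str] = None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            tokens = line.split()
            rule = {"chain": tokens[1], "raw": line}
            # Only the matches and the target this lint reasons about are kept.
            for opt, key in (("-o", "out"), ("-s", "src"), ("-j", "target")):
                if opt in tokens:
                    rule[key] = tokens[tokens.index(opt) + 1]
            rules.append(rule)
    return rules


def lint_postrouting(ruleset: str, ip_link_output: str) -> List[str]:
    """Report POSTROUTING NAT rules that can never match or that match too widely."""
    states = parse_link_states(ip_link_output)
    findings: List[str] = []
    for rule in parse_nat_rules(ruleset):
        if rule["chain"] != "POSTROUTING" or rule.get("target") not in ("SNAT", "MASQUERADE"):
            continue
        out = rule.get("out")
        if out is None:
            findings.append(
                f"{rule['raw']}: no -o match, so the rule rewrites traffic leaving on "
                "every interface, tun0 included; bind it to the uplink"
            )
        elif out not in states:
            findings.append(f"{rule['raw']}: interface {out} does not exist in this CT")
        elif states[out] != "UP":
            findings.append(
                f"{rule['raw']}: interface {out} is {states[out]}, so no forwarded "
                "packet ever leaves through it and the rule never matches"
            )
    return findings


def uplink_candidates(ip_link_output: str) -> List[str]:
    """Interfaces that are UP and are neither loopback nor the VPN tunnel (name heuristic)."""
    states = parse_link_states(ip_link_output)
    return sorted(
        name for name, state in states.items()
        if state == "UP" and name != "lo" and not name.startswith("tun")
    )


def build_masquerade_rule(vpn_subnet: str, uplink: str) -> str:
    """Compose the POSTROUTING rule the checks above accept: VPN subnet out of the uplink."""
    return f"-A POSTROUTING -s {vpn_subnet} -o {uplink} -j MASQUERADE"


if __name__ == "__main__":
    for finding in lint_postrouting(NAT_RULES_SAMPLE, IP_LINK_SAMPLE):
        print("WARN", finding)
    for uplink in uplink_candidates(IP_LINK_SAMPLE):
        print("suggested:", build_masquerade_rule("10.91.10.0/22", uplink))
```

Run inside the CT with the real `ip -o link` and `iptables-save -t nat` output substituted for the two constants; the lint only reasons about interface state and rule scope, so a rule the kernel accepts but that can never see a forwarded packet (the venet0 case) is surfaced before anyone starts capturing traffic.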



More information about the Users mailing list