[Users] vz 7 network capability and openVPN forward/masquerade

Dmitry Konstantinov barmaley at barmaley.net
Tue Feb 25 16:54:56 MSK 2020


OpenVPN does work. dev/tun:rw and full netfilter are all the
'extras' I have in the container's config.

1) Not sure if it still works, but it's probably not useful in
this particular case; I never used any capabilities for openvpn.

2) I use a single postrouting rule. Like the last one in your list.


I don't quite understand your setup. Do you use routed or bridged
networking? With firewalld you configure eth0, but I see venet0 in
iptables. I don't have much experience with eth devices inside a
container; perhaps you might need to configure rp_filter for it
to work with openvpn.

On Tue, 25 Feb 2020 10:21:33 +0100
Jehan Procaccia <Jehan.Procaccia at imtbs-tsp.eu> wrote:

> Hello
> 
> I have VPNs that work perfectly on openvz6; now I am moving to
> openvz7 and I cannot make it forward or masquerade between
> interfaces.
> 
> I am questioning different concepts:
> 
> 1) is enabling capabilities still possible/useful?
> 
> i.e.: prlctl set ctvpn --capability net_admin:on => doesn't save
> anything in the CT conf ...
> 
> I did set
> 
> prlctl set ctvpn --netfilter full  => in order to have nat and mangle
> chains
> 
> 2) is the choice of iptables or firewalld a determining factor? masquerade or SNAT?
> 
> neither of those works
> 
> for Masquerade I did
> 
> firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A 
> POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
> 
> for iptables I tried with
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
> -A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
> 
> by the way, is venet0 important, as it appears down in the CT!?
> 
> 2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state
> DOWN group default
>      link/void
> 3: eth0 at if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
> 
> dev/tun is working correctly
> 
> I set it with: vzctl set ctvpn --devnodes net/tun:rw --save
> 
> CT-ABC /# ls -l /dev/net/tun
> crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
> CT-ABC /# cat /dev/net/tun
> cat: /dev/net/tun: File descriptor in bad state
> => a message that means it is operational!
> 
> openvpn uses a tun interface; connecting clients to the openvpn server
> works fine, but routing between interfaces (tun0 and eth0) doesn't
> work.
> 
> of course ip_forward is enabled
> 
> CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
> 1
> 
> Thanks for your help .
> 
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
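Added example (not code from either message in this thread): a small POSIX shell diagnostic, run inside the container, for the prerequisites the two messages touch on: ip_forward, rp_filter on the tun and outbound interfaces (the reply's hint), whether the nat table is visible at all (i.e. whether --netfilter full took effect), and whether a single POSTROUTING MASQUERADE/SNAT rule covers the VPN subnet. The subnet 10.91.10.0/22 and the interface names come from the question; the function names, the file name ct-vpn-check.sh and the PROC_ROOT variable are this example's own, the latter added so the checks can be pointed at a constructed /proc tree. The rp_filter rule that the kernel applies max(conf/all, conf/<iface>) and the table list in /proc/net/ip_tables_names are taken from the kernel's networking documentation.

```sh
#!/bin/sh
# ct-vpn-check.sh: added example, not from the thread or from OpenVZ.
# Checks the in-container prerequisites for routing OpenVPN clients
# (tun0) out via eth0/venet0 in an OpenVZ 7 CT.
# PROC_ROOT (assumption of this example) prefixes /proc so the checks
# can also run against a constructed tree.

PROC_ROOT="${PROC_ROOT:-}"

# Read one sysctl from PROC_ROOT/proc/sys; print "missing" if absent.
sysctl_val() {
    cat "$PROC_ROOT/proc/sys/$1" 2>/dev/null || echo missing
}

# net.ipv4.ip_forward must be 1 before any tun0 <-> eth0 forwarding.
check_ip_forward() {
    [ "$(sysctl_val net/ipv4/ip_forward)" = "1" ]
}

# Strict reverse-path filtering (rp_filter=1) discards packets whose
# source would not be routed back out the arrival interface, which is
# what asymmetric tun/eth paths look like. The kernel uses
# max(conf/all, conf/<iface>), so neither may be 1; 0 (off) or 2
# (loose) are acceptable. A missing interface entry is a failure.
check_rp_filter() {
    iface=$1
    all=$(sysctl_val net/ipv4/conf/all/rp_filter)
    dev=$(sysctl_val "net/ipv4/conf/$iface/rp_filter")
    [ "$all" != missing ] && [ "$dev" != missing ] \
        && [ "$all" != 1 ] && [ "$dev" != 1 ]
}

# The nat table is only registered in the CT when netfilter is "full";
# the kernel lists registered tables in /proc/net/ip_tables_names.
check_nat_table() {
    grep -qx nat "$PROC_ROOT/proc/net/ip_tables_names" 2>/dev/null
}

# $1: VPN subnet (e.g. 10.91.10.0/22), $2: iptables-save output.
# True if POSTROUTING has a MASQUERADE or SNAT rule whose -s matches
# that subnet (the single rule the reply recommends). Dots in the
# subnet are escaped so they match literally.
nat_has_postrouting_for() {
    pat=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    printf '%s\n' "$2" \
        | grep -Eq -- "^-A POSTROUTING .*-s $pat .*-j (MASQUERADE|SNAT)"
}

# Print ok/FAIL per check. $1: VPN subnet, $2: tun device, $3: outbound
# device; defaults are the values from the question.
report() {
    vpn_net=${1:-10.91.10.0/22}; tun=${2:-tun0}; out=${3:-eth0}
    dump=$(iptables-save -t nat 2>/dev/null || true)
    verdict() {  # $1: label, remaining args: the check command
        label=$1; shift
        if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fi
    }
    verdict "ip_forward = 1" check_ip_forward
    verdict "rp_filter not strict on $tun" check_rp_filter "$tun"
    verdict "rp_filter not strict on $out" check_rp_filter "$out"
    verdict "nat table visible (netfilter full)" check_nat_table
    verdict "POSTROUTING MASQUERADE/SNAT for $vpn_net" \
        nat_has_postrouting_for "$vpn_net" "$dump"
}

# Run the report only when executed as a script, so the functions can
# also be sourced into another shell without side effects.
case ${0##*/} in
    ct-vpn-check.sh) report "$@" ;;
esac
```

Usage inside the CT: `sh ct-vpn-check.sh 10.91.10.0/22 tun0 eth0`. A FAIL on the nat-table line means the rules in the question are never installed, whatever tool writes them; a FAIL on rp_filter for eth0 is the case the reply points at, and is cleared with `sysctl -w net.ipv4.conf.eth0.rp_filter=2` (or 0) together with `net.ipv4.conf.all.rp_filter`.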