[Users] vz 7 network capability and openVPN forward/masquerade
Dmitry Konstantinov
barmaley at barmaley.net
Tue Feb 25 16:54:56 MSK 2020
openvpn does work. dev/tun:rw and full netfilter is all the
'extras' I have in the container's config
1) not sure if it's still works but probably not useful in
this particular case, never used any capabilities for openvpn.
2) I use a single postrouting rule. Like the last one in your list.
I don't quite understand your setup. Do you use routed or bridged
networking? with firewalld you configure eth0 but I see venet0 in
iptables. I don't have much experience with eth devices inside
container, perhaps you might need to configure rp_filter for it
to work with openvpn.
On Tue, 25 Feb 2020 10:21:33 +0100
Jehan Procaccia <Jehan.Procaccia at imtbs-tsp.eu> wrote:
> Hello
>
> I have running VPNs that works perfectly on openvz6 , now I move to
> openvz7 and I cannot make it forward or masquerade between
> interfaces .
>
> I am questionning about different concepts:
>
> 1) is enabling capablities still enable/usefull ?
>
> ie: prlctl set ctvpn --capability net_admin:on => doesn't save
> anything in the CT conf ...
>
> I did set
>
> prlctl set ctvpn --netfilter full => in order to have nat and mangle
> chains
>
> 2) is using iptables or firewalld determinent ? masquerade or SNAT ?
>
> neither of those works
>
> for Masquerade I did
>
> firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A
> POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
>
> for iptables I tried with
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
> -A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
>
> by the way is venet0 important as it appears down in the CT !?
>
> 2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state
> DOWN group default
> link/void
> 3: eth0 at if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
> noqueue state UP group default qlen 1000
>
> dev/tun is working correctly
>
> I set it with: vzctl set ctvpn --devnodes net/tun:rw --save
>
> CT-ABC /# ls -l /dev/net/tun
> crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
> CT-ABC /# cat /dev/net/tun
> cat: /dev/net/tun: File descriptor in bad state
> => message that means it is operational !
>
> openvpn uses tun interface, connecting clients to openvpn server
> works fine, but routing between interfaces (tun0 and eth0 ) doesn't
> work .
>
> of course ip_forward is enabled
>
> CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> Thanks for your help .
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
More information about the Users
mailing list