[Users] vz 7 network capability and openVPN forward/masquerade

Jehan Procaccia Jehan.Procaccia at imtbs-tsp.eu
Tue Feb 25 18:32:43 MSK 2020


OK for 1), then I don't need any capability (net_admin, sys_time). I 
was wondering because I read that in lots of docs, as in:
https://github.com/OpenVZ/vz-docs/blob/master/virtuozzo_7_users_guide.asc
Perhaps deprecated?

For 2) I use routed openvpn (tun0).
Yes, I messed around a lot between iptables and firewalld while debugging my problem.
2.1) I would prefer to use firewalld; can you confirm the rule you 
use? POSTROUTING with masquerade, or do you have an iptables SNAT example?
2.2) If I use an eth0 interface, do you confirm that venet0 (which is DOWN 
in my CT) is not concerned at all?
2.3) My eth0 appears as eth0@if248 (ip addr); is it important for the 
firewall-cmd command arguments => "-o eth0"? Should I use -o eth0@if248?
2.4) What do you mean by rp_filter (reverse path filtering)? Should I 
disable it, and how?

Thanks.


On 25/02/2020 at 14:54, Dmitry Konstantinov wrote:
> openvpn does work. dev/tun:rw and full netfilter is all the
> 'extras' I have in the container's config
>
> 1) not sure if it still works, but probably not useful in
> this particular case; I never used any capabilities for openvpn.
>
> 2) I use a single postrouting rule. Like the last one in your list.
>
>
> I don't quite understand your setup. Do you use routed or bridged
> networking? with firewalld you configure eth0 but I see venet0 in
> iptables. I don't have much experience with eth devices inside
> container, perhaps you might need to configure rp_filter for it
> to work with openvpn.
>
> On Tue, 25 Feb 2020 10:21:33 +0100
> Jehan Procaccia <Jehan.Procaccia at imtbs-tsp.eu> wrote:
>
>> Hello
>>
>> I have VPNs that work perfectly on openvz6; now I moved to
>> openvz7 and I cannot make it forward or masquerade between
>> interfaces.
>>
>> I am questioning different concepts:
>>
>> 1) is enabling capabilities still enabled/useful?
>>
>> ie: prlctl set ctvpn --capability net_admin:on => doesn't save
>> anything in the CT conf ...
>>
>> I did set
>>
>> prlctl set ctvpn --netfilter full  => in order to have nat and mangle
>> chains
>>
>> 2) is the choice of iptables or firewalld decisive? masquerade or SNAT?
>>
>> neither of those works
>>
>> for Masquerade I did
>>
>> firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A
>> POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
>>
>> for iptables I tried with
>>
>> *nat
>> :PREROUTING ACCEPT [0:0]
>> :POSTROUTING ACCEPT [0:0]
>> :OUTPUT ACCEPT [0:0]
>> -A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
>> -A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
>>
>> by the way, is venet0 important, as it appears DOWN in the CT!?
>>
>> 2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state
>> DOWN group default
>>       link/void
>> 3: eth0@if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
>> noqueue state UP group default qlen 1000
>>
>> dev/tun is working correctly
>>
>> I set it with: vzctl set ctvpn --devnodes net/tun:rw --save
>>
>> CT-ABC /# ls -l /dev/net/tun
>> crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
>> CT-ABC /# cat /dev/net/tun
>> cat: /dev/net/tun: File descriptor in bad state
>> => a message that means it is operational!
>>
>> openvpn uses the tun interface; connecting clients to the openvpn server
>> works fine, but routing between interfaces (tun0 and eth0) doesn't
>> work.
>>
>> of course ip_forward is enabled
>>
>> CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>> Thanks for your help .
>>
>> _______________________________________________
>> Users mailing list
>> Users at openvz.org
>> https://lists.openvz.org/mailman/listinfo/users
>
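Added example, not part of the thread or of the OpenVZ project: a small POSIX shell checklist for the situation both posters describe (clients connect on tun0, but nothing is forwarded or masqueraded out of eth0 inside the CT). It assumes the operator gathers the inputs by hand (`cat /proc/sys/net/ipv4/ip_forward`, `sysctl net.ipv4.conf.all.rp_filter` and the per-interface values, `iptables-save -t nat`, `ip link`) and passes them to the functions; the function names are mine, and the rules and values embedded at the bottom are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added diagnostic for the thread's situation: OpenVPN clients connect on
# tun0, but their traffic is not forwarded or masqueraded out of eth0 in
# the container. Each function takes its input as arguments, so it can be
# fed live command output inside the CT or captured text; the sample values
# at the bottom are constructed for illustration, not taken from a real host.

# iface_name "eth0@if248" -> "eth0". `ip addr` appends @ifNN to a veth to
# show its peer's ifindex; iptables and firewall-cmd want the bare name.
iface_name() {
  printf '%s\n' "${1%%@*}"
}

# effective_rp_filter <all> <iface>: the kernel applies the larger of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter.
effective_rp_filter() {
  if [ "$1" -gt "$2" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# rp_filter_ok <value>: 0 (off) and 2 (loose) accept VPN packets whose reply
# would leave via another interface; 1 (strict) silently drops them.
rp_filter_ok() {
  case "$1" in
    0|2) return 0 ;;
    *)   return 1 ;;
  esac
}

# nat_rule_for <subnet> <rules>: print the first POSTROUTING MASQUERADE/SNAT
# rule (iptables-save syntax) that covers <subnet>; exit 1 when there is none.
nat_rule_for() {
  match=$(printf '%s\n' "$2" |
    grep -E -- "^-A POSTROUTING .*-s $1( |$).*-j (MASQUERADE|SNAT)" | head -n 1)
  [ -n "$match" ] || return 1
  printf '%s\n' "$match"
}

# rule_oif <rule>: the interface named by -o, or "any" when the rule is unbound.
rule_oif() {
  oif=$(printf '%s\n' "$1" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
  printf '%s\n' "${oif:-any}"
}

# diagnose <ip_forward> <rp_all> <rp_oif> <rp_tun> <subnet> <oif> <rules> <up_ifaces>
# Prints one line per check and returns the number of problems found.
diagnose() {
  fwd=$1; rp_all=$2; rp_oif=$3; rp_tun=$4; subnet=$5; oif=$6; rules=$7; up=$8
  problems=0
  [ "$fwd" = 1 ] || { echo "PROBLEM: ip_forward=$fwd"; problems=$((problems + 1)); }
  for pair in "$oif:$rp_oif" "tun0:$rp_tun"; do
    dev=${pair%%:*}; eff=$(effective_rp_filter "$rp_all" "${pair#*:}")
    rp_filter_ok "$eff" || {
      echo "PROBLEM: effective rp_filter on $dev is $eff (strict); set all/$dev to 2"
      problems=$((problems + 1)); }
  done
  if rule=$(nat_rule_for "$subnet" "$rules"); then
    r_oif=$(rule_oif "$rule")
    if [ "$r_oif" != any ] && ! printf ' %s ' "$up" | grep -q " $r_oif "; then
      echo "PROBLEM: NAT rule is bound to $r_oif, which is not UP: $rule"
      problems=$((problems + 1))
    else
      echo "ok: NAT rule covers $subnet: $rule"
    fi
  else
    echo "PROBLEM: no POSTROUTING MASQUERADE/SNAT rule for $subnet"
    problems=$((problems + 1))
  fi
  return $problems
}

# Constructed sample, modelled on the thread: forwarding is on, the NAT rule
# is bound to venet0 (DOWN in the CT) and rp_filter is strict on eth0.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.91.10.0/22 -o venet0 -j MASQUERADE
COMMIT'
OIF=$(iface_name "eth0@if248")
diagnose 1 0 1 0 10.91.10.0/22 "$OIF" "$SAMPLE_RULES" "lo eth0 tun0" ||
  echo "$? problem(s) found"
```

On a live CT the same call would be built from `cat /proc/sys/net/ipv4/ip_forward`, `sysctl -n net.ipv4.conf.all.rp_filter`, the `conf.eth0` and `conf.tun0` values, `iptables-save -t nat` and the names `ip link` reports as UP. Two points the checks encode: the `@if248` suffix is only display output, so `-o eth0` is the right argument; and a POSTROUTING rule bound to an interface that is DOWN (venet0 here) never matches, whereas an unbound `-s <subnet> -j MASQUERADE` rule does. Whether firewalld's direct passthrough or plain iptables installs that rule makes no difference to the kernel; firewalld also offers zone-level masquerading (`firewall-cmd --permanent --zone=<zone> --add-masquerade`) as an alternative to `--direct --passthrough`, which is my note rather than something the thread states.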

