<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">2014-06-21 10:47 GMT+04:00 Rene C. <span dir="ltr"><<a href="mailto:openvz@dokbua.com" target="_blank">openvz@dokbua.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I got the openvpn part itself down, no problem, but getting it to work<br>
in a container is a lot of hassle. Many pages, but most are outdated<br>
and things keep changing. Anyone know how to get it to work TODAY?<br>
<br>
The server is an otherwise normal server with public ip addresses and<br>
works with cpanel, no problem that far. The problem is getting an<br>
openvpn service to work in it.<br>
- which modules to insmod on the hwnode<br></blockquote><div>$ <b>cat /etc/modules</b></div><div><br></div><div><div>#Iptables</div><div>ip_tables</div><div>iptable_filter</div><div>iptable_mangle</div><div>ipt_limit</div>
<div>ipt_multiport</div><div>ipt_tos</div><div>ipt_REJECT</div><div>ipt_TCPMSS</div><div>ipt_tcpmss</div><div>ipt_ttl</div><div>ipt_length</div><div>ip_conntrack</div><div>ipt_state</div><div>ipt_connlimit</div><div>ipt_recent</div>
<div>ipt_comment</div><div>xt_comment</div></div><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
- which modules to add into /etc/vz/vz.conf<br></blockquote><div><br></div><div><b>/etc/vz/vz.conf</b>:</div><div>IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT" </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
- which modules to add into /etc/vz/&lt;ct&gt;.conf<br></blockquote><div> </div><div><b>/etc/vz/conf/2xx.conf:</b></div><div><br></div><div>DEVNODES="net/tun:rw " </div><div>DEVICES="c:10:200:rw "<br>
</div><div>CAPABILITY=" NET_ADMIN:on"<br></div><div><div>IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ipt_state ipt_recent iptable_nat "</div>
<div><br></div><div><br></div><div>Make sure you add this on your HN in the mangle table (note: replace eth0 with your outbound internet interface):</div><div><div># Generated by iptables-save v1.4.14 on Sun Jun 22 23:05:56 2014</div>
<div>*mangle</div><div>:PREROUTING ACCEPT [106874720:35868997787]</div><div>:INPUT ACCEPT [73771015:17894674066]</div><div>:FORWARD ACCEPT [33103560:17974356407]</div><div>:OUTPUT ACCEPT [63966614:112159146298]</div><div>
:POSTROUTING ACCEPT [97050402:130132419523]</div><div>-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</div><div>COMMIT</div><div># Completed on Sun Jun 22 23:05:56 2014</div></div><div>
<br></div><div>This rule fixes the issue with low MTU packets.</div><div><br></div><div><br></div><div><b>settings inside CT:</b></div><div>/etc/openvpn/server.conf:</div><div><div>fragment 1420</div><div>mssfix</div></div><div>
<br></div><div>These two settings also fix issues with low TCP MTU.</div><div><br></div><div><br></div><div>Firewall settings in the container for OpenVPN:</div><div><b>/etc/iptables.rules </b>in CT (note: replace port 1111 with your OpenVPN server port and 1.2.3.4 with the external IP of the CT):<br>
</div><div><br></div><div><div>*filter</div><div>:INPUT ACCEPT [0:0]</div><div>:FORWARD DROP [0:0]</div><div>:OUTPUT ACCEPT [0:0]</div><div>:Firewall - [0:0]</div><div>-A INPUT -s <a href="http://10.8.1.0/24">10.8.1.0/24</a> -j ACCEPT</div>
<div>-A INPUT -j Firewall</div><div>-A FORWARD -d <a href="http://10.8.1.0/24">10.8.1.0/24</a> -j ACCEPT</div><div>-A FORWARD -s <a href="http://10.8.1.0/24">10.8.1.0/24</a> -j ACCEPT</div><div>-A Firewall -p udp -m udp --dport 1111 -m state --state NEW -m comment --comment "OpenVPN server" -j ACCEPT</div>
<div>-A Firewall -i lo -j ACCEPT<br></div><div>-A Firewall -m state --state RELATED,ESTABLISHED -j ACCEPT</div><div>-A Firewall -j REJECT --reject-with icmp-host-prohibited<br></div><div>COMMIT</div><div># Completed on Thu Jun 5 15:31:33 2014</div>
<div># Generated by iptables-save v1.4.14 on Thu Jun 5 15:31:33 2014</div><div>*mangle</div><div>:PREROUTING ACCEPT [97586930:43802318561]</div><div>:INPUT ACCEPT [31215292:5102519658]</div><div>:FORWARD ACCEPT [66363273:38698230987]</div>
<div>:OUTPUT ACCEPT [44914356:38872135945]</div><div>:POSTROUTING ACCEPT [111277625:77570366051]</div><div>COMMIT</div><div># Completed on Thu Jun 5 15:31:33 2014</div><div># Generated by iptables-save v1.4.14 on Thu Jun 5 15:31:33 2014</div>
<div>*nat</div><div>:PREROUTING ACCEPT [3571417:259748350]</div><div>:POSTROUTING ACCEPT [1726:125927]</div><div>:OUTPUT ACCEPT [1727:126000]</div><div>-A POSTROUTING -s <a href="http://10.8.1.0/24">10.8.1.0/24</a> -j SNAT --to-source 1.2.3.4</div>
<div>COMMIT</div></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@openvz.org">Users@openvz.org</a><br>
<a href="https://lists.openvz.org/mailman/listinfo/users" target="_blank">https://lists.openvz.org/mailman/listinfo/users</a><br>
</blockquote></div><br></div></div>
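As an added worked example for this thread (not part of the original message and not OpenVZ's own tooling), the following POSIX shell script lints a container config file for the settings the reply above says OpenVPN needs: the tun devnode, the 10:200 character device, the NET_ADMIN capability, and an IPTABLES list that names the modules the in-CT rules rely on (ipt_state for `--state`, ipt_REJECT for `-j REJECT`, iptable_nat for the SNAT rule). The `check_ct_conf`, `write_good_conf` and `write_bad_conf` helpers, the sample config contents they write and the temp file paths are constructed for the demonstration; the "good" sample mirrors the 2xx.conf lines quoted in the reply.

```shell
#!/bin/sh
# Added lint for an OpenVZ container config (example code for this thread,
# not OpenVZ's own tooling). Checks the container-side settings the reply
# above lists for OpenVPN and reports whichever are missing.

# conf_value FILE KEY -> value of KEY="..." in FILE (last definition wins,
# empty if the key is absent). Surrounding spaces inside the quotes are kept.
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# has_word LIST WORD -> 0 if WORD occurs as a whitespace-separated token
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_ct_conf FILE
# Prints one line per missing setting; returns 0 if all present, 1 otherwise.
check_ct_conf() {
    conf="$1"
    missing=0

    devnodes=$(conf_value "$conf" DEVNODES)
    devices=$(conf_value "$conf" DEVICES)
    caps=$(conf_value "$conf" CAPABILITY)
    ipt=$(conf_value "$conf" IPTABLES)

    # /dev/net/tun must be exposed to the CT and the char device allowed
    has_word "$devnodes" "net/tun:rw" \
        || { echo "missing DEVNODES entry net/tun:rw"; missing=1; }
    has_word "$devices" "c:10:200:rw" \
        || { echo "missing DEVICES entry c:10:200:rw (the tun char device)"; missing=1; }
    # OpenVPN needs NET_ADMIN to bring up tun0 and add routes
    has_word "$caps" "NET_ADMIN:on" \
        || { echo "missing CAPABILITY NET_ADMIN:on"; missing=1; }
    # modules the in-CT rules use: --state, -j REJECT, *nat SNAT
    for mod in ipt_state ipt_REJECT iptable_nat; do
        has_word "$ipt" "$mod" \
            || { echo "IPTABLES list lacks $mod"; missing=1; }
    done

    return $missing
}

# Constructed sample: the container settings quoted in the reply, as one file.
write_good_conf() {
    cat > "$1" <<'EOF'
DEVNODES="net/tun:rw "
DEVICES="c:10:200:rw "
CAPABILITY=" NET_ADMIN:on"
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ipt_state ipt_recent iptable_nat "
EOF
}

# Constructed sample: a container never prepared for OpenVPN
# (no tun device, no NET_ADMIN, no NAT module).
write_bad_conf() {
    cat > "$1" <<'EOF'
DEVNODES=""
CAPABILITY=""
IPTABLES="ip_tables iptable_filter ipt_REJECT ipt_state"
EOF
}

# Usage: sh ct_lint.sh /etc/vz/conf/<ctid>.conf   (path is an assumption)
if [ -n "${1:-}" ]; then
    check_ct_conf "$1" && echo "$1: all OpenVPN-related settings present"
fi
```

Run it against the real container config after editing it; a clean run prints nothing but the final confirmation line, and each missing item is reported on its own line so it can be fixed before restarting the CT.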