<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">OK for 1) , then I don't need any
capability (net_admin, sys_time), I was wondering because I read
that on lots of docs as in :</div>
<div class="moz-cite-prefix"><a class="moz-txt-link-freetext" href="https://github.com/OpenVZ/vz-docs/blob/master/virtuozzo_7_users_guide.asc">https://github.com/OpenVZ/vz-docs/blob/master/virtuozzo_7_users_guide.asc</a></div>
<div class="moz-cite-prefix">perhaps deprecated ? <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">for 2) I use routed openvpn (tun0) <br>
</div>
<div class="moz-cite-prefix">yes I mess a lot between iptables and
firewalld while debungin my pb <br>
</div>
<div class="moz-cite-prefix">2.1) I would prefere to use firewalld ,
can you confirm me the rule you use ?</div>
<div class="moz-cite-prefix">POSTROUTING with masquerade or have you
an iptable SNAT exemple ? <br>
</div>
<div class="moz-cite-prefix">2.2) if I use a eth0 interface do you
confirm that venet0 (that is Down on my CT) is not concerned at
all ? <br>
</div>
<div class="moz-cite-prefix">2.3) my eth0 appears as eth0@if248 (ip
addr) , is it important for the firewall-cmd command arguments
=> "-o eth0" ? should I use -o eth0@if248 !<br>
</div>
<div class="moz-cite-prefix">2.4) what do you mean by <code>rp_filter</code>
(reverse path filtering), should I disable it , how ? <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Thanks . <br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Le 25/02/2020 à 14:54, Dmitry
Konstantinov a écrit :<br>
</div>
<blockquote type="cite" cite="mid:20200225085456.4b1ada30@mintl">
<pre class="moz-quote-pre" wrap="">openvpn does work. dev/tun:rw and full netfilter is all the
'extras' I have in the container's config
1) not sure if it's still works but probably not useful in
this particular case, never used any capabilities for openvpn.
2) I use a single postrouting rule. Like the last one in your list.
I don't quite understand your setup. Do you use routed or bridged
networking? with firewalld you configure eth0 but I see venet0 in
iptables. I don't have much experience with eth devices inside
container, perhaps you might need to configure rp_filter for it
to work with openvpn.
On Tue, 25 Feb 2020 10:21:33 +0100
Jehan Procaccia <a class="moz-txt-link-rfc2396E" href="mailto:Jehan.Procaccia@imtbs-tsp.eu"><Jehan.Procaccia@imtbs-tsp.eu></a> wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">Hello
I have running VPNs that works perfectly on openvz6 , now I move to
openvz7 and I cannot make it forward or masquerade between
interfaces .
I am questionning about different concepts:
1) is enabling capablities still enable/usefull ?
ie: prlctl set ctvpn --capability net_admin:on => doesn't save
anything in the CT conf ...
I did set
prlctl set ctvpn --netfilter full => in order to have nat and mangle
chains
2) is using iptables or firewalld determinent ? masquerade or SNAT ?
neither of those works
for Masquerade I did
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A
POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
for iptables I tried with
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
-A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
by the way is venet0 important as it appears down in the CT !?
2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state
DOWN group default
link/void
3: eth0@if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP group default qlen 1000
dev/tun is working correctly
I set it with: vzctl set ctvpn --devnodes net/tun:rw --save
CT-ABC /# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
CT-ABC /# cat /dev/net/tun
cat: /dev/net/tun: File descriptor in bad state
=> message that means it is operational !
openvpn uses tun interface, connecting clients to openvpn server
works fine, but routing between interfaces (tun0 and eth0 ) doesn't
work .
of course ip_forward is enabled
CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
1
Thanks for your help .
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<p><br>
</p>
</body>
</html>