Unable to run OpenVPN - "openvpn --mktun --dev tap0" fails [message #22011]
Thu, 18 October 2007 14:35
tomfra
Messages: 28 Registered: September 2007
I am trying to set up OpenVPN on one VPS using the "dummy0" trick as described at http://forum.openvz.org/index.php?t=msg&th=315 , in the wiki and some other sources.
However, when I run "openvpn --mktun --dev tap0", I get this error:
Thu Oct 18 14:04:59 2007 TUN/TAP device tap0 opened
Thu Oct 18 14:04:59 2007 Note: Cannot set tx queue length on tap0: Operation not permitted (errno=1)
Thu Oct 18 14:04:59 2007 Cannot ioctl TUNSETPERSIST(1) tap0: Operation not permitted (errno=1)
Thu Oct 18 14:04:59 2007 Exiting
/dev/tun exists. I can also create tap0 manually but that didn't help either. Both tun & bridge modules are loaded on the host.
Thanks in advance for any help
Tomas
Do you really believe the Internet is a safe place?
IdentityCloaker.com - Take Back Your Privacy!
Re: Unable to run OpenVPN - "openvpn --mktun --dev tap0" fails [message #22341 is a reply to message #22339]
Thu, 25 October 2007 21:31
tomfra
bwoo wrote on Thu, 25 October 2007 21:19: So is there a way of running OpenVPN as a server inside a VE?
Yes, it is! I've just finished installing and testing it, with some help from Experts Exchange and a lot of Googling...
I installed it in routing mode as the "road warrior" setup, plus routing all Internet traffic through the VPN tunnel. It works great, but the config is a bit tricky.
"openvpn --mktun --dev tap0" is not needed to make it work. The "dummy0" trick is not needed for the routing setup either; it is needed for the bridging setup, which I have not tested, but I am sure it would work too.
Sometime I will hopefully write the "Howto install OpenVPN on an OpenVZ VPS", but it would be something like this (on CentOS 5):
1 ) Add rpmforge to your list of yum repos - simply install the correct rpm for your distro from http://dag.wieers.com/rpm/packages/rpmforge-release/
2 ) yum -y install openvpn
3 ) Install the openvpn webmin module, it is great for creating the certificates, monitoring the VPN connections etc. It's a bit tricky for configuring so you will have to play with it for a while.
4 ) You will need the /dev/tun device in your VPS. The how-to is at http://wiki.openvz.org/VPN_via_the_TUN/TAP_device. If you haven't done so already, do "modprobe tun" on the hardware node, I believe it should be added into /etc/init.d as well.
5 ) server.conf file could roughly look something like this:
port 1194
tls-server
mode server
proto udp
dev tun0
ca keys/myserver/ca.crt
cert keys/myserver/defaultserverkey.crt
key keys/myserver/defaultserverkey.key
dh keys/myserver/dh2048.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
crl-verify keys/myserver/crl.pem
cipher AES-256-CBC
user nobody
group nobody
status servers/myserver/logs/openvpn-status.log
log-append servers/myserver/logs/openvpn.log
verb 2
mute 20
max-clients 500
management 127.0.0.1 4444
keepalive 10 120
client-config-dir /etc/openvpn/servers/myserver/ccd
comp-lzo
persist-key
persist-tun
ccd-exclusive
The 2 occurrences of "push" are needed if you want to route all Internet traffic, including web etc., through the VPN tunnel; otherwise comment them out. Make sure the certificate and other paths correspond with those valid for your server.
If you set the push "dhcp-option DNS 10.8.0.1", you will need to install Bind or other DNS server on the VPS (listening on the main VPS IP). Or you can specify any public IP of DNS servers accepting queries from the VPS IP.
6 ) Client side:
I installed openvpn on my Win XP Home PC as a part of the OpenVPN GUI you can get at http://openvpn.se . Rename the Virtual TAP Network Adapter to "OpenVPN" (or something else but you will need to specify the name in the dev-node switch).
client.conf example:
client
dev tun
pull
dev-node OpenVPN
proto udp
remote PUBLIC_IP_OF_YOUR_VPN_SERVER 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert defaultclientkey.crt
key defaultclientkey.key
ns-cert-type server
cipher AES-256-CBC
keysize 256
comp-lzo
verb 3
mute 20
The "dev", "proto" and "cipher" switches must be the same as on the server. My chosen cipher, "AES-256", is somewhat extreme, so you may comment it out (together with the "keysize" switch), and OpenVPN will then default to Blowfish.
7 ) On the server:
service openvpn start
This should create the tun0 device I believe. Then do:
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -i tun0
/sbin/iptables -A FORWARD -j ACCEPT -p all -s 0/0 -o tun0
/sbin/iptables -t nat --flush
/sbin/iptables -t nat -A POSTROUTING -s ! x.x.x.x -o venet0 -j SNAT --to-source x.x.x.x
Replace x.x.x.x with your VPS public IP address. You should probably include those lines in the openvpn init file in /etc/init.d . Technically, only the last line may be necessary. There are probably better ways but this should work. I use CSF firewall and I added those lines to csfpre.sh instead.
8 ) Now you should be able to create the VPN tunnel from the client side.
It's not a perfect how-to but at least it could give you a few hints.
Tomas
Re: Unable to run OpenVPN - "openvpn --mktun --dev tap0" fails [message #22384 is a reply to message #22375]
Fri, 26 October 2007 19:11
tomfra
I am not an "OpenVPN guru", but it would be helpful if you could post the full server and client config files if they differ from the examples I posted.
If I understand it correctly - the 192.168.0.0/24 IPs are used by your "real" network adapter and the 192.168.201.0/24 subnet is used by the VPN TAP Virtual Network Adapter, right?
If it is so it looks almost as if it was all reversed. I mean, in my log the first "route ADD" record looks like this:
"route ADD VPN_PUBLIC_IP MASK 255.255.255.255 172.23.35.10"
172.23.35.10 is my "real network adapter" gateway.
Hmm... just thinking aloud but what does this line look like in your client config file:
"remote PUBLIC_IP_OF_YOUR_VPN_SERVER 1194"
Is the "PUBLIC_IP_OF_YOUR_VPN_SERVER" really a public IP in your config file?
Tomas
Re: Unable to run OpenVPN - "openvpn --mktun --dev tap0" fails [message #23992 is a reply to message #22011]
Thu, 29 November 2007 18:44
tomfra
Instead of this line:
/sbin/iptables -t nat -A POSTROUTING -s ! x.x.x.x -o venet0 -j SNAT --to-source x.x.x.x
try this one:
/sbin/iptables -t nat -A POSTROUTING -s 10.88.0.0/16 -o venet0 -j SNAT --to-source 192.168.1.5
where 10.88.0.0/16 is the internal IP range assigned by OpenVPN. You will very likely have a different one, so don't forget to change it.
I am not saying it will work, I am really not a "pro" in this field, but it may be worth a try.
Tomas
Re: Unable to run OpenVPN - "openvpn --mktun --dev tap0" fails [message #23993 is a reply to message #23992]
Thu, 29 November 2007 19:10
OpenVZ
tomfra wrote on Thu, 29 November 2007 13:44: Instead of this line:
/sbin/iptables -t nat -A POSTROUTING -s ! x.x.x.x -o venet0 -j SNAT --to-source x.x.x.x
try this one:
/sbin/iptables -t nat -A POSTROUTING -s 10.88.0.0/16 -o venet0 -j SNAT --to-source 192.168.1.5
where 10.88.0.0/16 is the internal IP range assigned by OpenVPN. You will very likely have a different one, so don't forget to change it.
I am not saying it will work, I am really not a "pro" in this field, but it may be worth a try.
Tomas
Hello,
thank you. I did try it. Not working.
If I look at the log, the VPN request doesn't come to the VPS. No entry about the request.
To forward port 1194 I use this command (in the hardware node):
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.5 --dport 1194 -i eth0 -j DNAT --to-destination PUBLIC_IP_OF_HARDWARE_NODE:1194
Maybe it is wrong or not enough?
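The thread states three things that have to line up for this setup to work: the "dev", "proto" and "cipher" switches must match between server.conf and client.conf (tomfra's how-to), the POSTROUTING SNAT rule should cover the subnet handed out by the "server" directive (tomfra's later SNAT post), and the port-forward rule on the hardware node has to match the protocol and port the server actually listens on (the last post). The script below checks all three from the config files. It is an added example, not code from any poster in this thread or from the OpenVPN project; the two sample configs are constructed from the values posted above, 203.0.113.10 is a documentation-range placeholder for the VPS public IP, and venet0 is assumed as the VE's outgoing interface.

```python
import ipaddress
import re
import shlex

# Constructed sample configs, using the values posted in this thread.
# 203.0.113.10 is a placeholder for the VPS public IP (assumption).
SERVER_CONF = """
port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
cipher AES-256-CBC
comp-lzo
"""
CLIENT_CONF = """
client
dev tun
proto udp
remote 203.0.113.10 1194
cipher AES-256-CBC
comp-lzo
"""
DEFAULT_CIPHER = "BF-CBC"  # what OpenVPN 2.0/2.1 uses when no cipher is set


def parse_conf(text):
    """Parse an OpenVPN config into {directive: [[arg, ...], ...]}.
    Every occurrence is kept (push, route, ... may repeat); comments and
    inline <ca>...</ca> style blocks are skipped."""
    conf, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0], []).append(parts[1:])
    return conf


def first(conf, key, default=None):
    """Arguments of the first occurrence of a directive, or the default."""
    return conf[key][0] if key in conf else default


def dev_type(conf):
    """tun or tap: from dev-type if present, else from the dev name (tun0 -> tun)."""
    if "dev-type" in conf:
        return first(conf, "dev-type")[0]
    dev = first(conf, "dev")
    return re.match(r"[a-z]+", dev[0]).group(0) if dev else None


def proto(conf):
    return first(conf, "proto", ["udp"])[0].lower().rstrip("46")  # udp6 -> udp


def cipher(conf):
    return first(conf, "cipher", [DEFAULT_CIPHER])[0].upper()


def server_port(server):
    return first(server, "port", ["1194"])[0]


def check_pair(server, client):
    """Settings on which server and client disagree; empty list if consistent."""
    problems = []
    if dev_type(server) != dev_type(client):
        problems.append(f"dev: server {dev_type(server)}, client {dev_type(client)}")
    if proto(server) != proto(client):
        problems.append(f"proto: server {proto(server)}, client {proto(client)}")
    if cipher(server) != cipher(client):
        problems.append(f"cipher: server {cipher(server)}, client {cipher(client)}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        problems.append("comp-lzo set on only one side")
    remote = first(client, "remote", [])
    rport = remote[1] if len(remote) > 1 else "1194"
    if rport != server_port(server):
        problems.append(f"port: server {server_port(server)}, client remote {rport}")
    return problems


def redirect_without_dns(server):
    """True if all traffic is redirected but no DNS server is pushed, the
    case the how-to warns about (clients keep a resolver they can no longer reach)."""
    pushes = [" ".join(a) for a in server.get("push", [])]
    return (any(p.startswith("redirect-gateway") for p in pushes)
            and not any(p.startswith("dhcp-option DNS") for p in pushes))


def vpn_subnet(server):
    """The pool handed out by the 'server' directive, e.g. 10.8.0.0/24."""
    net, mask = first(server, "server")[:2]
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)


def snat_rule(server, public_ip, iface="venet0"):
    """SNAT only the VPN pool instead of 'everything that is not the VPS IP'."""
    return (f"iptables -t nat -A POSTROUTING -s {vpn_subnet(server)} "
            f"-o {iface} -j SNAT --to-source {public_ip}")


def check_dnat_rule(rule, server):
    """Compare a hardware-node port-forward rule with the server's proto and port."""
    toks = shlex.split(rule)
    opts = {t: toks[i + 1] for i, t in enumerate(toks[:-1])
            if t.startswith("-") and not toks[i + 1].startswith("-")}
    problems = []
    if opts.get("-p", "").lower() != proto(server):
        problems.append(f"rule matches proto {opts.get('-p')} but server uses {proto(server)}")
    if opts.get("--dport") != server_port(server):
        problems.append(f"rule matches dport {opts.get('--dport')} but server listens on {server_port(server)}")
    return problems


if __name__ == "__main__":
    srv, cli = parse_conf(SERVER_CONF), parse_conf(CLIENT_CONF)
    print("mismatches:", check_pair(srv, cli) or "none")
    print("redirect without DNS push:", redirect_without_dns(srv))
    print(snat_rule(srv, "203.0.113.10"))
    print(check_dnat_rule("iptables -t nat -A PREROUTING -p tcp -d 192.168.1.5 --dport 1194 "
                          "-i eth0 -j DNAT --to-destination 192.168.1.5:1194", srv))
```

Run it against your own server.conf and client.conf by replacing the two constructed strings with the file contents. The SNAT rule it prints is scoped to the pool from the "server" directive, which is the safer form of the rule from the thread: a "-s ! x.x.x.x" match rewrites the source of anything the VE forwards that does not already carry the VPS address, not just VPN clients.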