OpenVZ Forum


routing issue with openvpn in container [message #33143] Wed, 24 September 2008 17:25
james

Hi,

I have a strange routing issue with OpenVPN inside a container. I am a fairly new user of OpenVZ. I have OpenVPN installed in a container. (I had to use a veth device to get routing to work at all; venet didn't seem to work.)

The HN has 2 interfaces: eth0 (10.255.255.1/24, facing the DMZ) and eth1 (10.38.0.1/26, internal LAN). This box is also the default gw for my network (10.38.0.0/26). The VPN network is 10.10.0.0/24. I am running OpenVPN in server mode here; its IP is 10.10.0.1. I have 3 clients connecting with VPN IPs of 10.10.0.9 and 10.10.0.13. Each client connects properly and can ping each other and other nodes on my LAN (10.38.0.50, 10.38.0.3X) and other containers (10.38.0.2 and 10.38.0.3). The other containers utilize the venet device.

The HN can ping the VPN server 10.10.0.1 but none of the other nodes (10.10.0.9 and 10.10.0.13). Other nodes on my LAN can ping the HN and the VPN nodes. My question is: why can the HN not access VPN clients?

I do not have a bridge for veth103.0 and eth1 set up, as I don't want one.


HN:
sysctl -p

net.ipv4.conf.default.forwarding = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth1.proxy_arp = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2

root@foghorn:~# ip ru
0: from all lookup 255
32766: from all lookup main
32767: from all lookup default
root@foghorn:~# ip r s t all
10.38.0.3 dev venet0 scope link
10.38.0.2 dev venet0 scope link
10.38.0.4 dev veth103.0 scope link
10.255.255.0/29 dev eth0 proto kernel scope link src 10.255.255.2
10.38.0.0/26 dev eth1 proto kernel scope link src 10.38.0.1
192.168.1.0/24 via 10.38.0.4 dev veth103.0
10.10.0.0/24 via 10.38.0.4 dev veth103.0
default via 10.255.255.1 dev eth0
local 10.255.255.2 dev eth0 table 255 proto kernel scope host src 10.255.255.2
broadcast 127.255.255.255 dev lo table 255 proto kernel scope link src 127.0.0.1
broadcast 10.255.255.0 dev eth0 table 255 proto kernel scope link src 10.255.255.2
broadcast 10.38.0.63 dev eth1 table 255 proto kernel scope link src 10.38.0.1
broadcast 10.255.255.7 dev eth0 table 255 proto kernel scope link src 10.255.255.2
local 10.38.0.1 dev eth1 table 255 proto kernel scope host src 10.38.0.1
broadcast 10.38.0.0 dev eth1 table 255 proto kernel scope link src 10.38.0.1
broadcast 127.0.0.0 dev lo table 255 proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table 255 proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table 255 proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev veth103.0 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::213:d3ff:fe0e:7d8b via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::218:4dff:fef0:9a8f via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::218:51ff:fe74:1c30 via :: dev lo table 255 proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff00::/8 dev eth0 table 255 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 table 255 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev veth103.0 table 255 metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table unspec proto none metric -1 error -101 hoplimit 255
root@foghorn:~#



Re: routing issue with openvpn in container [message #33149 is a reply to message #33143] Thu, 25 September 2008 06:55
maratrus

Hello,

Why do you expect your HN to be able to ping 10.10.0.9 or 10.10.0.13? It's a virtual private network and you must connect to your OpenVPN server (your VE) to be able to reach those machines?

Re: routing issue with openvpn in container [message #33173 is a reply to message #33149] Fri, 26 September 2008 14:17
james

Mainly because I have the routes set up (e.g. ip r add 10.10.0.0/24 via 10.38.0.4) and the rest of my LAN can reach 10.10.0.0/24. The other containers on the HN can also reach 10.10.0.0/24.

Re: routing issue with openvpn in container [message #33174 is a reply to message #33173] Fri, 26 September 2008 15:13
maratrus

Hi,

Could you possibly show the routing records from inside the VE?
Please also use the tcpdump utility to find out why your VE doesn't respond. Try to ping your VE and run tcpdump at the same moment:
- on the HN (veth interface)
- inside VE (eth interface)
Do you have any iptables limitations?
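
Added example, not part of any post in this thread: a small Python route lookup over the HN's main-table IPv4 routes as posted in the first message, showing which route each destination in the thread matches and whether that route pins a source address, which is the address to look for in the tcpdump captures suggested above. The function names are this example's own.

```python
import ipaddress

# Main-table IPv4 routes copied from the `ip r s t all` output in the first post.
HN_ROUTES = """\
10.38.0.3 dev venet0 scope link
10.38.0.2 dev venet0 scope link
10.38.0.4 dev veth103.0 scope link
10.255.255.0/29 dev eth0 proto kernel scope link src 10.255.255.2
10.38.0.0/26 dev eth1 proto kernel scope link src 10.38.0.1
192.168.1.0/24 via 10.38.0.4 dev veth103.0
10.10.0.0/24 via 10.38.0.4 dev veth103.0
default via 10.255.255.1 dev eth0
"""

def parse_routes(text):
    """Parse `ip route` lines into dicts holding prefix, dev, via and src."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        # After the destination, tokens come as keyword/value pairs.
        opts = dict(zip(tok[1::2], tok[2::2]))
        routes.append({"prefix": ipaddress.ip_network(dest),
                       "dev": opts.get("dev"), "via": opts.get("via"),
                       "src": opts.get("src")})
    return routes

def lookup(routes, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen) if hits else None

def report(routes, dst):
    """One line per destination: chosen route and whether it pins a source."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: no route"
    hop = f"via {r['via']}" if r["via"] else "on-link"
    src = r["src"] or "not pinned (kernel selects; check with tcpdump)"
    return f"{dst}: {r['prefix']} {hop} dev {r['dev']} src {src}"

if __name__ == "__main__":
    table = parse_routes(HN_ROUTES)
    # VPN server, both VPN clients, the VE's veth address, a LAN node.
    for dst in ("10.10.0.1", "10.10.0.9", "10.10.0.13", "10.38.0.4", "10.38.0.50"):
        print(report(table, dst))
```

On the HN itself, `ip route get 10.10.0.9` prints the kernel's actual decision for that destination, including the source address it selects.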