OpenVZ + OpenVPN + iptables [message #7231]
Sat, 07 October 2006 21:42
gatos
Hello,
I decided to move my OpenVPN into OpenVZ, but I ran into some trouble. I guess it's NAT. The tun0 device doesn't forward any packets (TX=0).
iptables rules:
iptables -t nat -A POSTROUTING -j SNAT --to 88.xx.81.85 -s 192.168.2.0/255.255.255.0
tcpdump -i tun0
21:29:47.648984 IP 192.168.2.5 > 64.233.167.99: ICMP echo request, id 1536, seq 20224, length 40
21:29:52.929442 IP 192.168.2.5 > 64.233.167.99: ICMP echo request, id 1536, seq 20480, length 40
/etc/vz/vz.conf
IPTABLES="iptable_nat ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length"
/etc/modprobe.conf
..
options ip_conntrack ip_conntrack_enable_ve0=1
ifconfig
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.15.1 P-t-P:192.168.15.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:75 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:3872 (3.7 KiB) TX bytes:0 (0.0 b)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:706 errors:0 dropped:0 overruns:0 frame:0
TX packets:454 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:61208 (59.7 KiB) TX bytes:58291 (56.9 KiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:88.xx.81.85 P-t-P:88.xx.81.85 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Thank you in advance
Re: OpenVZ + OpenVPN + iptables [message #7245 is a reply to message #7231]
Mon, 09 October 2006 04:52
dlzinc
Inside the VE, check whether IP forwarding is enabled:
# sysctl net.ipv4.ip_forward
To enable it:
# sysctl -w net.ipv4.ip_forward=1
You'll also need routes on the HN to tell it where to send the received NATed packets. (I think that's all you need at least...)
Re: OpenVZ + OpenVPN + iptables [message #7281 is a reply to message #7231]
Tue, 10 October 2006 07:25
dev
1. Why have you installed vzctl inside the VE? This makes apt-get install fail.
2. I installed strace inside the VE.
3. I straced openvpn process 13724. You can find the output in the out and out.2 files.
The out.2 file demonstrates that this process reads ping ICMP packets from /dev/net/tun:
read(6, "E\0\0T\0\0@\0@\1\233U\300\250\17\1\300\250\17\2\10\0Se"..., 1500) = 84
/dev/net/tun has fd=6:
debian-tun-1:~# ls /proc/13724/fd -la
lrwx------ 1 root root 64 Oct 10 07:12 6 -> /dev/net/tun
i.e. tun/tap works fine.
4. However, this process doesn't send the packet anywhere...
It looks like it tries to negotiate with the other end:
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 70, MSG_NOSIGNAL) = 70
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 79, MSG_NOSIGNAL) = 79
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 74, MSG_NOSIGNAL) = 74
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 81, MSG_NOSIGNAL) = 81
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 81, MSG_NOSIGNAL) = 81
send(4, "<29>Oct 10 07:15:46 ovpn-server["..., 67, MSG_NOSIGNAL) = 67
but gets no reply :/
fd 4:
lrwx------ 1 root root 64 Oct 10 07:12 4 -> socket:[745036]
debian-tun-1:~# netstat -nap
unix 2 [ ] DGRAM 745036 13724/openvpn
5. So I guess your configuration of openvpn is wrong.
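The read() that dev's strace shows is a raw IPv4 packet, and the 24 bytes strace printed happen to cover the whole 20-byte IP header plus the first 4 bytes of ICMP. The script below is an added example, not code from the thread or from OpenVPN: it decodes those bytes, verifies the IP header checksum, and relates the addresses to the tun0 endpoints from gatos's ifconfig (192.168.15.1 / 192.168.15.2, assumed to still be in effect when the strace was taken). It assumes OpenVPN opened the tun device with IFF_NO_PI, so the buffer starts at the IP header with no packet-information prefix; the byte string is copied from the post's strace output in the same C escape notation.

```python
import struct
from ipaddress import IPv4Address

# Constructed input: the 24 bytes strace printed for the read() from
# /dev/net/tun in the post above, in the same escape notation (Python
# bytes literals accept the same octal escapes). strace truncated the
# 84-byte packet, so only the IPv4 header and the first 4 bytes of the
# ICMP header are available here.
TUN_READ = b"E\0\0T\0\0@\0@\1\233U\300\250\17\1\300\250\17\2\10\0Se"

# tun0 addresses from the ifconfig output in the first post (assumption:
# unchanged when the strace was taken).
TUN_LOCAL = "192.168.15.1"
TUN_PEER = "192.168.15.2"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Run over a header
    that still contains its stored checksum, it returns 0 when valid."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> dict:
    """Decode a raw IPv4 packet as read from a tun device (assumed
    IFF_NO_PI: no Ethernet frame, no 4-byte packet-information prefix)."""
    if len(buf) < 20:
        raise ValueError("buffer shorter than a minimal IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if len(buf) < ihl:
        raise ValueError("IP options truncated")
    info = {
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,   # length on the wire, not bytes captured
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,           # 1 = ICMP
        "checksum": csum,
        "checksum_ok": inet_checksum(buf[:ihl]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "captured": len(buf),
    }
    payload = buf[ihl:]
    if proto == 1 and len(payload) >= 4:
        icmp_type, icmp_code, icmp_csum = struct.unpack("!BBH", payload[:4])
        # type 8 / code 0 is an echo request; the ICMP checksum cannot be
        # verified because strace did not print the rest of the payload.
        info["icmp"] = {"type": icmp_type, "code": icmp_code,
                        "checksum": icmp_csum}
    return info


def tun_role(info: dict, local: str = TUN_LOCAL, peer: str = TUN_PEER) -> str:
    """Classify the packet: traffic between the two tunnel endpoints, or
    transit traffic the VE would have to forward (and SNAT) out of venet0."""
    if info["src"] == local and info["dst"] == peer:
        return "endpoint-to-peer over the tunnel"
    if info["src"] == peer and info["dst"] == local:
        return "peer-to-endpoint over the tunnel"
    return "transit traffic to be forwarded"


if __name__ == "__main__":
    pkt = parse_ipv4(TUN_READ)
    for key, value in pkt.items():
        print(f"{key:>14}: {value}")
    print("          role:", tun_role(pkt))
```

Decoded, the buffer is an 84-byte ICMP echo request from 192.168.15.1 to 192.168.15.2 with DF set, TTL 64 and a valid header checksum of 0x9b55, i.e. a ping between the two tun0 endpoints rather than the 192.168.2.5 traffic in the original tcpdump. The same parser can be pointed at any other `read(6, ...)` line from the trace to see which packets actually arrive at the tun fd.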