Linux – Bringing an IPsec tunnel on the hardware node to the OpenVZ containers

bridgelinuxnetworkingopenvzrouting

I have a server hosting OpenVZ containers. An IPsec tunnel is configured on the hardware node (HN) and I'd like to make the remote network available in the containers (CT). How can I do this?

The current setup is like this:

HN has a public address on eth0
HN has a private address 192.168.100.1 on the alias eth0:0
The remote network is 192.168.200.0/24, HN is able to ping hosts on this network
CT has a public address on venet0, it is reachable from the outside world and can reach external hosts
CT has a private address 192.168.100.101. It can ping its HN on the private address 192.168.100.1
No firewall is configured

CT can't reach hosts on the remote 192.168.200.0/24 network and I'm not sure how to do this. Can this be done by using a venet interface for the containers, or do I have to switch to veth? Is this a missing route on the HN? Do I have to enable some kind of NATing on the HN?

Any help will be appreciated.

UPDATE: If the CT send a ping from its private address I can see the icmp request/reply with a tcpdump on the venet0 interface on the host. I looks like the outgoing traffic is fine but the incoming traffic is blocked.

Best Answer

To make the host's IPsec tunnels available to your containers, you need to run this in your container :

sysctl -w net.ipv4.conf.venet0.disable_policy=1

This will disable the IPSEC policy (SPD) checks on the VZ's interface. This needs to be adapt if veth devices are used in the container.

For more details see:

Related Solutions

OpenVZ multiple networks on CTs

Same problem, but different solution. The two ports were not connected to the same network and needed to appear from the IP address of the virtual machine, so masquerading did not work.

The main issue here is that the openvz container sets the subnet of all of the ips on venet to 255.255.255.255. There is no preference of one interface. There is no preference on which router it should go through, so it sometimes uses eth0, and sometimes uses eth1. The result was random failures for certain IP addresses when the request goes out on the wrong interface.

One solution was to add a route that specified the source like so:

ip route add 10.20.0.0/16 dev venet0 src 10.20.0.xxx
ip route add a.b.c.241/24 dev venet0 src a.b.c.xxx

I found that the simplest solution for now was to set set the subnets just after they've been brought up (on an ubuntu/debian container in /etc/network/if-up.d):

#!/bin/sh
if [ "$IFACE" = "venet0:1" ]; then
        ifconfig venet0:1 netmask 255.255.0.0 up
fi
if [ "$IFACE" = "venet0:0" ]; then
        ifconfig venet0:0 netmask 255.255.255.0 up
fi
exit 0

Both solutions should have the same affect. Both solutions makes me a little concerned that when accessing the internet (to update or for DNS), it may unintentionally use the 10.x.x.x address that has no route to the internet. The default route is default via 192.0.2.1 dev venet0, so I'm not quite sure how it gets to there, but it appears to work as intended after several reboots of both the container and the host.

UPDATE For a more rubust solution: I used bash to check the IP and figure out what subnet to add it to.

Ubuntu/Debian (/etc/network/if-up.d):

#!/bin/bash
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $IFACE, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$IFACE" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $IFACE, IP address $IF_ADDRESS marked as external"
        ifconfig "$IFACE" netmask 255.255.255.0 up
fi
exit 0

CentOS/Redhat (/sbin/ifup-local):

#!/bin/bash
IFACE="$1"
IF_ADDRESS=$(ifconfig $IFACE | grep "inet addr" | awk '{print $2}' | cut -d':' -f2);
if [ "${IF_ADDRESS:0:6}" = "xx.yy." ]; then
        echo "AlReece45: $1, IP Address $IF_ADDRESS marked as internal"
        ifconfig "$1" netmask 255.255.0.0 up
fi
if [ "${IF_ADDRESS:0:11}" = "xxx.yy.zzz." ]; then
        echo "AlReece45: $1, IP address $IF_ADDRESS marked as external"
        ifconfig "$1" netmask 255.255.255.0 up
fi
exit 0

Iptables – OpenVZ container can’t reach the internet

I finally found what the problem was.
After rechecking all the configurations again and again I finally found a little typo in my containers resolv.conf.
After adjusting it to the right nameserver, it finally works now.

Best Answer

Related Solutions

OpenVZ multiple networks on CTs

Iptables – OpenVZ container can’t reach the internet

Related Topic