OpenVPN routing for OpenVZ containers

networkingopenvpnopenvzroutingvirtualization

I am trying to make OpenVPN tunnel accessible for all OVZ CT's running on the host.
I have initialized the tunnel devise on the host server to remote VPN server.
Although I have PING response from the remote tunnel end-point on the host, I do not have it from inside the container.

Can anyone point me on the routing configuration that I need to perform in order to have the remote VPN server accessible from inside the OpenVPN containers ?

Thanks in advance.

Best Answer

Just solved this problem with iptables NAT rule like this:

iptables -t nat -A POSTROUTING -d TARGET_NET/MASK -s CT'S_NET/MASK -j SNAT --to TUN_IP_ADDR

Related Solutions

Openvpn – Routing not working with OpenVPN

Client(172.17.17.6)<->Router+Firewall<->OVPN Srv(WAN:197.174.211.77)<->Subnet A 197.174.211.0/255.255.255.224 AND Subnet B 197.174.211.64/255.255.255.224

So your OpenVPN server locates in Subnet B. I assume your servers in Subnet A can route to Subnet B.

route 197.174.211.0 255.255.255.224         <---- You don't need this, remove it
route 197.174.211.64 255.255.255.224        <---- You don't need this, remove it
push "route 197.174.211.0  255.255.255.224"
push "route 197.174.211.64  255.255.255.224"

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.17.17.2     *               255.255.255.255 UH    0      0        0 tun0
197.174.211.64  172.17.17.2     255.255.255.224 UG    0      0        0 tun0  <-- Bad
197.174.211.64  *               255.255.255.224 U     0      0        0 eth0
172.17.17.0     172.17.17.2     255.255.255.0   UG    0      0        0 tun0
default         197.174.211.65  0.0.0.0         UG    0      0        0 eth0

Now 197.174.211.65 is your default router. You need to configure it for routing 172.17.17.0/24 to 197.174.211.77. You also need to configure router in Subnet A for this.

Another solution (with iptables installed):

iptables -t nat -A POSTROUTING -s 172.17.17.0/24 -o eth0 -j MASQUERADE

Debian – Assigning IPs to OpenVZ containers

Decision about routing or bridging are functional more than technical; there are pros and cons and its a choice. I prefer routing if I have only one interface, because this way let me having a single point of control (the HN) and on it, I can put some iptables or extra-protection for container which are not by default accessible from the Internet. If you prefer routing, you need to make sure the value of net.ipv4.conf.all.forwarding = 1 (run the command sysctl -a | grep forward). If not, echo 1 > /proc/sys/net/ipv4/ip_forward; (but won't survive a reboot) or add the line

net.ipv4.conf.all.forwarding = 1

in /etc/sysctl.conf and run sysctl -P after. Usually, one route instead of bridging because it allows NAT, which helps when lacking of IP4 addresses, but this is not your case, you have at least two of them.

On the other hand, bridging puts your HN and your VPS equal to equal. You can do this directly on the Internet because you seems to have enough IP addresses. You may need then extra protection on each container (iptables on each container and on host for instance).

To come back to your (routing) problem, if setting ip_forward to 1 does not help; try arp -an (sees if it resolves at this point) from both HN and VPS and tcpdump to get more details, when the packets are lost? at layer 2 or 3?

About IPv6, I really don't know :/

Best Answer

Related Solutions

Openvpn – Routing not working with OpenVPN

Debian – Assigning IPs to OpenVZ containers

Related Topic