On Fri, 2010-03-05 at 15:33 +0000, Nils Toedtmann wrote:
> Dear OpenVZ community,
>
> I try to create an OpenVPN tunnel between different OpenVZ hardware nodes
> so containers running on different hardware nodes can communicate
> securely. For security and stability reasons, I want to run the OpenVPN
> daemons within containers, not on the hardware nodes. I followed some
> instructions I found on the net [1] and it's all working fine - but only
> if the OpenVPN containers double-NAT the traffic!
>
> But I need the containers on the different hardware nodes to directly
> see each other through the OpenVPN tunnels without any IP NATing!
>
> The problem seems to be that OpenVZ does not allow containers to "spoof"
> packets, that is, sending IP packets with source IP addresses other than
> the container's IP addresses. When I capture within the OpenVPN
> container, I can clearly see packets (having arrived through the tunnel)
> leaving the OpenVPN container via venet0, but I can't see them when I
> sniff venet0 from the hardware node.
>
> I tried granting capabilities net_admin and net_raw to the OpenVPN
> containers, but no luck.
>
> How do I allow a container to send IP packets from other IP addresses
> than its own - any ideas?

First question I always have to ask. Are you using the vnet driver or the veth driver? If the vnet driver, I'm not surprised. Others may have a way to get it working with the vnet driver but I gave up on it long ago as just too broken on IPv6. Try the veth driver, which means setting up bridging but may be a private bridge on that host as well, so you can emulate the vnet behavior, if that's your want.

> /nils.
>
> PS:
> hardware nodes = CentOS 5.4 + 2.6.18-164.2.1.el5.028stab066.7 x86_64
> containers = Ubuntu 8.04 with openvpn 2.1_rc7-1ubuntu3.5

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 | [email protected]
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
_______________________________________________ Users mailing list [email protected] https://openvz.org/mailman/listinfo/users
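The veth-plus-bridge setup Mike points at, written out as an added example that is not from the thread or from the OpenVZ project: it moves the OpenVPN container from venet (which drops forwarded packets with foreign source addresses) onto a host bridge via a veth pair, and then re-adds a narrower source filter on the bridge so the container can only source the tunnel prefix rather than anything at all. It assumes vzctl's `--netif_add ifname,mac,host_ifname,host_mac,bridge` form, bridge-utils (`brctl`) and ebtables on the hardware node; CT 101, bridge `vzbr0` and prefix 10.8.0.0/16 are constructed names.

```shell
#!/bin/sh
# Added example (not from the thread): print the host-side commands that
# attach an OpenVZ container to a bridge with a veth pair and restrict which
# source addresses it may forward, replacing venet's blanket anti-spoof check.
# Assumptions: vzctl --netif_add with a bridge field, brctl and ebtables
# present on the hardware node. CTID/bridge/prefix below are constructed.

# veth_bridge_cmds CTID BRIDGE ALLOWED_PREFIX
# Emits the commands instead of running them so they can be reviewed first.
veth_bridge_cmds() {
    ctid="$1"; bridge="$2"; prefix="$3"
    case "$ctid" in
        ''|*[!0-9]*) echo "CTID must be numeric: '$ctid'" >&2; return 1 ;;
    esac
    host_if="veth${ctid}.0"   # vzctl's default host-side name for CT eth0
    cat <<EOF
brctl addbr $bridge
ip link set $bridge up
vzctl set $ctid --netif_add eth0,,$host_if,,$bridge --save
brctl addif $bridge $host_if || true
vzctl exec $ctid sysctl -w net.ipv4.ip_forward=1
ebtables -A FORWARD -i $host_if -p IPv4 --ip-src ! $prefix -j DROP
EOF
}
# Notes on the emitted lines:
#  - the veth pair bypasses venet's per-container source-IP check, which is
#    what lets packets arriving over tun0 leave the container unchanged;
#  - "brctl addif ... || true" tolerates vzctl's own bridge hook having
#    already enslaved the interface;
#  - the ebtables rule keeps the container honest: frames entering the bridge
#    from $host_if with an IPv4 source outside $prefix are dropped, so the
#    container can forward tunnel traffic but not arbitrary addresses.

# Usage: sh this.sh 101 vzbr0 10.8.0.0/16 prints the commands; review them,
# then pipe into "sh -e" as root on the hardware node to apply.
if [ $# -eq 3 ]; then
    veth_bridge_cmds "$@"
fi
```

Containers on the other hardware node still need a route for 10.8.0.0/16 pointing at their own OpenVPN container; that part is unchanged from the double-NAT setup described in the question.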
