2014-06-21 10:47 GMT+04:00 Rene C. <ope...@dokbua.com>:

> I got the openvpn part itself down, no problem, but getting it to work
> in a container is a lot of hassle. Many pages, but most are outdated
> and things keep changing. Anyone know how to get it to work TODAY?
>
> The server is an otherwise normal server with public IP addresses and
> works with cpanel, no problem that far. The problem is getting an
> openvpn service to work in it.

- which modules to insmod on the hwnode

$ *cat /etc/modules*
#Iptables
ip_tables
iptable_filter
iptable_mangle
ipt_limit
ipt_multiport
ipt_tos
ipt_REJECT
ipt_TCPMSS
ipt_tcpmss
ipt_ttl
ipt_length
ip_conntrack
ipt_state
ipt_connlimit
ipt_recent
ipt_comment
xt_comment

- which modules to add into /etc/vz/vz.conf

*/etc/vz/vz.conf*:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip6_tables ip6table_filter ip6table_mangle ip6t_REJECT"

- which modules to add into /etc/vz/<ct>.conf

*/etc/vz/conf/2xx.conf:*
DEVNODES="net/tun:rw "
DEVICES="c:10:200:rw "
CAPABILITY=" NET_ADMIN:on"
IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ip_conntrack ipt_state ipt_recent iptable_nat "

Make sure you add this on your HN in the mangle table (note: replace eth0 with your outbound internet interface):

# Generated by iptables-save v1.4.14 on Sun Jun 22 23:05:56 2014
*mangle
:PREROUTING ACCEPT [106874720:35868997787]
:INPUT ACCEPT [73771015:17894674066]
:FORWARD ACCEPT [33103560:17974356407]
:OUTPUT ACCEPT [63966614:112159146298]
:POSTROUTING ACCEPT [97050402:130132419523]
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Jun 22 23:05:56 2014

This rule fixes the issue with low-MTU packets.

*settings inside CT:*
/etc/openvpn/server.conf:
fragment 1420
mssfix

These two settings also fix issues with low TCP MTU.
Firewall settings in the container for OpenVPN:

*/etc/iptables.rules* in CT (note: replace port 1111 with your OpenVPN server port and 1.2.3.4 with the external IP of your CT):

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall - [0:0]
-A INPUT -s 10.8.1.0/24 -j ACCEPT
-A INPUT -j Firewall
-A FORWARD -d 10.8.1.0/24 -j ACCEPT
-A FORWARD -s 10.8.1.0/24 -j ACCEPT
-A Firewall -p udp -m udp --dport 1111 -m state --state NEW -m comment --comment "OpenVPN server" -j ACCEPT
-A Firewall -i lo -j ACCEPT
-A Firewall -m state --state RELATED,ESTABLISHED -j ACCEPT
-A Firewall -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jun 5 15:31:33 2014
# Generated by iptables-save v1.4.14 on Thu Jun 5 15:31:33 2014
*mangle
:PREROUTING ACCEPT [97586930:43802318561]
:INPUT ACCEPT [31215292:5102519658]
:FORWARD ACCEPT [66363273:38698230987]
:OUTPUT ACCEPT [44914356:38872135945]
:POSTROUTING ACCEPT [111277625:77570366051]
COMMIT
# Completed on Thu Jun 5 15:31:33 2014
# Generated by iptables-save v1.4.14 on Thu Jun 5 15:31:33 2014
*nat
:PREROUTING ACCEPT [3571417:259748350]
:POSTROUTING ACCEPT [1726:125927]
:OUTPUT ACCEPT [1727:126000]
-A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 1.2.3.4
COMMIT
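As an added example (not from this post or the OpenVZ project), a small preflight script that checks the three pieces described above against files: the CT config grants tun/NET_ADMIN and the netfilter modules, the HN mangle table carries the MSS clamp, and the CT nat table SNATs the VPN subnet. The function names, the `write_samples` helper and its sample contents are assumptions constructed here so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the list post or OpenVZ): preflight checks for the
# OpenVPN-in-CT setup above. Each check takes a path, so it works on the real
# /etc/vz/conf/<CTID>.conf or an iptables-save dump, or on the samples below.

# The CT config must expose /dev/net/tun (char 10:200), grant NET_ADMIN and
# list the netfilter modules the container firewall needs.
check_ct_conf() {
    conf="$1"; rc=0
    grep -Eq '^DEVNODES=.*net/tun:rw' "$conf"     || { echo "$conf: DEVNODES lacks net/tun:rw"; rc=1; }
    grep -Eq '^DEVICES=.*c:10:200:rw' "$conf"     || { echo "$conf: DEVICES lacks c:10:200:rw"; rc=1; }
    grep -Eq '^CAPABILITY=.*NET_ADMIN:on' "$conf" || { echo "$conf: CAPABILITY lacks NET_ADMIN:on"; rc=1; }
    for m in ip_tables iptable_filter iptable_nat ip_conntrack ipt_state; do
        # a delimiter on both sides so ip_tables does not match inside ip6_tables
        grep -Eq "^IPTABLES=.*[\" ]$m[\" ]" "$conf" || { echo "$conf: IPTABLES lacks $m"; rc=1; }
    done
    return $rc
}

# The HN mangle table must clamp MSS on forwarded SYNs (the low-MTU fix).
check_mss_clamp() {
    awk '/^\*mangle/{t=1;next} /^COMMIT/{t=0}
         t && /^-A FORWARD .*-j TCPMSS --clamp-mss-to-pmtu/{f=1}
         END{exit !f}' "$1"
}

# The CT nat table must SNAT the VPN subnet ($2) to the CT's external address.
check_snat() {
    awk -v s="-s $2 " '/^\*nat/{t=1;next} /^COMMIT/{t=0}
         t && /^-A POSTROUTING / && index($0,s) && /-j SNAT --to-source/{f=1}
         END{exit !f}' "$1"
}

# Constructed samples (not real hosts) so the checks can be run offline.
write_samples() {
    d="$1"
    printf '%s\n' 'DEVNODES="net/tun:rw "' 'DEVICES="c:10:200:rw "' 'CAPABILITY=" NET_ADMIN:on"' \
        'IPTABLES="ip_tables iptable_filter ip_conntrack ipt_state iptable_nat "' > "$d/good.conf"
    printf '%s\n' 'DEVNODES="net/tun:rw "' 'IPTABLES="ip6_tables iptable_filter "' > "$d/bad.conf"
    printf '%s\n' '*mangle' ':FORWARD ACCEPT [0:0]' \
        '-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu' \
        'COMMIT' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.8.1.0/24 -j SNAT --to-source 1.2.3.4' 'COMMIT' > "$d/good.rules"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' 'COMMIT' > "$d/bad.rules"
}

# Demo against the constructed samples; point the checks at real files instead.
dir=$(mktemp -d); write_samples "$dir"
check_ct_conf "$dir/good.conf" && check_mss_clamp "$dir/good.rules" \
    && check_snat "$dir/good.rules" 10.8.1.0/24 && echo "good samples: all checks pass"
check_ct_conf "$dir/bad.conf" >/dev/null || echo "bad.conf rejected as expected"
```

On a real HN, feed `check_mss_clamp` the output of `iptables-save` on the node and `check_snat` the dump taken inside the CT, since the two rules live in different tables on different hosts.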
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users