
Author Topic: How to use VPN via the TUN/TAP device using OpenVPN inside a container  (Read 18120 times)


vinayakk
OpenVPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls.

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multi-client server configuration, it allows the server to issue a certificate to every client, signed by a certificate authority. It uses the OpenSSL library extensively, protects its control channel with TLS, and contains many security and control features.

OpenVPN is the simplest way to get a VPN server running on a VPS: it uses the TUN interface /dev/net/tun and builds a tunnel to the client software running on your PC.

Kernel TUN/TAP support

OpenVZ supports a VPN inside a container via the kernel TUN/TAP module and device. To allow a container to use the TUN/TAP device, do the following on the hardware node.

Make sure the tun module is already loaded on the hardware node:

Code: [Select]
# lsmod | grep tun
If it is not listed, load it with the following command:

Code: [Select]
# modprobe tun
To make sure the tun module is loaded automatically on every reboot, add it either to the hardware node's module configuration or to the container's mount script:

Code: [Select]
/etc/modules.conf (on RHEL see the /etc/sysconfig/modules/ directory) or /etc/sysconfig/vz-scripts/CTID.mount
(echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/CTID.mount; NOTE: the mount file must start with '#!/bin/sh' and be executable, so don't forget chmod +x)

Granting a container access to TUN/TAP

Allow the container to use the tun/tap device by running the following commands on the hardware node. The net_admin capability lets the container configure its own interfaces, routes and firewall, which OpenVPN needs; grant it only to containers that actually run a VPN.

Code: [Select]
# vzctl set CTID --devices c:10:200:rw --save
# vzctl set CTID --capability net_admin:on --save

Then create the character device node inside the container (still executed on the hardware node; mode 600 keeps the tunnel device root-only inside the container):

Code: [Select]
#vzctl exec CTID mkdir -p /dev/net
#vzctl exec CTID mknod /dev/net/tun c 10 200
#vzctl exec CTID chmod 600 /dev/net/tun

Make vzctl recreate the device node on every container start:

Code: [Select]
# vzctl set CTID --devnodes net/tun:rw --save
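The steps above, collected into one script for the hardware node as an added example (this is not part of the original post and not a vzctl feature). It assumes vzctl is on PATH, that it runs as root on the OpenVZ host, and that the container has GNU stat available; the function names tun_grant_plan, tun_node_ok, ensure_tun_module and grant_tun are this example's own.

```shell
#!/bin/sh
# Added example: grant one OpenVZ container TUN/TAP access and verify it.
# Assumes: run as root on the hardware node, vzctl on PATH, GNU stat in the CT.
set -eu

# Print the exact host-side commands for a container ID, one per line.
# Kept separate from execution so the plan can be reviewed before it runs.
tun_grant_plan() {
  ctid="$1"
  printf '%s\n' \
    "vzctl set $ctid --devices c:10:200:rw --save" \
    "vzctl set $ctid --capability net_admin:on --save" \
    "vzctl exec $ctid mkdir -p /dev/net" \
    "vzctl exec $ctid mknod /dev/net/tun c 10 200" \
    "vzctl exec $ctid chmod 600 /dev/net/tun" \
    "vzctl set $ctid --devnodes net/tun:rw --save"
}

# Validate one line of  stat -c '%F %t:%T %a' /dev/net/tun  taken inside the
# container: a character device, major 10 (0xa), minor 200 (0xc8) and mode 600
# so only root in the container can open the tunnel device.
tun_node_ok() {
  case "$1" in
    "character special file a:c8 600") return 0 ;;
    *) return 1 ;;
  esac
}

# Load the tun module on the node if lsmod does not list it yet.
ensure_tun_module() {
  if ! lsmod | grep -q '^tun '; then
    modprobe tun
  fi
}

# Run the plan for a container, then check the device node from inside it.
grant_tun() {
  ctid="$1"
  ensure_tun_module
  tun_grant_plan "$ctid" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
  node="$(vzctl exec "$ctid" stat -c '%F %t:%T %a' /dev/net/tun)"
  if tun_node_ok "$node"; then
    echo "CT $ctid: /dev/net/tun OK ($node)"
  else
    echo "CT $ctid: unexpected /dev/net/tun: $node" >&2
    return 1
  fi
}

# Usage: ./grant-tun.sh CTID   (does nothing when no CTID is given)
if [ $# -ge 1 ]; then
  grant_tun "$1"
fi
```

Running `tun_grant_plan 101` on its own prints the six commands without executing them, which is handy for review or for pasting into a change ticket; `grant_tun 101` executes them and fails loudly if the node inside the container does not come out as a 600 character device with major 10 and minor 200.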

Installing OpenVPN on OpenVZ

The script does the following:
It checks that tun/tap is enabled. If it isn't, you will need to contact your support department and have it enabled before continuing.
It downloads and installs the RPMForge repository for CentOS (where the OpenVPN packages are located).
It uses YUM to install all the required packages (openvpn openssl openssl-devel).

Once the required packages are installed, the script creates a simple, easy to use OpenVPN configuration and puts the files your client needs in /root/openvpn-keys.tgz. It sets OpenVPN to run on boot and creates the iptables NAT rules needed to route your traffic via your primary public IP address, saving them so they survive an iptables restart.

Installation Steps

Download the following script, read it, and run it as root. Note that it is served over plain HTTP, so nothing protects it from being altered in transit; since it runs with full privileges inside the container, review its contents before executing it.

Code: [Select]
wget http://www.openvz.ca/scripts/install-openvpn.sh
chmod 700 install-openvpn.sh
./install-openvpn.sh

When asked to enter a "Passphrase", do not enter one; leave it blank and just press "enter" (a passphrase-protected server key would stop OpenVPN from starting unattended at boot).
When asked for Country Code, Province, City... these do not have to be accurate. Any values will do.
When asked if you want to build/sign the generated certificates, enter yes (y).
It is normal for it to ask you twice for the same information, since you are generating both the server and the client keys.

The final step is to download the /root/openvpn-keys.tgz archive, extract it on your PC and import the .ovpn file into your OpenVPN client (download the client first if you haven't already). This creates a connection entry in the client and lets you quickly establish a VPN connection to your VPS whenever you need it. The archive contains the client's private key, so transfer it over an authenticated channel such as scp and remove it from the server once it is on your PC.
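What the generated server side looks like, as an added example (not code from the original post or from the openvz.ca script): a minimal routed OpenVPN server.conf plus the NAT rules that send client traffic out through the container's public address. It assumes easy-rsa has already produced ca.crt, server.crt, server.key, dh2048.pem and ta.key in /etc/openvpn, that the container's public interface is venet0 (the OpenVZ default), that the hardware node allows the iptables nat table inside the container, and that 10.8.0.0/24 is free for the tunnel; the function names and the public IP 203.0.113.10 used in the usage note are this example's own.

```shell
#!/bin/sh
# Added example: minimal OpenVPN server config and NAT rules inside an OpenVZ CT.
# Assumes keys from easy-rsa in /etc/openvpn, public interface venet0, and
# that the nat table is permitted for this container.
set -eu

# Write a server.conf to the given path: routed (tun) mode, TLS for the control
# channel, a tls-auth HMAC key so packets without it are dropped before the TLS
# handshake even starts, and a privilege drop to nobody after startup.
write_server_conf() {
  out="$1"
  cat > "$out" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status /var/log/openvpn-status.log
verb 3
EOF
}

# Print the commands that forward client traffic out of the container via its
# public address (SNAT, since venet0 has no MAC and a fixed address) and save
# the rules so they survive an iptables restart.
nat_rules_plan() {
  public_ip="$1"
  printf '%s\n' \
    "sysctl -w net.ipv4.ip_forward=1" \
    "iptables -A INPUT -p udp --dport 1194 -j ACCEPT" \
    "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source $public_ip" \
    "service iptables save"
}

# Check one line of 'netstat -apn' output: is OpenVPN bound to UDP 1194?
openvpn_listening() {
  echo "$1" | grep -q '^udp .*:1194 .*/openvpn$'
}

# Usage: ./setup-openvpn.sh PUBLIC_IP   (does nothing when no IP is given)
if [ $# -ge 1 ]; then
  write_server_conf /etc/openvpn/openvpn.conf
  nat_rules_plan "$1" | while IFS= read -r cmd; do
    echo "+ $cmd"
    $cmd
  done
  chkconfig openvpn on
  service openvpn start
fi
```

`nat_rules_plan 203.0.113.10` prints the four commands for review before anything is changed; after `service openvpn start`, feeding a line of `netstat -apn` to `openvpn_listening` gives the same check as the netstat command shown below.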

The following commands are useful for checking that OpenVPN is listening and running:
Code: [Select]
# netstat -apn | grep openvpn

The output:
==============================
udp 0 0 0.0.0.0:1194 0.0.0.0:* 46223/openvpn
==============================

Code: [Select]
# ps aux | grep openvpn

The output:
==============================
root 46223 0.0 0.0 8568 1216 ? Ss 17:29 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --config openvpn.conf --cd /etc/openvpn --script-security 2
