fbpx

OpenVZ and sit-tunnels (Hurricane Electric) +openvpn

It has come absolutely clear to me that sit-tunneling on OpenVZ is practically impossible. A technician from Hurricane Electric has rounded it up by following comment:

Ok, I’ve been handling a bunch of tickets opened by folks now trying to get OpenVZ or Virtuozzo set up. The common mistake being done is people trying to bring up the tunnel inside the virtualized server. You MUST set up the tunnel on the OS that runs the physical machine. Then you can assign IPv6 addresses to the virtualized servers from your routed allocations.

Link

And he’s definetly not joking. Setting up tunnels, based on sit is not working, regardless of the method you use. However, gre-tunneling actually seem to work with a bit of work. First of all, you have to make sure the interfaces are really available when running them on the host.

The following commands are activating both gre and sit, but with no permissions to use sit on the virtual host. To make tunneling with sit work, make sure the tunnel is added on the host, not the VPS itself. I have currently found no way of making sit work. Either I get no permission to the interface, or I get ”No buffer space available”.

Another tip that people have linked to (oh, of course, the links are dead) – is tb-tun (https://code.google.com/archive/p/tb-tun/) which is an application that allows sit to be created in a userspace (not tested).

modprobe ip_gre
modprobe ip_tunnel
modprobe sit

The next step is to activate some features for the box. This step made me activate the gre-interface and I thought I also got the sit to work. But no, that failed. Do not forget to shut down your VPS here, as the following steps requires this.

vzctl set ctid --features ipgre:on,sit:on,ipip:on,bridge:on --save
vzctl set ctid --devnodes net/tun:rw --save
vzctl set ctid --netfilter full

The last step was to set the VPS capabilities. As vzctl has the capability setting deprecated, it’s better using prlctl for this action. This was actually made in bash as there was too many row to set manually…

capabilities="net_admin net_raw sys_admin ve_admin sys_resource"
for cap in $capabilities
do
prlctl set $ctid --capability ${cap}:on
done

If the interfaces do not show up when starting up the VPS again, you might also need to ass the devices manually.

vzctl set ctid --netdev_add gre0 --save
vzctl set ctid --netdev_add sit0 --save

In some cases you also need to use mknod to create the /dev/net/tun, that is used by the tunnel interfaces (I did this both on the host and the virtual server).

mkdir -p /dev/net
mknod /dev/net/tun c 10 200

At this moment you should be able to create both gre-tunnels and actually also use openvpn. However – still – trying to use sit, is a no go.


Upptäck mer från Tornevall

Prenumerera för att få de senaste inläggen skickade till din e-post.

You may also like