Hi, I've got a non-global zone for which I want to do an OpenVPN connection so that it has a different route to the internet than my global zone.
I've tried running OpenVPN in the non-global zone, but it won't let me (I can export the device /dev/tun to get rid of one error): "Can't push IP module: Not owner (errno=1)". The discussion on zones-discuss (see http://mail.opensolaris.org/pipermail/zones-discuss/2007-March/001996.html) seems to suggest that it simply is not possible to run OpenVPN within a NGZ. Fine for me, I can run the OpenVPN in the global zone if necessary.

I've created an etherstub0, vnic0 and vnic1 and connected the NGZ and the global zone via this virtual network 10.42.0.0/24 (10.42.0.1 is the global zone, 10.42.0.2 the NGZ). My VPN is at 10.23.0.33 (my side) / 10.23.0.34 (remote side) in the global zone. In the NGZ, I've added a network route to 10.23.0.0/24 via 10.42.0.1 in the NGZ. I've added NATing from 10.42.0.0/24 to 10.23.0.0/24 via the tun0 interface in the global zone. Now I wanted to add a default route to 10.23.0.34 (the VPN endpoint) in the NGZ, but apparently that is not possible:

    r...@anon:~# netstat -rn

    Routing Table: IPv4
      Destination           Gateway           Flags  Ref     Use     Interface
    -------------------- -------------------- ----- ----- ---------- ---------
    10.23.0.0            10.42.0.1            UG        1          0 vnic1
    10.42.0.0            10.42.0.2            U         1          1 vnic1
    127.0.0.1            127.0.0.1            UH        1          0 lo0

    Routing Table: IPv6
      Destination/Mask            Gateway                   Flags Ref   Use    If
    --------------------------- --------------------------- ----- --- ------- -----
    ::1                         ::1                         UH      1       0 lo0

    r...@anon:~# ping 10.42.0.1
    10.42.0.1 is alive
    r...@anon:~# ping 10.23.0.33
    10.23.0.33 is alive
    r...@anon:~# route add default 10.23.0.34
    add net default: gateway 10.23.0.34: Network is unreachable

It looks like I would need to add a default route to the global zone in the NGZ and then decide which route to use in the global zone based on source IP. Apparently, this is an RFE (see http://bugs.opensolaris.org/view_bug.do?bug_id=4777670), but it claims this is also possible using ipfilter. Can someone point me in the right direction on how I would accomplish this?
Thanks in advance,
Cheers,
Alex
--
This message posted from opensolaris.org
_______________________________________________
networking-discuss mailing list
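The layout the post describes, written out as an added example that is not part of the original message or of any OpenSolaris project code: the etherstub with vnic0 in the global zone and vnic1 in the NGZ, the NGZ's routes pointing at the global zone, NAT of the 10.42.0.0/24 subnet out of tun0, and the missing piece, a source-based route for the NGZ's traffic, expressed as IPFilter rules. Interface names and addresses are the ones in the post; the zone name "ngz" is a placeholder, and the ipf "to ifname:gateway" policy-routing clause is an assumption about the IPFilter release in use. By default the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not from the original post or any OpenSolaris project code.
# Reproduces the post's etherstub/VNIC layout and expresses the per-source
# route it asks for as IPFilter configuration. Names and addresses are the
# post's; ZONE is a placeholder, and the ipf "to ifname:gateway" clause is an
# assumption about the IPFilter release. Nothing is applied unless "apply" is
# given as the first argument.

STUB=etherstub0
GZ_VNIC=vnic0;   GZ_ADDR=10.42.0.1
NGZ_VNIC=vnic1;  NGZ_ADDR=10.42.0.2
VNET=10.42.0.0/24
VPN_IF=tun0;     VPN_NET=10.23.0.0/24
VPN_LOCAL=10.23.0.33; VPN_PEER=10.23.0.34
ZONE=${ZONE:-ngz}   # placeholder zone name, not from the post

# Global-zone commands: the virtual switch, the global zone's end of it,
# vnic1 handed to an exclusive-IP zone, and forwarding between vnic0 and tun0.
plan_gz_network() {
    cat <<EOF
dladm create-etherstub $STUB
dladm create-vnic -l $STUB $GZ_VNIC
dladm create-vnic -l $STUB $NGZ_VNIC
ifconfig $GZ_VNIC plumb $GZ_ADDR/24 up
zonecfg -z $ZONE "set ip-type=exclusive; add net; set physical=$NGZ_VNIC; end"
routeadm -u -e ipv4-forwarding
EOF
}

# Commands run inside the NGZ: everything outside 10.42.0.0/24 goes to the
# global zone, the only gateway the zone's own routing table can reach.
plan_ngz_routes() {
    cat <<EOF
ifconfig $NGZ_VNIC plumb $NGZ_ADDR/24 up
route -p add -net $VPN_NET $GZ_ADDR
route -p add default $GZ_ADDR
EOF
}

# /etc/ipf/ipnat.conf: translate the NGZ subnet to tun0's address on the way out.
gen_ipnat_conf() {
    printf 'map %s %s -> 0/32 portmap tcp/udp auto\n' "$VPN_IF" "$VNET"
    printf 'map %s %s -> 0/32\n' "$VPN_IF" "$VNET"
}

# /etc/ipf/ipf.conf: choose the outbound path by source address. Packets that
# arrive on vnic0 from the NGZ are pushed out tun0 to the VPN peer regardless
# of the global zone's default route; the two destinations the NGZ already
# reaches directly are matched first so they keep the normal path.
gen_ipf_conf() {
    cat <<EOF
pass in quick on $GZ_VNIC from $VNET to $GZ_ADDR keep state
pass in quick on $GZ_VNIC from $VNET to $VPN_LOCAL keep state
pass in quick on $GZ_VNIC to $VPN_IF:$VPN_PEER from $VNET to any keep state
pass in quick on $VPN_IF from any to $VNET keep state
EOF
}

case "${1:-print}" in
    apply)  # run the global-zone steps and install both rule sets
        plan_gz_network | sh -e
        gen_ipnat_conf > /etc/ipf/ipnat.conf
        gen_ipf_conf   > /etc/ipf/ipf.conf
        svcadm enable ipfilter
        ipf -Fa -f /etc/ipf/ipf.conf
        ipnat -CF -f /etc/ipf/ipnat.conf
        ;;
    *)      # default: show what would be done, per place it runs
        echo "# global zone";            plan_gz_network
        echo "# inside zone $ZONE";      plan_ngz_routes
        echo "# /etc/ipf/ipnat.conf";    gen_ipnat_conf
        echo "# /etc/ipf/ipf.conf";      gen_ipf_conf
        ;;
esac
```

The ipf rules are applied on the inbound side of vnic0 because that is where the source address is known before the global zone's routing table is consulted; a 10.42.0.0/24 packet for any other destination is then forced out tun0 to 10.23.0.34 while the global zone's own traffic keeps its usual default route. Whether the `to` clause interacts correctly with the zone's VNIC on the poster's release is not something the thread confirms, so check with `ipfstat -io` after loading.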
