openvpn does work. dev/tun:rw and full netfilter are all the 'extras' I have in the container's config.

1) Not sure if it still works, but it's probably not useful in this particular case; I never used any capabilities for openvpn.

2) I use a single POSTROUTING rule, like the last one in your list.

I don't quite understand your setup. Do you use routed or bridged networking? With firewalld you configure eth0, but I see venet0 in iptables. I don't have much experience with eth devices inside a container; perhaps you might need to configure rp_filter for it to work with openvpn.

On Tue, 25 Feb 2020 10:21:33 +0100
Jehan Procaccia <jehan.procac...@imtbs-tsp.eu> wrote:

> Hello
>
> I have running VPNs that work perfectly on openvz6; now I have moved to
> openvz7 and I cannot make it forward or masquerade between interfaces.
>
> I am questioning different concepts:
>
> 1) Is enabling capabilities still enabled/useful?
>
> ie: prlctl set ctvpn --capability net_admin:on => doesn't save
> anything in the CT conf ...
>
> I did set
>
> prlctl set ctvpn --netfilter full => in order to have nat and mangle
> chains
>
> 2) Is using iptables or firewalld determinant? masquerade or SNAT?
>
> Neither of those works.
>
> For Masquerade I did
>
> firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
>
> For iptables I tried with
>
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
> -A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
>
> By the way, is venet0 important, as it appears down in the CT!?
>
> 2: venet0: <BROADCAST,POINTOPOINT,NOARP> mtu 1500 qdisc noop state DOWN group default
>     link/void
> 3: eth0@if248: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
>
> dev/tun is working correctly
>
> I set it with: vzctl set ctvpn --devnodes net/tun:rw --save
>
> CT-ABC /# ls -l /dev/net/tun
> crw-rw-rw- 1 root root 10, 200 Feb 25 10:07 /dev/net/tun
> CT-ABC /# cat /dev/net/tun
> cat: /dev/net/tun: File descriptor in bad state
> => message that means it is operational!
>
> openvpn uses the tun interface; connecting clients to the openvpn server
> works fine, but routing between interfaces (tun0 and eth0) doesn't work.
>
> Of course ip_forward is enabled
>
> CT-ABC /# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> Thanks for your help.
>
> _______________________________________________
> Users mailing list
> Users@openvz.org
> https://lists.openvz.org/mailman/listinfo/users
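The checks the reply points at (one POSTROUTING rule, rp_filter on the egress interface, a NAT rule bound to the DOWN venet0) collected into an added audit script; it is not code from the thread or from OpenVZ. It takes iptables-save output and sysctl values as text, and the sample dumps embed the subnet, address and interface names quoted in the message.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the prerequisites the reply
# lists for forwarding out of an OpenVPN CT (ip_forward, rp_filter, a nat table,
# one POSTROUTING NAT rule for the tun subnet, none bound to a DOWN interface).
# Inputs are text so it runs offline; on a live CT feed it iptables-save output.

# Number of POSTROUTING rules that SNAT or masquerade in an iptables-save dump.
nat_rule_count() {
    printf '%s\n' "$1" | grep -c -E '^-A POSTROUTING .*-j (SNAT|MASQUERADE)' || true
}

# Egress interfaces (-o IFACE) named by those rules, one per line.
nat_rule_ifaces() {
    printf '%s\n' "$1" | sed -nE 's/^-A POSTROUTING .*-o ([^ ]+) .*-j (SNAT|MASQUERADE).*/\1/p'
}

# audit_vpn_nat DUMP IP_FORWARD RP_FILTER "UP IFACES" VPN_SUBNET
# Prints one line per finding; returns 0 only when nothing is wrong.
audit_vpn_nat() {
    dump=$1; fwd=$2; rpf=$3; up=$4; subnet=$5; problems=0
    [ "$fwd" = 1 ] || { echo "ip_forward is $fwd, must be 1"; problems=$((problems + 1)); }
    [ "$rpf" != 1 ] || { echo "rp_filter=1 (strict) on egress, check it for tun0<->eth0"; problems=$((problems + 1)); }
    printf '%s\n' "$dump" | grep -q '^\*nat' \
        || { echo "no nat table (CT needs --netfilter full)"; problems=$((problems + 1)); }
    n=$(nat_rule_count "$dump")
    [ "$n" -eq 1 ] || { echo "expected one POSTROUTING NAT rule, found $n"; problems=$((problems + 1)); }
    printf '%s\n' "$dump" | grep -q -E "^-A POSTROUTING .*-s $subnet .*-j (SNAT|MASQUERADE)" \
        || { echo "no NAT rule for $subnet"; problems=$((problems + 1)); }
    for i in $(nat_rule_ifaces "$dump"); do
        case " $up " in *" $i "*) ;; *) echo "rule uses -o $i but $i is not UP"; problems=$((problems + 1)) ;; esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: the nat table quoted in the thread (venet0 is DOWN there).
THREAD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o venet0 -j SNAT --to-source 157.109.2.13
-A POSTROUTING -s 10.91.10.0/22 -j SNAT --to-source 157.109.2.13
COMMIT'
# Constructed sample: the single rule the reply recommends, out of the UP eth0.
FIXED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.91.10.0/22 -o eth0 -j MASQUERADE
COMMIT'
audit_vpn_nat "$THREAD_DUMP" 1 1 "lo eth0 tun0" 10.91.10.0/22 || echo "thread config: see findings"
audit_vpn_nat "$FIXED_DUMP" 1 2 "lo eth0 tun0" 10.91.10.0/22 && echo "fixed config: ok"
```

On a live container the same function can be fed `"$(iptables-save)"`, the contents of `/proc/sys/net/ipv4/ip_forward` and `/proc/sys/net/ipv4/conf/eth0/rp_filter`, and the UP interface names from `ip -br link`.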