How to use VPN via the TUN/TAP device inside a container.
OpenVPN is a free and open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses SSL/TLS security for encryption and is capable of traversing network address translators (NATs) and firewalls. It was written by James Yonan and is published under the GNU General Public License (GPL).
OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or a username/password. When used in a multi-client server configuration, it allows the server to issue an authentication certificate for every client, using signatures and a certificate authority. It uses the OpenSSL encryption library extensively, as well as the SSLv3/TLSv1 protocol, and contains many security and control features.
OpenVPN is the simplest way to get a VPN server running on a VPS, since it uses the TUN interface /dev/net/tun and creates a tunnel to the client software running on a PC.
Kernel TUN/TAP support
OpenVZ supports VPN inside a container via the kernel TUN/TAP module and device. To allow a container to use the TUN/TAP device, do the following.
Make sure the tun module is already loaded on the hardware node:
# lsmod | grep tun
If it is not there, load the tun module with the following command:
# modprobe tun
To make sure the tun module is loaded automatically on every reboot, you can also add it either to /etc/modules.conf (on RHEL see the /etc/sysconfig/modules/ directory) or to /etc/sysconfig/vz-scripts/CTID.mount:
# echo 'modprobe tun' >> /etc/sysconfig/vz-scripts/CTID.mount
(NOTE: the mount file must begin with '#!/bin/sh' and be executable; don't forget chmod +x.)
Granting the container access to TUN/TAP
Allow the container to use the tun/tap device by running the following commands on the host node:
# vzctl set CTID --devices c:10:200:rw --save
# vzctl set CTID --capability net_admin:on --save
Then create the character device file inside the container (execute the following on the host node):
# vzctl exec CTID mkdir -p /dev/net
# vzctl exec CTID mknod /dev/net/tun c 10 200
# vzctl exec CTID chmod 600 /dev/net/tun
Make vzctl recreate the device node on container startup:
# vzctl set CTID --devnodes net/tun:rw --save
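As an added check for the host node (this script is not part of the article), the following POSIX sh helpers audit which containers have been granted the tun device and net_admin, and verify that a created /dev/net/tun node has the expected major/minor and mode. It assumes that "vzctl set ... --save" stores the settings in /etc/vz/conf/CTID.conf as DEVICES=, CAPABILITY= and DEVNODES= lines, and that GNU stat is available.

```shell
#!/bin/sh
# Audit helpers for the OpenVZ host node (constructed example, not from the article).
# Assumption: "vzctl set ... --save" stores settings in $VZCONF/CTID.conf as
# DEVICES=, CAPABILITY= and DEVNODES= lines; GNU stat is assumed for check_tun_node.
VZCONF=${VZCONF:-/etc/vz/conf}

# "yes" if the config grants the tun character device 10:200 or the net/tun devnode
ct_has_tun_device() {
    grep -Eq '^(DEVICES=.*c:10:200|DEVNODES=.*net/tun)' "$1" && echo yes || echo no
}

# "yes" if the config turns on CAP_NET_ADMIN (needed to configure the tunnel interface)
ct_has_net_admin() {
    grep -Eiq '^CAPABILITY=.*net_admin:on' "$1" && echo yes || echo no
}

# One line per container config: which of the two privileges it has been given
audit_ct_conf() {
    ctid=$(basename "$1" .conf)
    echo "$ctid tun=$(ct_has_tun_device "$1") net_admin=$(ct_has_net_admin "$1")"
}

# Walk every numeric CTID.conf under $VZCONF
audit_all() {
    for f in "$VZCONF"/[0-9]*.conf; do
        [ -f "$f" ] && audit_ct_conf "$f"
    done
}

# Verify a tun node: character device, major 10 / minor 200 (hex a:c8), mode 0600
check_tun_node() {
    [ -c "$1" ] || { echo "$1: not a character device"; return 1; }
    [ "$(stat -c '%t:%T' "$1")" = "a:c8" ] || { echo "$1: wrong major/minor"; return 1; }
    [ "$(stat -c '%a' "$1")" = "600" ] || { echo "$1: mode should be 600"; return 1; }
    echo "$1: ok"
}

# Usage on the host: audit_all   Inside a container: check_tun_node /dev/net/tun
```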
Installing OpenVPN on OpenVZ
The following script does these things:
It checks that tun/tap is enabled. If it isn't, you will need to contact your support department and have it enabled before continuing.
It downloads and installs the RPMForge repository for CentOS (where the OpenVPN packages are located).
It uses YUM to install all the required packages (openvpn openssl openssl-devel).
Once the required packages are installed, the script creates a sample, easy-to-use OpenVPN configuration and puts the files you will need for your client to connect in /root/openvpn-keys.tgz. It sets OpenVPN to run on boot and creates the necessary iptables NAT rules to route your traffic to your primary public IP address, saving them so they survive an iptables restart.
Download the following script (CentOS 5 32-bit) and run it as root:
# chmod 700 install-openvpn.sh
# ./install-openvpn.sh
When asked to enter a "Passphrase", do not enter one; leave it blank and just press "enter".
When asked for Country Code, Province, City, etc., these do not have to be accurate; any values will do.
When asked if you want to build/sign the generated certificates enter yes (y).
It is normal for it to ask you twice for the same information (since you are generating both client and server keys).
The final step is to download the /root/openvpn-keys.tgz archive, extract it on your PC and import the .ovpn file into your OpenVPN client (you can download it here if you haven't already). This creates a simple button in the client that lets you quickly establish a VPN connection to your VPS whenever you need it.
The following commands are useful for checking that openvpn is running:
# netstat -apn |grep openvpn
udp 0 0 0.0.0.0:1194 0.0.0.0:* 46223/openvpn
# ps aux | grep openvpn
root 46223 0.0 0.0 8568 1216 ? Ss 17:29 0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --config openvpn.conf --cd /etc/openvpn --script-security 2