OpenVZ supports running a VPN inside a container via the kernel TUN/TAP module and device.
The first thing you need to do is enable TUN/TAP if you haven't already:
Enable TUN/TAP via the SolusVM web interface
First, install the openvpn package:
sudo apt-get install openvpn
sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn
sudo gunzip /etc/openvpn/server.conf.gz
This copies and unpacks the example server config. The sample config uses the IP range 10.8.0.0 with subnet mask 255.255.255.0 (10.8.0.0/24, which is also what the SNAT rule further down assumes).
Edit the server.conf file with your favorite editor.
Now uncomment the following lines (remove the ";" in front of each line) so that clients send all their traffic and DNS queries through the VPN:
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
push "dhcp-option DNS 188.8.131.52"
Copy the files needed to create our certificates:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
We need to adjust the vars file, which contains the settings for the certificates.
Please keep in mind that the "country" field may only contain 2 letters.
Open the vars file and go to the end.
The default file contains:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_EMAIL="[email protected]"
You can modify these values if you like.
After that, create the CA and the necessary keys. The pkitool script needs the vars file sourced first, so from /etc/openvpn/easy-rsa run source ./vars, ./clean-all and ./build-ca (clean-all wipes the keys directory, so only run it on a fresh setup).
Creating server certificates
./pkitool --server server
This builds the server certificate and key (with the nsCertType field set to "server") based on the example files, slightly edited. I recommend this for non-advanced users and first-timers. Note that server.conf refers to ca.crt, server.crt, server.key and the dh file (generated with ./build-dh) relative to /etc/openvpn, so either copy them there from the keys directory or point the ca, cert, key and dh directives at /etc/openvpn/easy-rsa/keys.
Creating client certificates
Build one with ./pkitool hostname from the same directory. Remember to replace hostname with the name of the client you want to connect; it is used as an identifier, for example "client1". The certificate and key are written to /etc/openvpn/easy-rsa/keys.
You'll need to do one more thing to fix the routing: route the traffic from tun0 to the interface that provides internet (venet0:0 by default).
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source your_vps_ip
Since we can't use the MASQUERADE target inside an OpenVZ container, we need to use SNAT. Also, only full interfaces are supported (so venet0:0 isn't compatible with the -o option), which is why this is written for a static IP configuration: replace your_vps_ip with the public IP of the VPS. The rule rewrites the source address of all traffic from 10.8.0.0/24 to the VPS address so it can leave through the internet-supplying interface. IP forwarding must also be enabled in the container (sysctl -w net.ipv4.ip_forward=1), and neither the sysctl nor the iptables rule survives a reboot unless you persist them.
sudo /etc/init.d/openvpn restart
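As an added example (not part of the original article), a small Python checker that parses the directive format of server.conf and reports whether the push lines above, the 10.8.0.0/24 server subnet and a few hardening options (tls-auth, an explicit cipher, privilege dropping) are present. The embedded sample config is constructed; the DNS addresses are the ones quoted above.

```python
# Added example (not from the original article): parse the OpenVPN
# directive/argument format and audit a server.conf for the settings
# this guide tells you to enable, plus a few hardening options.
import shlex
from collections import defaultdict

# Constructed sample: the relevant lines of the sample server.conf after
# the edits described above (one DNS push left commented on purpose).
SAMPLE_SERVER_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 126.96.36.199"
;push "dhcp-option DNS 188.8.131.52"
;tls-auth ta.key 0
user nobody
group nogroup
"""

def parse_openvpn_config(text):
    """Return {directive: [[arg, ...], ...]}, keeping repeated directives.
    Lines starting with '#' or ';' are comments, a '#' after the arguments
    is also a comment, and a quoted argument such as
    "redirect-gateway def1 bypass-dhcp" stays one argument."""
    directives = defaultdict(list)
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)
        lex.commenters = "#;"
        lex.whitespace_split = True
        tokens = list(lex)
        if tokens:
            directives[tokens[0]].append(tokens[1:])
    return directives

def audit_server_conf(text, subnet=("10.8.0.0", "255.255.255.0")):
    """Map each check to True (present) or False (missing or wrong)."""
    conf = parse_openvpn_config(text)
    pushed = [args[0] for args in conf.get("push", []) if args]
    return {
        "server_subnet": any(tuple(a) == subnet for a in conf.get("server", [])),
        "redirect_gateway": any(p.startswith("redirect-gateway") for p in pushed),
        "dns_pushed": any(p.startswith("dhcp-option DNS") for p in pushed),
        "tls_auth": "tls-auth" in conf,        # HMAC guard on the TLS handshake
        "explicit_cipher": "cipher" in conf,   # otherwise OpenVPN's old default
        "drops_privileges": "user" in conf and "group" in conf,
    }

if __name__ == "__main__":
    for check, ok in audit_server_conf(SAMPLE_SERVER_CONF).items():
        print(f"{'ok     ' if ok else 'MISSING'} {check}")
```

Run it against /etc/openvpn/server.conf by passing the file's contents to audit_server_conf; a MISSING tls_auth or explicit_cipher line is the cue to add those directives on both server and client.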
Configure your VPN client on your computer.
The client will need the following files from /etc/openvpn/easy-rsa/keys on the server: ca.crt plus the client certificate and key (intovps.crt and intovps.key if you named the client intovps). Copy them over a secure channel such as scp; the .key file is the client's secret.
Create a config file, for example intovps.ovpn, and change the certificate settings to include the files above.
In the line "remote hostname 1194" change "hostname" to your VPS hostname, the name that matches the certificate.
Also change the SSL settings if you used a different name than intovps for the client certificate:
# Sample config file
# Specify that we are a client and pull
# certain directives from the server.
client
# Use the same tun/tap setting as on the server.
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote hostname 1194
;remote my-server-2 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nogroup
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you reach the server through an HTTP proxy,
# set it here.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert intovps.crt
key intovps.key
# Verify server certificate by checking
# that it has the nsCertType field set to
# "server" (pkitool --server sets it), so
# another client's certificate cannot be
# used to impersonate the server.
ns-cert-type server
# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1
# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo
# Set log file verbosity.
verb 3
# Silence repeating messages
;mute 20
When this is done, import the client files into your favorite OpenVPN client and you should be ready to go.
To confirm the connection, ping the server's VPN address (10.8.0.1) or browse the web through the tunnel; a "what is my IP" page should now show the VPS address, since all client traffic is SNATed to it.
If something doesn't work out, please contact us.