
linux-vserver

Posted: Wed Jul 27, 2011 8:59 am
by comeback
Hello,

I have a vps that has this configuration:
RAM (guaranteed) 768 MB
RAM (burstable) 3072 MB
Storage 60 GB
Bandwidth unmetered
TUN/TAP
Virtualization Software Linux-VServer
I wanted to know if we could install openvpn with linux-vserver?

I used this tutorial:

http://tipupdate.com/how-to-install-ope ... entos-vps/

But I am having a lot of problems.

In the tutorial, in step 12, I must:

vi /etc/sysctl.conf

Change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1

This file does not exist, so I created it with these settings:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Enables packet forwarding (needed so the VPS can route OpenVPN client traffic)
net.ipv4.ip_forward = 1

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

Is it correct?

After that, I must

echo 1 > /proc/sys/net/ipv4/ip_forward

But I have this error message:

-bash: /proc/sys/net/ipv4/ip_forward: Permission denied

Alvotech wrote:
With Linux-Vserver.org based vServers you don't have full access to /proc and /dev
I have to do what?

Thanks
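
Whether a hand-assembled sysctl.conf like the one above is internally consistent can be checked mechanically. The script below is an added example, not code from the thread or the linked tutorial: it parses a sysctl.conf-style file, reports keys that are set twice with conflicting values (sysctl -p applies the last one, so the earlier setting is silently lost) and confirms the forwarding and anti-spoofing values an OpenVPN gateway relies on. The sample file and the EXPECTED table are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not the poster's file: two templates pasted together, so one
# key appears twice with different values and another twice with the same value.
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
"""

# ip_forward is what the OpenVPN gateway needs; the others are hardening values
# the file should keep (assumed expectations, adjust for your host).
EXPECTED = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
}

_SETTING = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*?)\s*$")

def parse_sysctl(text: str) -> List[Tuple[str, str]]:
    """(key, value) pairs in file order; lines starting with # or ; are comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SETTING.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def find_conflicts(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Keys set more than once with different values, as (key, earlier, later).
    sysctl -p applies entries top to bottom, so the later value silently wins."""
    seen: Dict[str, str] = {}
    conflicts = []
    for key, value in pairs:
        if key in seen and seen[key] != value:
            conflicts.append((key, seen[key], value))
        seen[key] = value
    return conflicts

def check_expected(pairs: List[Tuple[str, str]], expected=EXPECTED) -> List[str]:
    """Expected settings that are missing or wrong, one message per key."""
    eff = dict(pairs)  # last occurrence of each key wins, as with sysctl -p
    return [f"{k} should be {v}, is {eff.get(k, '<unset>')}"
            for k, v in expected.items() if eff.get(k) != v]
```

Run it against the real file with `check_expected(parse_sysctl(open("/etc/sysctl.conf").read()))`; an empty list from both functions means the file is consistent with the expectations.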

Re: linux-vserver

Posted: Wed Jul 27, 2011 10:24 pm
by Bebop
comeback wrote: Hello,

I have a vps that has this configuration:
RAM (guaranteed) 768 MB
RAM (burstable) 3072 MB
Storage 60 GB
Bandwidth unmetered
TUN/TAP
Virtualization Software Linux-VServer

I wanted to know if we could install openvpn with linux-vserver?
Those specs are far beyond minimum requirements for OpenVPN server.

You can easily achieve a linux VPN with a 128MB VPS, so your 768 will be fine.
Looks like a good tute.

comeback wrote: This file does not exist, so I created it with these settings:
That may have been unnecessary, unless your centos is old or incomplete. But leave it for now.

comeback wrote: echo 1 > /proc/sys/net/ipv4/ip_forward
This step most certainly is required.

comeback wrote: bash: /proc/sys/net/ipv4/ip_forward: Permission denied
You need to be root to issue this command. If you don't have root access then you just need to ask your ADMIN or Provider (Linux-VServer) to issue the command for you.

Keep up the good work, you are on the right track.

Re: linux-vserver

Posted: Thu Jul 28, 2011 9:58 am
by comeback
Bebop wrote: echo 1 > /proc/sys/net/ipv4/ip_forward
This step most certainly is required.
bash: /proc/sys/net/ipv4/ip_forward: Permission denied
You need to be root to issue this command. If you don't have root access then you just need to ask your ADMIN or Provider (Linux-VServer) to issue the command for you.

-bash: /proc/sys/net/ipv4/ip_forward: Permission denied

Alvotech wrote:
With Linux-Vserver.org based vServers you don't have full access to /proc and /dev

I have to do what?

I wrote to alvotech because iptables does not work.

The answer:
Hello,

iptables doesn't work with Linux-VServer but you can use the firewall in the customer panel which is similar to iptables.

Kind regards, Alvotech Support-Team

Is it still possible to install openvpn?

Thanks

Re: linux-vserver

Posted: Thu Jul 28, 2011 12:07 pm
by Bebop
Sounds like a custom firewall implementation. If they offer TAP/TUN then that assumes they would allow OpenVPN.

Without seeing the commands available in your control panel it's not possible to say for sure.

Your provider, are they helpful? Will they not give you some info on how to initiate some settings for this?

The best VPS for VPN is a XEN based VPS. If you have too much difficulty with your current provider there are many good VPS for less than $10. Some less than $5.

If you want to keep trying though, I think you will get it.. because why would they offer TAP/TUN? I think only for VPN. So, maybe show us a screenshot of your firewall control panel that they mentioned.

Re: linux-vserver

Posted: Thu Jul 28, 2011 12:15 pm
by comeback
Bebop wrote: Sounds like a custom firewall implementation. If they offer TAP/TUN then that assumes they would allow OpenVPN.

Without seeing the commands available in your control panel it's not possible to say for sure.

Your provider, are they helpful? Will they not give you some info on how to initiate some settings for this?

The best VPS for VPN is a XEN based VPS. If you have too much difficulty with your current provider there are many good VPS for less than $10. Some less than $5.

If you want to keep trying though, I think you will get it.. because why would they offer TAP/TUN? I think only for VPN. So, maybe show us a screenshot of your firewall control panel that they mentioned.
Thank you for your help.

Here's the picture:

[image: screenshot of the provider's firewall control panel, not preserved]

For the error:
-bash: /proc/sys/net/ipv4/ip_forward: Permission denied
I just received a response from alvotech:

Hello,
ip_forward is enabled by default (you can check the default value with "cat /proc/sys/net/ipv4/ip_forward").

Kind regards
Alvotech Support-Team

Thanks

Re: linux-vserver

Posted: Thu Jul 28, 2011 12:38 pm
by Bebop
With the firewall you showed in the pic, it's essential to get a list of all the available commands for "Action" and the full list of "Rule number" meanings (if you want to work with the firewall). That's going to be required for the firewall to be of use.

For now, just keep following the guide.. because it seems that IP forward is already enabled. Follow the guide all the way until you get an error from OpenVPN. When openvpn gives you error.. then we can work with that.

Re: linux-vserver

Posted: Thu Jul 28, 2011 1:31 pm
by comeback
Here's the error I get when I want to connect:
Thu Jul 28 15:29:18 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Thu Jul 28 15:29:18 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jul 28 15:29:18 2011 Cannot load private key file client1.key: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
Thu Jul 28 15:29:18 2011 Error: private key password verification failed
Thu Jul 28 15:29:18 2011 Exiting

Re: linux-vserver

Posted: Thu Jul 28, 2011 1:42 pm
by Bebop
comeback wrote: Thu Jul 28 15:29:18 2011 Cannot load private key file client1.key: error:02001002:system library:fopen:No such file or directory
Time for you to go through the steps for certificate creation again.

Your guide that you linked to is good. But when it comes to the nitty gritty of easy-rsa, then this page is better: http://openvpn.net/index.php/open-sourc ... howto.html

Ctrl+f and search for easy-rsa.

Congrats on getting this far. Keep at it.

Re: linux-vserver

Posted: Thu Jul 28, 2011 2:28 pm
by comeback
Here is the new error message.

I replaced my IP with XXX.X.XXX.XX.

Thank you indeed for your help.

Thu Jul 28 16:08:17 2011 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Thu Jul 28 16:08:17 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Thu Jul 28 16:08:17 2011 LZO compression initialized
Thu Jul 28 16:08:17 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Jul 28 16:08:17 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Jul 28 16:08:17 2011 Local Options hash (VER=V4): '41690919'
Thu Jul 28 16:08:17 2011 Expected Remote Options hash (VER=V4): '530fdded'
Thu Jul 28 16:08:17 2011 UDPv4 link local: [undef]
Thu Jul 28 16:08:17 2011 UDPv4 link remote: XXX.X.XXX.XX:1194
Thu Jul 28 16:08:17 2011 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)

Re: linux-vserver

Posted: Thu Jul 28, 2011 2:45 pm
by Bebop
Looks like the server is not accepting your packets on 1194.

Now you need to open that port for UDP with the firewall.

Also, it's time for you to post your server and client .conf (or .ovpn) files here.

Re: linux-vserver

Posted: Thu Jul 28, 2011 3:37 pm
by comeback
Hello,

I disabled the firewall, and still have the same problem.

I wrote to alvotech, here are their answers:
Hello,

our firewall is similar to the IPTables features and so the interface should be familiar. Comparing the two, you'll encounter one difference: each rule is processed according to "first match", meaning that once a rule is found where conditions are met, no further rules are examined to override the first matching rule.

To filter incoming requests, please enter an IP address as the source, a network (e.g. 1.2.3.4/24) or the entire Internet (the value 0/0 or 0.0.0.0/0) and as the target your VPS IP. You can refine your rule by specifying a protocol and/or a port.

Outgoing requests are filtered in the same way as incoming requests. In this case the source is your VPS IP and the target is a specific IP, a network or the entire web.

To sort the rules, you can assign rule numbers. Rules are evaluated in order of the rule number, for easy reordering. We recommend that your initial setup increment rule numbers by 10: 10, 20, 30, 40 and so on, so you can later easily add rules in the middle, for example adding a rule 11 to go between rule 10 and 20.

The options you can use to filter:

Protocol: tcp, udp, icmp
Port: numeric value (0 = all ports / wildcard)
Action: drop, reject and accept
Rule number: numerical value for the sorting of rules (e.g.: 20)

Kind regards
Alvotech Support-Team

So I configured the firewall as shown in the image:

[image: screenshot of the firewall rules as configured, not preserved]

But I still have the same error message.

The files server.conf and client1.conf are in the directory /root.

server.conf:

push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

client1.conf:

client
dev tun
proto udp
remote XXX.X.XXX.XX 1194
# I replaced my IP with XXX.X.XXX.XX
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 3
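
The provider's description of the panel firewall (numbered rules, first match wins, port 0 as wildcard, accept/reject/drop) is modelled in the added example below, which is not the provider's or the poster's code; VPS_IP is a documentation-range placeholder and both rule sets are constructed. It goes one step beyond the post by flagging rules that an earlier, broader rule shadows, which is exactly how a catch-all drop placed before the OpenVPN accept leaves UDP 1194 closed while the panel looks correct.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

VPS_IP = "198.51.100.10"  # documentation-range placeholder, not the poster's address

@dataclass(frozen=True)
class Rule:
    number: int                     # rules are evaluated in ascending number order
    source: str                     # IP or CIDR; "0.0.0.0/0" is the entire Internet
    target: str
    action: str                     # accept | reject | drop
    protocol: Optional[str] = None  # None = any of tcp/udp/icmp
    port: int = 0                   # 0 = all ports (wildcard), as in the panel

def _covers(net: str, other: str) -> bool:
    """True if `net` contains every address of `other` (each an IP or CIDR)."""
    a = ipaddress.ip_network(net, strict=False)
    return a.supernet_of(ipaddress.ip_network(other, strict=False))

def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int,
             default: str = "drop") -> Tuple[str, Optional[int]]:
    """Action and number of the first matching rule; `default` if nothing matches."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.protocol is not None and r.protocol != proto:
            continue
        if r.port != 0 and r.port != port:
            continue
        if _covers(r.source, src) and _covers(r.target, dst):
            return r.action, r.number
    return default, None

def shadowed(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never fire because an earlier rule already
    matches everything they would match: the first-match pitfall in general."""
    ordered = sorted(rules, key=lambda x: x.number)
    return [r.number for i, r in enumerate(ordered)
            if any(e.protocol in (None, r.protocol) and e.port in (0, r.port)
                   and _covers(e.source, r.source) and _covers(e.target, r.target)
                   for e in ordered[:i])]

# Constructed rule sets. WRONG_ORDER puts the catch-all drop before the OpenVPN
# accept, so rule 20 never fires and every UDP 1194 packet is dropped.
WRONG_ORDER = [
    Rule(10, "0.0.0.0/0", VPS_IP, "drop"),
    Rule(20, "0.0.0.0/0", VPS_IP, "accept", "udp", 1194),
]
# RIGHT_ORDER: specific accepts first, catch-all drop last, numbers spaced by 10.
RIGHT_ORDER = [
    Rule(10, "0.0.0.0/0", VPS_IP, "accept", "udp", 1194),
    Rule(20, "203.0.113.0/24", VPS_IP, "accept", "tcp", 22),  # SSH from admin net only
    Rule(30, "0.0.0.0/0", VPS_IP, "drop"),
]
```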

Re: linux-vserver

Posted: Thu Jul 28, 2011 3:49 pm
by comeback
I read the tutorial again.

I saw that the file server.conf, is in the directory:

/etc/openvpn/server.conf

on my vps, it is in the directory:

/root/server.conf

if I put it in the directory:

/etc/openvpn/server.conf

then I type the command:

/etc/init.d/openvpn restart

I have this error message:

Shutting down openvpn: [ OK ]
Starting openvpn: [FAILED]

Thank you for your help.

Re: linux-vserver

Posted: Fri Jul 29, 2011 12:26 am
by Bebop
OK that's progress. Don't worry about the firewall yet. First get OpenVPN server to start with status [OK].

Your server.conf is incomplete. It's missing a lot of important directives.

Make it look more like this:

port 1194
proto udp
dev tun0
server 10.8.0.0 255.255.255.0
topology subnet

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem

verb 3
log /etc/openvpn/openvpn.log

keepalive 10 120
comp-lzo

Use the same ca.crt that you used with the client. Also use the same dh1024.pem. The only 2 new files for you will be server.key + server.crt. If you haven't already got those files, then try something like this, in your easy-rsa dir:

. ./vars    # note: there is a space between the 2 dots. important.
./build-key-server server

Then, again: /etc/init.d/openvpn restart

And if it's not [OK] then you can show the log from: /etc/openvpn/openvpn.log

Re: linux-vserver

Posted: Fri Jul 29, 2011 6:42 am
by comeback
Hello,

This does not work, here is the error log:
Fri Jul 29 02:36:52 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Apr 24 2011
Fri Jul 29 02:36:52 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Jul 29 02:36:52 2011 Diffie-Hellman initialized with 1024 bit key
Fri Jul 29 02:36:52 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jul 29 02:36:52 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Fri Jul 29 02:36:52 2011 Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Fri Jul 29 02:36:52 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Fri Jul 29 02:36:52 2011 Cannot allocate TUN/TAP dev dynamically
Fri Jul 29 02:36:52 2011 Exiting
Yet TUN/TAP is enabled; when I do:

cat /dev/net/tun

I get:

cat: /dev/net/tun: File descriptor in bad state

Re: linux-vserver

Posted: Fri Jul 29, 2011 8:41 am
by Bebop
comeback wrote: Fri Jul 29 02:36:52 2011 Note: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Fri Jul 29 02:36:52 2011 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Fri Jul 29 02:36:52 2011 Cannot allocate TUN/TAP dev dynamically
Fri Jul 29 02:36:52 2011 Exiting
Looks like a permissions problem. Assuming you don't have root access.

The user openvpn runs as does not have access to bring up tun0.

So 2 options: chmod /dev/tun so it's available to openvpn, or run openvpn as root or sudo.

I know this next tip won't help you now, but just keep in mind for the future, get a VPS that is XEN based. All these issues don't exist on XEN because you have full root access, and full iptables no drama.

Anyways, you can still get this working. If you have root access, login with root and restart openvpn. Otherwise, contact the VPS admin and ask him to chmod /dev/tun so you can access it with the vpn user, or ask him to sudo it, so openvpn can access it.

Re: linux-vserver

Posted: Fri Jul 29, 2011 10:24 am
by comeback
Hello,

I typed the command:
su -c ' /etc/init.d/openvpn restart'
I still have the error message:

Shutting down openvpn:                                     [  OK  ]
Starting openvpn:                                          [FAILED]

When I type the command:
chmod /dev/tun
I still have the error message:

chmod: missing operand after `/dev/tun'
Try `chmod --help' for more information.

I think I do not type the correct command, can you help me?

Bebop wrote: I know this next tip won't help you now, but just keep in mind for the future, get a VPS that is XEN based. All these issues don't exist on XEN because you have full root access, and full iptables no drama.
I paid for the VPS for seven months because it was a promotion.

I am still thinking of changing VPS.

What is the ideal configuration?

Does it work with Xen?

Does this also work with OpenVZ?

Really, thank you for your help.

Re: linux-vserver

Posted: Fri Jul 29, 2011 10:44 am
by Bebop
Let's keep trying. If you got 7 months then it will be good to use it. Openvz is OK too, not quite as good as XEN, because with OpenVZ you have to wait for admin to enable Tun sometimes.

chmod 666 /dev/net/tun

or

su -c 'chmod 666 /dev/net/tun'

Re: linux-vserver

Posted: Fri Jul 29, 2011 3:03 pm
by comeback
Hello,

Here is the answer I received from Alvotech, but I did not understand it:
Hello,

we have a lot of customers who are using OpenVPN with our vservers, it's possible. To get OpenVPN running, use our preconfigured TUN devices, your tun device is: tun1280-76 (for more information about the config style for your server, please take a look at this config example: http://linux-vserver.org/Frequently_Ask ... a_guest.3F)

Kind regards
Alvotech Support-Team

Thanks

Re: linux-vserver

Posted: Fri Jul 29, 2011 8:01 pm
by Bebop

Instead of this in your server.conf:

dev tun0

replace it with this:

dev tun1280-76

Re: linux-vserver

Posted: Sat Jul 30, 2011 11:13 am
by comeback
This still does not work.

Here is the log file:

Sat Jul 30 07:09:47 2011 OpenVPN 2.1.4 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Apr 24 2011
Sat Jul 30 07:09:47 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jul 30 07:09:47 2011 Diffie-Hellman initialized with 1024 bit key
Sat Jul 30 07:09:47 2011 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sat Jul 30 07:09:47 2011 Socket Buffers: R=[126976->131072] S=[126976->131072]
Sat Jul 30 07:09:47 2011 TUN/TAP device tun1280-76 opened
Sat Jul 30 07:09:47 2011 Note: Cannot set tx queue length on tun1280-76: Operation not permitted (errno=1)
Sat Jul 30 07:09:47 2011 /sbin/ip link set dev tun1280-76 up mtu 1500
SIOCSIFMTU: Operation not permitted
Sat Jul 30 07:09:47 2011 Linux ip link set failed: external program exited with error status: 255
Sat Jul 30 07:09:47 2011 Exiting
Thank you for your patience.