OpenVPN stopped working in unprivileged LXC container after upgrading from PVE 7.3.8 to PVE 7.4.3

moleh2011

May 16, 2023
OpenVPN in the LXC container (Debian 11) is configured according to the following instructions: https://pve.proxmox.com/wiki/OpenVPN_in_LXC
After upgrading from 7.3.8 to 7.4.3 it stopped working.
The same container on the host with pve version 7.3.8 works without problems.

On the host
Code:
root@50-MTL414479:~# pveversion
pve-manager/7.4-3/9002ab8a (running kernel: 5.15.107-2-pve)

root@50-MTL414479:~# ls -l /dev/net/tun
crw-rw-rw- 1 100000 100000 10, 200 May 15 15:54 /dev/net/tun

root@50-MTL414479:~# cat /etc/pve/lxc/100.conf
arch: amd64
cores: 2
features: nesting=1
hostname: CT100
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=10.10.10.1,gw6=2607:5300:aa:bbbb::1,hwaddr=AA:CC:55:49:96:8E,ip=10.10.10.100/24,ip6=2607:5300:aa:bbbb:100::/80,type=veth
onboot: 1
ostype: debian
rootfs: local:100/vm-100-disk-0.raw,size=7G
startup: order=10,up=0
swap: 2048
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

LXC container
Code:
root@CT100:~# cat /etc/issue
Debian GNU/Linux 11 \n \l

root@CT100:~# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 May 15 15:54 /dev/net/tun

root@CT100:~# openvpn openvpn.ovpn
2023-05-16 07:01:55 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-05-16 07:01:55 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-05-16 07:01:55 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
2023-05-16 07:01:55 OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-05-16 07:01:55 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
2023-05-16 07:01:55 TCP/UDP: Preserving recently used remote address: [AF_INET]211.22.33.44:443
2023-05-16 07:01:55 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-05-16 07:01:55 UDPv4 link local: (not bound)
2023-05-16 07:01:55 UDPv4 link remote: [AF_INET]211.22.33.44:443
2023-05-16 07:02:55 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2023-05-16 07:02:55 TLS Error: TLS handshake failed
2023-05-16 07:02:55 SIGUSR1[soft,tls-error] received, process restarting
2023-05-16 07:02:55 Restart pause, 5 second(s)

I repeat: in version 7.3.8 everything works fine; the problem appeared immediately after updating to version 7.4.3.
Any suggestions on how to solve the problem?
 
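The post shows the two extra lines from the Proxmox wiki (the cgroup2 device allow for char 10:200 and the bind mount of /dev/net) and an `ls -l /dev/net/tun` inside the container, but a device node that looks right is not proof that the container may actually use it. The script below is an added example, not code from the post or from Proxmox: part one parses a container config and reports whether the two wiki lines are present and well-formed, part two, run as root inside the container, performs the same TUNSETIFF ioctl OpenVPN issues and creates a throwaway tun interface. The sample configs are constructed here (one copied from the post, one with the lines removed); the interface name `tunprobe%d` and the `--conf` usage are this example's own choices.

```python
"""Diagnose /dev/net/tun passthrough for an unprivileged Proxmox LXC container.

Added example (not from the forum post or Proxmox). Assumes the two lines the
wiki https://pve.proxmox.com/wiki/OpenVPN_in_LXC recommends:
  lxc.cgroup2.devices.allow: c 10:200 rwm
  lxc.mount.entry: /dev/net dev/net none bind,create=dir
Usage:  python3 tunprobe.py /etc/pve/lxc/100.conf   (on the host: config check)
        python3 tunprobe.py                          (as root in the CT: live probe)
"""
import fcntl
import os
import struct
import sys

TUN_MAJOR, TUN_MINOR = 10, 200
TUNSETIFF = 0x400454CA   # _IOW('T', 202, int), from <linux/if_tun.h>
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000


def check_tun_config(conf_text):
    """Parse a pve lxc config; return a list of problems (empty list means OK)."""
    allow_ok = mount_ok = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, parts = key.strip(), value.split()
        if key == "lxc.cgroup2.devices.allow":
            # expected "c 10:200 rwm": char device, tun major:minor, at least r and w
            if (len(parts) == 3 and parts[0] == "c"
                    and parts[1] == f"{TUN_MAJOR}:{TUN_MINOR}"
                    and {"r", "w"} <= set(parts[2])):
                allow_ok = True
        elif key == "lxc.mount.entry":
            # expected "/dev/net dev/net none bind,create=dir"
            if (len(parts) >= 4 and parts[0] == "/dev/net"
                    and parts[1] == "dev/net" and "bind" in parts[3].split(",")):
                mount_ok = True
    problems = []
    if not allow_ok:
        problems.append("missing 'lxc.cgroup2.devices.allow: c 10:200 rwm'")
    if not mount_ok:
        problems.append("missing 'lxc.mount.entry: /dev/net dev/net none bind,create=dir'")
    return problems


def probe_tun(path="/dev/net/tun", ifname="tunprobe%d"):
    """Create a non-persistent tun interface the way OpenVPN does; (ok, detail).
    The interface vanishes again when the descriptor is closed."""
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError as exc:
        return False, f"open {path} failed: {exc}"
    try:
        # struct ifreq prefix: 16-byte name + 16-bit flags
        req = struct.pack("16sH", ifname.encode(), IFF_TUN | IFF_NO_PI)
        res = fcntl.ioctl(fd, TUNSETIFF, req)
        name = struct.unpack("16sH", res[:18])[0].rstrip(b"\0").decode()
        return True, f"TUNSETIFF ok, kernel created {name}"
    except OSError as exc:
        # EPERM here with a correct-looking /dev/net/tun points at the
        # device cgroup / mount setup, not at OpenVPN's own configuration
        return False, f"TUNSETIFF failed: {exc}"
    finally:
        os.close(fd)


# Constructed samples: the post's config, and the same config without the wiki lines.
SAMPLE_CONF_OK = """\
arch: amd64
hostname: CT100
ostype: debian
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
"""
SAMPLE_CONF_BAD = "arch: amd64\nhostname: CT100\nostype: debian\nunprivileged: 1\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            probs = check_tun_config(fh.read())
        print("config ok" if not probs else "\n".join(probs))
        sys.exit(0 if not probs else 1)
    ok, detail = probe_tun()
    print(detail)
    sys.exit(0 if ok else 1)
```

If the config check passes on the host but the live probe fails inside the container, the tun device is the problem; if the probe succeeds, the device is fine and the 60-second TLS timeout in the log is a network-path question (reachability of the remote on UDP 443, host or container firewall), which is exactly what the reply below asks about.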
Hello, can you ping the VPN host from inside the container? Do you have any firewall rules set up that may block traffic on port 443?