Passthrough OpenVPN tunnel from host to LXC CT

HeroCC

Member
May 6, 2016
Hello! I was wondering if there is a way to do this through proxmox (preferably in the webui). I am running an OpenVPN client on the host, and I want to pass the network link it made (tun0) to several LXC containers, not as default but as a secondary link for applications to use when I tell them. Applications would be able to choose this new bridge as an alternate uplink, but everything else would use the default bridge. I don't want to run a VPN client on each VM. Let me know if you need more information.

Thanks!
 

FastLaneJB

Active Member
Feb 3, 2012
I've something similar to this only I have OpenVPN running inside an LXC with iptables masq to allow it to effectively be a router. I added on dnsmasq as well and can then point an LXC at that for its gateway and DNS server to force all traffic via the VPN.

This works well for me and keeps the host more in its original state.
 

HeroCC

Member
May 6, 2016
FastLaneJB said:
> I've something similar to this only I have OpenVPN running inside an LXC with iptables masq to allow it to effectively be a router. I added on dnsmasq as well and can then point an LXC at that for its gateway and DNS server to force all traffic via the VPN.
>
> This works well for me and keeps the host more in its original state.
Could you describe your setup a bit more? I'd like my original setup, but if I can't get that then this would be a good alternative.
 

FastLaneJB

Active Member
Feb 3, 2012
Sure, of course. First of all you need the following lines in the LXC config for the container. You can find it in /etc/pve/lxc as <number of the container>.conf. You'll need a privileged container rather than an unprivileged one for this to work.

Code:
# allow the container to use the TUN/TAP character device (major 10, minor 200)
lxc.cgroup.devices.allow: c 10:200 rwm
# create /dev/net/tun inside the container's /dev on every start
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir -p net; mknod net/tun c 10 200; chmod 0666 net/tun"

That should allow you to fire up OpenVPN with a tun adapter inside your container. Next is the configuration of the container:

I have a little script that runs on startup that blocks all non-OpenVPN traffic in case the tunnel is down. It pulls the IP addresses of the OpenVPN tunnel endpoints from its config file and allows those but nothing else. It also sets up the IP forwarding; just change 192.168.0.0/24 to whatever internal IP range you're using.

Code:
#!/bin/bash
# Kill-switch firewall for the OpenVPN router container: only the VPN
# endpoints, the LAN and the tunnel itself are reachable, so clients routed
# through this box lose Internet access instead of leaking when the tunnel is down.

# Get a list of all the IPs used in the OpenVPN config files (uncommented
# "remote" lines only). If "remote" is a hostname rather than an IP, iptables
# resolves it once now and OpenVPN still needs DNS to reach it, so prefer IPs.
grep -h "^remote " /etc/openvpn/*.conf | cut -d ' ' -f 2 | sort -u > /tmp/vpn-servers

# Start by wiping the iptables rules completely, including the nat table,
# otherwise every run appends another MASQUERADE rule
iptables -F
iptables -t nat -F

# Allow all traffic on the tun interface (OpenVPN)
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT

# Allow all localhost traffic
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT

# Loop through the list of OpenVPN servers so we can allow their IPs
while read -r IP; do
        iptables -A INPUT -s "$IP" -j ACCEPT
        iptables -A OUTPUT -d "$IP" -j ACCEPT
done < /tmp/vpn-servers

# Allow internal network access to / from this server
iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

# Drop all other traffic, now we'll only have Internet access if the VPN is connected
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

# Setup IP Forwarding: LAN clients may open new connections out via the
# tunnel only. The final DROP keeps them from falling back to eth0 while
# the tunnel is down (the FORWARD chain's default policy is ACCEPT).
iptables -A FORWARD -o tun0 -i eth0 -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Save the rules so they persist (needs the iptables-persistent package)
iptables-save > /etc/iptables/rules.v4

# Remove our temp file
rm /tmp/vpn-servers

Put DNSMasq on, I think that works pretty much out of the box and give it say Google's DNS servers, it should go via the OpenVPN tunnel because all other IP ranges are blocked.

Finally, for any container or VM you want to go via the tunnel, just set it to use this LXC container for its gateway and DNS. I put most of my apps in their own container so I can do it on a container-by-container basis. I also pass the storage into the containers so each gets access to the right storage where it needs it.

So for instance if your normal router is 192.168.0.1 then this one could be 192.168.0.2 as a VPN router.

Hope that makes sense and helps out.
 

LnxBil

Famous Member
Feb 21, 2015
Saarland, Germany
@FastLaneJB did a good job explaining it, yet one step is forgotten: enable IP forwarding.

I've a similar configuration but I do not use dnsmasq; I just use the OpenVPN LXC machine as an ordinary router, with a special host/net route on the clients that need to access the network behind the OpenVPN.
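An added audit script (not from the thread; function names are hypothetical) for the VPN router container described above. It checks the two things a setup like this gets wrong: the forgotten IPv4 forwarding sysctl, and a FORWARD chain that lets clients bypass the tunnel when it is down; it also lists the endpoints the kill switch will whitelist. Each check takes its input from a file or stdin so it can be run against saved output; audit_live wires them to the real system.

```shell
#!/bin/sh
# vpn-router-check.sh: audit an OpenVPN "router" LXC. Added example, not from
# the thread. Helper names are hypothetical.

# Unique "remote" hosts from OpenVPN config files ($@). Ignores commented
# lines and tolerates the "remote host [port] [proto]" form.
vpn_remotes() {
    sed -n 's/^[[:space:]]*remote[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$@" | sort -u
}

# 0 if the kernel forwards IPv4 ($1 = path to ip_forward, overridable for tests).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# stdin = output of `iptables -S FORWARD`. 0 only if the chain fails closed:
# policy DROP, or the last rule is an unconditional "-A FORWARD -j DROP".
# Otherwise LAN clients leak out via eth0 whenever the tunnel is down.
forward_fail_closed() {
    awk '$1=="-P" && $2=="FORWARD" && $3=="DROP" { ok=1 }
         $1=="-A" && $2=="FORWARD" { last=$0 }
         END { if (last=="-A FORWARD -j DROP") ok=1; exit (ok ? 0 : 1) }'
}

# stdin = output of `iptables -t nat -S`. 0 if masquerading is limited to the
# tunnel interface instead of applied to every outbound interface.
masq_tun_only() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^-A POSTROUTING -o tun[0-9+]* -j MASQUERADE$' &&
    ! printf '%s\n' "$rules" | grep -q '^-A POSTROUTING -j MASQUERADE$'
}

# Run every check on the live system (root needed for iptables); prints fixes.
audit_live() {
    rc=0
    forwarding_enabled || { echo "FAIL: IPv4 forwarding is off: sysctl -w net.ipv4.ip_forward=1 (persist it in /etc/sysctl.conf)"; rc=1; }
    iptables -S FORWARD | forward_fail_closed || { echo "FAIL: FORWARD chain is not fail-closed: add 'iptables -A FORWARD -j DROP' last"; rc=1; }
    iptables -t nat -S | masq_tun_only || echo "WARN: MASQUERADE is not limited to the tun interface"
    echo "VPN endpoints the kill switch will allow:"
    vpn_remotes /etc/openvpn/*.conf
    return $rc
}

case "${1:-}" in --live) audit_live ;; esac
```

Run it as `sh vpn-router-check.sh --live` inside the router container; without `--live` it only defines the functions.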
 

FastLaneJB

Active Member
Feb 3, 2012
Very true. Missed that bit but well spotted :)

Yeah there's a few ways to skin a cat. This works for me but tweak as you need.
 
