Proxmox 5 and openvpn

dominikp

Aug 28, 2018
I want to move an OpenVPN server from a VM to a CT. So far I ...
1. made debian 9 container from template
2. installed openvpn and easy-rsa
3. copied whole /etc/openvpn from VM to CT (replacing original one)
4. turned forwarding on in /etc/sysctl.conf

Also I
5. Commented out the LimitNPROC line in /lib/systemd/system/openvpn@.service.
https://askubuntu.com/questions/747023/systemd-fails-to-start-openvpn-in-lxd-managed-16-04-container

and tried to
6. Add an additional line to the container's .conf file to allow creating the /dev/net/tun device, following these guides
https://www.hungred.com/how-to/setup-openvpn-on-proxmox-lxc/
https://blog.davidmoodie.com/secure-openvpn-server-ubuntu-16-04-proxmox-container/

But the container didn't come up after the last point. Before that it did come up, but without a tun interface.
So my questions are
Q1: Are the mentioned guides relevant to Proxmox 5?
I'm especially suspicious about adding those entries with an "=" sign when all lines in .cfg files are separated with ":"

Q2: I assume that if I have more than one container with openvpn, then on the HOST machine I would have to make a separate /dev/net/tun0, /dev/net/tun1 etc. for each of them?
 
The only two entries I needed in PVE 5.2 for an Alpine Linux based OpenVPN gateway are

Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

I'm running multiple gateways with this exact setting, so multiple run just fine.
 
Thank you VERY much! It worked this time. The only thing I had a problem with was "modprobe tun;". The container was starting but I couldn't log in with ssh. I deleted the "modprobe tun;" line and it worked. Then I ran the command manually and I got ...
Code:
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.15.18-2-pve/modules.dep.bin'                                                                                                 
modprobe: FATAL: Module tun not found in directory /lib/modules/4.15.18-2-pve

I don't have a /lib/modules directory at all
 
Well, this is kind of weird because I don't see the tun module on the host.
Code:
lsmod | grep tun
... returns nothing, neither ...
Code:
modprobe tun

... also
Code:
root@pve:/etc/pve/lxc# ls -la /lib/modules/4.15.18-2-pve/kernel/drivers/net/
total 480
drwxr-xr-x 25 root root    48 Aug 29 08:42 .
drwxr-xr-x 93 root root    93 Aug 29 08:42 ..
drwxr-xr-x  2 root root    13 Aug 29 08:42 arcnet
drwxr-xr-x  2 root root     3 Aug 29 08:42 bonding
drwxr-xr-x  2 root root     6 Aug 29 08:42 caif
drwxr-xr-x 11 root root    16 Aug 29 08:42 can
drwxr-xr-x  5 root root    11 Aug 29 08:42 dsa
-rw-r--r--  1 root root 17744 Aug 16 11:06 dummy.ko
-rw-r--r--  1 root root 13344 Aug 16 11:06 eql.ko
drwxr-xr-x 55 root root    60 Aug 29 08:42 ethernet
drwxr-xr-x  3 root root     4 Aug 29 08:42 fddi
drwxr-xr-x  2 root root     3 Aug 29 08:42 fjes
-rw-r--r--  1 root root 42416 Aug 16 11:06 geneve.ko
-rw-r--r--  1 root root 41296 Aug 16 11:06 gtp.ko
drwxr-xr-x  2 root root    10 Aug 29 08:42 hamradio
drwxr-xr-x  2 root root     3 Aug 29 08:42 hyperv
drwxr-xr-x  2 root root     9 Aug 29 08:42 ieee802154
-rw-r--r--  1 root root 13632 Aug 16 11:06 ifb.ko
drwxr-xr-x  2 root root     4 Aug 29 08:42 ipvlan
-rw-r--r--  1 root root 57912 Aug 16 11:06 macsec.ko
-rw-r--r--  1 root root 37920 Aug 16 11:06 macvlan.ko
-rw-r--r--  1 root root 11088 Aug 16 11:06 macvtap.ko
-rw-r--r--  1 root root 10552 Aug 16 11:06 mdio.ko
-rw-r--r--  1 root root 14240 Aug 16 11:06 mii.ko
-rw-r--r--  1 root root 29608 Aug 16 11:06 netconsole.ko
-rw-r--r--  1 root root  9504 Aug 16 11:06 nlmon.ko
-rw-r--r--  1 root root 18400 Aug 16 11:06 ntb_netdev.ko
drwxr-xr-x  2 root root    39 Aug 29 08:42 phy
drwxr-xr-x  2 root root     3 Aug 29 08:42 plip
drwxr-xr-x  2 root root    10 Aug 29 08:42 ppp
-rw-r--r--  1 root root 26832 Aug 16 11:06 rionet.ko
-rw-r--r--  1 root root 23088 Aug 16 11:06 sb1000.ko
drwxr-xr-x  2 root root     3 Aug 29 08:42 slip
-rw-r--r--  1 root root 23376 Aug 16 11:06 sungem_phy.ko
-rw-r--r--  1 root root 34048 Aug 16 11:06 tap.ko
drwxr-xr-x  2 root root     8 Aug 29 08:42 team
-rw-r--r--  1 root root 32240 Aug 16 11:06 thunderbolt-net.ko
drwxr-xr-x  2 root root    38 Aug 29 08:42 usb
-rw-r--r--  1 root root 15496 Aug 16 11:06 veth.ko
-rw-r--r--  1 root root 78176 Aug 16 11:06 virtio_net.ko
drwxr-xr-x  2 root root     3 Aug 29 08:42 vmxnet3
-rw-r--r--  1 root root 32912 Aug 16 11:06 vrf.ko
-rw-r--r--  1 root root  9440 Aug 16 11:06 vsockmon.ko
-rw-r--r--  1 root root 83312 Aug 16 11:06 vxlan.ko
drwxr-xr-x  3 root root    19 Aug 29 08:42 wan
drwxr-xr-x  3 root root     3 Aug 29 08:42 wimax
drwxr-xr-x 18 root root    22 Aug 29 08:42 wireless
drwxr-xr-x  2 root root     3 Aug 29 08:42 xen-netback
root@pve:/etc/pve/lxc# find /lib/modules/ -iname 'tun.ko'
root@pve:/etc/pve/lxc# find /lib/modules/ -iname 'tun.ko.gz'

... but ...
Code:
root@pve:/etc/pve/lxc# ls /dev/net
tun
 
Oh, you're right - it is already compiled in and therefore not available as a module:

Code:
root@proxmox ~ > grep CONFIG_TUN /boot/config-4.15.18-2-pve  | grep -v ^#
CONFIG_TUN=y
 
I'm posting for potential future users that stumble upon this:
Currently the config edit in /etc/pve/lxc won't be applied when starting using `lxc-start`.
To apply the config use the web interface to start the container.
Double check if your changes were applied in /var/lib/lxc/<id>/config, but do not edit this file directly, it'll be replaced by the config in /etc/pve/lxc again.
A bug report was opened regarding this behavior.

Have a nice day!
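
An added example, not posted by anyone in the thread: a shell check for the two points the thread ends on, whether `tun` is built into the kernel (so `modprobe tun` in the hook has nothing to load) and whether the raw `lxc.*` lines from the PVE config, written `key: value`, reached the generated LXC config as `key = value`. The function names and the sample files are assumptions; on a host the inputs would be /boot/config-$(uname -r), /etc/pve/lxc/<id>.conf and /var/lib/lxc/<id>/config.

```shell
#!/bin/sh
# Added example. The sample files written in demo() are constructed.

# Print how the kernel config in $1 provides TUN:
# "builtin" (CONFIG_TUN=y), "module" (CONFIG_TUN=m) or "absent".
tun_mode() {
    case "$(grep -E '^CONFIG_TUN=' "$1" 2>/dev/null | head -n 1)" in
        CONFIG_TUN=y) echo builtin ;;
        CONFIG_TUN=m) echo module ;;
        *)            echo absent ;;
    esac
}

# Print every raw "lxc.key: value" entry of PVE config $1 that has no
# matching "lxc.key = value" line in generated LXC config $2.
# Returns 1 if anything is missing, 0 otherwise.
missing_lxc_entries() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "["*)    break ;;      # snapshot sections start here; stop
            lxc.*:*) ;;            # raw LXC entry, checked below
            *)       continue ;;   # ordinary PVE option, not passed through verbatim
        esac
        key=${line%%:*}            # text before the first colon
        val=${line#*:}             # text after the first colon
        val=${val# }
        # Normalise "key = value" spacing, then require an exact line match.
        if ! sed -E 's/^[[:space:]]*([^=[:space:]]+)[[:space:]]*=[[:space:]]*/\1=/' "$2" |
                grep -qxF -- "$key=$val"; then
            printf '%s = %s\n' "$key" "$val"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

demo() {
    d=$(mktemp -d)
    printf 'CONFIG_TUN=y\n' > "$d/kconfig"
    printf '%s\n' 'arch: amd64' 'lxc.cgroup.devices.allow: c 10:200 rwm' > "$d/pve.conf"
    printf '%s\n' 'lxc.arch = amd64' > "$d/lxc.conf"   # stale generated config
    echo "tun: $(tun_mode "$d/kconfig")"
    missing_lxc_entries "$d/pve.conf" "$d/lxc.conf" || echo "not applied yet"
    rm -rf "$d"
}
demo
```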