softether TAP interface on unprivileged container not passing to host

Discussion in 'Proxmox VE: Installation and configuration' started by rexkani, May 16, 2019.

  1. rexkani

    rexkani New Member

    Joined:
    May 4, 2019
    Messages:
    18
    Likes Received:
    0
    Dear all,

    I have been trying to follow instructions found on this forum to enable my container to create a TAP device.
    I used this on the PVE host:

    I see the TAP device successfully created by SoftEther:

    But when I try to establish an L2TP VPN from a remote host, the remote host traffic can't seem to go to the PVE host and DHCP cannot be processed:


    Can anyone please help to solve this problem please?
     
  2. rexkani

    Looking further at my host, I'm not seeing any TAP device on the host. Is this going to be an issue?
     
  3. LnxBil

    LnxBil Well-Known Member

    Joined:
    Feb 21, 2015
    Messages:
    3,696
    Likes Received:
    331
    No, host has no tap device, it is in the container.

    I have no experience with L2TP, but OpenVPN works like a charm in an unprivileged container.
    (https://forum.proxmox.com/threads/proxmox-5-and-openvpn.46614/)
     
  4. rexkani

    Therefore, with this showing in my "ip addr", it looks like it should be working?
    Are there any other ways I could troubleshoot this issue? I'm kind of stuck on how to investigate the issue further. I'm not sure where the problem is happening now.
     
  5. rexkani

    I'm not seeing the TAP MAC address on the router bridge.
     
  6. rexkani

    Can someone help point me in the right direction on how to investigate further, please? I hope to at least find out whether it's the host config's or the container config's problem.
     
  7. rexkani

    I just found this on the SoftEther interface, which shows the MAC addresses learned from the local bridge. On the local bridge built on the container's eth0, I can see MAC addresses.



    But on the local bridge built on the TAP interface, no MAC can be learnt.


     
  8. LnxBil

    Maybe you need some kernel modules to forward the traffic. IIRC, there were VPN solutions that used GRE. On the other hand, you can always run tcpdump on your PVE and visualize via Wireshark. Often, it's the only way to "see" what's going on.
     
  9. rexkani

    I have run tcpdump on the PVE host and I cannot see any DHCP traffic going out of my physical interface. And then I don't know how to investigate further.
     
  10. LnxBil

    I have no idea how L2TP works, but for other VPN solutions, I've never seen DHCP on a VPN. The IP configuration is integrated in the connection handshake, so that there is no DHCP. Are you certain that you have and want DHCP over VPN?
     
  11. rexkani

    L2TP/IPsec is a sort of Layer 2 VPN through a secure IPsec tunnel, therefore, the DHCP will be done inside the tunnel.

    No matter which tunnel protocol I'm going to run, if no MAC addresses can be learnt from the bridge interface, no network connectivity can be established.

    It doesn't seem like the guest host is really using the "TAP device", but I have no idea what can be done to solve this...
     
  12. LnxBil

    Thanks for the explanation. I've only used ipsec inside of qemu-based VMs, so I cannot give any other recommendation except using a "real" VM.
     
  13. rexkani

    Thanks for discussing with me.

    I hope there are more ideas here from the community that could lead me to a solution.
     
  14. rexkani

    I'm still desperate to settle this issue. Does anyone have some ideas?
     