[SOLVED] VPN Client (Proxmox + Docker). No /dev/ppp interface

chencho

Hi all.

I'm on Proxmox 7.2

Then I install an LXC container from here: https://github.com/tteck/Proxmox (Docker LXC script).

Code:
arch: amd64
cores: 14
features: fuse=1,nesting=1
hostname: docker
memory: 122880
net0: name=eth0,bridge=vmbr0,gw=xx.xx.xx.xx,hwaddr=xx:xx:xx:xx:xx:xx,ip=xx.xx.xx.xx/32,type=veth
onboot: 1
ostype: debian
rootfs: vz:subvol-900-disk-0,size=3140G
swap: 512
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.cap.drop:
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Inside it, I create a privileged Docker container with:

Code:
0 AUDIT_WRITE
1 CHOWN
2 DAC_OVERRIDE
3 FOWNER
4 FSETID
5 KILL
6 MKNOD
7 NET_ADMIN
8 NET_BIND_SERVICE
9 NET_RAW
10 SETFCAP
11 SETGID
12 SETPCAP
13 SETUID
14 SYS_ADMIN
15 SYS_CHROOT

The NET_ADMIN flag is important for the VPN to work.

Then, I have a script to connect to my VPN, but it fails

Code:
Stopping xl2tpd: xl2tpd.
Stopping strongSwan IPsec...
Starting strongSwan 5.9.1 IPsec [starter]...
initiating Main Mode IKE_SA L2TP-PSK[1] to VPN_SERVER_IP
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 172.17.0.11[500] to VPN_SERVER_IP[500] (240 bytes)
received packet: from VPN_SERVER_IP[500] to 172.17.0.11[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 172.17.0.11[500] to VPN_SERVER_IP[500] (372 bytes)
received packet: from VPN_SERVER_IP[500] to 172.17.0.11[500] (364 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 172.17.0.11[4500] to VPN_SERVER_IP[4500] (108 bytes)
received packet: from VPN_SERVER_IP[4500] to 172.17.0.11[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA L2TP-PSK[1] established between 172.17.0.11[172.17.0.11]...VPN_SERVER_IP[192.168.168.5]
scheduling reauthentication in 3284s
maximum IKE_SA lifetime 3464s
generating QUICK_MODE request 320812190 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 172.17.0.11[4500] to VPN_SERVER_IP[4500] (252 bytes)
received packet: from VPN_SERVER_IP[4500] to 172.17.0.11[4500] (188 bytes)
parsed QUICK_MODE response 320812190 [ HASH SA No ID ID NAT-OA NAT-OA ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA L2TP-PSK{1} established with SPIs cfca60a2_i 0d7afb02_o and TS 172.17.0.11/32[udp/l2f] === VPN_SERVER_IP/32[udp/l2f]
generating QUICK_MODE request 320812190 [ HASH ]
connection 'L2TP-PSK' established successfully
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.15.53-1-pve, x86_64):
  uptime: 4 seconds, since Sep 29 14:21:42 2022
  malloc: sbrk 2334720, mmap 0, used 614528, free 1720192
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  172.17.0.11
Connections:
    L2TP-PSK:  %any...VPN_SERVER_IP  IKEv1
    L2TP-PSK:   local:  uses pre-shared key authentication
    L2TP-PSK:   remote: [192.168.168.5] uses pre-shared key authentication
    L2TP-PSK:   child:  dynamic[udp/l2f] === dynamic[udp/l2f] TRANSPORT
Security Associations (1 up, 0 connecting):
    L2TP-PSK[1]: ESTABLISHED 2 seconds ago, 172.17.0.11[172.17.0.11]...VPN_SERVER_IP[192.168.168.5]
    L2TP-PSK[1]: IKEv1 SPIs: caad7141acabc728_i* c96b543ae833adcb_r, pre-shared key reauthentication in 54 minutes
    L2TP-PSK[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    L2TP-PSK{1}:  INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cfca60a2_i 0d7afb02_o
    L2TP-PSK{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
    L2TP-PSK{1}:   172.17.0.11/32[udp/l2f] === VPN_SERVER_IP/32[udp/l2f]
xl2tpd[56819]: Not looking for kernel SAref support.
xl2tpd[56819]: Using l2tp kernel support.
xl2tpd[56819]: xl2tpd version xl2tpd-1.3.12 started on 56d4fbfdfc9f PID:56819
xl2tpd[56819]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
xl2tpd[56819]: Forked by Scott Balmos and David Stipp, (C) 2001
xl2tpd[56819]: Inherited by Jeff McAdams, (C) 2002
xl2tpd[56819]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
xl2tpd[56819]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[56819]: Connecting to host VPN_SERVER_IP, port 1701
xl2tpd[56819]: Connection established to VPN_SERVER_IP, 1701.  Local: 3108, Remote: 65472 (ref=0/0).
xl2tpd[56819]: Calling on tunnel 3108
xl2tpd[56819]: Call established with VPN_SERVER_IP, Local: 63436, Remote: 1, Serial: 1 (ref=0/0)
xl2tpd[56819]: start_pppd: I'm running:
xl2tpd[56819]: "/usr/sbin/pppd"
xl2tpd[56819]: "plugin"
xl2tpd[56819]: "pppol2tp.so"
xl2tpd[56819]: "pppol2tp"
xl2tpd[56819]: "7"
xl2tpd[56819]: "passive"
xl2tpd[56819]: "nodetach"
xl2tpd[56819]: ":"
xl2tpd[56819]: "debug"
xl2tpd[56819]: "file"
xl2tpd[56819]: "/etc/ppp/options.l2tpd.client"
xl2tpd[56819]: child_handler : pppd exited for call 1 with code 1
xl2tpd[56819]: call_close: Call 63436 to VPN_SERVER_IP disconnected
xl2tpd[56819]: result_code_avp: avp is incorrect size.  8 < 10
xl2tpd[56819]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
xl2tpd[56819]: Terminating pppd: sending TERM signal to pid 56821
xl2tpd[56819]: Connection 65472 closed to VPN_SERVER_IP, port 1701 (Result Code: expected at least 10, got 8)
xl2tpd[56819]: Connecting to host VPN_SERVER_IP, port 1701
xl2tpd[56819]: Connection established to VPN_SERVER_IP, 1701.  Local: 10489, Remote: 65475 (ref=0/0).
xl2tpd[56819]: Calling on tunnel 10489
xl2tpd[56819]: Call established with VPN_SERVER_IP, Local: 49268, Remote: 1, Serial: 2 (ref=0/0)
xl2tpd[56819]: start_pppd: I'm running:
xl2tpd[56819]: "/usr/sbin/pppd"
xl2tpd[56819]: "plugin"
xl2tpd[56819]: "pppol2tp.so"
xl2tpd[56819]: "pppol2tp"
xl2tpd[56819]: "7"
xl2tpd[56819]: "passive"
xl2tpd[56819]: "nodetach"
xl2tpd[56819]: ":"
xl2tpd[56819]: "debug"
xl2tpd[56819]: "file"
xl2tpd[56819]: "/etc/ppp/options.l2tpd.client"
xl2tpd[56819]: child_handler : pppd exited for call 1 with code 1
xl2tpd[56819]: call_close: Call 49268 to VPN_SERVER_IP disconnected
xl2tpd[56819]: result_code_avp: avp is incorrect size.  8 < 10
xl2tpd[56819]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
xl2tpd[56819]: Terminating pppd: sending TERM signal to pid 56881
xl2tpd[56819]: Connection 65475 closed to VPN_SERVER_IP, port 1701 (Result Code: expected at least 10, got 8)
xl2tpd[56819]: death_handler: Fatal signal 15 received

It seems all goes fine, but when it tries to use the ppp device it fails:

Code:
xl2tpd[56819]: "/etc/ppp/options.l2tpd.client"
xl2tpd[56819]: child_handler : pppd exited for call 1 with code 1
xl2tpd[56819]: call_close: Call 63436 to VPN_SERVER_IP disconnected
xl2tpd[56819]: result_code_avp: avp is incorrect size.  8 < 10

My /etc/ppp/options.l2tpd.client

Code:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
userpeerdns
debug
connect-delay 5000
name "USER"
password "pass"

The same config is working on AWS / ECS

In Proxmox I can do:

Code:
root@rosita:~# ls -al /dev/ppp
crw------- 1 root root 108, 0 sep 16 12:21 /dev/ppp

But inside the container:

Code:
root@docker:~# ls -al /dev/ppp
ls: no se puede acceder a '/dev/ppp': No existe el fichero o el directorio

---

I just noticed that lxc.mount.entry: /dev/net dev/net none bind,create=dir needs to be lxc.mount.entry: /dev/ppp dev/ppp none bind,create=dir

I'm going to try restarting tonight.
 
After the restart everything seems the same. The VPN can't connect.

Code:
root@rosita:~# ls -l /lib/modules/5.15.53-1-pve/kernel/drivers/net/ppp
total 180
-rw-r--r-- 1 root root 16824 ago 26 16:53 bsd_comp.ko
-rw-r--r-- 1 root root 24944 ago 26 16:53 ppp_async.ko
-rw-r--r-- 1 root root 14664 ago 26 16:53 ppp_deflate.ko
-rw-r--r-- 1 root root 16160 ago 26 16:53 ppp_mppe.ko
-rw-r--r-- 1 root root 33528 ago 26 16:53 pppoe.ko
-rw-r--r-- 1 root root 13152 ago 26 16:53 pppox.ko
-rw-r--r-- 1 root root 22600 ago 26 16:53 ppp_synctty.ko
-rw-r--r-- 1 root root 24016 ago 26 16:53 pptp.ko

It seems ppp is available.

I tried adding:

Code:
root@rosita:~# vim /etc/pve/lxc/900.conf
lxc.cap.keep: net_admin

But after the restart the LXC doesn't start.
 
I can access the VPN on my Mac using Docker.

But when I use it on Proxmox, I can't access the /dev/ppp interface :( I think it's the only thing I need to make it work.
 
Solved.

My current config:

Code:
lxc.cgroup2.devices.allow: c 108:0 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file

Then:

Code:
lxc-device -n MyContainer add /dev/ppp

After this, I need to restart my Docker container, and finally I can connect to the VPN :)
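As an added example (not part of this thread or of Proxmox's tooling), a small checker that parses the lxc.cgroup2.devices.allow and lxc.mount.entry lines of an LXC config and reports whether a character device such as /dev/ppp (char 108:0, as in the ls output above) is both permitted by the device cgroup and bind-mounted into the container, the two conditions the working config satisfies and the first one did not. The two sample configs are constructed from the before and after device lines in this thread; the regexes, function names and the 108:0 device numbers are taken from the thread, nothing else is assumed about the host.

```python
import re

# Constructed samples: the thread's original device lines (only /dev/net/tun, char 10:200)
# and the working config from the end of the thread (/dev/ppp is char 108:0 on the host).
BEFORE = """\
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
"""
AFTER = """\
lxc.cgroup2.devices.allow: c 108:0 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file
"""

# allow rule: type (a=all, b=block, c=char), major:minor ("*" = any), access letters r/w/m
ALLOW_RE = re.compile(r"^lxc\.cgroup2\.devices\.allow:\s*([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$")
# mount entry: host_path container_path fstype comma-separated options
MOUNT_RE = re.compile(r"^lxc\.mount\.entry:\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def device_access(config: str, dev_type: str, major: int, minor: int) -> set:
    """Union of r/w/m access the cgroup allow-rules grant to one device node."""
    modes = set()
    for line in config.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue
        kind, maj, mino, acc = m.groups()
        # a rule applies when its type covers ours and its numbers match or are wildcards
        if kind in ("a", dev_type) and maj in ("*", str(major)) and mino in ("*", str(minor)):
            modes |= set(acc)
    return modes


def is_bind_mounted(config: str, host_path: str) -> bool:
    """True if host_path, or a directory above it, is bind-mounted into the container."""
    for line in config.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m and "bind" in m.group(4).split(","):
            src = m.group(1).rstrip("/")
            if host_path == src or host_path.startswith(src + "/"):
                return True
    return False


def check_device(config: str, host_path: str, dev_type: str, major: int, minor: int) -> dict:
    """Usable only if the node is present (bind mount) AND the device cgroup allows read/write."""
    modes = device_access(config, dev_type, major, minor)
    mounted = is_bind_mounted(config, host_path)
    return {"modes": "".join(sorted(modes)), "mounted": mounted, "usable": mounted and {"r", "w"} <= modes}
```

Run against the real /etc/pve/lxc/<vmid>.conf on the host, check_device(open(path).read(), "/dev/ppp", "c", 108, 0) tells you which of the two pieces is missing before rebooting the container; keeping the allow rule at exactly 108:0 rather than a wildcard limits what the container can open.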
 
