VPN issues (PPP, TUN interfaces)

[TheWorkingDeveloper]

At whits end, made an account because between 2005 and 2019 apparently very few people ever tried this.

Trying to install and set up VPN's with 'ubuntu-18.04-standard_18.04.1-1_amd64.tar.gz'.
Installing PPTP, IPsec/L2TP, IPsec/IKEv2 and OpenVPN all have different kinds of issues relating to interfaces and permissions.

One thing that's fairly hard to find here is that ALL modprobe commands should be ran on the HOST, not the VM. (For archive purposes).

So following and running this: github.com hwdsl2/setup-ipsec-vpn
And enabling all modprob modules:

modprobe tun
modprobe ppp-compress-18
modprobe ppp_mppe
modprobe ppp_deflate
modprobe ppp_async
modprobe pppoatm
modprobe ppp_generic


The errors from syslog:
May 25 17:58:34 VPN pppd[1050]: Couldn't open the /dev/ppp device: Operation not permitted
May 25 17:58:39 VPN pppd[1050]: Kernel doesn't support ppp_generic - needed for PPPoL2TP

Other issues are that different modules aren't created, devices don't exist etc.etc.
I tried using mknod /dev/ppp c 108 0
and chmod 600 /dev/ppp

on both the Host and VM, but no results.


Conclusion: Is there anyone that knows how to solve this, or set up an IPsec/IKEv2 VPN on Proxmox with the Ubuntu container template?

 

[t.lamprecht]

At whits end, made an account because between 2005 and 2019 apparently very few people ever tried this.

Or, they were more familiar with Containers (which we even do not used the same backing technology since 2005, since ~ 2015 we're using LXC, before OpenVZ, for example) and their head-aches and restrictions if one needs special devices btw. did you actually tried this out in all versions between 2005 and now ;P

One thing that's fairly hard to find here is that ALL modprobe commands should be ran on the HOST, not the VM. (For archive purposes).

For VM's (virtual machines) that's not the case, but yes for CT's (containers) - which use the host kernel, yes you need to load modules there to be sure it works.

May 25 17:58:34 VPN pppd[1050]: Couldn't open the /dev/ppp device: Operation not permitted
May 25 17:58:39 VPN pppd[1050]: Kernel doesn't support ppp_generic - needed for PPPoL2TP

Expected, as you normally do not want do just allow CTs (which may be untrusted and not under your control) to create and read/write to all possible Linux Kernel devices, that opens a big attack area, or better said voids most of the security restriction in place to, well, contain containers.

But, you can explicitly allow some kernel device with specifics permissions to a container, for ppp you'd add something like:

lxc.cgroup.devices.allow = c 108:0 rwm

EDIT: almost forgot: the place you can add this is /etc/pve/nodes/NODENAME/lxc/VMID.conf

Here "c" means character device, and 108, 0 are major, minor numbers denoting the PPP device in "kernel language". rwm are the permissions allowed for the system inside the cgroup where the container lives.

As it seems your system already tries to create the ppp device, else for testing one could do it manually, inside the CT:

mknod /dev/ppp c 108 0

and chmod 600 /dev/ppp

on both the Host and VM, but no results.

yes, the host already has access, and the CT isn't allowed it - as it's contained in a cgroup (rightfully so) and wasn't given the correct permissions, please try above, it should fix at least this one.

Conclusion: Is there anyone that knows how to solve this, or set up an IPsec/IKEv2 VPN on Proxmox with the Ubuntu container template?

If you're not too familiar with CTs and want to avoid doing manual stuff to allow the CTs elevated permissions just use a real Virtual Machine, there you won't have any of this issues as it's its own OS with it's own kernel.