Is VPN via the TUN/TAP device supported inside a Container?

Article ID: 696
Last Review: Nov 16, 2009
Author: Kolomoets Alexey
Last updated by: Kolomoets Alexey

APPLIES TO:
  • Parallels Virtuozzo Containers for Linux

Resolution

Since Virtuozzo 2.6.1, VPN support for a container via the TUN/TAP device is available. To allow container #101 to use the TUN/TAP device, take the following steps:


1. Make sure the tun module has already been loaded on the hardware node:
# lsmod | grep tun

If it is not there, use
# modprobe tun

to load it, and add it to /etc/modules.conf. The module must be loaded before Virtuozzo is started, so you should run
# service vz restart

to make it available at runtime (all containers will be restarted).

To load the module automatically before the Virtuozzo services are started, you may install the 'openvpn' package from the Virtuozzo distribution (in the HW/RPMS folder) and enable it in the default runlevel (use the 'chkconfig' utility to do that). Also follow the instructions on automated module loading that suit the base OS installed on the hardware node.
For example, on RedHat-based systems (such as Fedora Core, RedHat AS3/AS4, CentOS 3/4/5) it should be enough to add the 'modprobe tun' command to the /etc/rc.modules file and make it executable:
# chmod a+rx /etc/rc.modules

On SuSE-based systems it should usually be enough to add the tun module to the MODULES_LOADED_ON_BOOT variable in the /etc/sysconfig/kernel file (it should be processed by the /etc/init.d/boot.loadmodules initscript).

2. Allow the container to use the tun/tap device:
# vzctl set 101 --devices c:10:200:rw --save

If you see the following error message:

Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)

you may add the required permission:
# vzctl set 101 --capability net_admin:on --save

However, grant this capability only if functionality is actually affected without it, and only to trusted environments.

3. Create the device in the container:
# vzctl exec 101 mkdir -p /dev/net
# vzctl exec 101 mknod /dev/net/tun c 10 200

 
4. Set proper permissions for /dev/net/tun:
# vzctl exec 101 chmod 600 /dev/net/tun
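
To review afterwards which containers hold the grants from step 2, the following added example (not part of the original article or of Parallels' tooling) reads per-container config files and flags any that carry net_admin. It assumes that `vzctl set ... --save` persists the settings as DEVICES="..." and CAPABILITY="..." lines in a <CTID>.conf file; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which container configs carry the TUN/TAP device grant
# and the net_admin capability from step 2.
# Assumption: `vzctl set ... --save` persists them as DEVICES="..." and
# CAPABILITY="..." lines in a per-container <CTID>.conf file.

# conf_value FILE KEY: print the value of the last KEY=... line, quotes removed.
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# has_token LIST TOKEN: succeed if TOKEN is in the space-separated LIST
# (LIST is compared case-insensitively; TOKEN must be given in lowercase).
has_token() {
    for item in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        [ "$item" = "$2" ] && return 0
    done
    return 1
}

# audit_ct_conf FILE: print "<CTID> tun=<yes|no> net_admin=<yes|no> <verdict>".
audit_ct_conf() {
    ctid=$(basename "$1" .conf)
    tun=no; netadmin=no; verdict=ok
    if has_token "$(conf_value "$1" DEVICES)" "c:10:200:rw"; then tun=yes; fi
    if has_token "$(conf_value "$1" CAPABILITY)" "net_admin:on"; then netadmin=yes; fi
    # net_admin is the grant the article restricts to trusted environments.
    if [ "$netadmin" = yes ]; then verdict=review-trust; fi
    echo "$ctid tun=$tun net_admin=$netadmin $verdict"
}

# Demo on constructed sample configs (not taken from a real hardware node).
demo() {
    dir=$(mktemp -d)
    printf 'DEVICES="c:10:200:rw "\n' > "$dir/101.conf"
    printf 'DEVICES="c:10:200:rw "\nCAPABILITY="NET_ADMIN:on "\n' > "$dir/102.conf"
    printf 'HOSTNAME="web"\n' > "$dir/103.conf"
    for f in "$dir"/*.conf; do audit_ct_conf "$f"; done
    rm -rf "$dir"
}
demo
```

On a hardware node, call audit_ct_conf on each real container config file instead of running the demo.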

 
Popular Linux VPN software working with the TUN/TAP interface includes Virtual TUNnel (http://vtun.sourceforge.net) and OpenVPN (http://openvpn.sourceforge.net).
Keywords: tun,vpn,openvpn,tunnel,tap

