Site-to-site OpenVPN in unprivileged containers on Proxmox VE 5
The plan
I recently acquired a VPS and wanted to link it with my home network using the OpenVPN server I already have in place. This VPS runs Proxmox 5.2 to spawn containers. In this article, I explain how to get OpenVPN working in unprivileged containers and the specifics of a site-to-site link with OpenVPN.
In the future I will probably move to an IPsec-based solution, but this does the job.
Getting OpenVPN to work
I found a working solution in [1]. Stop the container and edit the file /etc/pve/lxc/102.conf (102 being the container ID). Add the following line, which bind-mounts the host's /dev/net directory, and thus /dev/net/tun, into the container so OpenVPN can create its tunnel interface:
lxc.mount.entry = /dev/net dev/net none bind,create=dir
Start the container again. OpenVPN will work like a charm.
Site-to-site link with OpenVPN
Say you want to link site B (192.168.20.0/24) with site A (192.168.10.0/24 and 192.168.11.0/24). To achieve this with OpenVPN, the simplest way to go is to have one server (site A) and one or more clients (site B).
[2] gives a good overview of what needs to be done.
On the client
Enable IP forwarding (routing) on the OpenVPN client OS.
Connect the site B client like you would with any regular client. If your server is not configured to automatically push routes, add them to your OpenVPN client OS.
If the OpenVPN client is not the main gateway of site B, add routes to the subnets of site A (192.168.10.0/24 and 192.168.11.0/24 in our example) through the OpenVPN client on the main gateway.
On the server
Add the following lines to your server config and restart it:
# Site-to-site
client-config-dir ccd
route 192.168.20.0 255.255.255.0
If the OpenVPN server is not the main gateway of site A, add routes to the subnets of site B (192.168.20.0/24 in our example) through the OpenVPN server on the main gateway.
Go to /etc/openvpn and create a ccd folder. Inside this folder, create a file named after the CN of the site B client certificate. This file allows you to define routes dynamically when the client connects to the server. In our case, it contains:
iroute 192.168.20.0 255.255.255.0
Together with the directives added in the main configuration file, this tells the OpenVPN server it has a route towards 192.168.20.0/24, and that it will go through the client associated with the CCD file we created.
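Because the route/iroute pairing is easy to get wrong (an iroute with no matching route leaves the server unable to forward the traffic, and two CCD files claiming overlapping subnets leave it to chance which client receives them), here is a small checker, added as an example and not part of the article or of OpenVPN itself. It parses the server config lines above and a set of CCD files (the CNs and the extra CCD files are constructed for the example) and reports the usual mistakes.

```python
import ipaddress
from typing import Dict, Iterator, List

def directives(text: str) -> Iterator[List[str]]:
    """Yield each OpenVPN directive as a token list, skipping blanks and '#'/';' comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            yield line.split()

def _net(args: List[str]) -> ipaddress.IPv4Network:
    """'network [netmask]' as OpenVPN writes it; a missing netmask means a single host."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.IPv4Network(f"{args[0]}/{mask}", strict=False)

def check_site_to_site(server_conf: str, ccd_files: Dict[str, str]) -> List[str]:
    """Return misconfigurations: no client-config-dir, iroutes without a covering kernel
    route, and subnets claimed by more than one client."""
    problems = []
    tokens = list(directives(server_conf))
    if not any(d[0] == "client-config-dir" for d in tokens):
        problems.append("server: no client-config-dir, so ccd iroute files are never read")
    kernel_routes = [_net(d[1:]) for d in tokens if d[0] == "route" and len(d) > 1]
    claimed = []  # (cn, network) pairs already seen in earlier CCD files
    for cn, text in ccd_files.items():
        for d in directives(text):
            if d[0] != "iroute" or len(d) < 2:
                continue
            net = _net(d[1:])
            if not any(net.subnet_of(r) for r in kernel_routes):
                problems.append(f"{cn}: iroute {net} has no covering 'route' in the server config")
            for other_cn, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{cn}: iroute {net} overlaps {other} already claimed by {other_cn}")
            claimed.append((cn, net))
    return problems

# Constructed sample: the server lines from the article plus two extra CCD files with mistakes.
SERVER_CONF = """\
# Site-to-site
client-config-dir ccd
route 192.168.20.0 255.255.255.0
"""
CCD_FILES = {
    "siteb-gateway": "iroute 192.168.20.0 255.255.255.0\n",
    "roaming-laptop": "iroute 192.168.20.128 255.255.255.128\n",  # collides with site B
    "sitec-gateway": "iroute 192.168.30.0 255.255.255.0\n",       # 'route' directive forgotten
}

if __name__ == "__main__":
    for problem in check_site_to_site(SERVER_CONF, CCD_FILES):
        print(problem)
```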
Sources
- [1] https://forum.proxmox.com/threads/openvpn-in-unprivileged-container.38670/
- [2] https://medium.com/@bjammal/site-to-site-vpn-on-a-single-host-using-openvpn-e9c5cdb22f92