Site-to-site OpenVPN in unprivileged containers on Proxmox VE 5

The plan

I recently acquired a VPS and wanted to link it with my home network using the OpenVPN server I already have un place.  This VPS runs Proxmox 5.2 to spawn containers.  In this article, I explain how to get OpenVPN working in unprivileged containers and the specifics of a site-to-site link with OpenVPN.

In the future I will probably move to an IPsec-based solution, but this does the job.

Getting OpenVPN to work

I found a working solution in [1].  Stop the container and edit the file /etc/pve/lxc/102.conf.  Add the following line:

lxc.mount.entry = /dev/net dev/net none bind,create=dir

Start the container again.  OpenVPN will work like a charm.

Site-to-site link with OpenVPN

Say you want to link site B (192.168.20.0/24) with site A (192.168.10.0/24 and 192.168.11.0/24).  To acheive this with OpenVPN, the simplest way to go is to have one server (site A) and one or more clients (site B).

[2] gives a good overview of what needs to be done.

On the client

Enable IP routing on the OpenVPN client OS.

Connect the site B client like you would with any regular client.  If your server is not configured to automatically push routes, add them to your OpenVPN client OS.

If the OpenVPN client is not the main gateway of site B, add routes to the subnets of site A (192.168.10.0/24 and 192.168.11.0/24 in our example) through the OpenVPN client on the main gateway.

On the server

Add the following lines to your server config and restart it:

# Site-to-site
client-config-dir ccd
route 192.168.20.0 255.255.255.0

If the OpenVPN server is not the main gateway of site A, add routes to the subnets of site B (192.168.20.0/24 in our example) through the OpenVPN server on the main gateway.

Go to /etc/openvpn and Create a ccd folder.  Inside this folder, create a file with the CN of the site B client certificate.  This file allows you to define routes dynamically when the client connects to the server.  In our case, it contains:

iroute 192.168.20.0/24

Together with the directives added in the main configuration file, this tells the OpenVPN server it has a route towards 192.168.20.0/24, and that it will go through the client associated with the CCD file we created.

Sources

Add a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.