ok, it's a bit disappointing that I ended in that dead end.
If namespaces are properly isolated then I guess that I might have
something wrong in my config, perhaps my bridge configuration or the way
I use nftables, my disappointment is that I don't know where to start
debug that pb, on the h
Dear Jehan,
we are not aware of the described problem.
It looks quite strange to me, we believe network namespaces are properly
isolated
and any settings (including any netfilter configuration) in one network
namespace should not affect other ones.
Thank you,
Vasily Averin
On 3/4/20
I did some more tests to try to resolve the SNAT/Postrouting problem
concurrency on VZ7 same host.
definitively I confirm that I cannot have more than 1 CT doing SNAT on a
single hardware node host.
If I vzMigrate the second CT (failing to SNAT) to a different hardware
node, then it works fin
Hello
back to VZ netfilter, I still encounter difficulties with NAT (SNAT /
POSTROUTING) in openvpn containers working in concurrency.
with 2 openvpn containers using SNAT in PostRouting, only one can do it,
the second one doesn't perform the SNAT anymore.
if I stop the 1st one and restart t
I finally found a working solution, not a VZ pb but rather an
openvpn-server configuration => I move to "proto tcp" instead of "proto
udp"! both proto worked to open the VPN, but with udp routing didn't
work,
thanks to your 5 steps check procedure I realized that at step 3)
"tcpdump on vpn'
1) I meant you don't need any special capabilities to run openvpn.
Just the tun device should be available.
2) Sorry for the confusion, I meant the openvz networking. routed (venet
device) or bridged (veth).
2.1) I don't use firewalld and not familiar with its syntax.
2.2) it really depends on
OK for 1), then I don't need any capability (net_admin, sys_time), I
was wondering because I read that on lots of docs as in:
https://github.com/OpenVZ/vz-docs/blob/master/virtuozzo_7_users_guide.asc
perhaps deprecated ?
for 2) I use routed openvpn (tun0)
yes I mess a lot between iptables and
openvpn does work. dev/tun:rw and full netfilter is all the
'extras' I have in the container's config
1) not sure if it still works but probably not useful in
this particular case, never used any capabilities for openvpn.
2) I use a single postrouting rule. Like the last one in your list.
I d
Hello
I have running VPNs that work perfectly on openvz6, now I move to
openvz7 and I cannot make it forward or masquerade between interfaces.
I am questioning about different concepts:
1) is enabling capabilities still enable/useful ?
ie: prlctl set ctvpn --capability net_admin:on => do