NeoRouter
http://www.neorouter.com/forum/

[SOLVED] NeoRouter Free not working in LXC
http://www.neorouter.com/forum/viewtopic.php?f=6&t=5741

Author:  rldleblanc [ Tue Aug 04, 2015 4:01 pm ]
Post subject:  [SOLVED] NeoRouter Free not working in LXC

I'd really like to move my KVM guests to LXC containers, but NeoRouter is not functioning properly in the container. If I run nrclientcmd in the container, the container is added as a computer and gets an IP address. However, there is no nrtap device in the container, and there is no communication in/out of the container although the server can see when the client disconnects. Also, the nrservice process does not register with the server, only the nrclientcmd seems to.

I'd love to help get this working properly, but I don't know how to get appropriate debugging information.

Configuration:
Host Debian Jessie
Container Debian Jessie (built from LXC image which is a minimal Debian install, possibly some tools not installed that NeoRouter relies on and not specified in the Debian package as a dependency?)
Host eth0 tied to br0 (dhcp)
Container veth to br0 (dhcp)

Any push in the right direction would be helpful.

Thanks,
Robert LeBlanc

Author:  kevinz [ Thu Aug 06, 2015 9:31 am ]
Post subject:  Re: NeoRouter Free not working in LXC

Hi rldleblanc,

You may want to create a tun device in LXC.

Code:
# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chmod 666 /dev/net/tun

You may also need to change the LXC config file to keep it:

Code:
#tun
lxc.cgroup.devices.allow = c 10:200 rwm


The NR client service needs the tun device to create the nrtap. You may also need to modify the firewall rules in LXC to route packets through nrtap if you use it.

Thanks,
KevinZ - NeoRouter team

Author:  rldleblanc [ Tue Aug 11, 2015 2:43 pm ]
Post subject:  Re: NeoRouter Free not working in LXC

KevinZ,

Sorry for the delay, I'm not getting e-mail notifications when someone replies to my threads.

Thanks for pointing me to creating the tun device. I've added the appropriate configurations to the LXC and it is creating the tun device correctly, but NeoRouter is still not creating the nrtap device.

As a test I set up a simple OpenVPN server and it is creating a tun0 device correctly.

I added logging to the nrservice and I'm only seeing 'I' and 'T' status. I don't see anything pointing to a failure to create the nrtap.

About the only thing I see in the logs is:
2015-08-11 19:34:14|07562|140511411578624| | +[static void* CStdTcpDevice::_ThreadProc(void*)]
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::_WaitForConnectComplete()]
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::_SetSocketOptions()]
2015-08-11 19:34:14|07562|140511411578624| | -[HRESULT CStdTcpDevice::_SetSocketOptions()](hr=0x0)
2015-08-11 19:34:14|07562|140511411578624| | +[void CStdTcpDevice::_OnConnect(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624|T| CStdTcpDevice::_OnConnect 0
2015-08-11 19:34:14|07562|140511411578624| | +[void CTcpBase<TCPDEVICE>::SocketDevice_OnConnect() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | +[void CTcpBase<TCPDEVICE>::ConnectInfo_OnComplete() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | +[virtual void COSSLConnector::Connect()]
2015-08-11 19:34:14|07562|140511411578624|I| SSL_CB_HANDSHAKE_START
2015-08-11 19:34:14|07562|140511411578624|I| SSL_connect:before/connect initialization
2015-08-11 19:34:14|07562|140511411578624|I| SSL_connect:SSLv2/v3 write client hello A
2015-08-11 19:34:14|07562|140511411578624|I| R retry R
2015-08-11 19:34:14|07562|140511411578624|I| SSL handshaking W 307
2015-08-11 19:34:14|07562|140511411578624|I| R retry R
2015-08-11 19:34:14|07562|140511411578624|I| W retry R
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::SocketDevice_Send(BYTE*, DWORD)]
2015-08-11 19:34:14|07562|140511411578624|I| send() failed:-2147024785
2015-08-11 19:34:14|07562|140511411578624| | +[void CStdTcpDevice::SocketDevice_Close(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624| | -[void CStdTcpDevice::SocketDevice_Close(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624| | -[HRESULT CStdTcpDevice::SocketDevice_Send(BYTE*, DWORD)](hr=0x8007006f)
2015-08-11 19:34:14|07562|140511411578624| | -[virtual void COSSLConnector::Connect()]
2015-08-11 19:34:14|07562|140511411578624| | -[void CTcpBase<TCPDEVICE>::ConnectInfo_OnComplete() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | -[void CTcpBase<TCPDEVICE>::SocketDevice_OnConnect() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | -[void CStdTcpDevice::_OnConnect(HRESULT)](hr=0x0)

Would more logs be beneficial for you? Anything else I can try that you can think of?

This container is on a bridge with the host's adapter so there is no NAT business going on. It has Internet access and the host also has NeoRouter on it.

Thanks,
Robert

Author:  kevinz [ Wed Aug 12, 2015 1:02 pm ]
Post subject:  Re: NeoRouter Free not working in LXC

Hi rldleblanc,

Please help collect the log file of nrservice and send it to us (support (at) neorouter (dot) com), so that we can help you to investigate it.

Based on the log you posted, there is an error while sending a message. It seems it didn't finish the SSL handshake yet.

The NR tap will be created after the NR client successfully signs in to the NR server and receives the allocated VIP.

You may want to run nrclientcmd (assuming the NR client service daemon is running) and sign in, then check ifconfig in another terminal.

Thanks,
KevinZ - NeoRouter team

Author:  rldleblanc [ Wed Aug 12, 2015 2:20 pm ]
Post subject:  [SOLVED] Re: NeoRouter Free not working in LXC

You were correct, I had the container connected to NeoRouter Free before fixing the tun issue, but I still needed to relogin. After the relogin, it created the nrtap just fine and I'm able to pass traffic through the VPN just fine. Thanks again for your help KevinZ.

Here are the steps I took for others stumbling upon this thread (I verified with a new clean LXC):
1. Create /var/lib/lxc/common/autodev with mode 0755:
Code:
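#!/bin/sh
# LXC autodev hook: create /dev/net/tun inside the container's /dev

cd "${LXC_ROOTFS_MOUNT}/dev" || exit 1
mkdir -p net
# character device, major 10, minor 200 (tun)
[ -c net/tun ] || mknod net/tun c 10 200
chmod 0666 net/tun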

2. Add the following to /var/lib/lxc/<container name>/config (single container) or /etc/lxc/default.conf (for all new containers):
Code:
lxc.hook.autodev = /var/lib/lxc/common/autodev

lxc.cgroup.devices.allow = c 10:200 rwm

3. Create and/or start up container and install and log into NeoRouter.
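
Added example, not part of the thread or of NeoRouter's tooling: a POSIX shell check for the two prerequisites in the steps above (an allow rule for c 10:200 in the container config, and /dev/net/tun present as that character device). The function names are hypothetical; it also accepts the lxc.cgroup2 spelling of the key and, going beyond what the thread covers, reports allow rules broader than the single tun device.

```shell
#!/bin/sh
# Added example (not from the thread): check the tun prerequisites above.

# Print "major:minor" in decimal for a character device; fail otherwise.
char_dev_id() {
    [ -c "$1" ] || return 1
    hex=$(stat -c '%t %T' "$1") || return 1   # GNU stat: hex major, hex minor
    set -- $hex
    printf '%d:%d\n' "0x$1" "0x$2"
}

# List device-cgroup allow rules from an LXC config as "type dev access".
device_allow_rules() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*lxc\.cgroup2?\.devices\.allow[ \t]*$/ {
            n = split($2, f, " ")
            print f[1], (n > 1 ? f[2] : "-"), (n > 2 ? f[3] : "-")
        }' "$1"
}

# Succeed if some rule grants read+write on c 10:200 specifically.
config_allows_tun() {
    device_allow_rules "$1" | awk '
        $1 == "c" && $2 == "10:200" && $3 ~ /r/ && $3 ~ /w/ { ok = 1 }
        END { exit !ok }'
}

# Print rules broader than one device ("a", or "*" as major or minor).
overbroad_rules() {
    device_allow_rules "$1" | awk '$1 == "a" || $2 ~ /\*/'
}

# Usage: check_tun_setup CONFIG [DEVNODE]
# The DEVNODE check is meant to be run inside the started container.
check_tun_setup() {
    rc=0
    config_allows_tun "$1" || { echo "config: no allow rule for c 10:200"; rc=1; }
    broad=$(overbroad_rules "$1")
    [ -z "$broad" ] || { echo "config: overbroad rule(s): $broad"; rc=1; }
    dev=${2:-/dev/net/tun}
    [ "$(char_dev_id "$dev")" = "10:200" ] || { echo "$dev: not char device 10:200"; rc=1; }
    return $rc
}
```

Since the nrtap is only created after sign-in, a passing check means the prerequisites are in place, not that the tunnel is up.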

All times are UTC - 5 hours