All times are UTC - 5 hours




 Post subject: [SOLVED] NeoRouter Free not working in LXC
Posted: Tue Aug 04, 2015 4:01 pm
I'd really like to move my KVM guests to LXC containers, but NeoRouter is not functioning properly in the container. If I run nrclientcmd in the container, the container is added as a computer and gets an IP address. However, there is no nrtap device in the container, and there is no communication in/out of the container although the server can see when the client disconnects. Also, the nrservice process does not register with the server, only the nrclientcmd seems to.

I'd love to help get this working properly, but I don't know how to get appropriate debugging information.

Configuration:
Host Debian Jessie
Container Debian Jessie (built from LXC image which is a minimal Debian install, possibly some tools not installed that NeoRouter relies on and not specified in the Debian package as a dependency?)
Host eth0 tied to br0 (dhcp)
Container veth to br0 (dhcp)

Any push in the right direction would be helpful.

Thanks,
Robert LeBlanc


Last edited by rldleblanc on Wed Aug 12, 2015 2:21 pm, edited 1 time in total.

 Post subject: Re: NeoRouter Free not working in LXC
Posted: Thu Aug 06, 2015 9:31 am
Hi rldleblanc,

You may want to create a tun device in LXC.

Code:
# mkdir /dev/net
# mknod /dev/net/tun c 10 200
# chmod 666 /dev/net/tun




You may also need to change the LXC config file to keep it:

Code:
#tun
lxc.cgroup.devices.allow = c 10:200 rwm


The NR client service needs the tun device to create the nrtap. You may also need to modify the firewall rules in LXC to route packets through nrtap if you use it.

Thanks,
KevinZ - NeoRouter team


 Post subject: Re: NeoRouter Free not working in LXC
Posted: Tue Aug 11, 2015 2:43 pm
KevinZ,

Sorry for the delay, I'm not getting e-mail notifications when someone replies to my threads.

Thanks for pointing me to creating the tun device. I've added the appropriate configurations to the LXC and it is creating the tun device correctly, but NeoRouter is still not creating the nrtap device.

As a test I set up a simple OpenVPN server and it is creating a tun0 device correctly.

I added logging to the nrservice and I'm only seeing 'I' and 'T' status. I don't see anything pointing to a failure to create the nrtap.

About the only thing I see in the logs is:
2015-08-11 19:34:14|07562|140511411578624| | +[static void* CStdTcpDevice::_ThreadProc(void*)]
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::_WaitForConnectComplete()]
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::_SetSocketOptions()]
2015-08-11 19:34:14|07562|140511411578624| | -[HRESULT CStdTcpDevice::_SetSocketOptions()](hr=0x0)
2015-08-11 19:34:14|07562|140511411578624| | +[void CStdTcpDevice::_OnConnect(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624|T| CStdTcpDevice::_OnConnect 0
2015-08-11 19:34:14|07562|140511411578624| | +[void CTcpBase<TCPDEVICE>::SocketDevice_OnConnect() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | +[void CTcpBase<TCPDEVICE>::ConnectInfo_OnComplete() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | +[virtual void COSSLConnector::Connect()]
2015-08-11 19:34:14|07562|140511411578624|I| SSL_CB_HANDSHAKE_START
2015-08-11 19:34:14|07562|140511411578624|I| SSL_connect:before/connect initialization
2015-08-11 19:34:14|07562|140511411578624|I| SSL_connect:SSLv2/v3 write client hello A
2015-08-11 19:34:14|07562|140511411578624|I| R retry R
2015-08-11 19:34:14|07562|140511411578624|I| SSL handshaking W 307
2015-08-11 19:34:14|07562|140511411578624|I| R retry R
2015-08-11 19:34:14|07562|140511411578624|I| W retry R
2015-08-11 19:34:14|07562|140511411578624| | +[HRESULT CStdTcpDevice::SocketDevice_Send(BYTE*, DWORD)]
2015-08-11 19:34:14|07562|140511411578624|I| send() failed:-2147024785
2015-08-11 19:34:14|07562|140511411578624| | +[void CStdTcpDevice::SocketDevice_Close(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624| | -[void CStdTcpDevice::SocketDevice_Close(HRESULT)]
2015-08-11 19:34:14|07562|140511411578624| | -[HRESULT CStdTcpDevice::SocketDevice_Send(BYTE*, DWORD)](hr=0x8007006f)
2015-08-11 19:34:14|07562|140511411578624| | -[virtual void COSSLConnector::Connect()]
2015-08-11 19:34:14|07562|140511411578624| | -[void CTcpBase<TCPDEVICE>::ConnectInfo_OnComplete() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | -[void CTcpBase<TCPDEVICE>::SocketDevice_OnConnect() [with TCPDEVICE = CStdTcpDevice]]
2015-08-11 19:34:14|07562|140511411578624| | -[void CStdTcpDevice::_OnConnect(HRESULT)](hr=0x0)

Would more log be beneficial for you? Anything else I can try that you can think of?

This container is on a bridge with the host's adapter so there is no NAT business going on. It has Internet access and the host also has NeoRouter on it.

Thanks,
Robert


 Post subject: Re: NeoRouter Free not working in LXC
Posted: Wed Aug 12, 2015 1:02 pm
Hi rldleblanc,

Please help collect the log file of nrservice and send it to us (support (at) neorouter (dot) com), so that we can help you to investigate it.

Based on the log you posted, there is an error while sending a message. It seems it didn't finish the SSL handshake yet.

The NR tap will be created after the NR client successfully signs in to the NR server and receives the allocated VIP.

You may want to run nrclientcmd (assuming the NR client service daemon is running) and sign in, then check ifconfig in another terminal.

Thanks,
KevinZ - NeoRouter team


 Post subject: [SOLVED] Re: NeoRouter Free not working in LXC
Posted: Wed Aug 12, 2015 2:20 pm
You were correct, I had the container connected to NeoRouter Free before fixing the tun issue, but I still needed to relogin. After the relogin, it created the nrtap just fine and I'm able to pass traffic through the VPN just fine. Thanks again for your help KevinZ.

Here are the steps I took for others stumbling upon this thread (I verified with a new clean LXC):
1. Create /var/lib/lxc/common/autodev with mode 0755:
Code:
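#!/bin/sh
# LXC autodev hook: create /dev/net/tun inside the container's /dev.
set -e  # abort if cd fails, so the node is never created in the wrong directory

cd "${LXC_ROOTFS_MOUNT}/dev"
mkdir -p net
# Character device major 10, minor 200 is the kernel's TUN/TAP control node.
[ -c net/tun ] || mknod net/tun c 10 200
chmod 0666 net/tun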

2. Add the following to /var/lib/lxc/<container name>/config (single container) or /etc/lxc/default.conf (for all new containers):
Code:
lxc.hook.autodev = /var/lib/lxc/common/autodev

lxc.cgroup.devices.allow = c 10:200 rwm

3. Create and/or start up container and install and log into NeoRouter.
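
A check for the steps above, as an added example that is not part of the original posts and is not NeoRouter or LXC project code: it audits a container config for the hook and the `c 10:200` allow rule, flags device rules that grant read/write to every device, and confirms the node is really char device 10:200. The function names are hypothetical and `stat -c` (GNU coreutils or BusyBox) is assumed.

```sh
#!/bin/sh
# Added example, not from the thread; function names are illustrative.

# Normalise an LXC config: drop comments, squeeze whitespace, trim around "=".
lxc_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e 's/ *= */=/' -e '/^$/d' "$1"
}

# audit_tun_config FILE: print space-separated findings, or "ok" when clean.
# Only FILE itself is read; lxc.include targets are not followed.
audit_tun_config() {
    rules=$(lxc_rules "$1")
    findings=""
    if ! printf '%s\n' "$rules" | grep -Fqx 'lxc.cgroup.devices.allow=c 10:200 rwm'; then
        findings="${findings}missing-tun-allow "
    fi
    if ! printf '%s\n' "$rules" | grep -q '^lxc\.hook\.autodev=.'; then
        findings="${findings}missing-autodev-hook "
    fi
    # "a" or a wildcard rule with r/w access exposes every device, not just tun.
    # A mknod-only wildcard such as "c *:* m" is not flagged.
    if printf '%s\n' "$rules" | grep -Eq \
        '^lxc\.cgroup\.devices\.allow=(a( |$)|[bc] \*:\* [rwm]*[rw])'; then
        findings="${findings}wildcard-device-allow "
    fi
    printf '%s\n' "${findings:-ok}" | sed 's/ $//'
}

# check_tun_node PATH: confirm PATH is char device 10:200 (stat prints hex a:c8).
check_tun_node() {
    [ -c "$1" ] || { echo "not-char-device"; return 1; }
    [ "$(stat -c '%t:%T' "$1")" = "a:c8" ] || { echo "wrong-device"; return 1; }
    echo "ok"
}

# Constructed sample config mirroring step 2 of the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
lxc.hook.autodev = /var/lib/lxc/common/autodev
lxc.cgroup.devices.allow = c 10:200 rwm
EOF
audit_tun_config "$sample"
check_tun_node /dev/net/tun || true   # meaningful when run inside the container
rm -f "$sample"
```

Run `audit_tun_config` on the host against the container's config file and `check_tun_node /dev/net/tun` inside the container after it starts.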

