From: gary ng (garyng2000_at_yahoo.com)
Date: Sun 29 May 2005 - 10:11:14 BST
I just did a little more experimenting and can now establish VPN links with the outside using either pptp (Windows) or openvpn from within a vserver.
As pointed out by other experts, this requires CAP_NET_ADMIN, and this right alone can allow the root inside the jail to mess with most of the network layer things (including peeking?), so this is really not for a public VDS but more for internal function segregation, or fun.
It seems that even with CAP_NET_ADMIN, there are still some restrictions on what IP address the jailed system can use. It seems that only the specific IP address(es) specified in the IPROOT parameter can be assigned to the "my" side of either a PPP or openvpn connection, regardless of what interface it applies to (ppp* or tun*/tap*).
As a result, I need to specify two IPROOT addresses for the vserver: one for the local subnet (so it can communicate with other machines on the LAN) and another one (on a different subnet) which can be piggybacked by these ppp/tun/tap services as the "my ip". The net result is that all these ppp*/tun*/tap* and eth* devices would have the same IP. But it seems to be fine in finding the right device to communicate with the other side.
This restriction also means that it would be quite difficult to make a vserver the client of a VPN, since unless the IP that would be passed by the peer server is known in advance (which can be set up for pptp or openvpn, but is not a generic way of doing things on the server side) and then specified in IPROOT, the connection would fail at the last stage.
I don't think this is a generic use of vserver, but just in case there are people who want to play with it, I hope this can be of some help.
Vserver mailing list
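The two constraints the post describes, that a guest needs CAP_NET_ADMIN to run a VPN endpoint and that the tunnel's "my" address must be one of the IPROOT addresses, can be checked before a guest is started. The following is an added example, not code from the post or from the vserver project; it assumes a legacy-style `KEY="value"` guest config in which IPROOT lists the guest's addresses and S_CAPS (an assumed variable name) lists the extra capabilities granted to it.

```python
import re
import ipaddress

# Constructed sample of a legacy-style vserver .conf (KEY="value" lines).
# S_HOSTNAME and S_CAPS are assumed variable names for this example;
# IPROOT and CAP_NET_ADMIN are the ones the post discusses.
SAMPLE_CONF = '''
# guest that terminates pptp/openvpn links (constructed sample)
S_HOSTNAME="vpngw"
IPROOT="192.168.1.50 10.99.0.1"
S_CAPS="CAP_NET_ADMIN"
ONBOOT=yes
'''

LINE_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|(\S*))$')


def parse_conf(text):
    """Parse KEY="value" or KEY=value lines into a dict, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf


def iproot_addresses(conf):
    """Addresses the guest may bind, including as its own tunnel endpoint."""
    return {ipaddress.ip_address(a) for a in conf.get("IPROOT", "").split()}


def endpoint_allowed(conf, my_ip):
    """True if a PPP/tun/tap 'my' address is one the guest may use.
    Models the restriction from the post: an endpoint not in IPROOT cannot be
    assigned inside the guest, so the link fails at the last stage."""
    return ipaddress.ip_address(my_ip) in iproot_addresses(conf)


def audit_vpn_guest(text):
    """Findings a host admin should review before enabling a VPN-capable guest."""
    conf = parse_conf(text)
    caps = conf.get("S_CAPS", "").split()
    addrs = iproot_addresses(conf)
    findings = []
    if "CAP_NET_ADMIN" in caps:
        findings.append("CAP_NET_ADMIN granted: guest root can reconfigure most of "
                        "the network layer; not suitable for a shared/public host")
        if len(addrs) < 2:
            findings.append("only one IPROOT address: no spare address for the "
                            "tunnel's 'my' side, so the VPN link will not come up")
    return {"net_admin": "CAP_NET_ADMIN" in caps,
            "iproot": sorted(str(a) for a in addrs), "findings": findings}
```

Run `audit_vpn_guest` over each guest config on the host to list which guests hold CAP_NET_ADMIN and whether their IPROOT leaves an address free for the tunnel; `endpoint_allowed` tells in advance whether a given peer-assigned address would be rejected.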