From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 29 May 2005 - 13:08:08 BST
On Sun, May 29, 2005 at 02:11:14AM -0700, gary ng wrote:
> Hi,
>
> I just did a little more experiment and can now
> establish vpn links with outside using either
> pptp(Windows) or openvpn, from within a vserver.
>
> As pointed out by other experts, this requires
> CAP_NET_ADMIN and this right alone can allow the root
> inside the jail to mess with most of the network layer
> things (including peeking?) so this is really not for
> a public VDS but more for internal function
> segregation, or fun.
>
> It seems that even with CAP_NET_ADMIN, there is still
> some restrictions on what ip address the jailed system
> can use. It seems that only the specific ip
> address(es) specified in the IPROOT parameter can be
> used to be assigned to the "my" side of either PPP or
> openvpn connection, regardless of what interface it
> applies to (ppp* or tun*/tap*).
you could disable the chbind completely, then you
would be allowed to use any ip ...
> As a result, I need to specify 2 IPROOT addresses to the
> vserver, one is for the local subnet (so it can
> communicate with other machines on the lan) and
> another one(on different subnet) which can be
> piggybacked by these ppp/tun/tap service as the "my
> ip". The net result is that all these ppp*/tun*/tap*
> and eth* devices would have the same ip. But it seems
> to be fine in finding the right device to communicate
> to the other side.
>
> This restriction also means that it would be quite
> difficult to make vserver as a client of a VPN as
> unless the ip that would be passed by the peer server
> is known in advance (can be set up for pptp or openvpn,
> but not a generic way of doing things on the server
> side) and then specified in IPROOT, the connection
> would fail at the last stage.
ngnet will allow this and similar, but as you said,
it's not the typical application for linux-vserver
yet ;)
> I don't think this is a generic usage of vserver but
> just in case there are people who want to play with
> it, I hope this can be of some help.
probably ...
best,
Herbert
> regards,
>
> gary
>
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
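The failure Gary describes (the tunnel comes up and then dies at the last step because the address handed to the "my" side is not one of the guest's IPROOT addresses) is easy to catch before starting openvpn. The script below is an added example, not code from the thread or from util-vserver: it reads a legacy-style guest config and refuses to bless an openvpn config whose static `ifconfig LOCAL REMOTE` address is missing from IPROOT, or that relies on a peer-assigned address at all. Assumptions not taken from the post: the guest config lives in a `/etc/vservers/<name>.conf`-style file with `IPROOT="..."` (entries optionally written as `dev:addr/prefix`) and an `S_CAPS="..."` line listing capabilities; the sample config files are constructed in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Pre-flight check for running an openvpn client inside a linux-vserver guest.
# Added example (not from the thread or util-vserver). Assumed config layout:
#   IPROOT="eth0:192.168.1.50/24 eth0:10.99.0.1/32"   (legacy vserver.conf style)
#   S_CAPS="CAP_NET_ADMIN"                            (assumed variable name)

# Space-separated IPROOT entries from a vserver.conf-style file, quotes stripped.
iproot_addrs() {
    sed -n 's/^IPROOT=//p' "$1" | tr -d '"'
}

# Reduce "eth0:10.99.0.1/32" or "10.99.0.1/32" to the bare address "10.99.0.1".
addr_only() {
    printf '%s\n' "$1" | sed 's#^[^:/]*:##; s#/.*##'
}

# Return 0 if address $1 is one of the IPROOT entries in config $2, else 1.
addr_in_iproot() {
    want=$(addr_only "$1")
    for entry in $(iproot_addrs "$2"); do
        [ "$(addr_only "$entry")" = "$want" ] && return 0
    done
    return 1
}

# Return 0 if the guest config $1 grants CAP_NET_ADMIN via S_CAPS (assumed name).
has_net_admin() {
    sed -n 's/^S_CAPS=//p' "$1" | grep -q 'CAP_NET_ADMIN'
}

# Local ("my side") address of a static-key openvpn config: "ifconfig LOCAL REMOTE".
# Prints nothing when the address would be assigned by the peer at connect time.
openvpn_local_addr() {
    awk '$1 == "ifconfig" { print $2; exit }' "$1"
}

# Verdict on whether openvpn config $1 can bring its tunnel up inside guest config $2.
# Returns 0 when the static local address is in IPROOT, 1 otherwise.
check_tunnel() {
    local_ip=$(openvpn_local_addr "$1")
    if [ -z "$local_ip" ]; then
        echo "FAIL: no static ifconfig line; a peer-assigned address cannot be in IPROOT in advance"
        return 1
    fi
    if addr_in_iproot "$local_ip" "$2"; then
        echo "ok: $local_ip is in IPROOT"
        return 0
    fi
    echo "FAIL: $local_ip is not in IPROOT; add it to the guest's IPROOT first"
    return 1
}

# Stand-alone demonstration on constructed files (not real guest configs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/guest.conf" <<'EOF'
S_CAPS="CAP_NET_ADMIN"
IPROOT="eth0:192.168.1.50/24 eth0:10.99.0.1/32"
EOF
printf 'dev tun\nifconfig 10.99.0.1 10.99.0.2\n' > "$demo_dir/static-ok.ovpn"
printf 'dev tun\nifconfig 10.8.0.6 10.8.0.5\n'   > "$demo_dir/static-bad.ovpn"
printf 'dev tun\nclient\nremote vpn.example.test\n' > "$demo_dir/dynamic.ovpn"
for cfg in static-ok static-bad dynamic; do
    printf '%s: ' "$cfg"
    check_tunnel "$demo_dir/$cfg.ovpn" "$demo_dir/guest.conf" || :
done
rm -rf "$demo_dir"
```

The third case is the one Gary calls out: an ordinary `client` config gets its address pushed by the server, so there is nothing to pre-check and the only generic fixes are Herbert's (disable chbind for that guest, or wait for ngnet).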