
Running OpenVPN client inside OpenVZ

Running an OpenVPN client is normally easy: it connects to the remote server and, if the server pushes the "redirect-gateway" option, forwards all traffic through the tunnel. Under the hood this means OpenVPN adds two routes on the client machine:
  • A host route to the VPN server's IP address via your existing primary gateway (what OpenVPN calls net_gateway), so the encrypted packets keep leaving through the physical uplink
  • A default route sending everything else through the tunnel (with the usual "def1" flag this is two /1 routes that override the old default rather than replacing it)
Inside an OpenVZ container, however, there is no primary (default) gateway address at all. The container's uplink is a virtual point-to-point link, the "venet" device, and the default route simply points at that device with no next-hop IP:
default dev venet0  scope link

OpenVPN derives net_gateway from the gateway address of the default route, and here there is none, so the host route to the VPN server cannot be installed in its usual "via gateway" form. Once the default route has been redirected into the tunnel, the encrypted packets addressed to the VPN server are themselves sent into the tunnel instead of out of venet0, nothing reaches the server, and the container loses network connectivity entirely.

The fix is to add the missing host route yourself, pointing it at the venet device instead of at a gateway address. A one-line script does it:

#!/bin/bash
# Host route to the VPN server via the OpenVZ venet device (replace VPN_SERVER_IP with the server's address)
/sbin/ip route add VPN_SERVER_IP/32 dev venet0

and have OpenVPN run it automatically once the connection is established and OpenVPN's own routes have been added. Add this to your OpenVPN client config (the script must be executable, and OpenVPN refuses to run external scripts unless "script-security 2" is also set in the config):

route-up /path/to/script_above.sh
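As an added, more complete version of the same setup (this is not the original post's script or config): one hook script that installs the host route on route-up and removes it again on route-pre-down, with the client config lines it needs shown as comments at the top. It reads the server address from the trusted_ip variable that OpenVPN exports to its hook scripts (an assumption here; the VPN_SERVER_IP placeholder at the top is the fallback if it is not set) and validates the address before handing it to ip, so a forgotten placeholder fails loudly instead of silently doing nothing. The path /etc/openvpn/venet-route.sh and the address 203.0.113.10 mentioned in comments are constructed examples.

```bash
#!/bin/sh
# /etc/openvpn/venet-route.sh  (added example, not the original post's script)
#
# Client config lines this script expects (adjust the path to taste):
#   script-security 2                      # allow OpenVPN to run external scripts
#   route-up        /etc/openvpn/venet-route.sh
#   route-pre-down  /etc/openvpn/venet-route.sh
# Remember: chmod +x /etc/openvpn/venet-route.sh
set -eu

VENET_DEV="venet0"                 # the OpenVZ uplink device from the post
# OpenVPN exports the authenticated peer address as `trusted_ip` to its hook
# scripts (assumption); put the server address here if it is absent.
VPN_SERVER_IP="${trusted_ip:-VPN_SERVER_IP}"

# Returns 0 if $1 is a dotted-quad IPv4 address (four fields, each 0-255).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the exact `ip route` command for action $1 ("replace" or "del"),
# server address $2 and device $3. `replace` instead of the post's `add`
# keeps a reconnect from failing with "RTNETLINK answers: File exists".
host_route_cmd() {
    printf '/sbin/ip route %s %s/32 dev %s' "$1" "$2" "$3"
}

# OpenVPN sets `script_type` to the name of the hook it is invoking.
# The unquoted $(...) executes the printed command; its words are a fixed
# path, a validated address and a device name, so word splitting is safe.
case "${script_type:-}" in
    route-up)
        is_ipv4 "$VPN_SERVER_IP" || {
            echo "venet-route: bad server address '$VPN_SERVER_IP'" >&2
            exit 1
        }
        $(host_route_cmd replace "$VPN_SERVER_IP" "$VENET_DEV")
        ;;
    route-pre-down)
        # Best effort: the route may already be gone if the link flapped.
        is_ipv4 "$VPN_SERVER_IP" && $(host_route_cmd del "$VPN_SERVER_IP" "$VENET_DEV") || true
        ;;
    *)
        echo "venet-route: not invoked by OpenVPN (script_type unset); nothing done" >&2
        ;;
esac
```

After connecting, `ip route show` should list both the /32 to the server via venet0 and the tunnel's default (or two /1) routes, and `ip route get <server address>` should resolve to venet0 rather than to the tun device; if it resolves to the tunnel, the host route was not installed and the connection will stall exactly as described above.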