VPN via the TUN/TAP device

kevin.Zhu, posted 2013-7-6 15:07, category: Virtualization

OpenVZ supports VPN inside a container via the kernel TUN/TAP module and device. To allow container #101 to use the TUN/TAP device, do the following:

Make sure the tun module is already loaded on the hardware node:

lsmod | grep tun

If it is not there, use the following command to load the tun module:

modprobe tun

To make sure that the tun module is loaded automatically on every reboot, you can also add it to /etc/modules.conf (on RHEL, see the /etc/sysconfig/modules/ directory).

 

Granting a container access to TUN/TAP

 

Allow your container to use the tun/tap device by running the following commands on the host node:

CTID=101
vzctl set $CTID --devnodes net/tun:rw --capability net_admin:on --save
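
The host-node steps above can be verified afterwards, which also shows which containers hold the broad net_admin capability. The script below is an added example, not part of the original post or of OpenVZ; its function names are hypothetical, and it assumes that loaded modules are listed in /proc/modules and that `vzctl set --save` records the grants as DEVNODES= and CAPABILITY= lines in /etc/vz/conf/<CTID>.conf.

```shell
#!/bin/sh
# Added example: audit the host-node prerequisites for TUN/TAP in a container.
# Assumptions (not from the original page): config path /etc/vz/conf/<CTID>.conf,
# grants stored as DEVNODES="..." and CAPABILITY="..." lines by "vzctl set --save".

# Print each requested module that is absent from a /proc/modules-style file.
missing_modules() {
    modfile=$1; shift
    for m in "$@"; do
        # The module name is the first field; require an exact match so that
        # e.g. "tunnel4" is not mistaken for "tun".
        awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modfile" \
            || printf '%s\n' "$m"
    done
}

# Succeed only if the config grants net/tun read-write AND net_admin.
ct_has_tun_grant() {
    conf=$1
    grep -Eiq '^DEVNODES=.*net/tun:rw' "$conf" &&
        grep -Eiq '^CAPABILITY=.*net_admin:on' "$conf"
}

# Report for one container; paths default to the live system locations.
audit_ct() {
    ctid=$1
    conf=${2:-/etc/vz/conf/$ctid.conf}
    modfile=${3:-/proc/modules}
    miss=$(missing_modules "$modfile" tun)
    [ -z "$miss" ] || echo "host: module not loaded: $miss"
    if ct_has_tun_grant "$conf"; then
        echo "CT $ctid: net/tun:rw and net_admin granted"
    else
        echo "CT $ctid: TUN/TAP grant incomplete"
    fi
}

# Run as: sh audit.sh 101   (does nothing when called without arguments)
if [ "$#" -gt 0 ]; then audit_ct "$@"; fi
```
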

 

Configuring VPN inside the container

 

Once the configuration steps above are done, VPN software that works with TUN/TAP can be used inside the container just as on an ordinary standalone Linux box.

The following software can be used for VPN with TUN/TAP:

 

On the OpenVZ host node, it is best to load the following modules:

tun
nf_conntrack
nf_conntrack_netlink
pppoe
pppol2tp
ip_tunnel

Load them with modprobe, and add them to /etc/modules.

 

More details: http://wiki.openvz.org/VPN_via_the_TUN/TAP_device