Ughh : OpenVZ and packet sniffing…

May 28, 2011

Before you attempt to experiment with knockd and/or fwknop, Google around a little for venet0 and packet sniffing.
The virtualization of the interfaces by OpenVZ apparently mangles the IP headers as seen by packet sniffers (like the one fwknop uses to listen for DROP’d packets). The sniffers then fail to trigger the next step of cleverness (opening the SSH/22 [...]


Internal LAN and External ppp0 : webmin Firewall Routing

December 30, 2006

On the “Networking – Linux Firewall” tab of webmin, add the following:
Packet Filtering (filter) table
(drop-down box at top of page) :
Forwarded packets (FORWARD)
section :
Rule #1:
Comment: #Forward stuff from eth0
Action: Accept
if: incoming interface = eth0

Rule #2:
Comment: #default
Action: Run Chain RH-Firewall-1-INPUT
if: (always)

Network Address Translation (nat) table
(drop-down box at top of page) [...]
