https://community.openvpn.net/openvpn/w ... ilegedUser
https://stackoverflow.com/questions/571 ... ith-podman
I built a custom container image rather than using what is available on Docker Hub, because I was having issues with a few of those as well.
I can get the container running as root based on the Dockerfile below and by creating an SELinux module for the container.
# Start the VPN container detached in the host network namespace.
# NET_ADMIN plus /dev/net/tun are what OpenVPN needs to attach to the tun
# device; the SELinux process type comes from ovpn_container.cil (below).
# The three named volumes hold the server config, the EasyRSA PKI and the
# google-authenticator state so they survive image rebuilds.
podman run -d \
  --name=vpn \
  --network=host \
  -v openvpn_config:/etc/openvpn:exec \
  -v openvpn_easyrsa:/etc/easy-rsa:exec \
  -v openvpn_gauth:/etc/google-authenticator \
  --security-opt label=type:ovpn_container.process \
  --cap-add=NET_ADMIN \
  --device /dev/net/tun \
  --device /dev/null \
  localhost/openvpn
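# NOTE(review): centos:centos8 is end-of-life and the tag no longer receives
# updates; pin it by digest (centos:centos8@sha256:<digest-placeholder>) for a
# reproducible build and plan a move to a maintained base.
FROM centos:centos8

# Build-time only (ARG values are not part of the runtime environment).
# EASYRSA_SHA256 is the expected SHA-256 of the release tarball, taken from the
# EasyRSA release page and passed with --build-arg EASYRSA_SHA256=<value>.
# When it is left empty the download is installed unverified, as before.
ARG EASYRSA_VERSION=3.0.6
ARG EASYRSA_SHA256=""

# OS packages. `dnf clean all` in the same layer keeps the metadata and
# package cache out of the image.
RUN /usr/bin/dnf -y update && \
    /usr/bin/dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
    /usr/bin/dnf -y install openvpn google-authenticator wget openssl qrencode passwd && \
    /usr/bin/dnf clean all

# Fetch the pinned EasyRSA release into /tmp, verify it when a checksum was
# supplied, and install it as /etc/easy-rsa. The original `mv -i` / `rm -i`
# would prompt on an existing target; a build has no terminal, so the flags
# are dropped.
RUN /usr/bin/wget -O /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz \
        https://github.com/OpenVPN/easy-rsa/releases/download/v${EASYRSA_VERSION}/EasyRSA-unix-v${EASYRSA_VERSION}.tgz && \
    if [ -n "${EASYRSA_SHA256}" ]; then \
        echo "${EASYRSA_SHA256}  /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz" | /usr/bin/sha256sum -c -; \
    fi && \
    /usr/bin/tar xf /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz -C /tmp && \
    /usr/bin/mv /tmp/EasyRSA-v${EASYRSA_VERSION} /etc/easy-rsa && \
    /usr/bin/rm -f /tmp/EasyRSA-unix-v${EASYRSA_VERSION}.tgz

# Runtime directories and the dedicated owner of the google-authenticator
# state; the OTP secret directory is accessible by the gauth user only.
RUN /usr/bin/mkdir -p /etc/openvpn/server /etc/openvpn/log /etc/google-authenticator && \
    /usr/sbin/groupadd gauth && \
    /usr/sbin/useradd -g gauth gauth && \
    /usr/bin/chown gauth:gauth /etc/google-authenticator && \
    /usr/bin/chmod 700 /etc/google-authenticator

# PKI helpers, server/client config, PAM stack and entrypoint. Copied after the
# package layers so config edits do not reinstall packages.
COPY vars setup_ca.sh /etc/easy-rsa/
COPY server.conf client.ovpn make_client.sh /etc/openvpn/
COPY openvpn.pam /etc/pam.d/openvpn
COPY start.sh /usr/bin/

# server.conf uses `proto udp4`, so the documented port is UDP (EXPOSE alone
# publishes nothing; with --network=host it is informational).
EXPOSE 1194/udp

# Declared after the directories are populated so their content is kept.
# The google-authenticator path previously lacked its leading slash (a relative
# volume path, almost certainly a typo).
VOLUME ["/etc/openvpn"]
VOLUME ["/etc/easy-rsa"]
VOLUME ["/etc/google-authenticator"]

# No USER here: openvpn is started as root so it can attach to the tun device
# and then drops privileges itself (`user nobody` / `group nobody` in
# server.conf). start.sh is not shown, so confirm it execs openvpn directly.
CMD ["/usr/bin/start.sh"]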
# OpenVPN server configuration shipped into the image as /etc/openvpn/server.conf.
# Lines starting with ';' are options the author left disabled.
port 1194
;proto tcp
# udp4 pins the listener to IPv4; the Dockerfile's EXPOSE should say 1194/udp to match.
proto udp4
;dev tap
# Named device: the NetworkManager keyfile below pre-creates tun0 so openvpn
# attaches to an existing interface instead of allocating a fresh one.
dev tun0
# Server PKI under /etc/openvpn/server — presumably produced from /etc/easy-rsa
# by setup_ca.sh (not shown); confirm.
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key
dh /etc/openvpn/server/dh.pem
# Revocation list: a client certificate can be withdrawn without re-keying the CA.
crl-verify /etc/openvpn/server/crl.pem
# Extra HMAC on control-channel packets (direction 0 = server side).
# NOTE(review): tls-crypt is a drop-in alternative on 2.4+ that also encrypts
# the control channel; worth considering once all clients are 2.4 or newer.
tls-auth /etc/openvpn/server/ta.key 0
# VPN subnet handed out to clients; the server takes 10.5.0.1, the same address
# the NetworkManager keyfile assigns to tun0.
server 10.5.0.0 255.255.255.0
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Relative path: resolved against the working directory openvpn is started from
# (start.sh, not shown) — presumably /etc/openvpn; confirm.
ifconfig-pool-persist ipp.txt 600
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
# Full-tunnel: all client traffic goes through the VPN, with public resolvers pushed.
push "redirect-gateway def1"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
;client-to-client
;duplicate-cn
# Data-channel cipher. NOTE(review): CBC with a separate HMAC (auth SHA512 below)
# is still supported, but an AEAD cipher such as AES-256-GCM is the modern
# default and can be negotiated with ncp-ciphers (2.4) / data-ciphers (2.5+);
# check client versions before changing.
cipher AES-256-CBC
tls-version-min 1.2
# Explicit TLS 1.2 (tls-cipher) and TLS 1.3 (tls-ciphersuites) lists; all DHE
# suites, so every session has forward secrecy.
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256
auth SHA512
# One address per client rather than a /30 per client.
topology subnet
# Ping every 10 s; consider the peer gone after 120 s without a reply.
keepalive 10 120
# Keep key material and the tun descriptor across restarts (SIGUSR1 / ping-restart):
# after dropping to nobody the process can no longer re-read the keys or reopen
# the device.
persist-key
persist-tun
# NOTE(review): compressing traffic an attacker can partly control is the basis
# of the VORACLE attack, and upstream advises leaving compression off. If you
# remove it, remove both lines together so the pushed and local settings agree.
push "compress lz4-v2"
compress lz4-v2
max-clients 100
# Privilege drop after initialization (device and ports are already open).
user nobody
group nobody
status /etc/openvpn/log/openvpn-status.log
;log openvpn.log
log-append /etc/openvpn/log/openvpn.log
# Verbosity 4 is fairly chatty for production; 3 is the usual level.
verb 4
;mute 20
# Notify clients on shutdown so they reconnect promptly (UDP only).
explicit-exit-notify
Error
Fri Mar 27 12:36:20 2020 us=387304 ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1)
Fri Mar 27 12:36:20 2020 us=387441 Exiting due to fatal error
AUTH-PAM: BACKGROUND: received command code: 1
AUTH-PAM: BACKGROUND: EXIT
ovpn_container.cil
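; SELinux policy for the OpenVPN container. Loaded as a CIL module and selected
; at run time with --security-opt label=type:ovpn_container.process.
; Inherits the stock container template, then adds what OpenVPN needs on top.
(block ovpn_container
    (blockinherit container)
    ; NOTE(review): this is a broad capability set rather than just net_admin;
    ; consider trimming it to what openvpn and start.sh actually exercise once
    ; the AVC log shows which ones are requested.
    (allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write net_admin )))
    ; Read/write access to volume content (presumably the three named volumes,
    ; which podman labels container_file_t). Allow rules are idempotent, so one
    ; copy of each is enough; the repeated copies were dropped.
    (allow process container_file_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process container_file_t ( file ( getattr read write append ioctl lock map open create )))
    (allow process container_file_t ( sock_file ( getattr read write append open )))
    ; Kernel module auto-load requests (e.g. for the tun driver).
    (allow process kernel_t ( system ( module_request )))
    ; Bind the UDP listener and configure the interface over netlink.
    (allow process node_t ( udp_socket ( node_bind )))
    (allow process self ( netlink_route_socket ( nlmsg_write )))
    ; NOTE(review): `udp_socket` inside the permission list looks like a copy
    ; error — name_bind is the permission; confirm the module loads cleanly.
    (allow process unreserved_port_t ( udp_socket ( udp_socket name_bind )))
    ; Open and configure /dev/net/tun.
    ; NOTE(review): the TUNSETIFF failure in the log above reports errno=1
    ; (EPERM). An SELinux denial is normally reported as EACCES (errno=13) with
    ; an AVC entry in the audit log, so this rule is probably not what blocks
    ; it; EPERM here typically comes from the kernel's own owner/CAP_NET_ADMIN
    ; check on the device in the namespace that owns it — confirm with the
    ; audit log before widening the policy further.
    (allow process tun_tap_device_t ( chr_file ( ioctl open read write )))
)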
/etc/NetworkManager/system-connections/tun0.nmconnection
# NetworkManager keyfile that pre-creates a persistent tun0 so a process without
# host privileges can attach to an already-existing interface. The interface
# name matches `dev tun0` in server.conf.
[connection]
id=tun0
uuid=9e503105-6e07-41f2-a6d2-ef087ef7656e
type=tun
# Not brought up at boot; activate explicitly before starting the container.
autoconnect=false
interface-name=tun0
# NOTE(review): `permissions` only restricts which NetworkManager users may see
# and activate this connection (vpnuser, presumably the account podman runs
# under). It does not set the owner of the tun device itself; that is the
# owner/group keys of a [tun] section (tun.owner / tun.group) — check
# nm-settings(5) and confirm the device owner matches the uid podman maps
# container root to.
permissions=user:vpnuser:;
[ipv4]
# Static server-side address; server.conf's `server 10.5.0.0 255.255.255.0`
# assigns the same address when openvpn starts — presumably harmless, confirm.
address1=10.5.0.1/24
dns-priority=100
dns-search=
method=manual
[ipv6]
addr-gen-mode=stable-privacy
dns-priority=100
dns-search=
# Link-local only; no routable IPv6 on the tunnel interface.
method=link-local