Gentoo Forums
Help with OpenVPN "environment"
don quixada
l33t


Joined: 15 May 2003
Posts: 730

Posted: Thu Apr 11, 2019 2:05 am    Post subject: Help with OpenVPN "environment"

Hi, I need to connect two programs to the same VPN (and IP) while not having the whole machine connected to the VPN.

My initial thought was to use a terminal and create an environment where only the terminal was connected to the VPN, using OpenVPN running in the background, then running the other programs.

So I tried that, but it needed to be root, which doesn't work for my purposes. And in non-root, I get this error message (certain information removed):

Code:
$ openvpn config.file
Tue Apr  9 23:53:53 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr  9 2019
Tue Apr  9 23:53:53 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.10
Tue Apr  9 23:54:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET] <redacted IP address>
Tue Apr  9 23:54:22 2019 UDP link local: (not bound)
Tue Apr  9 23:54:22 2019 UDP link remote: [AF_INET] <redacted IP address>
Tue Apr  9 23:54:22 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr  9 23:54:22 2019 [redacted] Peer Connection Initiated with [AF_INET]<redacted IP address>
Tue Apr  9 23:54:23 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Tue Apr  9 23:54:23 2019 Exiting due to fatal error


Or is there a better way to do it altogether?

Thanks in advance.

dq
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13512

Posted: Thu Apr 11, 2019 4:48 am    Post subject:

OpenVPN creates a virtual NIC. Traffic sent over that NIC is sent over the VPN. Everything in the network namespace of that NIC can see the NIC and, subject to the usual routing and firewall rules, will use that NIC. You can use a private network namespace to restrict which programs can see the virtual NIC. I am not aware of a way for you to use OpenVPN without at least some assistance from the root user. You may be able to have the root user prepare an environment for you and then run a shell as you in that environment. Please explain why you cannot involve the root user.
don quixada
l33t


Joined: 15 May 2003
Posts: 730

Posted: Thu Apr 11, 2019 12:22 pm    Post subject:

If I run OpenVPN as root then the whole machine connects to the VPN which is not what I want.

dq
Hu
Moderator


Joined: 06 Mar 2007
Posts: 13512

Posted: Fri Apr 12, 2019 2:08 am    Post subject:

No, it only connects the current network namespace to the VPN. Other namespaces are unaffected. Systems start with only one network namespace, but you can have more if you choose.
don quixada
l33t


Joined: 15 May 2003
Posts: 730

Posted: Fri Apr 12, 2019 2:37 am    Post subject:

Do you recommend a good guide to have separate namespaces?

dq
szatox
Veteran


Joined: 27 Aug 2013
Posts: 1717

Posted: Fri Apr 12, 2019 9:05 am    Post subject:

Quote:
Do you recommend a good guide to have separate namespaces?
Unfortunately such a thing does not seem to exist.
Here's a tip though:

Code:
# create a veth pair: one end stays in the host namespace, the other will be moved
ip link add <interface1> type veth peer name <interface2>
# create the new network namespace
ip netns add <namespace>
# move the second end of the veth pair into the new namespace
ip link set <interface2> netns <namespace>

# enter the namespace's network view from the current shell
nsenter -n/var/run/netns/<namespace>

There is also 'ip netns exec' for running stuff inside the namespace.
man ip-netns is your friend.
Obviously, you have to bridge or route traffic from that namespace to the world (unless you give it your physical NIC).

Or - since you want that traffic from your NS to go through openvpn - you could start openvpn, create the namespace, and then move openvpn's tap interface into your namespace instead of creating a new pair of veth devices and moving one end of that link into your namespace. You'd probably have to block route updates from openvpn.
I've never tried this one; I think it will work if you manage the routes yourself. Give it a shot and share your experience.
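The namespace approach Hu describes (root prepares a private network namespace, the user runs programs inside it) and szatox's second tip (start openvpn, then move its tun device into the namespace and manage the routes yourself), worked through as an added example that is not part of this thread and not code from either poster or from the OpenVPN project. It is an OpenVPN `up`/`down` script. It assumes Linux with iproute2 and OpenVPN 2.4 started by root; `ifconfig-noexec` and `route-noexec` are the real OpenVPN options that stop it from addressing the tun device and installing routes in the host namespace, which is the "block route updates" part. The namespace name `vpn`, the script path, and the `NS` and `DRY_RUN` variables are my own choices; `dev`, `ifconfig_local`, `ifconfig_netmask`, `ifconfig_remote`, `script_type` and `foreign_option_N` are the variables OpenVPN sets in the script's environment. It goes a little beyond the tip by also handling the pushed DNS server and both tun topologies.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenVPN up/down script that
# moves the tun device into a private network namespace, so only programs
# started inside that namespace use the VPN. Assumes Linux, iproute2 and
# OpenVPN 2.4 started by root with these options in the client config:
#
#   script-security 2
#   ifconfig-noexec   # do not address the tun device in the host namespace
#   route-noexec      # do not install pushed routes in the host namespace
#   up   /usr/local/sbin/openvpn-netns.sh   # path is an assumption
#   down /usr/local/sbin/openvpn-netns.sh
#
# Programs are then started with:  ip netns exec vpn su - <user> -c '<program>'
# dev, ifconfig_local, ifconfig_netmask, ifconfig_remote, script_type and
# foreign_option_N are set by OpenVPN in the script's environment.
# NS (namespace name) and DRY_RUN=1 (print commands instead of running them)
# are this script's own knobs.

NS="${NS:-vpn}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert a dotted netmask (255.255.255.0) to a prefix length (24).
# Runs in a subshell so the IFS change does not leak out.
mask2prefix() (
    IFS=.
    set -- $1
    prefix=0
    for octet in "$@"; do
        case "$octet" in
            255) prefix=$((prefix + 8)) ;;  254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;  248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;  224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;  128) prefix=$((prefix + 1)) ;;
            0)   ;;
            *)   echo "mask2prefix: bad netmask octet '$octet'" >&2; exit 1 ;;
        esac
    done
    echo "$prefix"
)

# Emit a "nameserver X" line for every DNS server the VPN server pushed
# (OpenVPN exposes pushed dhcp-option lines as foreign_option_1, _2, ...).
vpn_dns() {
    i=1
    while eval "opt=\${foreign_option_$i:-}"; [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*) echo "nameserver ${opt#dhcp-option DNS }" ;;
        esac
        i=$((i + 1))
    done
}

# Called by OpenVPN once the tunnel is up: build the namespace around the tun device.
vpn_up() {
    run ip netns add "$NS"
    # Move the tun device out of the host namespace. From here on nothing in
    # the host namespace can see it, so no host traffic can use the VPN.
    run ip link set dev "$dev" netns "$NS"
    run ip netns exec "$NS" ip link set dev lo up
    run ip netns exec "$NS" ip link set dev "$dev" up
    if [ -n "${ifconfig_netmask:-}" ]; then
        # topology subnet: address with a prefix length
        run ip netns exec "$NS" ip addr add "$ifconfig_local/$(mask2prefix "$ifconfig_netmask")" dev "$dev"
    else
        # topology net30 / p2p: point-to-point address pair
        run ip netns exec "$NS" ip addr add "$ifconfig_local" peer "$ifconfig_remote" dev "$dev"
    fi
    # The tun device is the namespace's only interface besides lo, so one default
    # route is all it needs. If the tunnel goes down the namespace has nothing to
    # fall back to: traffic fails instead of leaking out through the host's NIC.
    run ip netns exec "$NS" ip route add default dev "$dev"
    # ip netns exec bind-mounts /etc/netns/<ns>/resolv.conf over /etc/resolv.conf,
    # so the pushed resolver goes there; the host's resolver is unreachable anyway.
    resolv=$(vpn_dns)
    if [ -n "$resolv" ]; then
        run mkdir -p "/etc/netns/$NS"
        run sh -c "printf '%s\n' '$resolv' > /etc/netns/$NS/resolv.conf"
    fi
}

# Called by OpenVPN on shutdown: deleting the namespace takes the tun device
# and its routes with it.
vpn_down() {
    run ip netns delete "$NS"
}

case "${script_type:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
esac
```

Once openvpn is running with that config, root starts each program with `ip netns exec vpn su - <user> -c '<program>'`, so the programs themselves run unprivileged. The check that only those programs use the VPN is that `ip route` on the host shows no tun device at all, while `ip netns exec vpn ip route` shows only the tun default route. Running the script with `DRY_RUN=1` prints the `ip` commands it would execute, which is the easy way to review them before trusting it with a real tunnel.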
don quixada
l33t


Joined: 15 May 2003
Posts: 730

Posted: Thu Apr 18, 2019 2:44 pm    Post subject:

Maybe I'll try this one day, and thank you for your instructions. Instead, I used a VM; it seemed easier to me (less of a learning curve). The nuances of networking have always eluded me, much to my detriment I'm sure!

dq
All times are GMT