
I have a simple Dockerfile:

```dockerfile
FROM ubuntu:14.04

USER root

RUN apt-get update && sudo apt-get -y install openvpn

COPY . /tmp
```

where `.` contains all necessary information about the VPN connection (ovpn file, CA file, user certificate and key).

Building and running the container via `docker run -it --device=/dev/net/tun`, then changing to the `/tmp` directory and executing `sudo openvpn config.ovpn`, I get the following error:

```
Fri Aug 23 06:15:21 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
```

[EDIT] Starting the .ovpn configuration via the OpenVPN GUI works fine.

Any advice?

Thanks.

Florian Hansen

  • Try `--cap-add=net_admin` in addition to `--device=/dev/net/tun`. – Danila Kiver Aug 22 '19 at 18:06
  • Yay, using this command I get a new error - the connection is nearly established. Can you maybe also help out with this:

    ```
    Thu Aug 22 18:16:07 2019 /sbin/ip addr add dev tun0 10.8.0.170/24 broadcast 10.8.0.255
    Thu Aug 22 18:16:07 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.1
    RTNETLINK answers: File exists
    Thu Aug 22 18:16:07 2019 ERROR: Linux route add command failed: external program exited with error status: 2
    ```

    – Florian Hansen Aug 22 '19 at 18:21
  • Please update the question and put the formatted output there - it's hard to perceive it in one line :) – Danila Kiver Aug 22 '19 at 18:24
  • Yeah, right, I updated the question. :) – Florian Hansen Aug 22 '19 at 18:27
  • This one seems to be related to the connection configuration itself rather than to Docker... Unless your Docker network uses the same network as your VPN tries. – Danila Kiver Aug 22 '19 at 18:51
  • Yeah, I thought about that... Although the OpenVPN GUI client can manage the configuration perfectly fine :o Do you have any other idea? – Florian Hansen Aug 22 '19 at 18:53
  • No, sorry, no immediate thoughts. It would be nice to see your client configuration (without sensitive parameters) and (if accessible) the server one for further troubleshooting. And just to check - ensure that you don't have a similar route in your container before the connection attempt. – Danila Kiver Aug 22 '19 at 18:58
  • And regarding the GUI client: I'm not sure that it works identically to the CLI. Recently [we've faced an issue](https://stackoverflow.com/questions/57186289/cannot-ssh-from-container-with-openvpn) when `NetworkManager` was overriding the OVPN configuration and handled route setup on its own, so the connection profile worked well with NM, but not with the OVPN CLI. Maybe there is some difference between the OVPN GUI and CLI in a similar way (though this is less probable, of course). – Danila Kiver Aug 22 '19 at 19:03
  • It worked after your first comment - I just did not know I could not ping the target URL. Thanks a lot for your help. If you make your comment an answer, I'll mark it as the correct one :) – Florian Hansen Aug 23 '19 at 06:14

1 Answer

The problem is that `sudo` in your case does not change anything. It is not the ultimate solution for "Permission denied" kinds of issues. It especially does not work when your container already runs on behalf of root.

Privileged actions in Linux are governed by capabilities, which represent permissions for specific privileged operations. To keep this model compatible with the classic UNIX model, processes running on behalf of root have all capabilities by default. For example, things like `sudo`, which escalate your UID to 0, also grant you a full set of capabilities.

However, this is not true in containers — the set of capabilities available to a process in the container (even a root-owned one) is limited by the so-called bounding set, which by default contains a very limited number of capabilities when running in Docker:

```
$ docker run -it ubuntu:14.04
root@fe50edf72783:/# capsh --print

Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,
cap_mknod,cap_audit_write,cap_setfcap+eip

Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,
cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,
cap_mknod,cap_audit_write,cap_setfcap
```

Network administration (interface configuration, etc.) requires the `CAP_NET_ADMIN` capability. As you see, it is not in the default bounding set of Docker containers, so you need to add it explicitly using `--cap-add=net_admin`:

```
docker run -it --device=/dev/net/tun --cap-add=net_admin
```

After this, you will have this capability in the container. Considering that you run it on behalf of root, having this capability makes using `sudo` useless (it will not grant you more capabilities than you have now), so you may drop it and run OpenVPN simply with `openvpn config.ovpn`.

Danila Kiver
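The answer explains that what matters is the bounding set, not the UID. The following POSIX sh script is an added example (not part of the question or the answer) that decodes the `CapBnd:` hex mask the kernel exposes in `/proc/<pid>/status` into `cap_*` names and checks for `cap_net_admin` (capability number 12) before OpenVPN is started. The two masks in it are constructed sample values: the first reproduces the default Docker bounding set printed by `capsh` above, the second is the same set with `net_admin` added; the capability names are in the kernel's `capability.h` numbering.

```sh
#!/bin/sh
# Added example: decode a capability bounding-set mask (the "CapBnd:" line of
# /proc/<pid>/status) and check whether CAP_NET_ADMIN is present.
# The sample masks at the bottom are constructed, not captured from the poster's host.

# Capability names indexed by number, in the kernel's capability.h ordering.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

CAP_NET_ADMIN=12

# has_cap MASK_HEX CAPNUM: succeed (exit 0) if bit CAPNUM is set in the hex mask.
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# decode_caps MASK_HEX: print the cap_* names contained in the mask, comma separated,
# in the same order capsh --print lists them.
decode_caps() {
    i=0
    out=""
    for name in $CAP_NAMES; do
        if has_cap "$1" "$i"; then
            out="${out:+$out,}cap_$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# bounding_set: read the current process's own bounding set (Linux only).
bounding_set() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# check_net_admin MASK_HEX: preflight a container entrypoint could run before
# invoking openvpn; exit 0 when TUN and route setup will be permitted.
check_net_admin() {
    if has_cap "$1" "$CAP_NET_ADMIN"; then
        echo "cap_net_admin present: openvpn can configure tun0 and routes"
        return 0
    fi
    echo "cap_net_admin missing: start the container with --cap-add=net_admin" >&2
    return 1
}

DEFAULT_DOCKER_BND=00000000a80425fb   # constructed: default Docker bounding set
WITH_NET_ADMIN_BND=00000000a80435fb   # constructed: same set plus bit 12 (net_admin)

# Run with --demo to see both sample masks decoded; inside a container, replace the
# sample mask with "$(bounding_set)" to check the real one.
if [ "${1:-}" = "--demo" ]; then
    echo "default : $(decode_caps "$DEFAULT_DOCKER_BND")"
    echo "with cap: $(decode_caps "$WITH_NET_ADMIN_BND")"
    check_net_admin "$DEFAULT_DOCKER_BND" || true
    check_net_admin "$WITH_NET_ADMIN_BND"
fi
```

Decoding the default mask yields exactly the fourteen capabilities shown in the `capsh` output above, which makes it easy to verify that `--cap-add=net_admin` changed only bit 12 and nothing else; a container that runs OpenVPN should get that one capability rather than `--privileged`.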