#1 2017-12-18 11:02:49

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Questions on setting up openvpn within containers

So after reading for days and days about the security risks of enabling user namespaces, and reading this flame war, it seems enabling user namespaces is an awful idea from what the majority are saying in that thread.

The archwiki on setting up openvpn in containers only pertains to using lxc, and since I know nothing about this area and bubblewrap seems quite sparsely explained, I am not sure how to do the equivalent in the latter.

Could anyone advise how I do the same as OpenVPN (client) in Linux containers in bubblewrap?

Or are the concerns overblown, and would it be ok to use user namespaces (if so, which would you advise: privileged or unprivileged?) if I am the only one using the computer?

Can't really get enough info one way or the other so I have been on the fence for days as to what the best course of action would be.

My goal is just to use several openvpn connections at once.

Last edited by MarthaParkin (2017-12-18 11:03:38)


#2 2017-12-18 11:37:49

positronik
Member
Registered: 2016-02-08
Posts: 94

Re: Questions on setting up openvpn within containers

MarthaParkin wrote:

My goal is just to use several openvpn connections at once.

What do you mean by this?
In what way do you want to use the different openvpn sessions?


#3 2017-12-18 12:48:23

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

positronik wrote:
MarthaParkin wrote:

My goal is just to use several openvpn connections at once.

What do you mean by this?
In what way do you want to use the different openvpn sessions?

What isn't clear? I want several openvpn sessions running at once on the same system, using a different client for each openvpn session, so a different IP address for each session. So I want to use containers to get a discrete network for each, enabling multiple openvpn instances on the same machine.


#4 2017-12-18 12:57:08

positronik
Member
Registered: 2016-02-08
Posts: 94

Re: Questions on setting up openvpn within containers

I'm sorry, I just didn't get the reason for using many VPN connections, but I guess it's not relevant.

Another thing I didn't get is why you don't want to use LXC, given that openvpn LXC containers are documented on the wiki.


#5 2017-12-18 13:01:39

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

positronik wrote:

I'm sorry, I just didn't get the reason for using many VPN connections, but I guess it's not relevant.

Another thing I didn't get is why you don't want to use LXC, given that openvpn LXC containers are documented on the wiki.

I just read so much online about the 'security risks' of user namespaces, and the fact that arch disables them by default made me think it must be a significant issue. I don't know enough to make an informed decision, but being a paranoid person is what made me err on the side of caution so far.


#6 2017-12-18 13:24:00

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Questions on setting up openvpn within containers

You don't need to use unprivileged lxcs. Follow the wiki to set up a privileged lxc and you'll be fine. Also consider using lxc-snapshots for openvpn: https://aur.archlinux.org/packages/lxc-snapshots/


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs


#7 2017-12-18 13:39:09

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

graysky wrote:

You don't need to use unprivileged lxcs. Follow the wiki to set up a privileged lxc and you'll be fine. Also consider using lxc-snapshots for openvpn: https://aur.archlinux.org/packages/lxc-snapshots/

Ah ok. So a privileged container won't be more of a security problem? Why not? I.e. is it a non-issue since I am the only one who is using this server, so I don't have to worry about untrusted users?

Just trying to understand things.

I will go ahead and follow the wiki for privileged ones in the meantime as you suggest, since I have been stalled for days trying to work out what to do here and need this job off the ground.


#8 2017-12-18 15:12:45

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Questions on setting up openvpn within containers

The LXC article is outdated. In linux-hardened user namespaces are enabled by default, and in the linux package >= 4.14.5 in a slightly patched version.
If I understand the patch for the linux package correctly, then root can always create unprivileged containers, while it can be enabled for normal users with sysctl (kernel.unprivileged_userns_clone).

Edit: This does not address your security concerns though.

Last edited by progandy (2017-12-18 15:14:41)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |


#9 2017-12-18 18:12:12

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

I'm not sure how to get networking going?

I followed the wiki and made the file /etc/default/lxc-net and also edited /etc/lxc/default.conf as per the containers wiki, but there is no internet access in the container when I try to ping or install a package.

Was I supposed to change any settings to my own system's details pertaining to IPs or suchlike? The wiki does not indicate that I should have, so I just copied and pasted what was there for those two files.

How do I troubleshoot that to see what the problem is?

Last edited by MarthaParkin (2017-12-18 18:13:21)


#10 2017-12-18 22:33:13

lo1
Member
Registered: 2017-09-25
Posts: 584

Re: Questions on setting up openvpn within containers

https://wiki.archlinux.org/index.php/Li … networking have you checked this yet?

However, I understand that you need to create a bridge to get networking going, and bridges are quite tricky, so post your configuration(s) and every step you take to make it work.


#11 2017-12-19 11:00:15

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

Oops, I had not put the networking part into the config file before you said it, but I have now. Before, it would start the container, but now that I have added the lines it fails. I used the '-F' switch to show error output and it gives

$ sudo lxc-start -n arch1 -F
lxc-start: arch1: network.c: lxc_ovs_attach_bridge: 1860 Failed to attach "br0" to openvswitch bridge "veth0J4HOM": lxc-start: arch1: utils.c: run_command: 2294 failed to exec command
lxc-start: arch1: network.c: instantiate_veth: 194 Failed to attach "veth0J4HOM" to bridge "br0": Operation not permitted
lxc-start: arch1: network.c: lxc_create_network_priv: 2402 Failed to create network device
lxc-start: arch1: start.c: lxc_spawn: 1206 Failed to create the network.
lxc-start: arch1: start.c: __lxc_start: 1459 Failed to spawn container "arch1".
lxc-start: arch1: tools/lxc_start.c: main: 371 The container failed to start.
lxc-start: arch1: tools/lxc_start.c: main: 375 Additional information can be obtained by setting the --logfile and --logpriority options.

Do I need to have dnsmasq set up and running too? It wasn't clear, as the wiki says to just install it; it doesn't mention setting it up and running it.

Contents of /var/lib/lxc/arch1/config...

# Template used to create this container: /usr/share/lxc/templates/lxc-archlinux
# Parameters passed to the template:
# Template script checksum (SHA-1): 3b82acc9a7419c083b0bfe7598667310fb318698
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm

lxc.net.0.type = empty
lxc.rootfs.path = dir:/var/lib/lxc/arch1/rootfs
lxc.uts.name = arch1
lxc.arch = x86_64
lxc.include = /usr/share/lxc/config/archlinux.common.conf

## network
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up
lxc.net.0.name = eth0
lxc.net.0.hwaddr = ee:ec:fa:e9:56:7d
# uncomment the next two lines if static IP addresses are needed
# leaving these commented will imply DHCP networking
#
#lxc.net.0.ipv4.address = 192.168.0.3/24
#lxc.net.0.ipv4.gateway = 192.168.0.1

/etc/lxc/default.conf

#lxc.net.0.type = empty
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx

/etc/default/lxc-net

# Leave USE_LXC_BRIDGE as "true" if you want to use lxcbr0 for your
# containers.  Set to "false" if you'll use virbr0 or another existing
# bridge, or mavlan to your host's NIC.
USE_LXC_BRIDGE="true"

# If you change the LXC_BRIDGE to something other than lxcbr0, then
# you will also need to update your /etc/lxc/default.conf as well as the
# configuration (/var/lib/lxc/<container>/config) for any containers
# already created using the default config to reflect the new bridge
# name.
# If you have the dnsmasq daemon installed, you'll also have to update
# /etc/dnsmasq.d/lxc and restart the system wide dnsmasq daemon.
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
# Uncomment the next line if you'd like to use a conf-file for the lxcbr0
# dnsmasq.  For instance, you can use 'dhcp-host=mail1,10.0.3.100' to have
# container 'mail1' always get ip address 10.0.3.100.
#LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf

# Uncomment the next line if you want lxcbr0's dnsmasq to resolve the .lxc
# domain.  You can then add "server=/lxc/10.0.3.1' (or your actual $LXC_ADDR)
# to your system dnsmasq configuration file (normally /etc/dnsmasq.conf,
# or /etc/NetworkManager/dnsmasq.d/lxc.conf on systems that use NetworkManager).
# Once these changes are made, restart the lxc-net and network-manager services.
# 'container1.lxc' will then resolve on your host.
#LXC_DOMAIN="lxc"

Last edited by MarthaParkin (2017-12-19 11:05:29)


#12 2017-12-19 11:32:13

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: Questions on setting up openvpn within containers

You are using the wrong bridge name in arch1/config. It should be lxcbr0.

lxc.net.0.link = br0
==>
lxc.net.0.link = lxcbr0

Last edited by progandy (2017-12-19 11:32:45)
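As an added example (not from the thread or from the LXC project), a small POSIX sh check that catches this exact mismatch before lxc-start does: it reads lxc.net.0.link from a container config, LXC_BRIDGE from the lxc-net defaults file, compares them, and can confirm the bridge actually exists on the host. File paths are passed as arguments; the demo function uses constructed copies of the two files, not the real system files.

```shell
#!/bin/sh
# Added example: verify that a container's bridge name matches what lxc-net creates.

# Print the value of the last uncommented "lxc.net.0.link = X" line in a
# container config (lxc reads keys in order, so the last one is the effective one).
container_link() {
    sed -n 's/^[[:space:]]*lxc\.net\.0\.link[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Print LXC_BRIDGE from an /etc/default/lxc-net style file, quotes stripped.
lxcnet_bridge() {
    sed -n 's/^[[:space:]]*LXC_BRIDGE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Return 0 if the container config and lxc-net agree on the bridge name,
# 1 if they differ (the br0 vs lxcbr0 case above), 2 if either value is missing
# (e.g. the config still says lxc.net.0.type = empty and has no link line).
check_bridge_match() {
    link=$(container_link "$1")
    bridge=$(lxcnet_bridge "$2")
    [ -n "$link" ] && [ -n "$bridge" ] || return 2
    if [ "$link" = "$bridge" ]; then
        echo "OK: container uses bridge '$bridge'"
        return 0
    fi
    echo "MISMATCH: config has lxc.net.0.link = $link but lxc-net creates $bridge" >&2
    return 1
}

# Return 0 if the named interface exists on this host and is a bridge
# (the kernel exposes a bridge/ directory under /sys/class/net/<if>/).
bridge_exists() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# Demo on constructed copies of the thread's two files; prints MISMATCH and returns 1.
demo() {
    tmp=$(mktemp -d)
    printf 'lxc.net.0.type = veth\nlxc.net.0.link = br0\nlxc.net.0.flags = up\n' > "$tmp/config"
    printf 'USE_LXC_BRIDGE="true"\nLXC_BRIDGE="lxcbr0"\n' > "$tmp/lxc-net"
    check_bridge_match "$tmp/config" "$tmp/lxc-net"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real host, run check_bridge_match /var/lib/lxc/arch1/config /etc/default/lxc-net and then bridge_exists lxcbr0 (the latter fails until lxc-net has been started).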



#13 2017-12-19 13:02:12

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

Awesome! Working. :) Thanks.

Once I get the hang of things more, I am thinking maybe unprivileged containers might be preferable, as I would prefer not to have to sudo for every command.

But I am glad to have got the first container going.

Last edited by MarthaParkin (2017-12-19 13:04:15)


#14 2017-12-22 11:07:59

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

graysky wrote:

You don't need to use unprivileged lxcs. Follow the wiki to set up a privileged lxc and you'll be fine. Also consider using lxc-snapshots for openvpn: https://aur.archlinux.org/packages/lxc-snapshots/

I'm just following your github and at the part which says

For openvpn, set up /etc/conf.d/openvpn-lxc-snaphot.conf to your liking.

and on the part in the conf which says

# Name of the openvpn config you setup in the base image for example
# /etc/openvpn/server/foo.conf would be VPNCFG=foo'
VPNCFG='foo'

but I want a different config file for each snapshot instance, so how can I do that? I want many snapshots with different openvpn config files and thus many IP addresses, so that line defeats the object. So how can I set it up the way I intended?

btw I want openvpn as client, not server. I notice in your snapshot file it is pointing to server in the openvpn folder.

I would like a snapshot to start with its own config file.

The snapshot won't start if I try to comment that line out.

Also, what is the advised way to share a folder from host to snapshot? I need to be able to write files on the snapshot but don't want them messing with the host files. For qemu/remote server I use lsyncd, which updates files on the target, but I add excludes where I don't want the files edited. I could still use lsyncd, but is there a better in-house way to do it? I looked it up for lxc and see there are solutions for file sharing, but I saw they are read-only or read and write, neither of which is quite the same as what I have with lsyncd. I want read and write on the container but pull/read-only from the host. Not sure if I have explained that correctly.

Last edited by MarthaParkin (2017-12-22 11:23:18)


#15 2017-12-22 11:56:48

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Questions on setting up openvpn within containers

MarthaParkin wrote:

btw I want openvpn as client, not server. I notice in your snapshot file it is pointing to server in the openvpn folder.

What you're wanting to do is beyond the scope of lxc-snapshots. It was designed to add protection to an internet-facing instance of OpenVPN configured to run as a server. Although implicit in the docs, I will edit them to make it more clear.

Last edited by graysky (2017-12-22 12:15:50)



#16 2017-12-22 11:59:12

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

?


#17 2017-12-22 12:16:19

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: Questions on setting up openvpn within containers

@MP - Sorry about that... dunno why my text wasn't posted along with your quote. I edited the above.



#18 2017-12-22 12:38:19

MarthaParkin
Member
Registered: 2016-03-19
Posts: 232

Re: Questions on setting up openvpn within containers

Ah, that's ok.

I will look to another solution. I just wanted to check it wasn't me not understanding, so I will not be barking up the wrong tree. :)
