I'm trying to start openvpn from a systemd container. At first, I created the sytemd container by following the Systemd-nspawn here at Arch Wiki. Made sure, everything works and I can connect to internet. Now whenever I try to connect to openvpn, it gives the following error
[root@ghost ~]# openvpn /etc/openvpn/UK_London.conf Mon Jan 18 21:05:12 2016 OpenVPN 2.3.9 x86_64-unknown-linux-gnu[SSL(OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec 24 2015 Mon Jan 18 21:05:12 2016 library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09 Mon Jan 18 21:05:12 2016 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Mon Jan 18 21:05:12 2016 UDPv4 link local: [undef] Mon Jan 18 21:05:12 2016 UDPv4 link remote: [AF_INET]220.127.116.11:1194 Mon Jan 18 21:05:12 2016 [Private Internet Access] Peer Connection Initiated with [AF_INET]18.104.22.168:1194 Mon Jan 18 21:05:14 2016 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) Mon Jan 18 21:05:14 2016 Exiting due to fatal error
Troubleshooting further, I found this video which basically demonstrates what I've done but what's interesting is that he doesn't come across this issue. Reading in forums and further Google-fu got me at Openvpn in Linux Containers but I think this doesn't necessarily mean using systemd-nspawn. Is there any particular aspect that I'm missing? I can think of some cgroups related thing where the container doesn't have access to create tun devices?? Any help would be appreciated.
My guess is that inside the nspawn chroot you don't have the necessary privileges to setup the tun device. You probably need to allow/add extra capabilities to the chroot, see 'man systemd-nspawn' and 'man 7 capabilities'.
If you can't make it work even after adding all possible capabilities (and googling for similar problems and solutions) then I recommend you ask in systemd's irc channel. My previous experience is that if you explain succinctly what you are trying to do and the steps you have tried to make things work, you will most probably have someone chime in and try to help you.