This is my Dockerfile:
FROM alpine:edge
COPY openvpn.conf /etc/openvpn/
RUN apk update
RUN mkdir /run/openrc
RUN touch /run/openrc/softlevel
RUN apk add --no-cache bash openssl openrc
WORKDIR /etc/openvn
RUN apk add openvpn
CMD ["openvpn", "--script-security", "2", "--config", "/etc/openvpn/openvpn.conf"]
I just want to have a openvpnin alpine based container. I have landed into a problem. What I want is that the vpn should only run inside the container and I should put this openvpn container in same network as haproxy to access the vpn.
When i run the container i am getting below permission denied error in the end.
2021-10-26 20:22:07 Unrecognized option or missing or extra parameter(s) in /etc/openvpn/openvpn.conf:16: block-outside-dns (2.5.3)
2021-10-26 20:22:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-26 20:22:07 OpenVPN 2.5.3 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2021
2021-10-26 20:22:07 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-10-26 20:22:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:07 Socket Buffers: R=[212992->212992] S=[212992->212992]2021-10-26 20:22:07 UDP link local: (not bound)2021-10-26 20:22:07 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:11942021-10-26 20:22:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=96fdd334 e322b4072021-10-26 20:22:07 VERIFY OK: depth=1, CN=ChangeMe
2021-10-26 20:22:07 VERIFY KU OK
2021-10-26 20:22:07 Validating certificate extended key usage2021-10-26 20:22:07 Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication2021-10-26 20:22:07 VERIFY EKU OK
2021-10-26 20:22:07 VERIFY OK: depth=0, CN=server2021-10-26 20:22:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA2562021-10-26 20:22:07 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:09 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2021-10-26 20:22:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1003/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.5 255.255.255.0,peer-id 2,cipher AES-256-GCM'
2021-10-26 20:22:09 OPTIONS IMPORT: timers and/or timeouts modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ifconfig/up options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route-related options modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified2021-10-26 20:22:09 OPTIONS IMPORT: peer-id set
2021-10-26 20:22:09 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-10-26 20:22:09 OPTIONS IMPORT: data channel crypto options modified
2021-10-26 20:22:09 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-10-26 20:22:09 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2021-10-26 20:22:09 GDG6: remote_host_ipv6=n/a
2021-10-26 20:22:09 net_route_v6_best_gw query: dst ::
2021-10-26 20:22:09 sitnl_send: rtnl: generic error (-101): Network unreachable2021-10-26 20:22:09 ROUTE6: default_gateway=UNDEF
2021-10-26 20:22:09 TUN/TAP device tun0 opened
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 15002021-10-26 20:22:09 /sbin/ip link set dev tun0 up2021-10-26 20:22:09 /sbin/ip addr add dev tun0 10.8.0.5/24
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 1500
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up
2021-10-26 20:22:09 /sbin/ip -6 addr add fddd:1194:1194:1194::1003/64 dev tun0RTNETLINK answers: Permission denied
2021-10-26 20:22:09 Linux ip -6 addr add failed: external program exited with error status: 2
2021-10-26 20:22:09 Exiting due to fatal error
CodePudding user response:
Looking at
Linux ip -6 addr add failed: external program exited with error status: 2
AFAIK docker runs on IPv4 only per default. Are you trying to setup openvpn with IPv6 as well? Then you may have to enable IPv6 on docker level as well.