Alpine container with openvpn to connect openvpn server gives permission error

Time:10-28

This is my Dockerfile:

FROM alpine:edge
# Client configuration baked into the image
COPY openvpn.conf /etc/openvpn/
RUN apk update
# OpenRC expects this runlevel marker before its service scripts will run
RUN mkdir /run/openrc
RUN touch /run/openrc/softlevel

RUN apk add --no-cache bash openssl openrc
# Same directory the config was copied to
WORKDIR /etc/openvpn
RUN apk add --no-cache openvpn

# Start the client directly; script-security 2 lets the config call external scripts
CMD ["openvpn", "--script-security", "2", "--config", "/etc/openvpn/openvpn.conf"]

I just want to have openvpn in an Alpine-based container. I have landed in a problem. What I want is that the VPN should only run inside the container, and I should put this openvpn container in the same network as haproxy to access the VPN.

When I run the container I get the permission denied error below at the end.

2021-10-26 20:22:07 Unrecognized option or missing or extra parameter(s) in /etc/openvpn/openvpn.conf:16: block-outside-dns (2.5.3)
2021-10-26 20:22:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-26 20:22:07 OpenVPN 2.5.3 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2021
2021-10-26 20:22:07 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-10-26 20:22:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:07 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-26 20:22:07 UDP link local: (not bound)
2021-10-26 20:22:07 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=96fdd334 e322b407
2021-10-26 20:22:07 VERIFY OK: depth=1, CN=ChangeMe
2021-10-26 20:22:07 VERIFY KU OK
2021-10-26 20:22:07 Validating certificate extended key usage
2021-10-26 20:22:07    Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-26 20:22:07 VERIFY EKU OK
2021-10-26 20:22:07 VERIFY OK: depth=0, CN=server
2021-10-26 20:22:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-10-26 20:22:07 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:09 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2021-10-26 20:22:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1003/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.5 255.255.255.0,peer-id 2,cipher AES-256-GCM'
2021-10-26 20:22:09 OPTIONS IMPORT: timers and/or timeouts modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ifconfig/up options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route-related options modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-10-26 20:22:09 OPTIONS IMPORT: peer-id set
2021-10-26 20:22:09 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-10-26 20:22:09 OPTIONS IMPORT: data channel crypto options modified
2021-10-26 20:22:09 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-10-26 20:22:09 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2021-10-26 20:22:09 GDG6: remote_host_ipv6=n/a
2021-10-26 20:22:09 net_route_v6_best_gw query: dst ::
2021-10-26 20:22:09 sitnl_send: rtnl: generic error (-101): Network unreachable
2021-10-26 20:22:09 ROUTE6: default_gateway=UNDEF
2021-10-26 20:22:09 TUN/TAP device tun0 opened
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 1500
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up
2021-10-26 20:22:09 /sbin/ip addr add dev tun0 10.8.0.5/24
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 1500
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up
2021-10-26 20:22:09 /sbin/ip -6 addr add fddd:1194:1194:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
2021-10-26 20:22:09 Linux ip -6 addr add failed: external program exited with error status: 2
2021-10-26 20:22:09 Exiting due to fatal error

CodePudding user response:

Looking at

Linux ip -6 addr add failed: external program exited with error status: 2

AFAIK Docker runs on IPv4 only by default. Are you trying to set up openvpn with IPv6 as well? Then you may have to enable IPv6 at the Docker level as well.
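The check behind that answer, as an added example that is neither the poster's Dockerfile nor the answerer's code: the log shows tun0 being created and the IPv4 address added, so NET_ADMIN and the tun device are already available, and the only thing the kernel refuses is the IPv6 address. That is what happens when net.ipv6.conf.*.disable_ipv6 is 1 in the container's network namespace, which is Docker's default unless IPv6 was enabled for the network or for the container. The script reads that sysctl (assumed to live under /proc/sys; a different root can be passed for testing), recognises the failure line in an OpenVPN log, and prints the client-side pull-filter lines that drop the server's pushed IPv6 options so the tunnel comes up IPv4-only. The alternative, enabling IPv6 for just this container, is shown as a docker run invocation in a comment; the option names are standard OpenVPN and Docker options.

```shell
#!/bin/sh
# Added example, not the poster's Dockerfile nor the answerer's code.
# Diagnoses "ip -6 addr add ... RTNETLINK answers: Permission denied" from
# inside the container and prints the config lines that avoid it.
# Assumed: sysctl files live under /proc/sys (overridable for testing).

# ipv6_enabled IFACE [SYSROOT]
# Exit 0 when net.ipv6.conf.IFACE.disable_ipv6 reads 0; exit 1 when it is 1
# or when the ipv6 stack is not present at all.
ipv6_enabled() {
  iface="$1"
  root="${2:-/proc/sys}"
  f="$root/net/ipv6/conf/$iface/disable_ipv6"
  [ -r "$f" ] || return 1
  [ "$(cat "$f")" = "0" ]
}

# ipv6_addr_failed LOGFILE
# Exit 0 when an OpenVPN log contains the failure from the question, so a
# wrapper or healthcheck can tell this case apart from auth or TLS errors.
ipv6_addr_failed() {
  grep -q 'ip -6 addr add failed' "$1"
}

# ipv6_pull_filters [SYSROOT]
# Print the openvpn.conf lines that make the client ignore the IPv6 options
# the server pushes (tun-ipv6, ifconfig-ipv6, route-ipv6) when the namespace
# cannot take an IPv6 address; print nothing when IPv6 is usable.
# The pushed "redirect-gateway ... ipv6" route may still log a warning, but
# route failures are not fatal to the client, unlike the ifconfig failure.
ipv6_pull_filters() {
  if ipv6_enabled all "$1"; then
    return 0
  fi
  printf '%s\n' \
    'pull-filter ignore "tun-ipv6"' \
    'pull-filter ignore "ifconfig-ipv6"' \
    'pull-filter ignore "route-ipv6"'
}

# The other fix: enable IPv6 for this container only, with the narrowest
# privileges (NET_ADMIN plus the tun node, not --privileged). Needs the
# daemon, so it is shown as a comment:
#   docker run --cap-add=NET_ADMIN --device=/dev/net/tun \
#     --sysctl net.ipv6.conf.all.disable_ipv6=0 <image>

# Demo on a constructed excerpt of the log from the question.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
2021-10-26 20:22:09 /sbin/ip -6 addr add fddd:1194:1194:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
2021-10-26 20:22:09 Linux ip -6 addr add failed: external program exited with error status: 2
EOF
if ipv6_addr_failed "$demo_log"; then
  echo "OpenVPN failed on the pushed IPv6 address."
  if ipv6_enabled all; then
    echo "IPv6 is enabled in this namespace; look at routing or the tun0 sysctls instead."
  else
    echo "IPv6 is disabled in this namespace; either run the container with"
    echo "--sysctl net.ipv6.conf.all.disable_ipv6=0 or add to openvpn.conf:"
    ipv6_pull_filters
  fi
fi
rm -f "$demo_log"
```

Run it inside the container (or as an entrypoint wrapper before exec'ing openvpn) to decide between the two fixes; the pull-filter route keeps the container's attack surface at IPv4 only, while the sysctl route is the one to take if haproxy actually needs IPv6 through the tunnel.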
