TL;DR some pointers for those interested to deploy an openvpn server in an unprivilged container
- host ubuntu bionic 4.15.0-23
lxc 3.0.1
dnsmasq 2.79 - container gentoo
netifrc
nftables 0.8.3
openvpn 2.4.6
as baseline it assumed that host’s and container’s network are working.
- this example is set with TUN UDP4 only. TCP4/6 | UDPv6 may require additional steps but certainly some alterations
- TAP been tried but did not work out (something about gateway information going wrong)
- any IP addresses/ranges, bridge names, mac addresses stated below are specifics of this setup and may require tailoring to other particular network environments
-
dnsmasq on host - assign static ip to the container’s veth iface (alternative to the mac address can be the container’s name space)
dhcp-range=br3,172.25.120.0,static
dhcp-host=00:16:3e:88:b0:c5,172.25.120.2
-
enable container access to kernel’s
netdev tun
(which though weakens the security of the unpriviliged environment!)
-
in the container
mkdir -p /dev/net/tun
-
shut down the container
-
add to the container’s conf
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
-
in the host add nf rule to open (accept) openvpn udp port on the wan
-
in the host add nf rule (nat prerouting dnat) to foward opvpn udp port from the wan ip to the container lan ip (172.25.120.1)
-
in the container add nf rule to NAT (postrouting masquerade) for the container’s ethernet iface
-
add TUN ifcae in the container’s network (/etc/conf.d/net)
tuntap_tun0="tun"
config_tun0="null"
and then from cli
ln -s /etc/init.d/net.lo /etc/init.d/net.tun0
rc-update add net.tun0 default
-
ensure forwarding is enabled in the container
net.ipv4.ip_forward=1
-
openvpn server conf (important that the openvpn server’s subnet is different from the container’s)
dev tun0
proto udp4
local 172.25.120.2
server 172.25.121.0 255.255.255.0
topology subnet
push "route 172.25.0.0 255.255.0.0"
In case the keys/certs pertinent to openvpn server conf are lcated on the host and not the container than the respective lxc.mount.entry
have to be added to the container conf and mirroring directories created on the container and access to be granted to the keys/certs to the user of the unprivilged container user (setfacl -m u:100000:r
)