LXC: Allow openfortivpn client to create a ppp0 interface

I get the following error when I try to use openfortivpn in my container:

ERROR:  read: Input/output error
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 4
ERROR:  pppd: Is not setuid-root and the invoking user is not root.

  1. Created an unprivileged container.
  2. Added lxc.cgroup.devices.allow = c 10:200 rwm to .config/lxc/default.conf
  3. Added lxc.mount.entry = /dev/ppp dev/ppp none bind,create=file to the container conf file.

What am I missing?

You need to get more information for this error. Try to get verbose debug or something similar. The rest of the messages may not (and I think do not) be helpful, especially the part about pppd and root.

To increase verbosity, see https://github.com/adrienverge/openfortivpn/issues/335
That’s about Crostini, which uses LXD. But it does not run a proper Linux kernel, so it is not possible to make it work there.

Have a look at how to get OpenVPN to work with LXD,

It is likely that you need to do something similar.

Verbose logging was already enabled.
I enabled pppd logging now, but this is all I get:

Couldn't open the /dev/ppp device: Permission denied

I tried to enable CAP_NET_ADMIN, but I’m not sure how to enable it. The documentation is not clear on this.

lxc config set my-container raw.lxc=lxc.cap.keep=CAP_NET_ADMIN 
error: Bad server config key: 'my-container'

Your lxc config set is wrong, you should have a space between the raw.lxc and lxc.cap.keep rather than that first = sign.

That being said, it won’t do you any good because we don’t drop CAP_NET_ADMIN, so there’s no point in directly asking lxc to keep it.

The permission denied issue is most likely either because the device wasn’t passed through unix-char and is therefore missing a devices cgroup entry (you should be able to confirm by checking /sys/fs/cgroup/devices/devices.list) or because the ppp kernel module is returning the error.

cat /sys/fs/cgroup/devices/devices.list

 a *:* rwm

I have added lxc.cgroup.devices.allow = c 108:0 rwm # /dev/ppp to both global and local config.
But /sys/fs/cgroup/devices/devices.list won’t change.

Okay, so this looks like an unprivileged container, in which the devices cgroup doesn’t matter, which is why it’s got an allow-all rule in place.

So your problem isn’t going to be a pure device permission problem, it’s most likely that the ppp kernel module does its own permission check and looks for the real root user.

I suspect your only workaround at this time would be to switch to a privileged container (set security.privileged=true).
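As an added example (not from this thread or from openfortivpn/LXD), a POSIX sh helper that performs the checks the replies above point at: it parses a cgroup v1 devices.list as read from /sys/fs/cgroup/devices/devices.list to decide whether the 108:0 character device is allowed, tests whether /dev/ppp is openable, and reports the invoking uid. The two sample lists are constructed.

```sh
#!/bin/sh
# Added diagnostic helper, not from the thread. It checks the conditions the
# replies above point at: the devices cgroup entry for /dev/ppp, whether the
# device itself is openable, and whether the invoking user is real root.

# devices_list_allows LIST MAJOR MINOR
# Returns 0 if the cgroup v1 devices.list text in LIST grants read+write on
# character device MAJOR:MINOR (an exact entry or an "a *:*" wildcard), else 1.
devices_list_allows() {
    printf '%s\n' "$1" | (
        while read -r type dev perms; do
            case "$type" in a|c) ;; *) continue ;; esac   # block devices irrelevant
            dmaj=${dev%%:*}; dmin=${dev#*:}
            [ "$dmaj" = '*' ] || [ "$dmaj" = "$2" ] || continue
            [ "$dmin" = '*' ] || [ "$dmin" = "$3" ] || continue
            case "$perms" in *r*w*|*w*r*) exit 0 ;; esac
        done
        exit 1
    )
}

# ppp_device_usable PATH
# Returns 0 if PATH is a character device the caller can open read/write.
ppp_device_usable() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# report: run the live checks from inside the container and print findings.
# /dev/ppp is char 108:0 in the kernel's devices.txt (10:200 is /dev/net/tun).
report() {
    dev=/dev/ppp; list=/sys/fs/cgroup/devices/devices.list
    if [ -c "$dev" ]; then ls -l "$dev"; else echo "$dev missing: bind-mount it"; fi
    if ppp_device_usable "$dev"; then echo "$dev openable rw by uid $(id -u)"
    else echo "$dev NOT openable rw by uid $(id -u)"; fi
    if [ -r "$list" ]; then
        if devices_list_allows "$(cat "$list")" 108 0; then echo "cgroup allows 108:0"
        else echo "cgroup blocks 108:0 (missing lxc.cgroup.devices.allow / unix-char)"; fi
    fi
    [ "$(id -u)" -eq 0 ] || echo "uid $(id -u) is not root: pppd must be setuid-root"
    command -v pppd >/dev/null 2>&1 || echo "pppd not found on PATH"
}

# Constructed samples: the allow-all list the unprivileged container above
# showed, and a restrictive list that only passes /dev/null and /dev/console.
UNPRIV_LIST='a *:* rwm'
RESTRICTED_LIST='c 1:3 rwm
c 5:1 rwm'

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it inside the container as `sh check-ppp.sh --report` (file name assumed) to see which of the conditions fails.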

I created a privileged container.

But I kept getting ERROR: /usr/sbin/pppd: No such file or directory.

So I changed the config to this:

lxc.cgroup.devices.allow = c 108:0 rwm # /dev/ppp
lxc.mount.entry = /usr/sbin/pppd usr/sbin/pppd none bind,create=file

But then I get this:

DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  ssl_write_thread
DEBUG:  if_config thread
DEBUG:  pppd_write thread
ERROR:  read: Input/output error
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 127
ERROR:  pppd: Returned an unknown exit status
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.

You would need to dig into pppd_write and see why it cannot write (and if something can be done about it for an unprivileged container).

Are there any available Fortinet VPN servers in case anyone would like to try and help you out debugging the connection establishment?
For example, for OpenVPN there are several options.

Do you use Apparmor / SELinux? A misconfigured profile can cause such issues.

Don’t know, I will have to check with my Fortinet colleagues.

I’m using Ubuntu 16.04 so I guess Apparmor can cause issues.

Check in the logs if some operation was denied. If you can’t find anything, run the VPN client with strace.

I realize this is an old post, /me posting a reply here because I ran into this and have it working.

I had a similar issue around (pppd: Is not setuid-root). Previously I sshed into the lxc container and then did sudo. That didn’t work. What did work was, on the host, to sudo su and then lxc-attach -n [container_name]. That way, I was root on the host and then was root in the container. Starting openfortivpn then succeeded.

I don’t understand the difference there. If someone else explains that’ll be cool :-). Just posting here since that works for me and might help others in future.