I wonder if it is possible to initiate an openvpn (client) connection from a rootless podman container.
I have the following Dockerfile:

```dockerfile
FROM docker.io/alpine:latest
ENV USER=openvpn
ENV GROUPNAME=$USER
ENV UID=1001
ENV GID=1001
RUN addgroup \
        --gid "$GID" \
        "$GROUPNAME" \
    && adduser \
        --disabled-password \
        --gecos "" \
        --ingroup "$GROUPNAME" \
        --no-create-home \
        --uid "$UID" \
        "$USER" \
    && apk add --no-cache openvpn
EXPOSE 1194
USER openvpn
ENTRYPOINT [ "/usr/sbin/openvpn", "--config", "/config/openvpn.ovpn" ]
```
and I’m using it with the following podman-compose/docker-compose file:

```yaml
version: '3.8'
services:
  openvpn-client:
    container_name: openvpn-client
    build: .
    dns:
      # germany - Frankfurt - no vpn
      - 54.93.169.181
      # uk - London - no vpn
      - 212.71.249.225
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
      - /dev/null
    # security_opt:
    #   - "label=disable"
    #   - "label=type:ovpn_container.process"
    entrypoint: /usr/sbin/openvpn --config /config/getflix-dnsonly.ovpn --auth-user-pass /config/passfile
    network_mode: "host"
    restart: unless-stopped
    volumes:
      - ./config:/config:z,ro
```
However, I always get the following error (on container stderr):

```text
$ podman-compose up
110 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
```

However, there is no problem with a rootful container, i.e. `sudo podman-compose up` works as expected.
I wonder if it is possible to tweak Fedora’s SELinux (if it is the culprit, of course!) to allow the VPN connection in rootless mode as well.
I read about creating a custom SELinux label with the appropriate policy (BTW, is this an SELinux TypeStatement?) here. However, I cannot get it working this way.
Also, there are some configuration hints for unprivileged users at the OpenVPN community. The most interesting part is to create the tun device with the appropriate permissions with systemd on system start (/etc/systemd/network/21_openvpn.tun0.netdev, /etc/systemd/network/22_openvpn.tun0.netdev). I tried this as well, but with no success.
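The `TUNSETIFF` ioctl is refused by the kernel unless the caller holds `CAP_NET_ADMIN` in the user namespace that owns the network namespace the tun device is created in (or, for a persistent tun, is its configured owner). In a rootless container the `cap_add: NET_ADMIN` capability only exists inside the container's own user namespace, while `network_mode: "host"` puts the device into the host's network namespace, which is owned by the initial user namespace. The following diagnostic script is an added example written for this page, not code from the original post or from the podman or OpenVPN projects; it is meant to be run inside the container (the image name and the script path in the comment are placeholders) and reports which of the three preconditions, capability, namespace, and device node, is missing, so the failure can be pinned down before touching SELinux policy.

```sh
#!/bin/sh
# Added diagnostic for the TUNSETIFF "Operation not permitted" case.
# Example invocation (image name and script path are placeholders):
#   podman run --rm --cap-add NET_ADMIN --device /dev/net/tun --network host \
#       --entrypoint /bin/sh <image> -c 'sh /config/tun-diag.sh'

CAP_NET_ADMIN=12   # capability number from <linux/capability.h>

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in a hexadecimal
# capability mask in the format /proc/<pid>/status prints (CapEff, CapBnd, ...).
cap_in_mask() {
    mask=$1
    bit=$2
    [ "$(( (0x$mask >> $bit) & 1 ))" -eq 1 ]
}

# effective_caps: print the CapEff mask of this process, "0" if unreadable.
effective_caps() {
    caps=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null || true)
    printf '%s\n' "${caps:-0}"
}

# in_initial_userns: succeed if this process runs in the host's initial user
# namespace (uid_map is exactly "0 0 4294967295"), i.e. rootful, not rootless.
in_initial_userns() {
    map=$(awk 'NR == 1 { print $1, $2, $3 }' /proc/self/uid_map 2>/dev/null || true)
    [ "$map" = "0 0 4294967295" ]
}

# tun_node_usable: succeed if /dev/net/tun is a character device we may open.
tun_node_usable() {
    [ -c /dev/net/tun ] && [ -r /dev/net/tun ] && [ -w /dev/net/tun ]
}

# report: print the three preconditions TUNSETIFF depends on. Always returns 0
# so the script is safe to source or run under `set -e`.
report() {
    caps=$(effective_caps)
    printf 'CapEff: %s\n' "$caps"
    if cap_in_mask "$caps" "$CAP_NET_ADMIN"; then
        echo 'CAP_NET_ADMIN: present in this process (cap_add took effect)'
    else
        echo 'CAP_NET_ADMIN: missing (check cap_add / --cap-add)'
    fi
    if in_initial_userns; then
        echo 'user namespace: initial (rootful); CAP_NET_ADMIN is valid for the host netns'
    else
        echo 'user namespace: nested (rootless); CAP_NET_ADMIN is valid only for netns owned by it'
        echo '  -> with network_mode: host the tun is created in the host netns, so TUNSETIFF is refused'
    fi
    if tun_node_usable; then
        echo '/dev/net/tun: present and readable/writable'
    else
        echo '/dev/net/tun: missing or not accessible (check the devices: list)'
    fi
    return 0
}

report
```

The "nested user namespace plus host network" combination is the one the script flags for this compose file; the capability and device checks cover the two other ways the same errno shows up (a forgotten `cap_add`, or a device node the container cannot open). SELinux denials would additionally appear in the audit log, so a clean AVC log together with this output points at the namespace ownership check rather than policy.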