[oi-dev] OpenVPN in a local zone

Jonathan Adams t12nslookup at gmail.com
Mon Jan 21 09:56:07 UTC 2019


Sorry for the obvious, but this does mean that you need to install tun/tap
in the global zone ... which I guess is the reason you're getting the
permission problems.

Jon

On Mon, 21 Jan 2019 at 09:33, Jonathan Adams <t12nslookup at gmail.com> wrote:

> root@moysalsrv:~# zonecfg -z vpnzone info
> zonename: vpnzone
> zonepath: /zones/vpnzone
> brand: ipkg
> autoboot: true
> bootargs:
> pool:
> limitpriv: default
> scheduling-class:
> ip-type: exclusive
> hostid:
> fs-allowed:
> net:
> 	address not specified
> 	allowed-address not specified
> 	physical: vpninternal0
> 	defrouter not specified
> net:
> 	address not specified
> 	allowed-address not specified
> 	physical: vpnvnic0
> 	defrouter not specified
> device:
> 	match: /dev/lockstat
> device:
> 	match: /dev/tun*
>
> ...
>
> This is for a "client" rather than for a "server", but hopefully this will
> give you some mileage.
>
> Jon
>
> On Mon, 21 Jan 2019 at 08:30, Jonathan Adams <t12nslookup at gmail.com>
> wrote:
>
>> I know in the past that I had to pass through specific dev interfaces.
>> I'll take a look when I get to work, as I think we still have one box set
>> up that way.
>> Jon
>>
>> On Mon, 21 Jan 2019 07:46 Alexander Pyhalov via oi-dev <
>> oi-dev at openindiana.org> wrote:
>>
>>> Hi.
>>> I suppose some of the privileges mentioned in
>>> /lib/svc/manifest/network/openvpn.xml are not available in the zone (look
>>> at the method_credential section).
>>>
>>> Best regards,
>>> Alexander Pyhalov,
>>> programmer, Telecommunications Infrastructure Department,
>>> Information and Communication Infrastructure Directorate,
>>> Southern Federal University (SFedU)
>>>
>>>
>>> ________________________________________
>>> From: Sven Schmeling <sven.schmeling at schmeling-ol.de>
>>> Sent: 18 January 2019 23:36:17
>>> To: OpenIndiana Developer mailing
>>> Subject: [oi-dev] OpenVPN in a local zone
>>>
>>> Hello,
>>>
>>> I have installed OpenVPN in a local zone.
>>>
>>> Starting the service with "svcadm enable svc:/network/openvpn:default"
>>> (or rebooting the zone) ends in maintenance mode:
>>>
>>> # svcs openvpn
>>> STATE          STIME    FMRI
>>> maintenance    19:46:37 svc:/network/openvpn:default
>>>
>>> cat /var/svc/log/network-openvpn:default.log
>>>
>>> [ Jan 18 19:46:37 Enabled. ]
>>> [ Jan 18 19:46:37 Executing start method ("/usr/sbin/openvpn --daemon
>>> openvpn --config '/etc/openvpn/openvpn.conf'"). ]
>>> [ Jan 18 19:46:37 svc.startd could not set context for method:  ]
>>> setppriv: Not owner
>>> [ Jan 18 19:46:37 Method "start" exited with status 96. ]
>>>
>>> Hints to add limitpriv="default,priv_net_rawaccess" to the zone config
>>> were made, but this doesn't change the behavior.
>>>
>>> Starting openvpn with "/usr/sbin/openvpn --verb 9 --config
>>> '/etc/openvpn/openvpn.conf'" on the command line works fine and
>>> connections are possible.
>>>
>>>
>>> Any hints about the "setppriv" error?
>>>
>>> --------------
>>>
>>> pkg info openvpn
>>> Name: network/openvpn
>>> Summary: OpenVPN is a full-featured open source SSL VPN solution
>>> Category: Applications/Internet
>>> State: Installed
>>> Publisher: openindiana.org
>>> Version: 2.4.3
>>> Branch: 2018.0.0.1
>>> Packaging Date: Sun Feb 11 13:19:38 2018
>>> Size: 1.19 MB
>>> FMRI:
>>> pkg://openindiana.org/network/openvpn@2.4.3-2018.0.0.1:20180211T131938Z
>>> Project URL: http://openvpn.net
>>> Source URL:
>>> http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.xz
>>>
>>> --------------
>>>
>>> Thanks
>>>
>>> Sven Schmeling
>>>
>>>
>>> - --
>>> Sven Schmeling, Oldenburg, Germany
>>> mailto:sven.schmeling at schmeling-ol.de
>>
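
The check suggested in the thread, comparing the privileges named in the manifest's method_credential with those the zone can grant, as an added example that is not part of the original messages or of the OpenVPN package. The manifest excerpt and the zone privilege listing are constructed samples; on a real system the listing is assumed to be the output of `ppriv -l zone` run inside the zone.

```python
import xml.etree.ElementTree as ET

# Set keywords from privileges(5); they name whole sets, not single privileges.
SET_KEYWORDS = {"none", "all", "basic", "zone"}

# Constructed sample: a cut-down SMF manifest. The privilege list is made up
# for illustration and is NOT copied from the real openvpn.xml.
SAMPLE_MANIFEST = """\
<service_bundle type="manifest" name="openvpn">
  <service name="network/openvpn" type="service" version="1">
    <exec_method type="method" name="start" exec="/usr/sbin/openvpn" timeout_seconds="60">
      <method_context>
        <method_credential user="root" group="root"
            privileges="basic,!file_link_any,net_privaddr,PRIV_SYS_NET_CONFIG,sys_ip_config"/>
      </method_context>
    </exec_method>
  </service>
</service_bundle>
"""

# Constructed sample: a listing in the one-name-per-line form of `ppriv -l zone`.
SAMPLE_ZONE_PRIVS = "file_link_any\nnet_privaddr\nnet_rawaccess\nsys_ip_config\nproc_exec\n"

def normalize(name):
    """Lower-case a privilege name and drop the optional priv_ prefix."""
    name = name.strip().lower()
    return name[5:] if name.startswith("priv_") else name

def manifest_privileges(xml_text):
    """Return the named privileges every method_credential asks for."""
    wanted = set()
    for cred in ET.fromstring(xml_text).iter("method_credential"):
        for item in cred.get("privileges", "").split(","):
            item = item.strip()
            # '!' or '-' removes a privilege from the set; nothing to request.
            if not item or item[0] in "!-":
                continue
            if normalize(item) not in SET_KEYWORDS:
                wanted.add(normalize(item))
    return wanted

def missing_in_zone(xml_text, zone_listing):
    """Privileges the manifest requests that the zone cannot grant."""
    available = {normalize(line) for line in zone_listing.split()}
    return sorted(manifest_privileges(xml_text) - available)

if __name__ == "__main__":
    print("not available in zone:", missing_in_zone(SAMPLE_MANIFEST, SAMPLE_ZONE_PRIVS))
```
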