Re: [Vserver] can't terminate OpenVPN tunnel within a vserver?

From: Baltasar Cevc <baltasar_at_cevc-topp.de>
Date: Tue 04 Jul 2006 - 23:38:30 BST
Message-Id: <b147736163f9584a4e524a8f2e848330@cevc-topp.de>


Hi,

On 04.07.2006, at 10:29, Daniel W. Crompton wrote:
> On 7/3/06, Eugen Leitl <eugen@leitl.org> wrote:
>> On Mon, Jul 03, 2006 at 12:12:34PM +0200, Baltasar Cevc wrote:
>> > >I can't have an OpenVPN tunnel terminate in a vserver,
>> > >can I?
>
> You can, I just did it yesterday. You need to set the following in the
> file "bcapabilities":
> CAP_NET_ADMIN
> CAP_NET_RAW
I haven't tested it myself as I run OpenVPN in the host system only,
but I'd say that these caps are not nice to give to a guest; as far as
I know, you could more or less do any network operation (for any
interface) in the guest then.

However, maybe, you will have to do this to get it working. I can't
remember any option that could make OpenVPN use an already existing
interface (I don't know how tun/tap work, thus whether that would be
feasible at all). It should be worth searching the OpenVPN and/or
kernel docs about that, though.

Just quickly searching around, my understanding is that you have to
create the tun device on the host (which is what you want from a
security perspective). Afterwards you can assign it to a guest and
OpenVPN should be happy to use that one. However that seems to work
with tap, I assume it won't work using tun as a device.

> Add if you want to load the module inside the vserver on access:
> CAP_SYS_MODULE
That would be quite crazy, I'd say. You could load anything, thus
provide the guest with any privilege ever wanted...
You absolutely want to load the modules manually on the host and never
give the guest permission to do so.

> Add if you want to mknod the device inside the vserver:
> CAP_MKNOD
Quite dangerous, too, as it enables you to access the whole HD for
example.

Baltasar

((( Baltasar Cevc

) World wide web:
   * http://www.openairkino.net/ (a project for the local youth; German
only)
   * http://technik.juz-kirchheim.de/ (programming and admin projects)
   * http://baltasar.cevc-topp.de/ (private homepage)
) Phone:
   +49 176 232 20 822
)
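An added example, not part of the thread above: a small POSIX shell audit of a guest's "bcapabilities" file that flags the four capabilities discussed in the reply (CAP_SYS_MODULE, CAP_MKNOD, CAP_NET_ADMIN, CAP_NET_RAW). It assumes the linux-vserver format of one capability per line, with "#" comments and a leading "~" meaning the capability is removed rather than granted; the sample file at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the mailing-list thread): audit a
# linux-vserver guest's bcapabilities file for capabilities the reply
# above warns about. Assumed file format: one capability per line,
# "#" starts a comment, "~CAP_X" removes a capability instead of granting it.

# Map a capability to the risk named in the reply; non-zero if not risky.
risk_for_cap() {
    case "$1" in
        CAP_SYS_MODULE) echo "load arbitrary kernel modules: full host compromise" ;;
        CAP_MKNOD)      echo "create device nodes: raw access to host disks" ;;
        CAP_NET_ADMIN)  echo "reconfigure any interface, not only the guest's" ;;
        CAP_NET_RAW)    echo "raw sockets on host interfaces" ;;
        *)              return 1 ;;
    esac
}

# Print "CAP: reason" for every risky capability granted in file $1.
# Returns 0 when nothing risky is granted, 1 otherwise.
audit_bcaps() {
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        cap=${line%%#*}                                  # drop comments
        cap=$(printf '%s' "$cap" | tr -d '[:space:]')    # drop whitespace
        [ -z "$cap" ] && continue
        case "$cap" in '~'*) continue ;; esac            # removal, not a grant
        if reason=$(risk_for_cap "$cap"); then
            printf '%s: %s\n' "$cap" "$reason"
            found=1
        fi
    done < "$1"
    return $found
}

# Constructed sample guest config for the demo (not a file from the thread).
sample=$(mktemp)
printf 'CAP_NET_ADMIN\nCAP_NET_RAW   # added for OpenVPN\n~CAP_SYS_MODULE\nCAP_CHOWN\n' > "$sample"
audit_bcaps "$sample" || echo "review the capabilities listed above before starting the guest"
rm -f "$sample"
```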

_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Tue Jul 4 23:39:07 2006
