Re: [oi-dev] OpenVPN in a local zone
Sorry for the obvious, but this does mean that you need to install tun/tap in the global zone ... which I guess is the reason you're getting the permission problems.

Jon

On Mon, 21 Jan 2019 at 09:33, Jonathan Adams wrote:

> root@moysalsrv:~# zonecfg -z vpnzone info
> zonename: vpnzone
> zonepath: /zones/vpnzone
> brand: ipkg
> autoboot: true
> bootargs:
> pool:
> limitpriv: default
> scheduling-class:
> ip-type: exclusive
> hostid:
> fs-allowed:
> net:
>         address not specified
>         allowed-address not specified
>         physical: vpninternal0
>         defrouter not specified
> net:
>         address not specified
>         allowed-address not specified
>         physical: vpnvnic0
>         defrouter not specified
> device:
>         match: /dev/lockstat
> device:
>         match: /dev/tun*
>
> ...
>
> this is for a "client" rather than for a "server", but hopefully this will
> give you some mileage.
>
> Jon

___
oi-dev mailing list
oi-dev@openindiana.org
https://openindiana.org/mailman/listinfo/oi-dev
Re: [oi-dev] OpenVPN in a local zone
root@moysalsrv:~# zonecfg -z vpnzone info
zonename: vpnzone
zonepath: /zones/vpnzone
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv: default
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
        address not specified
        allowed-address not specified
        physical: vpninternal0
        defrouter not specified
net:
        address not specified
        allowed-address not specified
        physical: vpnvnic0
        defrouter not specified
device:
        match: /dev/lockstat
device:
        match: /dev/tun*

...

this is for a "client" rather than for a "server", but hopefully this will give you some mileage.

Jon

On Mon, 21 Jan 2019 at 08:30, Jonathan Adams wrote:

> I know in the past that I had to pass through specific dev interfaces.
> I'll take a look when I get to work, as I think we still have one box set
> up that way.
> Jon
Re: [oi-dev] OpenVPN in a local zone
I know in the past that I had to pass through specific dev interfaces. I'll take a look when I get to work, as I think we still have one box set up that way.

Jon

On Mon, 21 Jan 2019 07:46 Alexander Pyhalov via oi-dev <oi-dev@openindiana.org> wrote:

> Hi.
> I suppose some of the privileges mentioned in
> /lib/svc/manifest/network/openvpn.xml are not available in zone (look at
> method_credential section).
>
> Best regards,
> Alexander Pyhalov,
> programmer, Telecommunications Infrastructure Department,
> Information and Communication Infrastructure Directorate, Southern Federal University
Re: [oi-dev] OpenVPN in a local zone
Hi.
I suppose some of the privileges mentioned in /lib/svc/manifest/network/openvpn.xml are not available in zone (look at method_credential section).

Best regards,
Alexander Pyhalov,
programmer, Telecommunications Infrastructure Department,
Information and Communication Infrastructure Directorate, Southern Federal University

From: Sven Schmeling
Sent: 18 January 2019 23:36:17
To: OpenIndiana Developer mailing
Subject: [oi-dev] OpenVPN in a local zone

Hello,

I have installed OpenVPN in a local zone.

Starting the service with "svcadm enable svc:/network/openvpn:default" (or rebooting the zone) ends in the maintenance mode:

# svcs openvpn
STATE          STIME    FMRI
maintenance    19:46:37 svc:/network/openvpn:default

cat /var/svc/log/network-openvpn:default.log

[ Jan 18 19:46:37 Enabled. ]
[ Jan 18 19:46:37 Executing start method ("/usr/sbin/openvpn --daemon openvpn --config '/etc/openvpn/openvpn.conf'"). ]
[ Jan 18 19:46:37 svc.startd could not set context for method: ]
setppriv: Not owner
[ Jan 18 19:46:37 Method "start" exited with status 96. ]

Hints to add "limitpriv="default,priv_net_rawaccess" to the zone config were made but don't change the behavior.

Starting openvpn with "/usr/sbin/openvpn --verb 9 --config '/etc/openvpn/openvpn.conf'" on the command line works fine and connections are possible.

Any hints about the "setppriv" error?

--

pkg info openvpn
          Name: network/openvpn
       Summary: OpenVPN is a full-featured open source SSL VPN solution
      Category: Applications/Internet
         State: Installed
     Publisher: openindiana.org
       Version: 2.4.3
        Branch: 2018.0.0.1
Packaging Date: Sun Feb 11 13:19:38 2018
          Size: 1.19 MB
          FMRI: pkg://openindiana.org/network/openvpn@2.4.3-2018.0.0.1:20180211T131938Z
   Project URL: http://openvpn.net
    Source URL: http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.xz

--

Thanks

Sven Schmeling

- --
Sven Schmeling, Oldenburg, Germany
mailto:sven.schmel...@schmeling-ol.de
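The check suggested in the reply above, as an added example that is not part of the thread or of OpenIndiana's tooling: it compares the privileges a manifest requests in method_credential with the privileges available in the zone. The manifest fragment and the zone privilege list are constructed samples; on a real system the list would be the output of `ppriv -l zone` run inside the zone and the manifest would be /lib/svc/manifest/network/openvpn.xml.

```sh
#!/bin/sh
# Added example (not from the thread): list privileges that an SMF
# method_credential requests but the zone's privilege set does not contain.

# Print one normalised name per line from each privileges='...' attribute in
# manifest $1. limit_privileges is deliberately not matched.
manifest_privs() {
    awk '{
        line = " " $0
        while (match(line, /[ \t]privileges=["\047][^"\047]*["\047]/)) {
            n = split(substr(line, RSTART + 13, RLENGTH - 14), p, ",")
            for (i = 1; i <= n; i++) {
                name = tolower(p[i]); gsub(/[ \t]/, "", name)
                sub(/^priv_/, "", name)   # "priv_net_rawaccess" == "net_rawaccess"
                # Set aliases and negated entries are not single privilege names.
                if (name != "" && name !~ /^(basic|all|zone|none)$/ && name !~ /^[!-]/)
                    print name
            }
            line = substr(line, RSTART + RLENGTH)
        }
    }' "$1" | sort -u
}

# Print each privilege requested by manifest $1 that is absent from $2, a file
# holding the output of `ppriv -l zone` run inside the zone.
missing_privs() {
    manifest_privs "$1" | while read -r p; do
        grep -qxF "$p" "$2" || echo "$p"
    done
}

# Constructed samples: NOT the real openvpn.xml nor a real zone's privileges.
tmp=$(mktemp -d)
cat > "$tmp/manifest.xml" <<'EOF'
<exec_method type='method' name='start' exec='/usr/sbin/openvpn' timeout_seconds='60'>
  <method_context>
    <method_credential user='root' group='root'
        limit_privileges=':default'
        privileges='basic,net_privaddr,PRIV_NET_RAWACCESS,sys_net_config'/>
  </method_context>
</exec_method>
EOF
printf '%s\n' file_read file_write net_privaddr net_rawaccess proc_exec \
    proc_fork > "$tmp/zone.privs"

missing_privs "$tmp/manifest.xml" "$tmp/zone.privs"   # prints: sys_net_config
```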
[oi-dev] OpenVPN in a local zone
Hello,

I have installed OpenVPN in a local zone.

Starting the service with "svcadm enable svc:/network/openvpn:default" (or rebooting the zone) ends in the maintenance mode:

# svcs openvpn
STATE          STIME    FMRI
maintenance    19:46:37 svc:/network/openvpn:default

cat /var/svc/log/network-openvpn:default.log

[ Jan 18 19:46:37 Enabled. ]
[ Jan 18 19:46:37 Executing start method ("/usr/sbin/openvpn --daemon openvpn --config '/etc/openvpn/openvpn.conf'"). ]
[ Jan 18 19:46:37 svc.startd could not set context for method: ]
setppriv: Not owner
[ Jan 18 19:46:37 Method "start" exited with status 96. ]

Hints to add "limitpriv="default,priv_net_rawaccess" to the zone config were made but don't change the behavior.

Starting openvpn with "/usr/sbin/openvpn --verb 9 --config '/etc/openvpn/openvpn.conf'" on the command line works fine and connections are possible.

Any hints about the "setppriv" error?

--

pkg info openvpn
          Name: network/openvpn
       Summary: OpenVPN is a full-featured open source SSL VPN solution
      Category: Applications/Internet
         State: Installed
     Publisher: openindiana.org
       Version: 2.4.3
        Branch: 2018.0.0.1
Packaging Date: Sun Feb 11 13:19:38 2018
          Size: 1.19 MB
          FMRI: pkg://openindiana.org/network/openvpn@2.4.3-2018.0.0.1:20180211T131938Z
   Project URL: http://openvpn.net
    Source URL: http://swupdate.openvpn.org/community/releases/openvpn-2.4.3.tar.xz

--

Thanks

Sven Schmeling

- --
Sven Schmeling, Oldenburg, Germany
mailto:sven.schmel...@schmeling-ol.de