Re: [systemd-devel] Run OpenVPN unprivileged as systemd user service

2018-11-01 Thread Cristian Rodríguez

On 01-11-2018 at 9:41, Paul Menzel wrote:

> If yes, do you have any hints before I start to dig into that?

Opening TUN/TAP interfaces and changing routing is a privileged operation.

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


Re: [systemd-devel] Run OpenVPN unprivileged as systemd user service

2018-11-01 Thread Király , István
Hello Paul, ...

As one option, it is possible to spin up a systemd-nspawn container, run
the openvpn server in there with its own networking namespace, and map the
port of the openvpn server to the host.
You can make all kinds of scenarios, ...

Greetings, ...


Paul Menzel wrote (at 2018 Nov 1, Thu, 13:41):

> Dear systemd folks,
>
> Our users sometimes need to access the internal network of another
> organization, but unfortunately SSH access is blocked, and it’s only possible
> over OpenVPN. With that, they could use their browser and SSH to access the
> internal network.
>
> Due to security reasons, we do not want to allow OpenVPN on our systems, and
> wonder if a systemd user service would enable us to run OpenVPN unprivileged
> for a user, so that the user has no chance of disturbing other users.
>
> OpenVPN provides systemd units [1].
>
> Do you think it’d be easily possible that OpenVPN sets up the connection in a
> separate network namespace, and the user can enter that namespace and start
> SSH and a browser from there?
>
> If yes, do you have any hints before I start to dig into that?
>
> Kind regards,
>
> Paul
>
> [1]: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/


-- 
 Király István
+36 209 753 758
lak...@d250.hu



[systemd-devel] Run OpenVPN unprivileged as systemd user service

2018-11-01 Thread Paul Menzel
Dear systemd folks,


Our users sometimes need to access the internal network of another
organization, but unfortunately SSH access is blocked, and it’s only possible
over OpenVPN. With that, they could use their browser and SSH to access the
internal network.

Due to security reasons, we do not want to allow OpenVPN on our systems, and
wonder if a systemd user service would enable us to run OpenVPN unprivileged
for a user, so that the user has no chance of disturbing other users.

OpenVPN provides systemd units [1].

Do you think it’d be easily possible that OpenVPN sets up the connection in a
separate network namespace, and the user can enter that namespace and start
SSH and a browser from there?

If yes, do you have any hints before I start to dig into that?


Kind regards,

Paul


[1]: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/
# Client unit (from [1])
[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/local/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target

# Server unit (from [1])
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/local/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target
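Paul's namespace idea, worked through as an added example that is not part of this thread or of the OpenVPN project: an OpenVPN --up/--down hook that keeps the tun device, its addresses, the default route and any pushed DNS servers inside a dedicated network namespace instead of the host's tables. The hook's own knobs (NS, NETNS_ETC, DRY_RUN) are assumptions of this script; the environment variables it reads are the ones OpenVPN exports to scripts.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): an OpenVPN
# --up/--down hook that moves the tunnel into its own network namespace, so the
# VPN's routes and pushed DNS never touch the host tables. openvpn still needs
# CAP_NET_ADMIN and is started with --ifconfig-noexec --route-noexec
# --script-security 2 --up HOOK --down HOOK; it exports script_type, dev,
# tun_mtu, ifconfig_local/_remote/_netmask, route_vpn_gateway, foreign_option_N.
# NS, NETNS_ETC and DRY_RUN are this script's own (assumed) knobs.
set -eu
NS="${NS:-vpn}"
NETNS_ETC="${NETNS_ETC:-/etc/netns}"   # ip-netns(8) bind-mounts files from here
# Run a command, or only print it when DRY_RUN=1 (review before trusting it).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Turn pushed "dhcp-option DNS/DOMAIN ..." options into resolv.conf lines.
vpn_netns_resolvconf() {
    i=1
    while eval "opt=\${foreign_option_$i:-}" && [ -n "$opt" ]; do
        case "$opt" in
            "dhcp-option DNS "*)    echo "nameserver ${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) echo "search ${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

vpn_netns_up() {
    run ip netns add "$NS"      # fails on a stale namespace; the down hook removes it
    run ip -n "$NS" link set dev lo up
    # Move the tun device openvpn created in the host namespace, then address it.
    run ip link set dev "$dev" netns "$NS"
    run ip -n "$NS" link set dev "$dev" mtu "${tun_mtu:-1500}" up
    if [ -n "${ifconfig_netmask:-}" ]; then   # topology subnet
        run ip -n "$NS" addr add "$ifconfig_local/$ifconfig_netmask" dev "$dev"
    else                                      # topology p2p / net30
        run ip -n "$NS" addr add "$ifconfig_local" peer "$ifconfig_remote" dev "$dev"
    fi
    # The default route exists only inside the namespace.
    run ip -n "$NS" route add default via "${route_vpn_gateway:-$ifconfig_remote}" dev "$dev"
    # $NETNS_ETC/<NS>/resolv.conf is what `ip netns exec` shows as /etc/resolv.conf.
    resolv=$(vpn_netns_resolvconf)
    if [ -n "$resolv" ] && [ "${DRY_RUN:-0}" != 1 ]; then
        mkdir -p "$NETNS_ETC/$NS" && printf '%s\n' "$resolv" > "$NETNS_ETC/$NS/resolv.conf"
    fi
}

vpn_netns_down() { run ip netns del "$NS"; run rm -f "$NETNS_ETC/$NS/resolv.conf"; }

case "${script_type:-}" in up) vpn_netns_up ;; down) vpn_netns_down ;; esac
```

Cristian's point still applies: creating the namespace and moving the device need CAP_NET_ADMIN, and entering the namespace (setns) needs CAP_SYS_ADMIN, so the unprivileged user still needs a narrowly scoped privileged helper (for example a sudo rule that only allows entering that one namespace). The namespace confines the tunnel's routing and DNS, not the user.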

