Changes between Version 15 and Version 16 of UnprivilegedUser

Timestamp:

02/14/20 17:08:10 (4 years ago)

Author:

grzeg0rz

Comment:

Correction to procedure for unprivileged server

UnprivilegedUser

@@ -255 +255 @@
 I was able to run openvpn from within unprivileged podman container.
 
-1. install podman (https://podman.io/getting-started/installation)
-2. Create Dockerfile (as target unprivileged user)
-
-{{{
-FROM archlinux
-RUN pacman -Sy --noconfirm openvpn
-}}}
-
-3. Build image (as target unprivileged user)
-
-{{{
-podman build -t openvpn .
-}}}
-
-4. Create systemd openvpn.service file (as root)
-
-{{{
+1. Install podman (https://podman.io/getting-started/installation)
+
+2. Create unprivileged user
+
+{{{
+useradd -m openvpn
+# Automatically start-up systemd user instances
+loginctl enable-linger openvpn
+}}}
+
+3. Create directories where configuration, certificates and entrypoint script will be stored
+
+{{{
+mkdir -p /opt/openvpn/server/{ssl,status,ccd}
+}}}
+
+4. Make systemd-networkd to create tun0 which will be required by openvpn in later step
+
+{{{
+cat > /etc/systemd/network/21_openvpn.tun0.netdev<<EOF
+[NetDev]
+Name=tun0
+Kind=tun
+
+[Tun]
+User=openvpn
+Group=openvpn
+EOF
+
+cat > /etc/systemd/network/22_openvpn.tun0.network<<EOF
+[Match]
+Name=tun0
+
+[Network]
+Address=10.254.254.1/24
+
+#KeepConfiguration=yes
+#BindCarrier=yes
+#CriticalConnection=yes
+
+ConfigureWithoutCarrier=yes
+IgnoreCarrierLoss=yes
+IPForward=yes
+
+[Link]
+MTUBytes=1500
+EOF
+
+systemctl restart systemd-networkd
+}}}
+
+5. Use easy-rsa to create your CA authority and all required certificates, at the end of this step you should create ca.crt, ta.key, dh.pem, crl.pem, your_server.key, your_server.crt - copy everything to /opt/openvpn/server/ssl
+
+6. Create /opt/openvpn/server/server.conf - at least following keys should match (below is not a complete conf file, only key options are mentioned)
+
+{{{
+dev tun0
+ca /server/ssl/ca.crt
+cert /server/ssl/your_server.crt
+key /server/ssl/easy-rsa/pki/private/your_server.key
+crl-verify /server/ssl/crl.pem
+dh /server/ssl/dh.pem
+tls-auth /server/ssl/ta.key 0
+server 10.254.254.0 255.255.255.0
+}}}
+
+7. Ensure /opt/openvpn is owned by and can be read only by openvpn:openvpn
+
+8. Create systemd openvpn.service file (as root)
+
+{{{
+cat > /etc/systemd/system/openvpn.service<<EOF
 [Unit]
 Description=OpenVPN in Podman container
@@ -278 +333 @@
 
 [Service]
-User=target_unprivileged_user
-Group=target_unprivileged_group
-ExecStart=/usr/bin/podman run --rm -v /home/target_unprivileged_user/ovpn_config_files/:/ovpn_config_files -p 56787:56787 --device /dev/net/tun --device /dev/null --cap-add CAP_IPC_LOCK,CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SYS_CHROOT,CAP_DAC_OVERRIDE,CAP_AUDIT_WRITE localhost/openvpn:latest /usr/bin/openvpn --config /ovpn_config_files/openvpn_server.conf
-ExecStop=/usr/bin/podman stop -t 0 localhost/openvpn:latest
-Capabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+User=openvpn
+Group=openvpn
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/net/tun rw
+AmbientCapabilities=CAP_MKNOD CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
+WorkingDirectory=/opt/openvpn
+ExecStart=/usr/bin/podman run --rm --name openvpn -v /opt/openvpn/server:/server --network="host" -p 37898:37898 --device /dev/net/tun --device /dev/null --cap-add CAP_IPC_LOCK,CAP_NET_ADMIN,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SYS_CHROOT,CAP_DAC_OVERRIDE,CAP_AUDIT_WRITE archlinux:latest /usr/bin/bash /server/entrypoint.sh
+ExecStop=/usr/bin/podman stop -t 0 openvpn
+ProtectSystem=true
 RestartSec=5s
 Restart=on-failure
+TimeoutSec=5s
 
 [Install]
 WantedBy=multi-user.target
-}}}
-
-5. Drop configuration (openvpn-server.conf) and other required files under /home/target_unprivileged_user/ovpn_config_files, configuration file should have paths relative to podman container (/ovpn_config_files, not /home/target_unprivileged_user/ovpn_config_files); Also note port exposed within systemd service is 56787 (either keep this in mind when writing your configuration file or change systemd service file)
-
-6. Make sure systemd for openvpn user is always started and kept (otherwise podman won't start)
-{{{
-loginctl enable-linger openvpn
-}}}
-
-7. Start the service (as root) - this will result in podman container running as target_unprivileged_user, openvpn port exposed and openvpn available to receive connections
+EOF
+}}}
+
+9. Create /opt/openvpn/server/entrypoint.sh
+
+{{{
+cat > /opt/openvpn/server/entrypoint.sh<<EOF
+#!/bin/bash
+
+pacman -Sy --noconfirm openvpn net-tools nano
+
+# we have done all required network configuration so openvpn does not have to
+cp -p /usr/bin/ip /usr/bin/ip.bak
+echo "#!/bin/bash" > /usr/bin/ip
+echo 'echo "$@" >> /tmp/ip_res' >> /usr/bin/ip
+echo "exit 0" >> /usr/bin/ip
+chmod ugo+x /usr/bin/ip
+
+openvpn --cd /server --config /server/server.conf
+
+EOF
+
+chmod ugo+x /opt/openvpn/server/entrypoint.sh
+}}}
+
+10. Start the service (as root) - this will result in podman container running as openvpn user
 
 {{{