systemd units and config templates to start OpenConnect as a non-root inside a namespace.
Notes
This approach is not compatible with systemd-networkd. You need to remove "resolve" from /etc/nsswitch.conf to stop using systemd-networkd to have DNS working inside namespace, as well as not have 127.0.0.53 in /etc/resolv.conf. It might as well make sense to stop & disable systemd-networkd. You need to use vpnc-script which is not aware of systemd-networkd (shipped with vpnc as of May 2017), modified versions which communicate with systemd-networkd will fail (such as patched script from openconnect vpnc-scripts repo), you may need to modify such script to use resolvconf instead. The "netns@.service" unit ensures that a separate resolve.conf is used inside the namespace, allowing DNS to work as expected both inside VPN and outside VPN.
Usage
- Put files into
/etc
:cp -r etc/* /etc
. - Rename all files with
example
by replacingexample
with a desired name for the VPN connection. You will use this new name to start the unit. I will usemyconn
in this readme. - Modify
/etc/openconnect/myconn.conf
,/etc/openconnect/myconn.systemd-env
and/etc/netns-veth.myconn.systemd-env
to match your VPN configuration and system environment./etc/netns-veth.myconn.systemd-env
is used for veth setup, make sure the IPs and netmask there do not collide with your local or VPN networks. - Ensure that the user defined in
/etc/openconnect/myconn.systemd-env
has automatic passwordless token generation properly configured (for ex. if using stoken, ensure that ~/.stokenrc is present and thatstoken
does not request a password or PIN) and that tokentype is correct in/etc/openconnect/myconn.conf
(tokentype=rsa
will use stoken) - Use visudo to allow your user to run
/etc/vpnc/vpnc-script
(or any other script defined in/etc/openconnect/myconn.conf
inscript=
line) without password and with allowed -E option. Add:%sudo ALL=(ALL) NOPASSWD:SETENV: /etc/vpnc/vpnc-script
- Give /usr/bin/openconnect network admin capabilities:
sudo setcap cap_net_admin+ep /usr/bin/openconnect
. # sudo systemctl daemon-reload
# sudo systemctl start openconnect-ns@myconn
- Check that everything works - you should have
myconn
in output of "# ip netns", and you should have openconnect running inside this namespace. You should be able to access VPN resources from a console started like soip netns exec myconn bash
. You can use https://github.com/f3flight/netns-exec to spawn broswer or other apps inside this namespace. - Use
# sudo systemctl enable openconnect-ns@myconn
to start this VPN automatically at boot, if desired. - Enjoy.
Start a shell with VPN access as a current user:
sudo ip netns exec myconn sudo -u $(whoami) -i
or netns-exec myconn bash
if https://github.com/f3flight/netns-exec is installed (uses sticky bit to execute as root).
Start a separate window of Chromium inside namespace:
- Install https://github.com/f3flight/netns-exec which helps passing dbus into namepsace.
- Create a new folder for user data. Chromium cannot reuse the same user folder.
- It is possible to copy current user data dir to retain configuration, but syncronisation of these folders my be a problem.
nohup netns-exec myconn chromium --user-data-dir=/home/myuser/my-new-chromium-data-dir &
No comments:
Post a Comment