Can openvpn (client) be set up completely sandboxed/no-root? Anyone have links to a guide for doing so?
What I'd really want is to just pick a fake local ip and the networks I want to route, and have the vpn client nat-in-userspace.
-
The threat model is a compromised remote injecting malicious network configuration to client.
-
You'd still need some routes or rules to send traffic down the vpn interface.
-
Right but they'd be static and independent of anything the server assigns. client-nat option seems promising...
-
But I don't see any way to make the client-nat option nat to the remote-assigned ip...
-
Yeah, I'm not sure you'll be able to make it work. On a different note, does this have to be openvpn?
-
Yes, server is openvpn. Only viable solution I'm seeing without major coding is stuffing it in a container...
-
oh I have a container for that, and fear not it uses alpine
-
I think @jpetazzo made this one: https://github.com/jessfraz/dockerfiles/blob/master/openvpn/README.md … and you can --net container:openvpn too
-
That one adds server-provided ips/routes to the host, which is exactly what I'm trying to avoid.