Can openvpn (client) be set up completely sandboxed/no-root? Anyone have links to a guide for doing so?
Replying to @RichFelker
To clarify: setting up interfaces/routes as root is no problem, but I don't want any of the protocol/transport/etc. code running as root.
Replying to @RichFelker
Use setcap, seccomp-bpf and AppArmor/MAC. I don't know of any good public how-to for OpenVPN? I should probably post it...
Replying to @dyn___
I think you missed the point; see the whole thread. Giving non-root openvpn caps to let it change net ifs is not what I want.
Replying to @RichFelker
Are you talking about tun/tap? With what I mentioned you can run the OpenVPN binary without root.
Replying to @dyn___ @RichFelker
Could also drop any root caps after it adds routes via net_admin? Or wrap it in a new userns?
Replying to @dyn___
By the time it does that it's already had complex interaction with untrusted remote while running as root.
But more fundamentally I don't want it adding routes under the remote's control. I want to use static addrs/routes & nat to remote.