Alpine container with openvpn to connect to an openvpn server gives a permission error
This is my Dockerfile (the original had a typo, WORKDIR /etc/openvn, corrected here to /etc/openvpn):
FROM alpine:edge
COPY openvpn.conf /etc/openvpn/
RUN apk update
RUN mkdir /run/openrc
RUN touch /run/openrc/softlevel
RUN apk add --no-cache bash openssl openrc
WORKDIR /etc/openvpn
RUN apk add openvpn
CMD ["openvpn", "--script-security", "2", "--config", "/etc/openvpn/openvpn.conf"]
I just want a container based on openvpn on Alpine, and I have run into a problem. What I want is for the VPN to run only inside the container, and I should put this openvpn container on the same network as haproxy so that haproxy can reach the VPN.
When I run the container, I end up with a permission denied error.
2021-10-26 20:22:07 Unrecognized option or missing or extra parameter(s) in /etc/openvpn/openvpn.conf:16: block-outside-dns (2.5.3)
2021-10-26 20:22:07 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-26 20:22:07 OpenVPN 2.5.3 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 11 2021
2021-10-26 20:22:07 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-10-26 20:22:07 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2021-10-26 20:22:07 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-10-26 20:22:07 TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:07 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-10-26 20:22:07 UDP link local: (not bound)
2021-10-26 20:22:07 UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:07 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=96fdd334 e322b407
2021-10-26 20:22:07 VERIFY OK: depth=1, CN=ChangeMe
2021-10-26 20:22:07 VERIFY KU OK
2021-10-26 20:22:07 Validating certificate extended key usage
2021-10-26 20:22:07 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-10-26 20:22:07 VERIFY EKU OK
2021-10-26 20:22:07 VERIFY OK: depth=0, CN=server
2021-10-26 20:22:07 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-10-26 20:22:07 [server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:1194
2021-10-26 20:22:09 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
2021-10-26 20:22:09 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 ipv6 bypass-dhcp,dhcp-option DNS 9.9.9.9,dhcp-option DNS 149.112.112.112,tun-ipv6,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig-ipv6 fddd:1194:1194:1194::1003/64 fddd:1194:1194:1194::1,ifconfig 10.8.0.5 255.255.255.0,peer-id 2,cipher AES-256-GCM'
2021-10-26 20:22:09 OPTIONS IMPORT: timers and/or timeouts modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ifconfig/up options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route options modified
2021-10-26 20:22:09 OPTIONS IMPORT: route-related options modified
2021-10-26 20:22:09 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-10-26 20:22:09 OPTIONS IMPORT: peer-id set
2021-10-26 20:22:09 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-10-26 20:22:09 OPTIONS IMPORT: data channel crypto options modified
2021-10-26 20:22:09 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-10-26 20:22:09 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-10-26 20:22:09 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0 HWADDR=02:42:ac:11:00:03
2021-10-26 20:22:09 GDG6: remote_host_ipv6=n/a
2021-10-26 20:22:09 net_route_v6_best_gw query: dst ::
2021-10-26 20:22:09 sitnl_send: rtnl: generic error (-101): Network unreachable
2021-10-26 20:22:09 ROUTE6: default_gateway=UNDEF
2021-10-26 20:22:09 TUN/TAP device tun0 opened
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 1500
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up
2021-10-26 20:22:09 /sbin/ip addr add dev tun0 10.8.0.5/24
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up mtu 1500
2021-10-26 20:22:09 /sbin/ip link set dev tun0 up
2021-10-26 20:22:09 /sbin/ip -6 addr add fddd:1194:1194:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
2021-10-26 20:22:09 Linux ip -6 addr add failed: external program exited with error status: 2
2021-10-26 20:22:09 Exiting due to fatal error
Looking at
Linux ip -6 addr add failed: external program exited with error status: 2
AFAIK Docker runs on IPv4 only by default. Are you also trying to set up OpenVPN with IPv6? Then you probably need to enable IPv6 at the Docker level.
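The log above makes the answer's diagnosis checkable: the IPv4 `ip addr add` on tun0 succeeds, so the container already has the capability to configure interfaces, and only the `ip -6 addr add` fails with "Permission denied", which is exactly what the kernel returns when IPv6 is disabled on the interface (Docker sets net.ipv6.conf.all.disable_ipv6=1 in containers that have no IPv6 enabled). The following preflight script is an added example, not code from the question or the answer: it extracts the failing `ip` sub-command from an OpenVPN log, checks the disable_ipv6 sysctl, and checks CAP_NET_ADMIN in the CapEff line of /proc/self/status. The file paths are parameters so the checks run against constructed sample files here; inside a real container you would point them at /proc/sys/net/ipv6/conf/all/disable_ipv6 and /proc/self/status. The CapEff values in the samples are constructed to match Docker's usual default capability set, with and without NET_ADMIN added.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks that explain
# "RTNETLINK answers: Permission denied" when OpenVPN runs `ip -6 addr add`
# inside a container. All paths are parameters so the functions can be run
# against constructed sample files as well as the real /proc entries.

# Extract the ip(8) sub-command OpenVPN reports as failed, e.g. "ip -6 addr add".
failed_ip_cmd() {
    sed -n 's/.*Linux \(ip [^:]*\) failed:.*/\1/p' "$1" | head -n 1
}

# True when the sysctl file reads 1 (IPv6 disabled, Docker's default without --ipv6).
ipv6_disabled() {
    [ "$(tr -d ' \n' < "$1")" = "1" ]
}

# True when CAP_NET_ADMIN (capability bit 12, mask 0x1000) is in the CapEff line.
has_net_admin() {
    capeff=$(sed -n 's/^CapEff:[[:space:]]*//p' "$1")
    [ -n "$capeff" ] || return 1
    [ $(( 0x$capeff & 0x1000 )) -ne 0 ]
}

# Combine the checks into one diagnosis string: log file, sysctl file, status file.
diagnose() {
    log=$1; sysctl_file=$2; status_file=$3
    cmd=$(failed_ip_cmd "$log")
    [ -n "$cmd" ] || { echo "ok"; return 0; }
    case "$cmd" in
        "ip -6 "*)
            # An IPv6-only failure with the sysctl set is the case in the question.
            if ipv6_disabled "$sysctl_file"; then echo "ipv6-disabled"; return 0; fi ;;
    esac
    if ! has_net_admin "$status_file"; then echo "missing-net-admin"; return 0; fi
    echo "other-failure:$cmd"
}

# Write constructed sample inputs into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # Constructed excerpt mirroring the failing lines from the question's log.
    cat > "$d/openvpn.log" <<'EOF'
2021-10-26 20:22:09 /sbin/ip -6 addr add fddd:1194:1194:1194::1003/64 dev tun0
RTNETLINK answers: Permission denied
2021-10-26 20:22:09 Linux ip -6 addr add failed: external program exited with error status: 2
2021-10-26 20:22:09 Exiting due to fatal error
EOF
    echo 1 > "$d/disable_ipv6_on"    # value Docker sets when IPv6 is not enabled
    echo 0 > "$d/disable_ipv6_off"
    # Constructed CapEff values: Docker's usual default set, then the same with NET_ADMIN (0x1000) added.
    printf 'Name:\topenvpn\nCapEff:\t00000000a80425fb\n' > "$d/status_default"
    printf 'Name:\topenvpn\nCapEff:\t00000000a80435fb\n' > "$d/status_netadmin"
    echo "$d"
}

# Stand-alone demo on the constructed samples; prints "ipv6-disabled".
samples=$(make_samples)
diagnose "$samples/openvpn.log" "$samples/disable_ipv6_on" "$samples/status_default"
rm -rf "$samples"
```

If the script reports `ipv6-disabled`, the fix is the one the answer points at: enable IPv6 for the container (for example `docker run --sysctl net.ipv6.conf.all.disable_ipv6=0 ...`, or IPv6 on the Docker network) or drop the IPv6 parts of the VPN configuration; if it reports `missing-net-admin`, the container lacks the capability needed to configure tun0 at all, which is not what this log shows.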