"ping: socket: Operation not permitted" inside namespace #103

Open
G4Zz0L1 opened this issue Sep 9, 2021 · 4 comments

G4Zz0L1 commented Sep 9, 2021

Hi,
I'm using a custom VPN, with the method described in the user guide, but I don't have a connection inside the namespace.
Inside the namespace I can't ping (with the error in the title) and outside I can't ping the IP of the namespace.
There are some errors in the iptables section, but I don't know if they're related.
Here's the full log of the command I'm using (with some data masked).
Let me know if you need something else to debug this out.

❯ vopono -v exec --custom ~/openvpn/custom.ovpn --protocol openvpn "zsh"
 2021-09-09T07:50:05.702Z DEBUG vopono::util > Using config dir from XDG dirs: /home/user/.config
 2021-09-09T07:50:05.707Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-09-09T07:50:05.707Z INFO  vopono::util       > Calling sudo for elevated privileges, current user will be used as default user
 2021-09-09T07:50:05.707Z DEBUG vopono::util       > Args: ["vopono", "-v", "exec", "--custom", "/home/user/openvpn/custom.ovpn", "--protocol", "openvpn", "zsh"]
[sudo] password di user: 
 2021-09-09T07:50:08.990Z DEBUG vopono::util > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:08.994Z DEBUG vopono::pulseaudio > Setting PULSE_SERVER to /run/user/1000/pulse/native
 2021-09-09T07:50:08.994Z DEBUG vopono::util       > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:08.995Z DEBUG vopono::util       > Existing namespaces: []
 2021-09-09T07:50:08.995Z DEBUG vopono::util       > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:08.995Z DEBUG vopono::util       > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:08.997Z DEBUG vopono::exec       > vopono config.toml: configuration property "firewall" not found
 2021-09-09T07:50:08.997Z DEBUG vopono::exec       > vopono config.toml: configuration property "postup" not found
 2021-09-09T07:50:08.997Z DEBUG vopono::exec       > vopono config.toml: configuration property "predown" not found
 2021-09-09T07:50:08.997Z DEBUG vopono::exec       > vopono config.toml: configuration property "user" not found
 2021-09-09T07:50:08.997Z DEBUG vopono::exec       > vopono config.toml: configuration property "dns" not found
 2021-09-09T07:50:08.997Z DEBUG vopono::network_interface > ip addr
 2021-09-09T07:50:08.998Z DEBUG vopono::exec              > Interface: enp6s0
 2021-09-09T07:50:08.999Z DEBUG vopono::util              > Existing namespaces: []
 2021-09-09T07:50:08.999Z DEBUG vopono::util              > ip netns add vopono_custom_cust
 2021-09-09T07:50:08.999Z INFO  vopono::netns             > Created new network namespace: vopono_custom_cust
 2021-09-09T07:50:09.000Z DEBUG vopono::util              > Existing interfaces: 11: vethf48bd33@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-042507644f54 state UP group default 
    link/ether d6:bf:7e:e2:dd:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::d4bf:7eff:fee2:dda7/64 scope link 
       valid_lft forever preferred_lft forever
13: vethc0970f6@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-eff6729b5c73 state UP group default 
    link/ether aa:a9:db:9b:d1:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::a8a9:dbff:fe9b:d1a7/64 scope link 
       valid_lft forever preferred_lft forever
15: veth67c4805@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-b371456cf59d state UP group default 
    link/ether 12:50:7c:dc:6f:9a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::1050:7cff:fedc:6f9a/64 scope link 
       valid_lft forever preferred_lft forever
17: vethcef0633@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1d2a79838941 state UP group default 
    link/ether 96:d4:49:33:12:f5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::94d4:49ff:fe33:12f5/64 scope link 
       valid_lft forever preferred_lft forever

 2021-09-09T07:50:09.001Z DEBUG vopono::util              > Assigned IPs: []
 2021-09-09T07:50:09.001Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip addr add 127.0.0.1/8 dev lo
 2021-09-09T07:50:09.002Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip link set lo up
STATE      CONNECTIVITY  WIFI-HW    WIFI          WWAN-HW    WWAN      
collegato  pieno         abilitato  disabilitato  abilitato  abilitato 
 2021-09-09T07:50:09.014Z DEBUG vopono::veth_pair         > Detected NetworkManager running
 2021-09-09T07:50:09.014Z DEBUG vopono::veth_pair         > NetworkManager detected, adding custom_cust_d to unmanaged devices
 2021-09-09T07:50:09.014Z DEBUG vopono::veth_pair         > Creating new NetworkManager config file: /etc/NetworkManager/conf.d/unmanaged.conf
 2021-09-09T07:50:09.014Z DEBUG vopono::util              > nmcli connection reload
 2021-09-09T07:50:09.029Z DEBUG vopono::veth_pair         > firewalld not detected running
 2021-09-09T07:50:09.029Z DEBUG vopono::util              > ip link add custom_cust_d type veth peer name custom_cust_s
 2021-09-09T07:50:09.029Z DEBUG vopono::util              > ip link set custom_cust_d up
 2021-09-09T07:50:09.030Z DEBUG vopono::util              > ip link set custom_cust_s netns vopono_custom_cust up
 2021-09-09T07:50:09.073Z DEBUG vopono::util              > ip addr add 10.200.1.1/24 dev custom_cust_d
 2021-09-09T07:50:09.074Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip addr add 10.200.1.2/24 dev custom_cust_s
 2021-09-09T07:50:09.075Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip route add default via 10.200.1.1 dev custom_cust_s
 2021-09-09T07:50:09.076Z INFO  vopono::netns             > IP address of namespace as seen from host: 10.200.1.2
 2021-09-09T07:50:09.076Z INFO  vopono::netns             > IP address of host as seen from namespace: 10.200.1.1
 2021-09-09T07:50:09.076Z DEBUG vopono::util              > iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o enp6s0 -j MASQUERADE
 2021-09-09T07:50:09.076Z DEBUG vopono::util              > iptables -I FORWARD -i custom_cust_d -o enp6s0 -j ACCEPT
 2021-09-09T07:50:09.077Z DEBUG vopono::util              > iptables -I FORWARD -o custom_cust_d -i enp6s0 -j ACCEPT
 2021-09-09T07:50:09.078Z DEBUG vopono::util              > sysctl -q net.ipv4.ip_forward=1
 2021-09-09T07:50:09.078Z DEBUG vopono::dns_config        > Setting namespace vopono_custom_cust DNS server to 8.8.8.8
 2021-09-09T07:50:09.079Z INFO  vopono::openvpn           > Launching OpenVPN...
 2021-09-09T07:50:09.079Z DEBUG vopono::openvpn           > Found remotes: [Remote { host: IPv4(123.123.123.123), port: 1194, protocol: TCP }, Remote { host: Hostname("my-server-2"), port: 1194, protocol: TCP }]
 2021-09-09T07:50:09.079Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust openvpn --config /home/user/openvpn/custom.ovpn --machine-readable-output --log /etc/netns/vopono_custom_cust/openvpn.log
 2021-09-09T07:50:09.083Z DEBUG vopono::openvpn           > "1631173809.083691 40 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.\n"
 2021-09-09T07:50:09.083Z DEBUG vopono::openvpn           > "1631173809.083749 1 OpenVPN 2.5.3 [git:makepkg/ecaf88f8a4e75856+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 18 2021\n"
 2021-09-09T07:50:09.083Z DEBUG vopono::openvpn           > "1631173809.083754 1 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084058 14000002 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084062 14000002 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084308 1 TCP/UDP: Preserving recently used remote address: [AF_INET]123.123.123.123:1194\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084314 2b000003 Socket Buffers: R=[1048576->1048576] S=[1048576->1048576]\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084316 1 UDP link local: (not bound)\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084317 1 UDP link remote: [AF_INET]123.123.123.123:1194\n"
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084319 1 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay\n"
 2021-09-09T07:50:09.224Z DEBUG vopono::openvpn           > "1631173809.224451 14000003 TLS: Initial packet from [AF_INET]123.123.123.123:1194, sid=68f7eeb1 916f49df\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288401 14000002 VERIFY OK: depth=1, C=IT, ST=FM, L=city, O=custom, OU=org, CN=custom CA, name=server, [email protected]\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288476 14000002 VERIFY KU OK\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288480 14000002 Validating certificate extended key usage\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288482 14000002 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288483 14000002 VERIFY EKU OK\n"
 2021-09-09T07:50:09.288Z DEBUG vopono::openvpn           > "1631173809.288484 14000002 VERIFY OK: depth=0, C=IT, ST=FM, L=city, O=custom, OU=org, CN=server, name=server, [email protected]\n"
 2021-09-09T07:50:09.380Z DEBUG vopono::openvpn           > "1631173809.380524 40 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1569', remote='link-mtu 1570'\n"
 2021-09-09T07:50:09.380Z DEBUG vopono::openvpn           > "1631173809.380552 40 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'\n"
 2021-09-09T07:50:09.380Z DEBUG vopono::openvpn           > "1631173809.380575 14000002 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256\n"
 2021-09-09T07:50:09.380Z DEBUG vopono::openvpn           > "1631173809.380586 1 [server] Peer Connection Initiated with [AF_INET]123.123.123.123:1194\n"
 2021-09-09T07:50:10.459Z DEBUG vopono::openvpn           > "1631173810.459692 22000003 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608688 22000003 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 123.123.111.111,dhcp-option DNS 123.123.222.222,compress lz4-v2,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.6 255.255.255.0,peer-id 4,cipher AES-256-GCM'\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > Found OpenVPN DNS response: 123.123.111.111
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > Set OpenVPN DNS to: 123.123.111.111
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608723 40 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless \"allow-compression yes\" is also set.\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608748 22000003 OPTIONS IMPORT: timers and/or timeouts modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608750 22000003 OPTIONS IMPORT: compression parms modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608752 22000003 OPTIONS IMPORT: --ifconfig/up options modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608753 22000003 OPTIONS IMPORT: route options modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608755 22000003 OPTIONS IMPORT: route-related options modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608756 22000003 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608757 22000003 OPTIONS IMPORT: peer-id set\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608760 22000003 OPTIONS IMPORT: adjusting link_mtu to 1624\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608762 22000003 OPTIONS IMPORT: data channel crypto options modified\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608765 14000002 Data Channel: using negotiated cipher 'AES-256-GCM'\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608806 14000002 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608809 14000002 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608821 3 net_route_v4_best_gw query: dst 0.0.0.0\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608874 3 net_route_v4_best_gw result: via 10.200.1.1 dev custom_cust_s\n"
 2021-09-09T07:50:10.608Z DEBUG vopono::openvpn           > "1631173810.608889 3 ROUTE_GATEWAY 10.200.1.1/255.255.255.0 IFACE=custom_cust_s HWADDR=a6:24:c2:fd:4d:5f\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612286 1 TUN/TAP device tun0 opened\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612299 1 net_iface_mtu_set: mtu 1500 for tun0\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612314 1 net_iface_up: set tun0 up\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612450 1 net_addr_v4_add: 10.8.0.6/24 dev tun0\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612483 3 net_route_v4_add: 123.123.123.123/32 via 10.200.1.1 dev [NULL] table 0 metric -1\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612495 3 net_route_v4_add: 0.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612503 3 net_route_v4_add: 128.0.0.0/1 via 10.8.0.1 dev [NULL] table 0 metric -1\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612514 1 GID set to nobody\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612518 1 UID set to nobody\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612521 40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > "1631173810.612524 1 Initialization Sequence Completed\n"
 2021-09-09T07:50:10.612Z DEBUG vopono::openvpn           > Setting OpenVPN killswitch....
 2021-09-09T07:50:10.612Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -P INPUT DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.613Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -P FORWARD DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.614Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -P OUTPUT DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.615Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.615Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A INPUT -i lo -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.616Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A INPUT -i tun+ -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.617Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -o lo -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.617Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.618Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.619Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.620Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -o tun+ -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.620Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.621Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -P INPUT DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.622Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -P FORWARD DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.622Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -P OUTPUT DROP
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.623Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.624Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A INPUT -i lo -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.625Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A INPUT -i tun+ -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.625Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -o lo -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.626Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.627Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -o tun+ -j ACCEPT
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
 2021-09-09T07:50:10.628Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
ip6tables v1.8.7 (legacy): unknown reject type "icmp-net-unreachable"
Try `ip6tables -h' or 'ip6tables --help' for more information.
 2021-09-09T07:50:10.630Z DEBUG vopono::exec              > Checking that OpenVPN is running in namespace: vopono_custom_cust
 2021-09-09T07:50:11.148Z DEBUG vopono::dns_config        > Setting namespace vopono_custom_cust DNS server to 123.123.111.111
 2021-09-09T07:50:11.149Z DEBUG vopono::util              > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:11.149Z DEBUG vopono::netns             > Writing lockfile: /home/user/.config/vopono/locks/vopono_custom_cust
 2021-09-09T07:50:11.149Z DEBUG vopono::netns             > Lockfile written: /home/user/.config/vopono/locks/vopono_custom_cust/152282
 2021-09-09T07:50:11.149Z DEBUG vopono::util              > Using config dir from $SUDO_USER config: /home/user/.config
 2021-09-09T07:50:11.165Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust sudo -Eu user zsh
 2021-09-09T07:50:11.165Z INFO  vopono::exec              > Application zsh launched in network namespace vopono_custom_cust with pid 152540
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
❯ ping 8.8.8.8
ping: socket: Operazione non permessa

Owner

jamesmcm commented Sep 9, 2021

Hey,

Try running it with --no-killswitch and also use sudo ping as you might need root access to ping - see MichaIng/DietPi#1012. I'm not sure why this changes when you run a shell, but it must be related to the capabilities settings that the distro puts on ping normally.

Author

G4Zz0L1 commented Sep 9, 2021

With the --no-killswitch option it works (even in a new Firefox instance, I have the VPN IP).
What does that option do, if I may? Is it safe to turn on every time I use vopono?
BTW I'm on Arch Linux, ping should have normal privileges.

Owner

jamesmcm commented Sep 9, 2021

It adds extra firewall rules to stop anything from communicating to the internet without using the VPN from inside the namespace. So like if OpenVPN died for example, it stops it from trying to reconnect via your normal connection.

Specifically above it seems the issue is one of the iptables rules, although I'm not sure why only that one would cause it not to be able to connect:

 2021-09-09T07:50:10.628Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
ip6tables v1.8.7 (legacy): unknown reject type "icmp-net-unreachable"
Try `ip6tables -h' or 'ip6tables --help' for more information.

The simplest solution (unless you're using iptables for other things) would be to install nftables and try that:

sudo pacman -S nftables

vopono will use that by default where available.
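
An added example (not part of the thread and not vopono's own code) that audits the killswitch commands recorded in a `vopono -v` log like the one above: it flags a `--reject-with` value that does not belong to the address family of the tool, reports rules that were never installed together with the chain policy that applies instead, and compares the transport OpenVPN logged with the protocol the killswitch ACCEPT rule permits. The function name `audit` and the finding labels are hypothetical.

```python
import re

# --reject-with names per family as documented in iptables-extensions(8);
# short aliases such as "net-unreach" are deliberately left out here.
REJECT_TYPES = {
    "iptables": {"icmp-net-unreachable", "icmp-host-unreachable",
                 "icmp-port-unreachable", "icmp-proto-unreachable",
                 "icmp-net-prohibited", "icmp-host-prohibited",
                 "icmp-admin-prohibited", "tcp-reset"},
    "ip6tables": {"icmp6-no-route", "no-route", "icmp6-adm-prohibited",
                  "adm-prohibited", "icmp6-addr-unreachable", "addr-unreach",
                  "icmp6-port-unreachable", "tcp-reset"},
}
CMD = re.compile(r"> ip netns exec \S+ (ip6?tables) (.+)$")
ERR = re.compile(r"^(ip6?tables) v\S+(?: \([^)]*\))?: (.+)$")
LINK = re.compile(r"\b(UDP|TCP)\w* link remote: \S+:(\d+)")
ALLOW = re.compile(r"-A OUTPUT -p (\w+) .*--dport (\d+) -j ACCEPT")

# Lines copied (abridged) from the log posted in this issue.
SAMPLE_LOG = r'''
 2021-09-09T07:50:09.084Z DEBUG vopono::openvpn           > "1631173809.084317 1 UDP link remote: [AF_INET]123.123.123.123:1194\n"
 2021-09-09T07:50:10.614Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -P OUTPUT DROP
 2021-09-09T07:50:10.618Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -p tcp -m tcp --dport 1194 -j ACCEPT
 2021-09-09T07:50:10.620Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust iptables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
 2021-09-09T07:50:10.622Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -P OUTPUT DROP
 2021-09-09T07:50:10.628Z DEBUG vopono::netns             > ip netns exec vopono_custom_cust ip6tables -A OUTPUT -j REJECT --reject-with icmp-net-unreachable
Bind /etc/netns/vopono_custom_cust/openvpn.log -> /etc/openvpn.log failed: No such file or directory
ip6tables v1.8.7 (legacy): unknown reject type "icmp-net-unreachable"
'''


def audit(log_text):
    """Return findings about the killswitch rules recorded in a vopono -v log."""
    findings, policy, allowed = [], {}, set()
    link = last = None
    for line in log_text.splitlines():
        line = line.strip()
        if m := LINK.search(line):
            # Transport and port OpenVPN actually used for the tunnel.
            link = (m.group(1).lower(), m.group(2))
        if m := CMD.search(line):
            tool, args = last = m.groups()
            if p := re.match(r"-P (\w+) (\w+)", args):
                policy[tool, p.group(1)] = p.group(2)
            if a := ALLOW.search(args):
                allowed.add(a.groups())
            r = re.search(r"--reject-with (\S+)", args)
            if r and r.group(1) not in REJECT_TYPES[tool]:
                findings.append(("wrong-family-reject-type", tool, r.group(1)))
        elif (e := ERR.match(line)) and last and e.group(1) == last[0]:
            # The tool printed an error, so the preceding rule was never
            # installed; unmatched packets fall through to the chain policy
            # (ACCEPT unless an earlier -P command in the log changed it).
            c = re.search(r"-[AIP] (\w+)", last[1])
            chain = c.group(1) if c else "?"
            findings.append(("rule-not-installed", last[0], chain,
                             policy.get((last[0], chain), "ACCEPT")))
    if link and allowed and link not in allowed:
        findings.append(("transport-not-allowed", link, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the lines above it reports the ip6tables REJECT rule as not installed while the ip6tables OUTPUT policy is still DROP, and a UDP link to port 1194 against an allow rule that only covers TCP.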

Author

G4Zz0L1 commented Sep 9, 2021

I use iptables for fail2ban and custom rules to block some iplist with ufw.
From what I see, I should move everything to nftables, but it will take some time (and I don't know if everything I have can be replicated over there).
In the meantime, if it's not a problem, I think I'll continue to use the killswitch option to use vopono.
