cenk1cenk2 / docker-softether-vpnsrv

SoftEther VPN Server with DNSMASQ DHCP Server or bridge mode connection for VPN-to-site setup.
29 stars 15 forks

running without `--privileged` #20

Closed ghost closed 2 years ago

ghost commented 2 years ago

These are the minimal capabilities required to run:

sudo podman run \
--device /dev/net/tun \
--cap-drop all --cap-add cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_net_bind_service \
...
docker.io/cenk1cenk2/softether-vpnsrv:latest

Rootful is still required, but now that only the necessary capabilities are granted it should be more secure than running with full privileges. I don't know how Docker works with the above options, but podman works just fine.

I didn't do more testing and don't know if the network bridge works (the local network bridges button in VPN manager is not grayed out, so it should work). But there's a capsh utility to help with working with capabilities.

--privileged should be avoided if possible: https://www.redhat.com/sysadmin/privileged-flag-container-engines

As a security engineer, I actually do not like users running with the --privileged mode. I wish they would figure out what privileges their container requires and run with as much security as possible, or better yet, they would redesign their application to run without requiring as many privileges.

cenk1cenk2 commented 2 years ago

Hey @thjderjktyrjkt,

Thank you for informing me of this! I had been lazy and did not dig deeper into finding the right permissions a couple of years ago, so it stayed as it is.

I will add this to the README and update the relevant documentation.

This repository will have a big overhaul soon since my intended use case has now changed and I want to do a Linux network bridge for providing access directly to the network.

malikshi commented 2 years ago

docker create \
--name=softether-vpnsrv \
-e TZ=Asia/Seoul \
-e SRVIPSUBNET=10.10.0 \
-e SRVIPNETMASK=255.255.255.0 \
-e DHCP_LEASE=168h \
-p 110:110/tcp \
-p 992:992/tcp \
-p 5555:5555/tcp \
-p 1194:1194/udp \
-p 54783:54783/udp \
-p 25000:25000/udp \
-p 500:500/udp \
-p 4500:4500/udp \
-p 1701:1701/tcp \
-v /etc/letsencrypt/:/etc/letsencrypt/ \
-v /etc/ssl/:/etc/ssl/ \
--restart unless-stopped \
--device /dev/net/tun \
--cap-drop all --cap-add cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_net_bind_service \
cenk1cenk2/softether-vpnsrv:edge

with error messages:

Error response from daemon: invalid CapAdd: unknown capability: "CAP_SETGID,CAP_SETUID,CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE"
Error response from daemon: No such container: softether-vpnsrv
Error: failed to start containers: softether-vpnsrv

What am I doing wrong?

ghost commented 2 years ago

@malikshi I don't use Docker, but here are a few suggestions:

Root (sudo) may be required for additional capabilities (or it may be different in Docker).

Also, seeing this:

Error response from daemon: invalid CapAdd: unknown capability: "CAP_SETGID,CAP_SETUID,CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE"

I think you should try removing the cap_ string:

--cap-drop all --cap-add setgid,setuid,net_admin,net_raw,net_bind_service

If it still doesn't work, then I don't know how to fix it.

malikshi commented 2 years ago

@thjderjktyrjkt I already have a solution for those problems.

...
--device /dev/net/tun \
--cap-add={SETGID,SETUID,NET_ADMIN,NET_RAW,NET_BIND_SERVICE} \
...
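The Docker/podman difference that tripped this thread (Docker rejects a comma-separated `--cap-add` value as one unknown capability, while podman splits on commas), as an added example that is not part of the issue or the repository: a small POSIX shell script that emits one `--cap-add=NAME` flag per capability so either engine accepts the list, and computes the `CapEff` mask the container should then show in `/proc/1/status`, so an operator can verify that only the five capabilities from this thread are effective. The capability bit numbers come from `<linux/capability.h>`; the function names are this example's own.

```shell
set -eu

# Bit numbers from <linux/capability.h> for the capabilities granted in this thread.
cap_bit() {
  case "$1" in
    SETGID) echo 6 ;;
    SETUID) echo 7 ;;
    NET_BIND_SERVICE) echo 10 ;;
    NET_ADMIN) echo 12 ;;
    NET_RAW) echo 13 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# Normalise "cap_net_admin" / "NET_ADMIN" / "CAP_NET_ADMIN" to "NET_ADMIN".
normalize_cap() {
  c=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
  printf '%s\n' "${c#CAP_}"
}

# Docker's --cap-add takes exactly one capability per flag; a comma-separated
# value is rejected as a single unknown capability (the error in the thread).
# Emitting one --cap-add=NAME per entry works for both Docker and podman.
docker_cap_args() {
  out=""
  IFS=,
  for c in $1; do
    out="$out --cap-add=$(normalize_cap "$c")"
  done
  unset IFS
  printf '%s\n' "${out# }"
}

# Expected CapEff hex mask for the list, to compare with
# `grep CapEff /proc/1/status` run inside the container after `--cap-drop all`.
expected_capeff() {
  mask=0
  IFS=,
  for c in $1; do
    mask=$(( mask | (1 << $(cap_bit "$(normalize_cap "$c")")) ))
  done
  unset IFS
  printf '%016x\n' "$mask"
}

CAPS="cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_net_bind_service"
echo "docker run --device /dev/net/tun --cap-drop all $(docker_cap_args "$CAPS") docker.io/cenk1cenk2/softether-vpnsrv:latest"
echo "expected CapEff inside the container: $(expected_capeff "$CAPS")"
```

A `CapEff` value other than the printed mask means the container received a capability set different from the one intended (for example, because `--cap-drop all` was omitted).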