
write UDP: Operation not permitted

Open Neurrone opened this issue 5 years ago • 3 comments

I recently pulled the latest version of this image, was previously using one from 6 months ago.

I now get the following error when enabling the firewall setting on a Synology DS918+:

ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.4 (legacy): can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
iptables v1.8.4 (legacy): invalid port/service `''' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.8.4 (legacy): Port "''" does not resolve to anything.

Try `iptables -h' or 'iptables --help' for more information.
+ exec sg vpn -c 'openvpn --cd /vpn --config /vpn/mullvad.conf --script-security 2 --redirect-gateway def1                 '
Sun Oct 25 15:20:50 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
Sun Oct 25 15:20:50 2020 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Sun Oct 25 15:20:50 2020 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Sun Oct 25 15:20:50 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sun Oct 25 15:20:50 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]94.198.43.2:1195
Sun Oct 25 15:20:50 2020 Socket Buffers: R=[212992->425984] S=[212992->425984]
Sun Oct 25 15:20:50 2020 UDP link local: (not bound)
Sun Oct 25 15:20:50 2020 UDP link remote: [AF_INET]94.198.43.2:1195
Sun Oct 25 15:20:50 2020 write UDP: Operation not permitted (code=1)
Sun Oct 25 15:20:52 2020 write UDP: Operation not permitted (code=1)
Sun Oct 25 15:20:57 2020 write UDP: Operation not permitted (code=1)
Sun Oct 25 15:21:05 2020 write UDP: Operation not permitted (code=1)

This is the configuration:

services:
  vpn:
    image: dperson/openvpn-client:latest
    container_name: openvpn-client
    cap_add:
      - net_admin
    devices:
      - /dev/net/tun:/dev/net/tun
    dns:
      - 1.1.1.1
      - 1.0.0.1
    environment:
      - FIREWALL=''
      - TZ=Asia/Singapore
    networks:
      - vpn
      - web
    ports:
      # for transmission
      - 9091:9091
      - 10508:10508
      - 10508:10508/udp
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
    tmpfs:
      - /run
      - /tmp
    restart: unless-stopped
    security_opt:
      - label:disable
    volumes:
      - /dev/net:/dev/net:z
      - ./vpn:/vpn
      - ./mullvad_config_linux/mullvad_sg_all.conf:/vpn/mullvad.conf
      - ./vpn/update-resolv-conf:/etc/openvpn/update-resolv-conf

This error does not occur when uncommenting the firewall line.

Neurrone avatar Oct 25 '20 08:10 Neurrone

What happens if you remove the 'networks' declarations?

gynnantonix avatar Oct 25 '20 17:10 gynnantonix

Just set your FIREWALL='' line to FIREWALL='1195' so iptables won't block your UDP-based OpenVPN connection. Detection for the actual port in use doesn't work very well in the included scripting, and it then ends up defaulting to 1194.

gjmoed avatar Oct 30 '20 14:10 gjmoed

I had this same issue, but my VPN provider was using port udp/443. With FIREWALL='443' it allows both TCP and UDP traffic on the port entered, which means all traffic on that port out of the container works both inside and outside the VPN. This could be dangerous if the service you are trying to force over the VPN is also using 443, as 443 is then open both inside and outside the VPN tunnel.

My workaround for now was to create a .firewall_cust file in the /vpn folder with a rule to allow only UDP port 443 and not TCP: iptables -A OUTPUT -p udp -m udp --dport 443 -j ACCEPT

pug306d avatar Jan 31 '21 14:01 pug306d
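An added example, not code from the dperson/openvpn-client image or from any of the commenters, covering the two points the thread circles around: deriving the real endpoint port and protocol from the OpenVPN config instead of relying on the image's detection (which, per gjmoed, falls back to 1194), and emitting an egress rule that permits only that protocol on that port rather than both TCP and UDP (pug306d's concern with FIREWALL='443'). It also validates the port before it reaches iptables, which is the check whose absence produced the "invalid port/service `'''" errors when FIREWALL was set to an empty string. The iptables commands are printed rather than executed so the logic can be inspected without NET_ADMIN; the sample config and the vpn.example.net host are constructed for this example (the 94.198.43.2:1195 endpoint is the one visible in the log), and only the IPv4 filter table is addressed, since the ip6tables lines in the report show the nat table missing on that kernel.

```shell
#!/bin/sh
# Added example, not code from dperson/openvpn-client. Reads the VPN endpoint
# (port and protocol) out of an OpenVPN client config and emits an IPv4
# OUTPUT-chain kill switch that permits only that protocol on that port,
# plus loopback, the tunnel device and replies on accepted connections.
# Rules are printed, not applied; pipe the output into sh inside the
# container (with NET_ADMIN) to enforce them.

# Reject anything that is not an integer in 1..65535. This is the check that
# an empty FIREWALL value slips past, yielding iptables' "invalid port/service".
validate_port() {
    case $1 in
        ''|*[!0-9]*) echo "validate_port: '$1' is not a port number" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ||
        { echo "validate_port: $1 out of range" >&2; return 1; }
}

# Print "<port> <proto>" for the first 'remote' line of an OpenVPN config.
# OpenVPN's own defaults fill absent fields: port 1194, protocol udp. A global
# 'proto' directive applies when the remote line carries no protocol.
vpn_endpoint() {
    conf=$1
    gproto=$(awk '$1 == "proto" { print $2; exit }' "$conf")
    # remote <host> [port] [proto]  (positional params are local to the function)
    set -- $(awk '$1 == "remote" { print $2, $3, $4; exit }' "$conf")
    [ -n "${1:-}" ] || { echo "vpn_endpoint: no 'remote' line in $conf" >&2; return 1; }
    port=${2:-1194}
    proto=${3:-${gproto:-udp}}
    # Collapse OpenVPN's protocol spellings (udp4, udp6, tcp-client, tcp4, ...)
    # to the two names iptables -p understands.
    case $proto in
        udp*) proto=udp ;;
        tcp*) proto=tcp ;;
        *) echo "vpn_endpoint: unsupported proto '$proto'" >&2; return 1 ;;
    esac
    validate_port "$port" || return 1
    echo "$port $proto"
}

# Emit an egress kill switch: default DROP, then only loopback (which also
# covers Docker's embedded resolver at 127.0.0.11), the tun device, replies
# on connections already accepted inbound (e.g. a published port like 9091),
# and the single VPN endpoint protocol/port. The last rule is deliberately
# protocol-specific, unlike a FIREWALL=<port> that opens TCP and UDP alike.
kill_switch_rules() {
    validate_port "$1" || return 1
    case $2 in
        udp|tcp) ;;
        *) echo "kill_switch_rules: proto must be udp or tcp, got '$2'" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p $2 -m $2 --dport $1 -j ACCEPT
EOF
}

# Constructed sample config (not the reporter's mullvad.conf). The default
# remote matches the endpoint seen in the log; pass another 'remote' line
# as $1 to exercise other shapes (bare host, tcp-client, ...).
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<EOF
client
dev tun
proto udp
${1:-remote 94.198.43.2 1195}
remote-random
cipher AES-256-GCM
EOF
    echo "$f"
}

# Stand-alone run: derive the endpoint from the sample config and print rules.
conf=$(sample_conf)
ep=$(vpn_endpoint "$conf")
kill_switch_rules "${ep% *}" "${ep#* }"
rm -f "$conf"
```

To use it against a real config, replace the sample_conf call with the path to the mounted .conf and redirect the printed rules into the image's .firewall_cust file (or run them directly); a provider that lists several remote lines on different ports needs one ACCEPT rule per distinct port/protocol pair, which this example does not generate.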