
Flatcar with container openvpn-client not working properly

Open lmq1999 opened this issue 6 months ago • 11 comments

Description

Flatcar with openvpn client container not working

Impact

Unable to use flatcar with openvpn

Environment and steps to reproduce

  1. Set-up:
    Flatcar image: flatcar_production_openstack_image.img
pool-g4dzrku5-sj3dtqihuu6cjof6-node-hshs3fbx ~ # cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=3975.2.0
VERSION_ID=3975.2.0
BUILD_ID=2024-08-05-2103
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 3975.2.0 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:3975.2.0:*:*:*:*:*:*:*"
  2. Task: Running an OpenVPN client container (I have tried a lot of docker openvpn-client images on GitHub and built one myself)

2.1: Install docker-compose

curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o /opt/bin/docker-compose
chmod +x /opt/bin/docker-compose

2.2: Write docker-compose VPN file

version: "3.3"
services:
  vpn:
    image: cr-hn-1.bizflycloud.vn/31ff9581861a4d0ea4df5e7dda0f665d/openvpn-client@sha256:2defe3062e65ad0ecf43bc747d60d1274ebbf7a45100c5cf5448fd7114caac80
    volumes:
      - /etc/openvpn/kengine.conf:/vpn/kengine.conf
      - /dev/net/tun:/dev/net/tun
    cap_add:
    - NET_ADMIN
    restart: always
    network_mode: "host"

2.3: Write openvpn-client file

client
dev kengine
dev-type tap
reneg-sec 0
proto tcp-client
remote xxx.xx.xx.xx xxxxx
resolv-retry infinite
nobind
<ca>
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----

</ca>
<key>
-----BEGIN PRIVATE KEY-----
..........
-----END PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----

</cert>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...........
-----END OpenVPN Static key V1-----

</tls-auth>
remote-cert-tls server
key-direction 1
script-security 3
keepalive 10 60
persist-key
persist-tun
comp-lzo
verb 3
  3. Action(s): a. Run docker-compose
pool-g4dzrku5-sj3dtqihuu6cjof6-node-hshs3fbx ~ # docker-compose -f docker-compose-2.yaml up
WARN[0000] /root/docker-compose-2.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion 
WARN[0000] Found orphan containers ([openvpn-client root-openvpn-1]) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up. 
[+] Running 1/0
 ✔ Container root-vpn-1  Created    0.0s 
Attaching to vpn-1
vpn-1  | + exec sg vpn -c 'openvpn --cd /vpn --config /vpn/kengine.conf --script-security 2 --redirect-gateway def1                 '
vpn-1  | Mon Aug 12 08:30:58 2024 OpenVPN 2.4.9 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 20 2020
vpn-1  | Mon Aug 12 08:30:58 2024 library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
vpn-1  | Mon Aug 12 08:30:58 2024 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
vpn-1  | Mon Aug 12 08:30:58 2024 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
vpn-1  | Mon Aug 12 08:30:58 2024 TCP/UDP: Preserving recently used remote address: [AF_INET]123.31.11.151:10001
vpn-1  | Mon Aug 12 08:30:58 2024 Socket Buffers: R=[131072->131072] S=[16384->16384]
vpn-1  | Mon Aug 12 08:30:58 2024 Attempting to establish TCP connection with [AF_INET]123.31.11.151:10001 [nonblock]
vpn-1  | Mon Aug 12 08:30:59 2024 TCP connection established with [AF_INET]123.31.11.151:10001
vpn-1  | Mon Aug 12 08:30:59 2024 TCP_CLIENT link local: (not bound)
vpn-1  | Mon Aug 12 08:30:59 2024 TCP_CLIENT link remote: [AF_INET]123.31.11.151:10001
vpn-1  | Mon Aug 12 08:30:59 2024 TLS: Initial packet from [AF_INET]123.31.11.151:10001, sid=b30c806f 6b1db9ce
vpn-1  | Mon Aug 12 08:30:59 2024 VERIFY OK: depth=1, CN=bke-vpn
vpn-1  | Mon Aug 12 08:30:59 2024 VERIFY KU OK
vpn-1  | Mon Aug 12 08:30:59 2024 Validating certificate extended key usage
vpn-1  | Mon Aug 12 08:30:59 2024 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
vpn-1  | Mon Aug 12 08:30:59 2024 VERIFY EKU OK
vpn-1  | Mon Aug 12 08:30:59 2024 VERIFY OK: depth=0, CN=bke-vpn
vpn-1  | Mon Aug 12 08:30:59 2024 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
vpn-1  | Mon Aug 12 08:30:59 2024 [bke-vpn] Peer Connection Initiated with [AF_INET]123.31.11.151:10001
vpn-1  | Mon Aug 12 08:31:00 2024 SENT CONTROL [bke-vpn]: 'PUSH_REQUEST' (status=1)
vpn-1  | Mon Aug 12 08:31:00 2024 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.99.0.1,ping 20,ping-restart 60,ifconfig 10.99.0.4 255.255.240.0,peer-id 0,cipher AES-256-GCM'
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: timers and/or timeouts modified
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: --ifconfig/up options modified
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: route-related options modified
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: peer-id set
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: adjusting link_mtu to 1659
vpn-1  | Mon Aug 12 08:31:00 2024 OPTIONS IMPORT: data channel crypto options modified
vpn-1  | Mon Aug 12 08:31:00 2024 Data Channel: using negotiated cipher 'AES-256-GCM'
vpn-1  | Mon Aug 12 08:31:00 2024 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
vpn-1  | Mon Aug 12 08:31:00 2024 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
vpn-1  | Mon Aug 12 08:31:00 2024 ROUTE_GATEWAY 103.107.182.1/255.255.255.0 IFACE=eth0 HWADDR=fa:16:3e:c1:ee:2b
vpn-1  | Mon Aug 12 08:31:00 2024 TUN/TAP device kengine opened
vpn-1  | Mon Aug 12 08:31:00 2024 TUN/TAP TX queue length set to 100
vpn-1  | Mon Aug 12 08:31:00 2024 /sbin/ip link set dev kengine up mtu 1500
vpn-1  | Mon Aug 12 08:31:00 2024 /sbin/ip addr add dev kengine 10.99.0.4/20 broadcast 10.99.15.255
vpn-1  | Mon Aug 12 08:31:00 2024 /sbin/ip route add 123.31.11.151/32 via 103.107.182.1
vpn-1  | Mon Aug 12 08:31:00 2024 /sbin/ip route add 0.0.0.0/1 via 10.99.0.1
vpn-1  | Mon Aug 12 08:31:00 2024 /sbin/ip route add 128.0.0.0/1 via 10.99.0.1
vpn-1  | Mon Aug 12 08:31:00 2024 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
vpn-1  | Mon Aug 12 08:31:00 2024 Initialization Sequence Completed

This seems to be working but actually is not: the `ip addr add dev kengine 10.99.0.4/20 broadcast 10.99.15.255` is not working, so there is no IP on kengine

112: kengine: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/ether 52:a3:e8:10:4c:96 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ac5b:61ff:fe54:98f6/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

b. I have to manually add it myself, and then the VPN finally works

112: kengine: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
  link/ether 52:a3:e8:10:4c:96 brd ff:ff:ff:ff:ff:ff
  inet 10.99.0.4/20 brd 10.99.15.255 scope global kengine
     valid_lft forever preferred_lft forever
  inet6 fe80::ac5b:61ff:fe54:98f6/64 scope link proto kernel_ll 
     valid_lft forever preferred_lft forever

Testing

pool-g4dzrku5-sj3dtqihuu6cjof6-node-hshs3fbx ~ # ping 10.99.0.1
PING 10.99.0.1 (10.99.0.1) 56(84) bytes of data.
64 bytes from 10.99.0.1: icmp_seq=1 ttl=64 time=2.50 ms
64 bytes from 10.99.0.1: icmp_seq=2 ttl=64 time=1.42 ms
64 bytes from 10.99.0.1: icmp_seq=3 ttl=64 time=1.45 ms
^C
--- 10.99.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.416/1.786/2.496/0.502 ms
pool-g4dzrku5-sj3dtqihuu6cjof6-node-hshs3fbx ~ # ping 10.99.0.2
PING 10.99.0.2 (10.99.0.2) 56(84) bytes of data.
64 bytes from 10.99.0.2: icmp_seq=1 ttl=64 time=2.11 ms
64 bytes from 10.99.0.2: icmp_seq=2 ttl=64 time=2.75 ms
64 bytes from 10.99.0.2: icmp_seq=3 ttl=64 time=2.14 ms
^C
--- 10.99.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.109/2.334/2.752/0.295 ms

but since I want the VPN to run automatically and I can't add it manually all the time, this problem needs looking into.

  4. Error:

IP not added properly on the VPN interface

Expected behavior

The IP on the interface is added automatically

Additional information

None

lmq1999, Aug 12 '24 09:08
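An added check for the failure mode described in this issue (example code, not part of the issue, of Flatcar or of the openvpn-client image): OpenVPN logs "Initialization Sequence Completed" even though its `ip addr add` did not take effect on the host, so "initialized" must not be read as "configured". The script parses the `ifconfig` entry pushed in `PUSH_REPLY`, converts the netmask to a prefix length and compares it with what `ip -o -4 addr show dev kengine` reports on the host, returning non-zero when the address is missing so it can serve as a health check or a post-start unit. It assumes the service name `vpn`, interface `kengine` and compose file `docker-compose-2.yaml` from the issue; the sample log and interface output embedded for the offline demo are constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the issue): verify that the address OpenVPN was
# pushed really landed on the interface instead of trusting
# "Initialization Sequence Completed".

# Convert a dotted netmask (255.255.240.0) to a prefix length (20).
# Rejects masks whose set bits are not contiguous (255.0.255.0).
netmask_to_prefix() {
    bits=0; tail=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        if [ "$tail" = 1 ] && [ "$octet" != 0 ]; then
            echo "non-contiguous netmask: $1" >&2; return 1
        fi
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); tail=1 ;;
            252) bits=$((bits + 6)); tail=1 ;;
            248) bits=$((bits + 5)); tail=1 ;;
            240) bits=$((bits + 4)); tail=1 ;;
            224) bits=$((bits + 3)); tail=1 ;;
            192) bits=$((bits + 2)); tail=1 ;;
            128) bits=$((bits + 1)); tail=1 ;;
            0)   tail=1 ;;
            *)   echo "bad netmask octet in $1" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Read an OpenVPN client log on stdin and print the pushed address as
# "addr/prefix" (10.99.0.4/20). For tap devices (as in the issue) and tun
# with topology subnet the second ifconfig argument is a netmask; with the
# old tun net30 topology it is a peer address and this conversion does not apply.
expected_addr_from_log() {
    push=$(grep -o "PUSH_REPLY[^']*" | head -n 1)
    [ -n "$push" ] || return 1
    ifc=$(printf '%s\n' "$push" | tr ',' '\n' | grep '^ifconfig ' | head -n 1)
    [ -n "$ifc" ] || return 1
    set -- $ifc
    echo "$2/$(netmask_to_prefix "$3")"
}

# Given the output of `ip -o -4 addr show dev <iface>`, succeed only if it
# carries the expected address. The output is passed as an argument so the
# check can be exercised offline.
iface_has_addr() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == "inet" && $4 == want { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Live check for the host: compare the compose service log with the interface
# and return non-zero when the address is missing. Defaults are the names used
# in the issue; run it once "Initialization Sequence Completed" has appeared.
check_vpn_iface() {
    dev="${1:-kengine}"; service="${2:-vpn}"; compose_file="${3:-docker-compose-2.yaml}"
    want=$(docker-compose -f "$compose_file" logs --no-color "$service" | expected_addr_from_log) || {
        echo "no PUSH_REPLY with ifconfig in the $service log yet" >&2; return 2; }
    if iface_has_addr "$(ip -o -4 addr show dev "$dev")" "$want"; then
        echo "$dev has $want"
    else
        echo "$dev is missing $want: OpenVPN reported success but the address never landed" >&2
        return 1
    fi
}

# Constructed sample input, assembled from the values shown in the issue.
SAMPLE_LOG="vpn-1  | Mon Aug 12 08:31:00 2024 PUSH: Received control message: 'PUSH_REPLY,route-gateway 10.99.0.1,ping 20,ping-restart 60,ifconfig 10.99.0.4 255.255.240.0,peer-id 0,cipher AES-256-GCM'
vpn-1  | Mon Aug 12 08:31:00 2024 Initialization Sequence Completed"
# `ip -o -4 addr show dev kengine` prints nothing while the interface has no IPv4 address.
SAMPLE_IP_MISSING=''
SAMPLE_IP_OK='112: kengine    inet 10.99.0.4/20 brd 10.99.15.255 scope global kengine\       valid_lft forever preferred_lft forever'

want=$(printf '%s\n' "$SAMPLE_LOG" | expected_addr_from_log)
echo "pushed address: $want"
iface_has_addr "$SAMPLE_IP_MISSING" "$want" || echo "before the manual fix: $want missing on kengine"
iface_has_addr "$SAMPLE_IP_OK" "$want" && echo "after the manual fix: $want present on kengine"
```

`check_vpn_iface` is the part to wire into automation (for example a compose `healthcheck` on a sidecar with host networking, or a systemd unit that retries it after `docker-compose up -d`); a non-zero exit is the signal that the route table now points default traffic at `10.99.0.1` through an interface that cannot actually reach it.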