ovpn_dco_v2 module to LXC unprivileged container for OpenVPN.

r4w

Hi all,

I am new to Proxmox, but I have been a long-time user of virtualisation using VMware.
I am trying to build an unprivileged container for OpenVPN and trying to leverage the DCO (ovpn_dco_v2) module.
I have successfully compiled and loaded the module on the host (PVE), and I can also see it loaded in the LXC container.
However, when OpenVPN tries to use it, I get the following:

Code:
2025-01-15 11:22:28 dco_get_peer_stats_multi: netlink reports error (-28): Operation not permitted
2025-01-15 11:22:28 dco_get_peer_stats_multi: failed to send netlink message: Operation not permitted (-1)

I haven't tried a privileged container yet; I am wondering if the container is missing some permissions in the configuration that I am not aware of.
Any help is greatly appreciated.

Thank you.
 
Update: I don't see the error with a privileged container.
I tried to add lxc.apparmor.profile = unconfined to the unprivileged container, but there was no change in behaviour.
 
I also use OpenVPN on an unprivileged Ubuntu 24.04 CT. Packages come directly from the repositories. But I had to set these LXC features:

Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
features: nesting=1

This allows openvpn to work normally here.
 
Hi,
I have to confirm that OpenVPN with a DCO module doesn't work in an unprivileged container (pve-manager/8.3.1/fb48e850ef9dde27 (running kernel: 6.8.8-2-pve)) even with this recommendation:
Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
features: nesting=1

Upd: after a few restarts of the OpenVPN daemon, the following errors disappeared:
Code:
2025-07-23 15:05:50 dco_get_peer_stats_multi: netlink reports error (-28): Operation not permitted
2025-07-23 15:05:50 dco_get_peer_stats_multi: failed to send netlink message: Operation not permitted (-1)
After I restarted the container itself, they didn't come back. That's odd... I'm using an old DCO version, which is not a 'DCO next'.
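
Added example (not from any of the posts above): a small diagnostic to run inside the CT that gathers the facts this thread compares, namely whether the process sits in a user namespace, whether ovpn_dco_v2 is listed, whether CAP_NET_ADMIN is effective, and whether /dev/net/tun is the 10:200 character device. The function names are hypothetical, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not from any tool.
# Each check takes the file it reads as an argument, so it works on the live
# /proc files as well as on constructed samples.

# True when the uid map is NOT the identity map of the initial user
# namespace ("0 0 4294967295"), i.e. the process runs in an unprivileged CT.
in_user_namespace() {
    read -r inside outside count < "$1" || return 1
    [ "$inside $outside $count" != "0 0 4294967295" ]
}

# True when the named module appears in a /proc/modules-style listing.
module_listed() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# True when CapEff in a /proc/<pid>/status-style file has bit 12
# (CAP_NET_ADMIN) set.
has_cap_net_admin() {
    capeff=$(awk '$1 == "CapEff:" { print $2 }' "$1")
    [ -n "$capeff" ] && [ $(( (0x$capeff >> 12) & 1 )) -eq 1 ]
}

# True when the path is a character device with major:minor 10:200
# (GNU stat prints both numbers in hex: a:c8).
is_tun_device() {
    [ -c "$1" ] && [ "$(stat -c '%t:%T' "$1" 2>/dev/null)" = "a:c8" ]
}

report() {
    in_user_namespace /proc/self/uid_map && echo "userns: yes (unprivileged CT)" || echo "userns: no"
    module_listed /proc/modules ovpn_dco_v2 && echo "ovpn_dco_v2: listed" || echo "ovpn_dco_v2: not listed"
    has_cap_net_admin /proc/self/status && echo "CAP_NET_ADMIN: effective" || echo "CAP_NET_ADMIN: missing"
    is_tun_device /dev/net/tun && echo "/dev/net/tun: char 10:200" || echo "/dev/net/tun: missing or wrong device"
}

# Print the report only when the script is called with "report".
if [ "${1:-}" = "report" ]; then report; fi
```

A capability reported as effective inside an unprivileged CT is held relative to the container's user namespace, so comparing this output between the privileged and unprivileged CT shows which of the four facts actually differs.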
