Timeline for Process can't create tun/tap when run as non-root systemd --user service even with CAP_NET_ADMIN
Current License: CC BY-SA 4.0
5 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Sep 5 at 15:20 | comment | added | user31422095 | Thank you, I will review and follow up. | |
| Sep 5 at 14:30 | comment | added | Hauke Laging |
@user31422095 Sure, you must connect the unit namespace with the main namespace. This is done with veth pairs. You can either add the outer veth to a bridge or use the outer namespace as a (masquerading) router. How that is done best / easiest depends on your network situation. unix.stackexchange.com/questions/537014/… unix.stackexchange.com/questions/491366/…
|
|
| Sep 5 at 13:12 | comment | added | user31422095 |
Here it is unable to reach DNS. Changing the endpoint to IP results in similar "network is unreachable" message. "Nebula interface is active" boringcrypto=false build=1.9.3 interface=nebula1 network=192.168.111.100/24 udpAddr="0.0.0.0:37231" "Failed to set tun tx queue length" error="operation not permitted" "DNS resolution failed for static_map host" error="lookup google.com on 1.0.0.1:53: dial udp 1.0.0.1:53: connect: network is unreachable" hostname=google.com network=ip4 Is there any way to make it see the Internet?
|
|
| Sep 5 at 13:03 | comment | added | user31422095 | Thank you for clarification and the advise. Nebula is able to create the tun interface now, but as I understand, when using PrivateNetwork=true it isolates the process from the host namespace completely (at least in the networking part), so it no longer sees host network interfaces and thus unable to communicate with the outside world. | |
| Sep 5 at 11:21 | history | answered | Hauke Laging | CC BY-SA 4.0 |