I want to connect to an OpenVPN server from a Linux client where I don't have root access and cannot (and do not want to) create a TUN device. I don't really need the TUN device: I just want to connect to an SSH server within the VPN.
This is possible. But it needs a patched openvpn. Specifically bendlas/openvpn-tuna or ValdikSS/openvpn-tunpipe. That adds the possibility to use --dev "|<pipetool>" for openvpn. So instead of using a TUN device, it would run some command and pipe all the data to it. Then, there is russdill/tunsocks which you can use as the program here. For example, tunsocks -L [bind_address:]bind_port:host_address:host_port.
It took me a while to get this working:
I first tried with bendlas/openvpn-tuna. The README suggested using Nix. So I tried with Nix. Running nix directly was not really working well as non-root (I did not know about the custom --store), so I tried it within Docker/Apptainer/Singularity. I first tried with --fakeroot, which also does not work well with nix. But without --fakeroot, it worked. But then, the suggested commands did not really work. E.g. I tried nix run github:bendlas/openvpn-tuna#tunsocks -- config.ovpn. That asked for the login, but ended up in an endless loop of Connection reset, restarting [0], SIGUSR1[soft,connection-reset] received, process restarting, Restart pause, 1 second(s). I also tried the other commands but nothing really worked.
Then I also compiled bendlas/openvpn-tuna directly without Apptainer and Nix, by just using autoreconf, configure and make, and could also run it. But I got just the same behavior.
Gemini was quite helpful in debugging random Apptainer and Nix issues (e.g. the problem with --fakeroot, which was quite involved and non-trivial to figure out).
Then I tried the slightly older ValdikSS/openvpn-tunpipe. Now without Nix. I again did autoreconf, configure and make, and could also run it. I first tried ./src/openvpn/openvpn config.ovpn. And that worked, up to ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1), which was expected. So then I wanted to try the --dev "|tunsocks -L ...". For that, I also needed to clone russdill/tunsocks and build that, which was fairly straightforward. And then it just worked!
The final command:
./src/openvpn/openvpn --config config.ovpn --script-security 2 --dev "|../tunsocks/tunsocks -L 2222:<sshhost>:22"
Note, alternatively, you could also make a SOCKS proxy, or use other things from tunsocks.
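A small wrapper around the final command above, as an added example that is not part of the original post or of either project: it binds the forward to 127.0.0.1 explicitly, validates the values that end up inside the --dev command string, and prints an ssh command that uses HostKeyAlias so the host key is stored under the real host name. The script name, the OPENVPN/TUNSOCKS variables and the function names are assumptions; the paths follow the build layout from the post.

```shell
#!/bin/sh
# Added example: wrapper around the post's final command.
# OPENVPN and TUNSOCKS follow the post's build layout; override as needed.
OPENVPN=${OPENVPN:-./src/openvpn/openvpn}
TUNSOCKS=${TUNSOCKS:-../tunsocks/tunsocks}

# Unprivileged users cannot bind ports below 1024.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# The --dev "|..." value is a command line, so only accept plain
# hostname/IPv4 characters and never a leading dash.
valid_host() {
    case $1 in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

# Print the --dev argument, with the forward bound to loopback only.
dev_arg() {
    valid_port "$1" || { echo "bad local port: $1" >&2; return 1; }
    valid_host "$2" || { echo "bad host: $2" >&2; return 1; }
    printf '|%s -L 127.0.0.1:%s:%s:22\n' "$TUNSOCKS" "$1" "$2"
}

# Print the matching ssh command; HostKeyAlias keeps the known_hosts
# entry under the real host name instead of 127.0.0.1.
ssh_cmd() {
    printf 'ssh -p %s -o HostKeyAlias=%s 127.0.0.1\n' "$1" "$2"
}

main() {
    config=$1 port=$2 host=$3
    dev=$(dev_arg "$port" "$host") || exit 1
    echo "Once connected, run: $(ssh_cmd "$port" "$host")" >&2
    exec "$OPENVPN" --config "$config" --script-security 2 --dev "$dev"
}

# Usage: sh vpn-forward.sh config.ovpn 2222 <sshhost>
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Note that a forward on 127.0.0.1 is still reachable by other users on the same machine, so the SSH server's own authentication remains the access control.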
Note, for WireGuard, there seem to exist easier-to-use solutions for the same functionality. There is whyvl/wireproxy. There is aramperes/onetun. There is noisysockets/noisysockets. There is cloudflare/boringtun.
    