# Help with OpenVPN "environment"

## don quixada

Hi, I need to connect two programs to the same VPN (and IP) while not having the whole machine connected to the VPN.

My initial thought was to use a terminal and create an environment where only the terminal was connected to the VPN, using OpenVPN running in the background, and then run the other programs from it.

So I tried that but it needed to be root which doesn't work for my purposes. And in non-root, I get this error message (certain information removed):

```
$ openvpn config.file 
Tue Apr  9 23:53:53 2019 OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr  9 2019
Tue Apr  9 23:53:53 2019 library versions: OpenSSL 1.0.2r  26 Feb 2019, LZO 2.10
Tue Apr  9 23:54:22 2019 TCP/UDP: Preserving recently used remote address: [AF_INET] <redacted IP address>
Tue Apr  9 23:54:22 2019 UDP link local: (not bound)
Tue Apr  9 23:54:22 2019 UDP link remote: [AF_INET] <redacted IP address>
Tue Apr  9 23:54:22 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Apr  9 23:54:22 2019 [redacted] Peer Connection Initiated with [AF_INET]<redacted IP address>
Tue Apr  9 23:54:23 2019 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Tue Apr  9 23:54:23 2019 Exiting due to fatal error
```

Or is there a better way to do it altogether?

Thanks in advance.

dq

----------

## Hu

OpenVPN creates a virtual NIC.  Traffic sent over that NIC is sent over the VPN.  Everything in the network namespace of that NIC can see the NIC and, subject to the usual routing and firewall rules, will use that NIC.  You can use a private network namespace to restrict which programs can see the virtual NIC.  I am not aware of a way for you to use OpenVPN without at least some assistance from the root user.  You may be able to have the root user prepare an environment for you and then run a shell as you in that environment.  Please explain why you cannot involve the root user.

----------

## don quixada

If I run OpenVPN as root then the whole machine connects to the VPN which is not what I want. 

dq

----------

## Hu

No, it only connects the current network namespace to the VPN.  Other namespaces are unaffected.  Systems start with only one network namespace, but you can have more if you choose.

----------

## don quixada

Do you recommend a good guide to have separate namespaces?

dq

----------

## szatox

> Do you recommend a good guide to have separate namespaces?

Unfortunately such a thing does not seem to exist.

Here's a tip though:

```
ip link add <interface1> type veth peer name <interface2>
ip netns add <namespace>
ip link set <interface> netns <namespace>
nsenter -n/var/run/netns/<namespace>
```

There is also 'ip netns exec' for running stuff inside the namespace.

`man ip-netns` is your friend.

Obviously, you have to bridge or route traffic from that namespace to the world (unless you give it your physical NIC).

Or, since you want the traffic from your NS to go through openvpn, you could start openvpn, create the namespace, and then move openvpn's tap interface into your namespace instead of creating a new pair of veth devices and moving one end of that link into your namespace. You'd probably have to block route updates from openvpn.

Never tried this one; I think it will work if you manage the routes yourself. Give it a shot and share your experience.
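The second option described above (root starts OpenVPN, then the tunnel interface is moved into a private namespace so only programs launched there use the VPN, which is also what Hu meant by root "preparing an environment") can be done with an OpenVPN `up` script. The script below is an added example and is not from this thread or from the OpenVPN project. It assumes OpenVPN is started by root as `openvpn --config config.file --ifconfig-noexec --route-noexec --script-security 2 --up /path/to/vpn-netns-up.sh`, that the namespace name comes from an environment variable `NETNS` (a name chosen here, default `vpn`), and it relies on the environment variables OpenVPN documents for up scripts (`script_type`, `dev`, `ifconfig_local`, `ifconfig_netmask`, `ifconfig_remote`, `route_vpn_gateway`, `tun_mtu`). `--ifconfig-noexec` and `--route-noexec` are what keep OpenVPN from configuring the address and routes in the main namespace, so the rest of the machine stays off the VPN. Setting `DRY_RUN=1` prints the planned `ip` commands instead of running them, which is useful for checking the plan without root.

```shell
#!/bin/sh
# Added example: OpenVPN "up" script that moves the tunnel device into a
# private network namespace. Assumptions: NETNS names the namespace
# (default "vpn"); OpenVPN was started by root with --ifconfig-noexec
# --route-noexec --script-security 2 --up <this script>.
set -eu

NETNS="${NETNS:-vpn}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Convert a dotted netmask (255.255.255.0) into a prefix length (24).
# OpenVPN hands the mask to the up script in dotted form; "ip addr add"
# wants a prefix length.
mask2cidr() {
    bits=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        case "$octet" in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)) ;;
            252) bits=$((bits + 6)) ;;
            248) bits=$((bits + 5)) ;;
            240) bits=$((bits + 4)) ;;
            224) bits=$((bits + 3)) ;;
            192) bits=$((bits + 2)) ;;
            128) bits=$((bits + 1)) ;;
            0) ;;
            *) echo "bad netmask: $1" >&2; return 1 ;;
        esac
    done
    echo "$bits"
}

# Create the namespace if it does not exist and bring up its loopback.
ensure_netns() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! ip netns list | awk '{print $1}' | grep -qx "$NETNS"; then
        run ip netns add "$NETNS"
    fi
    run ip -n "$NETNS" link set lo up
}

# Move OpenVPN's tun/tap device into the namespace and configure it there,
# using the values OpenVPN exported instead of letting it configure the
# device in the main namespace.
move_tun_into_netns() {
    dev="${dev:?OpenVPN did not export dev}"
    local_ip="${ifconfig_local:?OpenVPN did not export ifconfig_local}"
    gateway="${route_vpn_gateway:-${ifconfig_remote:-}}"

    run ip link set dev "$dev" netns "$NETNS"
    if [ -n "${ifconfig_netmask:-}" ]; then
        # subnet topology: address with prefix length
        run ip -n "$NETNS" addr add "$local_ip/$(mask2cidr "$ifconfig_netmask")" dev "$dev"
    else
        # point-to-point topology: address with peer
        run ip -n "$NETNS" addr add "$local_ip" peer "${ifconfig_remote:?}" dev "$dev"
    fi
    run ip -n "$NETNS" link set dev "$dev" mtu "${tun_mtu:-1500}" up
    if [ -n "$gateway" ]; then
        # Only this namespace gets a default route through the VPN.
        run ip -n "$NETNS" route add default via "$gateway" dev "$dev"
    fi
}

# Only act when invoked by OpenVPN as an up script; sourcing the file for
# testing (script_type unset) defines the functions and does nothing else.
if [ "${script_type:-}" = "up" ]; then
    ensure_netns
    move_tun_into_netns
fi
```

Once the script has run, a program is put on the VPN by starting it inside the namespace as the unprivileged user, for example `sudo ip netns exec vpn sudo -u dq firefox`; everything started normally stays on the host's network. DNS inside the namespace is handled by `ip netns exec`, which bind-mounts `/etc/netns/vpn/resolv.conf` over `/etc/resolv.conf` if that file exists, so put the VPN's resolver there to keep DNS queries from leaking to the host's resolver. The check a practitioner would run afterwards is `ip netns exec vpn ip route` (should show only the tun device) next to `ip route` on the host (should not show it at all).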

----------

## don quixada

Maybe I'll try this one day, and thank you for your instructions. Instead I used a VM; it seemed easier to me (less of a learning curve). The nuances of networking have always eluded me, much to my detriment I'm sure!

dq

----------