[Error] SNX VPN in rootful container: Connection NetworkManager possible? #1703

Open
TobiPeterG opened this issue Mar 2, 2025 · 0 comments
Labels
bug Something isn't working

TobiPeterG commented Mar 2, 2025

Describe the bug
My university uses SNX VPN to connect to internal resources. The client is quite outdated, but I managed to install it successfully in a rootful distrobox container. It also says that it connected successfully after installing kmod in the container. However, I still can't access internal web pages. The weird thing is: After some time, it started working and I could access internal pages, but after a reboot, it doesn't work again. ip link and ip route show that it is able to do something, but I'm not sure why it isn't connecting.

To Reproduce
Create distrobox using this command: distrobox-create --name Tumbleweed-SNX --image opensuse/distrobox:latest --additional-flags "--cap-add=ALL -v /lib/modules:/lib/modules --privileged" --root
Install SNX VPN in container
Try to connect to a supported VPN

Expected behavior
The connections should work, and I should be able to access internal resources.

Logs
Run the commands with --verbose and post the log here as a file upload
Attach also the output of podman logs or docker logs, possibly with --latest flag
podman logs doesn't find the container, help?

Desktop (please complete the following information):

  • Are you using podman, docker or lilipod? podman
  • Which version of podman, docker or lilipod? podman version 5.4.0
  • Which version of distrobox? distrobox: 1.8.1.2
  • Which host distribution? Aeon
  • How did you install distrobox? was preinstalled

Additional context
ip link and ip route on the host and in the container are identical.
They show:
with VPN:

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 14:ac:60:d8:3f:1f brd ff:ff:ff:ff:ff:ff
    altname wlx14ac60d83f1f
15: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1350 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
    link/none 
ip route
0.0.0.0 dev tunsnx src 192.168.26.249 
default via 192.168.1.10 dev wlp1s0 proto dhcp src 192.168.1.142 metric 600 
10.0.4.0/29 dev tunsnx src 192.168.26.249 
10.10.10.0/24 dev tunsnx src 192.168.26.249 
10.60.0.0/18 dev tunsnx src 192.168.26.249 
10.60.64.1 dev tunsnx src 192.168.26.249 
10.60.64.3 dev tunsnx src 192.168.26.249 
10.61.0.0/27 dev tunsnx src 192.168.26.249 
10.61.1.0/24 dev tunsnx src 192.168.26.249 
10.61.2.0/24 dev tunsnx src 192.168.26.249 
10.61.200.1 dev tunsnx src 192.168.26.249 
10.149.0.0/18 dev tunsnx src 192.168.26.249 
10.170.1.1 dev tunsnx src 192.168.26.249 
10.170.2.1 dev tunsnx src 192.168.26.249 
10.170.3.1 dev tunsnx src 192.168.26.249 
10.224.0.0/13 dev tunsnx src 192.168.26.249 
141.89.221.0/25 dev tunsnx src 192.168.26.249 
141.89.224.0/24 dev tunsnx src 192.168.26.249 
141.89.225.0/25 dev tunsnx src 192.168.26.249 
141.89.225.145 dev tunsnx src 192.168.26.249 
141.89.225.160/27 dev tunsnx src 192.168.26.249 
141.89.225.192/26 dev tunsnx src 192.168.26.249 
141.89.226.1 dev tunsnx src 192.168.26.249 
141.89.226.64/27 dev tunsnx src 192.168.26.249 
141.89.226.97 dev tunsnx src 192.168.26.249 
141.89.226.136/29 dev tunsnx src 192.168.26.249 
141.89.226.161 dev tunsnx src 192.168.26.249 
141.89.226.192/26 dev tunsnx src 192.168.26.249 
172.16.1.0/28 dev tunsnx src 192.168.26.249 
172.16.16.0/20 dev tunsnx src 192.168.26.249 
172.16.48.1 dev tunsnx src 192.168.26.249 
172.16.52.0/22 dev tunsnx src 192.168.26.249 
172.16.56.0/22 dev tunsnx src 192.168.26.249 
172.16.60.1 dev tunsnx src 192.168.26.249 
172.16.60.34 dev tunsnx src 192.168.26.249 
172.16.64.0/22 dev tunsnx src 192.168.26.249 
172.16.68.1 dev tunsnx src 192.168.26.249 
172.16.72.1 dev tunsnx src 192.168.26.249 
172.16.254.1 dev tunsnx src 192.168.26.249 
172.17.0.0/20 dev tunsnx src 192.168.26.249 
172.17.16.0/21 dev tunsnx src 192.168.26.249 
172.17.24.0/22 dev tunsnx src 192.168.26.249 
172.17.128.0/20 dev tunsnx src 192.168.26.249 
172.18.0.0/20 dev tunsnx src 192.168.26.249 
172.18.16.0/21 dev tunsnx src 192.168.26.249 
172.18.24.0/22 dev tunsnx src 192.168.26.249 
172.18.128.0/21 dev tunsnx src 192.168.26.249 
172.18.136.0/22 dev tunsnx src 192.168.26.249 
172.19.0.0/20 dev tunsnx src 192.168.26.249 
172.19.16.0/21 dev tunsnx src 192.168.26.249 
172.19.24.0/22 dev tunsnx src 192.168.26.249 
172.20.1.0/24 dev tunsnx src 192.168.26.249 
172.20.2.0/23 dev tunsnx src 192.168.26.249 
172.20.4.0/22 dev tunsnx src 192.168.26.249 
172.20.8.0/21 dev tunsnx src 192.168.26.249 
172.20.16.0/22 dev tunsnx src 192.168.26.249 
172.20.20.0/24 dev tunsnx src 192.168.26.249 
172.20.21.1 dev tunsnx src 192.168.26.249 
172.20.22.0/23 dev tunsnx src 192.168.26.249 
172.20.24.0/22 dev tunsnx src 192.168.26.249 
172.20.28.0/23 dev tunsnx src 192.168.26.249 
172.20.30.0/24 dev tunsnx src 192.168.26.249 
172.20.32.0/23 dev tunsnx src 192.168.26.249 
172.20.34.1 dev tunsnx src 192.168.26.249 
172.20.40.0/23 dev tunsnx src 192.168.26.249 
172.21.0.1 dev tunsnx src 192.168.26.249 
172.21.4.1 dev tunsnx src 192.168.26.249 
172.21.8.1 dev tunsnx src 192.168.26.249 
172.21.12.1 dev tunsnx src 192.168.26.249 
172.21.16.1 dev tunsnx src 192.168.26.249 
172.21.20.1 dev tunsnx src 192.168.26.249 
172.21.24.1 dev tunsnx src 192.168.26.249 
172.22.0.1 dev tunsnx src 192.168.26.249 
172.22.4.1 dev tunsnx src 192.168.26.249 
172.22.8.1 dev tunsnx src 192.168.26.249 
172.22.12.1 dev tunsnx src 192.168.26.249 
172.22.16.1 dev tunsnx src 192.168.26.249 
172.22.20.1 dev tunsnx src 192.168.26.249 
172.22.24.1 dev tunsnx src 192.168.26.249 
172.23.0.1 dev tunsnx src 192.168.26.249 
172.23.4.1 dev tunsnx src 192.168.26.249 
172.23.8.1 dev tunsnx src 192.168.26.249 
172.23.12.1 dev tunsnx src 192.168.26.249 
172.23.16.1 dev tunsnx src 192.168.26.249 
172.23.20.1 dev tunsnx src 192.168.26.249 
172.23.24.1 dev tunsnx src 192.168.26.249 
172.23.28.1 dev tunsnx src 192.168.26.249 
172.23.128.1 dev tunsnx src 192.168.26.249 
172.24.1.0/24 dev tunsnx src 192.168.26.249 
172.24.2.0/24 dev tunsnx src 192.168.26.249 
172.24.4.0/24 dev tunsnx src 192.168.26.249 
172.24.6.0/24 dev tunsnx src 192.168.26.249 
172.24.9.0/24 dev tunsnx src 192.168.26.249 
172.24.10.0/24 dev tunsnx src 192.168.26.249 
172.25.0.0/24 dev tunsnx src 192.168.26.249 
172.25.3.0/24 dev tunsnx src 192.168.26.249 
172.25.5.0/24 dev tunsnx src 192.168.26.249 
172.25.6.0/23 dev tunsnx src 192.168.26.249 
172.25.8.0/24 dev tunsnx src 192.168.26.249 
172.25.10.0/23 dev tunsnx src 192.168.26.249 
172.25.12.0/22 dev tunsnx src 192.168.26.249 
172.25.17.0/24 dev tunsnx src 192.168.26.249 
172.25.18.0/23 dev tunsnx src 192.168.26.249 
172.25.23.0/24 dev tunsnx src 192.168.26.249 
172.25.50.0/23 dev tunsnx src 192.168.26.249 
172.25.52.0/24 dev tunsnx src 192.168.26.249 
192.168.0.0/23 dev tunsnx src 192.168.26.249 
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.142 metric 600 
192.168.5.1 dev tunsnx src 192.168.26.249 
192.168.8.0/24 dev tunsnx src 192.168.26.249 
192.168.26.248 dev tunsnx proto kernel scope link src 192.168.26.249 
192.168.30.0/23 dev tunsnx src 192.168.26.249 
192.168.32.0/23 dev tunsnx src 192.168.26.249 
192.168.44.0/23 dev tunsnx src 192.168.26.249 
192.168.52.0/24 dev tunsnx src 192.168.26.249 
192.168.55.1 dev tunsnx src 192.168.26.249 
192.168.66.0/24 dev tunsnx src 192.168.26.249 
192.168.68.0/23 dev tunsnx src 192.168.26.249 
192.168.75.0/24 dev tunsnx src 192.168.26.249 
192.168.77.1 dev tunsnx src 192.168.26.249 
192.168.78.1 dev tunsnx src 192.168.26.249 
192.168.88.0/24 dev tunsnx src 192.168.26.249 
192.168.99.0/24 dev tunsnx src 192.168.26.249 
192.168.130.1 dev tunsnx src 192.168.26.249 
192.168.131.1 dev tunsnx src 192.168.26.249 
192.168.144.0/24 dev tunsnx src 192.168.26.249 
192.168.166.1 dev tunsnx src 192.168.26.249 
192.168.188.1 dev tunsnx src 192.168.26.249 
192.168.205.0/28 dev tunsnx src 192.168.26.249 
192.168.244.0/24 dev tunsnx src 192.168.26.249 

without VPN:

ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 14:ac:60:d8:3f:1f brd ff:ff:ff:ff:ff:ff
    altname wlx14ac60d83f1f
ip route
default via 192.168.1.10 dev wlp1s0 proto dhcp src 192.168.1.142 metric 600 
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.142 metric 600

Since the connection already worked, I know that there is a way to get it to work, but I don't know why it mysteriously started working and I don't know why it stopped working now. :(

The VPN needs access to kernel modules and the network, so I didn't try unshare options yet.

EDIT: I am able to ping the internal DNS servers, so maybe it is a DNS issue?

EDIT 2: Under /etc/resolv.conf the VPN DNS servers are entered correctly:

# Generated by NetworkManager
search hpi.uni-potsdam.de hpi.de openhpi.net openhpi.cloud openhpicloud.de fritz.box
nameserver 10.10.10.12
nameserver 10.10.10.13
nameserver 10.10.10.11
nameserver 191.168.1.10

The 10.XX... are the VPN DNS servers.

EDIT 3:
Aha, after I verified that the DNS servers are in the resolv.conf, the websites were reachable again. I disconnected and reconnected and now the /etc/resolv.conf only shows:

cat /etc/resolv.conf
# Generated by NetworkManager
search fritz.box
nameserver 192.168.1.10

So the DNS servers were not entered correctly. Could it be that NetworkManager would need to be triggered to add the DNS servers?

EDIT 4: I can confirm, after manually adding the DNS servers to the resolv.conf, the websites are all reachable. :)
Is there a way to make the host's NetworkManager aware that it needs to update the DNS entries, or to bind something into the container so snx can tell NetworkManager to update the DNS servers?
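
The state described in EDIT 3 (tunnel routes installed, but no nameserver in resolv.conf reachable through the tunnel) can be checked mechanically. The following is an added example, not part of the original issue or of distrobox: the function names are hypothetical, the sample inputs are constructed by shortening the outputs quoted above, and it assumes IPv4 main-table `ip route` output and ignores route metrics.

```python
import ipaddress

# Constructed samples, shortened from the outputs quoted in the issue.
ROUTES_VPN = """\
default via 192.168.1.10 dev wlp1s0 proto dhcp src 192.168.1.142 metric 600
10.10.10.0/24 dev tunsnx src 192.168.26.249
192.168.0.0/23 dev tunsnx src 192.168.26.249
192.168.1.0/24 dev wlp1s0 proto kernel scope link src 192.168.1.142 metric 600
"""
RESOLV_AFTER_RECONNECT = "search fritz.box\nnameserver 192.168.1.10\n"
RESOLV_WORKING = "nameserver 10.10.10.12\nnameserver 192.168.1.10\n"

def parse_nameservers(resolv_text):
    """Nameserver addresses in the order resolv.conf lists them."""
    rows = (line.split("#", 1)[0].split() for line in resolv_text.splitlines())
    return [ipaddress.ip_address(f[1]) for f in rows
            if len(f) >= 2 and f[0] == "nameserver"]

def parse_routes(route_text):
    """(network, device) pairs from main-table `ip route` output."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest), dev))
    return routes

def device_for(addr, routes):
    """Longest-prefix match; route metrics are ignored (simplification)."""
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == addr.version and addr in net]
    return max(hits)[1] if hits else None

def dns_report(resolv_text, route_text, tunnel="tunsnx"):
    """Classify the resolver list relative to the tunnel's routes."""
    routes = parse_routes(route_text)
    via = {str(ns): device_for(ns, routes) for ns in parse_nameservers(resolv_text)}
    if not any(dev == tunnel for _, dev in routes):
        return "no-tunnel", via
    if tunnel not in via.values():
        return "dns-missing", via  # routes installed, resolver list not updated
    return "ok", via

print(dns_report(RESOLV_AFTER_RECONNECT, ROUTES_VPN))  # state after reconnect
```

To check a live system, pass the contents of /etc/resolv.conf and the output of `ip route` instead of the constructed samples.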

@TobiPeterG TobiPeterG added the bug Something isn't working label Mar 2, 2025
@TobiPeterG TobiPeterG changed the title [Error] SNX VPN in rootful container doesn't quite work [Error] SNX VPN in rootful container: Connection NetworkManager possible? Mar 2, 2025