Starting openconnect with NetworkManager as a normal user fails to set the MTU on the vpn tunnel I/F:

    openconnect[30195]: SIOCSIFMTU: Operation not permitted

Searching the net suggests:

    setcap cap_net_admin+ep /usr/sbin/openconnect

and this works for me as well. Could Gentoo add this to openconnect (possibly behind a USE flag)?
I'm surprised it works at all when run as an unprivileged user. I would like to look into how the NetworkManager plugin actually works before adding filecaps like this. It also seems like this might open up some security holes for people not using NetworkManager.
While playing with starting openconnect via /etc/init.d/openconnect.xxx I cannot enter the passwd interactively (from my terminal) due to:

    start-stop-daemon --start --exec "${command}" -- \
        --background \
        --interface="${VPN}" \
        --pid-file="${pidfile}" \
        ${vpnopts} \
        "${server}" \
        >> "${VPNLOGFILE}" \
        2>> "${VPNERRFILE}" \
        <<EOF
    ${password}
    EOF

I have to remove the redirects:

    start-stop-daemon --start --exec "${command}" -- \
        --background \
        --interface="${VPN}" \
        --pid-file="${pidfile}" \
        ${vpnopts} \
        "${server}"
    eend $?

Is this separate logging needed? Can it be made optional?
Ok, so running openconnect as a non-root user is indeed supported, but only if some other program is managing the tun device.

http://www.infradead.org/openconnect/nonroot.html

This is true with NetworkManager. NM calls openconnect with a special vpnc script that passes values (including the MTU) back to NM via dbus. NM is then responsible for configuring the device.

The error message you get from openconnect can be safely ignored; openconnect tries to set the MTU itself in case the vpnc script is old and doesn't support setting MTU. When running under NM, this will be handled by the vpnc-script helper that NM provides.
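The unprivileged mode described above, as an added example that is not part of this thread, of openconnect or of NetworkManager: a minimal vpnc-script-style helper that consumes the parameters openconnect places in the environment (variable names as vpnc-script uses them) and renders the device configuration for a privileged manager instead of applying it itself. The hand-off by printing commands and the accepted MTU range are assumptions of this example; the point it shows is that the helper or manager, not the openconnect binary, is where CAP_NET_ADMIN has to live.

```shell
#!/bin/sh
# Hypothetical vpnc-script-style helper (added example). openconnect runs the
# program named by --script with the session parameters in the environment
# (reason, TUNDEV, INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASKLEN,
# INTERNAL_IP4_MTU). This helper never calls ip(8) itself: it validates the
# values and prints the commands a privileged manager (the role NM plays via
# dbus) should apply, so it runs fine as the unprivileged openconnect user.

# An MTU pushed by the gateway is untrusted input: accept only an integer
# within an assumed sane range before passing it on to anything privileged.
valid_mtu() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 576 ] && [ "$1" -le 9000 ]
}

# Render (do not execute) the per-event device configuration, one command
# per line on stdout. Returns non-zero on a malformed event.
render_config() {
    case "${reason:-}" in
        connect)
            [ -n "${TUNDEV:-}" ] || { echo "missing TUNDEV" >&2; return 1; }
            if valid_mtu "${INTERNAL_IP4_MTU:-}"; then
                echo "ip link set dev $TUNDEV mtu $INTERNAL_IP4_MTU"
            else
                # Leave the kernel default rather than apply a bogus value.
                echo "# ignoring invalid MTU '${INTERNAL_IP4_MTU:-}'"
            fi
            echo "ip addr add ${INTERNAL_IP4_ADDRESS}/${INTERNAL_IP4_NETMASKLEN} dev $TUNDEV"
            echo "ip link set dev $TUNDEV up"
            ;;
        disconnect)
            [ -n "${TUNDEV:-}" ] || { echo "missing TUNDEV" >&2; return 1; }
            echo "ip link set dev $TUNDEV down"
            ;;
        pre-init|reconnect)
            # Nothing to configure for these events.
            ;;
        *)
            echo "unknown reason '${reason:-}'" >&2
            return 1
            ;;
    esac
}
```

Pipe the output into a privileged applier (the manager) to actually configure the device; nothing in the helper itself needs elevated rights.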
(In reply to Joakim Tjernlund from comment #2)

The init script is designed for headless, non-interactive operation. If you are running openconnect interactively, there is really no reason to use the init script at all.
(In reply to Mike Gilbert from comment #3)

> Ok, so running openconnect as a non-root user is indeed supported, but only
> if some other program is managing the tun device.
>
> http://www.infradead.org/openconnect/nonroot.html
>
> This is true with NetworkManager. NM calls openconnect with a special vpnc
> script that passes values (including the MTU) back to NM via dbus. NM is
> then responsible for configuring the device.
>
> The error message you get from openconnect can be safely ignored; openconnect
> tries to set the MTU itself in case the vpnc script is old and doesn't
> support setting MTU. When running under NM, this will be handled by the
> vpnc-script helper that NM provides.

I see, thanks for that. I am still trying to get the last pieces to make openconnect connect against Cisco AnyConnect with a csd-wrapper, and it looks like https://gist.github.com/l0ki000/56845c00fd2a0e76d688 will do the trick. Would be nice to have that in the ebuild in some form.
(In reply to Mike Gilbert from comment #4)

> (In reply to Joakim Tjernlund from comment #2)
>
> The init script is designed for headless, non-interactive operation. If you
> are running openconnect interactively, there is really no reason to use the
> init script at all.

It is so much nicer to use already prepared scripts. Also, one might not want to write the passwd in clear text.
Please file separate bugs for CSD and the init script changes.