running as non-root

markballard markballard at verizon.net
Wed Aug 14 20:19:16 EDT 2013


First of all, thanks so much for openconnect!

I downloaded the entire mailing list to search for my problem, but only got a couple of hits, and
none of them addressed mine specifically.

My openconnect (3.11) setup runs perfectly with sudo. Now I want to run it as
non-root. During boot (Linux amd64/Gentoo) I run this:

/sbin/ip tuntap add dev tun0 mode tun user mark
/sbin/ip link set tun0 up

The user owns tun0:

cat /sys/class/net/tun0/owner
500

ls -la /dev/net/tun:

crw-rw-rw- 1 root root 10, 200 Aug 14 06:29 /dev/net/tun

This is my openconnect command line:

echo pw | /usr/bin/openconnect --syslog -i tun0 --user=name \
    --authgroup=group --passwd-on-stdin --background \
    --script=/etc/openconnect/openconnect.sh vpn_site

Syslog shows this:

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
SIOCSIFADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFDSTADDR: Permission denied
SIOCSIFFLAGS: Permission denied
SIOCSIFNETMASK: Permission denied
SIOCSIFMTU: Operation not permitted
SIOCSIFFLAGS: Permission denied
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
RTNETLINK answers: Operation not permitted
Cannot open "/proc/sys/net/ipv4/route/flush"
SIOCSIFMTU: Operation not permitted
Connected tun0 as 192.168.160.155, using SSL
Continuing in background; pid 17435

It seems my Linux user doesn't have privileges for something? Is there a way to
resolve that? (I don't really know what is being attempted, except perhaps
setting up routing for the VPN.)

The other posts I saw on this were from Aug 2009, and that user was running as
non-root and only had trouble when shutting down, so it seems this does
work, but I'm not sure why it doesn't for me.

BTW, I tried ocproxy as a way around this, and while it got me logged in to
the VPN fine, there's an additional login I need to do once on the VPN, and
no matter what I tried I was unable to do so (IIRC somewhere I saw that a proxy for
VPN may not work for everyone?).

Thanks for looking at this.
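The errors in the syslog above (SIOCSIFADDR, SIOCSIFFLAGS, SIOCSIFMTU, "RTNETLINK answers: Operation not permitted", the unwritable route/flush file) are not raised by openconnect's own tunnel handling; they come from the ifconfig/ip calls in the connect script, which openconnect runs with the same privileges as itself. Owning /dev/net/tun and tun0 lets an unprivileged user open the device, but assigning addresses, setting flags/MTU and changing routes are CAP_NET_ADMIN operations. The launcher below is an added example (not code from the post or from the openconnect project) that checks both preconditions before starting openconnect, by parsing the CapEff mask the kernel reports in /proc/self/status. The tun device name, site name and openconnect options are taken from the post as illustrative values; the sudo rule mentioned in the error message is an assumption about one way to fix it, not something the post describes.

```shell
#!/bin/sh
# Added example, not from the post or from the openconnect project.
# Checks that the current user owns the tun device and that the process
# holds CAP_NET_ADMIN (needed by the connect script's ifconfig/ip calls)
# before starting openconnect as non-root.

# Capability number from <linux/capability.h>.
CAP_NET_ADMIN=12

# cap_mask_has_bit HEXMASK BITNUM
# Succeeds when bit BITNUM is set in HEXMASK, the hexadecimal form used by
# the CapEff line of /proc/<pid>/status (bit 0 is the rightmost bit).
cap_mask_has_bit() {
    mask=$1
    bit=$2
    len=${#mask}
    idx=$((bit / 4))            # hex digit holding the bit, counted from the right
    within=$((bit % 4))         # bit position inside that digit
    [ "$idx" -lt "$len" ] || return 1   # mask too short: bit cannot be set
    pos=$((len - idx))          # 1-based column for cut(1)
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    [ $(( (0x$digit >> within) & 1 )) -eq 1 ]
}

# effective_caps: print the CapEff mask of the calling shell.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# have_net_admin: succeed when this process may configure interfaces and routes.
have_net_admin() {
    cap_mask_has_bit "$(effective_caps)" "$CAP_NET_ADMIN"
}

# tun_owned_by TUNDEV UID: succeed when the kernel reports UID as the owner
# of TUNDEV (the same sysfs attribute the post reads with cat).
tun_owned_by() {
    owner=$(cat "/sys/class/net/$1/owner" 2>/dev/null) || return 1
    [ "$owner" = "$2" ]
}

# launch TUNDEV SITE [openconnect options...]
# Refuses to start openconnect unless the preconditions hold. The options
# (including --passwd-on-stdin and --script) are passed through unchanged.
launch() {
    tundev=$1; site=$2; shift 2
    if ! tun_owned_by "$tundev" "$(id -u)"; then
        echo "$tundev is not owned by uid $(id -u); create it with:" >&2
        echo "  ip tuntap add dev $tundev mode tun user $(id -un)" >&2
        return 2
    fi
    if ! have_net_admin; then
        echo "no CAP_NET_ADMIN in this process: the connect script will fail with" >&2
        echo "SIOCSIF*/RTNETLINK permission errors. Run the --script through a sudo" >&2
        echo "rule that keeps the vpnc environment (assumed fix), or grant the capability." >&2
        return 3
    fi
    exec /usr/bin/openconnect -i "$tundev" "$@" "$site"
}

# Usage with the post's (illustrative) values; password still arrives on stdin:
#   echo pw | ./launch.sh
# where launch.sh ends with:
#   launch tun0 vpn_site --syslog --user=name --authgroup=group \
#       --passwd-on-stdin --background --script=/etc/openconnect/openconnect.sh
```

The interface-ownership check only proves the device can be opened; the capability check is the one that predicts the errors in the syslog. With the tun device pre-created as in the post, the process that needs CAP_NET_ADMIN is whatever runs the --script, so giving that script a privileged path (a sudo rule, or the capability on the binary) is the missing piece, not changes to tun0's ownership.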
