Home Features Getting Started Mailing List / Help Contribute Protocols VPN Server

OpenConnect VPN client

Feature list Running as non-root user GUI Character sets One Time Passwords Smart Cards / PKCS#11 Trusted Platform Module (TPM) Cisco Secure Desktop (CSD) Juniper Host Checker (TNCC) Host Integrity Protection (HIP)

Running as non-root user

Under normal circumstances OpenConnect needs to be run as the root user. If it cannot create the local tun network interface, you will see an error such as:

  Failed to bind (TUNSETIFF) tun device: Operation not permitted

or in older versions, "TUNSETIFF failed: Operation not permitted". The simple fix for this problem is, of course, to run OpenConnect as root.

For security reasons, it is better if network-facing code can run without root privileges — and there are a few options which allow OpenConnect to run as an unprivileged user instead.

Pre-configured tun device

On Linux, it's possible to create its tun device in advance. For example:

# ip tuntap add vpn0 mode tun user dwmw2

This creates a device vpn0 which can be opened by user dwmw2 who can pass traffic to/from it without needing any elevated privileges. You can now tell OpenConnect to use that device by adding "-i vpn0" to its command-line arguments. Note that the /dev/net/tun device node should be readable and writeable by everyone. (Some distributions misconfigure that, so if it isn't world-writeable then please file a bug against your distribution.)

Of course, something does also need to configure the IP addresses and routing. You could either add "-s /bin/true" to OpenConnect's command line to stop it trying to run vpnc-script for itself, and manually configure the network as root too. Or you could use "-s 'sudo -E /etc/vpnc/vpnc-script'" so that OpenConnect itself runs without elevated privileges but can still invoke vpnc-script as root. Note the -E part which ensures the environment variables with the configuration are actually passed through to vpnc-script.

NetworkManager usually has a dedicated unprivileged user nm-openconnect and runs OpenConnect as that user, having pre-created the tun device for it. OpenConnect then invokes a "vpnc-script" provided by NetworkManager which just passes all the configuration back to NetworkManager over DBus.

SOCKS / port-forwarding proxy

An alternative option which doesn't require any root access at all, is simply not to create the tun device and modify the system's network configuration. Instead, OpenConnect can spawn a user-supplied program, passing all data traffic through a UNIX socket to that program.

This option can be used in conjunction with a userspace TCP stack such as lwip to provide SOCKS access to the VPN, without requiring root privileges at all.

SOCKS proxy implementions suitable for being used from OpenConnect include:

• ocproxy
• tunsocks