
Re: apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/NetworkManager/resolv.conf"



On 21/03/2020 at 08:56, Reco wrote:
> On Sat, Mar 21, 2020 at 10:52:53AM +0300, Reco wrote:
> > > What I figured out is that the problem is that somehow apparmor denies network-manager the ability to provide a valid resolv.conf file.
> > > So ipsec can't add a DNS server to my VPN connection.
> > For that particular file it's:
> Forgot a comma:
>
> echo "/run/NetworkManager/resolv.conf rwk," \
>   	>> /etc/apparmor.d/local/usr.lib.ipsec.charon
> aa-complain /usr/lib/ipsec/charon
> aa-enforce /usr/lib/ipsec/charon
> Reco

Thank you very much Reco, you taught me something I had to know indeed.
Apparmor isn't installed on my laptop, but it is on my desktop and I wasn't aware of this.
It explains why I hadn't experienced any problem setting up the laptop.

I had to install apparmor-utils on my desktop though; it wasn't there, so neither were
the aa-logprof, aa-complain and aa-enforce commands (among others).

So I read some docs online to understand the general idea, then:
birdynam:~# echo "/run/NetworkManager/resolv.conf rwk," >> /etc/apparmor.d/local/usr.lib.ipsec.charon
birdynam:~# cat /etc/apparmor.d/local/usr.lib.ipsec.charon
/run/NetworkManager/resolv.conf rwk,
birdynam:~# systemctl restart apparmor.service
birdynam:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...
birdynam:~# ipsec up protonvpn
[...]
scheduling reauthentication in 9993s
maximum IKE_SA lifetime 10533s
installing DNS server 10.6.9.1 to /etc/resolv.conf
installing new virtual IP 10.6.6.11
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA protonvpn{1} established with SPIs c14ac58d_i c5737b8a_o and TS 10.6.6.11/32 === 0.0.0.0/0 received AUTH_LIFETIME of 27883s, reauthentication already scheduled in 9993s
peer supports MOBIKE
connection 'protonvpn' established successfully
birdynam:~#

Et voilà!!
Now I'm surfing through my protonvpn access.

Again thanks a lot Reco

Rudu
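The procedure Reco describes above, turned into a small script. This is an example added here, not code from the thread, from strongSwan or from the AppArmor project; the sample audit line is constructed for the example (its pid, comm and requested_mask fields are assumed, only the operation, profile and name come from the subject of this thread). It derives a rule from the DENIED line, appends it to Debian's local override file only if it is not already there (a plain 'echo >>' run twice leaves a duplicate), and reloads just that one profile with apparmor_parser -r instead of restarting apparmor.service. The reload applies to the already running charon, so the ipsec restart in the transcript is not needed for the policy change itself.

```shell
#!/bin/sh
# Added example: AppArmor DENIED line -> local override rule -> profile reload.
# Not part of the original thread; the sample line below is constructed.

SAMPLE_DENIAL='type=AVC apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/run/NetworkManager/resolv.conf" pid=1234 comm="charon" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0'

# field <key> <audit line>: value of key="value" in the line.
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# mask_to_perms <requested_mask>: audit mask letters -> rule permissions.
# 'c' (create) and 'd' (delete) are covered by 'w'; 'a' is only kept when no
# 'w' is granted; an exec request is refused because ix/px/ux is a decision a
# human has to make, not something to copy out of a log line.
mask_to_perms() {
    mask=$1
    case $mask in *x*) echo "refusing to grant exec from a log line" >&2; return 1;; esac
    case $mask in *c*|*d*) mask="${mask}w";; esac
    perms=""
    for p in r w m k l; do
        case $mask in *"$p"*) perms="$perms$p";; esac
    done
    case $mask in *a*) case $perms in *w*) ;; *) perms="${perms}a";; esac;; esac
    [ -n "$perms" ] || return 1
    printf '%s\n' "$perms"
}

# denial_to_rule <audit line>: "<path> <perms>," as it goes into the profile.
denial_to_rule() {
    name=$(field name "$1"); mask=$(field requested_mask "$1")
    [ -n "$name" ] && [ -n "$mask" ] || return 1
    perms=$(mask_to_perms "$mask") || return 1
    printf '%s %s,\n' "$name" "$perms"
}

# profile_file <profile path>: Debian's file name for the profile
# (/usr/lib/ipsec/charon -> usr.lib.ipsec.charon).
profile_file() {
    printf '%s\n' "${1#/}" | tr / .
}

# add_local_rule <apparmor.d dir> <profile path> <rule>: append the rule to
# the local override unless an identical line is already present.
add_local_rule() {
    f="$1/local/$(profile_file "$2")"
    mkdir -p "$1/local"; touch "$f"
    grep -qxF -- "$3" "$f" || printf '%s\n' "$3" >> "$f"
}

# reload_profile <apparmor.d dir> <profile path>: replace only this profile in
# the kernel. Prints the command instead when DRY_RUN is set or the parser is
# not installed (the demo and the test never touch the real policy).
reload_profile() {
    f="$1/$(profile_file "$2")"
    if [ -n "${DRY_RUN:-}" ] || ! command -v apparmor_parser >/dev/null 2>&1; then
        printf 'would run: apparmor_parser -r %s\n' "$f"
    else
        apparmor_parser -r "$f"
    fi
}

# Demo against a throwaway directory; use /etc/apparmor.d as root for real.
demo() {
    dir=$(mktemp -d)
    prof=$(field profile "$SAMPLE_DENIAL")
    rule=$(denial_to_rule "$SAMPLE_DENIAL") || return 1
    echo "profile: $prof"
    echo "rule:    $rule"
    add_local_rule "$dir" "$prof" "$rule"
    add_local_rule "$dir" "$prof" "$rule"   # second call is a no-op
    cat "$dir/local/$(profile_file "$prof")"
    DRY_RUN=1 reload_profile "$dir" "$prof"
    rm -rf "$dir"
}

demo
```

The generated rule is narrower than the rwk in Reco's one-liner because the constructed line only asks for rw; aa-logprof does the same mapping interactively, and granting k (file locking) is only needed if a later denial asks for it. The rules land in /etc/apparmor.d/local/usr.lib.ipsec.charon, which the Debian profile includes, so the vendor profile itself stays untouched across package upgrades.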

