Calling OpenConnect VPN client in docker container shows TUNSETIFF failed: Operation not permitted

Question

I'm calling openconnect inside an ubuntu based docker container. It successfully connects to the server and prompt for my password, but then

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
TUNSETIFF failed: Operation not permitted

I search for the TUNSETIFF word and every answer is about the command not running in sudo, but I am already root inside the container. What else can go wrong?

Answer 1

Either run the container privileged via

docker run -d --privileged myimage

as Adrian pointed out or run it with the NET_ADMIN capability added and pass the tunnel device e.g.:

docker run -d --cap-add NET_ADMIN --device /dev/net/tun myimage

Answer 2

By default, Docker containers are started with a reduced set of linux capabilities (see man capabilities). The reduced set doesn't include some network related functionality (presumably so that containers can't sniff traffic from the host or other containers).

To start a container with full network capabilities, either explicitly add the SYS_NET_ADMIN capability with --cap-add argument e.g:

docker run -d --cap-add SYS_NET_ADMIN myimage

Or give the container the full set of privileges with --privileged e.g:

docker run -d --privileged myimage

Answer 3

Starting the container with --privileged. (Thanks Adrian Mouat for the answer).