Cannot `ssh` from container with `openvpn`

Submitted by China☆狼群 on 2019-12-04 06:55:48

Question

Basic setup

Using:

  • Fedora 30, fully upgraded (kernel 5.1.19)
  • Podman 1.4.4

I have this Dockerfile:

FROM fedora:30

ENV LANG C.UTF-8

RUN dnf upgrade -y \
    && dnf install -y \
        openssh-clients \
        openvpn \
        slirp4netns \
    && dnf clean all

CMD ["openvpn", "--config", "/vpn/ovpn.config", "--auth-user-pass", "/vpn/ovpn.auth"]

Which I build with:

podman build -t peque/vpn .

Now, in order to be able to run it successfully, I have to take care of some SELinux issues (see Connect to VPN with Podman).

Fixing SELinux permission issues

sudo dnf install udica

I define this ovpn_container.cil custom policy for the VPN container:

(block ovpn_container
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process (capability (chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write net_admin)))

    (allow process default_t (dir (open read getattr lock search ioctl add_name remove_name write)))
    (allow process default_t (file (getattr read write append ioctl lock map open create)))
    (allow process default_t (sock_file (getattr read write append open)))

    (allow process tun_tap_device_t (chr_file (ioctl open read write)))
    (allow process self (netlink_route_socket (nlmsg_write)))
    (allow process unreserved_port_t (tcp_socket (name_connect)))
)

I apply the policy with:

sudo semodule -r ovpn_container
sudo semodule -i ovpn_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}

Running the container

Now I can successfully run the container with:

podman run -v $(pwd):/vpn:Z --cap-add=NET_ADMIN --device=/dev/net/tun --security-opt label=type:ovpn_container.process -it peque/vpn

Issues

Once the container is running, I open a terminal, within the container, from which I want to ssh to remote servers:

podman exec -it container_name bash

From the container I am able to ssh to remote servers successfully, but only if they are not within the VPN.

When I try to ssh to servers in the VPN, it gets stuck for a while and then throws this error:

$ ssh server.domain.com
ssh: connect to host server.domain.com port 22: Connection refused
kex_exchange_identification: Connection closed by remote host

What could I be missing?

Source: https://stackoverflow.com/questions/57186289/cannot-ssh-from-container-with-openvpn
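As an added example (not from the question, udica or Podman), here is a small shell helper that turns AVC denial lines for the container's ovpn_container.process type into CIL allow rules in the same (allow process <type> (<class> (<perms>))) form the policy above uses; the audit lines it runs on are constructed, not the asker's logs, and the function name avc_to_cil is an assumption of this example.

```shell
#!/bin/sh
# Summarise SELinux AVC denials for one container domain and print matching
# CIL allow rules. Added example; not part of the original question.
# Real input on the host: sudo ausearch -m AVC -ts recent --raw | sh this.sh TYPE

# Constructed sample audit lines (not the asker's real logs). The layout follows
# what auditd writes: "avc: denied { perm } for ... scontext= tcontext= tclass=".
SAMPLE_AVC='type=AVC msg=audit(1564000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="ssh" dest=22 scontext=system_u:system_r:ovpn_container.process:s0:c12,c34 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1564000000.102:202): avc:  denied  { read } for  pid=1234 comm="ssh" name="known_hosts" scontext=system_u:system_r:ovpn_container.process:s0:c12,c34 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1564000000.103:203): avc:  denied  { write } for  pid=1234 comm="ssh" scontext=system_u:system_r:ovpn_container.process:s0:c12,c34 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0
type=AVC msg=audit(1564000000.104:204): avc:  denied  { read } for  pid=99 comm="bash" scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=0'

# avc_to_cil TYPE   (AVC lines on stdin)
# Keeps denials whose source type is TYPE, groups them by target type and
# object class, merges the permissions, and prints one CIL rule per group.
avc_to_cil() {
    awk -v want="$1" '
    /avc: +denied/ {
        perms = $0
        sub(/.*denied +\{ */, "", perms)      # keep text after "denied {"
        sub(/ *\}.*/, "", perms)               # drop from "}" onwards
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != want) next
        key = tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
        if (!(key in order)) { order[key] = ++cnt; keys[cnt] = key }
    }
    END {
        for (k = 1; k <= cnt; k++) {
            split(keys[k], kk, SUBSEP)
            printf "(allow process %s (%s (%s)))\n", kk[1], kk[2], seen[keys[k]]
        }
    }'
}

# Stand-alone demo on the constructed lines; the container_t line is filtered out.
printf '%s\n' "$SAMPLE_AVC" | avc_to_cil ovpn_container.process
```

Review each printed rule before adding it to the .cil file rather than pasting it blindly; a denied name_connect reaches the client as EACCES ("Permission denied"), so a "Connection refused" with no AVC line for the container type points at routing or the remote side rather than at this policy.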
