[strongSwan] Is there a supported way for non-root users to get tunnel status?

Martin Willi martin at strongswan.org
Wed Jun 12 11:24:52 CEST 2013

Hi Jeremy,

> I'm toying with the idea of building a status monitor for StrongSwan
> tunnels, but I obviously don't want the tool to run as root, 

charon can run as non-root user, but keeps a few capabilities it needs
for operation (CAP_NET_ADMIN), see [1]. This should allow you to run
"ipsec statusall" with that non-privileged user, and you won't need any
special capabilities to do such a query.

> nor have the ability to set up or tear down tunnels.  Basically, all I
> want is the data contained in an 'ipsec statusall' command.

If you need a monitor-only interface, stroke is probably not the
correct backend. But you could write a similar plugin, just with
monitoring functionality, having a Unix socket with permissions allowing
any/a specific user to do queries.
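
Added example, not part of the original message and not strongSwan code: a minimal C sketch of the socket side of such a monitoring-only interface, where file permissions on the Unix socket decide who may query and the dispatcher has no code path for bringing tunnels up or down. The socket path, the function names and the "STATUS" command are assumptions made for illustration.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>

/* Listening Unix socket that only its owner and members of gid may connect to. */
int monitor_listen(const char *path, gid_t gid)
{
    struct sockaddr_un addr;
    int fd, rc;
    mode_t old;

    if (strlen(path) >= sizeof(addr.sun_path))
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strcpy(addr.sun_path, path);
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    unlink(path);                 /* remove a stale socket from an earlier run */
    old = umask(0177);            /* created as 0600: never briefly world-accessible */
    rc = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    umask(old);
    if (rc < 0 || chown(path, (uid_t)-1, gid) < 0 ||  /* hand access to one group */
        chmod(path, 0660) < 0 || listen(fd, 4) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Hypothetical one-command protocol: anything but a status query is refused. */
const char *monitor_dispatch(const char *request)
{
    if (strcmp(request, "STATUS\n") == 0)
        return "OK (tunnel status would be rendered here)\n";
    return "ERR unsupported\n";
}

int main(void)
{
    char buf[64];
    int c, fd = monitor_listen("/tmp/monitor_example.sock", getgid());

    while (fd >= 0 && (c = accept(fd, NULL, NULL)) >= 0) {
        ssize_t n = recv(c, buf, sizeof(buf) - 1, 0);
        buf[n > 0 ? n : 0] = '\0';
        const char *reply = monitor_dispatch(buf);
        send(c, reply, strlen(reply), 0);
        close(c);
    }
    return 1;
}
```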


