Permissions

The following aspects of skywire require elevated or special permissions:

VPN Applications

Both VPN client and server require special permissions for network configuration.

VPN Client

The VPN client requires the CAP_NET_ADMIN capability to create and configure TUN/TAP network interfaces.

Method 1: Using setcap (Recommended)

# Grant CAP_NET_ADMIN capability to the skywire binary
sudo setcap cap_net_admin+eip /path/to/skywire

# Verify the capability was set
getcap /path/to/skywire
# Should output: /path/to/skywire cap_net_admin=eip

Method 2: Running as root

sudo skywire visor

VPN Server

The VPN server requires elevated privileges to execute iptables and sysctl commands for:

  • Configuring iptables FORWARD policy
  • Enabling IP masquerading (NAT)
  • Setting IP forwarding (IPv4/IPv6)
  • Managing firewall rules for client traffic

Method 1: Configure sudoers (Recommended for systemd services)

# Add to /etc/sudoers.d/skywire-vpn
yourusername ALL=(ALL) NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /usr/sbin/sysctl
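
The sudoers method above, as an added shell example that is not part of the skywire documentation: it builds the same rule from the tool paths actually present on the host, checks it with visudo -cf before it reaches /etc/sudoers.d, and installs it root-owned with mode 0440. The function names and the TOOL_DIRS variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not skywire's own code): render and install the sudoers rule
# shown above. TOOL_DIRS and all function names are assumptions made here.

TOOL_DIRS="${TOOL_DIRS:-/usr/sbin /sbin}"   # directories searched for the tools

# find_tool NAME: print DIR/NAME for the first executable NAME in TOOL_DIRS
find_tool() (
    for dir in $TOOL_DIRS; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    echo "not found in $TOOL_DIRS: $1" >&2
    exit 1
)

# render_rule USER: print the sudoers line for USER with this host's tool paths
render_rule() (
    # Reject anything that could smuggle extra sudoers syntax into the rule
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "refusing user name: '$1'" >&2; exit 1 ;;
    esac
    cmds=
    for tool in iptables ip6tables sysctl; do
        path=$(find_tool "$tool") || exit 1
        cmds="${cmds:+$cmds, }$path"
    done
    printf '%s ALL=(ALL) NOPASSWD: %s\n' "$1" "$cmds"
)

# install_rule USER [DEST]: syntax-check with visudo, then install as root:root 0440
install_rule() (
    dest=${2:-/etc/sudoers.d/skywire-vpn}
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    render_rule "$1" > "$tmp" || exit 1
    visudo -cf "$tmp" >/dev/null || { echo "visudo rejected the rule" >&2; exit 1; }
    install -o root -g root -m 0440 "$tmp" "$dest"
)

# Run as root: sh this-script.sh install yourusername
if [ "${1:-}" = "install" ]; then
    install_rule "${2:-}"
fi
```

Validating the file before it lands in /etc/sudoers.d matters because a syntax error in any included file can make sudo refuse to run for every user on the host.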

Method 2: Using setcap for network administration

# Grant CAP_NET_ADMIN and CAP_NET_RAW capabilities
sudo setcap cap_net_admin,cap_net_raw+eip /path/to/skywire

Method 3: Running as root

sudo skywire visor

Note for systemd services: When running skywire as a systemd service (non-interactive), pkexec cannot prompt for authentication. Use the sudoers method or run the service as root.

Other Permissions

  • File system access: Writing to the local folder path and the default config paths generated by the Linux/macOS packages or the Windows .msi installer.
  • System survey: Some aspects require elevated access. The survey is only generated if a reward address is set.

See mainnet_rules.md for more details about the system survey and eligibility requirements for rewards.