
OpenVPN after changing it from root to nobody (unprivileged user) can't add routes
Closed, Resolved | Public | BUG

Description

I found this https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

After updating VyOS to the current git version I started to get these errors on one of my sites:

Sep  3 09:59:56 M-P openvpn-vtun1[1757]: ERROR: Cannot ioctl TUNSETIFF vtun1: Operation not permitted (errno=1)
Sep  3 09:59:56 M-P openvpn-vtun1[1757]: Exiting due to fatal error

I think it happens when this site loses connection and tries to reconnect.
When I reboot VyOS it connects normally:

Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip link set dev vtun1 up mtu 1500
Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip addr add dev vtun1 10.x.y.z/16 broadcast 10.255.255.255
Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip route add 10.0.0.0/8 via 10.255.0.1

What do you think? Could it be interconnected? I'm not sure because on other sites the same version works fine.

Details

Difficulty level: Easy (less than an hour)
Version: 1.2-rolling
Why the issue appeared? Design mistake
Is it a breaking change? Perfectly compatible

Event Timeline

hexes created this task. Sep 3 2019, 3:29 PM
hexes updated the task description. (Show Details) Sep 3 2019, 3:32 PM
c-po added a subscriber: c-po. Sep 3 2019, 4:16 PM

When the site loses connection and thus a SIGUSR1 is sent to OpenVPN to restart internally, the privileges have dropped and yes, /sbin/ip can't be called again.

c-po claimed this task. Sep 3 2019, 4:17 PM
c-po triaged this task as Normal priority.
c-po updated the task description. (Show Details)
c-po edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Version from 1.2 to 1.2-rolling.
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po removed a subscriber: c-po.
hexes added a comment. Sep 3 2019, 4:40 PM

How can I help you fix it? In this article https://community.openvpn.net/openvpn/wiki/UnprivilegedUser it looks like it's not so hard...

hexes added a comment. Sep 3 2019, 4:41 PM

And maybe change nobody:nogroup to openvpn:openvpn? It's clearer, I think...

c-po added a comment. Sep 3 2019, 5:30 PM

The config generator would need to be adapted https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interface-openvpn.py and the wrapper script added. I have no time before tomorrow, sorry.

hexes added a comment. Sep 4 2019, 1:53 PM

Thanks, I'll try to figure it out. What do you think about openvpn:openvpn?

c-po added a comment. Sep 4 2019, 2:15 PM

I like the openvpn:openvpn ownership idea.

hexes added a comment. Sep 4 2019, 2:27 PM

As I understand it, this script only generates the conf file, but we need to change the init script, add a wrapper script and grant sudo access to the openvpn user to exec this wrapper script...

hexes added a comment. Sep 4 2019, 2:37 PM

So in the conf file these should be enabled by default:
iproute /usr/local/sbin/unpriv-ip
persist-tun

And that's all.
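An added example of what the wrapper behind that iproute line can look like; this is illustrative code, not VyOS's implementation and not the wiki's script. It forwards only the three ip subcommands seen in the log lines above to /sbin/ip via sudo; the sudoers entry and the vtunN interface-name check are assumptions.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/unpriv-ip, the path named by the "iproute" option.
# OpenVPN (already running as the openvpn user) execs this instead of /sbin/ip.
# Assumed sudoers entry (constructed for this example):
#   openvpn ALL=(root) NOPASSWD: /sbin/ip
# Only the ip subcommands seen in the task's own log lines are forwarded, so the
# sudo grant cannot be used as a general-purpose root "ip".

# Accept only interface names of the form vtunN (what VyOS hands to OpenVPN).
is_vtun() {
    case "$1" in
        vtun[0-9]|vtun[0-9][0-9]|vtun[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when "$@" is an ip command OpenVPN is expected to issue, else 1.
unpriv_ip_allowed() {
    case "$1" in
        link)   # ip link set dev vtun1 up mtu 1500
            if [ "$2" = set ] && [ "$3" = dev ] && is_vtun "$4"; then return 0; fi ;;
        addr)   # ip addr add|del dev vtun1 10.x.y.z/16 broadcast ...
            if { [ "$2" = add ] || [ "$2" = del ]; } && [ "$3" = dev ] && is_vtun "$4"; then
                return 0
            fi ;;
        route)  # ip route add|del 10.0.0.0/8 via 10.255.0.1
            if [ "$2" = add ] || [ "$2" = del ]; then return 0; fi ;;
    esac
    return 1
}

# Forward an allowed command to the real ip via sudo; refuse everything else.
unpriv_ip_main() {
    if unpriv_ip_allowed "$@"; then
        # Arguments are passed as a list, never re-parsed by a shell.
        exec sudo -n /sbin/ip "$@"
    fi
    echo "unpriv-ip: refused: ip $*" >&2
    return 1
}

# Dispatch only when called with arguments (OpenVPN always passes some), so
# sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    unpriv_ip_main "$@"
fi
```

With persist-tun the tun file descriptor is kept across the SIGUSR1 restart, so the TUNSETIFF ioctl from the error above is not repeated, while the address and route changes go through this wrapper.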

c-po added a comment. Sep 6 2019, 11:07 AM

Persistent tunnel is a configuration option: set interfaces openvpn vtun10 persistent-tunnel

c-po added a comment. Sep 6 2019, 1:19 PM

OpenVPN now runs as user openvpn with the above helper script. Please also test this new implementation, it will be in the rolling ISO which is building right now.

c-po changed the task status from Open to Needs testing. Sep 6 2019, 1:20 PM
c-po changed Difficulty level from Normal (likely a few hours) to Easy (less than an hour).
c-po added a comment. Sep 15 2019, 11:56 AM

No feedback received, considering this as resolved. Please reopen if the issue reappears.

c-po closed this task as Resolved. Sep 15 2019, 11:56 AM

Using 1.2-rolling-201909210810, it has happened to me.

Sep 21 18:14:34 vyos openvpn-vtun0[4078]: OPTIONS IMPORT: data channel crypto options modified
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: ROUTE_GATEWAY 172.30.4.1/255.255.255.128 IFACE=eth0 HWADDR=00:50:56:b0:46:55
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: ERROR: Cannot ioctl TUNSETIFF vtun0: Operation not permitted (errno=1)
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Exiting due to fatal error

OpenVPN config:

set interfaces openvpn vtun0 authentication password xxxxxx
set interfaces openvpn vtun0 authentication username xxxxxx
set interfaces openvpn vtun0 description 'VPN'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 keep-alive failure-count '3'
set interfaces openvpn vtun0 keep-alive interval '10'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'vpn-service-address'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 tls auth-file '/config/auth/static-key.crt'
set interfaces openvpn vtun0 tls ca-cert-file xxxxxx
set interfaces openvpn vtun0 tls role 'active'
set interfaces openvpn vtun0 use-lzo-compression
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board. Sun, Oct 13, 3:05 PM