Page MenuHomeVyOS Platform
Create Task
Maniphest T3805

OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface
Closed, ResolvedPublicBUG
Actions

Description

OpenVPN 2.5 uses rtnetlink instead of iproute2 which has resulted in openvpn being unable to delete IP addresses or otherwise modify the interface after root privileges are dropped.

Resetting an OpenVPN client interface (to NordVPN), I get the following errors:

openvpn-vtun0[155033]: Closing TUN/TAP interface
openvpn-vtun0[155033]: net_addr_v4_del: 10.8.1.7 dev vtun0
openvpn-vtun0[155033]: sitnl_send: rtnl: generic error (-1): Operation not permitted
openvpn-vtun0[155033]: Linux can't del IP from iface vtun0
openvpn-vtun0[155033]: TUN/TAP device vtun0 opened
openvpn-vtun0[155033]: net_iface_mtu_set: mtu 1500 for vtun0
openvpn-vtun0[155033]: sitnl_send: rtnl: generic error (-1): Operation not permitted
openvpn-vtun0[155033]: Linux can't set mtu (1500) on vtun0
systemd[1]: openvpn@vtun0.service: Main process exited, code=exited, status=1/FAILURE
openvpn-vtun0[155033]: Exiting due to fatal error
systemd[1]: openvpn@vtun0.service: Failed with result 'exit-code'.
systemd[1]: openvpn@vtun0.service: Scheduled restart job, restart counter is at 2.
systemd[1]: Stopped OpenVPN connection to vtun0.

Multiple restarts end up with vtun0 gaining multiple addresses. which breaks routing via that interface.

However, with OpenVPN 2.5 and rtnetlink, it should now be possible to run openvpn as non-root from start to finish, using systemd capabilities. I tried the following (based on the archlinux solution):

Remove user & group directives from /run/vtun0.conf and add the following to /etc/systemd/system/openvpn@.service.d/override.conf

User=openvpn
Group=openvpn
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

Ensure that the runtime directory and existing files were writable by openvpn user:

chmod -R openvpn:openvpn /run/openvpn

After executing systemctl daemon-reload and reset openvpn interface vtun0 everything appears to be working nicely, with the openvpn client running without root from start to finish.

Details

Version
VyOS 1.4-rolling-202108090815
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

amxj9 created this task.Sep 6 2021, 2:39 AM
c-po subscribed.Sep 6 2021, 4:41 PM

Does it work if you grand the capabilities to the openvpn group in /etc/security/capability.conf?

amxj9 added a comment.Sep 7 2021, 1:18 PM

Unfortunately not. I reverted my changes and then added:

cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write   @openvpn

to /etc/security/capability.conf but got the same errors as before (I rebooted to make sure).

pasik subscribed.Sep 7 2021, 1:43 PM
c-po claimed this task.Sep 7 2021, 3:26 PM
c-po added a comment.Sep 7 2021, 8:35 PM

Can you please share a version of your anonymized client configuration?

amxj9 added a comment.Sep 8 2021, 3:06 AM

Certainly, here it is:

openvpn vtun0 {                                                  
    authentication {                                             
        password ******                                          
        username ******                                          
    }                                                                                            
    encryption {                                                 
        cipher aes256                                            
    }                                                            
    hash sha512                                                  
    mode client                                                  
    openvpn-option fast-io                                       
    openvpn-option "remote-cert-tls server"                      
    openvpn-option "resolv-retry infinite"                       
    openvpn-option "pull-filter ignore redirect-gateway"         
    openvpn-option "tun-mtu 1500"                                
    openvpn-option "tun-mtu-extra 32"                            
    openvpn-option "mssfix 1450"                                 
    openvpn-option "comp-lzo no"                                 
    openvpn-option "ping-restart 0"                              
    openvpn-option ping-timer-rem                                
    openvpn-option "ping 15"                                     
    openvpn-option "reneg-sec 0"                                 
    persistent-tunnel                                            
    protocol udp                                                 
    remote-host xxx.xxx.xx.xxx                                   
    remote-port 1194                                             
    tls {                                                        
        auth-key ****************                                
        ca-certificate ***************                          
        tls-version-min 1.2                                      
    }                                                            
}
c-po changed the task status from Open to Confirmed.Sep 8 2021, 12:28 PM
c-po triaged this task as Normal priority.
c-po edited a custom field.
c-po edited a custom field.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed the task status from Confirmed to Needs testing.Sep 8 2021, 12:37 PM
c-po added a project: VyOS 1.3 Equuleus.
c-po moved this task from Open to Finished on the VyOS 1.4 Sagitta board.
c-po mentioned this in rVYOSONEX63fbd8c663c8: openvpn: T3805: use vyos.util.write_file() to store certificates.Sep 8 2021, 12:39 PM
c-po mentioned this in rVYOSONEX84e912ab2f58: openvpn: T3805: use vyos.util.makedir() to create system directories.
c-po mentioned this in rVYOSONEX2647edc30f1e: openvpn: T3805: drop privileges using systemd - required for rtnetlink.
c-po mentioned this in rVYOSONEX588cc03a6141: openvpn: T3805: fix bool logic in verify_pki() for client mode.
c-po added a comment.Sep 8 2021, 12:43 PM

A new ISO 1.4-rolling-202109081242 is currently build - you may check in 30 minutes and try if this works for you - it did in my example config.

If you say that this change works as expected - I am going to backport it to VyOS 1.3 for the upcoming release.

c-po mentioned this in T3809: Not possible to add existing ca?.Sep 8 2021, 6:24 PM
c-po closed this task as Resolved.Sep 9 2021, 7:16 AM
c-po moved this task from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
c-po edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
c-po mentioned this in rVYOSONEX451a7d6d97ee: openvpn: T3805: use vyos.util.makedir() to create system directories.Sep 9 2021, 7:17 AM
c-po mentioned this in rVYOSONEXc593bf7f5977: openvpn: T3805: drop privileges using systemd - required for rtnetlink.
amxj9 added a comment.Sep 9 2021, 10:44 AM

Sorry, I haven;t managed to test yet, due to some configuration migration errors leaving me unable to login. Will comment once I've confirmed though, most likely tomorrow.

amxj9 added a comment.Sep 10 2021, 7:51 AM

Change works as expected for me. Thank you!

lucasec subscribed.Sep 11 2021, 8:58 AM

FYI, if your OpenVPN config relies on cert files or anything you uploaded into the config directory, you may need to change the owner to the openvpn user or widen file permissions. Oddly this only seems to affect equuleus, not sagitta (OpenVPN seems fine reading files owned by "root" out of "/config/auth").

Restricted Repository Identity mentioned this in rVYOSONEXc567b43807fa: openvpn: T3805: fix bool logic in verify_pki() for client mode.Oct 31 2021, 1:05 PM
Restricted Repository Identity mentioned this in rVYOSONEX699d4533c543: openvpn: T3805: drop privileges using systemd - required for rtnetlink.
Restricted Repository Identity mentioned this in rVYOSONEX2349f2d91213: openvpn: T3805: use vyos.util.makedir() to create system directories.
Restricted Repository Identity mentioned this in rVYOSONEX9cd3c3bfe04b: openvpn: T3805: use vyos.util.write_file() to store certificates.