
OpenVPN processes do not have permission to read key files generated with `run generate openvpn key`
Status: Closed, Resolved. Visibility: Public. Type: BUG

Description

run generate openvpn key gives the key file 600 permissions with root:vyattacfg as the owner, but OpenVPN can't read such files.

# run show log openvpn
Sep 12 09:13:40 reki systemd[1]: openvpn@vtun1.service: Failed with result 'exit-code'.
Sep 12 09:13:45 reki openvpn-vtun1[3436]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Sep 12 09:13:45 reki openvpn-vtun1[3436]: Options error: --secret fails with '/config/auth/sentrium.key': Permission denied (errno=13)
Sep 12 09:13:45 reki systemd[1]: openvpn@vtun1.service: Main process exited, code=exited, status=1/FAILURE
Sep 12 09:13:45 reki openvpn-vtun1[3436]: Options error: Please correct these errors.
Sep 12 09:13:45 reki systemd[1]: openvpn@vtun1.service: Failed with result 'exit-code'.
Sep 12 09:13:45 reki openvpn-vtun1[3436]: Use --help for more information.

# ls -alh /config/auth/sentrium.key
-rw------- 1 root vyattacfg 637 Oct 13  2017 /config/auth/sentrium.key

Details

Difficulty level
Easy (less than an hour)
Version
1.3.0-rc6
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Event Timeline

dmbaturin triaged this task as Unbreak Now! priority. Sep 12 2021, 2:19 AM
dmbaturin created this task.

Still not fixed in VyOS 1.3-beta-202110300342:

vyos@r4-epa2:~$ generate openvpn key foo
Generating OpenVPN key to /config/auth/foo
Your new local OpenVPN key has been generated
vyos@r4-epa2:~$ 
vyos@r4-epa2:~$ ls -la /config/auth/
total 12
drwxrwsr-x 2 root vyattacfg 4096 Nov  2 09:00 .
drwxrwxr-x 7 root vyattacfg 4096 Nov  2 08:54 ..
-rw------- 1 root vyattacfg  636 Nov  2 09:00 foo
vyos@r4-epa2:~$
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0) board.

It was fixed in the above commits, wrong testing from my side.

Config and generate:

run generate openvpn key foo.key

set interfaces openvpn vtun10 local-address 192.0.2.14
set interfaces openvpn vtun10 mode 'site-to-site'
set interfaces openvpn vtun10 remote-address '192.0.2.11'
set interfaces openvpn vtun10 shared-secret-key-file '/config/auth/foo.key'

Correct owner.

vyos@r4# ls -la /config/auth/ | grep foo
-rw------- 1 openvpn openvpn    636 Jan  9 18:22 foo.key
[edit]
vyos@r4#