
OpenVPN after changing it from root to nobody (unprivileged user) can't add routes
Closed, Resolved / Public / BUG

Description

I found this https://community.openvpn.net/openvpn/wiki/UnprivilegedUser

After updating VyOS to the current git version I started to get these errors on one of my sites:

Sep  3 09:59:56 M-P openvpn-vtun1[1757]: ERROR: Cannot ioctl TUNSETIFF vtun1: Operation not permitted (errno=1)
Sep  3 09:59:56 M-P openvpn-vtun1[1757]: Exiting due to fatal error

I think it happens when this site loses connection and tries to reconnect.
When I reboot VyOS it connects normally:

Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip link set dev vtun1 up mtu 1500
Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip addr add dev vtun1 10.x.y.z/16 broadcast 10.255.255.255
Sep  3 16:36:05 M-P openvpn-vtun1[1756]: /sbin/ip route add 10.0.0.0/8 via 10.255.0.1

What do you think? Could it be interconnected? I'm not sure, because on other sites the same version works fine.

Details

Difficulty level
Easy (less than an hour)
Version
1.2-rolling
Why the issue appeared?
Design mistake
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

When the site loses connection and thus a SIGUSR1 is sent to OpenVPN to restart internally, the privileges have dropped and yes, /sbin/ip can't be called again.

c-po triaged this task as Normal priority.
c-po updated the task description. (Show Details)
c-po edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po changed Version from 1.2 to 1.2-rolling.
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po removed a subscriber: c-po.

How can I help you fix it? In this article https://community.openvpn.net/openvpn/wiki/UnprivilegedUser it looks like it's not so hard...

And maybe change nobody:nogroup to openvpn:openvpn? It's clearer, I think...

The config generator would need to be adapted https://github.com/vyos/vyos-1x/blob/current/src/conf_mode/interface-openvpn.py and the wrapper script added. I have no time before tomorrow, sorry.

Thanks, I'll try to figure it out. What do you think about openvpn:openvpn?

I like the openvpn:openvpn ownership idea

As I understand it, this script only generates the conf file, but we need to change the init script, add a wrapper script and grant sudo access to the openvpn user to exec this wrapper script...

So in the conf file this should be enabled by default:
iproute /usr/local/sbin/unpriv-ip
persist-tun

And that's all.
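The wrapper the two comments above call for (an iproute helper that escalates via sudo), written here as an added example and not VyOS's own unpriv-ip script. Where the OpenVPN wiki version is a bare "sudo /sbin/ip $*", this one allow-lists the link/addr/route calls OpenVPN issues for a vtun device before escalating; the sudoers rule it relies on is an assumption, not something the task states.

```shell
#!/bin/sh
# Added example, not the VyOS unpriv-ip script: target of OpenVPN's "iproute"
# option when the daemon runs as the unprivileged "openvpn" user. Assumes
# (not from the page) a sudoers rule such as
#   openvpn ALL=(root) NOPASSWD: /sbin/ip
# and that the config also carries "persist-tun": no wrapper can fix the
# TUNSETIFF failure, because reopening the tun device needs CAP_NET_ADMIN,
# so the device fd has to survive the SIGUSR1 restart instead.

# unpriv_ip_allowed ARGS...: return 0 if "ip ARGS..." is one of the commands
# OpenVPN needs for a vtun<N> device, 1 otherwise.
unpriv_ip_allowed() {
    [ $# -ge 3 ] || return 1
    # Reject option flags and any character ip never needs for these calls.
    for a in "$@"; do
        case $a in
            -*|*[!A-Za-z0-9./:]*) return 1 ;;
        esac
    done
    case "$1 $2" in
        "link set"|"addr add"|"addr del")
            # Words 3 and 4 must be "dev vtun<digits>"; eth0 etc. are refused.
            [ "$3" = dev ] || return 1
            n=${4#vtun}
            case $n in ''|*[!0-9]*) return 1 ;; esac
            ;;
        "route add"|"route del")
            ;;   # e.g. "route add 10.0.0.0/8 via 10.255.0.1" as in the log
        *)
            return 1 ;;
    esac
    return 0
}

# When invoked by OpenVPN (arguments present), validate, then escalate.
# The allow-list bounds what a well-behaved daemon asks for; the sudoers rule
# is what actually bounds privilege, so keep that rule as narrow as possible.
if [ $# -gt 0 ]; then
    if unpriv_ip_allowed "$@"; then
        exec sudo -n /sbin/ip "$@"
    fi
    echo "unpriv-ip: refused: ip $*" >&2
    exit 1
fi
```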

Persistent tunnel is a configuration option: set interfaces openvpn vtun10 persistent-tunnel

OpenVPN now runs as user openvpn with the above helper script. Please also test this new implementation; it will be in the rolling ISO which is building right now.

c-po changed the task status from Open to Needs testing. Sep 6 2019, 1:20 PM
c-po changed Difficulty level from Normal (likely a few hours) to Easy (less than an hour).

No feedback received, considering this as resolved. Please reopen if the issue reappears.

Using 1.2-rolling-201909210810, it has happened to me.

Sep 21 18:14:34 vyos openvpn-vtun0[4078]: OPTIONS IMPORT: data channel crypto options modified
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: ROUTE_GATEWAY 172.30.4.1/255.255.255.128 IFACE=eth0 HWADDR=00:50:56:b0:46:55
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: ERROR: Cannot ioctl TUNSETIFF vtun0: Operation not permitted (errno=1)
Sep 21 18:14:34 vyos openvpn-vtun0[4078]: Exiting due to fatal error

OpenVPN config:

set interfaces openvpn vtun0 authentication password xxxxxx
set interfaces openvpn vtun0 authentication username xxxxxx
set interfaces openvpn vtun0 description 'VPN'
set interfaces openvpn vtun0 encryption 'aes256'
set interfaces openvpn vtun0 keep-alive failure-count '3'
set interfaces openvpn vtun0 keep-alive interval '10'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 protocol 'udp'
set interfaces openvpn vtun0 remote-host 'vpn-service-address'
set interfaces openvpn vtun0 remote-port '1194'
set interfaces openvpn vtun0 tls auth-file '/config/auth/static-key.crt'
set interfaces openvpn vtun0 tls ca-cert-file xxxxxx
set interfaces openvpn vtun0 tls role 'active'
set interfaces openvpn vtun0 use-lzo-compression

Using 1.3-rolling-202001270217, it's happening too:

OpenVPN: /usr/libexec/vyos/system/unpriv-ip addr del dev vtun0 10.62.32.67/26
OpenVPN: openvpn : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/ip addr del dev vtun0 10.62.32.67/26
OpenVPN: ERROR: Cannot ioctl TUNSETIFF vtun0: Operation not permitted (errno=1)
OpenVPN: Exiting due to fatal error

OpenVPN config:

set interfaces openvpn vtun0 device-type 'tap'
set interfaces openvpn vtun0 ip ospf dead-interval '4'
set interfaces openvpn vtun0 ip ospf hello-interval '1'
set interfaces openvpn vtun0 ip ospf mtu-ignore
set interfaces openvpn vtun0 ip ospf priority '150'
set interfaces openvpn vtun0 ip ospf retransmit-interval '5'
set interfaces openvpn vtun0 ip ospf transmit-delay '1'
set interfaces openvpn vtun0 mode 'client'
set interfaces openvpn vtun0 persistent-tunnel
set interfaces openvpn vtun0 remote-host 'xxxxx'
set interfaces openvpn vtun0 tls ca-cert-file '/config/auth/ca.crt'
set interfaces openvpn vtun0 tls cert-file '/config/auth/xxxx.crt'
set interfaces openvpn vtun0 tls key-file '/config/auth/xxxx.key'
set interfaces openvpn vtun0 tls tls-version-min '1.0'
erkin set Issue type to Bug (incorrect behavior). Aug 31 2021, 6:52 PM