
openvpn op-mode scripts broken after migrating to systemd service
Closed, Resolved (Public)


After migrating to systemd, op-mode scripts don't work. Paths should be updated to /run/openvpn.

The op-mode scripts used /tmp/openvpn-mgmt-intf to reset a single client. systemd uses a private /tmp:

vyos@rt-home:~$ sudo ls -la /tmp|grep systemd
drwx------  3 root root         60 Apr 14 18:04 systemd-private-3968e4ac269541639d8b3c8413e72e45-haveged.service-VpheTj
drwx------  3 root root         60 Apr 14 18:05 systemd-private-3968e4ac269541639d8b3c8413e72e45-ntp.service-0yOxFs
drwx------  3 root root         60 Apr 16 12:48 systemd-private-3968e4ac269541639d8b3c8413e72e45-openvpn@vtun0.service-SqURDU
drwx------  3 root root         60 Apr 14 18:06 systemd-private-3968e4ac269541639d8b3c8413e72e45-pdns-recursor.service-TjzzLV
drwx------  3 root root         60 Apr 14 18:06 systemd-private-3968e4ac269541639d8b3c8413e72e45-radvd.service-Xdsj93
vyos@rt-home:~$ sudo ls -la /tmp/systemd-private-3968e4ac269541639d8b3c8413e72e45-openvpn@vtun0.service-SqURDU/tmp
total 0
drwxrwxrwt 2 root root 60 Apr 16 12:48 .
drwx------ 3 root root 60 Apr 16 12:48 ..
srwxrwxrwx 1 root root  0 Apr 16 12:48 openvpn-mgmt-intf

In addition, all openvpn interfaces/processes used the same management interface name. I'm not sure this ever worked for more than one interface; they should probably each have their own management interface.
Additionally, file permissions on the socket are 777 by default. This is a security risk. It should be 660 and chown root:vyattacfg, or something even more secure (maybe using selinux to secure access).

At the same time it'd be nice to upgrade to --status version 1 or 2 which provides much more info than default version 0.
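The two points in this ticket that a reviewer would want to verify on a running box are the socket location (a path under /tmp is invisible from outside the service's PrivateTmp namespace) and the socket permissions (world-writable by default, 0660 root:vyattacfg suggested). The following audit script is an added example written for this ticket, not VyOS project code; the function names, the expected mode constant and the demo socket it binds are all constructed here, and the group is passed as a gid only when the caller supplies one, since `vyattacfg` will not exist on a non-VyOS host.

```python
"""Audit the Unix-domain management socket that the OpenVPN op-mode scripts talk to.

Added example for this ticket (not VyOS project code). Assumes the daemon was
started with `--management <path> unix` and checks:
  * the socket exists at the path the op-mode script uses (a /tmp path is not
    reachable from outside a systemd PrivateTmp namespace, as in the ticket);
  * it is not world-accessible (the ticket reports 0777 by default);
  * it has the expected owner and mode (ticket suggests 0660 root:vyattacfg).
"""
import os
import socket
import stat
import tempfile

EXPECTED_MODE = 0o660  # suggested in the ticket: rw for owner and group only


def audit_mgmt_socket(path, expected_uid=0, expected_mode=EXPECTED_MODE):
    """Return a list of human-readable findings; an empty list means the socket is OK."""
    findings = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Under PrivateTmp=yes a socket placed in /tmp lives in
        # /tmp/systemd-private-*/tmp and is not reachable by this path.
        return [f"{path}: not found (is the daemon using a private /tmp?)"]
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path}: not a Unix socket")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        findings.append(
            f"{path}: world-accessible mode {mode:04o}; "
            "any local user can issue management commands"
        )
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    return findings


def harden_mgmt_socket(path, mode=EXPECTED_MODE, gid=None):
    """Apply the permissions the ticket recommends; chown to gid only when one is given
    (look up vyattacfg with grp.getgrnam on a real VyOS host)."""
    os.chmod(path, mode)
    if gid is not None:
        os.chown(path, -1, gid)


def create_demo_socket(directory, name="openvpn-mgmt-intf", mode=0o777):
    """Bind a throwaway listening Unix socket with the ticket's reported default
    mode 0777. Constructed for the demo; a real daemon creates its own socket."""
    path = os.path.join(directory, name)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(path)
    sock.listen(1)
    os.chmod(path, mode)
    return sock, path


def demo():
    """Create a 0777 socket, audit it, harden it, audit again. Returns (before, after)."""
    with tempfile.TemporaryDirectory(prefix="ovpn-") as d:
        sock, path = create_demo_socket(d)
        uid = os.getuid()  # the demo socket is owned by us, not root
        before = audit_mgmt_socket(path, expected_uid=uid)
        harden_mgmt_socket(path)
        after = audit_mgmt_socket(path, expected_uid=uid)
        sock.close()
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before hardening:", *before, sep="\n  ")
    print("after hardening:", after or "no findings")
    # On a router, point it at the real socket instead, e.g.:
    # audit_mgmt_socket("/run/openvpn/vtun0.sock")
```

Running it against the legacy path `/tmp/openvpn-mgmt-intf` from a shell outside the service reproduces the first symptom in the ticket (the "not found" finding), while running it against the socket inside the `systemd-private-*` directory listed above reports the 0777 mode.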


Difficulty level
Unknown (require assessment)
VyOS 1.3-rolling-202004141515
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)