Page MenuHomeVyOS Platform
Create Task
Maniphest T3805

OpenVPN insufficient privileges for rtnetlink when closing TUN/TAP interface
Closed, ResolvedPublicBUG
Actions

Description

OpenVPN 2.5 uses rtnetlink instead of iproute2 which has resulted in openvpn being unable to delete IP addresses or otherwise modify the interface after root privileges are dropped.

Resetting an OpenVPN client interface (to NordVPN), I get the following errors:

openvpn-vtun0[155033]: Closing TUN/TAP interface
openvpn-vtun0[155033]: net_addr_v4_del: 10.8.1.7 dev vtun0
openvpn-vtun0[155033]: sitnl_send: rtnl: generic error (-1): Operation not permitted
openvpn-vtun0[155033]: Linux can't del IP from iface vtun0
openvpn-vtun0[155033]: TUN/TAP device vtun0 opened
openvpn-vtun0[155033]: net_iface_mtu_set: mtu 1500 for vtun0
openvpn-vtun0[155033]: sitnl_send: rtnl: generic error (-1): Operation not permitted
openvpn-vtun0[155033]: Linux can't set mtu (1500) on vtun0
systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
openvpn-vtun0[155033]: Exiting due to fatal error
systemd[1]: [email protected]: Failed with result 'exit-code'.
systemd[1]: [email protected]: Scheduled restart job, restart counter is at 2.
systemd[1]: Stopped OpenVPN connection to vtun0.

Multiple restarts end up with vtun0 gaining multiple addresses. which breaks routing via that interface.

However, with OpenVPN 2.5 and rtnetlink, it should now be possible to run openvpn as non-root from start to finish, using systemd capabilities. I tried the following (based on the archlinux solution):

Remove user & group directives from /run/vtun0.conf and add the following to /etc/systemd/system/[email protected]/override.conf

User=openvpn
Group=openvpn
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

Ensure that the runtime directory and existing files were writable by openvpn user:

chmod -R openvpn:openvpn /run/openvpn

After executing systemctl daemon-reload and reset openvpn interface vtun0 everything appears to be working nicely, with the openvpn client running without root from start to finish.

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.4-rolling-202108090815
Why the issue appeared?
Design mistake
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

amxj9 created this task.Sep 6 2021, 2:39 AM
c-po added a subscriber: c-po.Sep 6 2021, 4:41 PM

Does it work if you grand the capabilities to the openvpn group in /etc/security/capability.conf?

amxj9 added a comment.Sep 7 2021, 1:18 PM

Unfortunately not. I reverted my changes and then added:

cap_dac_override,cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_sys_chroot,cap_audit_write   @openvpn

to /etc/security/capability.conf but got the same errors as before (I rebooted to make sure).

pasik added a subscriber: pasik.Sep 7 2021, 1:43 PM
c-po claimed this task.Sep 7 2021, 3:26 PM
c-po added a comment.Sep 7 2021, 8:35 PM

Can you please share a version of your anonymized client configuration?

amxj9 added a comment.Sep 8 2021, 3:06 AM

Certainly, here it is:

openvpn vtun0 {                                                  
    authentication {                                             
        password ******                                          
        username ******                                          
    }                                                                                            
    encryption {                                                 
        cipher aes256                                            
    }                                                            
    hash sha512                                                  
    mode client                                                  
    openvpn-option fast-io                                       
    openvpn-option "remote-cert-tls server"                      
    openvpn-option "resolv-retry infinite"                       
    openvpn-option "pull-filter ignore redirect-gateway"         
    openvpn-option "tun-mtu 1500"                                
    openvpn-option "tun-mtu-extra 32"                            
    openvpn-option "mssfix 1450"                                 
    openvpn-option "comp-lzo no"                                 
    openvpn-option "ping-restart 0"                              
    openvpn-option ping-timer-rem                                
    openvpn-option "ping 15"                                     
    openvpn-option "reneg-sec 0"                                 
    persistent-tunnel                                            
    protocol udp                                                 
    remote-host xxx.xxx.xx.xxx                                   
    remote-port 1194                                             
    tls {                                                        
        auth-key ****************                                
        ca-certificate ***************                          
        tls-version-min 1.2                                      
    }                                                            
}
c-po changed the task status from Open to Confirmed.Sep 8 2021, 12:28 PM
c-po triaged this task as Normal priority.
c-po changed Difficulty level from Unknown (require assessment) to Easy (less than an hour).
c-po changed Why the issue appeared? from Will be filled on close to Design mistake.
c-po changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
c-po changed the task status from Confirmed to Needs testing.Sep 8 2021, 12:37 PM
c-po added a project: VyOS 1.3 Equuleus.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
c-po added a comment.Sep 8 2021, 12:43 PM

A new ISO 1.4-rolling-202109081242 is currently build - you may check in 30 minutes and try if this works for you - it did in my example config.

If you say that this change works as expected - I am going to backport it to VyOS 1.3 for the upcoming release.

c-po mentioned this in T3809: Not possible to add existing ca?.Sep 8 2021, 6:24 PM
c-po closed this task as Resolved.Sep 9 2021, 7:16 AM
c-po moved this task from Need Triage to 1.3.0-epa1 on the VyOS 1.3 Equuleus board.
c-po edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus (1.3.0-epa1) board.
amxj9 added a comment.Sep 9 2021, 10:44 AM

Sorry, I haven;t managed to test yet, due to some configuration migration errors leaving me unable to login. Will comment once I've confirmed though, most likely tomorrow.

amxj9 added a comment.Sep 10 2021, 7:51 AM

Change works as expected for me. Thank you!

lucasec added a subscriber: lucasec.Sep 11 2021, 8:58 AM

FYI, if your OpenVPN config relies on cert files or anything you uploaded into the config directory, you may need to change the owner to the openvpn user or widen file permissions. Oddly this only seems to affect equuleus, not sagitta (OpenVPN seems fine reading files owned by "root" out of "/config/auth").