You are not logged in.

#1 2020-11-09 16:56:21

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,111
Website

[WORKAROUND] OpenVPN client broken after recent update

After the update to openvpn-2.5.0-3 my OpenVPN clients can no longer configure routes pushed by the OpenVPN server due to the system unit now running as an unprivileged user.
The update notice stated:

:: OpenVPN now uses a netlink interface for network configuration. The systemd
   units start the process with a dedicated unprivileged user 'openvpn', with
   extra capabilities(7). The configuration should no longer drop privileges,
   so remove 'user' and 'group' directives.
   Scripts that require elevated privileges may need a workaround.

I read this as: "The systemd units shipped with the OpenVPN package are now useless if you want your client to configure pushed routes".
If this is really true, do I really need to write my own systemd units now, so that the OpenVPN client can configure pushed routes?
In other words: How do I get my client working again and properly configure pushed routes?

On a second note, I cannot resist to point out, that I am unsatisfied with the information policy regarding such a drastic change which is breaking common and proven VPN setups.
A pacman message is a good thing, but I would have liked to see an Arch News article on this or at least get a heads-up on the arch-devel-public list.

Last edited by schard (2020-11-10 09:04:40)


Inofficial first vice president of the Rust Evangelism Strike Force

Offline

#2 2020-11-09 18:33:10

demaio
Member
From: Germany
Registered: 2012-09-02
Posts: 101
Website

Re: [WORKAROUND] OpenVPN client broken after recent update

The pushed routes from my OpenVPN server still work with the new Openvpn 2.5.0-3 package and its unpriviliged "openvpn" user. I looked at the Openvpn 2.5 changelog and found:

Netlink support

    On Linux, if configured without --enable-iproute2, configuring IP addresses and adding/removing routes is now done via the netlink(3) kernel interface. This is much faster than calling ifconfig or route and also enables OpenVPN to run with less privileges.

    If configured with --enable-iproute2, the ip command is used (as in 2.4). Support for ifconfig and route is gone.

I did and do not use the "user" and "group" directives in the openvpn client config btw. Do you?

Offline

#3 2020-11-09 18:36:42

crazystick
Member
Registered: 2012-11-22
Posts: 7

Re: [WORKAROUND] OpenVPN client broken after recent update

I have the same problem as @schard. I don't use user or group directives either.

Offline

#4 2020-11-10 07:03:29

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,111
Website

Re: [WORKAROUND] OpenVPN client broken after recent update

I did never use privilege drops. Configuration:

0 ✓ 434 /etc/openvpn/client $ ls -la
insgesamt 28
drwxr-x--- 2 openvpn network 4096 10. Nov 07:53 .
drwxr-xr-x 4 root    root    4096  9. Nov 15:16 ..
-rw-r----- 1 openvpn network 5959 20. Feb 2017  105.1031002.crt
-rw-r----- 1 openvpn network 1704 20. Feb 2017  105.1031002.key
-rw-r----- 1 openvpn network 2049  7. Mai 2015  ca.crt
-rw------- 1 openvpn network 3849 27. Feb 2017  terminals.conf
# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Windows adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote REDACTED 1194
remote REDACTED 1194
remote REDACTED 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca ca.crt
cert 105.1031002.crt
key 105.1031002.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher CAMELLIA-256-CBC
auth SHA512

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

Status after upgrade:

$ journalctl -au openvpn-client@terminals --since=now --follow
-- Logs begin at Thu 2019-02-07 10:20:54 CET. --
Nov 10 07:56:34 434 openvpn[34169]: event_wait : Interrupted system call (code=4)
Nov 10 07:56:34 434 openvpn[34169]: net_route_v4_del: 10.8.0.0/16 via 10.8.0.1 dev [NULL] table 0 metric -1
Nov 10 07:56:34 434 openvpn[34169]: Closing TUN/TAP interface
Nov 10 07:56:34 434 openvpn[34169]: net_addr_v4_del: 10.8.1.188 dev tun0
Nov 10 07:56:34 434 systemd[1]: Stopping OpenVPN tunnel for terminals...
Nov 10 07:56:34 434 openvpn[34169]: SIGTERM[hard,] received, process exiting
Nov 10 07:56:34 434 systemd[1]: openvpn-client@terminals.service: Succeeded.
Nov 10 07:56:34 434 systemd[1]: Stopped OpenVPN tunnel for terminals.
Nov 10 07:56:34 434 systemd[1]: Starting OpenVPN tunnel for terminals...
Nov 10 07:56:34 434 openvpn[34185]: DEPRECATED OPTION: --cipher set to 'CAMELLIA-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'CAMELLIA-256-CBC' to --data-ciphers or change --cipher 'CAMELLIA-256-CBC' to --data-ciphers-fallback 'CAMELLIA-256-CBC' to silence this warning.
Nov 10 07:56:34 434 openvpn[34185]: WARNING: file '105.1031002.key' is group or others accessible
Nov 10 07:56:34 434 openvpn[34185]: OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
Nov 10 07:56:34 434 openvpn[34185]: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Nov 10 07:56:34 434 openvpn[34185]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Nov 10 07:56:34 434 systemd[1]: Started OpenVPN tunnel for terminals.
Nov 10 07:56:34 434 openvpn[34185]: TCP/UDP: Preserving recently used remote address: [AF_INET]REDACTED:1194
Nov 10 07:56:34 434 openvpn[34185]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Nov 10 07:56:34 434 openvpn[34185]: UDP link local: (not bound)
Nov 10 07:56:34 434 openvpn[34185]: UDP link remote: [AF_INET]REDACTED:1194
Nov 10 07:56:34 434 openvpn[34185]: TLS: Initial packet from [AF_INET]REDACTED:1194, sid=a958e792 309d356b
Nov 10 07:56:34 434 openvpn[34185]: VERIFY OK: nsCertType=SERVER
Nov 10 07:56:34 434 openvpn[34185]: VERIFY OK: depth=0, C=DE, ST=NI, L=Hannover, O=HOMEINFO - Digitale Informationssysteme GmbH, OU=Terminal Network, CN=srv, name=Terminals, emailAddress=REDACTED
Nov 10 07:56:34 434 openvpn[34185]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Nov 10 07:56:34 434 openvpn[34185]: [srv] Peer Connection Initiated with [AF_INET]REDACTED:1194
Nov 10 07:56:36 434 openvpn[34185]: SENT CONTROL [srv]: 'PUSH_REQUEST' (status=1)
Nov 10 07:56:36 434 openvpn[34185]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.0.0,route 10.200.200.0 255.255.255.0,topology subnet,route-gateway 10.8.0.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.8.1.188 255.255.0.0,peer-id 775,cipher AES-256-GCM'
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: route options modified
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: route-related options modified
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: peer-id set
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 10 07:56:36 434 openvpn[34185]: OPTIONS IMPORT: data channel crypto options modified
Nov 10 07:56:36 434 openvpn[34185]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 10 07:56:36 434 openvpn[34185]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 07:56:36 434 openvpn[34185]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 07:56:36 434 openvpn[34185]: net_route_v4_best_gw query: dst 0.0.0.0
Nov 10 07:56:36 434 openvpn[34185]: net_route_v4_best_gw result: via 77.21.144.254 dev enp3s0
Nov 10 07:56:36 434 openvpn[34185]: ROUTE_GATEWAY 77.21.144.254/255.255.255.0 IFACE=enp3s0 HWADDR=00:30:18:cc:4c:04
Nov 10 07:56:36 434 openvpn[34185]: TUN/TAP device tun0 opened
Nov 10 07:56:36 434 openvpn[34185]: net_iface_mtu_set: mtu 1500 for tun0
Nov 10 07:56:36 434 openvpn[34185]: net_iface_up: set tun0 up
Nov 10 07:56:36 434 openvpn[34185]: net_addr_v4_add: 10.8.1.188/16 dev tun0
Nov 10 07:56:36 434 openvpn[34185]: net_route_v4_add: 10.8.0.0/16 via 10.8.0.1 dev [NULL] table 0 metric -1
Nov 10 07:56:36 434 openvpn[34185]: net_route_v4_add: 10.200.200.0/24 via 10.8.0.1 dev [NULL] table 0 metric -1
Nov 10 07:56:36 434 openvpn[34185]: sitnl_send: rtnl: generic error (-101): Network is unreachable
Nov 10 07:56:36 434 openvpn[34185]: ERROR: Linux route add command failed
Nov 10 07:56:36 434 openvpn[34185]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 10 07:56:36 434 openvpn[34185]: Initialization Sequence Completed
$ ip route
default via 77.21.144.254 dev enp3s0 proto dhcp src 77.21.144.123 metric 1024 
10.8.0.0/16 via 10.8.0.1 dev tun0 
77.21.144.0/24 dev enp3s0 proto kernel scope link src 77.21.144.123 
77.21.144.254 dev enp3s0 proto dhcp scope link src 77.21.144.123 metric 1024

After downgrade to openvpn-2.4.9-2 via

pacman -U /var/cache/pacman/pkg/openvpn-2.4.9-2-x86_64.pkg.tar.zst
0 ✓ homeinfo@434 ~ $ journalctl -au openvpn-client@terminals --since=now --follow
-- Logs begin at Thu 2019-02-07 10:20:54 CET. --
Nov 10 08:01:39 434 openvpn[34371]: event_wait : Interrupted system call (code=4)
Nov 10 08:01:39 434 openvpn[34371]: /usr/bin/ip route del 10.200.200.0/24
Nov 10 08:01:39 434 systemd[1]: Stopping OpenVPN tunnel for terminals...
Nov 10 08:01:39 434 openvpn[34371]: Closing TUN/TAP interface
Nov 10 08:01:39 434 openvpn[34371]: /usr/bin/ip addr del dev tun0 10.8.1.188/16
Nov 10 08:01:39 434 openvpn[34371]: SIGTERM[hard,] received, process exiting
Nov 10 08:01:39 434 systemd[1]: openvpn-client@terminals.service: Succeeded.
Nov 10 08:01:39 434 systemd[1]: Stopped OpenVPN tunnel for terminals.
Nov 10 08:01:39 434 systemd[1]: Starting OpenVPN tunnel for terminals...
Nov 10 08:01:39 434 openvpn[34431]: WARNING: file '105.1031002.key' is group or others accessible
Nov 10 08:01:39 434 openvpn[34431]: OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
Nov 10 08:01:39 434 openvpn[34431]: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Nov 10 08:01:39 434 openvpn[34431]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Nov 10 08:01:39 434 systemd[1]: Started OpenVPN tunnel for terminals.
Nov 10 08:01:39 434 openvpn[34431]: TCP/UDP: Preserving recently used remote address: [AF_INET]REDACTED:1194
Nov 10 08:01:39 434 openvpn[34431]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Nov 10 08:01:39 434 openvpn[34431]: UDP link local: (not bound)
Nov 10 08:01:39 434 openvpn[34431]: UDP link remote: [AF_INET]REDACTED:1194
Nov 10 08:01:39 434 openvpn[34431]: TLS: Initial packet from [AF_INET]REDACTED:1194, sid=0d801e2e 5a9d7e62
Nov 10 08:01:39 434 openvpn[34431]: VERIFY OK: nsCertType=SERVER
Nov 10 08:01:39 434 openvpn[34431]: VERIFY OK: depth=0, C=DE, ST=NI, L=Hannover, O=HOMEINFO - Digitale Informationssysteme GmbH, OU=Terminal Network, CN=srv, name=Terminals, emailAddress=REDACTED
Nov 10 08:01:39 434 openvpn[34431]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Nov 10 08:01:39 434 openvpn[34431]: [srv] Peer Connection Initiated with [AF_INET]REDACTED:1194
Nov 10 08:01:40 434 openvpn[34431]: SENT CONTROL [srv]: 'PUSH_REQUEST' (status=1)
Nov 10 08:01:40 434 openvpn[34431]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.0 255.255.0.0,route 10.200.200.0 255.255.255.0,topology subnet,route-gateway 10.8.0.1,topology subnet,ping 30,ping-restart 120,ifconfig 10.8.1.188 255.255.0.0,peer-id 269,cipher AES-256-GCM'
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: route options modified
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: route-related options modified
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: peer-id set
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 10 08:01:40 434 openvpn[34431]: OPTIONS IMPORT: data channel crypto options modified
Nov 10 08:01:40 434 openvpn[34431]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 10 08:01:40 434 openvpn[34431]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 08:01:40 434 openvpn[34431]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 08:01:40 434 openvpn[34431]: ROUTE_GATEWAY 77.21.144.254/255.255.255.0 IFACE=enp3s0 HWADDR=00:30:18:cc:4c:04
Nov 10 08:01:40 434 openvpn[34431]: TUN/TAP device tun0 opened
Nov 10 08:01:40 434 openvpn[34431]: TUN/TAP TX queue length set to 100
Nov 10 08:01:40 434 openvpn[34431]: /usr/bin/ip link set dev tun0 up mtu 1500
Nov 10 08:01:40 434 openvpn[34431]: /usr/bin/ip addr add dev tun0 10.8.1.188/16 broadcast 10.8.255.255
Nov 10 08:01:40 434 openvpn[34431]: /usr/bin/ip route add 10.8.0.0/16 via 10.8.0.1
Nov 10 08:01:40 434 openvpn[34436]: RTNETLINK answers: File exists
Nov 10 08:01:40 434 openvpn[34431]: ERROR: Linux route add command failed: external program exited with error status: 2
Nov 10 08:01:40 434 openvpn[34431]: /usr/bin/ip route add 10.200.200.0/24 via 10.8.0.1
Nov 10 08:01:40 434 openvpn[34431]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 10 08:01:40 434 openvpn[34431]: Initialization Sequence Completed
$ ip route
default via 77.21.144.254 dev enp3s0 proto dhcp src 77.21.144.123 metric 1024 
10.8.0.0/16 dev tun0 proto kernel scope link src 10.8.1.188 
10.200.200.0/24 via 10.8.0.1 dev tun0 
77.21.144.0/24 dev enp3s0 proto kernel scope link src 77.21.144.123 
77.21.144.254 dev enp3s0 proto dhcp scope link src 77.21.144.123 metric 1024

So the question remains, why the pushed route

10.200.200.0/24 via 10.8.0.1 dev tun0

is no longer set after the upgrade?

Solution / Workaround
The error seems to be in

ERROR: Linux route add command failed

When I attempt to set the route manually like OpenVPN does, I get

$ sudo ip route add 10.200.200.0/24 via 10.8.0.1 dev tun0
Error: Nexthop has invalid gateway.

I am not sure why this happens, since the address 10.8.0.1 is on the VPN.
However, I figured out, that setting the route with the respective system's VPN address as gateway works:

$ sudo ip route add 10.200.200.0/24 via 10.8.1.188 dev tun0

So, I moved the route pushing to the respecive client's ccd file and added the explicit nexthop:

ifconfig-push 10.8.1.188 255.255.0.0
push "route 10.8.0.0 255.255.0.0"
push "route 10.200.200.0 255.255.255.0 10.8.1.188"

Which seems to work fine so far:

$ journalctl -au openvpn-client@terminals -b --no-pager
-- Logs begin at Tue 2019-03-12 11:18:27 CET, end at Tue 2020-11-10 10:00:28 CET. --
Nov 10 09:58:33 434 systemd[1]: Starting OpenVPN tunnel for terminals...
Nov 10 09:58:39 434 openvpn[394]: DEPRECATED OPTION: --cipher set to 'CAMELLIA-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'CAMELLIA-256-CBC' to --data-ciphers or change --cipher 'CAMELLIA-256-CBC' to --data-ciphers-fallback 'CAMELLIA-256-CBC' to silence this warning.
Nov 10 09:58:39 434 systemd[1]: Started OpenVPN tunnel for terminals.
Nov 10 09:58:39 434 openvpn[394]: WARNING: file '105.1031002.key' is group or others accessible
Nov 10 09:58:39 434 openvpn[394]: OpenVPN 2.5.0 [git:makepkg/a73072d8f780e888+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  6 2020
Nov 10 09:58:39 434 openvpn[394]: library versions: OpenSSL 1.1.1h  22 Sep 2020, LZO 2.10
Nov 10 09:58:39 434 openvpn[394]: WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Nov 10 09:58:39 434 openvpn[394]: TCP/UDP: Preserving recently used remote address: [AF_INET]REDACTED:1194
Nov 10 09:58:39 434 openvpn[394]: Socket Buffers: R=[212992->212992] S=[212992->212992]
Nov 10 09:58:39 434 openvpn[394]: UDP link local: (not bound)
Nov 10 09:58:39 434 openvpn[394]: UDP link remote: [AF_INET]REDACTED:1194
Nov 10 09:58:39 434 openvpn[394]: TLS: Initial packet from [AF_INET]REDACTED:1194, sid=0668864d a71f4a2d
Nov 10 09:58:39 434 openvpn[394]: VERIFY OK: nsCertType=SERVER
Nov 10 09:58:39 434 openvpn[394]: VERIFY OK: depth=0, C=DE, ST=NI, L=Hannover, O=HOMEINFO - Digitale Informationssysteme GmbH, OU=Terminal Network, CN=srv, name=Terminals, emailAddress=REDACTED
Nov 10 09:58:39 434 openvpn[394]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Nov 10 09:58:39 434 openvpn[394]: [srv] Peer Connection Initiated with [AF_INET]REDACTED:1194
Nov 10 09:58:40 434 openvpn[394]: SENT CONTROL [srv]: 'PUSH_REQUEST' (status=1)
Nov 10 09:58:40 434 openvpn[394]: PUSH: Received control message: 'PUSH_REPLY,topology subnet,route-gateway 10.8.0.1,topology subnet,ping 30,ping-restart 120,route 10.8.0.0 255.255.0.0,route 10.200.200.0 255.255.255.0 10.8.1.188,ifconfig 10.8.1.188 255.255.0.0,peer-id 0,cipher AES-256-GCM'
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: timers and/or timeouts modified
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: --ifconfig/up options modified
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: route options modified
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: route-related options modified
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: peer-id set
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: adjusting link_mtu to 1624
Nov 10 09:58:40 434 openvpn[394]: OPTIONS IMPORT: data channel crypto options modified
Nov 10 09:58:40 434 openvpn[394]: Data Channel: using negotiated cipher 'AES-256-GCM'
Nov 10 09:58:40 434 openvpn[394]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 09:58:40 434 openvpn[394]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Nov 10 09:58:40 434 openvpn[394]: net_route_v4_best_gw query: dst 0.0.0.0
Nov 10 09:58:40 434 openvpn[394]: net_route_v4_best_gw result: via 77.23.43.254 dev enp3s0
Nov 10 09:58:40 434 openvpn[394]: ROUTE_GATEWAY 77.23.43.254/255.255.255.0 IFACE=enp3s0 HWADDR=00:30:18:cc:4c:04
Nov 10 09:58:40 434 openvpn[394]: TUN/TAP device tun0 opened
Nov 10 09:58:40 434 openvpn[394]: net_iface_mtu_set: mtu 1500 for tun0
Nov 10 09:58:40 434 openvpn[394]: net_iface_up: set tun0 up
Nov 10 09:58:40 434 openvpn[394]: net_addr_v4_add: 10.8.1.188/16 dev tun0
Nov 10 09:58:40 434 openvpn[394]: net_route_v4_add: 10.8.0.0/16 via 10.8.0.1 dev [NULL] table 0 metric -1
Nov 10 09:58:40 434 openvpn[394]: net_route_v4_add: 10.200.200.0/24 via 10.8.1.188 dev [NULL] table 0 metric -1
Nov 10 09:58:40 434 openvpn[394]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 10 09:58:40 434 openvpn[394]: Initialization Sequence Completed
$ ip route
default via 77.23.43.254 dev enp3s0 proto dhcp src 77.23.43.37 metric 1024 
10.8.0.0/16 via 10.8.0.1 dev tun0 
10.200.200.0/24 via 10.8.1.188 dev tun0 
77.23.43.0/24 dev enp3s0 proto kernel scope link src 77.23.43.37 
77.23.43.254 dev enp3s0 proto dhcp scope link src 77.23.43.37 metric 1024

Update
To address the issue of possibly faulty permissions after the upgrade, I added this ALPM hook:

[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = openvpn

[Action]
Description = Updating ownership of OpenVPN configuration...
When = PostTransaction
Exec = /usr/bin/chown -R openvpn.network /etc/openvpn/client /etc/openvpn/server

Note that you'll need to ensure that it runs *after* 20-systemd-sysusers.hook.

Last edited by schard (2020-11-10 12:12:49)


Inofficial first vice president of the Rust Evangelism Strike Force

Offline

#5 2020-11-30 10:13:45

crazystick
Member
Registered: 2012-11-22
Posts: 7

Re: [WORKAROUND] OpenVPN client broken after recent update

Turns out my issue was something different - missing cipher. After enabling that in my client config, the latest OpenVPN is working for me with no changes needed.

Offline

Board footer

Powered by FluxBB