#1 2021-05-10 19:54:54

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Root-less OpenVPN (used to work, broken after recent update)

Hi,

I know this issue is not directly related to Arch Linux, so I do apologize if posting this question here annoys anybody. In my defence, the system in question runs on Arch, both on the host and within the podman container.

I am running my VPN gateway within a root-less podman container - I use the setup from this section of the OpenVPN guide.

Everything was working fine until yesterday. Yesterday I updated the system within my unprivileged podman container, where I run the openvpn server, and it won't start anymore because OpenVPN tries to adjust the MTU of the tun device.

In the past I was setting up the tun device myself using systemd-networkd (including the MTU), and then within the container I was replacing the `ip` command with an empty script which always returned 0 - this kept OpenVPN happy. But yesterday I noticed the MTU is set through a different method; this is my log:

TUN/TAP device tun0 opened
net_iface_mtu_set: mtu 1500 for tun0
sitnl_send: rtnl: generic error (-1): Operation not permitted
Linux can't set mtu (1500) on tun0
Exiting due to fatal error

If I pull Arch from before November then everything works as it used to... So something changed within OpenVPN since they had a release in November.

Can somebody point me in the direction of what I can do to preserve my root-less setup and use the most up-to-date OpenVPN? I was looking at the -up argument, but it says the script specified within this argument is executed after the interface is up. Thanks for any hints!

Last edited by Gregosky (2021-05-10 21:08:37)


#2 2021-05-11 02:08:34

amish
Member
Registered: 2014-05-10
Posts: 470

Re: Root-less OpenVPN (used to work, broken after recent update)

Have you checked this change made in November to the OpenVPN service file by the Arch developers?

https://github.com/archlinux/svntogit-p … 5eb9b7203a

I do not know if your bug is related to it, but the "rtnl" error seems to be related to this post-install note: "OpenVPN now uses a netlink interface for network configuration"

Do you have any service file override set up somewhere?


#3 2021-05-11 09:57:03

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: Root-less OpenVPN (used to work, broken after recent update)

Hi @amish, thanks for your hint! I am running openvpn from within a podman container. I can run it without systemd (although I use systemd-networkd to create the tun device which openvpn then makes use of). So the change in the systemd scripts that you linked to is not directly related to my issue. However, what you wrote about the post-install note, that OpenVPN now uses a netlink interface for network configuration, would explain why I don't see openvpn using `ip` anymore... Looks like I'll have to read more about the netlink interface.


#4 2021-05-11 11:01:56

amish
Member
Registered: 2014-05-10
Posts: 470

Re: Root-less OpenVPN (used to work, broken after recent update)

You probably need to start OpenVPN with the specified capabilities. (Refer to the service file OR the above commit to know what capabilities you may need.)


#5 2021-05-11 11:30:53

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: Root-less OpenVPN (used to work, broken after recent update)

Thanks @amish - yep, I know about capabilities, and before November I was running OpenVPN without granting it any extra capabilities... It makes me a bit sad that I won't be able to run it that way anymore.


#6 2021-05-11 11:38:54

amish
Member
Registered: 2014-05-10
Posts: 470

Re: Root-less OpenVPN (used to work, broken after recent update)

While I think the netlink way is better, if you still want the iproute2 method then maybe you can recompile with --enable-iproute2.

But I am not sure if the OpenVPN developers will support it in future; they may deprecate / remove it completely.


#7 2021-05-11 11:41:51

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: Root-less OpenVPN (used to work, broken after recent update)

I definitely need to read about netlink; it looks like this change caught me off-guard. So once again many thanks for pointing me to this hint!


#8 2021-05-12 18:22:27

Gregosky
Member
From: UK
Registered: 2013-07-26
Posts: 174

Re: Root-less OpenVPN (used to work, broken after recent update)

Just a follow-up to whoever reads this.

In short - it does not look like it's possible to run OpenVPN the way I used to run it (within an unprivileged podman container with no extra capabilities).

This thread explains the switch to netlink.
This post mentions a potential issue I was afraid of - a process could get root just by being granted the CAP_NET_ADMIN capability.

As far as I can see, recompiling with --enable-iproute2 (as suggested by @amish above) is currently the only way to have openvpn running with no extra capabilities nor elevated permissions. I'll rebuild my podman image and update my hints here.

Last edited by Gregosky (2021-05-12 18:23:22)

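As an added check, not from the thread or from OpenVPN itself, the following POSIX shell helper decodes the CapEff mask that Linux reports in /proc/<pid>/status, so you can confirm inside the container whether CAP_NET_ADMIN is actually present before starting openvpn: without it the netlink EPERM shown in the first post is the expected outcome, and with it the container holds more than the "no extra capabilities" setup intended. The capability bit numbers are the kernel's; the function names and the sample masks are my own.

```shell
#!/bin/sh
# Capability bit numbers as defined by Linux in <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap MASK BIT: succeed when bit BIT is set in the hex mask MASK
# (MASK is the value printed after "CapEff:", e.g. 0000000000001000).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_report MASK: print the network-relevant capabilities present in
# MASK (or "none").  Exit status 0 means CAP_NET_ADMIN is absent, i.e. the
# process is in the no-extra-capabilities state the thread wants to keep;
# status 1 means the container has been granted CAP_NET_ADMIN, which the
# linked post warns is effectively root.
cap_report() {
    mask=$1
    found=""
    for entry in NET_BIND_SERVICE:$CAP_NET_BIND_SERVICE \
                 NET_ADMIN:$CAP_NET_ADMIN \
                 NET_RAW:$CAP_NET_RAW \
                 SYS_ADMIN:$CAP_SYS_ADMIN; do
        if has_cap "$mask" "${entry##*:}"; then
            found="${found:+$found }CAP_${entry%%:*}"
        fi
    done
    echo "${found:-none}"
    ! has_cap "$mask" "$CAP_NET_ADMIN"
}

# current_caps: CapEff of the calling shell; run this inside the podman
# container, before launching openvpn, with: cap_report "$(current_caps)"
current_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}
```

The same decoding applies to the CapBnd line if you want to confirm what the container could ever gain, not only what the shell currently holds.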