#1 2023-04-29 19:51:47

skyler
Member
Registered: 2023-04-29
Posts: 4

Openvpn WARNING: Failed running command (--up/--down): could not execu

I'm using OpenVPN and trying to use the Mullvad config.
Output of openvpn:
```
sudo openvpn --config /home/$USER/path/to/conf/mullvad_br_sao.conf
2023-04-29 16:49:04 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.
2023-04-29 16:49:04 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2023-04-29 16:49:04 Note: Kernel support for ovpn-dco missing, disabling data channel offload.
2023-04-29 16:49:04 WARNING: file 'mullvad_userpass.txt' is group or others accessible
2023-04-29 16:49:04 OpenVPN 2.6.3 [git:makepkg/94aad8c51043a805+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO] built on Apr 14 2023
2023-04-29 16:49:04 library versions: OpenSSL 3.0.8 7 Feb 2023, LZO 2.10
2023-04-29 16:49:04 DCO version: N/A
2023-04-29 16:49:04 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2023-04-29 16:49:04 TCP/UDP: Preserving recently used remote address: [AF_INET]177.67.80.186:1194
2023-04-29 16:49:04 Socket Buffers: R=[212992->425984] S=[212992->425984]
2023-04-29 16:49:04 UDPv4 link local: (not bound)
2023-04-29 16:49:04 UDPv4 link remote: [AF_INET]177.67.80.186:1194
2023-04-29 16:49:04 TLS: Initial packet from [AF_INET]177.67.80.186:1194, sid=b7f07925 fc188c11
2023-04-29 16:49:04 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2023-04-29 16:49:04 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=security@mullvad.net
2023-04-29 16:49:04 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v5, emailAddress=security@mullvad.net
2023-04-29 16:49:04 VERIFY KU OK
2023-04-29 16:49:04 Validating certificate extended key usage
2023-04-29 16:49:04 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2023-04-29 16:49:04 VERIFY EKU OK
2023-04-29 16:49:04 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=br-sao-001.mullvad.net, emailAddress=security@mullvad.net
2023-04-29 16:49:04 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2023-04-29 16:49:04 [br-sao-001.mullvad.net] Peer Connection Initiated with [AF_INET]177.67.80.186:1194
2023-04-29 16:49:04 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-04-29 16:49:04 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-04-29 16:49:05 SENT CONTROL [br-sao-001.mullvad.net]: 'PUSH_REQUEST' (status=1)
2023-04-29 16:49:08 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.8.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1194::1014/64 fdda:d0d0:cafe:1194::,ifconfig 10.8.0.22 255.255.0.0,peer-id 18,cipher CHACHA20-POLY1305'
2023-04-29 16:49:08 OPTIONS IMPORT: --socket-flags option modified
2023-04-29 16:49:08 NOTE: setsockopt TCP_NODELAY=1 failed
2023-04-29 16:49:08 OPTIONS IMPORT: --ifconfig/up options modified
2023-04-29 16:49:08 OPTIONS IMPORT: route options modified
2023-04-29 16:49:08 OPTIONS IMPORT: route-related options modified
2023-04-29 16:49:08 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2023-04-29 16:49:08 net_route_v4_best_gw query: dst 0.0.0.0
2023-04-29 16:49:08 net_route_v4_best_gw result: via 192.168.0.1 dev eth0
2023-04-29 16:49:08 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=eth0 HWADDR=4c:cc:6a:4b:25:1c
2023-04-29 16:49:08 GDG6: remote_host_ipv6=n/a
2023-04-29 16:49:08 net_route_v6_best_gw query: dst ::
2023-04-29 16:49:08 net_route_v6_best_gw result: via fe80::5a90:43ff:fe5c:3d43 dev eth0
2023-04-29 16:49:08 ROUTE6_GATEWAY fe80::5a90:43ff:fe5c:3d43 IFACE=eth0
2023-04-29 16:49:08 TUN/TAP device tun0 opened
2023-04-29 16:49:08 net_iface_mtu_set: mtu 1500 for tun0
2023-04-29 16:49:08 net_iface_up: set tun0 up
2023-04-29 16:49:08 net_addr_v4_add: 10.8.0.22/16 dev tun0
2023-04-29 16:49:08 net_iface_mtu_set: mtu 1500 for tun0
2023-04-29 16:49:08 net_iface_up: set tun0 up
2023-04-29 16:49:08 net_addr_v6_add: fdda:d0d0:cafe:1194::1014/64 dev tun0
2023-04-29 16:49:08 /etc/openvpn/update-resolv-conf tun0 1500 0 10.8.0.22 255.255.0.0 init
2023-04-29 16:49:08 WARNING: Failed running command (--up/--down): could not execute external program
2023-04-29 16:49:08 Exiting due to fatal error
```
the conf itself:

```
client
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
proto udp
auth-user-pass mullvad_userpass.txt
ca mullvad_ca.crt
tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
fast-io
remote 177.67.80.186 1194 # br-sao-001
```
and the update-resolv-conf:
```
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
#     foreign_option_1='dhcp-option DNS 193.43.27.132'
#     foreign_option_2='dhcp-option DNS 193.43.27.133'
#     foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
#

[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0

split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}

case "$script_type" in
  up)
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    R=""
    [ "$SRCHS" ] && R="search $SRCHS
"
    for NS in $NMSRVRS ; do
            R="${R}nameserver $NS
"
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
    ;;
  down)
    /sbin/resolvconf -d "${dev}.openvpn"
    ;;
esac
```

#2 2023-04-29 21:02:15

-thc
Member
Registered: 2017-03-15
Posts: 496

Re: Openvpn WARNING: Failed running command (--up/--down): could not execu

Please use code tags for logs or configuration files.

Your OpenVPN server pushes several connection options to your client:

```
2023-04-29 16:49:08 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.8.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.8.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1194::1014/64 fdda:d0d0:cafe:1194::,ifconfig 10.8.0.22 255.255.0.0,peer-id 18,cipher CHACHA20-POLY1305'
```

One of them is an IPv4 address of a new primary DNS server (10.8.0.1) for the duration of your VPN connection.
The Mullvad conf file assumes "update-resolv-conf" is needed - but that may not be the case.
How this DNS server should be set (and removed) correctly depends on your network management. Which one do you use?

Last edited by -thc (2023-04-29 21:03:10)

#3 2023-04-29 21:24:07

skyler
Member
Registered: 2023-04-29
Posts: 4

Re: Openvpn WARNING: Failed running command (--up/--down): could not execu

Sorry for the code tags, I thought that this uses markdown. Anyway, if I understand your question, I have a static IP address and I use NetworkManager.

#4 2023-04-30 07:47:54

-thc
Member
Registered: 2017-03-15
Posts: 496

Re: Openvpn WARNING: Failed running command (--up/--down): could not execu

The most convenient way would be to install "networkmanager-openvpn" and import the conf file (after editing - see below) as a new VPN in the connection editor. You can start/stop the VPN via NetworkManager applet.

There are a few caveats:

- Please comment out or delete the two "up/down /etc/openvpn/update-resolv-conf" lines - NetworkManager does the DNS reconfiguration on its own.

- NetworkManager does the permanent storage of passwords via "system-connections"-file (for all users) or the user's keyring (for you only).

Last edited by -thc (2023-04-30 07:59:21)
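
Added example, not part of the thread and not code from OpenVPN or Mullvad: a shell helper for the config edit described in post #4. It reports why each `up`/`down` script could fail to execute, writes a copy of the config with those lines commented out, and checks the credentials file mode behind the "group or others accessible" warning in the log. The function names are illustrative and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c) and a config
# shaped like the one posted in #1; all paths are supplied by the caller.

# Why would OpenVPN fail to execute this --up/--down script? Prints one word.
hook_status() {
    [ -e "$1" ] || { echo missing; return; }
    [ -x "$1" ] || { echo not-executable; return; }
    # A "#!" line that names an absent interpreter also makes execve() fail.
    interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    [ -z "$interp" ] || [ -x "$interp" ] || { echo bad-interpreter; return; }
    echo ok
}

# List the script paths named by "up" and "down" directives in a config.
list_hooks() {
    awk '$1 == "up" || $1 == "down" { print $2 }' "$1"
}

# Copy the config with the up/down lines commented out, as post #4 asks,
# so NetworkManager handles DNS instead of update-resolv-conf.
strip_hooks() {
    awk '$1 == "up" || $1 == "down" { print "# " $0; next } { print }' "$1" > "$2"
}

# "loose" if group or others have any access to the credentials file
# (the condition behind the WARNING in the log), otherwise "tight".
cred_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    case $mode in 0|*00) echo tight ;; *) echo loose ;; esac
}

# Usage: sh prepare.sh <config> <output-config> <userpass-file>
if [ "$#" -eq 3 ]; then
    for h in $(list_hooks "$1"); do
        echo "hook $h: $(hook_status "$h")"
    done
    strip_hooks "$1" "$2"
    [ "$(cred_perms "$3")" = tight ] || chmod 600 "$3"
    echo "now run: nmcli connection import type openvpn file $2"
fi
```

The final `nmcli connection import` step needs the "networkmanager-openvpn" package mentioned in post #4.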
