Your message dated Thu, 23 Jul 2009 13:24:23 +0200
with message-id <[email protected]>
and subject line Not a bug, solution explained in the report
has caused the Debian Bug report #382470,
regarding Own OPENVPN user and group with access to /dev/net/tun
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
382470: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=382470
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.0-1sarge3
Severity: wishlist
In most cases I use the Downgrade privileges to drop openvpn to user nobody.
This can cause problems, because when the push options are changed on
the server the clients will terminate.
-----------------------------------------------------------------------------------------------
Aug 11 03:11:34 localhost ovpn-client[18092]: Preserving previous TUN/TAP instance: tun0
Aug 11 03:11:34 localhost ovpn-client[18092]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Aug 11 03:11:34 localhost ovpn-client[18092]: /sbin/route del -net 10.8.0.0 netmask 255.255.0.0
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete command failed: shell command exited with error status: 7
Aug 11 03:11:34 localhost ovpn-client[18092]: /sbin/route del -net 10.10.0.0 netmask 255.255.0.0
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete command failed: shell command exited with error status: 7
Aug 11 03:11:34 localhost ovpn-client[18092]: Closing TUN/TAP interface
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Aug 11 03:11:35 localhost ovpn-client[18092]: Cannot allocate TUN/TAP dev dynamically
Aug 11 03:11:35 localhost ovpn-client[18092]: Exiting
-------------------------------------------------------------------------------------------------
/dev/net/tun is owned by root, so openvpn can't reopen the device.
Btw, I haven't restarted the server by myself, the connection broke
because the DSL line disconnected, so this can happen often.
It's not very serious, you can run openvpn as root, or create the
user/group for this yourself. Perhaps it's even a security problem to
give the user access to tun, I don't know that.
In case it's not a security problem, I would really recommend this to be
default.
--
Mit freundlichen Grüßen / Best regards
Christian Michallek
IT Management und Integration
DATA CONSULT SYSTEMHAUS GMBH
Bahnhofstraße 26
36037 Fulda
Tel.: 0661- 9339-481
Fax: 0661- 9337-567
eMail: [email protected]
http://www.data-consult.com
--- End Message ---
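
An added example, not part of the original report and not OpenVPN code: a Python check that scans syslog output for the failure sequence in the report's log (pulled options changed on restart, reopen of /dev/net/tun denied with errno=13, client exit), so affected clients can be spotted after a reconnect. The function names, the `SAMPLE` excerpt and the PID 20001 line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# syslog record: "Aug 11 03:11:34 host tag[pid]: message"
LINE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ "
                  r"(?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Failure stages in order; substrings are taken from the log in the report.
STAGES = [("Pulled options changed on restart",),
          ("Cannot open TUN/TAP dev", "errno=13"),
          ("Exiting",)]
# Constructed sample: PID 18092 lines excerpted from the report (some hard-wrapped); PID 20001 is made up.
SAMPLE = """\
Aug 11 03:11:34 localhost ovpn-client[18092]: NOTE: Pulled options
changed on restart, will need to close and reopen TUN/TAP device.
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete
command failed: shell command exited with error status: 7
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Cannot open TUN/TAP
dev /dev/net/tun: Permission denied (errno=13)
Aug 11 03:11:35 localhost ovpn-client[18092]: Exiting
Aug 11 03:12:01 localhost ovpn-client[20001]: Exiting
"""

def unwrap(text):
    """Join hard-wrapped continuation lines onto the syslog record they belong to."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw):
            records.append(raw.rstrip())
        elif records and raw.strip():
            records[-1] += " " + raw.strip()
    return records

def find_reopen_failures(text):
    """Return {pid: details} for processes that logged every stage, in order."""
    progress, route_errors, hits = defaultdict(int), defaultdict(int), {}
    for rec in unwrap(text):
        m = LINE.match(rec)
        pid, msg = m["pid"], m["msg"]
        if "route delete command failed" in msg:
            route_errors[pid] += 1  # side effect of the same missing privileges
        stage = progress[pid]
        if stage < len(STAGES) and all(s in msg for s in STAGES[stage]):
            progress[pid] += 1
            if progress[pid] == len(STAGES):
                hits[pid] = {"tag": m["tag"], "failed_route_deletes": route_errors[pid]}
    return hits

if __name__ == "__main__":
    print(find_reopen_failures(SAMPLE))
```

Matching is per PID and order-sensitive, so a client that merely logs `Exiting` is not reported.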
--- Begin Message ---
I'm closing this report since it's not a bug, and a possible solution
was given.
Thanks,
Alberto
--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3
--- End Message ---