Bug#976070: openvpn fails with iproute option

2022-08-12 Thread Bernhard Schmidt
On 29/11/20 11:05 AM, Glennie Vignarajah wrote:

> In order to use openvpn with non root privileges, iproute is needed as
> stated in openvpn's howto document [1]. By default, iproute is disabled
> on compile time and needs to be enabled with ``--enable-iproute2``.

Upstream has now added the option for openvpn to retain the
CAP_NET_ADMIN capability while dropping privileges. OpenVPN now works
correctly with --user something.

Bernhard



Bug#976070: openvpn fails with iproute option

2021-01-01 Thread Sylvain Archenault
Hello,

Has any progress been made on this? I tried to apply the Arch patch
manually, but either it doesn't work or I didn't do it right.

Downgrading to 2.4 is the only workaround for me

Thank you



Bug#976070: openvpn fails with iproute option

2020-11-30 Thread Bernhard Schmidt
On Sun, Nov 29, 2020 at 11:05:36AM +0100, Glennie Vignarajah wrote:

Hi,

> Hello,
> In order to use openvpn with non root privileges, iproute is needed as
> stated in openvpn's howto document [1]. By default, iproute is disabled
> on compile time and needs to be enabled with ``--enable-iproute2``.
> 
> Could you, please, rebuild the openvpn package with this option?
> 
> Many thanks and kind regards
> 
> 1: https://community.openvpn.net/openvpn/wiki/HOWTO#UnprivilegedmodeLinuxonly

Upstream actually suggested to drop iproute2 and use the newer netlink
based approach.

---
Netlink support
On Linux, if configured without ``--enable-iproute2``, configuring IP
addresses and adding/removing routes is now done via the netlink(3)
kernel interface.  This is much faster than calling ``ifconfig`` or
``route`` and also enables OpenVPN to run with less privileges.
---

However, there is a bug over with ArchLinux that suggests this does not
work out-of-the-box when you set User/Group in the configuration as
opposed to setting it in the systemd unit

https://bugs.archlinux.org/task/68480

(did not load for me at the moment, Google Cache helped)

Could you try a fix similar to the one Arch used in 

https://github.com/archlinux/svntogit-packages/commit/a871e4297bb73be9c9f5eeb33630b24766366ac5#diff-d7067e90cf384bf5e9e8791cc82be773e5bce9152438b1b51ae424b0c111d1fc

That is, set the user inside the systemd unit instead of in the openvpn
config and add AmbientCapabilities?

Bernhard
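
A check for the outcome this thread is after (OpenVPN running as a non-root user that still holds CAP_NET_ADMIN), as an added example that is not part of any message here or of the openvpn package. It reads the `Uid` and `CapEff` fields of `/proc/<pid>/status`; the function names, the UID 997 and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a process from the text of /proc/<pid>/status.
CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN is capability 12 in linux/capability.h

# status_field NAME COLUMN: print one column of a status line read from stdin.
status_field() {
    awk -v key="$1:" -v col="$2" '$1 == key { print $col; exit }'
}

# has_cap HEXMASK BIT: succeed if BIT is set in the capability mask.
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# check_status: read status text on stdin and print one verdict:
#   root    - effective UID is still 0, privileges were not dropped
#   ok      - unprivileged UID that kept CAP_NET_ADMIN
#   missing - unprivileged UID without CAP_NET_ADMIN
check_status() {
    text=$(cat)
    euid=$(printf '%s\n' "$text" | status_field Uid 3)      # column 3 = effective UID
    capeff=$(printf '%s\n' "$text" | status_field CapEff 2) # effective capability mask
    if [ "$euid" = 0 ]; then
        echo root
    elif has_cap "$capeff" "$CAP_NET_ADMIN_BIT"; then
        echo ok
    else
        echo missing
    fi
}

# Constructed samples (not captured from a real system).
SAMPLE_KEPT=$(printf 'Name:\topenvpn\nUid:\t997\t997\t997\t997\nCapEff:\t0000000000001000\n')
SAMPLE_LOST=$(printf 'Name:\topenvpn\nUid:\t997\t997\t997\t997\nCapEff:\t0000000000000000\n')

if [ $# -gt 0 ]; then
    # Usage: sh check.sh <pid of the running openvpn process>
    check_status < "/proc/$1/status"
else
    printf '%s\n' "$SAMPLE_KEPT" | check_status
    printf '%s\n' "$SAMPLE_LOST" | check_status
fi
```

A `missing` verdict corresponds to the situation reported in this bug: the process has dropped to an unprivileged user but no longer holds the capability needed to configure addresses and routes.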



Bug#976070: openvpn fails with iproute option

2020-11-29 Thread Glennie Vignarajah
Package: openvpn
Version: 2.5.0-1
Severity: important

Hello,
In order to use openvpn with non root privileges, iproute is needed as
stated in openvpn's howto document [1]. By default, iproute is disabled
on compile time and needs to be enabled with ``--enable-iproute2``.

Could you, please, rebuild the openvpn package with this option?

Many thanks and kind regards

1: https://community.openvpn.net/openvpn/wiki/HOWTO#UnprivilegedmodeLinuxonly




-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.9.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  iproute2   5.9.0-1
ii  libc6  2.31-4
ii  liblz4-1   1.9.2-2
ii  liblzo2-2  2.10-2
ii  libpam0g   1.3.1-5
ii  libpkcs11-helper1  1.26-1+b1
ii  libssl1.1  1.1.1h-1
ii  libsystemd0  246.6-2
ii  lsb-base   11.1.0

Versions of packages openvpn recommends:
ii  easy-rsa  3.0.6-1

Versions of packages openvpn suggests:
ii  openssl   1.1.1h-1
pn  openvpn-systemd-resolved  
pn  resolvconf

-- debconf information:
  openvpn/create_tun: false