Option persist-local-ip does not work

[mk3pq28]

Original topic with workaround can be found ​here.

System: Debian 11, OpenVpn? 2.5.1

Server configuration:

port 443
dev tun
proto tcp-server
ifconfig 10.3.4.1 10.3.4.2
secret /etc/openvpn/server-tcp/static.key
cipher AES-256-CBC
user openvpn
group openvpn
persist-local-ip
persist-key
persist-tun
status-version 1
mute 20
status /var/log/openvpn/openvpn-tcp-status.log 1
status-version 3
verb 3

Important lines:

• port 443 - privileged port must be used
• user openvpn; group openvpn - run as unprivileged user and group
• persist-local-ip - the option wich does not work

Steps to reproduce:

1. Run the server with configuration above
2. Send an unrecognized package to let SIGUSR1 be rised and initiate connection reset (nc localhost 443)
3. Verify privileges are dropped to openvpn:openvpn
4. Then get an error in logs when the server is trying to re-bind the socket: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
5. The server fails then.

The option persist-local-ip is expected to solve this by re-using previously allocated socket, but it does not.
(Similar options persist-key and persist-tun are explicitly mentioned in logs on reset, but not persist-local-ip)

Logs:

Apr 26 14:14:08 vps systemd[1]: Starting OpenVPN connection to server-tcp...
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Apr 26 14:14:08 vps systemd[1]: Started OpenVPN connection to server-tcp.
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: TUN/TAP device tun1 opened
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_mtu_set: mtu 1500 for tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_up: set tun1 up
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_add: 10.3.4.1 peer 10.3.4.2 dev tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCP connection established with [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
### Here openvpn waits for incomming connections ###

### Then I send bad package with nc localhost 443 ###
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: GID set to openvpn
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: UID set to openvpn
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: WARNING: Bad encapsulated packet length from peer (24947), which must be > 0 and <= 1565 -- please ensure that --tun-mtu or --link-mtu is equal on bot>
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Connection reset, restarting [0]
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Restart pause, 1 second(s)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Re-using pre-shared static key
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Preserving previous TUN/TAP instance: tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Exiting due to fatal error
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Closing TUN/TAP interface
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_del: 10.3.4.1 dev tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Linux can't del IP from iface tun1
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Main process exited, code=exited, status=1/FAILURE
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Failed with result 'exit-code'.
Apr 26 14:23:14 vps systemd[1]: openvpn@server-tcp.service: Scheduled restart job, restart counter is at 84.
Apr 26 14:23:14 vps systemd[1]: Stopped OpenVPN connection to server-tcp.

[Gert Döring]

---persist-local-ip does not what you think it does - what it does is

              Preserve initially resolved local IP address and port number
              across SIGUSR1 or --ping-restart restarts.

so this translates to "do not do another DNS lookup if --local is used with a hostname".

In other words, if you want to bind to a privileged port AND want to use p2p mode, then you can not use a non-root account today. This will change in 2.6, which brings options to keep linux network capabilities around, but not in 2.5 or earlier.