Opened 3 years ago
Closed 3 years ago
#1464 closed Bug / Defect (wontfix)
Option persist-local-ip does not work
| Reported by: | mk3pq28 | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Generic / unclassified | Version: | OpenVPN 2.5.1 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | persist-local-ip permission |
| Cc: | | | |
Description
Original topic with workaround can be found here.
System: Debian 11, OpenVPN 2.5.1
Server configuration:
```
port 443
dev tun
proto tcp-server
ifconfig 10.3.4.1 10.3.4.2
secret /etc/openvpn/server-tcp/static.key
cipher AES-256-CBC
user openvpn
group openvpn
persist-local-ip
persist-key
persist-tun
status-version 1
mute 20
status /var/log/openvpn/openvpn-tcp-status.log 1
status-version 3
verb 3
```
Important lines:
- port 443 - a privileged port must be used
- user openvpn; group openvpn - run as an unprivileged user and group
- persist-local-ip - the option which does not work
Steps to reproduce:
- Run the server with configuration above
- Send an unrecognized packet so that SIGUSR1 is raised and a connection reset is initiated (nc localhost 443)
- Verify that privileges are dropped to openvpn:openvpn
- Then get an error in the logs when the server tries to re-bind the socket: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
- The server then fails.
The option persist-local-ip is expected to solve this by re-using the previously allocated socket, but it does not.
(The similar options persist-key and persist-tun are explicitly mentioned in the logs on reset, but persist-local-ip is not.)
Logs:
```
Apr 26 14:14:08 vps systemd[1]: Starting OpenVPN connection to server-tcp...
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Apr 26 14:14:08 vps systemd[1]: Started OpenVPN connection to server-tcp.
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: TUN/TAP device tun1 opened
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_mtu_set: mtu 1500 for tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_up: set tun1 up
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_add: 10.3.4.1 peer 10.3.4.2 dev tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCP connection established with [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
### Here openvpn waits for incoming connections ###
### Then I send a bad packet with nc localhost 443 ###
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: GID set to openvpn
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: UID set to openvpn
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: WARNING: Bad encapsulated packet length from peer (24947), which must be > 0 and <= 1565 -- please ensure that --tun-mtu or --link-mtu is equal on bot>
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Connection reset, restarting [0]
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Restart pause, 1 second(s)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Re-using pre-shared static key
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Preserving previous TUN/TAP instance: tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Exiting due to fatal error
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Closing TUN/TAP interface
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_del: 10.3.4.1 dev tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Linux can't del IP from iface tun1
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Main process exited, code=exited, status=1/FAILURE
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Failed with result 'exit-code'.
Apr 26 14:23:14 vps systemd[1]: openvpn@server-tcp.service: Scheduled restart job, restart counter is at 84.
Apr 26 14:23:14 vps systemd[1]: Stopped OpenVPN connection to server-tcp.
```
Change History (2)
comment:1 Changed 3 years ago by

| Priority: | minor → major |
|---|---|

comment:2 Changed 3 years ago by

| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
--persist-local-ip does not do what you think it does. What it does translates to "do not do another DNS lookup if --local is used with a hostname". In other words, if you want to bind to a privileged port AND want to use p2p mode, then you cannot use a non-root account today. This will change in 2.6, which brings options to keep Linux network capabilities around, but not in 2.5 or earlier.
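As an added example (not part of the ticket and not OpenVPN's own code), a small Python triage function that scans journal output for the failure pattern this ticket and the comment above describe: a bind to a port below 1024 that fails with errno 13 after OpenVPN has logged "UID set to", typically following a SIGUSR1 restart. The sample log lines are constructed, modelled on the excerpt in the description.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the ticket's journal excerpt (not the original log).
SAMPLE_LOG = """\
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: GID set to openvpn
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: UID set to openvpn
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Preserving previous TUN/TAP instance: tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Exiting due to fatal error
"""

UID_DROP = re.compile(r"\bUID set to (\S+)")
RESTART = re.compile(r"SIGUSR1\[[^\]]*\] received, process restarting")
BIND_FAIL = re.compile(
    r"Socket bind failed on local address \[AF_INET6?\]\S*:(\d+): Permission denied \(errno=13\)"
)


@dataclass
class Finding:
    port: int            # privileged port the re-bind was attempted on
    user: str            # unprivileged user OpenVPN had already switched to
    after_restart: bool  # whether a SIGUSR1 restart preceded the failure


def diagnose_rebind_failure(log_text: str) -> Optional[Finding]:
    """Flag the ticket's failure mode: EACCES on a bind to a port < 1024 that
    happens after OpenVPN logged 'UID set to <user>'. Returns None otherwise."""
    user: Optional[str] = None
    restarted = False
    for line in log_text.splitlines():
        if m := UID_DROP.search(line):
            user = m.group(1)
        elif RESTART.search(line):
            restarted = True
        elif m := BIND_FAIL.search(line):
            port = int(m.group(1))
            if user is not None and port < 1024:
                return Finding(port=port, user=user, after_restart=restarted)
    return None


if __name__ == "__main__":
    f = diagnose_rebind_failure(SAMPLE_LOG)
    if f:
        print(f"re-bind to privileged port {f.port} failed after dropping to uid '{f.user}' "
              f"(after restart: {f.after_restart}); persist-local-ip only skips DNS re-resolution")
```

A hit means the config combines a privileged port, user/group privilege dropping and a p2p (non-server) mode, which on 2.5 cannot survive a restart; the options are to use an unprivileged port, keep root, or move to a 2.6 release with capability retention.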