Opened 6 years ago

Closed 22 months ago

#918 closed Bug / Defect (fixed)

openvpn-server@ systemd unit has insufficient capabilities

Reported by: jdh28 Owned by: David Sommerseth
Priority: major Milestone: release 2.4.7
Component: Installation Version: OpenVPN 2.4.0 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: systemd


The openvpn-server@ systemd unit has a CapabilityBoundingSet? line in it. On Debian 9 (stretch) this is insufficient and the service cannot accept connections when using the auth-pam plugin.

The CAP_AUDIT_WRITE capability needs to be added.

Change History (10)

comment:1 Changed 6 years ago by tct


comment:2 Changed 6 years ago by jdh28

The Debian unit also has CAP_DAC_READ_SEARCH, but I did not need that for it to work.

The related Debian bugs are: and

comment:3 Changed 6 years ago by David Sommerseth

Component: PackagingInstallation
Keywords: systemd added
Milestone: release 2.4.4
Owner: set to David Sommerseth
Status: newaccepted

I have not dug into the core details yet, but that auth-pam and the PAM infrastructure requires additional privileges for writing audit information is quite likely. This is now on my todo-list and will submit patches to the ML asap.

comment:4 Changed 5 years ago by mazzanet

Can we consider adding CAP_KILL to the list as well?

Example use case is a kill -HUP to dnsmasq in a learn-address script which is now denied.

comment:5 Changed 4 years ago by paelzer

sorry that I need to revive this old ticket, but I really think the CapabilityBoundingSet? of today is too narrow and breaks some sue cases.

In addition there is quite some confusion going on due a desynced upstream repository ( vs upstream .deb file (

Let me first shed a bit of history on this (as I reconstructed it over the last few days):

  1. Jan 2016 Debian/Ubuntu? added CAP_AUDIT_WRITE as it is needed for e.g. pam


  1. May 2016 sbuild_wrapper building your upstream .deb package copied from Xenial


It still has that content this way


  1. Janary 2017 Upsteam adds systemd service files

Those are NOT based on the same that systemd_wrapper contains all the time

  1. June 2017 Debian/Ubuntu? tries to follow upstream guidance and adapts service file to be closer to what is upstream


  1. June 2017 Debian bug report finds AUDIT_WRITE is needed

From the discussion there this bug report here is opened

  1. August 2018 Ubuntu bug report on the same topic (we didn't know initially, but it turned out to be the same)

After wondering why some issues occur with the Ubuntu version, but not with the.deb from OpenVpn? we (again) found this is CAP_AUDIT_WRITE

After that let me also please summarize what should be done IMHO:

  1. please someone take a look and ack to the sugegsted changes to add CAP_AUDIT_WRITE and CAP_KILL to the "official" file at

  1. someone also should adapt the sbuild_wrapper to use what the main repo provides as service files to eliminate this gap


  1. once agreed that this is the right thing to do Debian and Ubuntu can adapt the .service file delivered by them to match

I'd hope that this ends up with upstream-openvpn, openvpn .deb file, Ubuntu/Debian? .deb files all having the same content.

comment:7 Changed 4 years ago by eworm

Citing myself from the mailing list:

I do not like services being allowed to send signals to other processes. As
dnsmasq supports a dbus interface... How about using that? For example to
clear the dns cache of an instance started from Networkmanager:

dbus-send --system --print-reply \
--dest=org.freedesktop.NetworkManager?.dnsmasq /uk/org/thekelleys/dnsmasq \

comment:8 Changed 4 years ago by paelzer

I don't mind the KILL signal so much we can keep that off for another discussion.
I like the suggestion if the dbus signal, clearly worth a try for those with a matching setup.

What this bug was originally about and would have to be cleared soon is the AUDIT_WRITE.

Replying on the List as well as needed ...

comment:9 Changed 4 years ago by paelzer

FYI - there is an ack now on the patch Mail thread - thanks David!
And shortly after a commit:

commit a564781cfd9912d0f755394d1fa610706d93e707 (master)
commit 7cc372c7f6b4dcc20533433a20dfd5a95f117146 (release/2.4)
Author: Christian Ehrhardt
Date: Wed Aug 29 16:27:14 2018 +0200

systemd: extend CapabilityBoundingSet? for auth_pam

Thanks everybody!

This bug can go to fixed once you released the next minor version I think?

comment:10 Changed 22 months ago by Gert Döring

Milestone: release 2.4.4release 2.4.7
Resolution: fixed
Status: acceptedclosed

Since the ticket said "this can go into fixed", I'll do that now. It went into v2.4.7.

Note: See TracTickets for help on using tickets.