NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

openvpn nixos module can't reconnect or disconnect on failure #233662

Open Thra11 opened 1 year ago

Thra11 commented 1 year ago

Describe the bug

When using the openvpn nixos module, with updateResolvConf = true;, it is possible to get into a state where

  1. The openvpn connection has failed (openvpn server down, transient network connectivity issue, etc.)
  2. The systemd openvpn-<name>.service is still "active"
  3. /etc/resolv.conf still contains the nameservers to use when connected to the VPN.

In this state, the network cannot connect to the nameservers in resolv.conf, because they aren't accessible unless connected to the VPN. openvpn can't renegotiate the VPN connection, because it can't resolve the address of the server.

Manually editing /etc/resolv.conf to add a public nameserver above the VPN ones allows it to break out of the loop and disconnect or reconnect to the VPN.

Not sure if this is a nixos problem or an upstream issue. Openvpn doesn't appear to integrate very well with systemd (for example, the service will show as successfully started before it actually completes the initialisation sequence), so not sure how easily solvable this will be.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Have access to an openvpn server, either one you're running or someone else's.
  2. Configure an openvpn client using the nixos module, including setting updateResolvConf = true, and run nixos-rebuild switch.
  3. Connect to the vpn by running systemctl start openvpn-<name>.service
  4. Cause the connection to fail in some way (e.g. stop the openvpn server, or disconnect the network for longer than the vpn connection can tolerate)
  5. Run systemctl stop openvpn-<name>.service
  6. Look at the status with systemctl status openvpn-<name>.service or journalctl. You will see a number of errors, "RESOLVE: Cannot resolve host address", and the openvpn service has not stopped, and hasn't run the down script to update resolv.conf.

Expected behaviour

openvpn-<name>.service enters some sort of failed state. I'm not sure that it should immediately update resolv.conf, since silently turning off the VPN and sending info to nameservers outside the VPN is probably a security issue. However, it should be possible for the user to stop or restart the openvpn service without manually editing resolv.conf.

Notify maintainers

@MarcWeber @bennofs

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.19-rt8, NixOS, 23.05 (Stoat), 23.05.20230520.3005f20`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.3`
 - nixpkgs: `/home/nixpkgs`

gbtb commented 1 year ago

Hi. How about the --ping-restart n option? From the description it seems that using this you can force a restart of the openvpn process, which should trigger the up and down scripts dealing with resolv.conf.
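For reference, here is what the suggestion above looks like in a NixOS client configuration. This is an added example, not code from the issue or from the nixpkgs openvpn module; the server name `work`, the remote `vpn.example.com`, and the certificate paths are assumptions. It keeps `updateResolvConf = true` from the report, adds the `ping`/`ping-restart` pair so a dead peer forces a tunnel restart (which runs the down and up scripts), and bounds `resolv-retry` so the client stops retrying name resolution instead of looping on "RESOLVE: Cannot resolve host address" with VPN-only nameservers in /etc/resolv.conf. Whether a bounded `resolv-retry` is enough for `systemctl stop` to terminate the process promptly in the state described in the report is an assumption that should be checked with steps 4 to 6 above.

```nix
# Added example (not from the issue or the nixpkgs module): an openvpn client
# for the scenario in the report. "work", vpn.example.com and the paths under
# /etc/openvpn/work are assumptions.
{ config, pkgs, ... }:

{
  services.openvpn.servers.work = {
    # Start by hand with: systemctl start openvpn-work.service
    autoStart = false;

    # The setting from the report: push the VPN nameservers into
    # /etc/resolv.conf on up and restore the previous ones on down.
    updateResolvConf = true;

    config = ''
      client
      dev tun
      proto udp
      remote vpn.example.com 1194
      ca   /etc/openvpn/work/ca.crt
      cert /etc/openvpn/work/client.crt
      key  /etc/openvpn/work/client.key

      # Dead-peer detection, as suggested in the comment above: send a ping
      # every 10 s and, if nothing is heard from the server for 60 s, restart
      # the tunnel (SIGUSR1). The restart runs the down script, then the up
      # script again once reconnected. "keepalive 10 60" is the one-line
      # equivalent on a client.
      ping 10
      ping-restart 60

      # Do NOT add "persist-tun" here: it keeps the tun device open across
      # ping-restart restarts and skips the up/down scripts, so resolv.conf
      # would not be touched on restart.

      # Bound name resolution instead of the default "resolv-retry infinite".
      # If the remote cannot be resolved for 60 s (for example because
      # resolv.conf still lists nameservers that are only reachable inside
      # the VPN), OpenVPN gives up rather than looping on
      # "RESOLVE: Cannot resolve host address".
      resolv-retry 60
    '';
  };
}
```

After `nixos-rebuild switch`, the state from the report can be checked with `systemctl status openvpn-work.service` and `journalctl -u openvpn-work.service`: a restart should show the down script running before the reconnect attempts, and a resolve failure should end after roughly 60 s instead of repeating indefinitely. Note the trade-off the reporter raises: once the down script restores the pre-VPN resolvers, DNS queries leave the host outside the tunnel, so a client that must never resolve names in the clear should pair this with a firewall rule rather than rely on the down script alone.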