OpenVPN / openvpn

OpenVPN is an open source VPN daemon
http://openvpn.net

DCO does not work with Ubuntu SystemD unit, if user is set #486

Open bjoernv opened 5 months ago

bjoernv commented 5 months ago

Describe the bug

If DCO is set up correctly, openvpn uses DCO if it is started manually. See logs:

    DCO device tun0 opened

But if openvpn is started with the systemd unit openvpn@.service and a user is set, DCO is disabled. See logs:

    TUN/TAP device tun1 opened

Version information (please complete the following information):

This is caused by a missing capability in the systemd unit file /etc/systemd/system/openvpn@.service.

    [Service]
    ...
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

The missing capability is CAP_SETPCAP.

The work-around is to create /etc/systemd/system/openvpn@.service.d/override.conf with this content:

    [Service]
    CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

From the configuration file:

    user openvpn
    group openvpn

See openvpn-2.6.8/src/openvpn/dco.c:

        if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
        {
            msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
                "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
            return false;
        }
        if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
        {
            msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
                "Disabling data channel offload");
            return false;
        }
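As an added check (not OpenVPN's code and not part of the issue author's report), the script below decodes the CapabilityBoundingSet= line of a unit or drop-in and the CapPrm/CapEff fields of /proc/<pid>/status into bitmasks, then replays the two conditions quoted from dco.c, so an operator can confirm from the running service whether the CAP_SETPCAP bit is really present. The capability bit numbers come from linux/capability.h; the unit text and the /proc status excerpt are constructed samples; the "~" (everything except) form of CapabilityBoundingSet= is deliberately not handled.

```python
"""Added example, not OpenVPN's code: decode capability sets and replay the
two dco.c checks so the CAP_SETPCAP gap in the unit can be verified."""
import re

# Capability bit numbers from linux/capability.h (only those used in the unit).
CAPS = {
    "CAP_DAC_OVERRIDE": 1, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_IPC_LOCK": 14, "CAP_SYS_CHROOT": 18, "CAP_AUDIT_WRITE": 29,
}

# Constructed samples: the bounding set from the distribution unit quoted in
# the issue, and the drop-in that adds CAP_SETPCAP.
ORIGINAL_UNIT = """[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
"""
OVERRIDE_UNIT = """[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
"""
# Constructed /proc/<pid>/status excerpt for a service started as root under
# the original unit (assumption: for root, permitted and effective equal the
# bounding set, so the bits are the original unit's mask).
SAMPLE_PROC_STATUS = """Name:\topenvpn
CapInh:\t0000000000000000
CapPrm:\t00000000200474c2
CapEff:\t00000000200474c2
CapBnd:\t00000000200474c2
"""


def bounding_set_mask(unit_text):
    """Bitmask granted by CapabilityBoundingSet= in a unit or drop-in.

    systemd ORs repeated assignments together and an empty assignment resets
    the set. The '~' (everything except) form is not handled here.
    Returns None if the unit does not set a bounding set at all.
    """
    mask = None
    for line in unit_text.splitlines():
        m = re.match(r"\s*CapabilityBoundingSet=(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if value == "":
            mask = 0
            continue
        if value.startswith("~"):
            raise ValueError("inverted CapabilityBoundingSet= not supported")
        bits = 0
        for name in value.split():
            bits |= 1 << CAPS[name]
        mask = bits if mask is None else mask | bits
    return mask


def parse_proc_status_caps(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} from /proc/<pid>/status text."""
    caps = {}
    for line in status_text.splitlines():
        m = re.match(r"(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def dco_allowed_with_user(permitted, effective):
    """Replay the two checks quoted from dco.c for the --user case.

    Returns (True, None) when DCO stays enabled, else (False, reason) with
    the same reason the daemon logs.
    """
    if not effective & (1 << CAPS["CAP_SETPCAP"]):
        return False, "--user specified but lacking CAP_SETPCAP"
    if not permitted & (1 << CAPS["CAP_NET_ADMIN"]):
        return False, "--user specified but not permitted to retain CAP_NET_ADMIN"
    return True, None


def missing_caps(mask, wanted):
    """Names from `wanted` whose bit is absent from `mask`."""
    return [c for c in wanted if not mask & (1 << CAPS[c])]


if __name__ == "__main__":
    for label, unit in (("original", ORIGINAL_UNIT), ("override", OVERRIDE_UNIT)):
        mask = bounding_set_mask(unit)
        print(f"{label}: bounding set 0x{mask:x}, missing "
              f"{missing_caps(mask, ['CAP_SETPCAP', 'CAP_NET_ADMIN'])}")
    caps = parse_proc_status_caps(SAMPLE_PROC_STATUS)
    print("running service:", dco_allowed_with_user(caps["CapPrm"], caps["CapEff"]))
```

On a live host the same decoding can be run against the real service by reading /proc/$(systemctl show -p MainPID --value openvpn@server)/status before the daemon has switched to the openvpn user; the two "missing" lists show at a glance that the distribution unit lacks only bit 8 (CAP_SETPCAP) and that the drop-in restores it.
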

ordex commented 2 months ago

@dsommers you have more experience on this part. Do you agree with the proposed solution?