Open bjoernv opened 5 months ago
Describe the bug
If DCO is set up correctly, openvpn uses DCO if it is started manually. See logs:
```
DCO device tun0 opened
```
But if openvpn is started with the systemd unit openvpn@.service and a user is set, DCO is disabled. See logs:
```
TUN/TAP device tun1 opened
```
Version information (please complete the following information):
This is caused by a missing capability in the systemd unit file /etc/systemd/system/openvpn@.service.
```ini
[Service]
...
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
```
The missing capability is CAP_SETPCAP.
The work-around is to create /etc/systemd/system/openvpn@.service.d/override.conf with this content:
```ini
[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
```
From the configuration file:
```
user openvpn
group openvpn
```
See openvpn-2.6.8/src/openvpn/dco.c:
```c
if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
{
    msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
        "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
    return false;
}
if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
{
    msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
        "Disabling data channel offload");
    return false;
}
```
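As an added example (not OpenVPN's or systemd's own code), the following script applies the dco.c decision quoted above to a unit file, its drop-ins and the OpenVPN config, so an operator can check offline whether a given CapabilityBoundingSet will make OpenVPN fall back from DCO when `user` is set. The unit, override and config texts are constructed samples mirroring this report; the `~` inverted form of CapabilityBoundingSet is deliberately not modelled.

```python
"""Decide from unit/drop-in text and the OpenVPN config whether dco.c's
--user checks would disable DCO. Added example, not OpenVPN/systemd code."""

# dco.c: with --user set, CAP_SETPCAP is needed to retain CAP_NET_ADMIN
# across the uid change, and CAP_NET_ADMIN must itself be permitted.
DCO_USER_CAPS = ("CAP_SETPCAP", "CAP_NET_ADMIN")


def bounding_set(*unit_texts):
    """Merge [Service] CapabilityBoundingSet= lines across a unit and its
    drop-ins: systemd ORs repeated assignments and resets on an empty value.
    Returns None when no bounding set is configured (root keeps all caps).
    The inverted '~' form is not modelled and raises ValueError."""
    caps = None
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("["):
                section = line.lower()
                continue
            key, sep, value = line.partition("=")
            if section != "[service]" or not sep or key.strip() != "CapabilityBoundingSet":
                continue
            value = value.strip()
            if value.startswith("~"):
                raise ValueError("inverted CapabilityBoundingSet= not modelled")
            caps = set() if value == "" else (caps or set()) | set(value.split())
    return caps


def dco_status(openvpn_config, *unit_texts):
    """Return (dco_enabled, missing_caps) following the dco.c decision."""
    drops_privs = any(l.split()[:1] == ["user"] for l in openvpn_config.splitlines())
    caps = bounding_set(*unit_texts)
    if not drops_privs or caps is None:
        return True, set()  # no uid change, or no bounding set restricting root
    missing = {c for c in DCO_USER_CAPS if c not in caps}
    return not missing, missing


# Constructed samples: the shipped unit, the drop-in fix and the config.
UNIT_FILE = "[Service]\nCapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\n"
OVERRIDE = "[Service]\nCapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\n"
OVPN_CONFIG = "dev tun\nuser openvpn\ngroup openvpn\n"

if __name__ == "__main__":
    print(dco_status(OVPN_CONFIG, UNIT_FILE))            # (False, {'CAP_SETPCAP'})
    print(dco_status(OVPN_CONFIG, UNIT_FILE, OVERRIDE))  # (True, set())
```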
@dsommers you have more experience on this part. Do you agree with the proposed solution?