dndx / phantun

Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs.
Apache License 2.0
1.58k stars 128 forks

0.6 crashes, but 0.5 works with the same config. #125

Closed Jimmy-Z closed 11 months ago

Jimmy-Z commented 1 year ago

The gnu build and musl build experienced different errors:

gnu:

Jul 22 22:05:42 Zeta systemd[1]: Starting phantun@rn1-wg.service...
Jul 22 22:05:42 Zeta systemd[1]: phantun@rn1-wg.service: Main process exited, code=exited, status=203/EXEC
Jul 22 22:05:42 Zeta systemd[1]: phantun@rn1-wg.service: Failed with result 'exit-code'.
Jul 22 22:05:42 Zeta systemd[1]: Failed to start phantun@rn1-wg.service.
Jul 22 22:05:42 Zeta systemd[1]: phantun@rn1-wg.service: Scheduled restart job, restart counter is at 1.
Jul 22 22:05:42 Zeta systemd[1]: Stopped phantun@rn1-wg.service.

musl:

Jul 22 22:07:43 Zeta systemd[1]: Starting phantun@rn1-wg.service...
Jul 22 22:07:43 Zeta systemd[1]: Started phantun@rn1-wg.service.
Jul 22 22:07:43 Zeta phantun_client[503940]:  INFO  client > Remote address is: <-snip->:80
Jul 22 22:07:43 Zeta phantun_client[503940]:  INFO  client > 2 cores available
Jul 22 22:07:43 Zeta phantun_client[503940]: thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: EPERM', phantun/src/bin/client.rs:162:10
Jul 22 22:07:43 Zeta phantun_client[503940]: note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Jul 22 22:07:43 Zeta systemd[1]: phantun@rn1-wg.service: Main process exited, code=exited, status=101/n/a
Jul 22 22:07:43 Zeta systemd[1]: phantun@rn1-wg.service: Failed with result 'exit-code'.
Jul 22 22:07:43 Zeta systemd[1]: phantun@rn1-wg.service: Scheduled restart job, restart counter is at 1.
Jul 22 22:07:43 Zeta systemd[1]: Stopped phantun@rn1-wg.service.

It works if reverted to 0.5.0; everything else is the same. My systemd unit file runs phantun in a chroot jail, if that matters:

# cat /etc/systemd/system/phantun\@.service
[Unit]
After=network.target

[Service]
Type=exec
EnvironmentFile=/etc/phantun/%i.env
ExecStart=/bin/phantun_client -l $LISTEN -r $REMOTE -4 --tun $TUN --tun-local $TUN_LOCAL --tun-peer $TUN_PEER --handshake-packet /etc/fake-req.txt
RootDirectory=/jails/phantun
Restart=always
User=nobody
Group=nogroup
# DynamicUser=yes
CapabilityBoundingSet=CAP_NET_ADMIN

[Install]
WantedBy=multi-user.target

dndx commented 12 months ago

There is no change between 0.5 and 0.6 in the handling of TUN files; the capability is probably not set correctly, or you had CAP_NET_ADMIN set on the 0.5 binary but not on 0.6. Check it with getcap to confirm.

Jimmy-Z commented 11 months ago

Sorry for the delay.

Yes I did forget setcap on the 0.6 binary.

So I fixed it:

# getcap /jails/phantun/bin/*
/jails/phantun/bin/phantun_client_v0.2.5 cap_net_admin=ep
/jails/phantun/bin/phantun_client_v0.5.0 cap_net_admin=ep
/jails/phantun/bin/phantun_client_v0.6.0-gnu cap_net_admin=ep
/jails/phantun/bin/phantun_client_v0.6.0-musl cap_net_admin=ep

The gnu binary still doesn't work after changing this. But it works if not running in a chroot jail (remove RootDirectory= from the service file).

The musl binary now works fine in the chroot jail.

And it looks like the 0.5.0 binary I was using is the musl build, so it's likely the gnu variant never worked in the chroot.

Sorry for misleading you, and thanks for your time.
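The two failures in this thread are different. systemd's status=203/EXEC means exec() of the binary itself failed, before phantun ran at all, which is what happens under RootDirectory= when a dynamically linked (glibc) binary cannot find its loader and libc inside the jail; the musl build is statically linked, so it starts, prints its INFO lines, and then dies with status 101 (a Rust panic) on EPERM when it tries to create the TUN device without CAP_NET_ADMIN. The script below is an added example, not code from the phantun project or from either participant: it checks both conditions for a binary placed under a jail root. The jail root and binary path mirror the issue's unit file; `missing_in_root`, `has_net_admin` and `check_jailed_binary` are names chosen here, and the ldd-style sample lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not part of phantun or this issue): pre-flight checks for a
# binary that systemd will run under RootDirectory= as an unprivileged user.
#   1. Every shared object the dynamic loader needs must exist inside the jail
#      root, otherwise exec() fails and systemd reports status=203/EXEC.
#   2. The file capability that stands in for root must be set, otherwise a
#      TUN-creating program gets EPERM at runtime (phantun exits with status 101).
# Function names are this example's own; jail paths follow the issue's unit file.

# Read ldd(1)-style lines on stdin and print every library path that does not
# exist under $1 (the jail root). Lines without a path (vdso, "statically
# linked", "not a dynamic executable") are skipped.
missing_in_root() {
    root=$1
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}        # strip leading tab/spaces
        case $line in
            *'=> '/*) lib=${line#*=> }; lib=${lib%% (*} ;;   # "libc.so.6 => /lib/... (0x...)"
            /*)       lib=${line%% (*} ;;                    # "/lib64/ld-linux-x86-64.so.2 (0x...)"
            *)        continue ;;
        esac
        [ -e "$root/$lib" ] || printf '%s\n' "$lib"
    done
}

# Return 0 if getcap(8) shows cap_net_admin in the file's effective set
# (e.g. "cap_net_admin=ep"); 1 if getcap is unavailable or the cap is absent.
has_net_admin() {
    command -v getcap >/dev/null 2>&1 || return 1
    getcap "$1" 2>/dev/null | grep -q 'cap_net_admin[^=]*=[eip]*e'
}

# $1 = jail root (e.g. /jails/phantun), $2 = binary path inside the jail
# (e.g. /bin/phantun_client). Prints findings; returns 0 only when both checks pass.
check_jailed_binary() {
    root=$1; bin=$2; rc=0
    missing=$(ldd "$root$bin" 2>/dev/null | missing_in_root "$root")
    if [ -n "$missing" ]; then
        printf 'missing under %s (exec would fail, systemd status=203/EXEC):\n%s\n' "$root" "$missing"
        rc=1
    fi
    if ! has_net_admin "$root$bin"; then
        printf '%s lacks cap_net_admin=ep (TUN creation would fail with EPERM for a non-root user)\n' "$root$bin"
        rc=1
    fi
    return $rc
}

# Usage: ./check_jail.sh /jails/phantun /bin/phantun_client
if [ "$#" -ge 2 ]; then
    check_jailed_binary "$1" "$2"
fi
```

A static musl build produces no library lines from ldd, so only the capability check applies to it; for the glibc build, every path the first check prints must be copied into the jail (the loader line is the one most often forgotten). Remember that file capabilities live in the binary's extended attributes, so a freshly copied 0.6 binary starts without them, which is exactly what happened here.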