schwabe / ics-openvpn

OpenVPN for Android

remap-usr1 SIGHUP broken after 0.7.33 #1491

Closed johnassel closed 2 years ago

johnassel commented 2 years ago

To make issues more manageable, I would appreciate it if you fill out the following details as applicable:

General information

  1. Android Version: 12
  2. Android Vendor/Custom ROM: LineageOS 19.1
  3. Device: Pixel 4a
  4. Version of the app (version number/play store version/self-built): 0.7.34 and up

Description of the issue

Because of dynamic IPs of the endpoint, I am using the OpenVPN parameter remap-usr1 SIGHUP in the advanced config so that the config is re-read and reset when the connection drops because of the renewal of the endpoint's IP. That way the DNS name is re-resolved and the new IP address is used. The last version which worked as expected was 0.7.33.

In every build after that (0.7.34 and up), the reconnect quits with "Options error: You must define TUN/TAP device (--dev)" and stops completely. The connection has to be re-established manually.

Log (if applicable)

2022-05-29 08:00:06 TCP/UDP: Closing socket
2022-05-29 08:00:06 Closing TUN/TAP interface
2022-05-29 08:00:06 SIGHUP[soft,ping-restart] received, process restarting
2022-05-29 08:00:06 MANAGEMENT: >STATE:1653804006,RECONNECTING,ping-restart,,,,,
2022-05-29 08:00:06 Options error: You must define TUN/TAP device (--dev)
2022-05-29 08:00:07 Use --help for more information.
2022-05-29 08:00:07 Process exited with exit value 1

Configuration file

# Config for OpenVPN 2.x
# Enables connection to GUI
management /data/user/0/de.blinkt.openvpn/cache/mgmtsocket unix
management-client
management-query-passwords
management-hold

setenv IV_GUI_VER "de.blinkt.openvpn 0.7.33" 
setenv IV_SSO openurl,webauth,crtext
setenv IV_PLAT_VER "32 12 arm64-v8a google sunfish Pixel 4a"
tls-cert-profile legacy
machine-readable-output
allow-recursive-routing
ifconfig-nowarn
client
verb 4
connect-retry 2 300
resolv-retry 60
dev tun
remote xyz 443 tcp-client
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

</ca>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

</cert>
route 0.0.0.0 0.0.0.0 vpn_gateway
nobind
verify-x509-name xyz.de name
auth sha512
float
persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve
# Use system proxy setting
management-query-proxy
# Custom configuration options
# You are on your on own here :)
resolv-retry infinite
remap-usr1 SIGHUP
ping 15
ping-restart 300 # 5 minutes
resolv-retry 300 # 5 minutes
key-direction 1
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>

schwabe commented 2 years ago

This change is kind of intentional. The security audit sponsored by Google complained about the config file being on the file system, so it is now fed to standard in. But you should just disable persist-tun instead:

persist-tun
# persist-tun also enables pre resolving to avoid DNS resolve problem
preresolve

Your remap-usr1 SIGHUP effectively disables that anyway.
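As an added example that is not code from ics-openvpn or from either poster: a small Python lint for the profile format shown above. It skips the bodies of inline blocks such as <ca>...</ca>, flags the lines this thread turns on (remap-usr1 SIGHUP, and the persist-tun/preresolve pair whose removal is suggested above) plus any option set more than once, and returns the profile with the flagged lines removed. The sample profile is constructed from the posted one with keys omitted and a placeholder hostname; the advice strings are my wording of the thread's reasoning.

```python
import re
from collections import Counter

FLAGGED = {  # option prefix -> why it defeats "re-resolve the remote after a drop" on ics-openvpn >= 0.7.34
    ("remap-usr1", "SIGHUP"): "SIGHUP re-reads the config file, which the app (>= 0.7.34) no longer leaves on disk; the restart dies with 'You must define TUN/TAP device (--dev)'",
    ("persist-tun",): "the app pairs this with preresolve, so ping-restart reuses the address resolved at startup; drop it so the remote is re-resolved (the fix suggested in the thread)",
    ("preresolve",): "only meaningful together with persist-tun; remove it with persist-tun",
}
REPEATABLE = {"remote", "route", "setenv", "push", "pull-filter"}  # legitimately appear more than once

def parse_options(text):
    # Yield (lineno, tokens) for option lines, skipping comments, blank lines and inline <ca>...</ca> bodies.
    inline = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # cut trailing "# 5 minutes" style comments
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            inline = None if tag.group(1) else tag.group(2)
        elif line and inline is None:
            yield n, line.split()

def lint(text):
    # Return (findings, cleaned): [(lineno, option, advice)] in line order, and the profile minus FLAGGED lines.
    opts = list(parse_options(text))
    dups = {o for o, c in Counter(t[0] for _, t in opts).items()
            if c > 1 and o not in REPEATABLE}
    findings, drop = [], set()
    for n, toks in opts:
        for key, advice in FLAGGED.items():
            if tuple(toks[:len(key)]) == key:
                findings.append((n, " ".join(key), advice))
                drop.add(n)
        if toks[0] in dups:
            findings.append((n, toks[0], "set more than once; keep one value"))
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in drop]
    return findings, "\n".join(kept) + "\n"

# Constructed sample: the posted profile trimmed, keys omitted, placeholder hostname.
SAMPLE = """dev tun
remote vpn.example.invalid 443 tcp-client
<ca>
-----BEGIN CERTIFICATE-----
</ca>
persist-tun
preresolve
resolv-retry infinite
remap-usr1 SIGHUP
resolv-retry 300 # 5 minutes
"""
```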