Hi,

On Thu, Mar 31, 2022 at 12:06:06PM +0200, David Sommerseth wrote:
> There is however another related challenge in OpenVPN 2.x, which became
> even clearer than before with the sitnl implementation we switched over
> to on Linux by default with v2.5. When using --user/--group without
> --persist-tun, a reconnect would tear down the interface but could not
> recover again and the connection dies. Using --persist-tun, it could
> work a bit better *unless* it needs to change the IP address of the tun
> interface. I'm not sure how well OpenVPN 2.x works if new routes are
> being pushed (OpenVPN 3 supports that as well). This challenge is also
> resolved by granting the process CAP_NET_ADMIN capabilities.

For most non-trivial stuff, OpenVPN with --user will run into problems,
be it route teardown, installing of new routes at renegotiation time, ...
So most people today just run 2.x as root, not getting any security
benefits.

> For now, my opinion is that it is currently acceptable to have
> CAP_NET_ADMIN available when running with ovpn-dco; to have a smooth
> user experience. OpenVPN is after all a network related process.

I'd even go for "keep CAP_NET_ADMIN for DCO and sitnl" - because it means
"all the route/interface manipulation *and cleanup* stuff can be done
properly, without having to carry root privileges".

> As a way forward after this, the aspect of how much to trust,
> capabilities and privileges you put into a single process needs to be
> better defined. OpenVPN 2.x has a monolithic design, and the
> architecture of privilege separation is lacking at best.

You might be surprised at what we have in 2.x :-) - with the service
pipe, we can run OpenVPN fully unprivileged, and do so on Windows. We
just never had anyone bother to implement a backend for this for "Unixy"
platforms...

The benefit of that, security-wise, wouldn't be very large anyway,
compared to "CAP_NET_ADMIN + --user nobody" - the service is still able
to mess up routing and interface config, and that's about what
privileges remain in that combo... - so, dubious benefits, lots of work.

gert
--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
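The thread above turns on the difference between three states of an OpenVPN process: still root, non-root but holding CAP_NET_ADMIN ("CAP_NET_ADMIN + --user nobody"), and fully unprivileged. The script below is an added example, not code from the thread or from the OpenVPN project: it decodes the CapEff mask that the kernel exposes in /proc/PID/status and classifies a process into one of those states, so you can check on a running system whether --user/--group actually left the capability behind. The capability bit numbers come from linux/capability.h; the PID handling and the output labels (root, nonroot-net_admin, nonroot-but-sys_admin, unprivileged) are this example's own, and the masks in the usage note are constructed, not captured from a real openvpn process.

```shell
#!/bin/sh
# Added example: decode a process's effective capability mask and report
# whether it is root, non-root with CAP_NET_ADMIN, or unprivileged.
# Not part of OpenVPN; works against any Linux PID via /proc/PID/status.

# Capability numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# has_cap MASK_HEX CAPNUM
#   Exit 0 if bit CAPNUM is set in the 64-bit hex mask (as printed by
#   CapEff:/CapPrm:/CapAmb: in /proc/PID/status).  The mask is split into
#   two 32-bit halves so the arithmetic stays portable across sh variants.
has_cap() {
    mask=$1
    capnum=$2
    # Left-pad to 16 hex digits; /proc prints the mask without a 0x prefix.
    while [ ${#mask} -lt 16 ]; do mask=0$mask; done
    if [ "$capnum" -ge 32 ]; then
        word=${mask%????????}        # high 8 hex digits
        bit=$((capnum - 32))
    else
        word=${mask#????????}        # low 8 hex digits
        bit=$capnum
    fi
    [ $(( (0x$word >> bit) & 1 )) -eq 1 ]
}

# classify_caps UID CAPEFF_HEX
#   Print one label describing the privilege state.  The ordering matters:
#   uid 0 is checked first because a root process with an empty CapEff is
#   still root (the capability checks only bite for non-zero uids), and
#   CAP_SYS_ADMIN is checked before CAP_NET_ADMIN because it dominates it.
classify_caps() {
    uid=$1
    eff=$2
    if [ "$uid" -eq 0 ]; then
        echo root
    elif has_cap "$eff" "$CAP_SYS_ADMIN"; then
        echo nonroot-but-sys_admin
    elif has_cap "$eff" "$CAP_NET_ADMIN"; then
        echo nonroot-net_admin
    else
        echo unprivileged
    fi
}

# proc_field PID FIELD COLUMN
#   Pull one value out of /proc/PID/status, e.g. "Uid" column 3 is the
#   effective uid (real, effective, saved, fs), "CapEff" column 2 the mask.
proc_field() {
    awk -v f="^$2:" -v c="$3" '$0 ~ f { print $c }' "/proc/$1/status"
}

# report_process PID
#   Print "PID euid CapEff label" for a live process.
report_process() {
    pid=$1
    euid=$(proc_field "$pid" Uid 3)
    eff=$(proc_field "$pid" CapEff 2)
    printf '%s %s %s %s\n' "$pid" "$euid" "$eff" "$(classify_caps "$euid" "$eff")"
}

# Stand-alone use: ./capcheck.sh PID [PID...]  (e.g. $(pidof openvpn)).
# When sourced or run without arguments nothing is printed.
for p in "$@"; do
    [ -d "/proc/$p" ] && report_process "$p"
done
```

Run it as `sh capcheck.sh $(pidof openvpn)` after the daemon has reconnected once; a line ending in `unprivileged` means a later route or interface change has only the uid-nobody rights the thread describes as insufficient. For a quick offline check, `classify_caps 65534 0000000000001000` prints `nonroot-net_admin` (only bit 12 set), `classify_caps 65534 0000000000201000` prints `nonroot-but-sys_admin` (bits 12 and 21), and `classify_caps 0 0` prints `root`; those masks are constructed for illustration.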