Also prepped the SRU Template to help reviewers ...

** Description changed:

+ [Impact]
+ 
+  * non-default but still common openvpn setups use callout scripts with
+  sudo (if the openvpn user was set up to work with sudo). That breaks in
+  >=Bionic since CAP_AUDIT_WRITE was dropped, which makes pam/sudo deny
+  the call.
+ 
+  * We brought the change upstream and want to backport it into Cosmic/Bionic
+  to avoid Xenial upgrades hitting this.
+ 
+  * Interestingly, the upstream .deb is not affected because it still has the
+  Xenial rules:
+  => https://github.com/OpenVPN/sbuild_wrapper/tree/master/packaging/xenial/debian
+ 
+ [Test Case]
+ 
+  * details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-und-ipv6
+  which the reporter and I followed (warning: the non-command text is
+  German)
+ 
+  * there is no need to do any of the IPv6 stuff in the guide nor the
+  iptables actions; a simplified version is in comment #25
+ 
+  TL;DR would be:
+   * apt install openvpn (on client and server)
+   * add an "openvpn" user and grant it sudo permission for your test script
+   * add server/client config as outlined in comment #25
+     the important bit is to have a sudo call to a helper like:
+       learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
+     (see the example in comment #25 for a copy&paste config)
+   * Start the server service and run journalctl -f
+   * Let the client connect (you will see the denies on the server)
+ 
+ 
+ [Regression Potential]
+ 
+  * It adds one allowed capability (a rather safe one, btw) to the service
+  of openvpn. There should be no regression risk breaking functional
+  setups.
+  If anything, security concerns, but since it was this way in Xenial even
+  that should not apply.
+ 
+ [Other Info]
+ 
+  * This was in Xenial, picked by upstream for their own .deb package but
+  not integrated in their actual repository. Debian, by aligning with
+  upstream, dropped it and we followed. This time we made sure it got
+  upstream, so it hopefully should not recur.
+ 
+ ---
+ I updated my server from xenial to bionic today.
  On xenial I was using the openvpn repo from the openvpn developers
  (https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos); now that
  bionic ships a more recent version I removed the PPA and switched to the
  distro version (2.4.4).
- my openvpn server assigns a real IPv6 address and does NAT for IPv4 for every
- client. Also I push a route so a /64 IPv6 net and one IPv4 address are
- reachable through the tunnel.
+ my openvpn server assigns a real IPv6 address and does NAT for IPv4 for every
+ client. Also I push a route so a /64 IPv6 net and one IPv4 address are
+ reachable through the tunnel. (I have firewalled a server so it is only
+ reachable through the tunnel's IPs)
- With openvpn 2.4.4 from the bionic repo this does not work anymore, aka the
- server is not reachable anymore.
+ With openvpn 2.4.4 from the bionic repo this does not work anymore, aka the
+ server is not reachable anymore. I quickly reactivated the xenial repo from
+ https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos and upgraded
+ the server again (to 2.4.6); after a restart I was able to reach my server
+ again.
  
  So most likely there is a bug in bionic's 2.4.4 version of openvpn.
  
  client config:
  
  client
  dev tun
  proto udp
  remote <ipv4-address> 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert martin-pc.crt
  key martin-pc.key
  remote-cert-tls server
- tls-crypt ta.key
+ tls-crypt ta.key
  cipher AES-256-GCM
  tls-version-min 1.2
  tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  auth SHA512
  comp-lzo
  explicit-exit-notify
  pull-filter ignore "route"
  pull-filter ignore "dhcp"
  pull-filter ignore "redirect"
  route-ipv6 <ipv6-net i want to reach>/64 <ipv6 ip of server> 1
  route <server i want to reach ipv4> 255.255.255.255 10.8.0.1 1
  
  server config:
  
  port 1194
  proto udp
  dev tun
  ca /etc/openvpn/easy-rsa/keys/ca.crt
  cert /etc/openvpn/easy-rsa/keys/server.crt
  key /etc/openvpn/easy-rsa/keys/server.key
  dh /etc/openvpn/easy-rsa/keys/dh4096.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  server-ipv6 <ipv6 net usable for clients>/112
  ifconfig-pool-persist ipp.txt
  push "route-ipv6 2000::/3 <ipv6 server ip> 1"
  script-security 2
  learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/ndp-proxy-setup.sh"
  push "redirect-gateway def1"
  push "redirect-gateway ipv6"
  push "dhcp-option DNS 1.1.1.1"
  keepalive 10 120
  tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
  tls-version-min 1.2
  tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  auth SHA512
  cipher AES-256-GCM
  #compress lz4
  comp-lzo
  persist-key
  persist-tun
  status openvpn-status.log
  #verb 6
  user openvpn
  group openvpn

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1787208

Title:
  Openvpn routing issue

To manage notifications about this bug go to:
https://bugs.launchpad.net/openvpn/+bug/1787208/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
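A way to verify on a server whether the capability the SRU re-adds is actually in place, as an added example that is not from the bug report or the openvpn package: it decodes the bounding set of a running openvpn process from /proc/<pid>/status, or from a systemd CapabilityBoundingSet= line (the directive is assumed to be where the unit grants capabilities), and reports whether CAP_AUDIT_WRITE is present. The status excerpts are constructed.

```python
"""Check whether an OpenVPN service process can reach sudo/PAM's audit hook.

Added example, not from the bug report: decodes the CapBnd mask from a
/proc/<pid>/status excerpt or from a systemd CapabilityBoundingSet= line and
reports whether CAP_AUDIT_WRITE, the capability the SRU re-adds, is present.
The status excerpts below are constructed, not captured from a real host.
"""
import re

# Linux capability numbers (include/uapi/linux/capability.h); only those an
# openvpn unit typically grants are listed.
CAPS = {
    "CAP_DAC_OVERRIDE": 1, "CAP_SETGID": 6, "CAP_SETUID": 7,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13,
    "CAP_IPC_LOCK": 14, "CAP_SYS_CHROOT": 18, "CAP_AUDIT_WRITE": 29,
}

def mask_from_unit_line(line: str) -> int:
    """Turn 'CapabilityBoundingSet=CAP_A CAP_B ...' into a capability bitmask."""
    _, _, value = line.partition("=")
    mask = 0
    for name in value.split():
        mask |= 1 << CAPS[name.upper()]
    return mask

def mask_from_proc_status(status_text: str) -> int:
    """Extract the hex CapBnd field (bounding set) from /proc/<pid>/status."""
    m = re.search(r"^CapBnd:[ \t]*([0-9a-fA-F]+)[ \t]*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)

def can_sudo_from_callout(mask: int) -> bool:
    """Per the bug, sudo/PAM denies the callout when CAP_AUDIT_WRITE is missing
    from the bounding set, so the learn-address helper never runs as root."""
    return bool(mask >> CAPS["CAP_AUDIT_WRITE"] & 1)

# Constructed excerpts: Bionic's reduced set, and the Xenial-style set with
# CAP_AUDIT_WRITE (bit 29) restored.
BROKEN_STATUS = "Name:\topenvpn\nCapBnd:\t00000000000474c2\nCapAmb:\t0000000000000000\n"
FIXED_STATUS = "Name:\topenvpn\nCapBnd:\t00000000200474c2\nCapAmb:\t0000000000000000\n"

if __name__ == "__main__":
    for label, text in (("bionic", BROKEN_STATUS), ("fixed", FIXED_STATUS)):
        ok = can_sudo_from_callout(mask_from_proc_status(text))
        print(f"{label}: sudo callouts {'work' if ok else 'are denied'}")
```

On a live server, replace the constructed excerpts with the contents of /proc/<pid>/status for the running openvpn process.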