** Description changed:

  [Impact]

-  * non-default but still common openvpn setups use callout scripts with
-    sudo (if the openvpn user was set up to work with sudo). That breaks in
-    >=Bionic since CAP_AUDIT_WRITE was dropped which makes pam/sudo denying
-    the call.
+  * non-default but still common openvpn setups use callout scripts with
+    sudo (if the openvpn user was set up to work with sudo). That breaks in
+    >=Bionic since CAP_AUDIT_WRITE was dropped which makes pam/sudo denying
+    the call.

-  * We brought the change upstream and want to backport into Cosmic/Bionic
-    to avoid Xenial upgrades to hit this.
+  * We brought the change upstream and want to backport into Cosmic/Bionic
+    to avoid Xenial upgrades to hit this.

-  * Interesting is that the upstream .deb is not affected by still having
-    Xenial rules:
-    =>https://github.com/OpenVPN/sbuild_wrapper/tree/master/packaging/xenial/debian
+  * Interesting is that the upstream .deb is not affected by still having
+    Xenial rules:
+    =>https://github.com/OpenVPN/sbuild_wrapper/tree/master/packaging/xenial/debian

  [Test Case]

-  * details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-
-    und-ipv6 which the reporter and I followed (warning: non commands are
-    german)
+  * details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-
+    und-ipv6 which the reporter and I followed (warning: non commands are
+    german)

-  * there is no need to do any of the IPV6 stuff in the guide nor the
-    iptables actionsa, a simplified version is in comment #25
+  * there is no need to do any of the IPV6 stuff in the guide nor the
+    iptables actions

-  TL;DR would be:
-  * apt install openvpn (on client and server)
-  * add "openvpn" user and grant him sudo permission for your test script
-  * add server/client config as outlined in comment #25
-    the important bit is to have a sudo call to a helper like:
-    learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
-    (see the example in comment #25 for a copy&paste config)
-  * Start the server service and run journalctl -f
-  * Let the client connect (you will see the denies on the server)
+  TL;DR would be:
+  * apt install openvpn (on client and server)
+    $ sudo apt install openvpn easy-rsa
+    Use easy-rsa to create 1 server and 1 client certificate
+    See the link above for commands to do so if you are unfamiliar
+  * add "openvpn" user and grant him sudo permission for your test script
+    $ addgroup --system --no-create-home --disabled-login --group openvpn
+    $ adduser --system --no-create-home --disabled-login --ingroup openvpn openvpn
+  * add server/client config as outlined in comment #25
+    the important bit is to have a sudo call to a helper like:
+    learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
+
+    client.conf
+      client
+      dev tun
+      proto udp
+      remote 192.168.122.29 1194
+      resolv-retry infinite
+      nobind
+      persist-key
+      persist-tun
+      ca /etc/openvpn/easy-rsa/pki/ca.crt
+      cert /etc/openvpn/easy-rsa/pki/issued/guest1.crt
+      key /etc/openvpn/easy-rsa/pki/private/guest1.key
+      remote-cert-tls server
+      cipher AES-256-CBC
+      tls-version-min 1.2
+      tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
+      auth SHA512
+      comp-lzo
+      verb 6
+      explicit-exit-notify
+
+    server.conf
+      port 1194
+      proto udp
+      dev tun
+      ca /etc/openvpn/easy-rsa/pki/ca.crt
+      cert /etc/openvpn/easy-rsa/pki/issued/server.crt
+      key /etc/openvpn/easy-rsa/pki/private/server.key
+      dh /etc/openvpn/easy-rsa/pki/dh.pem
+      topology subnet
+      server 10.8.0.0 255.255.255.0
+      ifconfig-pool-persist ipp.txt
+      script-security 2
+      push "redirect-gateway def1"
+      push "dhcp-option DNS 8.8.8.8"
+      keepalive 10 120
+      tls-version-min 1.2
+      tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
+      auth SHA512
+      cipher AES-256-CBC
+      comp-lzo
+      persist-key
+      persist-tun
+      status openvpn-status.log
+      verb 6
+      user openvpn
+      group openvpn
-  [Regression Potential]
+  * Create the test script
+    $ sudo mkdir -p /etc/openvpn/scripts/
+    $ sudo echo "id" >> /etc/openvpn/scripts/test.sh
+    $ sudo chmod +x /etc/openvpn/scripts/test.sh
+  * Start the server service and run journalctl -f
+  * Let the client connect (you will see the denies on the server)

-  * It adds one allowed capability (a rather safe one btw) to the service
-    of openvpn. There should be no regression risk breaking functional
-    setups.
-    If anything security concerns, but since it was this way in Xenial even
-    that should not apply
+  [Regression Potential]
+
+  * It adds one allowed capability (a rather safe one btw) to the service
+    of openvpn. There should be no regression risk breaking functional
+    setups.
+    If anything security concerns, but since it was this way in Xenial even
+    that should not apply

  [Other Info]
-
-  * This was in Xenial, picked by upstream for their own .deb package but
-    not integrated in their actual repository. Debian by aligning with
-    upstream dropped it and we followed. This time we made sure it gets
-    upstream and therefore hopefully should not reoccur again
+
+  * This was in Xenial, picked by upstream for their own .deb package but
+    not integrated in their actual repository. Debian by aligning with
+    upstream dropped it and we followed. This time we made sure it gets
+    upstream and therefore hopefully should not reoccur again

--

I updated my server from Xenial to Bionic today.
On Xenial I was using the openvpn repo from the openvpn developers
(https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos).
Now that Bionic ships a more recent version I removed the PPA and switched to the distro version (2.4.4).
My openvpn server assigns a real IPv6 address and does NAT for IPv4 for every client. Also I push a route so a /64 IPv6 net and one IPv4 address is reachable through the tunnel.
(I have firewalled a server so it is only reachable through the tunnel's IPs.)
With openvpn 2.4.4 from the Bionic repo this does not work anymore, aka the server is not reachable anymore.
I quickly reactivated the Xenial repo from https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos and upgraded the server again (to 2.4.6); after a restart I was able to reach my server again.
So most likely there is a bug in Bionic's 2.4.4 version of openvpn.

client config:

  client
  dev tun
  proto udp
  remote <ipv4-address> 1194
  resolv-retry infinite
  nobind
  persist-key
  persist-tun
  ca ca.crt
  cert martin-pc.crt
  key martin-pc.key
  remote-cert-tls server
  tls-crypt ta.key
  cipher AES-256-GCM
  tls-version-min 1.2
  tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  auth SHA512
  comp-lzo
  explicit-exit-notify
  pull-filter ignore "route"
  pull-filter ignore "dhcp"
  pull-filter ignore "redirect"
  route-ipv6 <ipv6-net i want to reach>/64 <ipv6 ip of server> 1
  route <server i want to reach ipv4> 255.255.255.255 10.8.0.1 1

server config:

  port 1194
  proto udp
  dev tun
  ca /etc/openvpn/easy-rsa/keys/ca.crt
  cert /etc/openvpn/easy-rsa/keys/server.crt
  key /etc/openvpn/easy-rsa/keys/server.key
  dh /etc/openvpn/easy-rsa/keys/dh4096.pem
  topology subnet
  server 10.8.0.0 255.255.255.0
  server-ipv6 <ipv6 net usable for clients>/112
  ifconfig-pool-persist ipp.txt
  push "route-ipv6 2000::/3 <ipv6 server ip> 1"
  script-security 2
  learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/ndp-proxy-setup.sh"
  push "redirect-gateway def1"
  push "redirect-gateway ipv6"
  push "dhcp-option DNS 1.1.1.1"
  keepalive 10 120
  tls-crypt /etc/openvpn/easy-rsa/keys/ta.key
  tls-version-min 1.2
  tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  auth SHA512
  cipher AES-256-GCM
  #compress lz4
  comp-lzo
  persist-key
  persist-tun
  status openvpn-status.log
  #verb 6
  user openvpn
  group openvpn
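The Impact section above traces the broken sudo callout to CAP_AUDIT_WRITE being dropped from the openvpn service's capability bounding set. The script below is an added example (not code from the bug report or the openvpn package): it parses a unit file's CapabilityBoundingSet= lines to report whether that capability survives, and shows the drop-in form of the fix the bug tracks; the two unit fragments are constructed stand-ins for a Xenial-style and a Bionic-style unit, and the drop-in file name is an assumption.

```shell
#!/bin/sh
# Added example; not code from the bug report or the openvpn package.
# Checks whether a systemd unit's CapabilityBoundingSet= still permits
# CAP_AUDIT_WRITE, which sudo/PAM need to write audit records: without it
# the learn-address sudo callout from the bug is denied. The two unit
# fragments are constructed stand-ins for a Xenial- and a Bionic-style unit.
XENIAL_STYLE=$(mktemp); BIONIC_STYLE=$(mktemp)
trap 'rm -rf "$XENIAL_STYLE"* "$BIONIC_STYLE"*' EXIT

cat > "$XENIAL_STYLE" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
EOF

cat > "$BIONIC_STYLE" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
EOF

# unit_allows_cap FILE CAP: exit 0 if CAP is permitted by the unit.
# systemd semantics modelled: no CapabilityBoundingSet= line means all
# capabilities are allowed; repeated lines accumulate; an empty assignment
# resets the set. The inverted "~CAP_..." form is not handled (assumption).
unit_allows_cap() {
    file=$1 cap=$2 seen=0 allowed=""
    while IFS= read -r line; do
        case $line in
            CapabilityBoundingSet=)  seen=1; allowed="" ;;
            CapabilityBoundingSet=*) seen=1; allowed="$allowed ${line#*=}" ;;
        esac
    done < "$file"
    [ "$seen" -eq 0 ] && return 0
    for c in $allowed; do
        [ "$c" = "$cap" ] && return 0
    done
    return 1
}

# The fix the bug tracks, expressed as a drop-in that re-adds the capability
# without editing the packaged unit; because lines accumulate, one line is
# enough. FILE.d/audit-write.conf is an assumed name; FILE.merged is what
# systemd effectively sees after merging the drop-in.
write_dropin() {
    mkdir -p "$1.d"
    printf '[Service]\nCapabilityBoundingSet=CAP_AUDIT_WRITE\n' > "$1.d/audit-write.conf"
    cat "$1" "$1.d/audit-write.conf" > "$1.merged"
}

for u in "$XENIAL_STYLE" "$BIONIC_STYLE"; do
    unit_allows_cap "$u" CAP_AUDIT_WRITE && echo "$u: ok" || echo "$u: CAP_AUDIT_WRITE missing, sudo callouts will be denied"
done
```

On a live host the effective set of a running instance can be read with `systemctl show -p CapabilityBoundingSet openvpn@<instance>` instead of parsing the file by hand.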
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1787208

Title:
  Openvpn routing issue