Issues running OpenVPN client as non-root

I'm currently in the process of "cloning" an existing OpenBSD machine (that functioned as both an OpenVPN server, and an OpenVPN client), but with FreeBSD (14.3-RELEASE-p2) instead. The main reason for this is the new machine needs ZFS support, which means either Linux or FreeBSD, and I much prefer FreeBSD (plus I prefer pf over pretty much every Linux firewall option, even if it has diverged significantly from OpenBSD).

Anyway the server configuration ported over with zero issues, just pkg install openvpn, set openvpn_enable="YES" in /etc/rc.conf, and copy over all of the files. Started right up, clients able to connect without any issue, no problems. The client setup however has not been as smooth. I copied over the existing configuration and it technically works, as long as I remove the 'user openvpn' and 'group openvpn' lines from the configuration. If I leave them in, the tunnel works, but I get repeated "Failed to poll for packets: Operation not permitted (errno=1)" messages to syslog, and eventually the tunnel goes down. When it does go down (or if I stop the process before then) it fails to destroy the tunnel it created, and leaves all of the added routes in the routing table. This is a bit of a problem--the tunnel interface isn't really important, but leaving the routes in the routing table means I'm unable to reach them at all (instead of it going back to routing them out the default gateway), like I want.

So out of curiosity I thought I'd monitor the logs and stop the server process, and I see similar errors, they just don't really matter much (because leaving the tunnel and routes in place when it exits is okay). The errors look like this:
Code:
Sep 13 20:42:43 fw openvpn[22826]: ERROR: FreeBSD route delete command failed: external program exited with error status: 77
Sep 13 20:42:43 fw syslogd: last message repeated 3 times
Sep 13 20:42:43 fw openvpn[22826]: /sbin/ifconfig tun0 192.168.128.1 -alias
Sep 13 20:42:43 fw openvpn[22826]: FreeBSD ip addr del failed: external program exited with error status: 1
Sep 13 20:42:43 fw openvpn[22826]: /sbin/ifconfig tun0 destroy
Sep 13 20:42:43 fw kernel: tun0: link state changed to DOWN
Sep 13 20:42:43 fw openvpn[22826]: FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1

Anyone know why this happens? And is this expected normal behavior on FreeBSD?
 
Can you post the client config? Mark out anything important like passwords or actual server/client IP addresses. I have both client and server with user openvpn etc., and have zero problems. So I'm wondering what's different.

(Moved it to "Web and Network services", this is more about configuration of the client/server than a networking issue).
 
Client config:
Code:
client
dev tun1
proto udp
user openvpn
group openvpn
daemon openvpn

remote <redacted>
remote <redacted>
...
remote <redacted>
remote <redacted>
server-poll-timeout 20

remote-random
resolv-retry infinite
nobind

cipher AES-256-GCM

setenv CLIENT_CERT 0
tun-mtu 1500
mssfix 0
persist-key
persist-tun

reneg-sec 0

remote-cert-tls server

# VPN username/password.
<auth-user-pass>
<redacted>
<redacted>
</auth-user-pass>

script-security 2
auth-retry nointeract

# Disable IPv6
pull-filter ignore "add_route_ipv6"

# Don't redirect all traffic across the VPN.
pull-filter ignore redirect-gateway

# Always route <redacted> hosts/networks across the VPN.
route <redacted> 255.255.255.255
route <redacted> 255.255.255.255
...
route <redacted> 255.255.255.255
route <redacted> 255.255.255.255

<ca>
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
</ca>

<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
<redacted>
-----END OpenVPN Static key V1-----
</tls-crypt>

If your server pushes routes and other stuff that requires root, it won't work as user.

I'm starting it with `service`, which starts it as root and then drops to the specified user/group after initialization. The routes get installed properly, but the tunnel gives those "failed to poll for packet" errors, which eventually cause the tunnel to go down. And when it does, it can't remove the routes nor destroy the tunnel interface (if I comment out persist-tun). There seems to be a plugin that would run the down script as root, but I'm not using a down script (or an up script), I'm just relying on OpenVPN to clean up its own changes. And even if I did use those scripts, nothing would keep the "failed to poll" issue from taking down the tunnel repeatedly.

This method worked fine on OpenBSD. I'm assuming it used some sort of privilege separation there; it doesn't look like it does here even though it seems to be something FreeBSD supports (I can see dhclient using it, for example). It's fine if it doesn't work that way on FreeBSD, I just need to know if it's expected behavior, a bug, or a misconfiguration.
 
Privilege separation sounds about right. I have a script that runs my openvpn as a client (to work servers) that has to run as root so it can create the tun interface. I may be able to get around that by suid stuff or adding my user to specific groups with enough permissions to create tun, but I'm good with doas/sudo/su.
 
Huh, I don't think that's something the OpenBSD client supports, is it? If not it would explain the issue moving the config file to FreeBSD since it appears it is enabled by default here. How big of a security hole do you think that is, for something that is sending network traffic but not listening for remote clients? Acceptable risk?

Leaves me with one question though: why does the server work? I'm not explicitly disabling it there, either. The only issue with the server is it can't remove the routes or destroy the tun interface. Not destroying the interface doesn't matter (I normally use persist-tun for the server) and leaving the routes installed doesn't matter either (since the routes are to another RFC 1918 network unreachable when the VPN is down).

Maybe I need to connect some clients to it for more than a few minutes of testing and watch the logs and see if there's any issues there that don't show up with a brief test from the windows client side.
 
For me it's not absolutely clear how/when DCO will be triggered, but see
Maybe the server does not run in "dco" mode?
 
I do not have if_ovpn_load in my /boot/loader.conf at all but it looks like it loaded it anyway. Not sure what triggered it, maybe openvpn itself caused the module to load. I looked through the required list and I meet two of three requirements--I do not have topology set to subnet, it's whatever is default (which looks like net30). So I would assume DCO is therefore not active for my OpenVPN server based on that.

For the client it seems like there's less required for it to turn on.
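To make the DCO/privilege-drop interaction discussed in the last few posts checkable, here is an added example (not code from any of the posters or from the OpenVPN project): a small Python linter that parses an OpenVPN config and flags `user`/`group` set without `disable-dco`, the route/interface cleanup an unprivileged daemon cannot perform at exit, and missing `persist-key`/`persist-tun`. It assumes, following the thread, that the client's "Failed to poll for packets: Operation not permitted" errors come from DCO (if_ovpn(4) on FreeBSD 14) remaining active after the privilege drop, and that the server escapes this only because DCO requires `topology subnet`, which the server does not set. `disable-dco` is a real OpenVPN 2.6 directive; the sample configs inside the script are constructed, mirroring the posted client config with hosts and key material omitted.

```python
"""Lint an OpenVPN 2.6 config for the privilege-drop pitfalls in this thread.

Added example, not code from the posts or the OpenVPN project. Assumes (as the
later posts suggest) that the client's "Failed to poll for packets: Operation
not permitted" errors come from DCO (if_ovpn(4) on FreeBSD 14) staying active
after the daemon drops to user/group openvpn, and that the server is spared
only because DCO requires 'topology subnet' (OpenVPN 2.6 defaults to net30).
"""
from typing import Dict, List, Tuple

# route(8) exits EX_NOPERM (sysexits.h) when a non-root user alters the routing
# table: the "exited with error status: 77" in the posted log.
EX_NOPERM = 77


def parse_config(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to a list of argument lists; <tag>...</tag> inline
    blocks are stored under the tag name with their body lines as arguments."""
    opts: Dict[str, List[List[str]]] = {}
    block, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside an inline block
            if line == f"</{block}>":
                opts.setdefault(block, []).append(body)
                block, body = None, []
            else:
                body.append(line)
        elif line.startswith("<") and line.endswith(">"):
            block, body = line[1:-1], []
        elif line and line[0] not in "#;":         # skip blanks and comments
            words = line.split()
            opts.setdefault(words[0], []).append(words[1:])
    return opts


def lint(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; empty when no privileges are dropped."""
    opts = parse_config(text)
    if "user" not in opts and "group" not in opts:
        return []
    is_server = "server" in opts or ["server"] in opts.get("mode", [])
    topology = opts.get("topology", [["net30"]])[0][0]   # 2.6 default: net30
    findings: List[Tuple[str, str]] = []

    if "disable-dco" in opts:
        pass                                       # DCO off: plain tun path
    elif is_server and topology != "subnet":
        findings.append(("SERVER_DCO_OFF_TOPOLOGY",
            f"DCO unused: server topology is {topology}, not subnet"))
    else:
        findings.append(("DCO_WITH_PRIVDROP",
            "user/group without disable-dco: DCO stays active after the privilege "
            "drop and kernel requests fail with EPERM; add disable-dco or run as root"))

    # An unprivileged daemon cannot delete routes or destroy the tun at exit.
    findings.append(("CLEANUP_NEEDS_ROOT",
        f"route delete (route(8) exit {EX_NOPERM}) and tun destroy fail at exit"))

    for opt in ("persist-key", "persist-tun"):     # needed to survive restarts
        if opt not in opts:
            findings.append((f"MISSING_{opt.upper().replace('-', '_')}",
                f"{opt} missing: cannot reopen after restart once unprivileged"))
    return findings


def codes(text: str) -> List[str]:
    return [code for code, _ in lint(text)]


# Constructed samples: the client mirrors the posted config (hosts/keys omitted);
# the server drops privileges with the default net30 topology.
CLIENT_CONFIG = """\
client
user openvpn
group openvpn
remote vpn1.example.invalid
remote vpn2.example.invalid
cipher AES-256-GCM
persist-key
persist-tun
<auth-user-pass>
alice
secret
</auth-user-pass>
route 10.10.0.5 255.255.255.255
"""
SERVER_CONFIG = "server 10.8.0.0 255.255.255.0\ndev tun0\nuser openvpn\ngroup openvpn\npersist-key\npersist-tun\n"

if __name__ == "__main__":
    for name, cfg in (("client", CLIENT_CONFIG),
                      ("client+disable-dco", CLIENT_CONFIG + "disable-dco\n"),
                      ("server", SERVER_CONFIG)):
        print(name, codes(cfg))
```

Run as a script it prints the finding codes for the three constructed configs. The practical fix it points at is adding `disable-dco` next to `user`/`group` in the client config (or leaving the daemon as root); the route and interface cleanup at exit still needs root either way, since route(8) refuses to alter the routing table for a non-root user.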
 