OpenVPN 'Operation not permitted' when destroying tun device

Hi, I'm seeing this in my openvpn logs. First some info:

OS: FreeBSD 13.0-RELEASE amd64
OpenVPN: 2.5.3 (installed via ports)

Output from the log:

Code:
2021-08-02 05:30:31 event_wait : Interrupted system call (code=4)
2021-08-02 05:30:33 Closing TUN/TAP interface
2021-08-02 05:30:33 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
2021-08-02 05:30:33 FreeBSD 'destroy tun interface' failed (non-critical): external program exited with error status: 1
2021-08-02 05:30:33 SIGTERM[hard,] received, process exiting

Is this normal?
 
Try it with root.
If you don't set a root account while installing FreeBSD, you can install sudo or add the user to the wheel group by going to recovery and mounting the root fs.
 
If you don't set a root account while installing FreeBSD, you can install sudo or add the user to the wheel group by going to recovery and mounting the root fs.
The error I got was when I ran /usr/local/etc/rc.d/openvpn restart as user root.
 
Can you post your openvpn.conf? (Make sure to remove any identifying addresses or accounts).
 
It's probably the expected behaviour if you run it as a non-privileged user. Once it does its init stuff it switches to openvpn/nobody/whatever.
 
Yep, it's expected behaviour.

As you say, it drops privs once the network is configured.

To "Mumu", you can use the "persist-tun" option so that openvpn can recover from a restart caused by SIGUSR1 or a network interruption by never trying to close/open the tunnel.

You can also configure it to not attempt to destroy the interface on exit - that will stop the error message, but it's in itself harmless.

All this info is in "man openvpn".

Personally, I run openvpn entirely from a non-privileged user right from the start, but allow it to use a privileged wrapper to alter the network settings.
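An added example, not from this thread or from OpenVPN itself: a small Python check that reads an OpenVPN config, reports whether it drops root via "user"/"group", and if so which persist-* options it lacks for surviving a SIGUSR1 or ping-restart without privileges. The sample config is constructed for the example.

```python
import re

# Constructed sample server config (not the poster's). "user"/"group" make
# openvpn drop root after init, so a SIGUSR1 restart needs persist-* options.
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
user nobody
group nobody
persist-tun
; persist-key deliberately left out
"""

# Options a privilege-dropped openvpn needs to survive a restart without root.
PERSIST_NEEDED = {
    "persist-tun": "keeps the tun device open across SIGUSR1/ping-restart",
    "persist-key": "avoids re-reading key files after root is gone",
}

def parse_options(text):
    """Map option name -> args, skipping comments and <tag>...</tag> blocks."""
    opts, block = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if block:                       # inside an inline file block
            block = None if line == f"</{block}>" else block
            continue
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"<(\w+)>", line):
            block = m.group(1)
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit(text):
    """Report whether the config drops root and which persist-* it lacks."""
    opts = parse_options(text)
    drops = "user" in opts or "group" in opts
    missing = [o for o in PERSIST_NEEDED if drops and o not in opts]
    notes = [f"{o} missing: {PERSIST_NEEDED[o]}" for o in missing]
    if drops:
        notes.append("expect a non-critical 'ifconfig tunN destroy' failure "
                     "at exit: the unprivileged process cannot destroy it")
    return {"drops_privileges": drops, "missing": missing, "notes": notes}
```

Run audit() on the text of your openvpn.conf; an empty "missing" list with "drops_privileges" true means the remaining destroy message at exit is the harmless one the thread describes.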
 
To "Mumu", you can use the "persist-tun" option so that openvpn can recover from a restart caused by SIGUSR1 or a network interruption by never trying to close/open the tunnel.
Yep I have this already in the server config.

You can also configure it to not attempt to destroy the interface on exit - that will stop the error message, but it's in itself harmless.
Can't find this in the man page. What's the keyword to search for?
 