client service crashes when pulled options change
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openvpn (Ubuntu) | Fix Released | Undecided | Unassigned | |
Xenial | Won't Fix | Undecided | Unassigned | |
Bionic | Fix Released | Undecided | Unassigned | |
Bug Description
package version: 2.3.10-1ubuntu2.1
Crash logs:
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Preserving previous TUN/TAP instance: tun0
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Closing TUN/TAP interface
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: /sbin/ip addr del dev tun0 local 10.66.0.32 peer 10.66.0.1
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Linux ip addr del failed: external program exited with error status: 2
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: ROUTE_GATEWAY 10.20.0.
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: Exiting due to fatal error
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Unit entered failed state.
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Failed with result 'exit-code'.
When the client reconnects after a disconnect and the pulled options change in a way that the client requires an interface reset, it crashes, because it doesn't have the privileges anymore. Privileges are dropped by openvpn after startup for security reasons, as far as I understood.
This google search shows that this is a common problem of openvpn: https:/
I'm aware that my specific problem might be fixed by bugfixes like this: https:/
But as long as the possibility exists that a change in the pulled options requires an interface reset, the service WILL crash and never restart without manual user interaction.
This could be fixed by adding "Restart=
Hi, openvpn@.service copied from upstream
this was addressed by upstream in [1]
and adopted by Debian/Ubuntu in version 2.4.4-1
* Further changes to debian/
- Enable Restart=on-failure
- Use KillMode=process
which in releases means Bionic and later is already fixed in regard to your request to consider restarting it automatically.
For Xenial IMHO the SRU [2] policy forbids this change as it could change behavior in an unexpected way without the users noticing. Fortunately users - like you - who consciously want this change to be active on xenial can just add the lines via `systemctl edit <service>`
RestartSec=5s
Restart=on-failure
[1]: https://github.com/OpenVPN/openvpn/commit/a4686e99b047081f0ef6f7945450183088464aa5
[2]: https://wiki.ubuntu.com/StableReleaseUpdates
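Added example, not part of the original bug report or its comments: a small detector that scans syslog-format OpenVPN client logs for the failure sequence reported above (pulled options changed, TUN reopen denied after the privilege drop, fatal exit), so affected hosts can be found before a tunnel stays down. The function name is hypothetical, the input is assumed to be syslog-style text, and the two PID 2301 lines are constructed for contrast.

```python
import re

# The first three lines are copied from the crash log in the bug description;
# the last two (PID 2301) are constructed to show a reopen that succeeds.
SAMPLE = """\
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: Exiting due to fatal error
Jun 27 11:02:10 ubuntu-xenial ovpn-client[2301]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 11:02:11 ubuntu-xenial ovpn-client[2301]: Initialization Sequence Completed
"""

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<tag>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Messages that must appear, in this order, from one and the same process.
STAGES = (
    re.compile(r"Pulled options changed on restart"),
    re.compile(r"Cannot ioctl TUNSETIFF \S+: Operation not permitted"),
    re.compile(r"Exiting due to fatal error"),
)


def find_reopen_crashes(text):
    """Return one record per process that logged all three stages in order."""
    seen = {}  # (host, tag, pid) -> timestamps of the stages matched so far
    crashes = []
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m:
            continue  # not a syslog-style line
        key = (m["host"], m["tag"], int(m["pid"]))
        times = seen.setdefault(key, [])
        if not STAGES[len(times)].search(m["msg"]):
            continue  # not the next expected stage for this process
        times.append(m["ts"])
        if len(times) == len(STAGES):
            del seen[key]
            crashes.append({"host": key[0], "tag": key[1], "pid": key[2],
                            "reopen_at": times[0], "exit_at": times[-1]})
    return crashes


if __name__ == "__main__":
    for c in find_reopen_crashes(SAMPLE):
        print("{tag}[{pid}] on {host}: TUN reopen denied after privilege "
              "drop, exited at {exit_at}".format(**c))
```

A hit on a host whose unit lacks `Restart=on-failure` means the tunnel stays down until someone restarts the service by hand.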