client service crashes when pulled options change

Bug #1834514 reported by hsngrmpf
This bug affects 1 person
Affects            Status         Importance   Assigned to   Milestone
openvpn (Ubuntu)   Fix Released   Undecided    Unassigned
Xenial             Won't Fix      Undecided    Unassigned
Bionic             Fix Released   Undecided    Unassigned

Bug Description

package version: 2.3.10-1ubuntu2.1

Crash logs:
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Preserving previous TUN/TAP instance: tun0
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Closing TUN/TAP interface
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: /sbin/ip addr del dev tun0 local 10.66.0.32 peer 10.66.0.1
Jun 27 10:51:28 ubuntu-xenial ovpn-client[1182]: Linux ip addr del failed: external program exited with error status: 2
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: ROUTE_GATEWAY 10.20.0.1/255.255.240.0 IFACE=enp0s8 HWADDR=08:00:27:b0:b7:a9
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Jun 27 10:51:29 ubuntu-xenial ovpn-client[1182]: Exiting due to fatal error
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Main process exited, code=exited, status=1/FAILURE
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Unit entered failed state.
Jun 27 10:51:29 ubuntu-xenial systemd[1]: <email address hidden>: Failed with result 'exit-code'.

When the client reconnects after a disconnect and the pulled options change in a way that requires the client to reset the interface, it crashes, because it doesn't have the privileges anymore. Privileges are dropped by openvpn after startup for security reasons, as far as I understood.

This Google search shows that this is a common problem of openvpn: https://www.google.com/search?ei=1uIUXeXTM8_N6ATK_p6gCw&q=openvpn+Pulled+options+changed+on+restart%2C+will+need+to+close+and+reopen+TUN%2FTAP+device&oq=openvpn+Pulled+options+changed+on+restart%2C+will+need+to+close+and+reopen+TUN%2FTAP+device

I'm aware that my specific problem might be fixed by bugfixes like this: https://community.openvpn.net/openvpn/ticket/649

But as long as the possibility exists that a change in the pulled options requires an interface reset, the service WILL crash and never restart without manual user interaction.

This could be fixed by adding "Restart=on-failure" to the openvpn-client@.service for example.

Christian Ehrhardt  (paelzer) wrote :

Hi,
this was addressed by upstream in [1]
and adopted by Debian/Ubuntu in version 2.4.4-1
      * Further changes to debian/openvpn@.service copied from upstream
        - Enable Restart=on-failure
        - Use KillMode=process
which in terms of releases means Bionic and later are already fixed with regard to your request to consider restarting it automatically.

For Xenial IMHO the SRU [2] policy forbids this change as it could change behavior in an unexpected way without the users noticing. Fortunately users - like you - who consciously want this change to be active on xenial can just add the lines via `systemctl edit <service>`:

  [Service]
  RestartSec=5s
  Restart=on-failure

[1]: https://github.com/OpenVPN/openvpn/commit/a4686e99b047081f0ef6f7945450183088464aa5
[2]: https://wiki.ubuntu.com/StableReleaseUpdates
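
As an added example (not part of the bug report or of the openvpn packaging): shell functions that find the failure signature from the crash log in syslog-style lines and write the restart drop-in suggested in the comment above. The sample log is constructed from the report's log lines; the function names and the restart.conf file name are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openvpn package.

# Constructed sample, modelled on the crash log in the report.
sample_log() {
cat <<'EOF'
Jun 27 10:51:28 host ovpn-client[1182]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 10:51:28 host ovpn-client[1182]: Closing TUN/TAP interface
Jun 27 10:51:29 host ovpn-client[1182]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Jun 27 10:51:29 host ovpn-client[1182]: Exiting due to fatal error
Jun 27 11:02:10 host ovpn-client[2001]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Jun 27 11:02:11 host ovpn-client[2001]: Initialization Sequence Completed
EOF
}

# Read log lines on stdin and print the PID of every process that logged
# the "pulled options changed" notice and then failed TUNSETIFF with EPERM,
# i.e. tried to reopen the TUN device after privileges were dropped.
find_reopen_crashes() {
    awk '
        { pid = ""
          if (match($0, /\[[0-9]+\]:/)) pid = substr($0, RSTART + 1, RLENGTH - 3) }
        /Pulled options changed on restart/ { pending[pid] = 1 }
        /Cannot ioctl TUNSETIFF/ && /Operation not permitted/ && pending[pid] {
            print pid
            delete pending[pid]
        }
        # A successful reconnect clears the pending state for that PID.
        /Initialization Sequence Completed/ { delete pending[pid] }
    '
}

# Write the restart drop-in into directory $1. On a real host $1 would be
# the unit's drop-in directory (assumption: /etc/systemd/system/<unit>.d),
# followed by "systemctl daemon-reload".
write_restart_dropin() {
    mkdir -p "$1" &&
    printf '[Service]\nRestart=on-failure\nRestartSec=5s\n' > "$1/restart.conf"
}

# Demo on the constructed sample.
sample_log | find_reopen_crashes
```
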

Changed in openvpn (Ubuntu Xenial):
status: New → Won't Fix
Changed in openvpn (Ubuntu Bionic):
status: New → Triaged
status: Triaged → Fix Released
Changed in openvpn (Ubuntu):
status: New → Fix Released