easy-openvpn ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)

Bug #1731056 reported by Rafael
This bug affects 1 person

Affects: snappy-hwe-snaps
Status: Won't Fix
Importance: Undecided
Assigned to: Gary.Wang

Bug Description

On an rpi3 running snappy Ubuntu Core, with easy-openvpn installed, I'm trying to connect to an OpenVPN server. I have a .ovpn file.

> snap interfaces

:firewall-control docker,easy-openvpn
:home easy-openvpn
:network-control easy-openvpn

> easy-openvpn.connect-server rpi3snap.ovpn

...
OPTIONS IMPORT: adjusting link_mtu to 1545
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=xx:xx:xx:xx:xx
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Exiting due to fatal error

I have no idea why. I've tried sudo, and also running as root.

Jim Hodapp (jhodapp)
Changed in snappy-hwe-snaps:
assignee: nobody → Gary.Wang (gary-wzl77)
Gary.Wang (gary-wzl77) wrote :

Hey Rafael,
   Thanks for reporting this.
   Would you mind checking whether you can reproduce this issue by going through the following two steps?
   1. Change the owner of your .ovpn file to 'root' to overcome the dac_override denial in snappy.
     $ sudo chown root.root your.ovpn
   2. Then connect to the OpenVPN server with sudo.
     $ sudo easy-openvpn.connect-server your.ovpn

Thanks
Gary

Rafael (rafaelgalrito) wrote :

Hello Gary,

I ran those commands. Now, I'm facing another error. When I run:

> sudo easy-openvpn.connect-server my.ovpn

setgid('nogroup') failed: Operation not permitted (errno=1)
Exiting due to fatal error
/sbin/ip route del ...

So, I've tried:

>egrep "(group|user)" my.ovpn

user nobody
group nogroup

Could these two configs be the problem here?

I just commented out both lines. Tried again. It works now.

This is related to downgrading privileges after initialization. Any idea why commenting out these two lines fixes this issue?

Gary.Wang (gary-wzl77) wrote :

Hey Rafael
    Thanks for your reply.

    Basically, I'd say changing the owner of your .ovpn file to root and running the command with sudo resolves your problem. Let me dive a bit deeper.
    1. The log message here indicates that you missed sudo in the command line
    "OPTIONS IMPORT: adjusting link_mtu to 1545
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=xx:xx:xx:xx:xx
ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)"
    2. Then you ran the easy-openvpn.connect-server command with sudo, and it failed again. The reason here is that your rpi3snap.ovpn is not owned by root. As you run the command as root, you need to change the ownership of the *.ovpn file to overcome the dac_override denial. So the root cause this time is different. If you check the syslog once you encounter the problem, you'll find some denials like the following:
    http://paste.ubuntu.com/25951837/
    3. It works for you after you commented out both lines because you had already changed the ownership of rpi3snap.ovpn to root. If you change the ownership of rpi3snap.ovpn back to the original user (non-root), you will see the dac_override denial again for sure.

    Could these two configs be the problem here?
    A: Yes, we disabled the user and group setup in the config file explicitly due to the lack of user and group management in snappy. See more details here:
    https://git.launchpad.net/~snappy-hwe-team/snappy-hwe-snaps/+git/easy-openvpn/tree/README.md#n9
    The relevant design can be found here
    https://forum.snapcraft.io/t/multiple-users-and-groups-in-snaps/1461/3

    So I wonder about the source of the rpi3snap.ovpn file.
    a) If the *.ovpn file is generated by easy-openvpn (server), e.g. you create the *.ovpn file by running the following command:
        sudo easy-openvpn.add-client foo > rpi3snap.ovpn
    You won't hit the above problem because, as I mentioned above, we disable the user/group setup during .ovpn file generation.

    b) If you use a *.ovpn file from another source, e.g. you download the *.ovpn file from the internet, that could be the problem. You need to remove these two lines manually to remedy this situation.

    To confirm, could you please let me know the source of your *.ovpn file?
    Thanks

BR
Gary
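
The two conditions described in the comment above (root ownership of the profile, and active `user`/`group` directives) can be checked before connecting. This is an added example, not code from the thread or from the easy-openvpn project; the function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the easy-openvpn project). Function names and the
# sample profile are constructed for illustration.

# List active `user`/`group` directives as "line:directive value".
# Inline blocks such as <ca>...</ca> are skipped; commented lines never match
# because their first field starts with "#" or ";".
find_priv_drop() {
    awk '
        /^[ \t]*<\/[A-Za-z0-9_-]+>/ { inblock = 0; next }
        /^[ \t]*<[A-Za-z0-9_-]+>/   { inblock = 1; next }
        !inblock && ($1 == "user" || $1 == "group") { print NR ":" $1 " " $2 }
    ' "$1"
}

# Emit the profile with those directives commented out, all else unchanged.
disable_priv_drop() {
    awk '
        /^[ \t]*<\/[A-Za-z0-9_-]+>/ { inblock = 0; print; next }
        /^[ \t]*<[A-Za-z0-9_-]+>/   { inblock = 1; print; next }
        !inblock && ($1 == "user" || $1 == "group") { print "# disabled: " $0; next }
        { print }
    ' "$1"
}

# Numeric owner of the file (0 means root).
owner_uid() { ls -ln "$1" | awk '{ print $3 }'; }

# Report both conditions from the thread; return 1 if either needs attention.
check_profile() {
    rc=0
    if [ "$(owner_uid "$1")" != "0" ]; then
        echo "owner: uid $(owner_uid "$1"), expected 0 (sudo chown root.root)"; rc=1
    fi
    hits=$(find_priv_drop "$1")
    if [ -n "$hits" ]; then
        echo "privilege-drop directives present:"; echo "$hits"; rc=1
    fi
    return "$rc"
}

# Constructed sample profile, written to a temporary file.
sample=$(mktemp)
printf '%s\n' client 'dev tun' 'user nobody' ';group nobody' 'group nogroup' \
    '<ca>' 'user inside-block' '</ca>' > "$sample"
check_profile "$sample" || true
disable_priv_drop "$sample" | grep -n '^# disabled'
rm -f "$sample"
```

With the two directives disabled, OpenVPN does not drop to an unprivileged user after initialization and keeps running as root inside the snap's confinement.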

Rafael (rafaelgalrito) wrote :

Hello,

Many thanks for your full reply!

The *.ovpn file was created by me, on another machine that hosts the OpenVPN server.

This "bug" is solved.

Best Regards,
Rafael

PS: I wonder how to set the .ovpn file to be used as the config file for the openvpn service.

Gary.Wang (gary-wzl77) wrote :

Hi,
You can follow the instructions here to set up an OpenVPN server on Ubuntu Core.
https://docs.ubuntu.com/core/en/stacks/network/easy-openvpn/docs/openvpn-server-setup
Once the server is up and running, you can run the following command to generate a .ovpn file, which can be used by a client to connect to the OpenVPN server.
$ sudo easy-openvpn.add-client foo > foo.ovpn

P.S.: For the record, we definitely need to support configurable user and group once the management is supported in snapd.

BR
Gary

Tony Espy (awe) wrote :

As the easy-openvpn snap will soon be removed from the store (see: https://forum.snapcraft.io/t/easy-openvpn-deprecation/14604), this bug is being closed.

Changed in snappy-hwe-snaps:
status: New → Won't Fix