openvpn does not work with ecryptfs setup

Bug #1787801 reported by Nikolay Borisov
This bug affects 1 person
Affects: openvpn (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have an ecryptfs in which my decrypted mount point is /home/$user/Private. Additionally, my openvpn setup is such that under /etc/openvpn I have symlinks to the actual files, which are located in /home/$user/Private/openvpn. When I try to start openvpn (bear in mind that this setup worked on 16.04, I upgraded the machine) I get an error:

fisk-mobile ovpn-CONF-FILE[25710]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/CONF-FILE.conf

Needless to say that manually running openvpn --config /etc/openvpn/CONF-FILE.conf (which is a symlink) worked flawlessly.

After a bit of headbanging it turned out the issue is caused by the ProtectHome directive of the openvpn service file under: /lib/systemd/system/openvpn@.service - the same directive also applies to openvpn-client@.service service as well. Changing the value from 'true' to 'read-only' resolved the issue.

In my opinion, having the config files on an encrypted partition under /home/$USER is not that uncommon, and so the unit file should be changed to at least allow RO permissions. Additionally, this setup worked on Ubuntu 16.04 and I just performed an upgrade which broke the existing setup, so I consider this a regression as well.

Simon Déziel (sdeziel) wrote :

Since upstream uses ProtectHome=true, I'd tend to think that having the config files in home directories is not that common even if it's certainly a valid use case. IMHO, this is a perfect case for using drop-in snippets:

 $ sudo systemctl edit openvpn@

Then enter the following:

 [Service]
 ProtectHome=read-only

This will override just the ProtectHome directive to account for your local needs and it will also survive any package upgrade. Directly editing /lib/systemd/system/$unit@.service doesn't survive package upgrades which is why drop-ins are nice.

Nikolay Borisov (n-borisov-lkml) wrote :

Ok, thanks for the tip, I didn't know that. If this is then coming from upstream, I guess a bug report is warranted there as well.

Andreas Hasenack (ahasenack) wrote :

I believe that since you changed the location of the config file, changing the systemd service file is just a continuation of your local configuration. Simon's tip in comment #1 was spot on, as was your investigation of the config setting that needed changing.

Regarding the regression aspect of this, I believe we can sort that out via a release notes entry on openvpn.

Changed in openvpn (Ubuntu):
status: New → Won't Fix
no longer affects: ubuntu-release-notes
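
A check for the condition diagnosed in this thread, added here as an example and not taken from the bug report or the openvpn package: it lists config entries whose resolved path lies in a directory covered by ProtectHome, and reads the value systemd actually applies to a unit after drop-ins. The function names and the PROTECTED_DIRS variable are hypothetical; the default directory list is the one systemd.exec(5) documents for ProtectHome.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not from the openvpn package.
# Directories that ProtectHome= affects, per systemd.exec(5).
PROTECTED_DIRS="${PROTECTED_DIRS:-/home /root /run/user}"

# List entries of config directory $1 whose resolved path is under a
# protected directory. Output: "<entry> -> <resolved path>", one per line.
find_protected_configs() {
    conf_dir=$1
    for entry in "$conf_dir"/*; do
        # Skip an unmatched glob and dangling links (e.g. ecryptfs not mounted).
        [ -e "$entry" ] || continue
        real=$(readlink -f "$entry") || continue
        for dir in $PROTECTED_DIRS; do
            case "$real" in
                "$dir"/*) printf '%s -> %s\n' "$entry" "$real" ;;
            esac
        done
    done
}

# Print the ProtectHome value systemd applies to unit $1 after drop-ins.
effective_protecthome() {
    systemctl show -p ProtectHome --value "$1"
}

# Typical use on the affected machine:
#   find_protected_configs /etc/openvpn
#   effective_protecthome openvpn@CONF-FILE.service
```

Any entry the first function prints is unreadable to the service while the second reports ProtectHome as enabled, which matches the "Error opening configuration file" message in the report.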