openvpn no longer called with "--script-security 2"

Bug #1454725 reported by Nicolas Jungers on 2015-05-13
This bug affects 3 people
Affects: openvpn (Ubuntu) | Importance: Medium | Assigned to: Martin Pitt

Bug Description

1) the config in "/etc/default/openvpn" seems to not be respected, specifically the value of the OPTARGS is not used.
 -- it can be set in the vpn config file

2) the package uml-utilities is not installed and tunctl seems to be required by the openvpn start procedure.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: openvpn 2.3.2-9ubuntu4
ProcVersionSignature: Ubuntu 3.11.0-13.20-generic 3.11.6
Uname: Linux 3.11.0-13-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 13 16:23:29 2015
InstallationDate: Installed on 2013-06-01 (710 days ago)
InstallationMedia: Kubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120423)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: Upgraded to vivid on 2015-05-13 (0 days ago)
mtime.conffile..etc.default.openvpn: 2015-05-13T16:08:10.362615

Nicolas Jungers (unbug) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu):
status: New → Confirmed
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This looks likely to be a consequence of the switch to systemd to me.

tags: added: systemd-boot
Changed in openvpn (Ubuntu):
importance: Undecided → Medium

Openvpn starts ok with sudo openvpn --config /etc/openvpn/<name of profile>.conf
This was my workaround, this bug is very annoying. Will try to modify the script at /etc/init.d as soon as I have the time to do it.

Simon Déziel (sdeziel) wrote :

Nicolas, the journal log shows that the VPN server hostname was not resolvable and eventually when it finally connected, it failed after calling a --up script. Could you provide this --up script and maybe the sanitized configuration of your VPN client?

Changed in openvpn (Ubuntu):
status: Confirmed → Incomplete
Martin Pitt (pitti) on 2016-02-01
summary: - openvpn fails after upgrade from 14.10 to 15.04
+ openvpn does not use OPTARGS from /etc/default/openvpn

On 01/02/16 15:57, Simon Déziel wrote:
> Nicolas, the journal log shows that the VPN server hostname was not
> resolvable and eventually when it finally connected, it failed after
> calling a --up script. Could you provide this --up script and maybe the
> sanitized configuration of your VPN client?
>
> ** Changed in: openvpn (Ubuntu)
> Status: Confirmed => Incomplete
Simon,

The DNS error was a transient one, so not relevant here. The --up script
is the distro standard one and I modified the connection script to
include the "script-security 2" config that was before an OPTARGS from
/etc/default/openvpn.

The /etc/default/openvpn way was the documented way pre-15.04.

I just checked on 14.04 and 16.04 and the init script automatically adds "--script-security 2" unless the VPN config contains a script-security directive.

Problem is that since the switch to systemd, the init script is no longer used and the daemon is used like this:

  $ systemctl cat openvpn@.service | grep ^ExecStart
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid

This probably breaks setups relying on "--script-security 2" like yours. Could you try adding "script-security 2" to /etc/openvpn/infra.conf and see if it helps?

On 01/02/16 18:37, Simon Déziel wrote:
> I just check on 14.04 and 16.04 and the init script automatically adds
> "--script-security 2" unless the VPN config contains a script-security
> directive.
>
> Problem is that since the switch to systemd, the init script is no
> longer used and the daemon is used like this:
>
> $ systemctl cat openvpn@.service | grep ^ExecStart
> ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
>
> This probably breaks setups relying on "--script-security 2" like yours.
> Could you try adding "script-security 2" to /etc/openvpn/infra.conf and
> see if it helps?

Yes, it solves the problem. I thought I reported that before. The
problem is the migration mechanism that has to be corrected. The way I
used "--script-security 2" was the one put forward in the official doc.

The problem shall be the same for the migration 14.04 -> 16.04 (I presume).

Simon Déziel (sdeziel) on 2016-02-01
Changed in openvpn (Ubuntu):
status: Incomplete → Confirmed
summary: - openvpn does not use OPTARGS from /etc/default/openvpn
+ openvpn no longer called with "--script-security 2"
Simon Déziel (sdeziel) wrote :

Thanks for the feedback Nicolas.

This is likely going to bite many users upgrading. It's fairly common to push DNS resolvers from the VPN server. For those to be usable on the client side, "script-security 2" is needed otherwise the up/down script update-resolv-conf won't be called.

Since Ubuntu tweaks the init script to add "--script-security 2" for backward compatibility, I believe the same should be done by the systemd file.

@pitti, would that make sense?
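As an added example (not the Ubuntu init script, the openvpn package, or any commenter's code): a POSIX shell version of the check described above, supplying "--script-security 2" only when the VPN config lacks its own script-security directive, plus the systemd drop-in an admin could use locally until the packaged unit carries the flag. The drop-in directory and the sample configs are assumed/constructed.

```shell
#!/bin/sh
# Added example: mirrors the init-script behaviour discussed in this bug.
# A "--script-security" given after "--config" on the command line would
# override whatever the config sets, so the flag is only added when the
# config is silent on it.

# Print the extra argument(s) the unit needs for CONF; empty if CONF
# already has an (uncommented) script-security directive.
script_security_args() {
    conf="$1"
    if grep -Eq '^[[:space:]]*script-security[[:space:]]' "$conf"; then
        printf ''
    else
        printf '%s' '--script-security 2'
    fi
}

# Write a drop-in for openvpn@.service: clear the packaged ExecStart (the
# one shown earlier in the thread) and re-add it with the flag appended.
# DIR is assumed, e.g. /etc/systemd/system/openvpn@.service.d, followed by
# "systemctl daemon-reload".
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/script-security.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid --script-security 2
EOF
    printf '%s\n' "$dir/script-security.conf"
}

# Constructed sample configs: one relying on the distro default, one explicit.
demo() {
    tmp=$(mktemp -d)
    printf 'client\nremote vpn.example.invalid 1194\nup /etc/openvpn/update-resolv-conf\n' > "$tmp/plain.conf"
    printf 'client\nscript-security 2\nup /etc/openvpn/update-resolv-conf\n' > "$tmp/explicit.conf"
    echo "plain.conf    -> [$(script_security_args "$tmp/plain.conf")]"
    echo "explicit.conf -> [$(script_security_args "$tmp/explicit.conf")]"
    echo "drop-in written to $(write_dropin "$tmp/openvpn@.service.d")"
    rm -rf "$tmp"
}

demo
```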

Martin Pitt (pitti) wrote :

Yes, I think that makes sense, if that change is still intended/sensible.

Changed in openvpn (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Martin Pitt (pitti)
milestone: none → ubuntu-16.02
Martin Pitt (pitti) wrote :

Uploaded this. It would be great if you could test 2.3.10-1ubuntu2 and confirm that this works now, as I don't use OpenVPN in that mode.

Changed in openvpn (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.3.10-1ubuntu2

---------------
openvpn (2.3.10-1ubuntu2) xenial; urgency=medium

  * debian/openvpn@.service: Add --script-security similar to what got added
    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)

 -- Martin Pitt <email address hidden> Tue, 02 Feb 2016 13:33:39 +0100

Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

It works, thanks Martin.

HonoredMule (honoredmule) wrote :

What about the originally reported issue? OPTARGS is still not supported.

Or put another way, there are other flags some of us need to set (in my case --multihome). If not via OPTARGS, what is the proper way to set them? And why does /etc/default/openvpn still present OPTARGS as supported?

On 2016-11-27 12:44 AM, HonoredMule wrote:
> Or put another way, there are other flags some of us need to set (in my
> case --multihome).

You can add "multihome" in the configuration files /etc/openvpn/*.conf.
