2019-05-13 06:45:28 |
Christian Ehrhardt |
bug |
|
|
added bug |
2019-05-13 06:45:38 |
Christian Ehrhardt |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868806 |
|
2019-05-13 06:45:38 |
Christian Ehrhardt |
bug task added |
|
openvpn (Debian) |
|
2019-05-13 06:45:49 |
Christian Ehrhardt |
bug |
|
|
added subscriber Ubuntu Server |
2019-05-13 06:45:53 |
Christian Ehrhardt |
tags |
|
server-next |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Eoan |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
bug task added |
|
openvpn (Ubuntu Eoan) |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Bionic |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
bug task added |
|
openvpn (Ubuntu Bionic) |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Disco |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
bug task added |
|
openvpn (Ubuntu Disco) |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
nominated for series |
|
Ubuntu Cosmic |
|
2019-05-13 06:46:35 |
Christian Ehrhardt |
bug task added |
|
openvpn (Ubuntu Cosmic) |
|
2019-05-13 06:46:43 |
Christian Ehrhardt |
openvpn (Ubuntu Eoan): status |
New |
Triaged |
|
2019-05-13 06:48:35 |
Christian Ehrhardt |
description |
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former but not the latter.
Please correct this in the same releases. |
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service but not the latter openvpn-server@.service.
Please correct this in the same releases as the older bug. |
|
2019-05-13 11:38:18 |
Bug Watch Updater |
openvpn (Debian): status |
Unknown |
Fix Released |
|
2019-05-13 14:01:21 |
Christian Ehrhardt |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openvpn/+git/openvpn/+merge/367349 |
|
2019-05-14 06:16:13 |
Christian Ehrhardt |
openvpn (Ubuntu Eoan): status |
Triaged |
In Progress |
|
2019-05-14 06:48:00 |
Launchpad Janitor |
openvpn (Ubuntu Eoan): status |
In Progress |
Fix Released |
|
2019-05-14 07:58:48 |
Christian Ehrhardt |
description |
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service but not the latter openvpn-server@.service.
Please correct this in the same releases as the older bug. |
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service (Debian packaging) but not the latter openvpn-server@.service (service files from upstream).
Please correct this in the same releases as the older bug. |
|
2019-05-14 08:29:36 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openvpn/+git/openvpn/+merge/367390 |
|
2019-05-14 08:38:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openvpn/+git/openvpn/+merge/367393 |
|
2019-05-14 08:39:18 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~paelzer/ubuntu/+source/openvpn/+git/openvpn/+merge/367394 |
|
2019-05-16 11:43:34 |
Christian Ehrhardt |
description |
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service (Debian packaging) but not the latter openvpn-server@.service (service files from upstream).
Please correct this in the same releases as the older bug. |
[Impact]
* non-default but still common openvpn setups use callout scripts with sudo (if the openvpn user was set up to work with sudo). That breaks in >=Bionic since CAP_AUDIT_WRITE was dropped, which makes pam/sudo deny the call.
* We brought the change upstream (they have their own .deb package) and want to backport it into B/C/D
[Test Case]
* The following should work for two KVM guests on the same virtual network.
* details in https://www.techgrube.de/tutorials/openvpn-server-mit-ipv4-und-ipv6 which the reporter and I followed (warning: the non-command text is German)
* there is no need to do any of the IPv6 stuff in the guide nor the iptables actions
TL;DR would be:
* apt install openvpn (on client and server)
$ sudo apt install openvpn easy-rsa
Use easy-rsa to create 1 server and 1 client certificate
See the link above for commands to do so if you are unfamiliar
* add "openvpn" user and grant him sudo permission for your test script
$ addgroup --system --no-create-home --disabled-login --group openvpn
$ adduser --system --no-create-home --disabled-login --ingroup openvpn openvpn
* add server/client config (copy and modify from those in /usr/share)
the important bit is to have a sudo call to a helper like:
learn-address "/usr/bin/sudo -u root /etc/openvpn/scripts/test.sh"
client.conf
client
dev tun
proto udp
remote 192.168.122.29 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/guest1.crt
key /etc/openvpn/easy-rsa/pki/private/guest1.key
remote-cert-tls server
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
comp-lzo
verb 6
explicit-exit-notify
server.conf
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key /etc/openvpn/easy-rsa/pki/private/server.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
script-security 2
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 6
user openvpn
group openvpn
* Create the test script
$ sudo mkdir -p /etc/openvpn/scripts/
$ echo "id" | sudo tee -a /etc/openvpn/scripts/test.sh
$ sudo chmod +x /etc/openvpn/scripts/test.sh
* Start the server service and run journalctl -f
And here is the important part for this sub-bug of bug 1787208.
To use the service files you'd not run openvpn@server, which would be the default Debian/Ubuntu templated service files.
Instead you'd use `systemctl restart openvpn-server@server`
Mind the extra -server
* Let the client connect (you will see the denies on the server)
[Regression Potential]
* It adds one allowed capability (a rather safe one btw) to the service of openvpn. There should be no regression risk breaking functional setups.
If anything I'd have security concerns, but since it was this way in Xenial and already is that way on "the other" set of .service files that should not matter.
[Other Info]
* This was in Xenial, picked by upstream for their own .deb package but not integrated in their actual repository. Debian by aligning with upstream dropped it and we followed. This time we made sure it gets upstream and therefore hopefully should not reoccur again.
* This was already fixed in bug 1787208, but the package has two sets of .service files and this change fixes the one that still is affected.
---
For a while openvpn has been haunted by having two sets of services, a bunch from upstream and a pair from the Debian packaging.
Every now and then changes fix one but miss the other.
In this case the fix for bug 1787208 was only applied to the former openvpn@.service (Debian packaging) but not the latter openvpn-server@.service (service files from upstream).
Please correct this in the same releases as the older bug. |
|
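A way to verify the fix on both sets of unit files, as an added example that is not part of this bug report or the openvpn package: a Python check that parses a unit file's CapabilityBoundingSet= with systemd's merge rules and reports whether CAP_AUDIT_WRITE survives. The unit text below is constructed; on a real host you would read /lib/systemd/system/openvpn-server@.service and openvpn@.service (paths assumed).

```python
"""Check whether a systemd unit's CapabilityBoundingSet= keeps a capability.
Added example, not from the bug report or the openvpn package. Merge rules as in
systemd.exec(5): plain list ORs caps in, '~' list ANDs them out, empty resets,
unset means everything is allowed. Only the [Service] section is consulted.
"""

def bounding_set(unit_text):
    """Return (kind, caps): kind is None (unset), 'only' or 'all_except'."""
    kind, caps, in_service = None, set(), False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):                  # section header
            in_service = line.lower() == "[service]"
            continue
        if not in_service or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key != "CapabilityBoundingSet":
            continue
        if value == "":                           # empty assignment: reset
            kind, caps = "only", set()
            continue
        names = {n.lower() for n in value.lstrip("~").split()}
        if value.startswith("~"):                 # inverted list: drop these
            if kind == "only":
                caps -= names
            else:
                kind, caps = "all_except", caps | names
        elif kind == "all_except":                # plain list: add back
            caps -= names
        else:
            kind, caps = "only", caps | names
    return kind, caps

def allows(unit_text, cap):
    """True if the unit's bounding set keeps cap (e.g. CAP_AUDIT_WRITE)."""
    kind, caps = bounding_set(unit_text)
    if kind is None:
        return True
    return (cap.lower() in caps) == (kind == "only")

# Constructed sample resembling openvpn-server@.service before and after the fix.
BEFORE = """[Unit]
Description=OpenVPN service for %I
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
"""
AFTER = BEFORE.rstrip("\n") + " CAP_AUDIT_WRITE\n"
```

Run it against both unit files on a host: a unit whose bounding set lacks CAP_AUDIT_WRITE will make sudo's audit logging fail inside the callout, which is the denial seen in the journal during the test case.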
2019-05-21 18:28:57 |
Brian Murray |
openvpn (Ubuntu Disco): status |
New |
Fix Committed |
|
2019-05-21 18:29:00 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-05-21 18:29:01 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-05-21 18:29:07 |
Brian Murray |
tags |
server-next |
server-next verification-needed verification-needed-disco |
|
2019-06-07 09:34:00 |
Timo Aaltonen |
openvpn (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2019-06-07 09:34:06 |
Timo Aaltonen |
tags |
server-next verification-needed verification-needed-disco |
server-next verification-needed verification-needed-cosmic verification-needed-disco |
|
2019-06-07 09:35:25 |
Timo Aaltonen |
openvpn (Ubuntu Bionic): status |
New |
Fix Committed |
|
2019-06-07 09:35:32 |
Timo Aaltonen |
tags |
server-next verification-needed verification-needed-cosmic verification-needed-disco |
server-next verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco |
|
2019-06-13 11:51:39 |
Christian Ehrhardt |
attachment added |
|
keys.tgz https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1828771/+attachment/5270615/+files/keys.tgz |
|
2019-06-13 12:28:06 |
Christian Ehrhardt |
tags |
server-next verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco |
server-next verification-done verification-done-bionic verification-done-cosmic verification-done-disco |
|
2019-06-17 08:34:44 |
Launchpad Janitor |
openvpn (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-06-17 08:34:49 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-06-17 08:43:41 |
Launchpad Janitor |
openvpn (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-06-17 08:44:28 |
Launchpad Janitor |
openvpn (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|