openvpn deescalates privileges which causes a hard failure on reconnect to different endpoint #1779
Comments
|
[xginn8] This issue has attached support thread https://jel.ly.fish/#/support-thread~b16dd5c1-4ef9-4972-8dac-ce50ea9dcaf6 |
|
[saintaardvark] This issue has attached support thread https://jel.ly.fish/38ab2df4-55c2-4171-8ac0-485ba067438d |
|
This issue occurred overnight last night on my RPI3 - strangely enough it was at 41 minutes past the hour as previously reported. Log file here --> openvpn-unit-journal.txt Don't know why the network is dropping, but managed to recreate the openvpn behaviour by temporarily blocking incoming traffic from port 443 using an iptables rule. |
|
[xginn8] This issue has attached support thread https://jel.ly.fish/50a38ebb-7b5d-4708-ae46-5230910ec13e |
|
This should have been fixed with the merge of #2014 in v2.60. Please only re-open if this same problem is reported above that version. |
|
The merge of #2014 will only fix this for instantaneous reboots where the outage time is <60 seconds |
|
[majorz] This issue has attached support thread https://jel.ly.fish/1b57a2f7-e2b2-4658-94ef-0a35bef04f4b |
|
[majorz] This issue has attached support thread https://jel.ly.fish/78547810-74ac-4ae3-b854-60727ac077c0 |
|
I investigated a couple of instances of the |
|
Found a rpi4 with Host OS version balenaOS 2.95.8 exhibiting this issue restarting the vpn service does not resolve this issue. |
|
[rhampt] This issue has attached support thread https://jel.ly.fish/c550cc88-af96-4e61-b5e8-a81dd0f47f07 |
|
Note that this issue is probably causing balena-io/open-balena-vpn#313, so it is more severe than initially thought. When OpenVPN is started it starts as If for some reason the VPN connection stales and a server ping is not received for 60 seconds, the client will try to reestablish connection to the server after 5 seconds: As the process itself is not really restarted and does not exit, it fails in recreating the The If such a change could not be made on the server side currently, the alternative to this is to remap the SIGUSR1 signal to SIGTERM by passing If the change is done on the server side, currently deployed devices will no longer incorrectly report heartbeat only mode. If the change is done on the OS side, the problem will be solved for devices running newer OS version. Other methods also exist for addressing this problem (https://community.openvpn.net/openvpn/wiki/UnprivilegedUser), but will require a lot more substantial changes both on the client and server side, which includes adjusting |
|
[thgreasi] This has attached https://jel.ly.fish/e7abfa7a-59e7-4326-ae22-1d5c77ef7348 |
|
Resolved by balena-io/open-balena-vpn#314 open-balena-vpn v11.19.0 is now in balenaCloud production |
|
We have seen a new instance of this error - this time not as severe, but we will have to fix it on the OS side this time. The VPN connection was reset for some unknown reason (previously we did not receive ping messages from the server). The solution for fixing this scenario was explained in the previous message: |
|
Encountered another instance of this, but this time leading the VPN unavailability, so I will look into fixing this with more priority: |
|
[majorz] This has attached https://jel.ly.fish/3b115ca6-f2ab-4ffc-a11c-54811547eb15 |
|
We may attempt to do a |
|
Remapping this may have possible side-effects, so may or may not be a good solution. Probably not. |
In 12205bf we configured openvpn to de-escalate privileges and run as the
openvpnuser & group.As noted in the openvpn docs, this de-escalation causes a hard failure (https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/):
The daemon crashes with the following error after it receives a different address PUSHed to it from the openvpn server:
Specifically, this issue is related to #1776 as upon the ping-restart described in the ticket, the remote PUSHes a new address which the daemon cannot apply.
cc @wrboyce @afitzek
The text was updated successfully, but these errors were encountered: