Created attachment 246436: Errors indicating lack of permission

Openvpn suddenly stops when starting
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f6ef06771b5a341e91ea38b0d758c4cf614f1b3c

commit f6ef06771b5a341e91ea38b0d758c4cf614f1b3c
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-21 17:03:09 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-21 17:03:09 +0000

    security/openvpn: update to 2.6.8 bug-fix release

    hopefully fixes...

    PR:        275206
    Changelog: https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst#overview-of-changes-in-268
    MFH:       2023Q4

 security/openvpn/Makefile                          |  4 +-
 security/openvpn/distinfo                          |  6 +-
 ...457f468a76f324a14b1236988cc5f5a95f14abf5 (gone) | 89 ----------------------
 ...a903ebe9361d451daee71c225e141f4e1b67107d (gone) | 48 ------------
 4 files changed, 5 insertions(+), 142 deletions(-)
Dave, can you please check if v2.6.8 fixes your issues? Else I need to forward this upstream.
Also, OpenVPN on your system complains about pre-existing tun interfaces - is there another process still binding to those?
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7120e2cc618b1572f3d7c680e318355395ac2959

commit 7120e2cc618b1572f3d7c680e318355395ac2959
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-21 17:03:09 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-21 17:50:12 +0000

    security/openvpn: update to 2.6.8 bug-fix release

    hopefully fixes...

    PR:        275206
    Changelog: https://github.com/OpenVPN/openvpn/blob/v2.6.8/Changes.rst#overview-of-changes-in-268
    MFH:       2023Q4

    (cherry picked from commit f6ef06771b5a341e91ea38b0d758c4cf614f1b3c)

 security/openvpn/Makefile                          |  4 +-
 security/openvpn/distinfo                          |  6 +-
 ...457f468a76f324a14b1236988cc5f5a95f14abf5 (gone) | 89 ----------------------
 ...a903ebe9361d451daee71c225e141f4e1b67107d (gone) | 48 ------------
 4 files changed, 5 insertions(+), 142 deletions(-)
Still seeing same problem in 2.6.8
Created attachment 246498: log that shows errors
Comment on attachment 246436 (Errors indicating lack of permission):

appears to be part of the later log, which see
Dave, please help me understand your setup.

* is your OpenVPN running in a jail?
* are there certain security features enabled on your system, if so, which?
* can you please provide your openvpn.conf? Blank sensitive material (passwords, private keys, possibly addresses need to be replaced by server1/client1.example.org or similar)
* please show your startup variables from the relevant rc.conf file (or equivalent), too.
* when did OpenVPN last work for you, and what has changed since then? Have you upgraded OpenSSL, OpenVPN, FreeBSD? Have you changed to DCO configuration recently?
* does adding --disable-dco fix the situation for you?
* does recompiling and linking against the base system's OpenSSL 3.0.X fix the situation for you?
After consulting with some OpenVPN developers, please help us to help you.

Using OpenVPN 2.6.8 (not 2.6.7 nor 2.6.7_1),

* remove --mute or mute from your configuration for debugging, and
* please check if you have additional logging (from the kernel) in dmesg output, and if so, provide it
* also see these documents (which have no connection to OpenVPN whatsoever, so please continue communication through this Bugzilla system):
  https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
  http://www.catb.org/~esr/faqs/smart-questions.html
(In reply to Matthias Andree from comment #8)

not in a jail
default system configuration

------ start conf ----------
local 192.168.81.1
proto udp
dev tun
ca /path/to/ca.crt
cert /path/to/server.crt
key /path/to/server.key
dh /path/to/dh.pem
topology subnet
server 10.X.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.81.1"
push "dhcp-option DNS 192.168.81.3"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN nk.ca"
push "remote-gateway 192.168.81.2"
tls-crypt /path/to/ta.key # 0 # This file is secret
cipher AES-256-CBC
push "compress lz4-v2"
max-clients 60000
user nobody
group nobody
persist-key
persist-tun
crl-verify /usr/local/etc/openvpn/easy-rsa/pki/crl.pem
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 9
mute 20
explicit-exit-notify 1
fast-io
auth SHA512
remote-cert-tls client
bind
--------------- end conf ---------

openvpn_enable="YES"

openvpn 2.6.8
openssl31+tlsquic
FreeBSD 14.0

Will try without dco
(In reply to doctor from comment #10)

The dco option was the issue
There are some limitations that come with DCO, for instance, compression is unsupported. Unfortunately the package up to and including 2.6.8 did not ship the relevant documentation, see https://github.com/OpenVPN/openvpn/blob/v2.6.8/README.dco.md#limitations-by-design for an online version, and try changing your OpenVPN successively and iteratively to remove all the incompatible ones and re-add them one by one to see which one breaks. I will add some documentation files to the install.
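An added helper, not from this PR, the port, or the OpenVPN project, that lints an openvpn.conf for the options README.dco.md lists as unsupported by design, so the incompatible settings can be found in one pass before trying the remove-and-re-add cycle; the option list is my transcription of that README (check it against the version you run), and the sample config is a constructed excerpt modelled on the one posted above:

```python
import shlex
# AEAD ciphers the kernel DCO data path can handle; anything else stays in userspace.
DCO_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}

def parse_directives(text):
    """Yield (option, args, pushed) per directive, unpacking push "..." payloads."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(";"):
            continue
        parts = shlex.split(line)
        opt, args = parts[0].lstrip("-"), parts[1:]
        if opt == "push" and args:                     # pushed options land on DCO clients too
            inner = args[0].split()
            yield inner[0].lstrip("-"), inner[1:], True
        else:
            yield opt, args, False

def dco_incompatible(text):
    """Return [(directive, reason)] for settings README.dco.md lists as unsupported."""
    findings = []
    for opt, args, pushed in parse_directives(text):
        where = " ".join([opt, *args]) + (" (pushed)" if pushed else "")
        if opt in ("compress", "comp-lzo") and args and args[0] != "no":
            findings.append((where, "compression is not supported with DCO"))
        elif opt == "cipher" and args and args[0].upper() not in DCO_CIPHERS:
            findings.append((where, "only AES-GCM and ChaCha20-Poly1305 are offloaded"))
        elif opt in ("data-ciphers", "ncp-ciphers") and args:
            bad = [c for c in args[0].split(":") if c.upper() not in DCO_CIPHERS]
            if bad:
                findings.append((where, "non-AEAD entries: " + ",".join(bad)))
        elif opt == "dev" and args and args[0].startswith("tap"):
            findings.append((where, "DCO is layer 3 (tun) only"))
        elif opt in ("fragment", "secret"):
            findings.append((where, f"--{opt} is not supported with DCO"))
    return findings

# Constructed excerpt modelled on the server config posted in this PR (paths redacted).
SAMPLE_CONF = """\
dev tun
push "redirect-gateway def1"
push "compress lz4-v2"
tls-crypt /path/to/ta.key # This file is secret
cipher AES-256-CBC
"""

if __name__ == "__main__":
    for where, why in dco_incompatible(SAMPLE_CONF):
        print(f"{where}: {why}")
```

On the posted config this reports both the CBC cipher and the pushed lz4-v2 compression; a clean report does not prove DCO will load, only that none of the by-design limitations are hit.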
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d67975600c84a139dea0cc29490273c79eccb564

commit d67975600c84a139dea0cc29490273c79eccb564
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-22 22:39:30 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-22 22:42:36 +0000

    security/openvpn: add missing 2.6.x documentation,

    ...for instance, README.dco.md but also others.
    Update DCO help text to refer to this .md file.

    Found while debugging
    PR:   275206
    MFH:  2023Q4

 security/openvpn/Makefile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
A commit in branch 2023Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=af1c13c593447dd0b5ee7205a97c47f11dbeff25

commit af1c13c593447dd0b5ee7205a97c47f11dbeff25
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2023-11-22 22:39:30 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2023-11-22 22:43:45 +0000

    security/openvpn: add missing 2.6.x documentation,

    ...for instance, README.dco.md but also others.
    Update DCO help text to refer to this .md file.

    Found while debugging
    PR:   275206
    MFH:  2023Q4

    (cherry picked from commit d67975600c84a139dea0cc29490273c79eccb564)

 security/openvpn/Makefile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
Thank you. Feel free to close at your convenience
So I'll leave this open, but this pretty much looks like an upstream issue. For me, I haven't had much luck with DCO, especially with user openvpn (or any other unprivileged user); it goofs up. We will probably need to tweak things.
A workaround for FreeBSD 14 and newer might be to add openvpn_flags=--disable-dco (note that you may need to replace openvpn if you use the rc.d script's multi-instance mode).