openvpn no longer called with "--script-security 2"

Bug #1454725 reported by Nicolas Jungers
Affects: openvpn (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Martin Pitt

Bug Description

1) the config in "/etc/default/openvpn" seems to not be respected, specifically the value of the OPTARGS is not used.
 -- it can be set in the vpn config file

2) the package uml-utilities is not installed and tunctl seems to be required by the openvpn start procedure.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: openvpn 2.3.2-9ubuntu4
ProcVersionSignature: Ubuntu 3.11.0-13.20-generic 3.11.6
Uname: Linux 3.11.0-13-generic x86_64
ApportVersion: 2.17.2-0ubuntu1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed May 13 16:23:29 2015
InstallationDate: Installed on 2013-06-01 (710 days ago)
InstallationMedia: Kubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120423)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_DK.UTF-8
 SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: Upgraded to vivid on 2015-05-13 (0 days ago)
mtime.conffile..etc.default.openvpn: 2015-05-13T16:08:10.362615

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openvpn (Ubuntu):
status: New → Confirmed
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

This looks likely to be a consequence of the switch to systemd to me.

tags: added: systemd-boot
Changed in openvpn (Ubuntu):
importance: Undecided → Medium
Antonio J. de Oliveira (ajoliveira-z) wrote :

Openvpn starts ok with sudo openvpn --config /etc/openvpn/<name of profile>.conf
This was my workaround, this bug is very annoying. Will try to modify the script at /etc/init.d as soon as I have the time to do it.

Simon Déziel (sdeziel) wrote :

Nicolas, the journal log shows that the VPN server hostname was not resolvable and eventually when it finally connected, it failed after calling a --up script. Could you provide this --up script and maybe the sanitized configuration of your VPN client?

Changed in openvpn (Ubuntu):
status: Confirmed → Incomplete
Martin Pitt (pitti)
summary: - openvpn fails after upgrade from 14.10 to 15.04
+ openvpn does not use OPTARGS from /etc/default/openvpn
Nicolas Jungers (nicolas-jungers) wrote : Re: [Bug 1454725] Re: openvpn fails after upgrade from 14.10 to 15.04

On 01/02/16 15:57, Simon Déziel wrote:
> Nicolas, the journal log shows that the VPN server hostname was not
> resolvable and eventually when it finally connected, it failed after
> calling a --up script. Could you provide this --up script and maybe the
> sanitized configuration of your VPN client?
>
> ** Changed in: openvpn (Ubuntu)
> Status: Confirmed => Incomplete
Simon,

The DNS error was a transient one, so not relevant here. The --up script
is the distro standard one and I modified the connection script to
include the "script-security 2" config that was before an OPTARGS from
/etc/default/openvpn.

The /etc/default/openvpn way was the documented way pre-15.04.

Simon Déziel (sdeziel) wrote : Re: openvpn does not use OPTARGS from /etc/default/openvpn

I just checked on 14.04 and 16.04 and the init script automatically adds "--script-security 2" unless the VPN config contains a script-security directive.

Problem is that since the switch to systemd, the init script is no longer used and the daemon is used like this:

  $ systemctl cat openvpn@.service | grep ^ExecStart
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid

This probably breaks setups relying on "--script-security 2" like yours. Could you try adding "script-security 2" to /etc/openvpn/infra.conf and see if it helps?

Nicolas Jungers (nicolas-jungers) wrote : Re: [Bug 1454725] Re: openvpn does not use OPTARGS from /etc/default/openvpn

On 01/02/16 18:37, Simon Déziel wrote:
> I just check on 14.04 and 16.04 and the init script automatically adds
> "--script-security 2" unless the VPN config contains a script-security
> directive.
>
> Problem is that since the switch to systemd, the init script is no
> longer used and the daemon is used like this:
>
> $ systemctl cat openvpn@.service | grep ^ExecStart
> ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
>
> This probably breaks setups relying on "--script-security 2" like yours.
> Could you try adding "script-security 2" to /etc/openvpn/infra.conf and
> see if it helps?

Yes, it solves the problem. I thought I reported that before. The
problem is the migration mechanism that has to be corrected. The way I
used "--script-security 2" was the one put forward in the official doc.

The problem shall be the same for the migration 14.04 -> 16.04 (I presume).

Simon Déziel (sdeziel)
Changed in openvpn (Ubuntu):
status: Incomplete → Confirmed
summary: - openvpn does not use OPTARGS from /etc/default/openvpn
+ openvpn no longer called with "--script-security 2"
Simon Déziel (sdeziel) wrote :

Thanks for the feedback Nicolas.

This is likely going to bite many users upgrading. It's fairly common to push DNS resolvers from the VPN server. For those to be usable on the client side, "script-security 2" is needed; otherwise the up/down script update-resolv-conf won't be called.

Since Ubuntu tweaks the init script to add "--script-security 2" for backward compatibility, I believe the same should be done by the systemd file.

@pitti, would that make sense?
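
The rule discussed in this comment and the one before it, written up as an added shell example (not code from the bug report, the openvpn package or the Ubuntu unit file): it reproduces the init script's behaviour of appending "--script-security 2" only when the instance config has no script-security line of its own, and flags configs whose up/down hooks (update-resolv-conf in the reporter's case) would silently stop running under the plain systemd ExecStart. The config contents are constructed, and the comment stripping only approximates OpenVPN's own parsing rules.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the openvpn package.
# Mirrors the rule Ubuntu's /etc/init.d/openvpn applied and the systemd unit
# did not: append "--script-security 2" unless the config sets it itself.

# Print the active directives of CONF: comments (# or ; starting a line or a
# token, an approximation of OpenVPN's rule) and blank lines removed.
active_directives() {
    sed -E -e 's/(^|[[:space:]])[#;].*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print the argument the init script would have appended for CONF;
# prints nothing when the config carries its own script-security directive.
openvpn_script_security_args() {
    if active_directives "$1" | grep -Eq '^[[:space:]]*script-security[[:space:]]+[0-9]'; then
        printf ''
    else
        printf '%s' '--script-security 2'
    fi
}

# Succeed (exit 0) when CONF names hook scripts that a plain
# "openvpn --config CONF" will never run because no script-security level
# is set, which is exactly how update-resolv-conf stopped being called.
hooks_silently_disabled() {
    active_directives "$1" | grep -Eq \
        '^[[:space:]]*(up|down|route-up|route-pre-down|ipchange|tls-verify|client-connect|client-disconnect|learn-address|auth-user-pass-verify)[[:space:]]' \
        && [ -n "$(openvpn_script_security_args "$1")" ]
}

# Constructed config resembling the reporter's: DNS pushed by the server is
# applied by the distro's update-resolv-conf, and the only script-security
# line is commented out, so this setup breaks after the systemd switch.
sample_broken_conf() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
# script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
}

# Constructed fixed variant: the one-line change suggested in the thread.
sample_fixed_conf() {
    sample_broken_conf "$1"
    printf 'script-security 2\n' >> "$1"
}
```

Level 2 lets the config file name scripts that openvpn then executes with its own privileges, so the config directory and hook scripts should stay writable by root only.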

Martin Pitt (pitti) wrote :

Yes, I think that makes sense, if that change is still intended/sensible.

Changed in openvpn (Ubuntu):
status: Confirmed → Triaged
assignee: nobody → Martin Pitt (pitti)
milestone: none → ubuntu-16.02
Martin Pitt (pitti) wrote :

Uploaded this. It would be great if you could test 2.3.10-1ubuntu2 and confirm that this works now, as I don't use OpenVPN in that mode.

Changed in openvpn (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openvpn - 2.3.10-1ubuntu2

---------------
openvpn (2.3.10-1ubuntu2) xenial; urgency=medium

  * debian/openvpn@.service: Add --script-security similar to what got added
    to debian/openvpn.init.d ages ago (see LP #260291). (LP: #1454725)

 -- Martin Pitt <email address hidden> Tue, 02 Feb 2016 13:33:39 +0100

Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

It works, thanks Martin.

HonoredMule (honoredmule) wrote :

What about the originally reported issue? OPTARGS is still not supported.

Or put another way, there are other flags some of us need to set (in my case --multihome). If not via OPTARGS, what is the proper way to set them? And why does /etc/default/openvpn still present OPTARGS as supported?

Simon Déziel (sdeziel) wrote : Re: [Bug 1454725] Re: openvpn no longer called with "--script-security 2"

On 2016-11-27 12:44 AM, HonoredMule wrote:
> Or put another way, there are other flags some of us need to set (in my
> case --multihome).

You can add "multihome" in the configuration files /etc/openvpn/*.conf.
