ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

How to customize and extend your OpenVPN installation.
Post Reply
Ftagn
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 11, 2018 8:34 pm

ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

Post by Ftagn » Tue Dec 11, 2018 8:41 pm

Hello,

i'm working with Ubuntu 16.04 LTS and i use an openvpn connection to reach my EC2 network

Here is my client side vpn file :

Code: Select all

    client
    dev tun
    proto udp
    resolv-retry infinite
    nobind
    user nobody
    group nogroup
    persist-key
    persist-tun
    remote-cert-tls server
    key-direction 1
    cipher AES-256-CBC
    auth SHA512
    comp-lzo
    verb 3
    tls-version-min 1.2
    reneg-sec 60
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf
    script-security 2

    <ca>
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    </ca>
    <cert>
    ...
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    ...
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    -----BEGIN OpenVPN Static key V1-----
    ...
    -----END OpenVPN Static key V1-----
    </tls-auth>

The connection works fine
The update-resolv script too, feeding my /etc/resolv.conf file (which is a link to /run/resolvconf/resolv.conf)

Here my resolv.conf before connection :

Code: Select all

    ➜  ~ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1
    ➜  ~ 

My ip route before vpn

Code: Select all

    ➜  ~ sudo /sbin/ip route
    default via 192.168.43.1 dev wlp4s0  proto static  metric 600 
    169.254.0.0/16 dev wlp4s0  scope link  metric 1000 
    172.16.121.0/24 dev br-e1d8d398de05  proto kernel  scope link  src 172.16.121.1 linkdown 
    172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
    172.18.0.0/16 dev br-dd6b294340ae  proto kernel  scope link  src 172.18.0.1 linkdown 
    172.19.0.0/16 dev br-a623726dc9bd  proto kernel  scope link  src 172.19.0.1 linkdown 
    192.168.43.0/24 dev wlp4s0  proto kernel  scope link  src 192.168.43.109  metric 600 
Here my resolv.conf during vpn session :

Code: Select all

    ➜  ~ cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 172.20.32.42
    nameserver 172.20.0.2
    nameserver 127.0.1.1
    ➜  ~ 

ip route :

Code: Select all

    ➜  ~ sudo /sbin/ip route
    default via 192.168.43.1 dev wlp4s0  proto static  metric 600 
    10.8.0.1 via 10.8.0.5 dev tun0 
    10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6 
    169.254.0.0/16 dev wlp4s0  scope link  metric 1000 
    172.16.121.0/24 dev br-e1d8d398de05  proto kernel  scope link  src 172.16.121.1 linkdown 
    172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
    172.18.0.0/16 dev br-dd6b294340ae  proto kernel  scope link  src 172.18.0.1 linkdown 
    172.19.0.0/16 dev br-a623726dc9bd  proto kernel  scope link  src 172.19.0.1 linkdown 
    172.20.0.0/16 via 10.8.0.5 dev tun0 
    192.168.43.0/24 dev wlp4s0  proto kernel  scope link  src 192.168.43.109  metric 600 
All access and dns work fine

The problem appear when i shutdown the vpn with ctrl+c

openvpn log shows :

Code: Select all

    ^CTue Dec 11 18:43:52 2018 event_wait : Interrupted system call (code=4)
    Tue Dec 11 18:43:52 2018 /sbin/ip route del 10.8.0.1/32
    RTNETLINK answers: Operation not permitted
    Tue Dec 11 18:43:52 2018 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Dec 11 18:43:52 2018 /sbin/ip route del 172.20.0.0/16
    RTNETLINK answers: Operation not permitted
    Tue Dec 11 18:43:52 2018 ERROR: Linux route delete command failed: external program exited with error status: 2
    Tue Dec 11 18:43:52 2018 Closing TUN/TAP interface
    Tue Dec 11 18:43:52 2018 /sbin/ip addr del dev tun0 local 10.8.0.10 peer 10.8.0.9
    RTNETLINK answers: Operation not permitted
    Tue Dec 11 18:43:52 2018 Linux ip addr del failed: external program exited with error status: 2
    Tue Dec 11 18:43:52 2018 /etc/openvpn/update-resolv-conf tun0 1500 1602 10.8.0.10 10.8.0.9 init
    rm: cannot remove 'tun0.openvpn': Permission denied
    Tue Dec 11 18:43:52 2018 WARNING: Failed running command (--up/--down): external program exited with error status: 1
    Tue Dec 11 18:43:52 2018 Exiting due to fatal error
and the resolv.conf doesn't go back to its previous state, keeping

Code: Select all

    nameserver 172.20.32.42
    nameserver 172.20.0.2
that are not required anymore

I have to manually edit my resolv.conf to delete the 2 lines each time i quit the vpn

The problem appears 3 days ago, and i can't find why ???
I temporary had a local docker-compose on ly own lan 172.20.0.0 during these 3 days (locally), but is no longer registered, and no trace remains on ip route, so i don't know if it was the origin of the problem.

Thanks for your help

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5728
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

Post by TinCanTech » Tue Dec 11, 2018 10:09 pm

Your client has dropped privileges and can no longer successfully execute the script ..

Try without --user/--group options.

Ftagn
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 11, 2018 8:34 pm

Re: ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

Post by Ftagn » Wed Dec 12, 2018 9:08 am

Thanks very much
it works with

Code: Select all

    #user nobody
    #group nogroup
You said it dropped privileges
But it seems to have privileges to do the "up" of the script, not the "down"

Is it possible ?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5728
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

Post by TinCanTech » Wed Dec 12, 2018 12:01 pm

That is correct ..

User avatar
Pippin
OpenVPN Expert
Posts: 446
Joined: Wed Jul 01, 2015 8:03 am

Re: ERROR exiting openvpn, resolv.conf doesn't go back to its initial state

Post by Pippin » Wed Dec 12, 2018 1:44 pm

Related to this:
--user user and --group group in manual 2.4,
https://community.openvpn.net/openvpn/w ... nPage#lbAX
and The Script Order of Execution:
https://community.openvpn.net/openvpn/w ... nPage#lbAT

Post Reply