I have a server (Debian 11, OpenVPN 2.5.1) on TCP port 443, configured in static key mode:
Server
port 443
dev tun
proto tcp-server
ifconfig 10.3.4.1 10.3.4.2
secret /etc/openvpn/server-tcp/static.key
cipher AES-256-CBC
user openvpn
group openvpn
persist-local-ip
persist-key
persist-tun
status-version 1
mute 20
status /var/log/openvpn/openvpn-tcp-status.log 1
status-version 3
verb 3
This configuration works perfectly in general. But since I run it unprivileged as openvpn:openvpn, there is an issue with the restart on SIGUSR1.
Here are the logs:
Apr 26 14:14:08 vps systemd[1]: Starting OpenVPN connection to server-tcp...
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Apr 26 14:14:08 vps systemd[1]: Started OpenVPN connection to server-tcp.
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: TUN/TAP device tun1 opened
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_mtu_set: mtu 1500 for tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_up: set tun1 up
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_add: 10.3.4.1 peer 10.3.4.2 dev tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCP connection established with [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
### Here openvpn waits for incoming connections ###
### Then I send a bad packet with nc localhost 443 ###
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: GID set to openvpn
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: UID set to openvpn
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: WARNING: Bad encapsulated packet length from peer (24947), which must be > 0 and <= 1565 -- please ensure that --tun-mtu or --link-mtu is equal on bot>
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Connection reset, restarting [0]
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Restart pause, 1 second(s)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Re-using pre-shared static key
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Preserving previous TUN/TAP instance: tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Exiting due to fatal error
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Closing TUN/TAP interface
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_del: 10.3.4.1 dev tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Linux can't del IP from iface tun1
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Main process exited, code=exited, status=1/FAILURE
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Failed with result 'exit-code'.
Apr 26 14:23:14 vps systemd[1]: openvpn@server-tcp.service: Scheduled restart job, restart counter is at 84.
Apr 26 14:23:14 vps systemd[1]: Stopped OpenVPN connection to server-tcp.
I expected the option persist-local-ip to resolve this, according to the man page:
--persist-local-ip
Preserve initially resolved local IP address and port number across SIGUSR1 or --ping-restart restarts.
Am I misunderstanding some concept behind persist-local-ip, and must this issue be resolved in some different way?
Or is it a bug?
A few more experiments, in short:
* running ovpn as root works fine on tcp:443
* switching to an unprivileged port works fine
* currently I configure authbind to work around this (authbind --deep openvpn --config /etc/openvpn/server-tcp.conf)
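As an added illustration (not part of the original post, and not OpenVPN's own code), a small Python checker that reads an OpenVPN config and a journal excerpt and reports when a bind failure on a privileged port follows the UID/GID drop during a SIGUSR1 restart, which is exactly the sequence in the logs above. The sample config and log lines are constructed, abbreviated from the post; the directive names are real OpenVPN options.

```python
import re

# Constructed sample input, modelled on (and abbreviated from) the config and
# journal excerpt in the post above; not the poster's exact lines.
SAMPLE_CONFIG = """\
port 443
proto tcp-server
user openvpn
group openvpn
persist-local-ip
persist-tun
"""
SAMPLE_LOG = [
    "ovpn-server-tcp[112347]: Listening for incoming TCP connection on [AF_INET][undef]:443",
    "ovpn-server-tcp[112347]: GID set to openvpn",
    "ovpn-server-tcp[112347]: UID set to openvpn",
    "ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting",
    "ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address "
    "[AF_INET][undef]:443: Permission denied (errno=13)",
    "ovpn-server-tcp[112347]: Exiting due to fatal error",
]

BIND_FAIL = re.compile(r"Socket bind failed on local address .*:(\d+): Permission denied")

def parse_config(text):
    """Map each OpenVPN directive to its argument list (comments stripped)."""
    opts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            opts[words[0]] = words[1:]
    return opts

def diagnose(config_text, log_lines):
    """Return a finding dict for the first bind failure in the log, else None."""
    opts = parse_config(config_text)
    dropped_privs = restarted = False
    for line in log_lines:
        if "UID set to" in line or "GID set to" in line:
            dropped_privs = True   # setuid/setgid done: CAP_NET_BIND_SERVICE is gone
        elif "SIGUSR1" in line:
            restarted = True       # soft restart re-creates the listening socket
        m = BIND_FAIL.search(line)
        if m:
            port = int(m.group(1))
            return {
                "port": port,
                "privileged_port": port < 1024,        # bind() needs CAP_NET_BIND_SERVICE
                "after_priv_drop": dropped_privs,
                "on_restart": restarted,
                "persist_local_ip": "persist-local-ip" in opts,  # keeps address/port number only
                "runs_as": opts.get("user", ["root"])[0],
            }
    return None

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
```

A finding with `privileged_port`, `after_priv_drop` and `on_restart` all true is the pattern in this post: persist-local-ip preserves the address and port number, but the socket itself is rebound after the privilege drop, so the bind fails regardless.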