Option persist-local-ip usage

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
mk3pq28
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 13, 2020 3:08 pm

Option persist-local-ip usage

Post by mk3pq28 » Tue Apr 26, 2022 1:10 pm

Hello!

I have a server (Debian 11, OpenVPN 2.5.1) in TCP on port 443 configured in static key mode:
Server

port 443
dev tun
proto tcp-server
ifconfig 10.3.4.1 10.3.4.2
secret /etc/openvpn/server-tcp/static.key
cipher AES-256-CBC

user openvpn
group openvpn
persist-local-ip
persist-key
persist-tun

status-version 1
mute 20
status /var/log/openvpn/openvpn-tcp-status.log 1
status-version 3
verb 3


This configuration works perfectly in general. But since I use unprivileged openvpn:openvpn - there is an issue with restart on SIGUSR1.
Here are the logs:

Code: Select all

Apr 26 14:14:08 vps systemd[1]: Starting OpenVPN connection to server-tcp...
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Cipher negotiation is disabled since neither P2MP client nor server mode is enabled
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: OpenVPN 2.5.1 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Apr 26 14:14:08 vps systemd[1]: Started OpenVPN connection to server-tcp.
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Outgoing Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Cipher 'AES-256-CBC' initialized with 256 bit key
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Incoming Static Key Encryption: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: TUN/TAP device tun1 opened
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_mtu_set: mtu 1500 for tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_iface_up: set tun1 up
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_add: 10.3.4.1 peer 10.3.4.2 dev tun1
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:14:08 vps ovpn-server-tcp[112347]: Listening for incoming TCP connection on [AF_INET][undef]:443
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCP connection established with [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link local (bound): [AF_INET][undef]:443
### Here openvpn waits for incomming connections ###

### Then I send bad package with nc localhost 443 ###
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: TCPv4_SERVER link remote: [AF_INET]127.0.0.1:52630
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: GID set to openvpn
Apr 26 14:23:05 vps ovpn-server-tcp[112347]: UID set to openvpn
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: WARNING: Bad encapsulated packet length from peer (24947), which must be > 0 and <= 1565 -- please ensure that --tun-mtu or --link-mtu is equal on bot>
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Connection reset, restarting [0]
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: SIGUSR1[soft,connection-reset] received, process restarting
Apr 26 14:23:07 vps ovpn-server-tcp[112347]: Restart pause, 1 second(s)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Re-using pre-shared static key
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Preserving previous TUN/TAP instance: tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Could not determine IPv4/IPv6 protocol. Using AF_INET
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: TCP/UDP: Socket bind failed on local address [AF_INET][undef]:443: Permission denied (errno=13)
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Exiting due to fatal error
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Closing TUN/TAP interface
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: net_addr_ptp_v4_del: 10.3.4.1 dev tun1
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 26 14:23:08 vps ovpn-server-tcp[112347]: Linux can't del IP from iface tun1
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Main process exited, code=exited, status=1/FAILURE
Apr 26 14:23:08 vps systemd[1]: openvpn@server-tcp.service: Failed with result 'exit-code'.
Apr 26 14:23:14 vps systemd[1]: openvpn@server-tcp.service: Scheduled restart job, restart counter is at 84.
Apr 26 14:23:14 vps systemd[1]: Stopped OpenVPN connection to server-tcp.
The issue appears when ovpn receive a package it cannot recognize (i connect with nc to simulate this). The privileges are then dropped to openvpn:openvpn and since privileged port is used - ovpn cannot bind it once again on connection reset.
I expected the option persist-local-ip should resolve this according to man page:

Code: Select all

       --persist-local-ip
              Preserve initially resolved local IP  address  and  port  number  across  SIGUSR1  or  --ping-restart
              restarts.
, but it is not.

Am I misunderstanding some concept behind persist-local-ip and this issue must be resolved in some different way?
Or is it a bug?

A few more experiments in short:
* running ovpn as root works fine on tcp:443
* switching port to unprevileged works fine
* currently I configure authbind to workaround this (authbind --deep openvpn --config /etc/openvpn/server-tcp.conf)

TinCanTech
OpenVPN Protagonist
Posts: 11138
Joined: Fri Jun 03, 2016 1:17 pm

Re: Option persist-local-ip usage

Post by TinCanTech » Tue Apr 26, 2022 4:58 pm

This does look like a bug to me.

Probably best to report it here: https://community.openvpn.net/openvpn/report

mk3pq28
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 13, 2020 3:08 pm

Re: Option persist-local-ip usage

Post by mk3pq28 » Wed Apr 27, 2022 8:04 am

TinCanTech wrote:
Tue Apr 26, 2022 4:58 pm
This does look like a bug to me.

Probably best to report it here: https://community.openvpn.net/openvpn/report
Thanks for your reply, TinCanTech!
Done: https://community.openvpn.net/openvpn/t ... 464#ticket

A bit more about workaround with authbind if someone faced the same.
Don`t expect it work on long-term, use it at your own risk and take caution for updates of openvpn package!
Adopt commands below for your particular use-case:

Code: Select all

# apt install authbind
# touch /etc/authbind/byport/443
# chown openvpn: /etc/authbind/byport/443
# chmod u+x /etc/authbind/byport/443
# systemctl edit openvpn@server-tcp

[Service]
ExecStart=
ExecStart=/usr/bin/authbind --deep /usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc    /openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid

mk3pq28
OpenVpn Newbie
Posts: 4
Joined: Tue Oct 13, 2020 3:08 pm

Re: Option persist-local-ip usage

Post by mk3pq28 » Fri May 27, 2022 1:06 pm

Gert Döring (thanks a lot for his reply!) had clarified the documentation for the option. Let me quote his reply here:
---persist-local-ip does not what you think it does - what it does is

Preserve initially resolved local IP address and port number
across SIGUSR1 or --ping-restart restarts.

so this translates to "do not do another DNS lookup if --local is used with a hostname".
In other words, if you want to bind to a privileged port AND want to use p2p mode, then you can not use a non-root account today. This will change in 2.6, which brings options to keep linux network capabilities around, but not in 2.5 or earlier.
So the given behaviour is correct. Find another ways to run such a setup as unprivileged.

Post Reply