Describe the bug
If DCO is set up correctly, openvpn uses DCO if it is started manually. See logs:

```
DCO device tun0 opened
```

But if openvpn is started with the systemd unit [email protected] and a user is set, DCO is disabled. See logs:

```
TUN/TAP device tun1 opened
```
Version information (please complete the following information):
This is caused by a missing capability in the systemd unit file /etc/systemd/system/[email protected].
```ini
[Service]
...
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
```
The missing capability is CAP_SETPCAP.
The work-around is to create /etc/systemd/system/[email protected]/override.conf with this content:
```ini
[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
```
From the configuration file:
```
user openvpn
group openvpn
```
See openvpn-2.6.8/src/openvpn/dco.c:
```c
if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
{
    msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
        "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
    return false;
}
if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
{
    msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
        "Disabling data channel offload");
    return false;
}
```
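As an added check (not code from the issue or from the OpenVPN project), the following Python parses a unit's CapabilityBoundingSet= lines following systemd's merge rules, or decodes the CapBnd: mask from /proc/<pid>/status of an already running openvpn, and reports which of the two capabilities dco.c requires with --user are missing. The sample unit text is constructed from the [Service] line quoted above; the CAP_* bit numbers are those of linux/capability.h.

```python
import re

# Capability bit numbers from linux/capability.h (CAP_* name -> bit).
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2, "CAP_FOWNER": 3,
    "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
    "CAP_LINUX_IMMUTABLE": 9, "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11,
    "CAP_NET_ADMIN": 12, "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18, "CAP_SYS_PTRACE": 19,
    "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21, "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23,
    "CAP_SYS_RESOURCE": 24, "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30, "CAP_SETFCAP": 31,
}
# What dco.c insists on once --user is given (see the excerpt quoted in the issue).
DCO_USER_CAPS = ("CAP_SETPCAP", "CAP_NET_ADMIN")

# Constructed sample: the [Service] line quoted in the issue, without the override.
SHIPPED_UNIT = ("[Service]\n"
                "CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW "
                "CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE\n")


def parse_bounding_set(unit_text):
    """Capabilities left in the bounding set by a unit's CapabilityBoundingSet= lines.

    systemd rules: repeated plain lines OR together, '~names' removes the listed
    ones (AND), an empty value resets to no capabilities, a bare '~' to all."""
    caps = None  # None: option absent, so the bounding set is not restricted
    for line in unit_text.splitlines():
        m = re.match(r"\s*CapabilityBoundingSet\s*=\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1).strip()
        if value == "":
            caps = set()
        elif value == "~":
            caps = set(CAP_BITS)
        elif value.startswith("~"):
            caps = (set(CAP_BITS) if caps is None else caps) - set(value[1:].upper().split())
        else:
            caps = (caps or set()) | set(value.upper().split())
    return set(CAP_BITS) if caps is None else caps


def parse_proc_mask(hex_mask):
    """Decode a CapBnd:/CapPrm:/CapEff: value as printed in /proc/<pid>/status."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BITS.items() if mask >> bit & 1}


def missing_for_dco(caps):
    """Required capabilities absent from caps; an empty list means DCO can stay enabled."""
    return [c for c in DCO_USER_CAPS if c not in caps]
```

For a running service, `grep CapBnd /proc/$(pidof openvpn)/status` gives the mask to feed into parse_proc_mask; the shipped unit yields a mask that decodes to the same missing CAP_SETPCAP.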
@dsommers you have more experience on this part. Do you agree with the proposed solution?
2024-11-20 10:04:19 --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
#643
This is a different issue, although they both crossed paths at the caps definition.