The openvpn client suddenly disconnects #547

Open
yyfyfyang opened this issue Apr 29, 2024 · 3 comments

Comments

@yyfyfyang

yyfyfyang commented Apr 29, 2024

Apr 28 04:46:01 ubuntu openvpn[740]: SENT CONTROL [p-qcbj7-pe-cs-vpn-02]: 'PUSH_REQUEST' (status=1)
Apr 28 04:46:02 ubuntu openvpn[740]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.132.252.4,dhcp-option DNS 10.132.253.9,compress lz4-v2,route 10.0.0.0 255.0.0.0,route-gateway 172.31.0.1,topology subnet,ping 10,ping-restart 60,ifconfig 172.31.5.35 255.255.0.0,peer-id 198,cipher AES-256-GCM'
Apr 28 04:46:02 ubuntu openvpn[740]: WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: timers and/or timeouts modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: compression parms modified
Apr 28 04:46:02 ubuntu openvpn[740]: LZ4v2 compression initializing
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: route options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: route-related options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: peer-id set
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: adjusting link_mtu to 1625
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: data channel crypto options modified
Apr 28 04:46:02 ubuntu openvpn[740]: Data Channel: using negotiated cipher 'AES-256-GCM'
Apr 28 04:46:02 ubuntu openvpn[740]: Data Channel MTU parms [ L:1553 D:1450 EF:53 EB:406 ET:0 EL:3 ]
Apr 28 04:46:02 ubuntu openvpn[740]: Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 28 04:46:02 ubuntu openvpn[740]: Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Apr 28 04:46:02 ubuntu openvpn[740]: Preserving previous TUN/TAP instance: tun0
Apr 28 04:46:02 ubuntu openvpn[740]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Apr 28 04:46:02 ubuntu openvpn[740]: net_route_v4_del: 10.0.0.0/8 via 172.31.0.1 dev [NULL] table 0 metric -1
Apr 28 04:46:02 ubuntu openvpn[740]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 28 04:46:02 ubuntu openvpn[740]: ERROR: Linux route delete command failed
Apr 28 04:46:02 ubuntu openvpn[740]: Closing TUN/TAP interface
Apr 28 04:46:02 ubuntu openvpn[740]: net_addr_v4_del: 172.31.4.119 dev tun0
Apr 28 04:46:02 ubuntu openvpn[740]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 28 04:46:02 ubuntu openvpn[740]: Linux can't del IP from iface tun0
Apr 28 04:46:02 ubuntu systemd-networkd[644]: tun0: Link DOWN
Apr 28 04:46:02 ubuntu systemd-networkd[644]: tun0: Lost carrier
Apr 28 04:46:03 ubuntu openvpn[740]: net_route_v4_best_gw query: dst 0.0.0.0
Apr 28 04:46:03 ubuntu openvpn[740]: net_route_v4_best_gw result: via 192.168.1.1 dev eth0
Apr 28 04:46:03 ubuntu openvpn[740]: ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=d8:3a:dd:e6:d1:da
Apr 28 04:46:03 ubuntu openvpn[740]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Apr 28 04:46:03 ubuntu openvpn[740]: Exiting due to fatal error
Apr 28 04:46:03 ubuntu systemd[1]: openvpn-client@nio.service: Main process exited, code=exited, status=1/FAILURE
Apr 28 04:46:03 ubuntu systemd[1]: openvpn-client@nio.service: Failed with result 'exit-code'.
Apr 28 04:46:03 ubuntu systemd[1]: openvpn-client@nio.service: Consumed 10.331s CPU time.

This is my syslog.

power 735 1 0 16:52 ? 00:00:00 /usr/sbin/openvpn

This is the process user.

@flichtenheld
Member

The important line is probably: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
So it tried to preserve the TUN but it could not. And then it was missing permissions to close and reopen it. At this point it can do nothing else than give up and some higher layer (like the user or an init system) will need to restart it completely.

@yyfyfyang
Author

yyfyfyang commented May 7, 2024

https://community.openvpn.net/openvpn/ticket/649#no1

I found this, but my version is 2.5.5. In theory, this problem should not arise.

@cron2
Contributor

cron2 commented May 7, 2024

This is the same problem area, though trac 649 was ONLY related to peer-id. In your log, we see

Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: route options modified

so the server is sending different ifconfig/route statements in its PUSH_REPLY message (we can't check, as the log only shows the second PUSH_REPLY). If that happens, and the client has dropped privileges, there is nothing we can do but "exit".

You could upgrade to 2.6.10 + DCO (where OpenVPN needs to keep network privileges), do not use user in your config (= keep root privs), ensure the server is not changing options, or just make sure OpenVPN gets restarted.

But for this combination "new IP config requested and not enough privileges to do that" there is nothing we can do in the software, except clearly log it (which we do).
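
A log-triage sketch for the failure mode discussed in this thread, added here as an example (not code from the OpenVPN project or from any commenter): it scans syslog text for an openvpn process that imported changed options on restart, then hit "Operation not permitted", then exited. The sample lines are an excerpt of the log posted above; the function name `triage` and the result fields are assumptions of this example.

```python
import re

# Excerpt of the syslog posted in this issue (subset of lines, text unchanged).
SAMPLE_LOG = """\
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: --ifconfig/up options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: route options modified
Apr 28 04:46:02 ubuntu openvpn[740]: OPTIONS IMPORT: peer-id set
Apr 28 04:46:02 ubuntu openvpn[740]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Apr 28 04:46:02 ubuntu openvpn[740]: sitnl_send: rtnl: generic error (-1): Operation not permitted
Apr 28 04:46:03 ubuntu openvpn[740]: ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Apr 28 04:46:03 ubuntu openvpn[740]: Exiting due to fatal error
"""

LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
IMPORT = re.compile(r"OPTIONS IMPORT: (.+?) (?:options )?modified$")

def triage(log_text):
    """Per openvpn PID, flag: options changed on restart -> EPERM -> fatal exit."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not an openvpn line (e.g. systemd, systemd-networkd)
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(pid, {"modified": [], "reopen": False, "eperm": 0, "fatal": False})
        imp = IMPORT.match(msg)
        if imp:
            s["modified"].append(imp.group(1))   # which pushed option groups changed
        elif msg.startswith("NOTE: Pulled options changed on restart"):
            s["reopen"] = True                   # client must close and reopen the TUN device
        elif s["reopen"] and "Operation not permitted" in msg:
            s["eperm"] += 1                      # privileged operation failed after the note
        elif msg == "Exiting due to fatal error":
            s["fatal"] = True
    findings = []
    for pid, s in sessions.items():
        if s["reopen"] and s["eperm"] and s["fatal"]:
            findings.append({"pid": pid, "modified": s["modified"], "eperm_lines": s["eperm"]})
    return findings
```

A non-empty result means the exit matches the combination described in the comment above (new IP configuration requested, not enough privileges to apply it), and the `modified` list shows which pushed option groups the server changed.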
