On 31.03.2022 13:02, Gert Doering wrote:
Hi,

On Thu, Mar 31, 2022 at 12:06:06PM +0200, David Sommerseth wrote:
There is however another related challenge in OpenVPN 2.x, which became
even clearer than before with the sitnl implementation we switched over
to on Linux by default with v2.5.  When using --user/--group without
--persist-tun, a reconnect would tear down the interface but could not
recover again and the connection dies.  Using --persist-tun, it could
work a bit better *unless* it needs to change the IP address of the tun
interface.  I'm not sure how well OpenVPN 2.x works if new routes are
being pushed (OpenVPN 3 supports that as well).  This challenge is also
resolved by granting the process CAP_NET_ADMIN capabilities.

For most non-trivial stuff, OpenVPN with --user will run into problems,
be it route teardown, installing of new routes at renegotiation time,
...

So most people today just run 2.x as root, not getting any security
benefits.

For now, my opinion is that it is currently acceptable to have
CAP_NET_ADMIN available when running with ovpn-dco; to have a smooth
user experience.  OpenVPN is after all a network related process.

I'd even go for "keep CAP_NET_ADMIN for DCO and sitnl" - because it
means "all the route/interface manipulation *and cleanup* stuff can
be done properly, without having to carry root privileges".

That's exactly what the patch does.
The only difference is that for sitnl, to avoid breaking existing setups, it will fall back to the old approach of switching user if the capability-retaining approach fails.
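The capability-retaining user switch with fallback discussed in this thread, as an added example in C that is not OpenVPN's own code: it drops root to an unprivileged account while keeping only CAP_NET_ADMIN, checks the result through /proc/self/status, and reports whether it had to fall back to the old plain --user/--group style switch. The target uid/gid, the function names and the locally mirrored capset structures are assumptions of the example; it is Linux-only.

```c
/* Added example, not OpenVPN's own code: switch to an unprivileged uid/gid
 * while keeping CAP_NET_ADMIN, falling back to a plain user switch when the
 * capability cannot be retained. Linux only; ids and names are hypothetical. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

/* Mirrors the capset(2) ABI from <linux/capability.h> so the example needs
 * neither kernel headers nor libcap: CAP_NET_ADMIN is bit 12, and version 3
 * of the header carries two 32-bit words per capability set. */
#define CAP_NET_ADMIN_BIT (1u << 12)
#define CAP_VERSION_3     0x20080522u
struct cap_header { unsigned int version; int pid; };
struct cap_data   { unsigned int effective, permitted, inheritable; };

/* Return 1 if a /proc/<pid>/status text reports CAP_NET_ADMIN in CapEff.
 * The mask is printed as a 64-bit hex number after "CapEff:". */
int capeff_has_net_admin(const char *status_text)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return 0;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (mask & CAP_NET_ADMIN_BIT) != 0;
}

/* Read our own effective capability set from /proc/self/status. */
int self_has_net_admin(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return capeff_has_net_admin(buf);
}

/* Reduce permitted and effective to CAP_NET_ADMIN only; inheritable stays
 * empty so the capability does not leak into executed children. */
static int capset_only_net_admin(void)
{
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = CAP_NET_ADMIN_BIT;
    data[0].effective = CAP_NET_ADMIN_BIT;
    return (int) syscall(SYS_capset, &hdr, data);
}

/* Outcome of the privilege drop:
 *   0  switched user and kept CAP_NET_ADMIN
 *   1  switched user but lost the capability (old --user/--group behaviour)
 *  -1  could not switch user at all */
int drop_root_keep_net_admin(uid_t uid, gid_t gid)
{
    /* Without PR_SET_KEEPCAPS the kernel clears the permitted set when the
     * effective uid leaves 0; with it, permitted survives but effective is
     * still cleared, so it has to be raised again afterwards. */
    int keepcaps_ok = prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == 0;

    /* Drop supplementary groups first, then gid, then uid. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    if (keepcaps_ok && capset_only_net_admin() == 0 && self_has_net_admin())
        return 0;

    /* Fallback: now an ordinary user without CAP_NET_ADMIN. */
    return 1;
}

int main(void)
{
    /* Hypothetical target account; "nobody" is 65534 on many distributions. */
    const uid_t target_uid = 65534;
    const gid_t target_gid = 65534;

    if (geteuid() != 0) {
        printf("not root; CAP_NET_ADMIN in effective set: %s\n",
               self_has_net_admin() ? "yes" : "no");
        return 0;
    }
    int rc = drop_root_keep_net_admin(target_uid, target_gid);
    printf("uid=%u rc=%d (%s)\n", (unsigned) getuid(), rc,
           rc == 0 ? "kept CAP_NET_ADMIN" :
           rc == 1 ? "fell back to plain user switch" : "failed");
    return rc < 0 ? 1 : 0;
}
```

Run as root to exercise the drop; started unprivileged it only reports the current effective set. The return code distinguishes the three states the thread cares about (capability kept, capability lost, switch failed), which is what a daemon needs in order to decide whether later route and interface cleanup can be expected to work.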


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
