Score:2

OpenVPN unable to retain capabilities after changing uid to nobody


Today I tried to move my OpenVPN server installation from one machine to another. Both of them are Arch Linux, and I copied the configs from one to the other. But on the new machine I encountered this while starting OpenVPN via the systemd service:

Mar 12 17:20:36 hz-vm-flwn-1 openvpn[2042]: capng_change_id('nobody','nobody') failed retaining capabilities: -9: Operation not permitted (errno=1)
Mar 12 17:20:36 hz-vm-flwn-1 openvpn[2042]: Unable to retain capabilities
Mar 12 17:20:36 hz-vm-flwn-1 openvpn[2042]: GID set to nobody
Mar 12 17:20:36 hz-vm-flwn-1 openvpn[2042]: setgroups('nobody') failed: Operation not permitted (errno=1)
Mar 12 17:20:36 hz-vm-flwn-1 openvpn[2042]: Exiting due to fatal error

The difference between the machines is basically the versions of packages; for OpenVPN that is 2.5.5 vs 2.6.1.

I tried adding different capabilities to the service and changing the user and group to root; nothing works.

Any advice where to look is appreciated.

Kaka:
Same issue on my end as well. Try to open a bug report here: https://bugs.archlinux.org/?project=1&string=openvpn
Flowneee:
I'm actually not sure whether this is an Arch-specific problem or not. I'll do a little digging on the weekend; if unsuccessful, I'll try to file a bug.
Flowneee:
Also I must say that I am thinking about abandoning OpenVPN completely in favor of WireGuard. It works pretty well, especially for a private VPN server, and is now supported by a wide variety of devices, including even budget routers.
Score:3

For everyone still looking for an answer, look no further.

TLDR: Arch introduced its own unprivileged user openvpn with group network as default, and the --user and --group options can be safely deleted / commented out from the config.
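
A check for the situation this answer describes, added here as an example (not code from the thread or from Arch's packaging): it lists the active `user` / `group` directives in an OpenVPN config and prints a copy with them commented out. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate and neutralise privilege-drop directives in an
# OpenVPN config when the service already starts as an unprivileged user.

# find_drop_directives FILE
# Prints "LINE:directive value" for every active user/group directive.
# Lines starting with "#" or ";" are OpenVPN comments and are skipped;
# an optional leading "--" on the directive name is accepted.
find_drop_directives() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        {
            d = $1
            sub(/^--/, "", d)
            if (d == "user" || d == "group") printf "%d:%s %s\n", NR, d, $2
        }
    ' "$1"
}

# comment_out_drop_directives FILE
# Writes FILE to stdout with active user/group lines prefixed by "# ".
# Everything else, including existing comments, is passed through unchanged.
comment_out_drop_directives() {
    awk '
        /^[[:space:]]*[#;]/ { print; next }
        {
            d = $1
            sub(/^--/, "", d)
            if (d == "user" || d == "group") print "# " $0
            else print
        }
    ' "$1"
}

# Constructed sample config (not taken from the question).
make_sample_config() {
    cat <<'EOF'
port 1194
proto udp
dev tun
;user openvpn
user nobody
group nobody
persist-key
EOF
}
```

Review the output of `comment_out_drop_directives` before replacing the live config, and keep the original file as a backup.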

Score:0

Same problem here on Arch, and it persists in 2.6.2. Downgrading to openvpn-2.6.0-1 worked for me (for now).
