easy-openvpn-server

URGENT: Latest update - Access Denied

Open miili opened this issue 5 months ago • 5 comments

Since yesterday's update the configs are confined, preventing clients from connecting.

Nov 04 10:06:10 hostname easy-openvpn-server.udp-server[1356]: 2025-11-04 10:06:10 XXX/xx.xx.xx.xx:42974 Could not access file '/root/snap/easy-openvpn-server/136/client-configs/XXX Permission denied (errno=13)

miili avatar Nov 04 '25 10:11 miili

That is very weird.

  • Do you have apparmor "deny" messages from easy-openvpn-server? We run a large VPN server and it's not experiencing any issues.
  • Can you show the permissions of some of the files in that folder?
  • Have you tried rebooting the server?

Note that you can simply run snap revert easy-openvpn-server to run the previous version. Does that fix the issue?

merlijn-sebrechts avatar Nov 04 '25 20:11 merlijn-sebrechts

BTW: This is what the file permissions should look like:

-rw-r--r-- 1 root root 2.0K Nov  3 10:30 mrtester.crt
-rw------- 1 root root 3.2K Nov  3 10:30 mrtester.key
-rw-r--r-- 1 root root 9.3K Nov  3 10:30 mrtester.ovpn

merlijn-sebrechts avatar Nov 04 '25 20:11 merlijn-sebrechts

BTW: The "could not access file" error is probably meaningless. It should not require accessing those files during operation. It's always giving this error. It's simply checking to see if there's a user-specific server-side configuration in that folder and it gives the could not access file error because that file doesn't exist.

If connections are not working, then there's a different issue afoot.

merlijn-sebrechts avatar Nov 04 '25 20:11 merlijn-sebrechts

Hi @merlijn-sebrechts. Yes, the server-side client configs cannot be read at runtime.

I disabled the privilege (uid, gid) de-escalation in the OpenVPN config to fix the problem.

These problems started with the update published this week.

Thank you for this handy snap! Great to see maintenance.

miili avatar Nov 06 '25 08:11 miili

@miili Did you manually change server side client configs? Normally, these are not used by the snap.

Second question, how did you disable this de-escalation?

This can help me figure out if I can fix this on the snap side itself. I won't disable de-escalation, but I might be able to change the permissions of the config files.

merlijn-sebrechts avatar Nov 07 '25 08:11 merlijn-sebrechts

@miili I now have official support for your use-case. The snap in the edge channel should have your changes. You can now put user-specific config in /var/snap/easy-openvpn-server/common/ccd/. This should work without turning off the de-escalation. This should now persist between updates. Can you test this (snap refresh easy-openvpn-server --edge) and let me know if that works for you?

For more info, see https://github.com/idlab-discover/easy-openvpn-server?tab=readme-ov-file#client-specific-rules-and-access-policies

merlijn-sebrechts avatar Nov 17 '25 16:11 merlijn-sebrechts

Awesome! Thanks a bunch. This will enable static IPs!

miili avatar Nov 20 '25 19:11 miili
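
A mode-bit check for the situation discussed in this thread, as an added example that is not part of the thread or the snap's own code: once OpenVPN has dropped to an unprivileged uid/gid, a world-readable file is still unreadable (errno 13) if any parent directory lacks search permission for that account. The uid/gid values, the directory tree and the `ifconfig-push` line are constructed, and that the original `/root/snap/...` path failed for this reason is an assumption.

```python
import os
import stat
import tempfile


def allowed(st, uid, gids, u_bit, g_bit, o_bit):
    """Unix mode check: owner bits if uid owns it, else group, else other."""
    if uid == 0:
        return True  # root, before the privilege drop, bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & u_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & g_bit)
    return bool(st.st_mode & o_bit)


def first_blocker(path, uid, gids, start="/"):
    """Return (path, reason) for the first component from `start` down to
    `path` that stops uid/gids reading `path`, else None. Mode bits only:
    ACLs, AppArmor and capabilities are not considered."""
    current = os.path.abspath(start)
    for part in os.path.relpath(os.path.abspath(path), current).split(os.sep):
        # Looking up `part` needs search (x) permission on its directory.
        if not allowed(os.stat(current), uid, gids,
                       stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return current, "directory not searchable"
        current = os.path.join(current, part)
    if not allowed(os.stat(current), uid, gids,
                   stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return current, "file not readable"
    return None


def demo():
    """Constructed tree: ccd under a 0700 directory versus a 0755 one."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    st = os.stat(base)
    uid, gid = st.st_uid + 1000, st.st_gid + 1000  # constructed unprivileged ids
    out = {}
    for name, mode in (("private", 0o700), ("shared", 0o755)):
        cfg = os.path.join(base, name, "ccd", "client1")
        os.makedirs(os.path.dirname(cfg))
        os.chmod(os.path.dirname(cfg), 0o755)
        with open(cfg, "w") as f:
            f.write("ifconfig-push 10.8.0.50 255.255.255.0\n")  # sample ccd line
        os.chmod(cfg, 0o644)
        os.chmod(os.path.join(base, name), mode)
        out[name] = first_blocker(cfg, uid, [gid], start=base)
    return base, out
```

On a real server, pass the path of a file under `/var/snap/easy-openvpn-server/common/ccd/` together with the uid and gids of the account OpenVPN drops to; a `None` result means the mode bits alone do not block the read.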