DCO does not work with Ubuntu SystemD unit, if user is set
Describe the bug
If DCO is set up correctly, openvpn uses DCO if it is started manually. See logs:
DCO device tun0 opened
But if openvpn is started with the systemd unit [email protected] and a user is set, DCO is disabled. See logs:
TUN/TAP device tun1 opened
Version information (please complete the following information):
- OS: Ubuntu 22.04
- OpenVPN version: 2.6.8
- OpenVPN from https://build.openvpn.net/debian/openvpn/release/2.6 repository
This is caused by a missing capability in the systemd unit file /etc/systemd/system/[email protected].
[Service]
...
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
The missing capability is CAP_SETPCAP.
The work-around is to create /etc/systemd/system/[email protected]/override.conf with this content:
[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
From the configuration file:
user openvpn
group openvpn
See openvpn-2.6.8/src/openvpn/dco.c:
if (!capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP))
{
    msg(msglevel, "--user specified but lacking CAP_SETPCAP. "
        "Cannot retain CAP_NET_ADMIN. Disabling data channel offload");
    return false;
}
if (!capng_have_capability(CAPNG_PERMITTED, CAP_NET_ADMIN))
{
    msg(msglevel, "--user specified but not permitted to retain CAP_NET_ADMIN. "
        "Disabling data channel offload");
    return false;
}
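A check for the capability gap described above, added here as an example (not code from the issue or from OpenVPN): it merges CapabilityBoundingSet= lines from a unit file and a drop-in the way systemd does (repeated lines OR together, a "~" line removes the listed caps, an empty assignment resets) and reports which of the two capabilities dco.c tests for are absent. The unit and override text are the ones from this report, embedded as constructed strings; a "~" line as the very first assignment (all caps minus the listed ones) is not modelled.

```python
"""Evaluate the effective CapabilityBoundingSet of an openvpn systemd unit
plus drop-ins and report what DCO with --user still lacks (added example)."""
import re

# The two caps dco.c checks before enabling DCO when --user is set.
DCO_USER_CAPS = {"CAP_SETPCAP", "CAP_NET_ADMIN"}

# Constructed sample input: stock unit from the report, then the proposed override.
UNIT_ORIG = """[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
"""
OVERRIDE = """[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
"""

def bounding_set(*unit_texts):
    """Merge [Service] CapabilityBoundingSet= lines in order: unit file first,
    then drop-ins. Assumes an explicit (non-'~') list comes first."""
    caps = set()
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith(("#", ";")):
                continue
            if line.startswith("["):
                section = line
                continue
            m = re.match(r"CapabilityBoundingSet\s*=\s*(.*)$", line)
            if section != "[Service]" or not m:
                continue
            value = m.group(1).strip()
            if not value:                      # "CapabilityBoundingSet=" resets
                caps.clear()
            elif value.startswith("~"):        # "~CAP_X" ANDs away the listed caps
                caps -= {c.upper() for c in value[1:].split()}
            else:                              # plain list ORs into the set
                caps |= {c.upper() for c in value.split()}
    return caps

def dco_missing_caps(*unit_texts):
    """Return, sorted, the caps needed for DCO with --user that are absent."""
    return sorted(DCO_USER_CAPS - bounding_set(*unit_texts))

if __name__ == "__main__":
    print("stock unit missing:", dco_missing_caps(UNIT_ORIG))        # ['CAP_SETPCAP']
    print("with override missing:", dco_missing_caps(UNIT_ORIG, OVERRIDE))  # []
```

To test a live host, feed the function the contents of the unit file and of each file under the unit's `.d/` directory in the order systemd reads them.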
@dsommers you have more experience on this part. Do you agree with the proposed solution?
2024-11-20 10:04:19 --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
https://github.com/OpenVPN/openvpn/issues/643
this is a different issue, although they both crossed paths at the caps definition
May 24 02:12:53 *** ovpn-server[8874]: Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
May 24 02:12:53 *** ovpn-server[8874]: --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
May 24 02:12:53 *** ovpn-server[8874]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
Faced with this problem, I did not find any solutions. Can you tell me?
*** ovpn-server[8874]: Options error: --writepid fails with '/run/openvpn/server.pid': No such file or directory (errno=2)
This is the "real" problem in your setup, and it has nothing to do with the issue you're posting to. Without further details on your setup we can't tell you what is wrong - it might be a missing directory (namely /run/openvpn) or a chroot directive getting in the way. We don't even know what OS and OpenVPN version you are using, and how you are starting OpenVPN.
The CAP_SETPCAP sounds "like this problem", but this will not stop openvpn from functioning.
@ordex I think we can close this issue just fine now? This was a 2.6 thing, and both capability handling and unit files have been improved and things are just working fine normally.
yap, closing.
hi, I'm still facing the same problem in OpenVPN 2.6.13
openvpn[327322]: --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
openvpn[327322]: OpenVPN 2.6.13 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
openvpn[327322]: library versions: OpenSSL 3.4.1 11 Feb 2025, LZO 2.10
openvpn[327322]: DCO version: N/A
I checked with modinfo and lsmod and see that the module was already loaded.
filename: /lib/modules/6.14.0-15-generic/updates/dkms/ovpn-dco-v2.ko.zst
alias: net-pf-16-proto-16-family-ovpn-dco-v2
alias: rtnl-link-ovpn-dco
version: 0.2.20241216
license: GPL
author: (C) 2020- OpenVPN, Inc.
description: OpenVPN data channel offload (ovpn-dco)
srcversion: 8606CA9B8FA9F8530E8364A
depends: ip6_udp_tunnel,udp_tunnel
name: ovpn_dco_v2
retpoline: Y
vermagic: 6.14.0-15-generic SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: wyse3040-20240714 Secure Boot Module Signature key
sig_key: 33:C5:F1:B9:CC:F1:35:99:83:E5:2B:34:0B:1F:78:EC:0F:0E:ED:86
sig_hashalgo: sha512
@giangtnm the answer should be in the first post:
The missing capability is CAP_SETPCAP.
The work-around is to create /etc/systemd/system/[email protected]/override.conf with this content:
[Service]
CapabilityBoundingSet=CAP_SETPCAP CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
If you want to use DCO via systemd you need to provide the appropriate capabilities.
@ordex I also provided, but I still get the same problem. Have you ever tested it in your own environment?
@giangtnm unfortunately I don't use Systemd.