
Bug 120162

Summary: OpenVPN: Gateway is not restored after stopping VPN
Product: Gentoo Linux
Reporter: Marc Blumentritt <marc.blumentritt>
Component: Current packages
Assignee: Roy Marples (RETIRED) <uberlord>
Status: VERIFIED INVALID
Severity: normal
CC: gentoo.org
Priority: High
Version: 2005.1
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Marc Blumentritt 2006-01-24 03:44:39 UTC
I connect with openvpn-2.0.5-r2 on Gentoo to an openvpn server running on Debian sarge via a routed setup (configs: see below). The server redirects the gateway, so that it is used as the standard gateway on the client. If I disconnect from the VPN, the route to the former standard gateway is not restored. The only solution is to restart the interface or set the route by hand. The VPN works without any problems if I connect from a WindowsXP client.

Steps to reproduce:
1.) Use similar configs:
server.conf:
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/firewall.crt
key keys/firewall.key
dh keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "route XXX.XXX.aaa.0 255.255.255.0"
push "route XXX.XXX.bbb.0 255.255.255.128"
client-config-dir ccd
push "redirect-gateway"
push "dhcp-option DNS XXX.XXX.ccc.150"
push "dhcp-option DNS XXX.XXX.ccc.151"
push "dhcp-option DNS XXX.XXX.ccc.152"
client-to-client
keepalive 10 120
tls-auth keys/ta.key 0
cipher BF-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log-append   /var/log/openvpn.log
verb 4
mute 20

client.conf:
client
dev tun
proto udp
remote XXX.XXX.aaa.131 1194
float
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert retsina.crt
key retsina.key
ns-cert-type server
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 4

2.) connect and disconnect:
/etc/init.d/openvpn start
/etc/init.d/openvpn stop

3.) check the routes:
route -n

Actual Results:
1.) before connecting to VPN
hive marc # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0

2.) VPN is stopped:
hive marc # route -n
Kernel IP routing table
Destination      Gateway         Genmask         Flags Metric Ref    Use Iface
XXX.XXX.aaa.131  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0        127.0.0.1       255.0.0.0       UG    0      0        0 lo

Expected Results:
1.) and 2.) should be the same.
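As an added check (not part of the bug report or of OpenVPN itself), the following POSIX shell script compares two `route -n` snapshots the way the Expected Results ask for: it reports whether the default gateway survived the stop and lists any host route that was left behind. The two snapshots are constructed from the tables above.

```shell
#!/bin/sh
# Added example, not part of the bug report: compare two `route -n`
# snapshots and tell whether stopping the VPN restored the default gateway.
# Both snapshots below are constructed from the tables in the report.

ROUTES_BEFORE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG    0      0        0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 eth0'

ROUTES_AFTER='Kernel IP routing table
Destination      Gateway         Genmask         Flags Metric Ref    Use Iface
XXX.XXX.aaa.131  192.168.0.1     255.255.255.255 UGH   0      0        0 eth0
192.168.0.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0        127.0.0.1       255.0.0.0       UG    0      0        0 lo'

# Print the gateway of the default route (Destination 0.0.0.0); empty if none.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { print $2 }'
}

# Print host routes (H flag) in snapshot $2 that were absent from snapshot $1:
# these are leftovers such as the client's own route to the VPN server.
stale_host_routes() {
    printf '%s\n' "$2" | awk 'NR > 2 && $4 ~ /H/ { print $1 }' |
    while read -r dest; do
        printf '%s\n' "$1" |
            awk -v d="$dest" '$1 == d { found = 1 } END { exit !found }' ||
            printf '%s\n' "$dest"
    done
}

# Return 0 when the default gateway of $1 is still present in $2, else 1.
check_gateway_restored() {
    before=$(default_gw "$1")
    after=$(default_gw "$2")
    if [ -n "$before" ] && [ "$before" = "$after" ]; then
        echo "OK: default gateway $before restored"
        return 0
    fi
    echo "FAIL: default gateway was '$before', now '${after:-none}'"
    return 1
}

# On the report's data this prints the FAIL line and the stale host route.
check_gateway_restored "$ROUTES_BEFORE" "$ROUTES_AFTER" || true
stale_host_routes "$ROUTES_BEFORE" "$ROUTES_AFTER"
```

To use it on a live box, capture `route -n` into a file before `/etc/init.d/openvpn start` and again after `stop`, and pass the two files' contents to the functions.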
Comment 1 Marc Blumentritt 2006-01-28 09:01:30 UTC
Added emerge info:
Portage 2.0.53 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.6-r2, 2.6.12-gentoo-r10 i686)
=================================================================
System uname: 2.6.12-gentoo-r10 i686 AMD Athlon(tm) XP 2700+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv"
GENTOO_MIRRORS="ftp://ftp.rz.tu-bs.de/pub/mirror/ftp.gentoo.org/gentoo-distfiles/"
LANG="de_DE"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/gentoo-de /usr/local/portage/epios"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 16bit 3dnow X a52 aac aalib accessibility acpi alsa ansi apache2 apm audiofile avi bash-completion berkdb bitmap-fonts bzip2 cdparanoia cdr cjk cle266 crypt cscope curl curlwrappers dbus dga dio directfb divx4linux dri dts dv dvb dvd dvdr dvdread encode expat fbcon ffmpeg flac flash freetds freetype ftp gd gdbm gif glut gnutls gphoto2 gstreamer hal ieee1394 imagemagick imap imlib imon innodb java javascript joystick jpeg lcms libgda libwww lirc live lm_sensors mad maildir matroska mhash mikmod mime mmap mmx mng motif mozilla mp3 mpeg mplayer mysql mysqli mythtv ncurses nocd nptl ogg oggvorbis opengl pam pcre pda pdflib perl php pic png posix python quicktime readline samba sdl session shorten skey slang smartcard sndfile socks5 sox speex spl sse ssl streamzap svg sysvipc tcltk tcpd theora tidy tiff tokenizer transcode truetype truetype-fonts type1-fonts udev unichrome unicode usb v4l v4l2 vcd video_cards_via vidix vorbis wifi win32codecs wmf xine xinerama xml xml2 xpm xsl xv xvid xvmc zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS

I also changed my email (which I thought I did already...).
Comment 2 Marcel Meckel 2006-02-09 13:28:48 UTC
Exact same problem here, using same OpenVPN version.
Comment 3 Marcel Meckel 2006-02-14 14:31:45 UTC
Hi,

I solved this issue. When openvpn starts it's running as root and can change the routing table, then drops root privileges and runs as nobody. As nobody you can't alter the routing table, that's why the original routing table can't be restored.

I solved this by commenting out the

  user nobody
  group nogroup

lines since it's only the client running as root and not the server - I don't consider this a security risk since the client is not always running.

Greets.
Comment 4 Marc Blumentritt 2006-02-16 13:33:05 UTC
(In reply to comment #3)
> I solved this by commenting out the
> 
>   user nobody
>   group nogroup

The same for me. The funny thing is, I thought I did not have these lines in my openvpn.conf (as shown above in my post), but I had. After commenting them out, resetting of routes works.

Could there be another more secure solution?

Marc
Comment 5 Roy Marples (RETIRED) gentoo-dev 2006-03-15 04:06:09 UTC
(In reply to comment #4)
> Could there be another more secure solution?

Use SELinux or grsec kernels for this level of security.
Otherwise you have to use root when openvpn needs to change routing or ip.
Comment 6 Marc Blumentritt 2006-03-15 05:18:47 UTC
(In reply to comment #5)
> (In reply to comment #4)
> > Could there be another more secure solution?
> 
> Use SELinux or grsec kernels for this level of security.
> Otherwise you have to use root when openvpn needs to change routing or ip.
>

OK, then I think, this bug is closed.

...closing it...