| Summary: | OpenVPN: Gateway is not restored after stopping VPN | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Marc Blumentritt <marc.blumentritt> |
| Component: | Current packages | Assignee: | Roy Marples (RETIRED) <uberlord> |
| Status: | VERIFIED INVALID | | |
| Severity: | normal | CC: | gentoo.org |
| Priority: | High | | |
| Version: | 2005.1 | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Marc Blumentritt
2006-01-24 03:44:39 UTC
Added emerge info:

```
Portage 2.0.53 (default-linux/x86/2005.1, gcc-3.4.4, glibc-2.3.6-r2, 2.6.12-gentoo-r10 i686)
=================================================================
System uname: 2.6.12-gentoo-r10 i686 AMD Athlon(tm) XP 2700+
Gentoo Base System version 1.6.13
ccache version 2.3 [enabled]
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1-r1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=c3-2 -Os -fomit-frame-pointer -pipe -msse -mmmx -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict userpriv"
GENTOO_MIRRORS="ftp://ftp.rz.tu-bs.de/pub/mirror/ftp.gentoo.org/gentoo-distfiles/"
LANG="de_DE"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp/portage"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/gentoo-de /usr/local/portage/epios"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 16bit 3dnow X a52 aac aalib accessibility acpi alsa ansi apache2 apm audiofile avi bash-completion berkdb bitmap-fonts bzip2 cdparanoia cdr cjk cle266 crypt cscope curl curlwrappers dbus dga dio directfb divx4linux dri dts dv dvb dvd dvdr dvdread encode expat fbcon ffmpeg flac flash freetds freetype ftp gd gdbm gif glut gnutls gphoto2 gstreamer hal ieee1394 imagemagick imap imlib imon innodb java javascript joystick jpeg lcms libgda libwww lirc live lm_sensors mad maildir matroska mhash mikmod mime mmap mmx mng motif mozilla mp3 mpeg mplayer mysql mysqli mythtv ncurses nocd nptl ogg oggvorbis opengl pam pcre pda pdflib perl php pic png posix python quicktime readline samba sdl session shorten skey slang smartcard sndfile socks5 sox speex spl sse ssl streamzap svg sysvipc tcltk tcpd theora tidy tiff tokenizer transcode truetype truetype-fonts type1-fonts udev unichrome unicode usb v4l v4l2 vcd video_cards_via vidix vorbis wifi win32codecs wmf xine xinerama xml xml2 xpm xsl xv xvid xvmc zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LC_ALL, LDFLAGS, LINGUAS
```

I also changed my email (which I thought I did already...).

Comment #2

Exact same problem here, using same OpenVPN version.

Comment #3

Hi, I solved this issue. When openvpn starts it's running as root and can change the routing table, then drops root privileges and runs as nobody. As nobody you can't alter the routing table, that's why the original routing table can't be restored. I solved this by commenting out the

user nobody
group nogroup

lines since it's only the client running as root and not the server - I don't consider this a security risk since the client is not always running. Greets.

Comment #4

(In reply to comment #3)
> I solved this by commenting out the
>
> user nobody
> group nogroup

The same for me. The funny thing is, I thought I did not have these lines in my openvpn.conf (as shown above in my post), but I had. After commenting them out, resetting of routes is working. Could there be another more secure solution?

Marc

Comment #5

(In reply to comment #4)
> Could there be another more secure solution?

Use SELinux or grsec kernels for this level of security. Otherwise you have to use root when openvpn needs to change routing or ip.

Comment #6

(In reply to comment #5)
> (In reply to comment #4)
> > Could there be another more secure solution?
>
> Use SELinux or grsec kernels for this level of security.
> Otherwise you have to use root when openvpn needs to change routing or ip.

OK, then I think this bug is closed.

Comment #7

...closing it...
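The mechanism the thread settles on, routes added while OpenVPN is still root and then left in place because `user nobody` / `group nogroup` remove the right to delete them at shutdown, can be checked for in a client config before it is deployed. The audit script below is an added example, not code from the bug report or from OpenVPN; the sample configs are constructed, `vpn.example.invalid` is a placeholder, and the check goes one step beyond the thread by also flagging `client`/`pull` configs, where the server may push routes that never appear in the file.

```python
"""Audit an OpenVPN client config for the conflict in this bug: routes are
added while the daemon is still root, but `user`/`group` drop privileges
afterwards, so it cannot remove them (restore the gateway) at shutdown."""
import re

ROUTE_DIRECTIVES = {"route", "redirect-gateway", "route-gateway"}  # change routes at start-up
PRIV_DROP_DIRECTIVES = {"user", "group"}  # drop root once the tunnel is up
# Under these the server may push routes that never appear in the client file
# (goes beyond the thread, which only discusses statically configured routes).
PULL_DIRECTIVES = {"client", "pull"}

def parse_directives(text):
    """Return [(directive, [args])], skipping blanks and '#'/';' comments,
    so a commented-out `;user nobody` is correctly ignored."""
    directives = []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives

def audit(text):
    """Return (can_restore_routes, reasons); False means the process will be
    unable to undo its own routing changes when it stops."""
    directives = parse_directives(text)
    drops = [(d, a) for d, a in directives if d in PRIV_DROP_DIRECTIVES]
    static_routes = [d for d, _ in directives if d in ROUTE_DIRECTIVES]
    pulls = [d for d, _ in directives if d in PULL_DIRECTIVES]
    reasons = []
    if drops:
        reasons.append("drops privileges: " + ", ".join(f"{d} {' '.join(a)}" for d, a in drops))
    if static_routes:
        reasons.append("changes routes at start-up: " + ", ".join(static_routes))
    if pulls:
        reasons.append("may receive pushed routes from the server: " + ", ".join(pulls))
    return not (drops and (static_routes or pulls)), reasons

# Constructed sample client config (not the reporter's); the host is a placeholder.
BROKEN_CONF = """client
dev tun
remote vpn.example.invalid 1194
redirect-gateway def1
user nobody
group nogroup
"""
# The thread's fix: comment the two lines out so OpenVPN keeps root for its lifetime.
FIXED_CONF = BROKEN_CONF.replace("user nobody", ";user nobody").replace("group nogroup", ";group nogroup")
```

`audit(BROKEN_CONF)` reports that the routes cannot be restored, `audit(FIXED_CONF)` that they can; the trade-off the maintainer points out still applies, since the fixed form keeps the whole process running as root unless SELinux or grsec confines it.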