wknapik / openvpn-unroot

Run OpenVPN without root privileges

License: MIT License

Languages: Shell 92.75%, Makefile 7.25%
Topics: automation, linux, openvpn, openvpn-client, root, root-privileges, security, unprivileged, unprivileged-user, vpn

openvpn-unroot's Issues

Does not work on Linux Mint 18

Performing a dry run seems to work

openvpn-unroot -apv linux_laptop.conf
INFO: Adding group openvpn
INFO: Adding user openvpn
INFO: Generating sudoers file /etc/sudoers.d/linux_laptop-unrooted
INFO: Generating iproute file /etc/openvpn/ip-unrooted.sh
INFO: Generating up file /etc/openvpn/update-resolv-conf-unrooted
INFO: Generating down file /etc//openvpn/update-resolv-conf-unrooted
INFO: Adding device tun0-unrooted
INFO: Generating netdev file /etc/systemd/network/tun0-unrooted.netdev
INFO: Generating config file /etc/openvpn/linux_laptop-unrooted.conf
INFO: Generating unit file /etc/systemd/system/openvpn@linux_laptop-unrooted.service

Actually running the code results in this message.

thirdtry openvpn # openvpn-unroot -av linux_laptop.conf
INFO: Adding group openvpn
INFO: Adding user openvpn
INFO: Generating sudoers file /etc/sudoers.d/linux_laptop-unrooted
INFO: Generating iproute file /etc/openvpn/ip-unrooted.sh
INFO: Generating up file /etc/openvpn/update-resolv-conf-unrooted
INFO: Generating down file /etc//openvpn/update-resolv-conf-unrooted
INFO: Adding device tun0-unrooted
INFO: Generating netdev file /etc/systemd/network/tun0-unrooted.netdev
INFO: Generating config file /etc/openvpn/linux_laptop-unrooted.conf
INFO: Generating unit file /etc/systemd/system/openvpn@linux_laptop-unrooted.service
sed: can't read /usr/lib/systemd/system/[email protected]: No such file or directory
/home/rtisdale/bin/openvpn-unroot: line 387: `}' returned 2
ERROR: Reverting all changes
/home/rtisdale/bin/openvpn-unroot: line 132: 1: parameter null or not set
/home/rtisdale/bin/openvpn-unroot: line 499: `local ret; ret=("$("$@")"); readonly ret' returned 1
ERROR: Reverting all changes
thirdtry openvpn # echo $SHELL
/bin/bash
thirdtry openvpn # bash --version
GNU bash, version 4.4.0(1)-release (x86_64-unknown-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
thirdtry openvpn # 

This file does appear to exist below:

/lib/systemd/system/[email protected]

Place systemd unit changes in separate file

Systemd supports overrides for unit files. Since it looks like you're just adding two values, you could just modify the existing unit file with a .d file.

i.e., create a file: /etc/systemd/system/[email protected]/user.conf containing:
[Service]
User=openvpn
Group=openvpn

That way you'll get any fixes in the unit file for openvpn automatically included when there is an upgrade.

ERROR: Reverting all changes

Running on a fresh install of Linux version 5.15.47-1-lts (linux-lts@archlinux) (gcc (GCC) 12.1.0, GNU ld (GNU Binutils) 2.38) gives the following error:

INFO: Adding user nobody to group nobody
INFO: Generating sudoers file /etc/sudoers.d/cyberghost-unrooted
INFO: Generating iproute file /etc/openvpn/client/ip-unrooted.sh
INFO: Adding device tun0-unrooted
./openvpn-unroot: line 397: `testing && echo "${comm[@]}" || "${comm[@]}" >/dev/null' returned 1
ERROR: Reverting all changes
./openvpn-unroot: line 499: `local ret; ret=("$("$@")"); readonly ret' returned 1
ERROR: Reverting all changes

Switch from sudo to pkexec

Followed the wiki. Should've thought of this earlier...

Need to consider portability between Linux distros and possibly the BSD family.

Feature Request: Make openvpn user a system user

If you add the -r flag to the adduser command it will be allocated as a system user and assigned an id in a different range. This seems appropriate for such a user. The -r flag can be passed to groupadd as well.

Feature Request: Create/remove tun device dynamically

Instead of creating an entry in /etc/systemd/network, you could create the tun device in the unit file (and destroy it after as well). This would keep the list of links less cluttered when it's not running.

To do this, you can delete the systemd-network netdev file and add a file at /etc/systemd/system/openvpn-client@{configname}.service.d/tuntap.conf containing:

[Service]
# "-" lets the start proceed when no stale device exists yet; "+" runs the
# command with full privileges even though the service itself runs as User=openvpn
ExecStartPre=-+/usr/bin/ip tuntap del name tun-vpn mode tun
ExecStartPre=+/usr/bin/ip tuntap add name tun-vpn mode tun user openvpn group openvpn
ExecStopPost=+/usr/bin/ip tuntap del name tun-vpn mode tun

Replacing tun-vpn and the user/group as needed.

Permission issues

The ip-unrooted.sh and the config file get created with write permissions for the openvpn user.

I would recommend changing the user/group/permissions from:
-rwx------ 1 openvpn openvpn ip-unrooted.sh
-rw------- 1 openvpn openvpn vpn-unrooted.conf

to:
-rwxr-x--- 1 root openvpn ip-unrooted.sh
-rw-r----- 1 root openvpn piagate.conf

So the openvpn user isn't able to alter the script and config.
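As an added example (not the issue author's or the project's own code), a small POSIX shell audit of the ownership and mode recommended above: a file passes only if it is owned by root, belongs to group openvpn and carries no group or other write bit, so the openvpn user can read or execute it but not change it. The WANT_OWNER/WANT_GROUP defaults and the script name are assumptions, and the live check relies on GNU stat.

```sh
#!/bin/sh
# Audit that the files the unprivileged openvpn user executes or reads cannot be
# modified by that user. Policy from the issue above: owner root, group openvpn,
# and no group/other write bit. Assumed defaults; override via environment.
WANT_OWNER=${WANT_OWNER:-root}
WANT_GROUP=${WANT_GROUP:-openvpn}

# perms_ok MODE OWNER GROUP -- MODE is octal as printed by `stat -c %a` (e.g. 750).
# Returns 0 when the policy holds, 1 otherwise, printing the first violated rule.
perms_ok() {
    mode=$1 owner=$2 group=$3
    if [ "$owner" != "$WANT_OWNER" ]; then
        echo "owner is $owner, want $WANT_OWNER"; return 1
    fi
    if [ "$group" != "$WANT_GROUP" ]; then
        echo "group is $group, want $WANT_GROUP"; return 1
    fi
    # Octal mask 022 selects the group-write and other-write bits; if either is
    # set, the openvpn user (via its group) or anyone else could rewrite the file.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "mode $mode grants group/other write"; return 1
    fi
    return 0
}

# audit_file PATH -- reads the live mode/owner/group with GNU stat and checks them.
audit_file() {
    f=$1
    [ -e "$f" ] || { echo "$f: FAIL: missing"; return 1; }
    set -- $(stat -c '%a %U %G' "$f")
    if reason=$(perms_ok "$1" "$2" "$3"); then
        echo "$f: OK ($1 $2 $3)"
    else
        echo "$f: FAIL: $reason"; return 1
    fi
}

# Usage: sh audit-unrooted.sh /etc/openvpn/ip-unrooted.sh /etc/openvpn/vpn-unrooted.conf
# With no arguments only the functions are defined, so the file can be sourced.
main() {
    rc=0
    for f in "$@"; do audit_file "$f" || rc=1; done
    return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```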

What is "foo.conf"?

It appears that the script wants me to create the file foo.conf before anything else, otherwise this error happens:

sed: can't read /etc/openvpn/client/foo.conf: No such file or directory
/bin/openvpn-unroot: line 168: `sed -nr "s/^\s*${key}\s+(\S+)\s*.*/\1/p" "${opt[old_config_file]}"' returned 2
/bin/openvpn-unroot: line 150: `first_line() {' returned 1
/bin/openvpn-unroot: line 204: `} | first_line' returned 1
/bin/openvpn-unroot: line 473: `dev_type="$(get_dev_type)"' returned 1

...And making an empty foo.conf file didn't help:

/sbin/openvpn-unroot: line 150: `first_line() {' returned 1
/sbin/openvpn-unroot: line 204: `} | first_line' returned 1
/sbin/openvpn-unroot: line 473: `dev_type="$(get_dev_type)"' returned 1

Mention that you have to enable systemd-networkd

I am new to using OpenVPN, and was following the guide on the Arch Linux wiki that mentioned this repository. Everything worked pretty smoothly, so thanks for that :)

After rebooting, I tried systemctl start [email protected] but got the following error message:

ERROR: Cannot set tx queue length on tun0-unrooted: Operation not permitted (errno=1)

It took me some time to figure out where the problem was: in order for the /etc/systemd/network/tun0-unrooted.netdev profile to be activated, I needed to start systemd-networkd. I have no idea if this service is started by default for most users and I somehow disabled it, but if that is not the case, maybe you can mention somewhere in your readme that users have to enable that service for things to keep working through reboots.

ioctl permission problem after reboot

I just installed the script on Arch Linux with a fresh configuration of openvpn.
After launching the script with the right input (user, group), I am able to start the service with:
# systemctl start [email protected]
But when I reboot the computer, I have this error:
openvpn[22446]: ROUTE_GATEWAY xxx.xxx.1.1/255.255.255.0 IFACE=wlp4s0 HWADDR=xx:xx:xx:xx:xx:xx
openvpn[22446]: ERROR: Cannot ioctl TUNSETIFF tun0-unrooted: Operation not permitted (errno=1)
openvpn[22446]: Exiting due to fatal error
kernel: tun: Universal TUN/TAP device driver, 1.6
kernel: tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
systemd[1]: [email protected]: Unit entered failed state.
...
systemd[1]: [email protected]: Failed with result 'exit-code'.
I don't really understand why there is a problem, because I have the client-unrooted in /etc/sudoers.d/
I just noticed that in this file, the path given is /etc/openvpn/update-resolv-conf
Why not /etc/openvpn/update-resolv-conf-unrooted?

macOS support

Tried everything (even updating the Bash version to 4.4) but cannot get this script to work. Any ideas how I can adapt the script to macOS?

Use a generic name for sudoers file

I don't expect the sudoers file will be different for different configs, so it would make sense to default to a more generic name (i.e. /etc/sudoers.d/openvpn-unrooted instead of /etc/sudoers.d/{configname}-unrooted).
