I see tunnel errors

I rebooted ipfire (core 159) this morning and I see a couple of errors in the tunnel ip. Any idea why? Plus why is udevd complaining about those 3 groups? I do not run kvm. thanks.

Oct 25 10:08:19 ipfire openvpnserver[17656]: event_wait : Interrupted system call (code=4)
Oct 25 10:08:19 ipfire openvpnserver[17656]: /sbin/ip route del 10.155.241.0/24
Oct 25 10:08:19 ipfire openvpnserver[17656]: ERROR: Linux route delete command failed: external program exited with error status: 2
Oct 25 10:08:19 ipfire openvpnserver[17656]: Closing TUN/TAP interface
Oct 25 10:08:19 ipfire openvpnserver[17656]: /sbin/ip addr del dev tun0 local 10.155.241.1 peer 10.155.241.2
Oct 25 10:08:19 ipfire openvpnserver[17656]: Linux ip addr del failed: external program exited with error status: 2
Oct 25 10:08:19 ipfire openvpnserver[17656]: SIGTERM[hard,] received, process exiting
Oct 25 10:08:19 ipfire kernel: <27>udevd[481]: specified group 'input' unknown
Oct 25 10:08:19 ipfire kernel: <27>udevd[481]: specified group 'render' unknown
Oct 25 10:08:19 ipfire kernel: <27>udevd[481]: specified group 'kvm' unknown
Oct 25 10:08:20 ipfire vnstatd[32427]: Interface "tun0" disabled.

Hello paul
:thinking:
In the file /var/ipfire/openvpn/server.conf do you have below entries?
group input
group render
group kvm

edit
Deleted not important content.

This should not be openvpn related. I think they are caused by avahi or dbus, because IPFire has no desktop environment that handles user input, screen render or kvm composing, so these user groups do not exist.

the file is in /var/ipfire/ovpn/server.conf and all I have is user nobody group nobody.

:face_with_hand_over_mouth: Sorry, my bad, I was focusing on openvpn and this is a udevd error.

Fresh installation core 160.

without static IP address pool

Below logs after first start OpenVPN server (without static address pool)

IPFire diagnostics
Section: openvpn
Date: October 26, 2021

14:24:31 openvpnserver[6588]:  Initialization Sequence Completed
14:24:31 openvpnserver[6588]:  IFCONFIG POOL LIST
14:24:31 openvpnserver[6588]:  IFCONFIG POOL IPv4: base=10.45.168.4 size=62
14:24:31 openvpnserver[6588]:  MULTI: multi_init called, r=256 v=256
14:24:31 openvpnserver[6588]:  UID set to nobody
14:24:31 openvpnserver[6588]:  GID set to nobody
14:24:31 openvpnserver[6588]:  UDPv4 link remote: [AF_UNSPEC]
14:24:31 openvpnserver[6588]:  UDPv4 link local (bound): [AF_INET][undef]:1194
14:24:31 openvpnserver[6588]:  Socket Buffers: R=[212992->212992] S=[212992->212992]
14:24:31 openvpnserver[6588]:  Could not determine IPv4/IPv6 protocol. Using AF_INET
14:24:31 openvpnserver[6588]:  /sbin/ip route add 10.45.168.0/24 via 10.45.168.2
14:24:31 openvpnserver[6588]:  /sbin/ip addr add dev tun0 local 10.45.168.1 peer 10.45.168.2
14:24:31 openvpnserver[6588]:  /sbin/ip link set dev tun0 up
14:24:31 openvpnserver[6588]:  /sbin/ip link set dev tun0 up mtu 1500
14:24:31 openvpnserver[6588]:  TUN/TAP device tun0 opened
14:24:31 openvpnserver[6588]:  ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=red0 HWADDR=08:00:27:cd:e2:aa
14:24:31 openvpnserver[6588]:  CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
14:24:31 openvpnserver[6588]:  Diffie-Hellman initialized with 2048 bit key
14:24:31 openvpnserver[6588]:  NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:24:31 openvpnserver[6588]:  WARNING: --keepalive option is missing from server config
14:24:31 openvpnserver[6587]:  library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
14:24:31 openvpnserver[6587]:  OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct  4 2021
14:24:31 openvpnserver[6587]:  WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
14:24:31 openvpnserver[6587]:  DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

After click stop OpenVPN server (without static address pool)

14:35:24	openvpnserver[8278]: 	SIGTERM[hard,] received, process exiting
14:35:24	openvpnserver[8278]: 	Linux ip addr del failed: external program exited with error status: 2
14:35:24	openvpnserver[8278]: 	/sbin/ip addr del dev tun0 local 10.45.168.1 peer 10.45.168.2
14:35:24	openvpnserver[8278]: 	Closing TUN/TAP interface
14:35:24	openvpnserver[8278]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
14:35:24	openvpnserver[8278]: 	/sbin/ip route del 10.45.168.0/24
14:35:24	openvpnserver[8278]: 	event_wait : Interrupted system call (code=4)

Below after add static address pool

and after click start OpenVPN server (with static address pool)

14:51:38	openvpnserver[11171]: 	Initialization Sequence Completed
14:51:38	openvpnserver[11171]: 	IFCONFIG POOL LIST
14:51:38	openvpnserver[11171]: 	IFCONFIG POOL IPv4: base=10.45.168.4 size=62
14:51:38	openvpnserver[11171]: 	MULTI: multi_init called, r=256 v=256
14:51:38	openvpnserver[11171]: 	UID set to nobody
14:51:38	openvpnserver[11171]: 	GID set to nobody
14:51:38	openvpnserver[11171]: 	UDPv4 link remote: [AF_UNSPEC]
14:51:38	openvpnserver[11171]: 	UDPv4 link local (bound): [AF_INET][undef]:1194
14:51:38	openvpnserver[11171]: 	Socket Buffers: R=[212992->212992] S=[212992->212992]
14:51:38	openvpnserver[11171]: 	Could not determine IPv4/IPv6 protocol. Using AF_INET
14:51:37	openvpnserver[11171]: 	/sbin/ip route add 10.45.168.0/24 via 10.45.168.2
14:51:37	openvpnserver[11171]: 	/sbin/ip route add 192.168.254.0/24 via 10.45.168.2
14:51:37	openvpnserver[11171]: 	/sbin/ip addr add dev tun0 local 10.45.168.1 peer 10.45.168.2
14:51:37	openvpnserver[11171]: 	/sbin/ip link set dev tun0 up
14:51:37	openvpnserver[11171]: 	/sbin/ip link set dev tun0 up mtu 1500
14:51:37	openvpnserver[11171]: 	TUN/TAP device tun0 opened
14:51:37	openvpnserver[11171]: 	ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=red0 HWADDR=08:00:27:cd:e2:aa
14:51:37	openvpnserver[11171]: 	CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
14:51:37	openvpnserver[11171]: 	Diffie-Hellman initialized with 2048 bit key
14:51:37	openvpnserver[11171]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
14:51:37	openvpnserver[11171]: 	WARNING: --keepalive option is missing from server config
14:51:37	openvpnserver[11170]: 	library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
14:51:37	openvpnserver[11170]: 	OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2021
14:51:37	openvpnserver[11170]: 	WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
14:51:37	openvpnserver[11170]: 	DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

after click stop OpenVPN server (with static address pool)

14:55:51	openvpnserver[11171]: 	SIGTERM[hard,] received, process exiting
14:55:51	openvpnserver[11171]: 	Linux ip addr del failed: external program exited with error status: 2
14:55:51	openvpnserver[11171]: 	/sbin/ip addr del dev tun0 local 10.45.168.1 peer 10.45.168.2
14:55:51	openvpnserver[11171]: 	Closing TUN/TAP interface
14:55:51	openvpnserver[11171]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
14:55:51	openvpnserver[11171]: 	/sbin/ip route del 10.45.168.0/24
14:55:51	openvpnserver[11171]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
14:55:51	openvpnserver[11171]: 	/sbin/ip route del 192.168.254.0/24
14:55:51	openvpnserver[11171]: 	event_wait : Interrupted system call (code=4)

Below after adding routing to subnet same as subnet static address pool (in Advanced client options)
Note: Obviously, such entry is incorrect.

after start OpenVPN server

15:40:37	openvpnserver[19096]: 	Initialization Sequence Completed
15:40:37	openvpnserver[19096]: 	IFCONFIG POOL LIST
15:40:37	openvpnserver[19096]: 	IFCONFIG POOL IPv4: base=10.45.168.4 size=62
15:40:37	openvpnserver[19096]: 	MULTI: multi_init called, r=256 v=256
15:40:37	openvpnserver[19096]: 	UID set to nobody
15:40:37	openvpnserver[19096]: 	GID set to nobody
15:40:37	openvpnserver[19096]: 	UDPv4 link remote: [AF_UNSPEC]
15:40:37	openvpnserver[19096]: 	UDPv4 link local (bound): [AF_INET][undef]:1194
15:40:37	openvpnserver[19096]: 	Socket Buffers: R=[212992->212992] S=[212992->212992]
15:40:37	openvpnserver[19096]: 	Could not determine IPv4/IPv6 protocol. Using AF_INET
15:40:37	openvpnserver[19096]: 	/sbin/ip route add 10.45.168.0/24 via 10.45.168.2
15:40:37	openvpnserver[19096]: 	ERROR: Linux route add command failed: external program exited with error status: 2
15:40:37	openvpnserver[19096]: 	/sbin/ip route add 192.168.254.0/24 via 10.45.168.2
15:40:37	openvpnserver[19096]: 	/sbin/ip route add 192.168.254.0/24 via 10.45.168.2
15:40:37	openvpnserver[19096]: 	/sbin/ip addr add dev tun0 local 10.45.168.1 peer 10.45.168.2
15:40:37	openvpnserver[19096]: 	/sbin/ip link set dev tun0 up
15:40:37	openvpnserver[19096]: 	/sbin/ip link set dev tun0 up mtu 1500
15:40:37	openvpnserver[19096]: 	TUN/TAP device tun0 opened
15:40:37	openvpnserver[19096]: 	ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=red0 HWADDR=08:00:27:cd:e2:aa
15:40:37	openvpnserver[19096]: 	CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
15:40:37	openvpnserver[19096]: 	Diffie-Hellman initialized with 2048 bit key
15:40:37	openvpnserver[19096]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
15:40:37	openvpnserver[19096]: 	WARNING: --keepalive option is missing from server config
15:40:37	openvpnserver[19095]: 	library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
15:40:37	openvpnserver[19095]: 	OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2021
15:40:37	openvpnserver[19095]: 	WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
15:40:37	openvpnserver[19095]: 	DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

after click stop OpenVPN server

15:42:29	openvpnserver[19096]: 	SIGTERM[hard,] received, process exiting
15:42:29	openvpnserver[19096]: 	Linux ip addr del failed: external program exited with error status: 2
15:42:29	openvpnserver[19096]: 	/sbin/ip addr del dev tun0 local 10.45.168.1 peer 10.45.168.2
15:42:29	openvpnserver[19096]: 	Closing TUN/TAP interface
15:42:29	openvpnserver[19096]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
15:42:29	openvpnserver[19096]: 	/sbin/ip route del 10.45.168.0/24
15:42:29	openvpnserver[19096]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
15:42:29	openvpnserver[19096]: 	/sbin/ip route del 192.168.254.0/24
15:42:29	openvpnserver[19096]: 	ERROR: Linux route delete command failed: external program exited with error status: 2
15:42:29	openvpnserver[19096]: 	/sbin/ip route del 192.168.254.0/24
15:42:29	openvpnserver[19096]: 	event_wait : Interrupted system call (code=4)

I guess the above data explains “when” (When the OpenVPN server stops)
and maybe it will help in the analysis for smarter folks than me, to answer “why”.

Edit
I made another test:
I stopped the OpenVPN server.
I deleted “user nobody”, “group nobody” in /var/ipfire/openvpn/server.conf file.

After start OpenVPN server

16:48:13	openvpnserver[6819]: 	Initialization Sequence Completed
16:48:13	openvpnserver[6819]: 	IFCONFIG POOL LIST
16:48:13	openvpnserver[6819]: 	IFCONFIG POOL IPv4: base=10.45.168.4 size=62
16:48:13	openvpnserver[6819]: 	MULTI: multi_init called, r=256 v=256
16:48:13	openvpnserver[6819]: 	UDPv4 link remote: [AF_UNSPEC]
16:48:13	openvpnserver[6819]: 	UDPv4 link local (bound): [AF_INET][undef]:1194
16:48:13	openvpnserver[6819]: 	Socket Buffers: R=[212992->212992] S=[212992->212992]
16:48:13	openvpnserver[6819]: 	Could not determine IPv4/IPv6 protocol. Using AF_INET
16:48:13	openvpnserver[6819]: 	/sbin/ip route add 10.45.168.0/24 via 10.45.168.2
16:48:13	openvpnserver[6819]: 	/sbin/ip route add 192.168.254.0/24 via 10.45.168.2
16:48:13	openvpnserver[6819]: 	/sbin/ip addr add dev tun0 local 10.45.168.1 peer 10.45.168.2
16:48:13	openvpnserver[6819]: 	/sbin/ip link set dev tun0 up
16:48:13	openvpnserver[6819]: 	/sbin/ip link set dev tun0 up mtu 1500
16:48:13	openvpnserver[6819]: 	TUN/TAP device tun0 opened
16:48:13	openvpnserver[6819]: 	ROUTE_GATEWAY 10.0.2.2/255.255.255.0 IFACE=red0 HWADDR=08:00:27:cd:e2:aa
16:48:13	openvpnserver[6819]: 	CRL: loaded 1 CRLs from file /var/ipfire/ovpn/crls/cacrl.pem
16:48:13	openvpnserver[6819]: 	Diffie-Hellman initialized with 2048 bit key
16:48:13	openvpnserver[6819]: 	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
16:48:13	openvpnserver[6819]: 	WARNING: --keepalive option is missing from server config
16:48:13	openvpnserver[6818]: 	library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
16:48:13	openvpnserver[6818]: 	OpenVPN 2.5.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Oct 4 2021
16:48:13	openvpnserver[6818]: 	WARNING: --topology net30 support for server configs with IPv4 pools will be removed in a future release. Please migrate to --topology subnet as soon as possible.
16:48:13	openvpnserver[6818]: 	DEPRECATED OPTION: ncp-disable. Disabling cipher negotiation is a deprecated debug feature that will be removed in OpenVPN 2.6

After stop OpenVPN server

16:55:24	openvpnserver[6819]: 	SIGTERM[hard,] received, process exiting
16:55:24	openvpnserver[6819]: 	/sbin/ip addr del dev tun0 local 10.45.168.1 peer 10.45.168.2
16:55:24	openvpnserver[6819]: 	Closing TUN/TAP interface
16:55:24	openvpnserver[6819]: 	/sbin/ip route del 10.45.168.0/24
16:55:24	openvpnserver[6819]: 	/sbin/ip route del 192.168.254.0/24
16:55:24	openvpnserver[6819]: 	event_wait : Interrupted system call (code=4)

No errors :astonished:

:thinking: As I wrote above - I leave the conclusions to those smarter than me.

Not a smart individual here. Still, I have a hypothesis.

According to the documentation, with “nobody” user/group in the config, after initialization OpenVPN drops the root privilege as a security measure. Maybe when you shut it down it cannot close the connection successfully because after downgrading it does not have the privilege anymore? Anyhow, better leave “nobody” in there and ignore those errors than run the server with root privilege all the time.
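A log-triage sketch for the hypothesis above, added here as an example and not code from any poster or from IPFire: it attributes each failed `ip` call to either the privilege drop or to a startup problem that happened while the process was still root. The function name `triage`, the cause strings and the sample lines (abridged from the format of the logs in this thread) are constructed for illustration.

```python
import re

# Accepts syslog lines ("Oct 25 10:08:19 ipfire openvpnserver[17656]: ...")
# and the log-viewer form ("14:35:24 openvpnserver[8278]: ...").
LINE = re.compile(r"openvpnserver\[(\d+)\]:\s*(.*)")
FAIL = re.compile(r"route (add|delete) command failed|ip addr (del) failed")

def triage(text, newest_first=False):
    """Return [(pid, last ip command, cause)] for every failed ip(8) call."""
    lines = text.strip().splitlines()
    if newest_first:                      # the web log viewer lists newest first
        lines.reverse()
    dropped = {}                          # pid -> account named in "UID set to"
    last_cmd = {}                         # pid -> most recent /sbin/ip command
    findings = []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2).strip()
        if msg.startswith("UID set to "):
            dropped[pid] = msg.split()[-1]
        elif msg.startswith("/sbin/ip "):
            last_cmd[pid] = msg
        elif (f := FAIL.search(msg)):
            op = f.group(1) or f.group(2)
            if pid in dropped:            # failure happened after the drop
                cause = f"privileges dropped to {dropped[pid]}"
            elif op == "add":             # routes are added before the drop
                cause = "failed while still root: check the route itself"
            else:                         # startup lines missing from excerpt
                cause = "privilege drop not visible in this excerpt"
            findings.append((pid, last_cmd.get(pid, "?"), cause))
    return findings

# Constructed sample, newest entry first, modelled on the logs in this thread.
SAMPLE = """\
15:42:29 openvpnserver[19096]: SIGTERM[hard,] received, process exiting
15:42:29 openvpnserver[19096]: Linux ip addr del failed: external program exited with error status: 2
15:42:29 openvpnserver[19096]: /sbin/ip addr del dev tun0 local 10.45.168.1 peer 10.45.168.2
15:42:29 openvpnserver[19096]: ERROR: Linux route delete command failed: external program exited with error status: 2
15:42:29 openvpnserver[19096]: /sbin/ip route del 10.45.168.0/24
15:40:37 openvpnserver[19096]: UID set to nobody
15:40:37 openvpnserver[19096]: ERROR: Linux route add command failed: external program exited with error status: 2
15:40:37 openvpnserver[19096]: /sbin/ip route add 192.168.254.0/24 via 10.45.168.2
15:40:37 openvpnserver[19096]: /sbin/ip route add 192.168.254.0/24 via 10.45.168.2
"""

if __name__ == "__main__":
    for pid, cmd, cause in triage(SAMPLE, newest_first=True):
        print(f"[{pid}] {cmd}\n    -> {cause}")
```

Pass `newest_first=True` for excerpts copied from the web log viewer and leave it off for `/var/log/messages`, which is already chronological.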

Firewall works fine, I just don’t like errors in syslog | messages.

:smiley: And who likes to see errors. :wink: :smiley:

I found a post on the OpenVPN forum confirming what @cfusco wrote.
https://forums.openvpn.net/viewtopic.php?t=20824

Tried it on 159, commented out the nobody lines, openvpn starts/stops w/o errors.

Thanks @cfusco and @tphz

@anon42188109 I would leave those lines there though. Better an error message than running with superuser privileges.


@tphz great finding. I looked in the openvpn installation in IPFire for openvpn-plugin-down-root.so

[root@ipfire cfusco]# find / -name openvpn-plugin-down-root.so
/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so

Should we open a bug report?

I just found that how to use the down-root plugin is already described in the wiki.

https://wiki.ipfire.org/configuration/services/openvpn/extensions/plugins/down

This way people can decide if they want to raise the privileges or not for the shutdown.
