Rootless VPN-client broken #1194

Closed
ersonp opened this issue May 13, 2022 · 2 comments
Labels
bug Something isn't working


ersonp commented May 13, 2022

Describe the bug
When a visor is started as non-root and the vpn-client is given permission via sudo setcap 'cap_net_admin+p' ./apps/vpn-client, starting and stopping the vpn-client gives an "RTNETLINK answers: Operation not permitted" error every second try, and works with no issues half the time.

Environment information:

  • OS: e.g. Linux
  • Platform: Linux 5.13.0-41-generic x86_64

Steps to Reproduce
Steps to reproduce the behavior:

  1. Run sudo setcap 'cap_net_admin+p' ./apps/vpn-client
  2. Start Visor ./skywire-visor -c skywire-config.json
  3. Start and stop vpn-client multiple times
  4. See error

Actual behavior
on vpn-client start

[2022-05-13T11:49:28+05:30] INFO [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Request processed. _elapsed="1.250974264s" _method="Dial" _received="11:49AM" input=022cfaa6aeda9a332d70309424d03c0880d82e3cd104201819d91cc4ad59dd1552:44 output=&{ConnID:2 LocalPort:49154}
[2022-05-13T11:49:28+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Dialed 022cfaa6aeda9a332d70309424d03c0880d82e3cd104201819d91cc4ad59dd1552:44
[2022-05-13T11:49:28+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Sending client hello: {[192.168.0.116 172.17.0.1 175.0.0.1 174.0.0.1 192.168.0.1] }
2022/05/13 11:49:29 [erson-69/ah1iSB2tme-000009] "GET http://localhost:8000/api/visors/021b09a8563898b6299dba3c90067c2a0fce77e07b52a5ce7f4035321842c97955/summary HTTP/1.1" from [::1]:34390 - 200 3286B in 2.316357ms
2022/05/13 11:49:29 [erson-69/ah1iSB2tme-000010] "GET http://localhost:8000/api/visors/021b09a8563898b6299dba3c90067c2a0fce77e07b52a5ce7f4035321842c97955/apps/vpn-client/connections HTTP/1.1" from [::1]:34392 - 200 125B in 164.211µs
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Got server hello: {OK 172.16.0.4 172.16.0.3}Performed handshake with 022cfaa6aeda9a332d70309424d03c0880d82e3cd104201819d91cc4ad59dd1552:44
[2022-05-13T11:49:29+05:30] INFO (STDERR) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: RTNETLINK answers: Operation not permitted
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Local TUN IP: 172.16.0.4
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Local TUN gateway: 172.16.0.3
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: CREATING TUN INTERFACE
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Allocated TUN utun4: <nil>
[2022-05-13T11:49:29+05:30] INFO (STDOUT) [proc:vpn-client:b3cd239e8d494e00b2e1870a2f157e99]: Setting up TUN device with: 172.16.0.4 and Gateway 172.16.0.3error serving app conn: error setting up TUN utun4: error setting gateway for interface: error running command "ip r add 172.16.0.4 via 172.16.0.3": exit status 2: RTNETLINK answers: Operation not permitted

on vpn-client stop

[2022-05-13T11:38:15+05:30] INFO (STDERR) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: time="2022-05-13T11:38:15+05:30" level=info msg="Closing TUN"
[2022-05-13T11:38:15+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Error resending traffic from TUN utun4 to VPN server: io: read/write on closed pipe
[2022-05-13T11:38:16+05:30] INFO (STDERR) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: RTNETLINK answers: Operation not permitted
2022/05/13 11:38:16 [erson-69/ia4Tz9utDB-000490] "PUT http://localhost:8000/api/visors/021b09a8563898b6299dba3c90067c2a0fce77e07b52a5ce7f4035321842c97955/apps/vpn-client HTTP/1.1" from [::1]:34362 - 200 175B in 1.022295419s
2022/05/13 11:38:16 [erson-69/ia4Tz9utDB-000491] "GET http://localhost:8000/api/visors/021b09a8563898b6299dba3c90067c2a0fce77e07b52a5ce7f4035321842c97955/summary HTTP/1.1" from [::1]:34364 - 200 2159B in 2.304324ms
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Error resending traffic from VPN server to TUN utun4: read tun: file already closed
[2022-05-13T11:38:16+05:30] INFO (STDERR) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: RTNETLINK answers: Operation not permitted
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 192.53.112.166
[2022-05-13T11:38:16+05:30] INFO (STDERR) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: 2022/05/13 11:38:15 rpc.Serve: accept:accept tcp 127.0.0.1:35061: use of closed network connection
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Error removing direct route to 192.53.112.166: error running command "ip r del 192.53.112.166/32 via 192.168.0.1": exit status 2: RTNETLINK answers: Operation not permitted
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]:
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 192.53.112.61
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Error removing direct route to 192.53.112.61: error running command "ip r del 192.53.112.61/32 via 192.168.0.1": exit status 2: RTNETLINK answers: Operation not permitted
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]:
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 192.53.112.183
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 192.53.112.186
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 194.5.192.160
[2022-05-13T11:38:16+05:30] INFO (STDOUT) [proc:vpn-client:a9ff9c40ed2f426f8da9115eccea4ee1]: Removing direct route to 139.162.141.220

ersonp added the bug label May 13, 2022

ersonp commented May 25, 2022

This works

sudo chown root ./apps/vpn-client
sudo chmod 4755 ./apps/vpn-client

ersonp mentioned this issue May 26, 2022
jdknives changed the title from "Abnormal RTNETLINK behaviour with sudo setcap 'cap_net_admin+p'" to "Rootless VPN-client broken" May 27, 2022

mrpalide commented Jun 3, 2022

Actually, the same situation was reported here as a bug, and they decided to solve it by giving root access to the process, the same as we do with

sudo chown root ./apps/vpn-client
sudo chmod 4755 ./apps/vpn-client

So, because it's in fact a bug, we can use the same solution and close this issue.
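
Added example, not part of the thread or the project's code: the failing operations in the logs are `ip r add` and `ip r del` run as child commands, so what matters is which capabilities survive each execve. This Go model applies the transformation rules from capabilities(7) to the two setups discussed, `setcap 'cap_net_admin+p'` and a root-owned binary with `chmod 4755`; `Proc`, `File`, `Exec` and `Chain` are hypothetical names, `ip` is assumed to carry no file capabilities, and whether vpn-client raises ambient capabilities is not shown on this page.

```go
package main

import "fmt"

const CapNetAdmin = uint64(1) << 12     // CAP_NET_ADMIN is capability bit 12
const FullBounding = uint64(1)<<41 - 1 // assumed: 41 capabilities, as on kernel 5.13

// Proc holds a process's capability sets as bitmasks; Root means effective UID 0.
type Proc struct {
	Inh, Prm, Eff, Bnd, Amb uint64
	Root                    bool
}
// File is what execve reads from a binary: setcap sets, or the setuid-root bit.
type File struct {
	Inh, Prm           uint64
	EffBit, SetuidRoot bool
}

// Exec applies the execve capability transformation from capabilities(7).
func Exec(p Proc, f File) Proc {
	n := Proc{Inh: p.Inh, Bnd: p.Bnd, Root: p.Root || f.SetuidRoot}
	if !(f.SetuidRoot || f.Inh != 0 || f.Prm != 0 || f.EffBit) {
		n.Amb = p.Amb // ambient set survives only when the file is unprivileged
	}
	if n.Root { // for UID 0 the file sets count as all ones, effective bit on
		f.Inh, f.Prm, f.EffBit = ^uint64(0), ^uint64(0), true
	}
	n.Prm = (p.Inh & f.Inh) | (f.Prm & p.Bnd) | n.Amb
	n.Eff = n.Amb
	if f.EffBit {
		n.Eff = n.Prm
	}
	return n
}

// Chain models an unprivileged visor starting client, which then runs `ip`.
// raiseAmbient models a client that first raises CAP_NET_ADMIN as ambient.
func Chain(client File, raiseAmbient bool) (c, ip Proc) {
	c = Exec(Proc{Bnd: FullBounding}, client)
	if raiseAmbient && c.Prm&CapNetAdmin != 0 {
		c.Inh, c.Amb, c.Eff = c.Inh|CapNetAdmin, c.Amb|CapNetAdmin, c.Eff|CapNetAdmin
	}
	return c, Exec(c, File{})
}

func main() {
	_, a := Chain(File{Prm: CapNetAdmin}, false)
	_, b := Chain(File{SetuidRoot: true}, false)
	fmt.Printf("ip effective: setcap +p=%#x, chmod 4755=%#x\n", a.Eff, b.Eff)
}
```

Under these assumptions the setuid-root setup leaves the `ip` child with every capability in the bounding set, while the file-capability setup gives it CAP_NET_ADMIN only if the parent raises it as ambient first.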
