
macOS needs admin/sudo for ovpncli and cannot run ovpncliagent with ovpnagent from /Applications/OpenVPN Connect.app due to OVPNAGENT_NAME_STRING discrepancy #310

Open
JohnDDuncanIII opened this issue May 21, 2024 · 2 comments

Comments


JohnDDuncanIII commented May 21, 2024

Hello,

I am working on a script for our devops team that will allow us to connect to openvpn from the command line and authenticate using SSO.

tl;dr: is there a way to compile the ovpnagent server alongside the ovpncli and ovpncliagent clients on macOS? There is a discrepancy between the OVPNAGENT_NAME_STRING in the OpenVPN Connect.app ovpnagent (agent_ovpnconnect.sock) and the one that ovpncliagent (ovpnagent.sock) from openvpn3 expects.

For some background, we are using macOS 14.5 and have installed:

  • the commercial OpenVPN connect app Version 3.4.9 (4830) with /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent OpenVPN Agent (Mac) 0.1.1 [OpenSSL]
    • we would like to delete the OpenVPN connect app since it is written using Electron and bloats its .app size to 241.5MB
  • openvpn2 OpenVPN 2.6.10 command line client from homebrew
    • we are unable to use this at all since it does not seem to support the --sso-methods command line argument
  • openvpn3 OpenVPN cli 1.0/OpenVPN core 3.9_git:master mac arm64 64-bit command line client (as described in the README.rst of this repo) since it does not exist as a formula in homebrew

Ideally, we only want to have openvpn3 installed and used from the command line, but have run into a couple of issues:

  1. ./ovpncli ~/profile.ovpn --sso-methods openurl,webauth,crtext --auto-sess --auth-retry --persist-tun --timeout=-1 does not work due to the following errors:

# TUN Error: utun_error: cannot open available utun device
# EVENT: TUN_IFACE_CREATE utun_error: cannot open available utun device

  2. sudo ./ovpncli ~/profile.ovpn --sso-methods openurl,webauth,crtext --auto-sess --auth-retry --persist-tun --timeout=-1 works as expected and fixes the issue described in 1), but, ideally, we don't want engineers to have to type their sudo password every day when they connect, so we then tried using the ovpncliagent, which does not require administrator privileges since it taps into the ovpnagent which is started on login by the root user.

See:

  3. ./ovpncliagent ~/profile.ovpn --sso-methods openurl,webauth,crtext --auto-sess --auth-retry --persist-tun --timeout=-1 fails due to error

Transport Error: socket_protect error (UDP)
Client terminated, restarting in 2000 ms...
EVENT: RECONNECTING
Contacting via UDP
EVENT: WAIT
UnixCommandAgent: transmitting bypass route to /var/run/ovpnagent.sock
{
"host" : "",
"ipv6" : false,
"pid" : 1605
}

From the issue linked below, it seems that the above error occurs when the ovpnagent from the commercial OpenVPN Connect app is not running, but macOS starts this process for us automatically at login, so that's not our problem. I also tried manually terminating ovpnagent and then running sudo /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent, but that leads to the same issue as described above.

See:


Something interesting I noticed is that the OpenVPN connect app Version 3.4.9 ovpnagent uses

  • HTTP Listen: http-listen /var/run/agent_ovpnconnect.sock UnixStream 1

While the openvpn3 uses

  • UnixCommandAgent: transmitting bypass route to /var/run/ovpnagent.sock

Perhaps the discrepancy here is the fact that openvpn3 uses /var/run/ovpnagent.sock and the OpenVPN Connect.app ovpnagent uses /var/run/agent_ovpnconnect.sock? I think this might be the problem which is preventing the ovpncliagent compiled from this project to work correctly.

$ stat /var/run/agent_ovpnconnect.sock
16777234 164137969 srwxrwxrwx 1 root daemon 0 0 "May 21 11:03:20 2024" "May 21 11:03:20 2024" "May 21 11:03:20 2024" "May 21 11:03:20 2024" 4096 0 0 /var/run/agent_ovpnconnect.sock

$ stat /var/run/ovpnagent.sock
stat: /var/run/ovpnagent.sock: stat: No such file or directory

In openvpn3, this string is defined in openvpn3/openvpn/ovpnagent/mac/ovpnagent.cpp:

ret = ovpnagent("/var/run/" OVPNAGENT_NAME_STRING ".sock", logfile, append, pidfile, user, group);

It seems like the likely source of this discrepancy is that OVPNAGENT_NAME_STRING is agent_ovpnconnect in the commercial OpenVPN Connect.app and ovpnagent in this repo.

Should I be manually compiling the ovpnagent from this repo and using it alongside the ovpncliagent? As far as I can tell, the ~/src/build-openvpn3/test/ovpncli directory only includes ovpncli and ovpncliagent, which are both clients, but not the ovpnagent HTTP server which comes from the OpenVPN Connect.app and runs as root on login.

It sounds like, to fix this, I will probably also need to compile the ovpnagent and add it as a launch item that is invoked by root; are there instructions for this anywhere in the repo?

Thanks!


JohnDDuncanIII commented May 29, 2024

We decided to keep the commercial OpenVPN Connect app installed since some engineers prefer to use the visual interface, so the fix here for our command line script is to run

# you only have to do this once on initial setup
$ sudo ln -s /var/run/agent_ovpnconnect.sock /var/run/ovpnagent.sock
# this is invoked w/ admin privileges by OpenVPN Connect.app automatically upon login, so most users will not need to do this
$ sudo /Library/Frameworks/OpenVPNConnect.framework/Versions/Current/usr/sbin/ovpnagent &
# now we can start openvpn3 from our script without using sudo!
$ ./ovpncliagent ~/profile.ovpn --sso-methods openurl,webauth,crtext --auto-sess --auth-retry --persist-tun --timeout=-1
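The symlink fix above points a root-owned agent socket at the path ovpncliagent expects, so a small pre-flight check before the `sudo ln -s` step is worth having in a devops script: confirm the Connect.app path really is a Unix socket owned by root (the `stat` output in the first comment shows it is also mode 0777, which the check reports as a warning), and refuse to overwrite anything that already exists at `/var/run/ovpnagent.sock`. The following is an added example, not code from the issue or from the openvpn3 project; the two socket paths and the uid check are taken from the issue, while the function names (`inspect_agent_socket`, `plan_agent_link`, `preflight`) and the temp-directory demo are assumptions made for illustration.

```python
"""Pre-flight checks before pointing ovpncliagent at the Connect.app agent socket.
Added example; the socket paths come from the GitHub issue, everything else is illustrative."""
import os
import socket
import stat
import tempfile

# Paths from the issue: OpenVPN Connect.app's ovpnagent listens on the first,
# ovpncliagent built from openvpn3 (OVPNAGENT_NAME_STRING = "ovpnagent")
# looks for the second.
CONNECT_AGENT_SOCK = "/var/run/agent_ovpnconnect.sock"
EXPECTED_AGENT_SOCK = "/var/run/ovpnagent.sock"


def inspect_agent_socket(path, expected_uid=0):
    """Check that PATH is a Unix socket owned by expected_uid (root by default).

    Returns (errors, warnings). Empty errors means the path is usable.
    A world-writable socket is only a warning: the Connect.app agent socket
    is mode 0777 per the stat output in the issue, so refusing it would break
    the very setup being checked, but it is worth logging.
    """
    errors, warnings = [], []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing: %s" % path], warnings
    if stat.S_ISLNK(st.st_mode):
        # Accept a symlinked socket but record where it points.
        warnings.append("%s is a symlink to %s" % (path, os.path.realpath(path)))
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return ["dangling symlink: %s" % path], warnings
    if not stat.S_ISSOCK(st.st_mode):
        errors.append("not a socket: %s" % path)
    if st.st_uid != expected_uid:
        errors.append("owner uid %d, expected %d: %s" % (st.st_uid, expected_uid, path))
    if st.st_mode & stat.S_IWOTH:
        warnings.append("world-writable: %s" % path)
    return errors, warnings


def plan_agent_link(expected=EXPECTED_AGENT_SOCK, agent=CONNECT_AGENT_SOCK):
    """Decide whether the 'sudo ln -s' step from the issue is needed or safe.

    'link'     nothing at the expected path; creating the symlink is safe
    'ok'       the expected path is already a symlink to the agent socket
    'conflict' something else is there; never overwrite it blindly
    """
    if not os.path.lexists(expected):
        return "link"
    if os.path.islink(expected) and os.readlink(expected) == agent:
        return "ok"
    return "conflict"


def preflight(agent=CONNECT_AGENT_SOCK, expected=EXPECTED_AGENT_SOCK, expected_uid=0):
    """Run both checks; True means ovpncliagent can be started (after linking if needed)."""
    errors, warnings = inspect_agent_socket(agent, expected_uid)
    for w in warnings:
        print("warning:", w)
    for e in errors:
        print("error:", e)
    plan = plan_agent_link(expected, agent)
    print("link plan:", plan)
    return not errors and plan in ("ok", "link")


def demo_in_tempdir():
    """Exercise the checks against constructed files in a temp dir (no root needed)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        agent = os.path.join(d, "agent.sock")        # constructed stand-in for the agent socket
        plain = os.path.join(d, "plain.txt")         # constructed non-socket file
        expected = os.path.join(d, "ovpnagent.sock")  # constructed stand-in for the expected path
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(agent)  # bind() creates a real socket file on disk
        with open(plain, "w") as f:
            f.write("not a socket\n")
        me = os.getuid()  # the temp files are owned by us, not root
        results["socket_errors"] = inspect_agent_socket(agent, me)[0]
        results["plain_errors"] = inspect_agent_socket(plain, me)[0]
        results["missing_errors"] = inspect_agent_socket(agent + ".nope", me)[0]
        results["plan_before"] = plan_agent_link(expected, agent)
        os.symlink(agent, expected)
        results["plan_after"] = plan_agent_link(expected, agent)
        results["plan_conflict"] = plan_agent_link(plain, agent)
        results["preflight"] = preflight(agent, expected, me)
        listener.close()
    return results


if __name__ == "__main__":
    print(demo_in_tempdir())
    # On a macOS host with OpenVPN Connect installed, run the real check with
    # preflight(); only create the symlink when the plan is "link".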


savely-krasovsky commented Jul 4, 2024

@JohnDDuncanIII we've built a custom OpenVPN3-based client with SSO support and a GUI using ovpnagent, but we didn't use ovpncli. In our case it was enough to build the library and ovpnagent with custom build flags. The library was later linked to a Go-based client using SWIG.

openvpn\ovpnagent\mac\CMakeLists.txt file:

target_compile_definitions(agent_macos PRIVATE OVPNAGENT_NAME=our_custom_agent_name_to_avoid_collisions)

client\CMakeLists.txt file:

target_compile_definitions(ovpnclilib PRIVATE OPENVPN_COMMAND_AGENT OVPNAGENT_NAME=our_custom_agent_name_to_avoid_collisions)

Basically that's it. For a development build you can also add OVPNAGENT_DISABLE_PATH_CHECK to temporarily disable the path check (for the sake of debugging simplicity).

In your case it means you can build openvpn3 with OVPNAGENT_NAME=agent_ovpnconnect to mimic OpenVPN Connect behavior and reuse its own agent. Users will need to install OpenVPN Connect and then your custom-built client.
