🐛 [transmission-openvpn] Addon fails to start due to new permission requirements #1666

Open
santaryan opened this issue Dec 13, 2024 · 3 comments
Labels
bug Something isn't working stale Element will be closed automatically

Comments

@santaryan

santaryan commented Dec 13, 2024

Description

The openvpn fails to start. See similar issues below.

See:
haugene/docker-transmission-openvpn#2883
haugene/docker-transmission-openvpn#2894
haugene/docker-transmission-openvpn#2900

Reproduction steps

Just try to start the container with a valid openvpn config.

Addon Logs

+ CONFIG_STATUS=
+ [[ '' == \u\n\k\n\o\w\n ]]
+ [[ '' != \f\a\i\l\u\r\e ]]
+ CONFIG_STATUS=unknown
+ sed -i '/^; status.*$/d' /etc/openvpn/pia/default.ovpn
+ sed -i '$q' /etc/openvpn/pia/default.ovpn
+ echo '; status unknown'
+ [[ unknown == \f\a\i\l\u\r\e ]]
+ [[ -x /scripts/openvpn-post-config.sh ]]
+ mkdir -p /config
+ [[ -f /run/secrets/openvpn_creds ]]
Setting OpenVPN credentials...
+ [[ * == \*\*\N\o\n\e\*\* ]]
+ [[ N0t3p@D!! == \*\*\N\o\n\e\*\* ]]
+ echo 'Setting OpenVPN credentials...'
+ echo -e '*\*'
+ chmod 600 /config/openvpn-credentials.txt
+ [[ -f /run/secrets/rpc_creds ]]
+ export CONFIG=/etc/openvpn/pia/default.ovpn
+ CONFIG=/etc/openvpn/pia/default.ovpn
+ python3 /etc/openvpn/persistEnvironment.py /etc/transmission/environment-variables.sh
+ TRANSMISSION_CONTROL_OPTS='--script-security 2 --route-up /etc/openvpn/tunnelUp.sh --route-pre-down /etc/openvpn/tunnelDown.sh'
+ [[ false == \t\r\u\e ]]
+ [[ -n *.*.*.*/* ]]
++ /sbin/ip route list match *.*.*.*
++ awk '{if($5!="tun0"){print "GW="$3"\nINT="$5; exit}}'
+ eval GW=*.*.*.* INT=eth0
++ GW=*.*.*.*
++ INT=eth0
+ [[ false == \t\r\u\e ]]
+ [[ false == \t\r\u\e ]]
+ [[ -n *.*.*.*/* ]]
+ [[ -n *.*.*.* ]]
+ [[ -n eth0 ]]
+ for localNet in ${LOCAL_NETWORK//,/ }
+ echo 'adding route to local network *.*.*.*/* via *.*.*.* dev eth0'
adding route to local network *.*.*.*/* via *.*.*.* dev eth0
+ /sbin/ip route replace *.*.*.*/* via *.*.*.* dev eth0
+ [[ false == \t\r\u\e ]]
+ [[ -x /scripts/routes-post-start.sh ]]
+ [[ false != \f\a\l\s\e ]]
+ exec openvpn --script-security 2 --route-up /etc/openvpn/tunnelUp.sh --route-pre-down /etc/openvpn/tunnelDown.sh --config /etc/openvpn/pia/default.ovpn
2024-12-13 01:50:46 DEPRECATED OPTION: --cipher set to 'aes-128-cbc' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'aes-128-cbc' to --data-ciphers or change --cipher 'aes-128-cbc' to --data-ciphers-fallback 'aes-128-cbc' to silence this warning.
2024-12-13 01:50:46 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2024-12-13 01:50:46 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-12-13 01:50:46 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-12-13 01:50:46 CRL: loaded 1 CRLs from file -----BEGIN X509 CRL-----
******
-----END X509 CRL-----
2024-12-13 01:50:46 TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:*
2024-12-13 01:50:46 Socket Buffers: R=[*->*] S=[*->*]
2024-12-13 01:50:46 UDP link local: (not bound)
2024-12-13 01:50:46 UDP link remote: [AF_INET]*.*.*.*:*
2024-12-13 01:50:46 TLS: Initial packet from [AF_INET]*.*.*.*:*, sid=* *
2024-12-13 01:50:46 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2024-12-13 01:50:46 VERIFY OK: depth=1, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=Private Internet Access, name=Private Internet Access, [email protected]
2024-12-13 01:50:46 VERIFY KU OK
2024-12-13 01:50:46 Validating certificate extended key usage
2024-12-13 01:50:46 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2024-12-13 01:50:46 VERIFY EKU OK
2024-12-13 01:50:46 VERIFY OK: depth=0, C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=*, name=*
2024-12-13 01:50:47 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA512
2024-12-13 01:50:47 [*] Peer Connection Initiated with [AF_INET]*.*.*.*:*
2024-12-13 01:50:47 PUSH: Received control message: 'PUSH_REPLY,comp-lzo no,redirect-gateway def1,route-ipv6 *,dhcp-option DNS *.*.*.*,route-gateway *.*.*.*,topology subnet,ping 10,ping-restart 60,ifconfig *.*.*.* *.*.*.*,peer-id 11,cipher AES-128-GCM'
2024-12-13 01:50:47 OPTIONS IMPORT: timers and/or timeouts modified
2024-12-13 01:50:47 OPTIONS IMPORT: compression parms modified
2024-12-13 01:50:47 OPTIONS IMPORT: --ifconfig/up options modified
2024-12-13 01:50:47 OPTIONS IMPORT: route options modified
2024-12-13 01:50:47 OPTIONS IMPORT: route-related options modified
2024-12-13 01:50:47 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2024-12-13 01:50:47 OPTIONS IMPORT: peer-id set
2024-12-13 01:50:47 OPTIONS IMPORT: adjusting link_mtu to 1625
2024-12-13 01:50:47 OPTIONS IMPORT: data channel crypto options modified
2024-12-13 01:50:47 Data Channel: using negotiated cipher 'AES-128-GCM'
2024-12-13 01:50:47 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2024-12-13 01:50:47 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
2024-12-13 01:50:47 net_route_v4_best_gw query: dst *.*.*.*
2024-12-13 01:50:47 net_route_v4_best_gw result: via *.*.*.* dev eth0
2024-12-13 01:50:47 ROUTE_GATEWAY *.*.*.*/*.*.*.* IFACE=eth0 HWADDR=00:00:00:00:00:00
2024-12-13 01:50:47 GDG6: remote_host_ipv6=n/a
2024-12-13 01:50:47 net_route_v6_best_gw query: dst ::
2024-12-13 01:50:47 sitnl_send: rtnl: generic error (-101): Network is unreachable
2024-12-13 01:50:47 ROUTE6: default_gateway=UNDEF
2024-12-13 01:50:47 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
2024-12-13 01:50:47 Exiting due to fatal error

Architecture

amd64

OS

Virtual Machine

@santaryan santaryan added the bug Something isn't working label Dec 13, 2024
@alexbelgium
Owner

Hi, both options are already set in the add-on config file. I think it is a bug with HA, as someone reported the same error on qbittorrent.

@santaryan
Author

Yeah I realized that after looking through the config.json.

I forked and enabled full_access (and subsequently disabled protection in HA). This allowed everything to start up and works for me for now. This is obviously not the correct solution and something else is going wrong.
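A least-privilege pre-flight check for this failure, added here as an example and not taken from the add-on's start script or from the comments above. Inside a container, openvpn needs exactly two things to open a tun device: CAP_NET_ADMIN in its effective capability set and the /dev/net/tun character device passed through. The script below checks both and reports which one is missing before openvpn would be exec'd, so the answer is to fix the add-on's device/capability settings rather than to enable full_access and switch protection mode off. The function names, the constructed /proc/<pid>/status file and the demo's capability masks are the example's own; capability number 12 for CAP_NET_ADMIN comes from linux/capability.h, and 00000000a80425fb is the effective mask an unprivileged Docker container commonly gets (CAP_NET_RAW, bit 13, but no CAP_NET_ADMIN).

```shell
#!/usr/bin/env bash
# Added example (not the add-on's own start script): verify the two things
# openvpn needs to open /dev/net/tun before exec'ing it, so a permission
# problem yields a clear message instead of "Operation not permitted".
set -u

CAP_NET_ADMIN_BIT=12          # capability number from linux/capability.h

# cap_has BIT HEXMASK: succeed if capability BIT is set in the hex mask
# (the mask is the value printed on the CapEff: line of /proc/<pid>/status).
cap_has() {
  bit="$1"; mask="$2"
  [ -n "$mask" ] || return 1                      # no CapEff line at all
  [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_from_status [FILE]: extract the CapEff mask (default: this process)
cap_eff_from_status() {
  awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# tun_preflight [STATUSFILE] [TUNDEV]: return 0 only if both requirements
# hold; otherwise print one line per missing requirement to stderr.
tun_preflight() {
  status="${1:-/proc/self/status}"; tun="${2:-/dev/net/tun}"; rc=0
  caps=$(cap_eff_from_status "$status")
  if ! cap_has "$CAP_NET_ADMIN_BIT" "$caps"; then
    echo "CAP_NET_ADMIN missing (CapEff=$caps): grant NET_ADMIN to the container" >&2
    rc=1
  fi
  if [ ! -c "$tun" ]; then
    echo "$tun is not a character device: pass /dev/net/tun through to the container" >&2
    rc=1
  fi
  return "$rc"
}

# Demo on a constructed status file (not captured from a real container):
# 00000000a80425fb is the mask an unprivileged Docker container usually gets,
# which includes CAP_NET_RAW (bit 13) but not CAP_NET_ADMIN (bit 12).
demo_status=$(mktemp)
printf 'CapEff:\t00000000a80425fb\n' > "$demo_status"
if tun_preflight "$demo_status"; then
  echo "preflight ok, safe to exec openvpn"
else
  echo "preflight failed: fix the add-on's devices/privileged settings rather than enabling full_access"
fi
rm -f "$demo_status"
```

Run it with no arguments inside the add-on container to test the real process (it reads /proc/self/status and /dev/net/tun); the demo at the bottom only exercises the constructed file. If CAP_NET_ADMIN is reported missing even though the add-on config requests NET_ADMIN and /dev/net/tun, the supervisor is not applying those settings, which is what this issue describes.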

Contributor

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale Element will be closed automatically label Dec 22, 2024
Development

No branches or pull requests

2 participants