improve the Linux configuration instructions #541
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It seems strange to me to have the IP address of the VPN server here. It makes it needlessly difficult for Riseup to move that server and makes the configuration more opaque for users. Instead, switch to the domain name which also removes a duplicate configuration.
The VPN server also listens on port 53, but this wasn't documented in the sample configuration.
This is not relevant for users, while the `auth-user-pass` parameter might be.
The sample config file points to the script available in the Debian package (which works), but the documentation says to install it in a different place (which will fail if users are not running Debian and is useless if they are).
We would previously tell people to overwrite a script already provided in the openvpn Debian package.
In my tests, those instructions do not work at all. OpenVPN does switch to the non-root user, but then when it exits, it cannot cleanup after itself: * routes will be left dangling * the tunnel interface might be left * the resolv.conf file will keep the VPN-specific entries While it would be nice to have a working config like this it seems impractical, in my tests, with the provided instructions. Here is the output when exiting as user "nobody": RTNETLINK answers: Operation not permitted Mon Sep 17 12:09:38 2018 ERROR: Linux route delete command failed: external program exited with error status: 2 RTNETLINK answers: Operation not permitted Mon Sep 17 12:09:38 2018 ERROR: Linux route delete command failed: external program exited with error status: 2 RTNETLINK answers: Operation not permitted Mon Sep 17 12:09:38 2018 ERROR: Linux route delete command failed: external program exited with error status: 2 Mon Sep 17 12:09:38 2018 /sbin/ip addr del dev tun0 172.27.100.15/22 RTNETLINK answers: Operation not permitted Mon Sep 17 12:09:38 2018 Linux ip addr del failed: external program exited with error status: 2 Mon Sep 17 12:09:38 2018 /etc/openvpn/update-resolv-conf tun0 1500 1571 172.27.100.15 255.255.252.0 init rm: cannot remove 'tun0.openvpn': Permission denied Mon Sep 17 12:09:38 2018 WARNING: Failed running command (--up/--down): external program exited with error status: 1 Mon Sep 17 12:09:38 2018 Exiting due to fatal error
The script apparently comes from Debian, but it looks really, really old. There were changes done to the script since then including improvements on error handling and refactoring that make the script easier to read and audit. The script content was synchronized with the OpenVPN 2.4.6-1 Debian package, as available here: https://sources.debian.org/data/main/o/openvpn/2.4.6-1/debian/update-resolv-conf
micah
reviewed
Sep 19, 2018
micah
reviewed
Sep 19, 2018
micah
reviewed
Sep 19, 2018
There was a problem hiding this comment.
I think the reason this was changed to the IP address was because people had difficulty connecting to the VPN when they couldn't resolve things properly. For example, OpenDNS has a "family filter" that lists all VPN providers, including ours, and will just return a NXDOMAIN for us. It turns out this filter is used in a lot of locations, especially cafes and other free wifi spots. I've encountered it numerous times.
|
I think the reason this was changed to the IP address was because people had difficulty connecting to the VPN when they couldn't resolve things properly. For example, OpenDNS has a "family filter" that lists all VPN providers, including ours, and will just return a NXDOMAIN for us. It turns out this filter is used in a lot of locations, especially cafes and other free wifi spots. I've encountered it numerous times. I see. Well I think that's rather unusual - what about if that's available as a comment instead? Otherwise if you feel strongly about this, I can fixup that commit to, instead, document why that's an IP address to resolve the WTF I felt when reading the config. :) Thanks for the review! |
|
anarcat <notifications@github.com> writes:
I see. Well I think that's rather unusual - what about if that's
available as a comment instead?
I'd rather leave it as the IP address, because people are more
frequently simply copying and pasting the config file, rather than
reading the options and deciding what to do with them. When people copy
and paste a config file, and it doesn't work then they come to ask us
why not. Defaulting to it working seems to me better than making it a
comment that we have to tell people to uncomment in a weird network
environment.
Otherwise if you feel strongly about this, I can fixup that commit to,
instead, document why that's an IP address to resolve the WTF I felt
when reading the config. :)
Besides making it more difficult for us to move a server, why is the IP
such a WTF?
|
|
On 2018-09-24 07:53:07, micah wrote:
anarcat ***@***.***> writes:
> I see. Well I think that's rather unusual - what about if that's
> available as a comment instead?
I'd rather leave it as the IP address, because people are more
frequently simply copying and pasting the config file, rather than
reading the options and deciding what to do with them. When people copy
and paste a config file, and it doesn't work then they come to ask us
why not. Defaulting to it working seems to me better than making it a
comment that we have to tell people to uncomment in a weird network
environment.
Well, then you'll want to switch to TCP and port 443 by default. ;)
> Otherwise if you feel strongly about this, I can fixup that commit to,
> instead, document why that's an IP address to resolve the WTF I felt
> when reading the config. :)
Besides making it more difficult for us to move a server, why is the IP
such a WTF?
Because those are difficult to read?
I don't have a strong opinion on this - if you prefer, I'll put it back
the way it was. :)
A.
…--
Every time I see an adult on a bicycle I no longer despair for the
future of the human race.
- H. G. Wells
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a bunch of patches to improve the Linux instructions for the
"red" VPN. Each commit has detailed instructions, but here's an
overview: