@queler
Last active April 11, 2024 17:03
Openvpn DCO kernel module with NetworkManager
# To enable use of the DCO kernel module in openvpn connections from networkmanager
# run from sudo su
# only tested with Mint 21.3 so far.
# https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
mkdir -p /etc/apt/keyrings # directory does not exist on older releases
# curl -fsSL: fail fast on HTTP errors, silent, show errors, follow redirects (-L, "location")
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | gpg --dearmor > /etc/apt/keyrings/openvpn-repo-public.gpg
arch=$(dpkg --print-architecture)
# Ubuntu derivatives such as Mint carry the Ubuntu codename in os-release; plain Debian does not
uver=$( . /etc/os-release ; echo "$UBUNTU_CODENAME" )
# fallback: take the Debian codename from tzdata's "Provides: tzdata-<codename>" field
dver=$(dpkg --status tzdata | grep Provides | cut -f2 -d'-')
if [ -z "$uver" ]
then
    ver=$dver
else
    ver=$uver
fi
echo "deb [arch=${arch} signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/stable ${ver} main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn openvpn-dco-dkms
# activate the kernel module now and have it loaded on every boot
modprobe ovpn_dco_v2
echo ovpn_dco_v2 > /etc/modules-load.d/ovpn_dco_v2.conf
# add overrides so that networkmanager can create the DCO device
# adapted from https://github.com/OpenVPN/openvpn/issues/486
# I have no idea if there is a better way to do this nor exactly what this does for security
# Given that the normal way to open a connection would be sudo openvpn... I can't imagine it's that bad?
mkdir -p /etc/systemd/system/NetworkManager.service.d/
printf "[Service]\nCapabilityBoundingSet=cap_setpcap\n" > /etc/systemd/system/NetworkManager.service.d/override.conf
# not exactly sure which combination of starting and stopping worked
systemctl stop NetworkManager
systemctl daemon-reload
systemctl start NetworkManager
# don't think it's necessary and I'd have to pause to wait for the service to start
# nmcli general reload
# to verify make a connection then run:
# journalctl -u NetworkManager.service -b --full --no-pager
# you should see "DCO device tun0 opened"
# if it says "TUN/TAP device tun0 opened" it didn't work
# you can up the logging with "sudo nmcli general logging level KEEP domains VPN_PLUGIN:debug"
# and then look for a line "--user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload"
# this means NetworkManager didn't grab the new Capabilities, try restarting?
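The verification step above, turned into a small check script that is added here and is not part of the gist. It matches the journal messages quoted in the gist and reads `systemctl show -p CapabilityBoundingSet NetworkManager` to confirm the drop-in took effect; the journal excerpts embedded in the block are constructed samples, and the file name check-dco.sh is an assumption.

```shell
#!/bin/sh
# Added helper, not part of the gist: turns the verification step above into
# a repeatable check. The sample journal excerpts below are constructed.

# Read a NetworkManager journal excerpt on stdin and print one word:
#   no-caps  the CAP_SETPCAP warning is present: the override was not applied
#   dco      "DCO device ... opened" is present: offload is active
#   tuntap   only the plain "TUN/TAP device ... opened" line: no offload
#   unknown  nothing relevant in the excerpt
dco_status() {
    log=$(cat)
    case "$log" in
        *"lacking CAP_SETPCAP"*)        echo no-caps ;;
        *"DCO device "*" opened"*)      echo dco ;;
        *"TUN/TAP device "*" opened"*)  echo tuntap ;;
        *)                              echo unknown ;;
    esac
}

# Return 0 when a "systemctl show -p CapabilityBoundingSet NetworkManager"
# line lists CAP_SETPCAP (systemctl prints lowercase names; normalise anyway).
has_setpcap() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *cap_setpcap*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample excerpts matching the messages quoted in the gist.
SAMPLE_DCO='nm-openvpn[1234]: DCO device tun0 opened'
SAMPLE_NOCAP='nm-openvpn[1234]: --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload
nm-openvpn[1234]: TUN/TAP device tun0 opened'
SAMPLE_TUN='nm-openvpn[1234]: TUN/TAP device tun0 opened'

# Live check against the running system (as root: sh check-dco.sh --live).
check_live() {
    caps=$(systemctl show -p CapabilityBoundingSet NetworkManager)
    has_setpcap "$caps" || echo "warning: NetworkManager bounding set lacks CAP_SETPCAP"
    journalctl -u NetworkManager.service -b --full --no-pager | dco_status
}

if [ "${1:-}" = --live ]; then
    check_live
else
    # Demo run over the constructed samples: prints dco, no-caps, tuntap.
    for s in "$SAMPLE_DCO" "$SAMPLE_NOCAP" "$SAMPLE_TUN"; do
        printf '%s\n' "$s" | dco_status
    done
fi
```

The no-caps verdict takes precedence over the TUN/TAP line because, as the gist notes, the warning is the actual cause and the TUN/TAP fallback merely follows from it.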
@ValdikSS
ValdikSS commented Apr 11, 2024

Thanks!

For Fedora 39, I also need to add this SELinux rule:

my-openvpn.te

module my-openvpn 1.0;

require {
        type openvpn_t;
        class netlink_generic_socket { bind create getattr read setopt write };
}

#============= openvpn_t ==============

allow openvpn_t self:netlink_generic_socket { bind create getattr setopt read write };

And compile and install it as:

checkmodule -M -m -o my-openvpn.mod my-openvpn.te
semodule_package -o my-openvpn.pp -m my-openvpn.mod
semodule -X 300 -i my-openvpn.pp
