Last active
April 11, 2024 17:03
Openvpn DCO kernel module with NetworkManager
# To enable use of the DCO kernel module in OpenVPN connections from NetworkManager.
# Run as root (e.g. from sudo su).
# Only tested with Mint 21.3 so far.
# https://community.openvpn.net/openvpn/wiki/OpenvpnSoftwareRepos
set -e
mkdir -p /etc/apt/keyrings  # directory does not exist on older releases
# curl: fail fast, silent, show errors, follow redirects (location)
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | gpg --dearmor > /etc/apt/keyrings/openvpn-repo-public.gpg
arch=$(dpkg --print-architecture)
# Mint/Ubuntu: use the Ubuntu codename from os-release; Debian: derive the release name from the tzdata package
uver=$( . /etc/os-release; echo "$UBUNTU_CODENAME" )
dver=$(dpkg --status tzdata | grep Provides | cut -f2 -d'-')
if [ -z "$uver" ]
then
    ver=$dver
else
    ver=$uver
fi
echo "deb [arch=${arch} signed-by=/etc/apt/keyrings/openvpn-repo-public.gpg] https://build.openvpn.net/debian/openvpn/stable ${ver} main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn openvpn-dco-dkms
# Activate the kernel module now and load it on every boot
modprobe ovpn_dco_v2
echo ovpn_dco_v2 > /etc/modules-load.d/ovpn_dco_v2.conf
# Add an override so that NetworkManager can create the DCO device.
# Adapted from https://github.com/OpenVPN/openvpn/issues/486
# I have no idea if there is a better way to do this, nor exactly what this does for security.
# Given that the normal way to open a connection would be sudo openvpn..., I can't imagine it's that bad?
# (cap_setpcap is OR-ed into the service's existing CapabilityBoundingSet; the openvpn child
# needs it to keep CAP_NET_ADMIN after dropping to its --user account, see the log line below.)
mkdir -p /etc/systemd/system/NetworkManager.service.d/
printf '[Service]\nCapabilityBoundingSet=cap_setpcap\n' > /etc/systemd/system/NetworkManager.service.d/override.conf
# Not exactly sure which combination of starting and stopping worked
systemctl stop NetworkManager
systemctl daemon-reload
systemctl start NetworkManager
# Don't think it's necessary, and I'd have to pause to wait for the service to start:
# nmcli general reload
# To verify, make a connection, then run:
# journalctl -u NetworkManager.service -b --full --no-pager
# You should see "DCO device tun0 opened".
# If it says "TUN/TAP device tun0 opened" it didn't work.
# You can up the logging with "sudo nmcli general logging level KEEP domains VPN_PLUGIN:debug"
# and then look for a line "--user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload"
# This means NetworkManager didn't grab the new capabilities; try restarting?
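As an added check (example code written for this page, not part of the gist and not from the OpenVPN or NetworkManager projects), the POSIX sh script below turns the three outcomes described in the verification comments into a single status: it classifies `journalctl` output by the quoted log strings above, confirms that `cap_setpcap` really is in NetworkManager's effective bounding set, and confirms the module is loaded. It assumes the stock `systemctl show -p CapabilityBoundingSet` output format (lowercase capability names separated by spaces) and the module name `ovpn_dco_v2`; the sample journal lines are constructed, only the quoted message fragments come from the gist.

```shell
#!/bin/sh
# Added example, not part of the original gist: check whether a NetworkManager
# OpenVPN connection really used DCO, using the log strings the gist lists.
# Assumes the stock output of `systemctl show -p CapabilityBoundingSet`
# (lowercase, space-separated names) and `journalctl -u NetworkManager.service`.

# Read journal lines on stdin; print the outcome of the most recent connection:
#   dco     - "DCO device <if> opened" seen: offload is active
#   tun     - "TUN/TAP device <if> opened" seen: fell back to userspace tun
#   nocap   - openvpn could not keep CAP_NET_ADMIN (override not picked up)
#   unknown - no matching line at all (no connection attempted yet?)
# The TUN/TAP line follows the nocap line in the same attempt, so the more
# specific nocap diagnosis is kept when both appear.
dco_status_from_log() {
    _st=unknown
    while IFS= read -r _line; do
        case $_line in
            *"lacking CAP_SETPCAP"*"Disabling data channel offload"*) _st=nocap ;;
            *"DCO device "*" opened"*) _st=dco ;;
            *"TUN/TAP device "*" opened"*) [ "$_st" = nocap ] || _st=tun ;;
        esac
    done
    printf '%s\n' "$_st"
}

# $1: a "CapabilityBoundingSet=..." line as printed by systemctl show
# $2: capability to look for (any case). Succeeds if it is in the set.
bounding_set_has() {
    _set=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    _set=${_set#capabilityboundingset=}
    _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case " $_set " in
        *" $_want "*) return 0 ;;
    esac
    return 1
}

# Live check on a real host: run this script with --live after applying the gist.
check_live() {
    if lsmod | grep -q '^ovpn_dco_v2'; then
        echo "module: ovpn_dco_v2 loaded"
    else
        echo "module: ovpn_dco_v2 NOT loaded (modprobe ovpn_dco_v2 / check dkms status)"
    fi
    _bs=$(systemctl show -p CapabilityBoundingSet NetworkManager)
    if bounding_set_has "$_bs" cap_setpcap; then
        echo "NetworkManager: cap_setpcap is in the bounding set"
    else
        echo "NetworkManager: cap_setpcap missing; override.conf not applied? (daemon-reload + restart)"
    fi
    echo "last connection: $(journalctl -u NetworkManager.service -b --no-pager 2>/dev/null | dco_status_from_log)"
}

# Constructed sample journal lines (not real captures) for the three outcomes
SAMPLE_DCO='NetworkManager[812]: <info>  vpn: DCO device tun0 opened'
SAMPLE_TUN='NetworkManager[812]: <info>  vpn: TUN/TAP device tun0 opened'
SAMPLE_NOCAP='NetworkManager[812]: <warn>  vpn: --user specified but lacking CAP_SETPCAP. Cannot retain CAP_NET_ADMIN. Disabling data channel offload'

if [ "${1-}" = --live ]; then
    check_live
else
    echo "working:  $(printf '%s\n' "$SAMPLE_DCO" | dco_status_from_log)"
    echo "fallback: $(printf '%s\n' "$SAMPLE_TUN" | dco_status_from_log)"
    echo "no cap:   $(printf '%s\n' "$SAMPLE_NOCAP" "$SAMPLE_TUN" | dco_status_from_log)"
fi
```

Without arguments the script only runs over the constructed samples; `sh check-dco.sh --live` (hypothetical file name) runs the real checks, and the bounding-set check is the quickest way to tell whether the drop-in took effect before trying a connection at all.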
Thanks!
For Fedora 39, I also need to add this SELinux rule:
my-openvpn.te
And compile and install it as: