From cad603c484acab3cfeb53d322e9590d7ff75fe96 Mon Sep 17 00:00:00 2001
From: Stanislas
Date: Fri, 13 Feb 2026 18:36:08 +0100
Subject: [PATCH] fix: add AppArmor override for management socket on Ubuntu 25.04+ (#1469)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## Summary

- Ubuntu 25.04+ ships an AppArmor profile (`/etc/apparmor.d/openvpn`) that blocks the management unix socket in `/run/openvpn-server/`, causing OpenVPN to fail to start with `Permission denied`
- Add a local AppArmor override (`/etc/apparmor.d/local/openvpn`) during install to permit access
- Clean up the override on uninstall

Tested on a fresh Ubuntu 25.10 DigitalOcean droplet — install, service start, and uninstall all work correctly.

Closes #1467 #1449 #1450
---
 openvpn-install.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/openvpn-install.sh b/openvpn-install.sh
index 6229427..a59c90d 100755
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -3133,6 +3133,21 @@ verb 3"
 		run_cmd "Patching service file (RuntimeDirectory)" sed -i '/\[Service\]/a RuntimeDirectory=openvpn-server' /etc/systemd/system/openvpn-server@.service
 	fi
 
+	# AppArmor: Ubuntu 25.04+ ships an enforcing profile for OpenVPN
+	# (/etc/apparmor.d/openvpn) that doesn't allow the management unix socket
+	# in /run/openvpn-server/. Add a local override to permit this.
+	if [[ -f /etc/apparmor.d/openvpn ]]; then
+		log_info "Configuring AppArmor for OpenVPN..."
+		mkdir -p /etc/apparmor.d/local
+		if [[ ! -f /etc/apparmor.d/local/openvpn ]] || ! grep -q "openvpn-server" /etc/apparmor.d/local/openvpn; then
+			{
+				echo "# Allow OpenVPN management socket and status files in openvpn-server directory"
+				echo "/{,var/}run/openvpn-server/** rw,"
+			} >>/etc/apparmor.d/local/openvpn
+		fi
+		run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn
+	fi
+
 	run_cmd "Reloading systemd" systemctl daemon-reload
 	run_cmd "Enabling OpenVPN service" systemctl enable openvpn-server@server
 	# In fingerprint mode, delay service start until first client is created
@@ -4487,6 +4502,14 @@ function removeOpenVPN() {
 	run_cmd "Removing sysctl config" rm -f /etc/sysctl.d/99-openvpn.conf
 	run_cmd "Removing OpenVPN logs" rm -rf /var/log/openvpn
 
+	# AppArmor local override
+	if [[ -f /etc/apparmor.d/local/openvpn ]]; then
+		run_cmd "Removing AppArmor local override" rm -f /etc/apparmor.d/local/openvpn
+		if [[ -f /etc/apparmor.d/openvpn ]]; then
+			run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn 2>/dev/null || true
+		fi
+	fi
+
 	# Unbound
 	if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then
 		removeUnbound
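Review bot: The reload on the `run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn` line is gated only on the profile file existing, not on AppArmor being loadable; inside an LXC/Docker container or on a kernel booted with AppArmor disabled the file is still present but `apparmor_parser -r` exits non-zero, and unlike the uninstall hunk this call carries no `|| true`, so depending on how `run_cmd` treats a failure an otherwise working install could abort here. Keep writing the override unconditionally (it is harmless and takes effect once AppArmor is active) but wrap just the reload: `if command -v apparmor_parser >/dev/null 2>&1 && [[ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" == "Y" ]]; then` … `fi`. The idempotence test `grep -q "openvpn-server"` is also looser than the rule it guards — any pre-existing line that mentions openvpn-server (a comment, a read-only or deny rule) suppresses the append and the socket stays blocked — so match the exact rule instead: `grep -qF -- '/{,var/}run/openvpn-server/** rw,' /etc/apparmor.d/local/openvpn`. The `rw` grant is scoped to the runtime directory, which is the minimum that lets the socket be bound, but the override only has effect if the packaged profile includes `local/openvpn`; the 25.10 test in the description suggests it does, and a one-line comment stating that assumption would help whoever debugs a future Ubuntu release. The enclosing function starts and ends outside the hunk.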
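Review bot: `run_cmd "Removing AppArmor local override" rm -f /etc/apparmor.d/local/openvpn` deletes the whole local override, while the install side appends to that file when it already exists, so an administrator's own rules in `/etc/apparmor.d/local/openvpn` are preserved on install and silently destroyed on uninstall. Strip only the two lines the installer appended and remove the file only when that leaves it empty; the guarded reload below it can stay as it is (this assumes `run_cmd` passes its remaining arguments through unchanged, which the other calls in the hunk suggest). If the openvpn package has already been purged by the time this runs, `/etc/apparmor.d/openvpn` is gone and the reload is skipped, leaving the old profile loaded until reboot — harmless, but worth a comment on the `if [[ -f /etc/apparmor.d/openvpn ]]` line. removeOpenVPN continues outside the hunk.
```shell
	# AppArmor local override: drop only the lines the installer appended so
	# administrator-added rules in this file survive the uninstall
	if [[ -f /etc/apparmor.d/local/openvpn ]]; then
		run_cmd "Removing AppArmor local override" sed -i \
			-e '\|^# Allow OpenVPN management socket and status files in openvpn-server directory$|d' \
			-e '\|^/{,var/}run/openvpn-server/\*\* rw,$|d' \
			/etc/apparmor.d/local/openvpn
		[[ -s /etc/apparmor.d/local/openvpn ]] || rm -f /etc/apparmor.d/local/openvpn
		# … unchanged: reload of /etc/apparmor.d/openvpn when it still exists …
	fi
```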