fix: add AppArmor override for management socket on Ubuntu 25.04+ (#1469)

## Summary

- Ubuntu 25.04+ ships an AppArmor profile (`/etc/apparmor.d/openvpn`)
that blocks the management unix socket in `/run/openvpn-server/`,
causing OpenVPN to fail to start with `Permission denied`
- Add a local AppArmor override (`/etc/apparmor.d/local/openvpn`) during
install to permit access
- Clean up the override on uninstall

Tested on a fresh Ubuntu 25.10 DigitalOcean droplet — install, service
start, and uninstall all work correctly.

Closes #1467 #1449 #1450
This commit is contained in:
Stanislas
2026-02-13 18:36:08 +01:00
committed by GitHub
parent 8e8aeea4d9
commit cad603c484


@@ -3133,6 +3133,21 @@ verb 3"
run_cmd "Patching service file (RuntimeDirectory)" sed -i '/\[Service\]/a RuntimeDirectory=openvpn-server' /etc/systemd/system/openvpn-server@.service run_cmd "Patching service file (RuntimeDirectory)" sed -i '/\[Service\]/a RuntimeDirectory=openvpn-server' /etc/systemd/system/openvpn-server@.service
fi fi
# AppArmor: Ubuntu 25.04+ ships an enforcing profile for OpenVPN
# (/etc/apparmor.d/openvpn) that doesn't allow the management unix socket
# in /run/openvpn-server/. Add a local override to permit this.
if [[ -f /etc/apparmor.d/openvpn ]]; then
log_info "Configuring AppArmor for OpenVPN..."
mkdir -p /etc/apparmor.d/local
if [[ ! -f /etc/apparmor.d/local/openvpn ]] || ! grep -q "openvpn-server" /etc/apparmor.d/local/openvpn; then
{
echo "# Allow OpenVPN management socket and status files in openvpn-server directory"
echo "/{,var/}run/openvpn-server/** rw,"
} >>/etc/apparmor.d/local/openvpn
fi
run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn
fi
run_cmd "Reloading systemd" systemctl daemon-reload run_cmd "Reloading systemd" systemctl daemon-reload
run_cmd "Enabling OpenVPN service" systemctl enable openvpn-server@server run_cmd "Enabling OpenVPN service" systemctl enable openvpn-server@server
# In fingerprint mode, delay service start until first client is created # In fingerprint mode, delay service start until first client is created
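Review bot: The reload on the `run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn` line runs whenever the profile file exists, while the matching uninstall step tolerates a failed reload; on hosts where `/etc/apparmor.d/openvpn` is present but the AppArmor LSM is not active (containers, kernels booted without it) `apparmor_parser -r` fails, and if `run_cmd` is fatal — its definition is outside this hunk — the install aborts before the service is enabled. Gating on the kernel interface makes the whole step a no-op there: `if [[ -f /etc/apparmor.d/openvpn && -d /sys/kernel/security/apparmor ]]; then`. Two caveats are worth a comment above the override: the drop-in only takes effect if the shipped profile includes `local/openvpn` (Ubuntu's packaged profiles normally carry `include if exists <local/openvpn>`, but nothing here checks it, so a failing start would be silent), and `/{,var/}run/openvpn-server/** rw,` is deliberately scoped to that one directory — keep it that narrow rather than widening to `/run/**` if someone later hits another denial. The enclosing install function starts and ends outside the hunk.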
@@ -4487,6 +4502,14 @@ function removeOpenVPN() {
run_cmd "Removing sysctl config" rm -f /etc/sysctl.d/99-openvpn.conf run_cmd "Removing sysctl config" rm -f /etc/sysctl.d/99-openvpn.conf
run_cmd "Removing OpenVPN logs" rm -rf /var/log/openvpn run_cmd "Removing OpenVPN logs" rm -rf /var/log/openvpn
# AppArmor local override
if [[ -f /etc/apparmor.d/local/openvpn ]]; then
run_cmd "Removing AppArmor local override" rm -f /etc/apparmor.d/local/openvpn
if [[ -f /etc/apparmor.d/openvpn ]]; then
run_cmd "Reloading AppArmor profile" apparmor_parser -r /etc/apparmor.d/openvpn 2>/dev/null || true
fi
fi
# Unbound # Unbound
if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then if [[ -e /etc/unbound/unbound.conf.d/openvpn.conf ]]; then
removeUnbound removeUnbound
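Review bot: `rm -f /etc/apparmor.d/local/openvpn` deletes the whole local override file, but the install step appends to it (`>>`) and first checks whether it already exists, precisely because an administrator may keep their own rules in that drop-in; uninstall can therefore silently drop unrelated AppArmor policy. Remove only the two lines the installer wrote and delete the file only when nothing else remains, then reload as now. The `sed` expressions below match the exact comment and rule lines emitted by the install step; the existing `apparmor_parser -r … 2>/dev/null || true` is fine as a best-effort reload on uninstall. `removeOpenVPN` starts and ends outside the hunk.
```shell
# AppArmor local override: drop only the lines the installer appended, keep admin rules
if [[ -f /etc/apparmor.d/local/openvpn ]]; then
	run_cmd "Removing AppArmor local override" sed -i \
		-e '\#^/{,var/}run/openvpn-server/\*\* rw,$#d' \
		-e '/^# Allow OpenVPN management socket and status files in openvpn-server directory$/d' \
		/etc/apparmor.d/local/openvpn
	# only remove the file if nothing else is left in it
	[[ -s /etc/apparmor.d/local/openvpn ]] || rm -f /etc/apparmor.d/local/openvpn
	# … unchanged: apparmor_parser reload of /etc/apparmor.d/openvpn …
fi
```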