From cb0ef7b1c28261366badf7750819b5e0005e4e45 Mon Sep 17 00:00:00 2001 From: Stanislas Date: Sun, 14 Dec 2025 00:23:43 +0100 Subject: [PATCH] fix: use /etc/openvpn/server/ for tls-crypt-v2 temp files (#1393) ## Summary - Fix tls-crypt-v2 client key generation failing on Ubuntu 25.04+ with "Permission denied" - Add Ubuntu 25.10 to CI test matrix ## Root Cause Ubuntu 25.04 introduced an AppArmor profile for openvpn (`/etc/apparmor.d/openvpn`) that restricts where the binary can write. The allowed paths are: - `/etc/openvpn/{,**}` - `@{HOME}/**` (owner only) The script was using `mktemp` which creates files in `/tmp`, causing the error: ``` Cannot open file '/tmp/tmp.XXX' for write: Permission denied (errno=13) ``` ## Fix Changed the temp file location from `/tmp` to `/etc/openvpn/server/`: ```bash # Before tls_crypt_v2_tmpfile=$(mktemp) # After tls_crypt_v2_tmpfile=$(mktemp /etc/openvpn/server/tls-crypt-v2-client.XXXXXX) ``` Fixes #1391 --- .github/workflows/docker-test.yml | 2 ++ openvpn-install.sh | 14 ++++++++++---- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml index c8cd01a..df4b3be 100644 --- a/.github/workflows/docker-test.yml +++ b/.github/workflows/docker-test.yml @@ -30,6 +30,8 @@ jobs: image: ubuntu:22.04 - name: ubuntu-24.04 image: ubuntu:24.04 + - name: ubuntu-25.10 + image: ubuntu:25.10 - name: debian-11 image: debian:11 - name: debian-12 diff --git a/openvpn-install.sh b/openvpn-install.sh index b79ace5..2ba4464 100755 --- a/openvpn-install.sh +++ b/openvpn-install.sh 
@@ -1140,9 +1140,10 @@ function installOpenVPN() {
 esac
 # Generate a random, alphanumeric identifier of 16 characters for CN and one for server name
- SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+ # Note: 2>/dev/null suppresses "Broken pipe" errors from fold when head exits early
+ SERVER_CN="cn_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
 echo "$SERVER_CN" >SERVER_CN_GENERATED
- SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
+ SERVER_NAME="server_$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 2>/dev/null | head -n 1)"
 echo "$SERVER_NAME" >SERVER_NAME_GENERATED
 # Create the PKI, set up the CA, the DH params and the server certificate
@@ -1707,8 +1708,13 @@ function generateClientConfig() {
 case $tls_sig in
 1)
- # Generate per-client tls-crypt-v2 key using secure temp file
- tls_crypt_v2_tmpfile=$(mktemp)
+ # Generate per-client tls-crypt-v2 key in /etc/openvpn/server/
+ # Using /tmp would fail on Ubuntu 25.04+ due to AppArmor restrictions
+ tls_crypt_v2_tmpfile=$(mktemp /etc/openvpn/server/tls-crypt-v2-client.XXXXXX)
+ if [[ -z "$tls_crypt_v2_tmpfile" ]] || [[ ! -f "$tls_crypt_v2_tmpfile" ]]; then
+ log_error "Failed to create temporary file for tls-crypt-v2 client key"
+ exit 1
+ fi
 if ! openvpn --tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key \
 --genkey tls-crypt-v2-client "$tls_crypt_v2_tmpfile"; then
 rm -f "$tls_crypt_v2_tmpfile"
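Review bot: The `2>/dev/null` added to both `fold -w 16` stages in the installOpenVPN hunk hides every fold diagnostic, not just the EPIPE message, and nothing afterwards checks that the substitution really yielded 16 characters before `SERVER_CN` and `SERVER_NAME` are written to the *_GENERATED files and used as certificate identifiers. A guard after the two assignments, `[[ ${#SERVER_CN} -eq 19 && ${#SERVER_NAME} -eq 23 ]] || { log_error "Failed to generate server identifiers"; exit 1; }`, would turn a silently empty `cn_` / `server_` value into a hard failure instead of a weak, predictable CN. The added comment could also say when the message actually appears: presumably only when SIGPIPE is ignored by the parent process (as some CI harnesses do), since a fold killed by the signal prints nothing, and the redirect does not change the pipeline's exit status if `pipefail` is enabled elsewhere in the script. installOpenVPN starts before and continues after this hunk.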