Current OpenVPN-related issues and their fix proposals

[vip72-btw]

There are currently multiple minor issues that might prevent users from running a Mysterium Node who prefer to provide OpenVPN service due to TCP support instead of Wireguard that is restricted to UDP only. I have also noticed that you have disabled the openvpn service by default probably to avoid first-launch issues since many users faced them, but it appears nobody tried to debug them and mostly their causes are the incompatibilities I have demonstrated in this report.

I won't create a separate issue for each of them but instead will list most significant of them that once fixed, might allow less complicated node running experience with OpenVPN service enabled.

 

• Problem: OpenVPN service doesn't launch due to old OpenVPN version (< 2.4) without any proper debug information

  • Reason: OpenVPN versions prior to 2.4 don't have the tls-crypt option required by Mysterium Node. I have tried to launch Mysterium Node on my old idling Ubuntu Xenial box with OpenVPN service enabled, but the distribution's packed OpenVPN version doesn't support tls-crypt option used by the node due to its old version (2.3).

  • Solution: Implement OpenVPN version check by calling openvpn --version prior to starting OpenVPN. Shutdown throwing an error indicating the minimal required OpenVPN version (2.4).

 

• Problem: Mysterium Node doesn't launch on Debian 11 (Bullseye) and Debian 12 (Bookworm) with openvpn service enabled

  • Reason: OpenVPN packages on Debian 11 and 12 are compiled without the enable_iproute2 flag enabled (enable_iproute2=no), therefore missing the --iproute option required to run OpenVPN as non-root. Mysterium Node doesn't provide any information on that on shutdown, see log.txt

  • Solutions:

    1. Implement OpenVPN compile flags check by calling openvpn --version prior to starting OpenVPN. Shutdown throwing an error indicating the missing enable_iproute2 compile flag.

    2. Do not include the --iproute option if the node is running as root, since the reason why it is being included only because myst assumes it's always started by a sudoer user and the iproute2 wrapper script is a requirement for running OpenVPN as non-root. (We can run the node as root under some circumstances)

(Note: this was the root cause in #4243 where the user had to disable the openvpn service instead of having the issue resolved properly)

 

• Problem: OpenVPN server start fails with FATAL:Linux ip link set failed: could not execute external program but Mysterium Node continues running

  • Reason: Missing the nonpriv-ip wrapper script for iproute. This may happen when one is unaware that the config folder containing the nonpriv-ip script is required for OpenVPN service and may be missing it for some reason. For example in my case it was not created automatically when I tried Mysterium Node from the release's .tar.gz archive. See log.txt

  • Solution: Check for the nonpriv-ip script existence prior to starting OpenVPN. Shutdown throwing an error indicating the missing script.

 

All the issues above concern the current 1.29.2 release.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had activity for a long time. If this issue is still valid, please ping a maintainer and ask them to label it as "pinned". Thank you for your contributions.