From 7a8f5f53d54c530ef29e1042831853958db330b3 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Thu, 27 Jan 2022 23:34:19 +0000
Subject: [PATCH] feat(openvpn): `OPENVPN_PROCESS_USER` and deprecates `OPENVPN_ROOT`
---
 Dockerfile | 2 +-
 cmd/gluetun/main.go | 2 +-
 internal/configuration/settings/openvpn.go | 34 +++++--------------
 internal/configuration/sources/env/openvpn.go | 24 ++++++++++---
 internal/provider/custom/openvpnconf.go | 4 +--
 internal/provider/custom/openvpnconf_test.go | 16 ++++-----
 internal/provider/cyberghost/openvpnconf.go | 4 +--
 internal/provider/expressvpn/openvpnconf.go | 4 +--
 internal/provider/fastestvpn/openvpnconf.go | 4 +--
 internal/provider/hidemyass/openvpnconf.go | 4 +--
 internal/provider/ipvanish/openvpnconf.go | 4 +--
 internal/provider/ivpn/openvpnconf.go | 4 +--
 internal/provider/mullvad/openvpnconf.go | 4 +--
 internal/provider/nordvpn/openvpnconf.go | 4 +--
 .../provider/perfectprivacy/openvpnconf.go | 4 +--
 internal/provider/privado/openvpnconf.go | 4 +--
 .../privateinternetaccess/openvpnconf.go | 4 +--
 internal/provider/privatevpn/openvpnconf.go | 4 +--
 internal/provider/protonvpn/openvpnconf.go | 4 +--
 internal/provider/purevpn/openvpnconf.go | 4 +--
 internal/provider/surfshark/openvpnconf.go | 4 +--
 internal/provider/torguard/openvpnconf.go | 4 +--
 internal/provider/vpnunlimited/openvpnconf.go | 4 +--
 internal/provider/vyprvpn/openvpnconf.go | 4 +--
 internal/provider/wevpn/openvpnconf.go | 4 +--
 internal/provider/windscribe/openvpnconf.go | 4 +--
 26 files changed, 80 insertions(+), 82 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e9d6d624..695b4da4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -79,7 +79,7 @@ ENV VPNSP=pia \
 OPENVPN_FLAGS= \
 OPENVPN_CIPHER= \
 OPENVPN_AUTH= \
- OPENVPN_ROOT=yes \
+ OPENVPN_PROCESS_USER= \
 OPENVPN_TARGET_IP= \
 OPENVPN_IPV6=off \
 OPENVPN_CUSTOM_CONFIG= \
diff --git a/cmd/gluetun/main.go b/cmd/gluetun/main.go
index de9ff2b8..f72dd51d 100644
--- a/cmd/gluetun/main.go
+++ b/cmd/gluetun/main.go
@@ -244,7 +244,7 @@ func _main(ctx context.Context, buildInfo models.BuildInformation,
 // set it for Unbound
 // TODO remove this when migrating to qdm12/dns v2
 allSettings.DNS.DoT.Unbound.Username = nonRootUsername
- allSettings.VPN.OpenVPN.ProcUser = nonRootUsername
+ allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername
 if err := os.Chown("/etc/unbound", puid, pgid); err != nil {
 return err
diff --git a/internal/configuration/settings/openvpn.go b/internal/configuration/settings/openvpn.go
index f2374a74..c4456f7c 100644
--- a/internal/configuration/settings/openvpn.go
+++ b/internal/configuration/settings/openvpn.go
@@ -61,15 +61,10 @@ type OpenVPN struct {
 // Interface is the OpenVPN device interface name.
 // It cannot be an empty string in the internal state.
 Interface string
- // Root is true if OpenVPN is to be run as root,
- // and false otherwise. It cannot be nil in the
- // internal state.
- Root *bool
- // ProcUser is the OpenVPN process OS username
- // to use. It cannot be nil in the internal state.
- // This is set and injected at runtime.
- // TODO only use ProcUser and not Root field.
- ProcUser string
+ // ProcessUser is the OpenVPN process OS username
+ // to use. It cannot be empty in the internal state.
+ // It defaults to 'root'.
+ ProcessUser string
 // Verbosity is the OpenVPN verbosity level from 0 to 6.
 // It cannot be nil in the internal state.
 Verbosity *int
@@ -175,8 +170,7 @@ func (o *OpenVPN) copy() (copied OpenVPN) {
 IPv6: helpers.CopyBoolPtr(o.IPv6),
 MSSFix: helpers.CopyUint16Ptr(o.MSSFix),
 Interface: o.Interface,
- Root: helpers.CopyBoolPtr(o.Root),
- ProcUser: o.ProcUser,
+ ProcessUser: o.ProcessUser,
 Verbosity: helpers.CopyIntPtr(o.Verbosity),
 Flags: helpers.CopyStringSlice(o.Flags),
 }
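Review bot: In the cmd/gluetun/main.go hunk, `allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername` is assigned with no condition visible in the hunk, while after this patch ProcessUser is the only value the providers consult (`settings.ProcessUser != "root"`). Before the patch the injected name took effect only when `Root` was false; now it appears to replace whatever `OPENVPN_PROCESS_USER` or the `root` default supplied, so the new variable may have no effect on the account OpenVPN actually runs as. If the intent is only to map the retro-compatible default onto the user created at startup, guard the assignment, e.g. `if allSettings.VPN.OpenVPN.ProcessUser == "nonrootuser" { allSettings.VPN.OpenVPN.ProcessUser = nonRootUsername }`. _main's body starts and ends outside the hunk, so a surrounding condition may exist that is not shown.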
@@ -197,8 +191,7 @@ func (o *OpenVPN) mergeWith(other OpenVPN) {
 o.IPv6 = helpers.MergeWithBool(o.IPv6, other.IPv6)
 o.MSSFix = helpers.MergeWithUint16(o.MSSFix, other.MSSFix)
 o.Interface = helpers.MergeWithString(o.Interface, other.Interface)
- o.Root = helpers.MergeWithBool(o.Root, other.Root)
- o.ProcUser = helpers.MergeWithString(o.ProcUser, other.ProcUser)
+ o.ProcessUser = helpers.MergeWithString(o.ProcessUser, other.ProcessUser)
 o.Verbosity = helpers.MergeWithIntPtr(o.Verbosity, other.Verbosity)
 o.Flags = helpers.MergeStringSlices(o.Flags, other.Flags)
 }
@@ -219,8 +212,7 @@ func (o *OpenVPN) overrideWith(other OpenVPN) {
 o.IPv6 = helpers.OverrideWithBool(o.IPv6, other.IPv6)
 o.MSSFix = helpers.OverrideWithUint16(o.MSSFix, other.MSSFix)
 o.Interface = helpers.OverrideWithString(o.Interface, other.Interface)
- o.Root = helpers.OverrideWithBool(o.Root, other.Root)
- o.ProcUser = helpers.OverrideWithString(o.ProcUser, other.ProcUser)
+ o.ProcessUser = helpers.OverrideWithString(o.ProcessUser, other.ProcessUser)
 o.Verbosity = helpers.OverrideWithIntPtr(o.Verbosity, other.Verbosity)
 o.Flags = helpers.OverrideWithStringSlice(o.Flags, other.Flags)
 }
@@ -245,8 +237,7 @@ func (o *OpenVPN) setDefaults(vpnProvider string) {
 o.IPv6 = helpers.DefaultBool(o.IPv6, false)
 o.MSSFix = helpers.DefaultUint16(o.MSSFix, 0)
 o.Interface = helpers.DefaultString(o.Interface, "tun0")
- o.Root = helpers.DefaultBool(o.Root, true)
- o.ProcUser = helpers.DefaultString(o.ProcUser, "root")
+ o.ProcessUser = helpers.DefaultString(o.ProcessUser, "root")
 o.Verbosity = helpers.DefaultInt(o.Verbosity, 1)
 }
@@ -294,14 +285,7 @@ func (o OpenVPN) toLinesNode() (node *gotree.Node) {
 node.Appendf("Network interface: %s", o.Interface)
 }
- processUser := "root"
- if !*o.Root {
- processUser = "some non root user" // TODO
- if o.ProcUser != "" {
- processUser = o.ProcUser
- }
- }
- node.Appendf("Run OpenVPN as: %s", processUser)
+ node.Appendf("Run OpenVPN as: %s", o.ProcessUser)
 node.Appendf("Verbosity level: %d", *o.Verbosity)
diff --git a/internal/configuration/sources/env/openvpn.go b/internal/configuration/sources/env/openvpn.go
index db1a3c66..b5cdc759 100644
--- a/internal/configuration/sources/env/openvpn.go
+++ b/internal/configuration/sources/env/openvpn.go
@@ -52,13 +52,11 @@ func (r *Reader) readOpenVPN() (
 openVPN.Interface = os.Getenv("OPENVPN_INTERFACE")
- openVPN.Root, err = envToBoolPtr("OPENVPN_ROOT")
+ openVPN.ProcessUser, err = r.readOpenVPNProcessUser()
 if err != nil {
- return openVPN, fmt.Errorf("environment variable OPENVPN_ROOT: %w", err)
+ return openVPN, err
 }
- // TODO ProcUser once Root is deprecated.
-
 openVPN.Verbosity, err = envToIntPtr("OPENVPN_VERBOSITY")
 if err != nil {
 return openVPN, fmt.Errorf("environment variable OPENVPN_VERBOSITY: %w", err)
@@ -123,3 +121,21 @@ func (r *Reader) readPIAEncryptionPreset() (presetPtr *string) {
 return nil
 }
+
+func (r *Reader) readOpenVPNProcessUser() (processUser string, err error) {
+ // Retro-compatibility
+ root, err := envToBoolPtr("OPENVPN_ROOT")
+ if err != nil {
+ r.onRetroActive("OPENVPN_ROOT", "OPENVPN_PROCESS_USER")
+ return "", fmt.Errorf("environment variable OPENVPN_ROOT: %w", err)
+ } else if root != nil {
+ r.onRetroActive("OPENVPN_ROOT", "OPENVPN_PROCESS_USER")
+ if *root {
+ return "root", nil
+ }
+ const defaultNonRootUser = "nonrootuser"
+ return defaultNonRootUser, nil
+ }
+
+ return os.Getenv("OPENVPN_PROCESS_USER"), nil
+}
diff --git a/internal/provider/custom/openvpnconf.go b/internal/provider/custom/openvpnconf.go
index d835eaa7..16fff5f0 100644
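Review bot: In the internal/configuration/sources/env/openvpn.go hunk that adds readOpenVPNProcessUser, the final `return os.Getenv("OPENVPN_PROCESS_USER"), nil` passes the value on unchecked, and the provider hunks later in this patch write it verbatim into the generated OpenVPN configuration as `"user "+settings.ProcessUser`. A value containing whitespace or a line break would alter or add directives in that file, so unless the settings validation (not part of this patch) already rejects it, refuse such names here, e.g. `if strings.ContainsAny(processUser, " \t\r\n") { return "", fmt.Errorf("environment variable OPENVPN_PROCESS_USER: invalid user name %q", processUser) }`. The function also has no doc comment; it should state that a set `OPENVPN_ROOT` takes precedence over `OPENVPN_PROCESS_USER` and that an unset variable yields an empty string which later defaults to `root`.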
--- a/internal/provider/custom/openvpnconf.go
+++ b/internal/provider/custom/openvpnconf.go
@@ -88,8 +88,8 @@ func modifyConfig(lines []string, connection models.Connection,
 modified = append(modified, `pull-filter ignore "route-ipv6"`)
 modified = append(modified, `pull-filter ignore "ifconfig-ipv6"`)
 }
- if !*settings.Root {
- modified = append(modified, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ modified = append(modified, "user "+settings.ProcessUser)
 modified = append(modified, "persist-tun")
 modified = append(modified, "persist-key")
 }
diff --git a/internal/provider/custom/openvpnconf_test.go b/internal/provider/custom/openvpnconf_test.go
index 86034b91..b3062576 100644
--- a/internal/provider/custom/openvpnconf_test.go
+++ b/internal/provider/custom/openvpnconf_test.go
@@ -10,7 +10,6 @@ import (
 "github.com/stretchr/testify/assert"
 )
-func boolPtr(b bool) *bool { return &b }
 func intPtr(n int) *int { return &n }
 func uint16Ptr(n uint16) *uint16 { return &n }
 func stringPtr(s string) *string { return &s }
@@ -36,14 +35,13 @@ func Test_modifyConfig(t *testing.T) {
 "auth bla",
 },
 settings: settings.OpenVPN{
- User: "user",
- Ciphers: []string{"cipher"},
- Auth: stringPtr("auth"),
- MSSFix: uint16Ptr(1000),
- Root: boolPtr(false),
- ProcUser: "procuser",
- Interface: "tun3",
- Verbosity: intPtr(0),
+ User: "user",
+ Ciphers: []string{"cipher"},
+ Auth: stringPtr("auth"),
+ MSSFix: uint16Ptr(1000),
+ ProcessUser: "procuser",
+ Interface: "tun3",
+ Verbosity: intPtr(0),
 }.WithDefaults(constants.Custom),
 connection: models.Connection{
 IP: net.IPv4(1, 2, 3, 4),
diff --git a/internal/provider/cyberghost/openvpnconf.go b/internal/provider/cyberghost/openvpnconf.go
index eaca7676..5c021eaa 100644
--- a/internal/provider/cyberghost/openvpnconf.go
+++ b/internal/provider/cyberghost/openvpnconf.go
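Review bot: In the internal/provider/custom/openvpnconf.go hunk, the privilege-drop decision is now the string comparison `settings.ProcessUser != "root"`, and the identical block is repeated in every provider's BuildConf hunk in this patch (cyberghost through windscribe). Keeping a security-relevant check copied across that many files makes it easy for a later change to miss one provider; a single shared helper next to `utils.CipherLines`, called as for example `lines = append(lines, utils.UserLines(settings.ProcessUser)...)` (helper name is a suggestion), would hold the comparison and the `user`, `persist-tun`, `persist-key` lines in one place. The comparison is also true for an empty ProcessUser, which would emit a bare `user ` directive if defaults were ever not applied, so the helper is a natural place to reject an empty name. modifyConfig and the BuildConf functions start and end outside their hunks.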
@@ -57,8 +57,8 @@ func (c *Cyberghost) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/expressvpn/openvpnconf.go b/internal/provider/expressvpn/openvpnconf.go
index 328218e9..424a3adb 100644
--- a/internal/provider/expressvpn/openvpnconf.go
+++ b/internal/provider/expressvpn/openvpnconf.go
@@ -62,8 +62,8 @@ func (p *Provider) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/fastestvpn/openvpnconf.go b/internal/provider/fastestvpn/openvpnconf.go
index c589d21b..d76c558e 100644
--- a/internal/provider/fastestvpn/openvpnconf.go
+++ b/internal/provider/fastestvpn/openvpnconf.go
@@ -61,8 +61,8 @@ func (f *Fastestvpn) BuildConf(connection models.Connection,
 lines = append(lines, "ping 15") // FastestVPN specific
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/hidemyass/openvpnconf.go b/internal/provider/hidemyass/openvpnconf.go
index 27e28c51..38407857 100644
--- a/internal/provider/hidemyass/openvpnconf.go
+++ b/internal/provider/hidemyass/openvpnconf.go
@@ -53,8 +53,8 @@ func (h *HideMyAss) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/ipvanish/openvpnconf.go b/internal/provider/ipvanish/openvpnconf.go
index 4dff7eb6..87085f41 100644
--- a/internal/provider/ipvanish/openvpnconf.go
+++ b/internal/provider/ipvanish/openvpnconf.go
@@ -54,8 +54,8 @@ func (i *Ipvanish) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/ivpn/openvpnconf.go b/internal/provider/ivpn/openvpnconf.go
index b51e5e15..22166eed 100644
--- a/internal/provider/ivpn/openvpnconf.go
+++ b/internal/provider/ivpn/openvpnconf.go
@@ -59,8 +59,8 @@ func (i *Ivpn) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/mullvad/openvpnconf.go b/internal/provider/mullvad/openvpnconf.go
index 1047ad9f..5b9252e9 100644
--- a/internal/provider/mullvad/openvpnconf.go
+++ b/internal/provider/mullvad/openvpnconf.go
@@ -58,8 +58,8 @@ func (m *Mullvad) BuildConf(connection models.Connection,
 lines = append(lines, `pull-filter ignore "ifconfig-ipv6"`)
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/nordvpn/openvpnconf.go b/internal/provider/nordvpn/openvpnconf.go
index 3be3d561..3d80c4de 100644
--- a/internal/provider/nordvpn/openvpnconf.go
+++ b/internal/provider/nordvpn/openvpnconf.go
@@ -62,8 +62,8 @@ func (n *Nordvpn) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/perfectprivacy/openvpnconf.go b/internal/provider/perfectprivacy/openvpnconf.go
index 42e7caa8..6849f18c 100644
--- a/internal/provider/perfectprivacy/openvpnconf.go
+++ b/internal/provider/perfectprivacy/openvpnconf.go
@@ -61,8 +61,8 @@ func (p *Perfectprivacy) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/privado/openvpnconf.go b/internal/provider/privado/openvpnconf.go
index 02c0e5a1..4334c6da 100644
--- a/internal/provider/privado/openvpnconf.go
+++ b/internal/provider/privado/openvpnconf.go
@@ -48,8 +48,8 @@ func (p *Privado) BuildConf(connection models.Connection,
 lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/privateinternetaccess/openvpnconf.go b/internal/provider/privateinternetaccess/openvpnconf.go
index 3af246cb..43507306 100644
--- a/internal/provider/privateinternetaccess/openvpnconf.go
+++ b/internal/provider/privateinternetaccess/openvpnconf.go
@@ -72,8 +72,8 @@ func (p *PIA) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/privatevpn/openvpnconf.go b/internal/provider/privatevpn/openvpnconf.go
index a36c3b34..928d65da 100644
--- a/internal/provider/privatevpn/openvpnconf.go
+++ b/internal/provider/privatevpn/openvpnconf.go
@@ -51,8 +51,8 @@ func (p *Privatevpn) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/protonvpn/openvpnconf.go b/internal/provider/protonvpn/openvpnconf.go
index 2518d40d..ce9480ec 100644
--- a/internal/provider/protonvpn/openvpnconf.go
+++ b/internal/provider/protonvpn/openvpnconf.go
@@ -61,8 +61,8 @@ func (p *Protonvpn) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/purevpn/openvpnconf.go b/internal/provider/purevpn/openvpnconf.go
index 89a35d06..cb3f7c18 100644
--- a/internal/provider/purevpn/openvpnconf.go
+++ b/internal/provider/purevpn/openvpnconf.go
@@ -54,8 +54,8 @@ func (p *Purevpn) BuildConf(connection models.Connection,
 lines = append(lines, "mssfix "+strconv.Itoa(int(*settings.MSSFix)))
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/surfshark/openvpnconf.go b/internal/provider/surfshark/openvpnconf.go
index 14db847e..a078c742 100644
--- a/internal/provider/surfshark/openvpnconf.go
+++ b/internal/provider/surfshark/openvpnconf.go
@@ -61,8 +61,8 @@ func (s *Surfshark) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/torguard/openvpnconf.go b/internal/provider/torguard/openvpnconf.go
index a64bf7e5..53000406 100644
--- a/internal/provider/torguard/openvpnconf.go
+++ b/internal/provider/torguard/openvpnconf.go
@@ -59,8 +59,8 @@ func (t *Torguard) BuildConf(connection models.Connection,
 lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/vpnunlimited/openvpnconf.go b/internal/provider/vpnunlimited/openvpnconf.go
index 5658cc82..36492762 100644
--- a/internal/provider/vpnunlimited/openvpnconf.go
+++ b/internal/provider/vpnunlimited/openvpnconf.go
@@ -54,8 +54,8 @@ func (p *Provider) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/vyprvpn/openvpnconf.go b/internal/provider/vyprvpn/openvpnconf.go
index dbf86bbf..c1f26cc6 100644
--- a/internal/provider/vyprvpn/openvpnconf.go
+++ b/internal/provider/vyprvpn/openvpnconf.go
@@ -54,8 +54,8 @@ func (v *Vyprvpn) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/wevpn/openvpnconf.go b/internal/provider/wevpn/openvpnconf.go
index 52ea8ac5..5e4f8a41 100644
--- a/internal/provider/wevpn/openvpnconf.go
+++ b/internal/provider/wevpn/openvpnconf.go
@@ -55,8 +55,8 @@ func (w *Wevpn) BuildConf(connection models.Connection,
 lines = append(lines, utils.CipherLines(settings.Ciphers, settings.Version)...)
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }
diff --git a/internal/provider/windscribe/openvpnconf.go b/internal/provider/windscribe/openvpnconf.go
index 608a7e65..cbe8d03f 100644
--- a/internal/provider/windscribe/openvpnconf.go
+++ b/internal/provider/windscribe/openvpnconf.go
@@ -58,8 +58,8 @@ func (w *Windscribe) BuildConf(connection models.Connection,
 lines = append(lines, "explicit-exit-notify")
 }
- if !*settings.Root {
- lines = append(lines, "user "+settings.ProcUser)
+ if settings.ProcessUser != "root" {
+ lines = append(lines, "user "+settings.ProcessUser)
 lines = append(lines, "persist-tun")
 lines = append(lines, "persist-key")
 }