Openwrt OPENVPN connection issue - apparmor=“DENIED” operation

Hi,

I’ve been trying to connect OpenVPN as a client for a while now

Docker/Syn720+ V20.10.3.-1239
OpenWrt SNAPSHOT r18285-dd681838d3 / LuCI Master git-21.336.35676-ff4f529

I get the error message

Mon Dec  6 11:16:08 2021 kern.info kernel: [2405195.805821] Synotify use 16384 event queue size
Mon Dec  6 11:16:08 2021 daemon.err openvpn(test)[1340]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:08 2021 daemon.warn openvpn(test)[1340]: Use --help for more information.
Mon Dec  6 11:16:08 2021 kern.notice kernel: [2405196.306197] audit: type=1400 audit(1638789368.802:590201): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16189 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:13 2021 daemon.err openvpn(test)[1347]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:13 2021 daemon.warn openvpn(test)[1347]: Use --help for more information.
Mon Dec  6 11:16:13 2021 kern.notice kernel: [2405201.332861] audit: type=1400 audit(1638789373.830:590202): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16246 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:18 2021 daemon.err openvpn(test)[1350]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:18 2021 daemon.warn openvpn(test)[1350]: Use --help for more information.
Mon Dec  6 11:16:18 2021 kern.notice kernel: [2405206.361522] audit: type=1400 audit(1638789378.860:590203): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16359 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:23 2021 kern.notice kernel: [2405211.390690] audit: type=1400 audit(1638789383.893:590204): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16493 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:23 2021 daemon.err openvpn(test)[1353]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:23 2021 daemon.warn openvpn(test)[1353]: Use --help for more information.
Mon Dec  6 11:16:24 2021 daemon.info procd: Instance sysntpd::instance1 s in a crash loop 6 crashes, 0 seconds since last crash
Mon Dec  6 11:16:28 2021 daemon.err openvpn(test)[1356]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:28 2021 daemon.warn openvpn(test)[1356]: Use --help for more information.
Mon Dec  6 11:16:28 2021 kern.notice kernel: [2405216.416908] audit: type=1400 audit(1638789388.921:590205): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16539 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:33 2021 daemon.err openvpn(test)[1434]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:33 2021 daemon.warn openvpn(test)[1434]: Use --help for more information.
Mon Dec  6 11:16:33 2021 kern.notice kernel: [2405220.835815] audit: type=1400 audit(1638789393.342:590206): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16724 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mon Dec  6 11:16:38 2021 daemon.err openvpn(test)[1493]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/test.ovpn
Mon Dec  6 11:16:38 2021 daemon.warn openvpn(test)[1493]: Use --help for more information.
Mon Dec  6 11:16:38 2021 kern.notice kernel: [2405225.864697] audit: type=1400 audit(1638789398.372:590207): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/test.ovpn" pid=16859 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Exactly the same OpenVPN configuration that I’m using on an RPI with no issues
/etc/config /etc/openvpn

Unfortunately, I’m not very familiar with the area yet

advice in an OPENWRT forum

Looks like the issue is unrelated to OpenWrt.
Follow to the support channel for your host system.
This is likely where AppArmor denials are coming from.

What could be the reason?

Thx for help

Is this openvpn client running inside a Docker container?

Yes, docker image
https://hub.docker.com/r/openwrtorg/rootfs

This is openwrt image not openvpn client, but no problem because I relized I saw daemon errors not the client.

Do you try to bind mount /etc/openvpn/test.ovpn from your host into the container?

I just ried this… same problem

ue Dec  7 10:02:57 2021 kern.notice kernel: [2483587.755145] audit: type=1400 audit(1638867777.734:622715): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=719 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.149089] audit: type=1101 audit(1638867781.130:622716): pid=790 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.150172] audit: type=1101 audit(1638867781.131:622717): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.150275] audit: type=1103 audit(1638867781.131:622718): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.150623] audit: type=1105 audit(1638867781.131:622719): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.150842] audit: type=1110 audit(1638867781.131:622720): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.193011] audit: type=1104 audit(1638867781.173:622721): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.193117] audit: type=1106 audit(1638867781.174:622722): pid=789 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.314353] audit: type=1103 audit(1638867781.295:622723): pid=790 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:01 2021 kern.notice kernel: [2483591.337532] audit: type=1105 audit(1638867781.318:622724): pid=790 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits acct="mva" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Tue Dec  7 10:03:02 2021 daemon.err openvpn(se)[734]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:02 2021 daemon.warn openvpn(se)[734]: Use --help for more information.
Tue Dec  7 10:03:07 2021 kern.warn kernel: [2483597.783516] audit_printk_skb: 12 callbacks suppressed
Tue Dec  7 10:03:07 2021 kern.notice kernel: [2483597.789363] audit: type=1400 audit(1638867787.765:622729): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=886 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:07 2021 daemon.err openvpn(se)[736]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:07 2021 daemon.warn openvpn(se)[736]: Use --help for more information.
Tue Dec  7 10:03:12 2021 daemon.err openvpn(se)[737]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:12 2021 daemon.warn openvpn(se)[737]: Use --help for more information.
Tue Dec  7 10:03:12 2021 kern.notice kernel: [2483602.817303] audit: type=1400 audit(1638867792.801:622730): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=979 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:17 2021 daemon.err openvpn(se)[738]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:17 2021 daemon.warn openvpn(se)[738]: Use --help for more information.
Tue Dec  7 10:03:17 2021 kern.notice kernel: [2483607.844556] audit: type=1400 audit(1638867797.829:622731): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1042 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:22 2021 daemon.err openvpn(se)[746]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:22 2021 daemon.warn openvpn(se)[746]: Use --help for more information.
Tue Dec  7 10:03:22 2021 kern.notice kernel: [2483612.870271] audit: type=1400 audit(1638867802.857:622732): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1123 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:24 2021 daemon.err uhttpd[468]: luci: accepted login on / for root from 192.168.178.68
Tue Dec  7 10:03:27 2021 daemon.err openvpn(se)[838]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:27 2021 daemon.warn openvpn(se)[838]: Use --help for more information.
Tue Dec  7 10:03:27 2021 kern.notice kernel: [2483617.894119] audit: type=1400 audit(1638867807.882:622733): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1350 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:29 2021 daemon.err openvpn(se)[866]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:29 2021 daemon.warn openvpn(se)[866]: Use --help for more information.
Tue Dec  7 10:03:29 2021 kern.notice kernel: [2483619.181333] audit: type=1400 audit(1638867809.168:622734): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1393 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:30 2021 daemon.err openvpn(se)[1045]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:30 2021 daemon.warn openvpn(se)[1045]: Use --help for more information.
Tue Dec  7 10:03:30 2021 kern.notice kernel: [2483620.825785] audit: type=1400 audit(1638867810.813:622735): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1587 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 10:03:35 2021 daemon.err openvpn(se)[1197]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 10:03:35 2021 daemon.warn openvpn(se)[1197]: Use --help for more information.
Tue Dec  7 10:03:35 2021 kern.notice kernel: [2483625.854678] audit: type=1400 audit(1638867815.845:622736): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=1920 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026

Tried what? I didn’t suggest, I asked about the current solution. I would not like to figure everything out from the error log. It is better if you describe what you do.

Sorry, I will try to write full sentences.
Sorry also for my english,…

I 've bind mount /etc/openvpn to my docker volume.
There are no problems accessing the area. I can also create new configurations there.

The log shows the same apparmor=“DENIED” operation=“open” profile=“/usr/sbin/openvpn” name=“/etc/openvpn/se.ovpn”

Tue Dec  7 15:35:08 2021 kern.notice kernel: [2503514.225944] audit: type=1400 audit(1638887708.125:631145): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=32456 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:08 2021 daemon.err openvpn(se)[5787]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:08 2021 daemon.warn openvpn(se)[5787]: Use --help for more information.
Tue Dec  7 15:35:13 2021 daemon.err openvpn(se)[5788]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:13 2021 daemon.warn openvpn(se)[5788]: Use --help for more information.
Tue Dec  7 15:35:13 2021 kern.notice kernel: [2503519.256114] audit: type=1400 audit(1638887713.162:631146): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=32494 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:18 2021 daemon.err openvpn(se)[5789]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:18 2021 daemon.warn openvpn(se)[5789]: Use --help for more information.
Tue Dec  7 15:35:18 2021 kern.notice kernel: [2503524.285211] audit: type=1400 audit(1638887718.192:631147): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=32561 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:23 2021 daemon.err openvpn(se)[5790]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:23 2021 daemon.warn openvpn(se)[5790]: Use --help for more information.
Tue Dec  7 15:35:23 2021 kern.notice kernel: [2503529.313435] audit: type=1400 audit(1638887723.221:631148): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=32594 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:28 2021 daemon.err openvpn(se)[5791]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:28 2021 daemon.warn openvpn(se)[5791]: Use --help for more information.
Tue Dec  7 15:35:28 2021 kern.notice kernel: [2503534.341892] audit: type=1400 audit(1638887728.250:631149): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=334 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:33 2021 daemon.err openvpn(se)[5792]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:33 2021 daemon.warn openvpn(se)[5792]: Use --help for more information.
Tue Dec  7 15:35:33 2021 kern.notice kernel: [2503539.369807] audit: type=1400 audit(1638887733.279:631150): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=392 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:38 2021 daemon.err openvpn(se)[5793]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:38 2021 daemon.warn openvpn(se)[5793]: Use --help for more information.
Tue Dec  7 15:35:38 2021 kern.notice kernel: [2503544.398021] audit: type=1400 audit(1638887738.308:631151): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=483 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:43 2021 daemon.err openvpn(se)[5794]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:43 2021 daemon.warn openvpn(se)[5794]: Use --help for more information.
Tue Dec  7 15:35:43 2021 kern.notice kernel: [2503549.426008] audit: type=1400 audit(1638887743.337:631152): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=539 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:48 2021 daemon.err openvpn(se)[5795]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn
Tue Dec  7 15:35:48 2021 daemon.warn openvpn(se)[5795]: Use --help for more information.
Tue Dec  7 15:35:48 2021 kern.notice kernel: [2503554.451228] audit: type=1400 audit(1638887748.363:631153): apparmor="DENIED" operation="open" profile="/usr/sbin/openvpn" name="/etc/openvpn/se.ovpn" pid=651 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1026
Tue Dec  7 15:35:53 2021 daemon.err openvpn(se)[5796]: Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/se.ovpn

Is there something that I can do to disable apparmor for profile /usr/sbin/openvpn
It would ne nice if someone can help me to solve the issue…

Thx!

If you search for “disable apparmor” you will find this:

https://help.ubuntu.com/community/AppArmor

I would try “put a profile in complain mode”

1 Like

Thx for the link.
I have found similar pages, but I hoped for an esay solution. e.g. a flag or something else
I don’t want to risk a security problem for my synology NAS

Next time share those pages, please :slight_smile: It really helps us to see what you tried and where we need to start looking for other solutions or telling you that you found the best way. Personally I don’t think this is the best way but this is I could find in a short time I had based on what I understood. I would also try to use another configuration (if that is possible on your synology) not under /etc since accessing that system folder is a bigger security risk than mounting.a volume from your user’s home.

1 Like