
DRAFT: Recommended OpenVPN directory layout

This page describes a recommended directory layout for all the files and directories OpenVPN may need for successful operation. In the past OpenVPN has not had any clear guideline here, mostly because operating systems were extremely flexible and tolerant. With the introduction of newer security regimes and requirements, it helps to have a unified understanding of the various needs across the various operating systems and their distribution variants.

Non-Windows environments

Recommended ACL
| Type | Path | Description | Needed by | Owner | Mode | Remarks |
| --- | --- | --- | --- | --- | --- | --- |
| [D] | /etc/openvpn/ | Base configuration directory | All | root:root | rwxr-xr-x (0755) | |
| [D] | /etc/openvpn/client/ | Configuration files for OpenVPN clients | systemd distributions | root:root | rwxr-x--- (0750) | (0) |
| [D] | /etc/openvpn/server/ | Configuration files for OpenVPN servers | systemd distributions | root:root | rwxr-x--- (0750) | (0) |
| [F] | /usr/sbin/openvpn | Main binary | All | root:root | rwxr-xr-x (0755) | |
| [F] | /usr/include/openvpn-msg.h, /usr/include/openvpn-plugin.h | Development headers | All | root:root | rw-r--r-- (0644) | (1) |
| [D] | /usr/lib/openvpn/plugins/ or /usr/lib64/openvpn/plugins/ | Directory for OpenVPN plugins | All | root:root | rwxr-xr-x (0755) | |
| [D] | /usr/libexec/openvpn/ | Directory for scripts executed by OpenVPN | All | root:root | rwxr-xr-x (0755) | (2) |
| [D] | /var/lib/openvpn/ | Various OpenVPN data files | All | openvpn:openvpn | rwxrwx--x (0771) | (3) |
| [D] | /var/lib/openvpn/chroot/ | Default chroot directory | All | root:root | rwxr-xr-x (0755) | |
| [D] | /var/lib/openvpn/chroot/tmp/ | Default chroot --tmp-dir | All | openvpn:openvpn | rwxrwx--- (0770) | (4) |
| [D] | /var/log/openvpn/ | Main log directory | All | openvpn:openvpn | rwxrwxr-x (0775) | (5) |

Remarks

Remark 0

This is fairly strict. The intention is that keying material is well protected for most users. In most cases OpenVPN runs with --user and --group, and OpenVPN recommends --persist-key alongside them. Together these protect the configuration and key files even from the OpenVPN process itself once initialization has completed, which also stops third-party scripts and plug-ins run by OpenVPN from reading or otherwise manipulating keying material.

Remark 1

Development headers may be packaged in a separate development package on distributions that provide one.

Remark 2

Especially useful on SELinux-enabled systems, where correct security labelling is important.

Remark 3

Ideal for CRL files (--crl-verify) and --ifconfig-pool-persist. Execute (search) access for others is granted so that non-OpenVPN processes can read or update individual files in this directory; the ACL on each file itself is left to the system administrator to set according to their needs. The lack of read access on the directory for others ensures that non-privileged processes can't retrieve a list of the files in this directory.

Remark 4

OpenVPN expects /tmp to exist when running, and when using --chroot this is the default --tmp-dir that OpenVPN expects inside the chroot.

Remark 5

May not be used by systemd-based distributions, but is useful for those not using the systemd journal.

Windows environments

TBD

Last modified on 05/15/17 17:35:39