Changes between Version 4 and Version 5 of OpenVPNdirectoryLayout


Timestamp:
05/15/17 17:34:44 (7 years ago)
Author:
David Sommerseth
Comment:

Corrected several minor mistakes, added development headers, some reorganisation

  • OpenVPNdirectoryLayout

    v4 v5  
    66== Non-Windows environments ==
    77||= =||= =||= =||||= '''Recommended ACL''' =||= =||
    8 ||= '''Directory''' =||= '''Description''' =||= '''Needed by''' =||= '''Owner''' =||= '''Mode''' =||= '''Remarks''' =||
    9 || /etc/openvpn/ || Base configuration directory || All || root:root || `rwxr-xr-x` (0755) || ||
    10 || /etc/openvpn/client/ || Configuration files for OpenVPN clients || systemd distributions || root:root || `rwxr-x---` (0750) || (0) ||
    11 || /etc/openvpn/server/ || Configuration files for OpenVPN servers || systemd distributions || root:root || `rwxr-x---` (0750) || (0) ||
    12 || /usr/sbin/openvpn/ || Main binary || All || root:root || `rwxr-xr-x` (0755) || ||
    13 || /usr/lib/openvpn/plugins [[BR]] /usr/lib64/openvpn/plugins || Directory for OpenVPN plugins || All || root:root || `rwxr-xr-x` (0755) || ||
    14 || /usr/libexec/openvpn || Directory for scripts executed by OpenVPN || All || root:root || `rwxr-xr-x` (0755) || (1) ||
    15 || /var/log/openvpn/ || Main log directory || All || openvpn:openvpn || `rwxrwxr-x` (0775) || (2) ||
    16 || /var/lib/openvpn/ || Various OpenVPN data files || All || openvpn:openvpn || `rwxrwx--x` (0771) || (3) ||
    17 || /var/lib/openvpn/chroot/ || Default chroot directory || All || root:root || `rwxr-xr-x` (0755) || ||
    18 || /var/lib/openvpn/chroot/tmp/ || Default chroot `--tmp-dir` || All || openvpn:openvpn || `rwxrwx---` (0770) || (4) ||
     8||= '''File/Directory''' =||= '''Description''' =||= '''Needed by''' =||= '''Owner''' =||= '''Mode''' =||= '''Remarks''' =||
     9|| [D] /etc/openvpn/ || Base configuration directory || All || root:root || `rwxr-xr-x` (0755) || ||
     10|| [D] /etc/openvpn/client/ || Configuration files for OpenVPN clients || systemd distributions || root:root || `rwxr-x---` (0750) || (0) ||
     11|| [D] /etc/openvpn/server/ || Configuration files for OpenVPN servers || systemd distributions || root:root || `rwxr-x---` (0750) || (0) ||
     12|| [F] /usr/sbin/openvpn || Main binary || All || root:root || `rwxr-xr-x` (0755) || ||
     13|| [F] /usr/include/openvpn-msg.h [[BR]] [F] /usr/include/openvpn-plugin.h || Development headers || All || root:root || `rw-r--r-- (644) || (1) ||
     14|| [D] /usr/lib/openvpn/plugins/ [[BR]] [D] /usr/lib64/openvpn/plugins/ || Directory for OpenVPN plugins || All || root:root || `rwxr-xr-x` (0755) || ||
     15|| [D] /usr/libexec/openvpn/ || Directory for scripts executed by OpenVPN || All || root:root || `rwxr-xr-x` (0755) || (2) ||
     16|| [D] /var/lib/openvpn/ || Various OpenVPN data files || All || openvpn:openvpn || `rwxrwx--x` (0771) || (3) ||
     17|| [D] /var/lib/openvpn/chroot/ || Default chroot directory || All || root:root || `rwxr-xr-x` (0755) || ||
     18|| [D] /var/lib/openvpn/chroot/tmp/ || Default chroot `--tmp-dir` || All || openvpn:openvpn || `rwxrwx---` (0770) || (4) ||
     19|| [D] /var/log/openvpn/ || Main log directory || All || openvpn:openvpn || `rwxrwxr-x` (0775) || (4) ||
    1920
    2021=== Remarks ===
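
Review bot: The re-added /var/log/openvpn/ row (v5 line 19) cites remark (4), but in this revision Remark 4 is the chroot `/tmp` note and the log-directory text ("May not be used by systemd based distributions ...") has become Remark 5, so the reference should be (5). In the development headers row (v5 line 13) the mode cell is missing its closing backtick and gives a three-digit mode, (644), where every other row uses four digits; suggest `rw-r--r--` (0644) so the table renders correctly and stays consistent.
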
     
    2324
    2425==== Remark 1 ====
     26Development headers may be packaged in a separate development package for distributions providing that
     27
     28==== Remark 2 ====
    2529Especially useful on SELinux enabled systems, where correct security labelling is important
    2630
    27 ==== Remark 2 ====
    28 May not be used by systemd based distributions, but is useful for those not using the systemd-journal
    29 
    3031==== Remark 3 ====
    31 Ideal for `--crl files`, `--ifconfig-pool-persist`.  The reason for providing others entry access to this directory is for other non-openvpn processes to be able to parse or update individual files in this directory.  The ACL on the file itself will be up to the system administrator to set accordingly to their need.  The lack of read access on the directory to others ensures that you non-privileged processes can't retrieve a list of files in this directory.
     32Ideal for `--crl` files, `--ifconfig-pool-persist`.  The reason for providing others entry access to this directory is for other non-openvpn processes to be able to parse or update individual files in this directory.  The ACL on the file itself will be up to the system administrator to set accordingly to their need.  The lack of read access on the directory to others ensures that you non-privileged processes can't retrieve a list of files in this directory.
    3233
    3334==== Remark 4 ====
    3435OpenVPN expects `/tmp` when running, and when using `--chroot` this is the default tmp-directory OpenVPN expects.
    3536
     37==== Remark 5 ====
     38May not be used by systemd based distributions, but is useful for those not using the systemd-journal
     39
    3640
    3741== Windows environments ==
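
Review bot: Remark 3 (v5 line 32) is changed only to move "files" out of the code span, and the sentence still reads "ensures that you non-privileged processes can't retrieve a list of files"; drop the stray "you" in the same edit. The OpenVPN option that takes a CRL is `--crl-verify`, so "`--crl-verify` files" would be more accurate than "`--crl` files". Remark 1 (v5 line 26) ends with "for distributions providing that", which is hard to parse; wording such as "on distributions that provide one" would be clearer. Remark 5 also gives no rationale for the 0775 mode on the log directory, while Remark 3 explains why others get entry access but no read access; a sentence on why others get read and entry access to the logs would help administrators decide whether to tighten it.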