| | 1 | = Running Unprivileged = |
| | 2 | By default, OpenVPN runs as the user who runs the init script. This page seeks to describe how to instead run as an Unprivileged user, "openvpn", instead. This is more secure than the built-in directives(--user and --group) because the openvpn process is never granted root permissions. Additionally, reconnects(including those which push fresh routes and configuration changes) which break when using --user are handled without issue. |
| | 3 | |
| | 4 | = Configuration = |
| | 5 | == Init Script == |
| | 6 | The init script is modifed to invoke the ''openvpn'' command via ''su'' instead of calling it directly(as root). It is recommended to copy the default init script to a new one('''/etc/rc.d/init.d/openvpn-su''')before making these changes. Otherwise, package updates will wipe them out. |
| | 7 | |
| | 8 | First, we must tell the init script which user to run as; insert the following near the top of the init script: |
| | 9 | {{{ |
| | 10 | OPENVPN_USER="openvpn" |
| | 11 | }}} |
| | 12 | Next, remove the following line: |
| | 13 | {{{ |
| | 14 | $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work $script_security |
| | 15 | }}} |
| | 16 | ....and replace it with: |
| | 17 | {{{ |
| | 18 | if [ -z "$OPENVPN_USER" ] |
| | 19 | then |
| | 20 | $openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work $script_security |
| | 21 | else |
| | 22 | su $OPENVPN_USER --command="$openvpn --daemon --writepid $piddir/$bn.pid --cd $work --config $c $script_security" |
| | 23 | fi |
| | 24 | }}} |
| | 25 | |
| | 26 | Optional: If you would like, you could move the OPENVPN_USER variable definition into a sysconfig file, and source that instead of defining it directly. This is more in line with typical init script behavior, where a different user may be desirable. The usage of the ''if'' block in the init script is meant to accommodate the possibility of the variable being undefined(in which case, openvpn will be executed as root). |
| | 27 | |
| | 28 | == Wrapper for ''ip'' == |
| | 29 | Because openvpn will be running unprivileged, it can't execute the ''ip'' command directly. Create a wrapper script, '''/usr/local/sbin/unpriv-ip''' (remember to chmod this to 755): |
| | 30 | {{{ |
| | 31 | #!/bin/sh |
| | 32 | sudo /sbin/ip $* |
| | 33 | }}} |
| | 34 | |
| | 35 | Next, grant sudo access to the openvpn user so it can use the wrapper script. Use ''visudo'' to edit your sudoers list, and insert the first line where convenient(at the end works well). NOTE: If you have previously specified "Defaults requiretty" in your sudoers(a useful additional security measure), you will need the second line as well. |
| | 36 | |
| | 37 | {{{ |
| | 38 | openvpn ALL=(ALL) NOPASSWD: /sbin/ip |
| | 39 | Defaults:openvpn !requiretty |
| | 40 | }}} |
| | 41 | |
| | 42 | == TUN/TAP Device == |
| | 43 | Because openvpn will be running as an unprivileged user, a static tun/tap device is needed. The init script already supports running a shell script before executing openvpn, so create one to handle this task('''/etc/openvpn/openvpn.sh'''): |
| | 44 | |
| | 45 | {{{ |
| | 46 | #!/bin/sh |
| | 47 | openvpn --mktun --dev tun0 --dev-type tun --user openvpn --group openvpn |
| | 48 | }}} |
| | 49 | |
| | 50 | == User == |
| | 51 | If you are using openvpn from a binary distribution(such as that provided by EPEL), there should already be an openvpn user created, but it will need to be modified slightly. If it does not exist, create it. |
| | 52 | |
| | 53 | {{{ |
| | 54 | [root@hostname ~]# mkdir /var/lib/openvpn |
| | 55 | [root@hostname ~]# chown openvpn:openvpn /var/lib/openvpn |
| | 56 | [root@hostname ~]# usermod -d /var/lib/openvpn -s /bin/sh openvpn |
| | 57 | }}} |
| | 58 | |
| | 59 | Some other directories will need to be modified to allow the openvpn user to access them. |
| | 60 | |
| | 61 | {{{ |
| | 62 | [root@hostname ~]# chown openvpn:openvpn /var/run/openvpn /var/log/openvpn /etc/openvpn -R |
| | 63 | [root@hostname ~]# chmod u+w /var/run/openvpn /var/log/openvpn -R |
| | 64 | }}} |
| | 65 | |
| | 66 | You should also look at permissions/ownership for your keydir and '''/etc/openvpn'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys. |
| | 67 | |
| | 68 | == Config Changes == |
| | 69 | Lastly, you need to modify your openvpn config files to take advantage of all of these changes. Add the following directives to your openvpn configuration file('''/etc/openvpn/openvpn.conf'''): |
| | 70 | |
| | 71 | {{{ |
| | 72 | iproute /usr/local/sbin/unpriv-ip |
| | 73 | dev tun0 |
| | 74 | persist-tun |
| | 75 | }}} |
| | 76 | |
| | 77 | == Usage == |
| | 78 | Now, give it a whirl! |
| | 79 | |
| | 80 | {{{ |
| | 81 | [root@hostname ~]# service openvpn-su restart |
| | 82 | Shutting down openvpn: [ OK ] |
| | 83 | Starting openvpn: Sun Dec 4 03:42:19 2011 TUN/TAP device tun0 opened |
| | 84 | Sun Dec 4 03:42:19 2011 Persist state set to: ON |
| | 85 | [ OK ] |
| | 86 | [root@hostname ~]# ps -ef |grep openvpn |
| | 87 | openvpn 25557 1 0 03:42 ? 00:00:00 /usr/sbin/openvpn --daemon --wri |
| | 88 | root 25560 25499 0 03:42 pts/0 00:00:00 grep openvpn |
| | 89 | [root@hostname ~]# |
| | 90 | }}} |
| | 91 | |
| | 92 | == Troubleshooting == |
