Changes between Version 1 and Version 2 of UnprivilegedUser


Timestamp:
12/05/11 22:41:53 (12 years ago)
Author:
eugenekay
Comment:

--

  • UnprivilegedUser

    v1 v2  
    1 = Running Unprivileged =
    2 By default, OpenVPN runs as the user who runs the init script. This page seeks to describe how to instead run as an Unprivileged user, "openvpn", instead. This is more secure than the built-in directives(--user and --group) because the openvpn process is never granted root permissions. Additionally, reconnects(including those which push fresh routes and configuration changes) which break when using --user are handled without issue.
     1By default, OpenVPN runs as the root user. This page seeks to describe how to instead run as an unprivileged user, "openvpn", instead. This is more secure than the built-in directives(--user and --group) because the openvpn process is never started with root permissions. Additionally, reconnects(including those which push fresh routes and configuration changes) which normally break after privileges are dropped via --user are handled without issue.
    32
    43= Configuration =
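Review bot: the reworded claim at v2 line 1 that the openvpn process "is never started with root permissions" should say where the privileged work goes instead. The configuration shown later in this same revision (`iproute /usr/local/sbin/unpriv-ip` at v2 line 71) delegates interface and route setup to a wrapper, so root is still involved, only confined to that helper; stating that here lets readers see the real trust boundary rather than assuming no root is used at all. Two style points in the same line: "to instead run as an unprivileged user, "openvpn", instead" repeats "instead", and "directives(--user and --group)" and "reconnects(including" are missing a space before the parenthesis.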
     
    5756}}}
    5857
    59 Some other directories will need to be modified to allow the openvpn user to access them.
     58Some other directories will need to be set up so that the openvpn user can write to them.
    6059
    6160{{{
     61[root@hostname ~]# mkdir /var/log/openvpn
    6262[root@hostname ~]# chown openvpn:openvpn /var/run/openvpn /var/log/openvpn /etc/openvpn -R
    6363[root@hostname ~]# chmod u+w /var/run/openvpn /var/log/openvpn -R
    6464}}}
    65 
    66 You should also look at permissions/ownership for your keydir and '''/etc/openvpn'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys.
    6765
    6866== Config Changes ==
     
    7068
    7169{{{
     70log /var/log/openvpn/openvpn
    7271iproute /usr/local/sbin/unpriv-ip
    7372dev tun0
     
    7574}}}
    7675
    77 == Usage ==
     76= Usage =
    7877Now, give it a whirl!
    7978
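Review bot: the recursive `chown openvpn:openvpn ... /etc/openvpn -R` at v2 line 62 contradicts the guidance this revision moves to the Permissions section (v2 line 101), which says the openvpn user should be able to read its keys and config but not write to them. An owner can always restore write permission to its own files, so making the openvpn user the owner of `/etc/openvpn` means a compromised process could rewrite its own configuration and keys; suggest keeping `/etc/openvpn` root-owned with group `openvpn` and group-read-only modes, and limiting the `-R` chown and `chmod u+w` to `/var/run/openvpn` and `/var/log/openvpn`. Two smaller points in the same hunk: the added `log /var/log/openvpn/openvpn` line (v2 line 70) is not explained here, and `log` truncates the file on every start, so `log-append` is the better choice if you want history across reconnects; and changing `== Usage ==` to `= Usage =` (v2 line 76) promotes it to a top-level heading while `== Troubleshooting ==` at v2 line 91 stays at level 2 and will now nest under Usage, so confirm that is intended.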
     
    9190
    9291== Troubleshooting ==
     92
     93=== Logs ===
     94Since openvpn is no longer being executed as root, it is unable to write to the syslog. Thus you must use '''/var/log/openvpn/''' and the ''--log'' directive. If no files are being created inside this directory, check that the permissions on the directory are correct(it should be owned by the openvpn user, and have a mask of 0755 / drwxr-xr-x).
     95
     96=== Sudo ===
     97
     98
     99=== Permissions ===
     100
     101You should also look at permissions/ownership for your keydir and '''/etc/openvpn/'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys.
     102
     103
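Review bot: the Logs section at v2 line 94 recommends a directory mask of 0755 / drwxr-xr-x, which makes `/var/log/openvpn/` listable by every local user, and the log files openvpn creates there (which can contain client addresses and connection details) will be readable by everyone unless the umask is restrictive; suggest 0750 with group `openvpn`, and a note to check the mode of the created files. The `=== Sudo ===` section (v2 lines 96-98) is empty, although the sudo rule that lets the openvpn user run the `unpriv-ip` wrapper is the one piece a reader is most likely to get wrong; either fill it in or drop the heading until it has content. Minor: "correct(it should" needs a space before the parenthesis.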