Changes between Version 1 and Version 2 of UnprivilegedUser
Timestamp: 12/05/11 22:41:53 (12 years ago)
UnprivilegedUser
v1 v2 1 = Running Unprivileged = 2 By default, OpenVPN runs as the user who runs the init script. This page seeks to describe how to instead run as an Unprivileged user, "openvpn", instead. This is more secure than the built-in directives(--user and --group) because the openvpn process is never granted root permissions. Additionally, reconnects(including those which push fresh routes and configuration changes) which break when using --user are handled without issue. 1 By default, OpenVPN runs as the root user. This page seeks to describe how to instead run as an unprivileged user, "openvpn", instead. This is more secure than the built-in directives(--user and --group) because the openvpn process is never started with root permissions. Additionally, reconnects(including those which push fresh routes and configuration changes) which normally break after privileges are dropped via --user are handled without issue. 3 2 4 3 = Configuration = … … 57 56 }}} 58 57 59 Some other directories will need to be modified to allow the openvpn user to access them.58 Some other directories will need to be set up so that the openvpn user can write to them. 60 59 61 60 {{{ 61 [root@hostname ~]# mkdir /var/log/openvpn 62 62 [root@hostname ~]# chown openvpn:openvpn /var/run/openvpn /var/log/openvpn /etc/openvpn -R 63 63 [root@hostname ~]# chmod u+w /var/run/openvpn /var/log/openvpn -R 64 64 }}} 65 66 You should also look at permissions/ownership for your keydir and '''/etc/openvpn'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys.67 65 68 66 == Config Changes == … … 70 68 71 69 {{{ 70 log /var/log/openvpn/openvpn 72 71 iproute /usr/local/sbin/unpriv-ip 73 72 dev tun0 … … 75 74 }}} 76 75 77 = = Usage ==76 = Usage = 78 77 Now, give it a whirl! 79 78 … … 91 90 92 91 == Troubleshooting == 92 93 === Logs === 94 Since openvpn is no longer being executed as root, it is unable to write to the syslog. 
Thus you must use '''/var/log/openvpn/''' and the ''--log'' directive. If no files are being created inside this directory, check that the permissions on the directory are correct(it should be owned by the openvpn user, and have a mask of 0755 / drwxr-xr-x). 95 96 === Sudo === 97 98 99 === Permissions === 100 101 You should also look at permissions/ownership for your keydir and '''/etc/openvpn/'''. The openvpn user should be able to read these, but not write to them, and no user but openvpn should be able to read your keys. 102 103
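Review bot: the rewritten intro (v2 line 1) still reads "to instead run as an unprivileged user, "openvpn", instead", so one of the two "instead"s should go, and "directives(--user and --group)" and "reconnects(including" still lack a space before the opening parenthesis. The substantive edits, "the user who runs the init script" to "the root user" and "never granted" to "never started with" root permissions, are an improvement and match the page's point that privileges are never held rather than dropped.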
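Review bot: `chown openvpn:openvpn /var/run/openvpn /var/log/openvpn /etc/openvpn -R` in the Configuration block makes the openvpn user the owner of everything under /etc/openvpn, including the key directory, and an owner can always chmod its own files, so the intent stated in the new Permissions subsection (openvpn can read the keys but not write them) is not enforced by this block. Consider keeping /etc/openvpn and the key files root-owned and readable by the openvpn group instead, e.g. `chown -R root:openvpn /etc/openvpn` with `chmod 640` on the keys, and limit the recursive chown to the two runtime directories. The added `mkdir /var/log/openvpn` creates only the log directory; if /var/run/openvpn is not created in the elided lines above, the chown on it will fail on a fresh host.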
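Review bot: the new `=== Sudo ===` subsection under Troubleshooting is empty; either fill it in or drop the heading until there is content. The Logs subsection says the log directory should have mode 0755, while the Configuration block only runs `chmod u+w ... -R`; stating the full expected mode once, in the Configuration section next to the `log /var/log/openvpn/openvpn` directive it supports, would save readers from checking two places. Also, changing `= = Usage ==` to `= Usage =` makes Usage a top-level heading like Configuration, which leaves `== Troubleshooting ==` nested under Usage; if Troubleshooting is meant to stand alone, promote it as well.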