Kresp (Tux's lil' helper)
Joined: 17 Oct 2016 Posts: 77
Posted: Mon Sep 25, 2017 11:41 am Post subject: [SOLVED] Openvpn client-connect causes auth failure
I want OpenVPN to send an email every time somebody connects.
However, if I set the client-connect option in openvpn.conf on the server, it causes an auth failure:
Code:
[server] Peer Connection Initiated with [AF_INET]10.18.0.1:25250
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
SIGTERM[soft,auth-failure] received, process exiting
This is if I run openvpn manually with sudo.
When starting it as OpenRC service, it stays inactive indefinitely.
The config option goes like this:
Code:
client-connect /etc/openvpn/notify.sh
I checked permissions, and tested with different paths, including /tmp, 777 permissions, and by using /bin/true as the program to run.
The script just contains exit 0.
Without this option everything works flawlessly.
OpenVPN is 2.4.3.
Last edited by Kresp on Thu Sep 28, 2017 4:34 am; edited 1 time in total
Maxxx (Guru)
Joined: 12 Jan 2016 Posts: 595 Location: Italia
Posted: Mon Sep 25, 2017 2:21 pm Post subject:
Try to add this line:
Code:
script-security 3 system
in your openvpn.conf
Kresp (Tux's lil' helper)
Joined: 17 Oct 2016 Posts: 77
Posted: Tue Sep 26, 2017 1:40 pm Post subject:
Maxxx wrote:
> Try to add this line:
> Code:
> script-security 3 system
> in your openvpn.conf
"Method" was removed after version 2.3.
script-security 3 and script-security 2 work well with client-connect /bin/true but return an auth failure with client-connect /path/to/script.sh even with valid permissions for the file.
Getting there.
Will check it out further later. It probably needs to be client-connect /bin/sh /path/to/script.sh or something like that.
Kresp (Tux's lil' helper)
Joined: 17 Oct 2016 Posts: 77
Posted: Wed Sep 27, 2017 11:25 pm Post subject:
The shebang was missing in my script. It all works now.
However, there's another problem:
My script will contain an e-mail address/password, but OpenVPN does not run as root, but as nobody.
I obviously don't want to give o+r permission.
Is chown'ing the file to nobody:nobody bad practice? Like this:
Code:
$ ls -lah /etc/openvpn/
total 88K
drwxr-xr-x 2 root root 4.0K Sep 28 09:17 .
drwxr-xr-x 60 root root 4.0K Sep 24 11:29 ..
-rwxr-xr-x 1 root root 943 Sep 5 20:44 down.sh
-rwx------ 1 nobody nobody 55 Sep 28 09:16 notify.sh
-rw-r--r-- 1 root root 881 Sep 28 09:17 openvpn.conf
-rwxr-xr-x 1 root root 2.8K Sep 5 20:44 up.sh
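An added example, not Kresp's notify.sh or anything else posted in this thread: a small POSIX sh pre-flight check for a client-connect script that covers the two things discussed above, the shebang that was missing and the question of who may read a script that carries credentials. It builds three constructed sample scripts in a temporary directory; all paths are placeholders. Run it as the user OpenVPN drops privileges to (the thread's nobody, or the openvpn user) so the executable-bit answer matches what the daemon will see.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an OpenVPN
# client-connect hook. OpenVPN execs the hook itself, so a script without a
# "#!" line cannot be started, the hook counts as failed and the connecting
# client is turned away with AUTH_FAILED, which is what this thread saw.

# check_cc_script PATH
# Returns 0 when PATH exists, starts with "#!", is executable by the caller
# and is not world-readable; otherwise prints each problem and returns 1.
check_cc_script() {
    script=$1
    rc=0
    if [ ! -f "$script" ]; then
        echo "missing: $script"
        return 1
    fi
    # The kernel only looks up an interpreter when the first two bytes are "#!".
    magic=$(dd if="$script" bs=2 count=1 2>/dev/null)
    if [ "$magic" != "#!" ]; then
        echo "no shebang: $script"
        rc=1
    fi
    if [ ! -x "$script" ]; then
        echo "not executable: $script"
        rc=1
    fi
    # Characters 8-10 of the ls mode string are the "other" permission bits;
    # a hook that embeds mail credentials must not be readable there.
    mode=$(ls -ld "$script" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c8-10) in
        r*) echo "world-readable: $script (mode $mode)"; rc=1 ;;
    esac
    return $rc
}

# make_samples DIR: writes three constructed scripts into DIR.
make_samples() {
    dir=$1
    # good: shebang, executable, owner-only
    printf '#!/bin/sh\nexit 0\n' > "$dir/good.sh";      chmod 0700 "$dir/good.sh"
    # noshebang: what the thread's notify.sh looked like before the fix
    printf 'exit 0\n' > "$dir/noshebang.sh";            chmod 0700 "$dir/noshebang.sh"
    # leaky: correct script, but every local user can read it
    printf '#!/bin/sh\nexit 0\n' > "$dir/leaky.sh";     chmod 0755 "$dir/leaky.sh"
}

# Stand-alone run: build the samples and report on each one.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.sh; do
    if check_cc_script "$f"; then echo "ok: $f"; fi
done
rm -rf "$demo_dir"
```

The "other" bits are read from ls rather than stat because the stat flags differ between GNU and BSD userlands; ls -l's ten-character mode string is the same everywhere.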
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21635
Posted: Thu Sep 28, 2017 1:10 am Post subject:
In general, nobody should be able to read sensitive passwords.
As I interpret the ebuild, the VPN server should be running as the dedicated openvpn user, not as the generic nobody user. Are you seeing different results? If so, was that the default or did you change it?
Kresp (Tux's lil' helper)
Joined: 17 Oct 2016 Posts: 77
Hu (Moderator)
Joined: 06 Mar 2007 Posts: 21635
Posted: Thu Sep 28, 2017 4:25 am Post subject:
That recommendation was popular a decade ago. Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server. The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account. You should use a dedicated faceless account. Gentoo creates for you the openvpn faceless user for this purpose. You should use that, not nobody.
Kresp (Tux's lil' helper)
Joined: 17 Oct 2016 Posts: 77
Posted: Thu Sep 28, 2017 4:33 am Post subject:
Hu wrote:
> That recommendation was popular a decade ago. Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server. The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account. You should use a dedicated faceless account. Gentoo creates for you the openvpn faceless user for this purpose. You should use that, not nobody.
Ah, OK... That actually makes sense.
I'll switch to the default openvpn user then.
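An added example, not the notify.sh from this thread: one way to lay out the client-connect hook for the dedicated openvpn user Hu recommends, so that the secret never has to be readable by nobody or by the world. The mail address and password live in a separate file (assumed name /etc/openvpn/notify.env) owned root:openvpn with mode 0640, and the hook refuses to read it if it has become more permissive. The MAILER command, the env file path and the ownership/mode are assumptions for this example, not Gentoo's defaults; the environment variable names are the ones OpenVPN's man page documents for client-connect hooks.

```shell
#!/bin/sh
# Added example, not the thread's notify.sh: an OpenVPN client-connect hook
# arranged for a dedicated openvpn user. Assumed deployment (placeholders):
#   openvpn.conf:  user openvpn
#                  group openvpn
#                  script-security 2
#                  client-connect /etc/openvpn/notify.sh
#   chown root:openvpn /etc/openvpn/notify.sh /etc/openvpn/notify.env
#   chmod 0750 /etc/openvpn/notify.sh
#   chmod 0640 /etc/openvpn/notify.env   # sets MAIL_TO, MAIL_FROM, MAILER
# OpenVPN exports common_name, trusted_ip, trusted_port and
# ifconfig_pool_remote_ip to this hook and passes in $1 a temporary file
# for per-client config directives (left empty here).

# sanitize VALUE -> VALUE with everything outside a safe character set
# removed, so a value placed in a mail header cannot smuggle in a second
# header line.
sanitize() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9._@:-'
}

# build_notice TO FROM CN REMOTE_IP REMOTE_PORT VPN_IP
# Prints a complete message on stdout, ready for "sendmail -t".
build_notice() {
    cn=$(sanitize "$3")
    printf 'To: %s\nFrom: %s\nSubject: OpenVPN connect: %s\n\n' "$1" "$2" "$cn"
    printf 'client=%s remote=%s:%s vpn_ip=%s\n' \
        "$cn" "$(sanitize "$4")" "$(sanitize "$5")" "$(sanitize "$6")"
}

# credentials_ok FILE -> 0 when FILE exists and its "other" permission bits
# (characters 8-10 of the ls mode string) are all clear, 1 otherwise.
credentials_ok() {
    [ -f "$1" ] || return 1
    case $(ls -ld "$1" | cut -c8-10) in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Hook entry point: runs only when OpenVPN invoked us (common_name is set),
# so the functions above can also be sourced and exercised on their own.
if [ -n "${common_name:-}" ]; then
    env_file=${NOTIFY_ENV:-/etc/openvpn/notify.env}   # placeholder path
    if credentials_ok "$env_file"; then
        . "$env_file"
        build_notice "$MAIL_TO" "$MAIL_FROM" "$common_name" \
            "$trusted_ip" "$trusted_port" "$ifconfig_pool_remote_ip" \
            | ${MAILER:-sendmail -t} \
            || logger -t openvpn-notify "mail failed for $common_name"
    else
        logger -t openvpn-notify "not reading $env_file: missing or too permissive"
    fi
    # Exit 0 regardless: a non-zero status from client-connect rejects the
    # client, and a broken mailer should not lock every user out of the VPN.
    exit 0
fi
```

Keeping the credential in its own 0640 file means the hook itself can stay readable to whoever audits /etc/openvpn, and rotating the password touches one file that only root and the openvpn group can open.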