Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] Openvpn client-connect causes auth failure
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Kresp
n00b
n00b


Joined: 17 Oct 2016
Posts: 73

PostPosted: Mon Sep 25, 2017 11:41 am    Post subject: [SOLVED] Openvpn client-connect causes auth failure Reply with quote

I want Openvpn to send an email every time somebody connects.

However, if I set client-connect option in openvpn.conf on the server, it causes auth failure:
Code:

[server] Peer Connection Initiated with [AF_INET]10.18.0.1:25250
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
SIGTERM[soft,auth-failure] received, process exiting

This is if I run openvpn manually with sudo.
When starting it as OpenRC service, it stays inactive indefinitely.

Config option goes like this:
Code:

client-connect /etc/openvpn/notify.sh

I checked permissions, and tested with different paths, including /tmp , 777 permissions, and by using /bin/true as the program to run.
Script just contains exit 0 .

Without this option everything works flawlessly.
OpenVPN is 2.4.3.


Last edited by Kresp on Thu Sep 28, 2017 4:34 am; edited 1 time in total
Back to top
View user's profile Send private message
Maxxx
Guru
Guru


Joined: 12 Jan 2016
Posts: 525
Location: Italia

PostPosted: Mon Sep 25, 2017 2:21 pm    Post subject: Reply with quote

Try to add this line:

Code:
script-security 3 system

in yuor openvpn.conf
Back to top
View user's profile Send private message
Kresp
n00b
n00b


Joined: 17 Oct 2016
Posts: 73

PostPosted: Tue Sep 26, 2017 1:40 pm    Post subject: Reply with quote

Maxxx wrote:
Try to add this line:

Code:
script-security 3 system

in yuor openvpn.conf

"Method" is removed past 2.3 version.


script-security 3 and script-security 2 works well with client-connect /bin/true but returns auth failure with client-connect /path/to/script.sh even with valid permissions for the file.

Getting there.
Will check it out further later. It probably needs to be client-connect /bin/sh /path/to/script.sh or something like that.
Back to top
View user's profile Send private message
Kresp
n00b
n00b


Joined: 17 Oct 2016
Posts: 73

PostPosted: Wed Sep 27, 2017 11:25 pm    Post subject: Reply with quote

Shebang was missing in my script. It all works now.

However, there's another problem:
My script will contain e-mail/password, but OpenVpn does not run as root, but as nobody.
I obsiously don't want to give o+r permission.
Is chown'ning file to nobody:nobody bad practice? Like this:
Code:

$ ls -lah /etc/openvpn/
total 88K
drwxr-xr-x  2 root   root   4.0K Sep 28 09:17 .
drwxr-xr-x 60 root   root   4.0K Sep 24 11:29 ..
-rwxr-xr-x  1 root   root    943 Sep  5 20:44 down.sh
-rwx------  1 nobody nobody   55 Sep 28 09:16 notify.sh
-rw-r--r--  1 root   root    881 Sep 28 09:17 openvpn.conf
-rwxr-xr-x  1 root   root   2.8K Sep  5 20:44 up.sh
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14295

PostPosted: Thu Sep 28, 2017 1:10 am    Post subject: Reply with quote

In general, nobody should be able to read sensitive passwords.

As I interpret the ebuild, the VPN server should be running as the dedicated openvpn user, not as the generic nobody user. Are you seeing different results? If so, was that the default or did you change it?
Back to top
View user's profile Send private message
Kresp
n00b
n00b


Joined: 17 Oct 2016
Posts: 73

PostPosted: Thu Sep 28, 2017 1:24 am    Post subject: Reply with quote

Well, I have
Code:

user nobody
group nobody

in my server config - that's what developers recommend:
https://community.openvpn.net/openvpn/wiki/HOWTO#usergroupnon-Windowsonly
https://community.openvpn.net/openvpn/wiki/HOWTO#Editingtheserverconfigurationfile
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 14295

PostPosted: Thu Sep 28, 2017 4:25 am    Post subject: Reply with quote

That recommendation was popular a decade ago. Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server. The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account. You should use a dedicated faceless account. Gentoo creates for you the openvpn faceless user for this purpose. You should use that, not nobody.
Back to top
View user's profile Send private message
Kresp
n00b
n00b


Joined: 17 Oct 2016
Posts: 73

PostPosted: Thu Sep 28, 2017 4:33 am    Post subject: Reply with quote

Hu wrote:
That recommendation was popular a decade ago. Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server. The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account. You should use a dedicated faceless account. Gentoo creates for you the openvpn faceless user for this purpose. You should use that, not nobody.


Ah, OK... That actually makes sense.
I'll switch to default openvpn user then.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum