On 2011-08-27T15:22:53+0000 Jaap van Wingerde <mailinglists@vanwingerde.net> wrote in message <20110827152253.696dd3f1@jaap.jaap.custard.shrl.nl>, regarding "openvpn script", the following:

> When I restart openvpn I get the following message:
> "Aug 27 15:11:54 custard ovpn-custard_to_gaugino[20546]: Route script
> failed: could not execute external program"
>
> How do I fix this?

The key turns out to be at <http://forums.openvpn.net/topic7399.html>. The scripts must be executable by user nobody.

sudo chmod 755 /etc/openvpn/scripts/gaugino_up.sh
sudo chmod 755 /etc/openvpn/scripts/gaugino_down.sh

After that /sbin/ip started complaining that the operation was not permitted. So I changed the scripts to sudo /sbin/ip ...., created user ovpn, added user ovpn group nogroup to the openvpn conf concerned, and added sudo chmod 755 /etc/openvpn/scripts/gaugino_up.sh to sudoers. Now it runs as desired.

This is not really clear, though. <http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html>:

"--route-up Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option"

"--user user Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session. Though OpenVPN's security features make this unlikely, it is provided as a second line of defense. By setting user to nobody or somebody similarly unprivileged, the hostile party would be limited in what damage they could cause. Of course once you take away privileges, you cannot return them to an OpenVPN session. This means, for example, that if you want to reset an OpenVPN daemon with a SIGUSR1 signal (for example in response to a DHCP reset), you should make use of one or more of the --persist options to ensure that OpenVPN doesn't need to execute any privileged operations in order to restart (such as re-reading key files or running ifconfig on the TUN device)"

"--route-up Executed after connection authentication, either immediately after, or some number of seconds after as defined by the --route-delay option"

"--up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel"

Apparently "up" is executed as root. So: user nobody, remove sudo from the scripts, and use up instead of route-up. And sure enough: no error messages. Hehe.

--
Jaap van Wingerde
e-mail: 1234567890@vanwingerde.net
web: http://jaap.vanwingerde.net/
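The difference the thread lands on (an "up" script runs before the --user change, a "route-up" script after it) is easiest to see in a script that refuses to do anything when it is not root. What follows is an added example, not the poster's gaugino_up.sh: an OpenVPN "up" script that adds a route for the subnet behind the other end of the tunnel without sudo, together with the config lines it pairs with. The subnet 192.0.2.0/24, the script-security and persist lines, and the $dev / $script_type environment variables that OpenVPN exports to its scripts are assumptions for the example and are not taken from the message above.

```shell
#!/bin/sh
# Example "up" script for OpenVPN (added illustration, not the poster's own script).
#
# Assumed config lines it pairs with (the thread's options plus script-security,
# which OpenVPN 2.1 requires before it will run external scripts):
#   user nobody
#   group nogroup
#   persist-key
#   persist-tun
#   script-security 2
#   up /etc/openvpn/scripts/gaugino_up.sh   # runs as root, before the --user change
# Pointing "route-up" at this script instead would run it after privileges have
# been dropped to nobody, and "ip route add" would then fail with
# "Operation not permitted", which is why the sudo workaround was needed.
#
# OpenVPN invokes an --up script as
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# and exports environment variables such as $dev (the tun device) and
# $script_type ("up", "down", "route-up", ...).

set -eu

# Subnet on the far side of the tunnel (constructed example value from the
# RFC 5737 documentation range).
REMOTE_SUBNET="${REMOTE_SUBNET:-192.0.2.0/24}"

# Build the ip(8) command line for a subnet and a tun device. Kept as a function
# so the command can be inspected without touching the routing table.
route_cmd() {
    printf '/sbin/ip route add %s dev %s' "$1" "$2"
}

# True only before the --user change, i.e. when called via "up" rather than "route-up".
running_as_root() {
    [ "$(id -u)" -eq 0 ]
}

main() {
    tun_dev="${dev:-${1:?tun device missing}}"
    if ! running_as_root; then
        echo "$0: not running as root; configure this script with --up, not --route-up" >&2
        exit 1
    fi
    cmd="$(route_cmd "$REMOTE_SUBNET" "$tun_dev")"
    echo "$cmd"
    # The arguments contain no whitespace, so plain word splitting is safe here.
    $cmd
}

# Act only when OpenVPN itself calls the script with script_type=up; reading or
# sourcing the file for inspection then does nothing.
if [ "${script_type:-}" = "up" ]; then
    main "$@"
fi
```

The down counterpart (gaugino_down.sh in the thread) is a separate case: --down runs after the --user change, so a route deletion there hits the same "Operation not permitted" error. In practice the kernel drops routes bound to the tun device when the device goes away, and for the cases where a down script really must run as root OpenVPN ships the openvpn-plugin-down-root.so plugin rather than relying on sudo inside the script.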