
Re: openvpn script



On 2011-08-27T15:22:53+0000 Jaap van Wingerde
<mailinglists@vanwingerde.net> wrote in message
<20110827152253.696dd3f1@jaap.jaap.custard.shrl.nl>, regarding "openvpn
script", the following:

> When I restart openvpn I get the following message:
> "Aug 27 15:11:54 custard ovpn-custard_to_gaugino[20546]: Route script
> failed: could not execute external program"
> 
> How do I fix this?

The key turns out to be at <http://forums.openvpn.net/topic7399.html>.
The scripts must be executable by user nobody.

sudo chmod 755 /etc/openvpn/scripts/gaugino_up.sh
sudo chmod 755 /etc/openvpn/scripts/gaugino_down.sh

After that /sbin/ip started complaining that the operation was not permitted.

So I changed it to sudo /sbin/ip .... in the scripts, created user ovpn,
added to the openvpn conf in question
user ovpn 
group nogroup
and added to sudoers
sudo chmod 755 /etc/openvpn/scripts/gaugino_up.sh
. Now it runs as desired.

This really isn't clear.
<http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html>:

"--route-up
    Executed after connection authentication, either immediately after,
or some number of seconds after as defined by the --route-delay option"

"--user user
    Change the user ID of the OpenVPN process to user after
initialization, dropping privileges in the process. This option is
useful to protect the system in the event that some hostile party was
able to gain control of an OpenVPN session. Though OpenVPN's security
features make this unlikely, it is provided as a second line of defense.

    By setting user to nobody or somebody similarly unprivileged, the
    hostile party would be limited in what damage they could cause. Of
    course once you take away privileges, you cannot return them to an
    OpenVPN session. This means, for example, that if you want to reset
    an OpenVPN daemon with a SIGUSR1 signal (for example in response to
    a DHCP reset), you should make use of one or more of the --persist
    options to ensure that OpenVPN doesn't need to execute any
    privileged operations in order to restart (such as re-reading key
    files or running ifconfig on the TUN device)"

"--route-up
    Executed after connection authentication, either immediately after,
or some number of seconds after as defined by the --route-delay option"

"--up cmd
    Shell command to run after successful TUN/TAP device open (pre
--user UID change). The up script is useful for specifying route
commands which route IP traffic destined for private subnets which
exist at the other end of the VPN connection into the tunnel"

Apparently "up" is executed as root after all. So: user nobody, remove sudo
from the scripts and use up instead of route-up: and sure enough, no
error messages.

Heh heh.


-- 

Jaap van Wingerde
e-mail: 1234567890@vanwingerde.net
web: http://jaap.vanwingerde.net/

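As an added example (not code from Jaap's post or from the OpenVPN project): an --up hook that adds the route while OpenVPN is still root, before the --user nobody change, together with a permission check that matches the thread's conclusion. The hook must be executable by others so an unprivileged OpenVPN can still run its later hooks, but must not be group- or world-writable, because root executes it on the next start. The subnet 10.8.0.0/24 is an assumed value; script_type and dev are environment variables OpenVPN sets for hook scripts.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): an OpenVPN --up hook plus
# a permission check for hook scripts.
# Assumed value (not in the post): the remote subnet behind the tunnel.
REMOTE_SUBNET="${REMOTE_SUBNET:-10.8.0.0/24}"

# add_route DEV
# The work of an --up script. OpenVPN runs --up before the --user change,
# so the process still holds CAP_NET_ADMIN and no sudo is required.
add_route() {
    ip route add "$REMOTE_SUBNET" dev "$1"
}

# check_script_perms PATH
# Returns 0 when PATH is a regular file that is executable by others
# (so a process running as nobody can run --route-up/--down hooks) and
# writable only by its owner (so the unprivileged process cannot rewrite
# a script that root will execute). Prints the reason on failure.
check_script_perms() {
    path="$1"
    [ -f "$path" ] || { echo "$path: not a regular file"; return 1; }
    # GNU stat first, BSD stat as fallback; keep only the low three digits.
    mode=$(stat -c '%a' "$path" 2>/dev/null) || mode=$(stat -f '%OLp' "$path")
    mode="${mode#"${mode%???}"}"
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ $((o & 1)) -eq 0 ]; then
        echo "$path: not executable by others (mode $mode); chmod 755 it"
        return 1
    fi
    if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
        echo "$path: group- or world-writable (mode $mode); root runs this file"
        return 1
    fi
    return 0
}

# Only act when OpenVPN invokes this file as the --up hook; when sourced or
# run by hand, script_type is unset and nothing is changed on the host.
case "${script_type:-}" in
    up) add_route "${dev:-$1}" ;;
esac
```

Install as /etc/openvpn/scripts/gaugino_up.sh with mode 755 and reference it with `up /etc/openvpn/scripts/gaugino_up.sh` in the config; `--user nobody` then applies after the routes exist, and no sudoers entry is needed.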

