Community Support Forum
 how to get ifconfig-push from client-connect 
 Post subject: how to get ifconfig-push from client-connect
PostPosted: Fri Nov 05, 2010 7:54 am 
OpenVpn Newbie

Joined: Fri Nov 05, 2010 7:39 am
Posts: 4
I'm running openvpn-2.1.1 on fedora 13. I have a custom client-connect shell script which is supposed to generate ip addresses for clients. It works ok. But how do I pass generated ip back to daemon? The manual says "If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1.". So essentially I do
Code:
echo "ifconfig-push $server_virtual_ip $client_virtual_ip" > "$1"
at the end of the script. This results in
Quote:
/opt/scripts/openvpn/10.client-connect.sh: line 26: openvpn_cc_2d513fe0c128eba25815d8080769e959.tmp: Permission denied
I added 'cd /opt/scripts/openvpn' and chowned this dir to nobody:nobody, but still no go. What else do I do?

Code:
local xx.xx.xx.xx
port 33333
proto udp
dev tun
ca /etc/ca/keys/qwerty-ca.crt
cert /etc/ca/keys/qwerty-s.crt
key /etc/ca/keys/qwerty-s.key
dh /etc/ca/keys/dh2048.pem
server 10.10.10.0 255.255.255.0
duplicate-cn
push "redirect-gateway"
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/10.status 120
log-append  /var/log/openvpn/10.log
verb 4
mute 10
no-replay
client-connect /opt/scripts/openvpn/10.client-connect.sh
nice -5
cd /opt/scripts/openvpn


Code:
# ll /opt/scripts/ | grep openvpn
drwxr-xr-x 2 nobody nobody 4096 Nov  4 22:16 openvpn


 Post subject: Re: how to get ifconfig-push from client-connect
PostPosted: Mon Nov 08, 2010 3:32 pm 
OpenVpn Newbie

Joined: Fri Nov 05, 2010 7:39 am
Posts: 4
Ended up using sudo, for lack of a better option.


 Post subject: Re: how to get ifconfig-push from client-connect
PostPosted: Thu Nov 11, 2010 5:32 pm 
OpenVpn Newbie

Joined: Fri Nov 05, 2010 7:39 am
Posts: 4
ok, that's no good either. /etc/openvpn/ gets flooded with "openvpn_cc_xxxxxxxxxxxxxxxxxx.tmp" files, which it cannot delete. Does anyone at all successfully use the 'client-connect' option?


 Post subject: Re: how to get ifconfig-push from client-connect
PostPosted: Tue Nov 16, 2010 11:53 am 
Developer

Joined: Mon Jan 11, 2010 10:14 am
Posts: 70
Location: dazo :: #openvpn-devel @ irc.freenode.net
If you are sure the permissions are correct on the directory, I'm guessing this is related to SELinux - especially if you are starting the daemon via the 'service' command or /etc/init.d script.

You can check the status by running the command 'getenforce'. If that returns 'Enforcing', you most likely have SELinux issues. If it returns 'Permissive' or 'Disabled', it is something else.

If SELinux is set to 'Enforcing', try temporarily switching to 'Permissive' by doing 'setenforce 0'. Verify with 'getenforce' that it is no longer 'Enforcing'. Now try to run OpenVPN and see how it behaves. If it works, you know for sure it is SELinux which denies this access. I suggest that you do not consider running in 'Permissive' or disabling SELinux as a solution. Rather, try to let SELinux allow OpenVPN to write these files. So do a 'setenforce 1' now, to move back to 'Enforcing'.

I'd suggest you use /var/lib/openvpn for this stuff. Give the --user and --group you define in the config the ownership of this directory as well. Then the tricky part. OpenVPN runs in a SELinux domain called openvpn_t. This domain should have read/write access to files with a SELinux type called openvpn_tmp_t. This should be used by OpenVPN for such stuff. To check if this is the right solution, do this:

Code:
   [root@host: ~] mkdir -m 770 -p /var/lib/openvpn
   [root@host: ~] chown openvpn:openvpn /var/lib/openvpn
   [root@host: ~] chcon -t openvpn_tmp_t /var/lib/openvpn

Now modify your config file to use /var/lib/openvpn for these temp files and see how it works. If this solves it, then you should write a little OpenVPN SELinux module so that the /var/lib/openvpn directory keeps the proper SELinux context, even when the filesystem is relabelled (using the 'restorecon' command).


Update: Please note that this is very Fedora/RHEL/CentOS specific. The security context OpenVPN runs under and which SELinux types are available may differ in other distributions.


 Post subject: Re: how to get ifconfig-push from client-connect
PostPosted: Tue Nov 16, 2010 6:13 pm 
OpenVpn Newbie

Joined: Fri Nov 05, 2010 7:39 am
Posts: 4
nah, I already figured it out. I never use selinux, it just complicates anything. The thing is that the openvpn init.d script for Fedora includes "--cd $work", where $work is /etc/openvpn, and that command line parameter overrides the value in the config. So what one needs to do to get it to work is
Code:
chmod 0775 /etc/openvpn
chown root:nobody /etc/openvpn

or whatever your openvpn user is.
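A client-connect script of the kind this thread discusses, added here as an example (it is not code from the thread or from OpenVPN): it maps the certificate CN to a fixed address from a constructed map file, writes the ifconfig-push line to the dynamic-config path passed in $1, and fails closed when the daemon's working directory (the one set by --cd) is not writable. It assumes topology subnet (so the second ifconfig-push argument is the netmask), unique CNs (with duplicate-cn every client sharing a CN would receive the same address), and an assumed map path /var/lib/openvpn/client-map.

```shell
#!/bin/sh
# Hypothetical client-connect script (added example): assign a fixed VPN address
# per certificate CN from a static map and hand it back to the daemon via $1.

MAP_FILE="${CC_MAP_FILE:-/var/lib/openvpn/client-map}"  # "cn address" per line (assumed path)
NETMASK="${CC_NETMASK:-255.255.255.0}"                   # topology subnet: 2nd arg is the netmask

# Write the dynamic config for one client. Arguments: common name, output path.
# Returns 0 after writing "ifconfig-push <addr> <netmask>"; any non-zero return
# makes OpenVPN refuse the connection, which is the safe failure mode here.
assign_address() {
    cn=$1
    out=$2
    # Reject CNs with characters outside a strict allow-list before using them anywhere.
    case $cn in
        ''|*[!A-Za-z0-9._-]*) echo "client-connect: refusing unexpected CN '$cn'" >&2; return 1 ;;
    esac
    addr=$(awk -v cn="$cn" '$1 == cn { print $2; exit }' "$MAP_FILE") || return 1
    # Only hand out addresses inside the VPN subnet from the thread's server line.
    case $addr in
        10.10.10.*) ;;
        *) echo "client-connect: no valid address mapped for '$cn'" >&2; return 1 ;;
    esac
    # $1 is a relative file name created in the daemon's working directory (--cd),
    # so that directory must be writable by the --user; fail closed otherwise.
    if ! printf 'ifconfig-push %s %s\n' "$addr" "$NETMASK" > "$out"; then
        echo "client-connect: cannot write dynamic config $out (check --cd dir permissions)" >&2
        return 1
    fi
    return 0
}

# Constructed sample map for stand-alone runs; a real deployment uses MAP_FILE.
make_sample_map() {
    cat > "$1" <<'EOF'
alice 10.10.10.20
bob 10.10.10.21
eve 192.168.1.5
EOF
}

# OpenVPN invokes the script as: script <dynamic-config-file>, with common_name
# exported in the environment.
if [ $# -ge 1 ]; then
    assign_address "${common_name:-}" "$1" || exit 1
fi
```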


 