Can't start OpenVPN as unprivileged user

kimifish
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 07, 2016 6:37 am

Can't start OpenVPN as unprivileged user

Post by kimifish » Wed Dec 07, 2016 7:07 am

I did all the things described here and am experiencing this:

Code:

…
Wed Dec  7 09:41:31 2016 us=961463 GID set to openvpn
Wed Dec  7 09:41:31 2016 us=961479 setgroups('openvpn') failed: Operation not permitted (errno=1)
Wed Dec  7 09:41:31 2016 us=961489 Exiting due to fatal error

All the output:

Code:

openvpn@kimipc: /etc/openvpn$ openvpn --cd /etc/openvpn --config /etc/openvpn/server.conf
Wed Dec  7 09:41:31 2016 us=908717 Current Parameter Settings:
Wed Dec  7 09:41:31 2016 us=908770   config = '/etc/openvpn/server.conf'
Wed Dec  7 09:41:31 2016 us=908781   mode = 1
Wed Dec  7 09:41:31 2016 us=908788   persist_config = DISABLED
Wed Dec  7 09:41:31 2016 us=908796   persist_mode = 1
Wed Dec  7 09:41:31 2016 us=908803   show_ciphers = DISABLED
Wed Dec  7 09:41:31 2016 us=908810   show_digests = DISABLED
Wed Dec  7 09:41:31 2016 us=908817   show_engines = DISABLED
Wed Dec  7 09:41:31 2016 us=908825   genkey = DISABLED
Wed Dec  7 09:41:31 2016 us=908832   key_pass_file = '[UNDEF]'
Wed Dec  7 09:41:31 2016 us=908839   show_tls_ciphers = DISABLED
Wed Dec  7 09:41:31 2016 us=908846 Connection profiles [default]:
Wed Dec  7 09:41:31 2016 us=908853   proto = udp
Wed Dec  7 09:41:31 2016 us=908860   local = '[UNDEF]'
Wed Dec  7 09:41:31 2016 us=908868   local_port = 1194
Wed Dec  7 09:41:31 2016 us=908875   remote = '[UNDEF]'
Wed Dec  7 09:41:31 2016 us=908882   remote_port = 1194
Wed Dec  7 09:41:31 2016 us=908889   remote_float = DISABLED
Wed Dec  7 09:41:31 2016 us=908896   bind_defined = DISABLED
Wed Dec  7 09:41:31 2016 us=908903   bind_local = ENABLED
Wed Dec  7 09:41:31 2016 us=908909 NOTE: --mute triggered...
Wed Dec  7 09:41:31 2016 us=908922 260 variation(s) on previous 20 message(s) suppressed by --mute
Wed Dec  7 09:41:31 2016 us=908930 OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
Wed Dec  7 09:41:31 2016 us=908943 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Wed Dec  7 09:41:31 2016 us=908968 PKCS#11: pkcs11_initialize - entered
Wed Dec  7 09:41:31 2016 us=909025 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Wed Dec  7 09:41:31 2016 us=909095 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Wed Dec  7 09:41:31 2016 us=909634 Diffie-Hellman initialized with 2048 bit key
Wed Dec  7 09:41:31 2016 us=911652 PRNG init md=SHA1 size=36
Wed Dec  7 09:41:31 2016 us=911825 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
Wed Dec  7 09:41:31 2016 us=912436 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  7 09:41:31 2016 us=912454 Outgoing Control Channel Authentication: HMAC KEY: eaccd2d2 d0959475 c65d21eb 64a11a03 6e2c89ed
Wed Dec  7 09:41:31 2016 us=912462 Outgoing Control Channel Authentication: HMAC size=20 block_size=20
Wed Dec  7 09:41:31 2016 us=912471 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Dec  7 09:41:31 2016 us=912481 Incoming Control Channel Authentication: HMAC KEY: c78c2cc4 afa6ab14 6a92724b 6fa5ebc8 12b2ef76
Wed Dec  7 09:41:31 2016 us=912488 Incoming Control Channel Authentication: HMAC size=20 block_size=20
Wed Dec  7 09:41:31 2016 us=912495 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 40 bytes
Wed Dec  7 09:41:31 2016 us=912503 crypto_adjust_frame_parameters: Adjusting frame parameters for crypto by 28 bytes
Wed Dec  7 09:41:31 2016 us=912517 TLS-Auth MTU parms [ L:1542 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Wed Dec  7 09:41:31 2016 us=912525 MTU DYNAMIC mtu=1450, flags=2, 1542 -> 1450
Wed Dec  7 09:41:31 2016 us=912541 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec  7 09:41:31 2016 us=912582 TUN/TAP device tun0 opened
Wed Dec  7 09:41:31 2016 us=912598 Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
Wed Dec  7 09:41:31 2016 us=912654 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Dec  7 09:41:31 2016 us=912674 /usr/local/sbin/unpriv-ip link set dev tun0 up mtu 1500
Wed Dec  7 09:41:31 2016 us=912913 PKCS#11: __pkcs11h_forkFixup entry pid=25343, activate_slotevent=1
Wed Dec  7 09:41:31 2016 us=912964 PKCS#11: __pkcs11h_forkFixup return
Wed Dec  7 09:41:31 2016 us=954343 /usr/local/sbin/unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Wed Dec  7 09:41:31 2016 us=954605 PKCS#11: __pkcs11h_forkFixup entry pid=25346, activate_slotevent=1
Wed Dec  7 09:41:31 2016 us=954658 PKCS#11: __pkcs11h_forkFixup return
Wed Dec  7 09:41:31 2016 us=961132 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:143 ET:0 EL:3 AF:3/1 ]
Wed Dec  7 09:41:31 2016 us=961463 GID set to openvpn
Wed Dec  7 09:41:31 2016 us=961479 setgroups('openvpn') failed: Operation not permitted (errno=1)
Wed Dec  7 09:41:31 2016 us=961489 Exiting due to fatal error
Wed Dec  7 09:41:31 2016 us=961505 Closing TUN/TAP interface
Wed Dec  7 09:41:31 2016 us=961521 /usr/local/sbin/unpriv-ip addr del dev tun0 10.8.0.1/24
Wed Dec  7 09:41:31 2016 us=961709 PKCS#11: __pkcs11h_forkFixup entry pid=25349, activate_slotevent=1
Wed Dec  7 09:41:31 2016 us=961752 PKCS#11: __pkcs11h_forkFixup return

I don't know what other data to supply, so just in case:

Permissions:

Code:

openvpn@kimipc: /etc/openvpn$ dpkg-query --listfiles openvpn | xargs ls -ldh
drwxr-xr-x   29 root    root    4,0K дек  6 18:24 /.
drwxr-xr-x  197 root    root     12K дек  7 01:57 /etc
drwxr-xr-x    2 root    root    4,0K ноя 26 01:08 /etc/bash_completion.d
-rw-r--r--    1 root    root     553 фев  2  2016 /etc/bash_completion.d/openvpn
drwxr-xr-x    3 root    root    4,0K дек  6 18:30 /etc/default
-rw-r--r--    1 root    root    1,2K июн 30  2015 /etc/default/openvpn
drwxr-xr-x    2 root    root    4,0K дек  6 22:58 /etc/init.d
-rwxr-xr-x    1 root    root     10K янв 21  2016 /etc/init.d/openvpn
drwxr-xr-x    7 root    root    4,0K фев 21  2014 /etc/network
drwxr-xr-x    2 root    root    4,0K сен 24 12:54 /etc/network/if-down.d
-rwxr-xr-x    1 root    root     372 фев  2  2016 /etc/network/if-down.d/openvpn
drwxr-xr-x    2 root    root    4,0K окт  7 02:36 /etc/network/if-up.d
-rwxr-xr-x    1 root    root     385 фев  2  2016 /etc/network/if-up.d/openvpn
drwxr-xr-x    5 openvpn openvpn 4,0K дек  7 09:41 /etc/openvpn
-rwxr-xr-x    1 openvpn openvpn 1,3K фев  2  2016 /etc/openvpn/update-resolv-conf
drwxr-xr-x   28 root    root    4,0K ноя  4 18:56 /lib
drwxr-xr-x    8 root    root    4,0K ноя  6 22:22 /lib/systemd
drwxr-xr-x   29 root    root     36K дек  7 01:51 /lib/systemd/system
drwxr-xr-x    2 root    root    4,0K дек  6 18:23 /lib/systemd/system-generators
-rwxr-xr-x    1 root    root     899 сен 30  2014 /lib/systemd/system-generators/openvpn-generator
-rw-r--r--    1 root    root     320 дек  7 01:51 /lib/systemd/system/openvpn.service
-rw-r--r--    1 root    root     914 фев  2  2016 /lib/systemd/system/openvpn@.service
drwxr-xr-x   15 root    root    4,0K июн 15 07:27 /usr
drwxr-xr-x   64 root    root     20K ноя 28 16:36 /usr/include
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/include/openvpn
-rw-r--r--    1 root    root     28K фев  2  2016 /usr/include/openvpn/openvpn-plugin.h
drwxr-xr-x  216 root    root     36K дек  6 20:35 /usr/lib
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/lib/openvpn
-rw-r--r--    1 root    root     14K фев  2  2016 /usr/lib/openvpn/openvpn-plugin-auth-pam.so
-rw-r--r--    1 root    root    9,9K фев  2  2016 /usr/lib/openvpn/openvpn-plugin-down-root.so
drwxr-xr-x    2 root    root    4,0K ноя  6 22:22 /usr/lib/tmpfiles.d
-rw-r--r--    1 root    root      34 мар 17  2014 /usr/lib/tmpfiles.d/openvpn.conf
drwxr-xr-x    4 root    root     12K дек  6 18:23 /usr/sbin
-rwxr-xr-x    1 root    root    671K фев  2  2016 /usr/sbin/openvpn
drwxr-xr-x  468 root    root     20K дек  6 10:22 /usr/share
drwxr-xr-x 3242 root    root    132K дек  6 18:22 /usr/share/doc
drwxr-xr-x    3 root    root    4,0K апр 18  2016 /usr/share/doc/openvpn
-rw-r--r--    1 root    root      28 май 18  2015 /usr/share/doc/openvpn/AUTHORS
-rw-r--r--    1 root    root    1,7K фев  2  2016 /usr/share/doc/openvpn/changelog.Debian.gz
-rw-r--r--    1 root    root    3,2K фев  2  2016 /usr/share/doc/openvpn/COPYING.gz
-rw-r--r--    1 root    root    2,0K ноя  5  2012 /usr/share/doc/openvpn/copyright
-rw-r--r--    1 root    root    6,7K фев  2  2016 /usr/share/doc/openvpn/COPYRIGHT.GPL.gz
drwxr-xr-x    5 root    root    4,0K апр 18  2016 /usr/share/doc/openvpn/examples
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/share/doc/openvpn/examples/sample-config-files
-rw-r--r--    1 root    root    3,4K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/client.conf
-rwxr-xr-x    1 root    root    3,5K дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/firewall.sh
-rwxr-xr-x    1 root    root      62 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/home.up
-rw-r--r--    1 root    root     642 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/loopback-client
-rw-r--r--    1 root    root     645 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/loopback-server
-rwxr-xr-x    1 root    root      62 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/office.up
-rwxr-xr-x    1 root    root      63 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/openvpn-shutdown.sh
-rwxr-xr-x    1 root    root     776 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/openvpn-startup.sh
-rw-r--r--    1 root    root     131 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/README
-rw-r--r--    1 root    root    4,2K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz
-rw-r--r--    1 root    root    1,8K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/static-home.conf
-rw-r--r--    1 root    root    1,7K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/static-office.conf
-rw-r--r--    1 root    root    1,9K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/tls-home.conf
-rw-r--r--    1 root    root    2,0K фев  2  2016 /usr/share/doc/openvpn/examples/sample-config-files/tls-office.conf
-rw-r--r--    1 root    root     199 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/xinetd-client-config
-rw-r--r--    1 root    root     989 дек 21  2015 /usr/share/doc/openvpn/examples/sample-config-files/xinetd-server-config
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/share/doc/openvpn/examples/sample-keys
-rw-r--r--    1 root    root    2,2K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/ca.crt
-rw-r--r--    1 root    root    3,2K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/ca.key
-rw-r--r--    1 root    root    3,3K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client.crt.gz
-rw-r--r--    1 root    root    2,7K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client-ec.crt.gz
-rw-r--r--    1 root    root     237 дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client-ec.key
-rw-r--r--    1 root    root    1,7K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client.key
-rw-r--r--    1 root    root    4,5K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client.p12.gz
-rw-r--r--    1 root    root    1,8K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/client-pass.key
-rw-r--r--    1 root    root     424 дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/dh2048.pem
-rwxr-xr-x    1 root    root    2,9K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/gen-sample-keys.sh
-rw-r--r--    1 root    root      11 дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/.gitignore
-rw-r--r--    1 root    root    4,3K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/openssl.cnf
-rw-r--r--    1 root    root     737 дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/README
-rw-r--r--    1 root    root    3,5K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/server.crt.gz
-rw-r--r--    1 root    root    2,9K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/server-ec.crt.gz
-rw-r--r--    1 root    root     237 дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/server-ec.key
-rw-r--r--    1 root    root    1,7K дек 21  2015 /usr/share/doc/openvpn/examples/sample-keys/server.key
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/share/doc/openvpn/examples/sample-scripts
-rwxr-xr-x    1 root    root    2,4K дек 21  2015 /usr/share/doc/openvpn/examples/sample-scripts/auth-pam.pl
-rwxr-xr-x    1 root    root     741 дек 21  2015 /usr/share/doc/openvpn/examples/sample-scripts/bridge-start
-rwxr-xr-x    1 root    root     313 дек 21  2015 /usr/share/doc/openvpn/examples/sample-scripts/bridge-stop
-rwxr-xr-x    1 root    root     339 дек 21  2015 /usr/share/doc/openvpn/examples/sample-scripts/ucn.pl
-rwxr-xr-x    1 root    root    2,2K дек 21  2015 /usr/share/doc/openvpn/examples/sample-scripts/verify-cn
-rw-r--r--    1 root    root     11K фев  2  2016 /usr/share/doc/openvpn/management-notes.txt.gz
-rw-r--r--    1 root    root    1,4K янв 10  2013 /usr/share/doc/openvpn/NEWS.Debian.gz
-rw-r--r--    1 root    root    3,8K май 18  2015 /usr/share/doc/openvpn/PORTS
-rw-r--r--    1 root    root    2,1K дек 21  2015 /usr/share/doc/openvpn/README
-rw-r--r--    1 root    root    2,6K фев  2  2016 /usr/share/doc/openvpn/README.auth-pam
-rw-r--r--    1 root    root    3,5K мар 15  2014 /usr/share/doc/openvpn/README.Debian.gz
-rw-r--r--    1 root    root     866 фев  2  2016 /usr/share/doc/openvpn/README.down-root
-rw-r--r--    1 root    root    2,0K фев  2  2016 /usr/share/doc/openvpn/README.IPv6
-rw-r--r--    1 root    root     789 фев  2  2016 /usr/share/doc/openvpn/README.polarssl
drwxr-xr-x   96 root    root    4,0K окт  9 00:46 /usr/share/man
drwxr-xr-x    2 root    root     52K дек  6 18:23 /usr/share/man/man8
-rw-r--r--    1 root    root     60K фев  2  2016 /usr/share/man/man8/openvpn.8.gz
drwxr-xr-x    2 root    root    4,0K апр 18  2016 /usr/share/openvpn
-rwxr-xr-x    1 root    root    2,2K фев  2  2016 /usr/share/openvpn/verify-cn

Capabilities:

Code:

openvpn@kimipc: /etc/openvpn$ dpkg-query --listfiles openvpn | getcap
openvpn@kimipc: /etc/openvpn$ 		# Nothing here.

Please help. =)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't start OpenVPN as unprivileged user

Post by TinCanTech » Wed Dec 07, 2016 11:32 am

You must start openvpn using root.

kimifish
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 07, 2016 6:37 am

Re: Can't start OpenVPN as unprivileged user

Post by kimifish » Wed Dec 07, 2016 12:52 pm

TinCanTech wrote: You must start openvpn using root.

Then why does the Unprivileged mode wiki article say "On Linux OpenVPN can be run completely unprivileged. This configuration is a little more complex, but provides best security."?
Somebody is definitely wrong here…

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't start OpenVPN as unprivileged user

Post by TinCanTech » Wed Dec 07, 2016 4:51 pm

On this occasion it looks like I am wrong...

Perhaps you have not followed the instructions very carefully because it works on my server.

What OS is your server ?

BaN
OpenVpn Newbie
Posts: 6
Joined: Fri Nov 20, 2015 6:37 am

Re: Can't start OpenVPN as unprivileged user

Post by BaN » Sat Aug 12, 2017 10:21 am

I'm having the same problem. If I just comment out "group openvpn" from the config file, then it all starts fine, so the problem is somewhere with the privileges for setting supplementary group IDs for the calling process.
I'm using Debian 9.1 with the latest openvpn package from backports:

Code:

root@debian:/home/user# openvpn --version
OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 12 2017
library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

I've edited the default /etc/init.d/openvpn script to start the daemon with the openvpn user and group:

Code:

OPENVPN_USER="openvpn"
OPENVPN_GROUP="openvpn"
...
    start-stop-daemon --start --quiet --oknodo \
        --user $OPENVPN_USER --group $OPENVPN_GROUP \
        --chuid $OPENVPN_USER:$OPENVPN_GROUP \
        --pidfile /run/openvpn/$NAME.pid \
        --exec $DAEMON -- $OPTARGS --writepid /run/openvpn/$NAME.pid \
        $DAEMONARG $STATUSARG --cd $CONFIG_DIR \
        --config $CONFIG_DIR/$NAME.conf || STATUS=1

So am I right that, because I've started the openvpn process as the openvpn user and group with start-stop-daemon, I don't really need the "group openvpn" line in the openvpn config?
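
As an added illustration (my own code, not from the thread and not OpenVPN's source) of why kimifish's log ends in `setgroups('openvpn') failed: Operation not permitted` and why BaN's config starts once `group openvpn` is removed: for a `group` directive OpenVPN calls setgid() and then setgroups() to collapse the supplementary group list to that one gid. setgid() to the process's own real gid is allowed for any user, but setgroups() always requires CAP_SETGID, which a process already running as `openvpn` no longer has. The program below replays those two calls and first reads CapEff from /proc/self/status to show whether CAP_SETGID is held; it assumes Linux with procfs mounted, and the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Bit index of CAP_SETGID in the CapEff bitmask (linux/capability.h defines
 * CAP_SETGID as 6). */
#define CAP_SETGID_BIT 6

/* Scan /proc/self/status for the effective capability set and report whether
 * CAP_SETGID is held: 1 = held, 0 = not held, -1 = /proc/self/status unreadable. */
int has_cap_setgid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    char line[256];
    unsigned long long capeff = 0;
    int found = 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (sscanf(line, "CapEff: %llx", &capeff) == 1) {
            found = 1;
            break;
        }
    }
    fclose(f);
    if (!found)
        return -1;
    return (int)((capeff >> CAP_SETGID_BIT) & 1ULL);
}

/* Inside a user namespace the kernel can refuse setgroups(2) outright even when
 * CAP_SETGID is present; /proc/self/setgroups then reads "deny" (common in
 * rootless containers). Returns 1 if denied, 0 if allowed or the file is absent. */
int setgroups_denied_by_userns(void)
{
    FILE *f = fopen("/proc/self/setgroups", "r");
    if (f == NULL)
        return 0;
    char word[16] = "";
    int n = fscanf(f, "%15s", word);
    fclose(f);
    return n == 1 && strcmp(word, "deny") == 0;
}

/* The same two calls OpenVPN makes for a "group <name>" directive: setgid() to
 * the target gid, then setgroups() to replace the supplementary list with that
 * single gid. Returns 0 on success, otherwise the errno of the failing call;
 * *step names the call that failed ("setgid" or "setgroups"). */
int apply_group_directive(gid_t gid, const char **step)
{
    *step = NULL;
    if (setgid(gid) != 0) {
        *step = "setgid";
        return errno;
    }
    gid_t list[1] = { gid };
    if (setgroups(1, list) != 0) {
        *step = "setgroups";
        return errno;
    }
    return 0;
}

int main(void)
{
    const char *step;
    /* Our own real gid: the situation of "group openvpn" in a process that was
     * already started as openvpn:openvpn by start-stop-daemon. */
    gid_t gid = getgid();
    printf("euid=%u CAP_SETGID=%d userns-setgroups-denied=%d\n",
           (unsigned)geteuid(), has_cap_setgid(), setgroups_denied_by_userns());
    int rc = apply_group_directive(gid, &step);
    if (rc == 0)
        printf("setgid+setgroups to gid %u succeeded\n", (unsigned)gid);
    else
        printf("%s() failed: %s (errno=%d)\n", step, strerror(rc), rc);
    return rc == 0 ? 0 : 1;
}
```

Compile with `cc -o group_probe group_probe.c` and run it once as root and once as the openvpn user: root reports CAP_SETGID=1 and both calls succeed, the unprivileged run reports CAP_SETGID=0 and fails at setgroups() with EPERM, which is the line in the log above. The practical consequence for BaN's setup is that `user`/`group` directives only make sense when openvpn starts as root and drops privileges itself; once start-stop-daemon has already switched to openvpn:openvpn, those directives request a privilege drop that has already happened and cannot be repeated without CAP_SETUID/CAP_SETGID.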
