
how to get ifconfig-push from client-connect

Posted: Fri Nov 05, 2010 7:54 am
by burn
I'm running openvpn-2.1.1 on Fedora 13. I have a custom client-connect shell script which is supposed to generate IP addresses for clients. It works OK. But how do I pass the generated IP back to the daemon? The manual says "If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1." So essentially I do

echo "ifconfig-push $server_virtual_ip $client_virtual_ip" > $1
at the end of the script. This results in
/opt/scripts/openvpn/10.client-connect.sh: line 26: openvpn_cc_2d513fe0c128eba25815d8080769e959.tmp: Permission denied
I added 'cd /opt/scripts/openvpn' and chowned this dir to nobody:nobody, but still no go. What else do I do?

local xx.xx.xx.xx
port 33333
proto udp
dev tun
ca /etc/ca/keys/qwerty-ca.crt
cert /etc/ca/keys/qwerty-s.crt
key /etc/ca/keys/qwerty-s.key
dh /etc/ca/keys/dh2048.pem
server 10.10.10.0 255.255.255.0
duplicate-cn
push "redirect-gateway"
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/10.status 120
log-append  /var/log/openvpn/10.log
verb 4
mute 10
no-replay
client-connect /opt/scripts/openvpn/10.client-connect.sh
nice -5
cd /opt/scripts/openvpn

# ll /opt/scripts/ | grep openvpn
drwxr-xr-x 2 nobody nobody 4096 Nov  4 22:16 openvpn

Re: how to get ifconfig-push from client-connect

Posted: Mon Nov 08, 2010 3:32 pm
by burn
Ended up using sudo, for lack of a better option.

Re: how to get ifconfig-push from client-connect

Posted: Thu Nov 11, 2010 5:32 pm
by burn
OK, that's no good either. /etc/openvpn/ gets flooded with "openvpn_cc_xxxxxxxxxxxxxxxxxx.tmp" files, which it cannot delete. Does anyone at all successfully use the 'client-connect' option?

Re: how to get ifconfig-push from client-connect

Posted: Tue Nov 16, 2010 11:53 am
by dazo
If you are sure the permissions are correct on the directory, I'm guessing this is related to SELinux - especially if you are starting the daemon via the 'service' command or /etc/init.d script.

You can check the status by running the command 'getenforce'. If that returns 'Enforcing', you most likely have SELinux issues. If it returns 'Permissive' or 'Disabled', it is something else.

If SELinux is set to 'Enforcing', try temporarily switching to 'Permissive' by doing 'setenforce 0'. Verify with 'getenforce' that it is not 'Enforcing'. Now try to run OpenVPN and see how it behaves. If it works now, you know for sure it is SELinux which denies this access. I suggest that you do not consider running in 'Permissive' or disabling SELinux as a solution. Rather, try to let SELinux allow OpenVPN to write these files. So do a 'setenforce 1' now, to move back to 'Enforcing'.

I'd suggest you use /var/lib/openvpn for this stuff. Give the --user and --group you define in the config the ownership of this directory as well. Then the tricky part. OpenVPN runs in a SELinux domain called openvpn_t. This domain should have read/write access to files with a SELinux type called openvpn_tmp_t. This should be used by OpenVPN for such stuff. To check if this is the right solution, do this:

   [root@host: ~] mkdir -m 770 -p /var/lib/openvpn
   [root@host: ~] chown openvpn:openvpn /var/lib/openvpn
   [root@host: ~] chcon -t openvpn_tmp_t /var/lib/openvpn
Now modify your config file to use /var/lib/openvpn for these temp files and see how it works. If this solves it, then you should write a little OpenVPN SELinux module so that the /var/lib/openvpn directory keeps the proper SELinux context, even when the filesystem is relabelled (using the 'restorecon' command).


Update: Please note that this is very Fedora/RHEL/CentOS specific. The security context OpenVPN runs under, and which SELinux types are available, may differ in other distributions.

Re: how to get ifconfig-push from client-connect

Posted: Tue Nov 16, 2010 6:13 pm
by burn
Nah, I already figured it out. I never use SELinux, it just complicates everything. The thing is that the openvpn init.d script for Fedora includes "--cd $work", where $work is /etc/openvpn, and that command line parameter overrides the value in the config. So what one needs to do to get it to work is

chmod 0775 /etc/openvpn
chown root:nobody /etc/openvpn
or whatever your openvpn user is.
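Putting the thread together: the client-connect hook receives the temp file name in $1, and OpenVPN creates that file relative to its working directory (the --cd value, which on Fedora the init script forces to /etc/openvpn), after it has dropped to --user/--group. The script below is an added example, not the original poster's script, showing a hook that checks that directory is writable before writing the ifconfig-push line, so a wrong --cd/--user combination produces a clear message instead of the bare "Permission denied" from the shell. It assumes the posted config's 10.10.10.0/24 subnet, the net30 topology that is the default in 2.1 (each client gets a /30: client address is base+2, server endpoint base+1), and the $common_name variable OpenVPN exports to client-connect scripts; the CN-to-slot mapping via cksum is a constructed placeholder, not a recommended allocator (collisions are possible, and with duplicate-cn a real deployment would keep its own table).

```shell
#!/bin/sh
# Added example, not the script from the forum post.
# Client-connect hook that writes "ifconfig-push <client-ip> <server-endpoint>"
# into the dynamic config file OpenVPN names in $1.
# Assumptions: server 10.10.10.0/24 (from the posted config), topology net30
# (the 2.1 default), and $common_name exported by OpenVPN to the hook.

SUBNET_PREFIX="10.10.10"   # /24 from "server 10.10.10.0 255.255.255.0"
MAX_SLOT=62                # /30 pairs 1..62 stay below .250 inside the /24

# Map a CN to a slot 1..MAX_SLOT. Constructed placeholder: deterministic but
# collision-prone; a real deployment would keep a CN -> slot table.
slot_for_cn() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % MAX_SLOT + 1 ))
}

# net30 addressing: slot n uses the /30 at n*4; client is base+2, server base+1.
client_ip_for_slot() { echo "$SUBNET_PREFIX.$(( $1 * 4 + 2 ))"; }
server_ip_for_slot() { echo "$SUBNET_PREFIX.$(( $1 * 4 + 1 ))"; }

# The line OpenVPN expects in the dynamic config file.
ifconfig_push_line() {
    slot=$(slot_for_cn "$1")
    echo "ifconfig-push $(client_ip_for_slot "$slot") $(server_ip_for_slot "$slot")"
}

# Write the dynamic config. $1 is the path OpenVPN passed in (relative, so it
# lands in the daemon's --cd directory); $2 is the client's CN. The directory
# must be writable by the --user/--group the daemon dropped to, which is the
# failure the thread ran into. Returns 1 with a diagnostic instead of the
# shell's bare "Permission denied".
write_dynamic_config() {
    target=$1; cn=$2
    dir=$(dirname "$target")
    if [ ! -w "$dir" ]; then
        echo "client-connect: $(id -un) cannot write to $dir (check --cd, --user, --group)" >&2
        return 1
    fi
    ifconfig_push_line "$cn" > "$target" || return 1
    return 0
}

# Act as a hook only when OpenVPN invoked us (it passes the temp file in $1
# and exports common_name); otherwise the functions are just defined.
if [ -n "${1:-}" ] && [ -n "${common_name:-}" ]; then
    write_dynamic_config "$1" "$common_name" || exit 1
fi
```

If the hook exits non-zero, OpenVPN rejects the client, so the diagnostic on stderr (which ends up in the daemon's log with the posted log-append setting) is what tells you to fix the directory permissions rather than the script.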