Permission denied on server config file

addw
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 12, 2017 8:37 am

Permission denied on server config file

Post by addw » Mon Mar 28, 2022 9:58 pm

openvpn running nicely since Nov 2020. Installed CentOS 8, updated to Rocky Linux Nov 2021.
Updated to openvpn 2.4.11-1.el8 today - when I first saw this problem. Config not changed other than verb set to 5.

Connecting from a Debian 10 system (but I see the same with others). Log lines below (date/time removed), server is bm2020.phcomp.co.uk:

    bm2020.phcomp.co.uk openvpn[440836]: WRR78.32.209.33:45802 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
    bm2020.phcomp.co.uk openvpn[440836]: 78.32.209.33:45802 [freshmint.phcomp.co.uk] Peer Connection Initiated with [AF_INET]78.32.209.33:45802
    bm2020.phcomp.co.uk openvpn[440836]: freshmint.phcomp.co.uk/78.32.209.33:45802 Could not access file 'vpn-server-ServerClients/freshmint.phcomp.co.uk': Permission denied (errno=13)
    bm2020.phcomp.co.uk openvpn[440836]: freshmint.phcomp.co.uk/78.32.209.33:45802 Could not access file 'vpn-server-ServerClients/DEFAULT': Permission denied (errno=13)

Config file:

    local 46.43.0.112
    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert bm2020.phcomp.co.uk.crt
    key bm2020.phcomp.co.uk.key
    dh dh2048.pem
    tls-auth ta.key 0
    server 10.200.201.0 255.255.255.0
    reneg-sec 600
    tran-window 300
    keepalive 100 300
    ifconfig-pool-persist External-ipp.txt
    status openvpn-status.log
    comp-lzo
    cipher AES-256-CBC
    user nobody
    group nobody
    persist-key
    persist-tun
    verb 5
    client-config-dir vpn-server-ServerClients
    push "route 10.200.201.0 255.255.255.0 10.200.201.1"

vpn-server-ServerClients/freshmint.phcomp.co.uk contains:

    ifconfig-push 10.200.201.8 10.200.201.1

The file vpn-server-ServerClients/freshmint.phcomp.co.uk is mode 644, directory 755. I have switched selinux off.

The VPN does get set up but the clients have the wrong VPN addresses so ifconfig-push is not being seen.

This all worked until the new version of openvpn today.

What has gone wrong?

Thanks in advance.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Permission denied on server config file

Post by TinCanTech » Tue Mar 29, 2022 12:18 am

addw wrote (Mon Mar 28, 2022 9:58 pm):
> What has gone wrong?

Remove this:

addw wrote (Mon Mar 28, 2022 9:58 pm):
>     user nobody
>     group nobody

:geek:

Re: Permission denied on server config file

Post by addw » Tue Mar 29, 2022 12:21 am

Well, I have fixed it but am not 100% happy that I understand why it failed.

Strace tells me that the error comes from:

    openat(AT_FDCWD, "vpn-server-ServerClients/freshmint.phcomp.co.uk", O_RDONLY) = -1 EACCES (Permission denied)

The server CWD is /etc/openvpn/server. The client config files are in /etc/openvpn/vpn-server-ServerClients/

/etc/openvpn/server/vpn-server-ServerClients is a symlink to ../vpn-server-ServerClients (i.e. to /etc/openvpn/vpn-server-ServerClients/), which is where freshmint.phcomp.co.uk exists.

If I replace the client-config-dir config line by

    client-config-dir ../vpn-server-ServerClients

it still fails, but if I replace it by

    client-config-dir /etc/openvpn/vpn-server-ServerClients

it works. So following .. fails - for a reason that I cannot fathom.

Anyone any idea?

Re: Permission denied on server config file

Post by addw » Tue Mar 29, 2022 12:39 am

Thanks for your comment, TinCanTech. The problem was that the RPM update changed the mode of /etc/openvpn/server/ from 755 to 750.
Resetting that fixed the problem.
But it would just break again the next time that an updating RPM comes in - so I have taken your advice and removed the user & group directives & undone my chmod fix.
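An added example, not part of the thread and not OpenVPN code: Python that replays the kernel's mode-bit check for the three `client-config-dir` values tried above, as seen by a process that has dropped to an unprivileged user with the server directory as its CWD. The temp-dir tree, `allowed`, `first_denied`, `build_demo` and the stand-in uid are constructed for illustration, and the unprivileged user is assumed to fall into the "other" permission class on `/etc/openvpn/server` (the thread does not give its owner or group).

```python
import os
import tempfile

def allowed(st, uid, gids, bit):
    """Classic mode-bit check (no ACLs/capabilities); bit 4 = read, 1 = search."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return uid == 0 or bool((st.st_mode >> shift) & bit)

def first_denied(root, cwd, path, uid, gids=frozenset()):
    """Resolve `path` as a process with this uid/gids and cwd would. Returns the first
    directory or file (shown relative to `root`) that refuses access, else None."""
    where = lambda p: "/" + os.path.relpath(p, root)
    cur = root if path.startswith("/") else os.path.join(root, cwd.strip("/"))
    parts = [p for p in path.split("/") if p]
    for _ in range(256):                       # bounds symlink loops
        if not parts:                          # reached the file: opening it needs read
            return None if allowed(os.stat(cur), uid, gids, 4) else where(cur)
        if not allowed(os.stat(cur), uid, gids, 1):
            return where(cur)                  # a lookup needs search (x), even in the cwd
        nxt = os.path.normpath(os.path.join(cur, parts.pop(0)))
        if os.path.islink(nxt):                # splice the link target into the path
            target = os.readlink(nxt)
            parts = [p for p in target.split("/") if p] + parts
            cur = root if target.startswith("/") else cur
        else:
            cur = nxt if nxt.startswith(root) else root   # ".." cannot climb above root
    raise OSError("symlink loop or path too long")

def build_demo(server_mode):
    """Constructed stand-in for the thread's /etc/openvpn tree, under a temp dir."""
    root = tempfile.mkdtemp()
    ccd = os.path.join(root, "etc/openvpn/vpn-server-ServerClients")
    srv = os.path.join(root, "etc/openvpn/server")
    os.makedirs(ccd)
    os.makedirs(srv)
    with open(os.path.join(ccd, "freshmint.phcomp.co.uk"), "w") as f:
        f.write("ifconfig-push 10.200.201.8 10.200.201.1\n")
    os.symlink("../vpn-server-ServerClients", os.path.join(srv, "vpn-server-ServerClients"))
    for d, _, files in os.walk(root):          # modes from the post: dirs 755, file 644
        os.chmod(d, 0o755)
        for name in files:
            os.chmod(os.path.join(d, name), 0o644)
    os.chmod(srv, server_mode)                 # 0o750 after the RPM update, 0o755 before
    return root

if __name__ == "__main__":
    root = build_demo(0o750)
    other = os.stat(root).st_uid + 1           # stand-in for "nobody": not the owner, no groups
    for ccd in ("vpn-server-ServerClients", "../vpn-server-ServerClients", "/etc/openvpn/vpn-server-ServerClients"):
        print(ccd, "->", first_denied(root, "/etc/openvpn/server", ccd + "/freshmint.phcomp.co.uk", other))
```

Passing `root="/"` and a real uid and group set runs the same walk against a live system's mode bits; it does not switch users and does not model SELinux or ACLs.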

Re: Permission denied on server config file

Post by TinCanTech » Tue Mar 29, 2022 2:30 am

Take a look at what --user and --group do when you use them with OpenVPN. See the manual.
