CentOS - CCD Directory not being found i think.....

chrismcv
OpenVpn Newbie
Posts: 18
Joined: Mon Mar 14, 2011 6:05 pm

CentOS - CCD Directory not being found i think.....

Post by chrismcv » Thu Mar 24, 2011 3:36 pm

Hi,
I'm having a problem with my server config for ccd.....

The error message I receive trying to connect is.....
TLS Auth Error: --client-config-dir authentication failed for common name '14640' file='/var/bz/ovpn/server/ccd/14640'


However, everything seems fine:

Code:

[root@x5-vpn1 openvpn]# ls -alh /var/bz/ovpn/server/ccd/14640
-rw-r--r-- 1 root root 40 Mar 24 14:59 /var/bz/ovpn/server/ccd/14640

Code:

[root@x5-vpn1 openvpn]# cat /var/bz/ovpn/server/ccd/14640
ifconfig-push 10.90.17.110 10.90.17.109

I've tried chroot, but this doesn't seem to have helped - has just affected the path in the error message....

Some other diagnostics:

Code:

[root@x5-vpn1 openvpn]# openvpn --version
OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec  2 2010
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>

Code:

[root@x5-vpn1 openvpn]# uname -a
Linux x5-vpn1 2.6.18-194.el5xen #1 SMP Fri Apr 2 15:34:40 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux

Code:

[root@x5-vpn1 openvpn]# cat openvpn.conf
#################################################
# OpenVPN 2.0 config for multi-client server.   #
# Comments are preceded with '#' or ';'         #
#################################################

# listen on? (optional)
;local a.b.c.d
port 1194
proto udp
dev tun
ca /var/bz/ovpn/server/ca.crt
cert /var/bz/ovpn/server/bluezinc.crt
key /var/bz/ovpn/server/bluezinc.key  # This file should be kept secret
dh /var/bz/ovpn/server/dh1024.pem
client-config-dir /var/bz/ovpn/server/ccd
ccd-exclusive
server 10.90.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
push "route 10.10.0.0 255.255.0.0"
keepalive 10 120
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
script-security 2
log openvpn.log
verb 3

Code:

[root@x5-vpn1 openvpn]# ps -aux | grep openvpn
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
nobody     385  0.0  0.2  41620  2348 ?        Ss   15:19   0:00 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --config openvpn.conf --cd /etc/openvpn

Many thanks,
Chris

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: CentOS - CCD Directory not being found i think.....

Post by janjust » Thu Mar 24, 2011 3:50 pm

Is the full directory path accessible to the user 'nobody'? Do a

Code:

ls -ald /var
ls -ald /var/bz
ls -ald /var/bz/ovpn
ls -ald /var/bz/ovpn/server
ls -ald /var/bz/ovpn/server/ccd

and verify that each directory is readable and executable for the user 'nobody'.
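
The check janjust describes, automated as an added example (not part of the original post and not OpenVPN code): it walks from / down to the ccd file and names the first component the unprivileged account cannot pass. `class_bits` and `first_blocker` are hypothetical helper names; the script assumes the daemon opens the ccd file as the account named by `user`, and it evaluates classic mode bits only.

```python
import os
import stat
import sys

def class_bits(st, uid, gids):
    """(read, search) bits of the one permission class that applies to uid/gids."""
    if uid == st.st_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r), bool(st.st_mode & x)

def first_blocker(target, uid, gids, start="/"):
    """Walk start -> target. Return (path, reason) for the first component an
    unprivileged account cannot pass, or None if the file can be opened.
    Mode bits only: ACLs, SELinux and --chroot are not modelled."""
    start, target = os.path.abspath(start), os.path.abspath(target)
    rel = os.path.relpath(target, start)
    chain = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for path in chain:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return (path, "missing")
        readable, searchable = class_bits(st, uid, gids)
        if path != target and not searchable:
            # Opening a known file name needs only x on each directory;
            # the r+x check from the post is a stricter superset.
            return (path, "no search (x) permission")
        if path == target and not readable:
            return (path, "no read permission")
    return None

if __name__ == "__main__":
    import grp
    import pwd
    # Defaults are the account and ccd file named in this thread.
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/bz/ovpn/server/ccd/14640"
    pw = pwd.getpwnam(user)
    # Assumption: group membership is taken from the account database.
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    print(first_blocker(path, pw.pw_uid, gids) or "reachable and readable")
```

Run it as root so that every component can be stat'ed; a result of "reachable and readable" rules out plain mode bits and points at ACLs, SELinux or the chroot layout instead.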

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: CentOS - CCD Directory not being found i think.....

Post by gladiatr72 » Thu Mar 24, 2011 4:01 pm

You're probably bumping up against selinux. I imagine the openvpn package is given permission to access files only within its own config directory (or maybe /etc... I don't know)

from your CLI:

# sestatus

You're probably going to see something like this:

Code:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

I'm not an selinux guru, and I tend to run my cent systems in "permissive" mode which keeps all the filesystem tags current and in-place in case I get the bug up my ass to educate myself on the subject.

To put your system into permissive mode, use: /usr/sbin/setenforce 0

To adjust it so it's not re-enabled on boot, edit /etc/sysconfig/selinux and set the SELINUX variable to "permissive"

[..]I used to think it was awful that life was so unfair. [...]Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole

chrismcv
OpenVpn Newbie
Posts: 18
Joined: Mon Mar 14, 2011 6:05 pm

Re: CentOS - CCD Directory not being found i think.....

Post by chrismcv » Thu Mar 24, 2011 4:50 pm

@janjust

Code:

[root@x5-vpn1 openvpn]# ls -ald /var
drwxr-xr-x 24 root root 4096 Mar  1 15:54 /var
[root@x5-vpn1 openvpn]# ls -ald /var/bz
drwxr-xr-x 4 root root 4096 Mar 24 09:48 /var/bz
[root@x5-vpn1 openvpn]# ls -ald /var/bz/ovpn
drwxr-xr-x 3 root root 4096 Mar 24 09:51 /var/bz/ovpn
[root@x5-vpn1 openvpn]# ls -ald /var/bz/ovpn/server
drwxr-xr-x 3 root root 4096 Mar 24 14:59 /var/bz/ovpn/server

@gladiatr72

Code:

[root@x5-vpn1 openvpn]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted

So it was already set to permissive. I also disabled SELinux to the same result.

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: CentOS - CCD Directory not being found i think.....

Post by gladiatr72 » Thu Mar 24, 2011 7:13 pm

Hrm. Try removing the user/group and running it as root.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: CentOS - CCD Directory not being found i think.....

Post by janjust » Thu Mar 24, 2011 11:06 pm

The rude way of disabling 'selinux' is to reboot the box using the kernel commandline parameter

Code:

selinux=0

Personally I always permanently disable selinux as I keep getting bitten by it left and right.

Douglas
Forum Team
Posts: 285
Joined: Wed Aug 27, 2008 2:41 am

Re: CentOS - CCD Directory not being found i think.....

Post by Douglas » Fri Mar 25, 2011 12:31 am

janjust wrote: The rude way of disabling 'selinux' is to reboot the box using the kernel commandline parameter

Code:

selinux=0

Personally I always permanently disable selinux as I keep getting bitten by it left and right.

You can 'setenforce 0' for a temporary disable, and set SELINUX=disabled in /etc/selinux/config as well for permanent.
