I'm using Rocky Linux 8 (with a RedHawk 8.8 overlay) and I've installed the packages needed to run it.
Code:
dnf -y install epel-release
dnf -y install openvpn easy-rsa net-tools
In the desired configuration, we want to run a script when the client connection succeeds, using the "client-connect" parameter.
My OpenVPN server config: /etc/openvpn/server/server.conf
Code:
port 1194
proto tcp
dev tun
mode server
# server as daemon
daemon
# Handle certificates :
# CA Certificate
ca ca.crt
# Server Certificate
cert server.crt
# Server Private key
key server.key
# Diffie-Hellman
dh dh.pem
# Server DHCP range, server will get IP 10.8.0.1
# Use topology subnet or CCD but not combo of them
#push "topology subnet"
server 10.8.0.0 255.255.255.248
# Client config files
client-config-dir /etc/openvpn/ccd
# Max client limit
max-clients 1
# Encryption
cipher AES-256-CBC
tls-version-min 1.3
auth SHA512
auth-nocache
# Keepalive, which triggers the "client-disconnect" hook when the timeout is reached
keepalive 5 10
# Compression
comp-lzo
# Run as root so the hook script can use the "systemctl" command
user root
group root
persist-key
persist-tun
script-security 3
client-connect /etc/openvpn/server/syncho_ntp.sh
# Log & verbosity
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 7
Code (client-connect script /etc/openvpn/server/syncho_ntp.sh):
#!/bin/sh
# Threshold (in seconds) above which the clock is resynchronised
SEUIL=60
# env >> test_dim.log
# chronyd -Q writes its report to stderr, so merge it into the pipeline before picking line 3
delta=$(/usr/sbin/chronyd -Q 'server 10.170.254.2 iburst' 2>&1 | sed -n 3p | sed -nE 's/^.*\s([0-9.]+)\s+seconde?s.*$/\1/p' | cut -d '.' -f1)
echo $(/usr/sbin/chronyd -Q 'server 10.170.254.2 iburst' 2>&1) >> test_dim.log
echo $(id) >> test_dimitri.log
if [ -n "${delta}" ]; then
    # The test still needs refining: the threshold (0 by default) must be compared with the absolute value of $delta
    echo "Seuil Value : ${SEUIL}" >> test_dim.log
    if [ "${delta}" -gt "${SEUIL}" ]; then
        logger -t ytxl.chronyd "System clock wrong by ${delta} seconds"
        # Step the clock once against the NTP server
        chronyd -q 'server 10.170.254.2 iburst' 2>/dev/null
    fi
else
    logger -t ytxl.chronyd "Unable to get a valid NTP server"
fi
Code (client config):
client
dev tun
proto tcp
remote 10.170.254.6 1194
resolv-retry infinite
nobind
persist-key
persist-tun
key-direction 1
tls-version-min 1.3
auth-nocache
compress lzo
verb 3
auth SHA512
ca /etc/openvpn/client/client/ca.crt
cert /etc/openvpn/client/client/client.crt
key /etc/openvpn/client/client/client.key
log-append /var/log/openvpn.log
Code (server log):
WARNING: file 'server.key' is group or others accessible
OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
library versions: OpenSSL 1.1.1k FIPS 25 Mar 2021, LZO 2.08
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Diffie-Hellman initialized with 2048 bit key
ROUTE_GATEWAY X/255.255.240.0 IFACE=eth0 HWADDR=X
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
/sbin/ip route add 10.8.0.0/29 via 10.8.0.2
Could not determine IPv4/IPv6 protocol. Using AF_INET
Socket Buffers: R=[131072->131072] S=[16384->16384]
Listening for incoming TCP connection on [AF_INET][undef]:1194
TCPv4_SERVER link local (bound): [AF_INET][undef]:1194
TCPv4_SERVER link remote: [AF_UNSPEC]
GID set to root
UID set to root
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=10.8.0.4 size=1, ipv6=0
MULTI: TCP INIT maxclients=1 maxevents=5
Initialization Sequence Completed
TCP connection established with [AF_INET]:51465
172.31.0.1:51465 TLS: Initial packet from [AF_INET]:51465, sid=5dc33bc7 05a00d77
172.31.0.1:51465 VERIFY OK: depth=1, CN=server-ca
172.31.0.1:51465 VERIFY OK: depth=0, CN=client
172.31.0.1:51465 peer info: IV_VER=3.git::98bf7f7f
172.31.0.1:51465 peer info: IV_PLAT=win
172.31.0.1:51465 peer info: IV_NCP=2
172.31.0.1:51465 peer info: IV_TCPNL=1
172.31.0.1:51465 peer info: IV_PROTO=30
172.31.0.1:51465 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
172.31.0.1:51465 peer info: IV_LZO=1
172.31.0.1:51465 peer info: IV_AUTO_SESS=1
172.31.0.1:51465 peer info: IV_GUI_VER=OCWindows_3.3.1-2222
172.31.0.1:51465 peer info: IV_SSO=openurl,crtext
172.31.0.1:51465 peer info: IV_BS64DL=1
172.31.0.1:51465 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1604', remote='link-mtu 1588'
172.31.0.1:51465 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
172.31.0.1:51465 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
172.31.0.1:51465 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
172.31.0.1:51465 [client] Peer Connection Initiated with [AF_INET]:51465
client/172.31.0.1:51465 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client
/etc/openvpn/server/syncho_ntp.sh: line 5: /usr/sbin/chronyd: Permission denied
client/172.31.0.1:51465 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_4660766db05e38a616b4ae2c081d5411.tmp
client/172.31.0.1:51465 MULTI: Learn: 10.8.0.2 -> client/:51465
client/172.31.0.1:51465 MULTI: primary virtual IP for client/:51465: 10.8.0.2
client/172.31.0.1:51465 PUSH: Received control message: 'PUSH_REQUEST'
client/172.31.0.1:51465 SENT CONTROL [client]: 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 5,ping-restart 10,ifconfig 10.8.0.2 10.8.0.2,peer-id 0,cipher AES-256-GCM' (status=1)
client/172.31.0.1:51465 Data Channel: using negotiated cipher 'AES-256-GCM'
client/172.31.0.1:51465 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
client/172.31.0.1:51465 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
client/172.31.0.1:51465 Connection reset, restarting [-1]
client/172.31.0.1:51465 SIGUSR1[soft,connection-reset] received, client-instance restarting
Code:
/etc/openvpn/server/syncho_ntp.sh: line 6: /usr/sbin/chronyd: Permission denied
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:openvpn_t:s0
-rwxr-xr-x. 1 root root 805152 Mar 17 2022 /usr/sbin/openvpn
I don't understand why I have an access problem when I'm root.
Code:
/etc/openvpn/server/syncho_ntp.sh: line 5: /usr/sbin/chronyd: Permission denied
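As an added example (not the poster's script), a small POSIX sh routine that does the offset check the hook above is aiming for: it parses the "System clock wrong by" line of a chronyd -Q report (the report text is constructed here, not captured from a real host) and compares the absolute offset with a threshold, so negative offsets and a missing report line are handled.

```shell
#!/bin/sh
# Added example: threshold check on a chronyd -Q report.
# chronyd -Q logs its report to stderr, so a real caller pipes "2>&1" into these functions.

# Constructed sample of chronyd -Q output (timestamps and version string are made up).
SAMPLE_OUTPUT='2024-01-01T00:00:00Z chronyd version 4.1 starting (+CMDMON +NTP +REFCLOCK)
2024-01-01T00:00:02Z Initial frequency 0.000 ppm
2024-01-01T00:00:02Z System clock wrong by -75.312 seconds (ignored)
2024-01-01T00:00:02Z chronyd exiting'

# clock_offset: read a chronyd -Q report on stdin and print the integer part of the
# absolute offset in seconds (sign dropped, fraction truncated), or nothing when the
# "System clock wrong by" line is absent.
clock_offset() {
    sed -nE 's/^.*System clock wrong by (-?)([0-9]+)(\.[0-9]+)? seconds?.*$/\2/p' | head -n 1
}

# offset_exceeds THRESHOLD: read the report on stdin; exit 0 when |offset| > THRESHOLD,
# 1 when the clock is within the threshold, 2 when no offset could be parsed.
offset_exceeds() {
    threshold="$1"
    offset=$(clock_offset)
    [ -n "$offset" ] || return 2
    [ "$offset" -gt "$threshold" ]
}

# Stand-alone demonstration on the constructed report (75 > 60, so this prints).
printf '%s\n' "$SAMPLE_OUTPUT" | offset_exceeds 60 && echo "clock offset exceeds 60 s, resync needed"

# In a hook the same check would read the live report, e.g.:
#   chronyd -Q 'server <ntp-server> iburst' 2>&1 | offset_exceeds 60 && chronyd -q 'server <ntp-server> iburst'
```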