No OPTIONS IMPORT on one of my two servers

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

tbingen
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 13, 2011 4:14 pm

No OPTIONS IMPORT on one of my two servers

Post by tbingen » Tue Sep 13, 2011 4:33 pm

I run two OpenVPN 2.0.9 servers, one on CentOS, the other on OpenIndiana (OpenSolaris). Both generally work fine EXCEPT that my OpenIndiana-based server does not seem to take into account the remote LAN of its (only) client that has one. I expect to see an "OPTIONS IMPORT: reading client specific options from: ccd/clientname" message when the connection is established with the client, just as it happens with my CentOS-based server. However I only get the "Peer Connection Initiated with 194.nn.nnn.228:50962" message, but no sign of taking into account the route defined in the ccd file of that client; it is almost as if that file was never read; I even changed the configuration file to give the absolute path to the ccd directory (instead of its relative path), but to no avail. The status file is coherent: where I would expect a line such as "192.168.90.0/24,clientname,194.nn.nnn.228:50962,Wed Sep 7 18:41:33 2011", I see nothing on my problematic server.
Everything else works beautifully. I am completely lost... :cry:

Thanks for any help. (If necessary, I can furnish config files, logs, snoops, anything...)

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: No OPTIONS IMPORT on one of my two servers

Post by janjust » Tue Sep 13, 2011 9:20 pm

add

    verb 6

to the server log file, reconnect the client.

Another quick&dirty trick is to add

    ccd-exclusive

to the server config, then reconnect the client - if the right CCD file is not found the client is refused access. That's a sure-fire method for finding out if the CCD file is picked up.

tbingen
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 13, 2011 4:14 pm

Re: No OPTIONS IMPORT on one of my two servers

Post by tbingen » Wed Sep 14, 2011 8:16 am

I included the ccd-exclusive directive (which I did not know) and it made a real difference. I can now see the following in the log:

    TLS Auth Error: --client-config-dir authentication failed for common name 'clientname' file='/etc/csw/openvpn/ccd/clientname'
    [clientname] Peer Connection Initiated with 194.nn.nnn.230:41685
    SENT CONTROL [clientname]: 'AUTH_FAILED' (status=1)

Access from the client is thus denied; but the damn' file seems to exist:

    # ls -l /etc/csw/openvpn/ccd/clientname
    -rw-r--r-- 1 root root 34 2011-09-12 21:41 /etc/csw/openvpn/ccd/clientname

and its contents are simply:

    iroute 192.168.90.0 255.255.255.0

Many thanks for the recipe, Jan, but I am still puzzled.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: No OPTIONS IMPORT on one of my two servers

Post by janjust » Wed Sep 14, 2011 8:46 am

most likely your openvpn server is running non-root, e.g. 'nobody'; check that this user has read+execute rights to the full network path, i.e.

    /etc
    /etc/csw
    /etc/csw/openvpn
    /etc/csw/openvpn/ccd
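A permission walk of the kind Jan describes, as an added example that is not from this thread or from OpenVPN itself: from the mode bits alone it reports the first component of a path that a non-root uid could not search (directory) or read (final file), then rebuilds the thread's layout in a temporary directory to show the failing component before and after the chmod a+rx fix. The temp paths, the simulated uid and the file contents are constructed for the demo; ACLs and root's bypass of mode bits are out of scope.

```python
import os
import shutil
import stat
import tempfile

def _has_bit(st, uid, gids, other_bit):
    # Pick the owner/group/other triplet that applies to uid/gids and test one bit
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)

def first_denied(path, uid, gids, base=os.sep):
    """First element of path (below base) a non-root uid cannot search (dir, x bit)
    or read (final file, r bit), as (element, reason); None if the file is readable."""
    cur = os.path.abspath(base)
    parts = os.path.relpath(os.path.abspath(path), cur).split(os.sep)
    for i, part in enumerate(parts):
        cur = os.path.join(cur, part)
        st = os.stat(cur)
        if i == len(parts) - 1 and not stat.S_ISDIR(st.st_mode):
            if not _has_bit(st, uid, gids, stat.S_IROTH):
                return (cur, "no read permission on file")
        elif not _has_bit(st, uid, gids, stat.S_IXOTH):
            return (cur, "no search (x) permission on directory")
    return None

def demo():
    """Constructed sample: .../etc/csw/openvpn at 0700, everything else world-readable,
    checked for a uid that does not own the tree (what 'nobody' sees on the real box)."""
    base = tempfile.mkdtemp()
    openvpn = os.path.join(base, "etc", "csw", "openvpn")
    ccd_file = os.path.join(openvpn, "ccd", "clientname")
    os.makedirs(os.path.dirname(ccd_file))
    with open(ccd_file, "w") as f:
        f.write("iroute 192.168.90.0 255.255.255.0\n")
    for d in (os.path.join(base, "etc"), os.path.dirname(openvpn),
              os.path.dirname(ccd_file)):
        os.chmod(d, 0o755)                # explicit, so umask cannot interfere
    os.chmod(ccd_file, 0o644)
    os.chmod(openvpn, 0o700)              # the package default that broke it
    nobody = os.getuid() + 1              # any uid that does not own the tree
    try:
        before = first_denied(ccd_file, nobody, set(), base)
        os.chmod(openvpn, 0o755)          # the chmod a+rx fix from the thread
        after = first_denied(ccd_file, nobody, set(), base)
    finally:
        shutil.rmtree(base)
    return before, after
```

On a live server, call first_denied with the ccd file path, the daemon's uid and its group ids (from pwd/grp) and the default base of "/".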

tbingen
OpenVpn Newbie
Posts: 3
Joined: Tue Sep 13, 2011 4:14 pm

Re: No OPTIONS IMPORT on one of my two servers

Post by tbingen » Wed Sep 14, 2011 11:45 am

BINGO ! :D

Yes, the daemon runs as nobody (default), and the /etc/csw/openvpn directory only had read permission for root (package installation default!)

A little chmod a+rx on that directory did the trick.

Thanks A LOT!

P.S. This is worth advertising somewhere...
