client-connect script permissions fail in chroot

br_ds
OpenVpn Newbie
Posts: 1
Joined: Fri Mar 09, 2018 6:16 pm

client-connect script permissions fail in chroot

Post by br_ds » Fri Mar 09, 2018 6:38 pm

I am running an AWS instance with the official Access Server AMI, version 2.1.9.

In the "Advanced VPN", "Additional VPN Config Directives", "Server" box, I have the following:

Code:

cipher AES-128-CBC
script-security 2
client-connect "/home/openvpn_as/client_connect.sh"

I get the following error:

Code:

OVPN 1 OUT: "Options error: --client-connect script fails with '/run/openvpn_as//home/openvpn_as/client_connect.sh': No such file or directory"

So then I just move the script into /run/openvpn_as and update the config:

Code:

client-connect "/scripts/client_connect.sh"

But now I get a permissions error:

Code:

OVPN 1 OUT: "Options error: --client-connect script fails with '/run/openvpn_as/scripts/client_connect.sh': Permission denied"

So I see that the server is running as "openvpn", not "openvpn_as", so I change the user, but I still get a permission denied error. I'm assuming this is because openvpn does not have access to the higher-level directory:

Code:

root@openvpnas2:/run/openvpn_as# ls -l .
total 0
drwx------ 2 openvpn_as openvpn_as 100 Mar  9 08:34 dev
drwx------ 2 openvpn_as openvpn_as  40 Mar  9 09:21 memstats
drwx------ 2 openvpn_as openvpn_as  40 Mar  9 08:34 pso
drwx------ 2 openvpn    openvpn     60 Mar  9 09:30 scripts
drwx------ 2 openvpn_as openvpn_as  40 Mar  9 08:34 tmp
root@openvpnas2:/run/openvpn_as# ls -lR scripts/
scripts/:
total 4
-rwx------ 1 openvpn openvpn 380 Mar  9 09:30 client_connect.sh

Full log from trying to start the server:

Code:

2018-03-09 11:25:05-0700 [HTTPChannel,397,] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:10-0700 [HTTPChannel,404,] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:18-0700 [HTTPChannel,413,] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:19-0700 [HTTPChannel,427,] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:20-0700 [HTTPChannel,438,] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:20-0700 [-] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:20-0700 [-] <class 'pyovpn.omi.omiauth.OMIServerAuthFactory'> starting on "u'/usr/local/openvpn_as/etc/sock/omisock-NzdgfArUtV08'"
2018-03-09 11:25:20-0700 [-] OVPN 0 OUT: 'Fri Mar  9 11:25:20 2018 DEPRECATED OPTION: --no-name-remapping, please update your configuration'
2018-03-09 11:25:20-0700 [-] OVPN 0 OUT: "Options error: --client-connect script fails with '/run/openvpn_as/scripts/client_connect.sh': Permission denied"
2018-03-09 11:25:20-0700 [-] OVPN 0 ERR: 'Options error: Please correct this error.'
2018-03-09 11:25:20-0700 [-] OVPN 0 OUT: 'Use --help for more information.'
2018-03-09 11:25:20-0700 [-] (Port None Closed)
2018-03-09 11:25:20-0700 [-] License Info {'apc': True, 'concurrent_connections': 5}
2018-03-09 11:25:20-0700 [-] <class 'pyovpn.omi.omiauth.OMIServerAuthFactory'> starting on "u'/usr/local/openvpn_as/etc/sock/omisock-XzDhrdHC5rBY'"
2018-03-09 11:25:20-0700 [-] OVPN 1 OUT: 'Fri Mar  9 11:25:20 2018 DEPRECATED OPTION: --no-name-remapping, please update your configuration'
2018-03-09 11:25:20-0700 [-] OVPN 1 OUT: "Options error: --client-connect script fails with '/run/openvpn_as/scripts/client_connect.sh': Permission denied"
2018-03-09 11:25:20-0700 [-] OVPN 1 ERR: 'Options error: Please correct this error.'
2018-03-09 11:25:20-0700 [-] OVPN 1 OUT: 'Use --help for more information.'

So what am I doing wrong? How is this supposed to work with Access Server and the chroot?
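The two errors in the post come from two different checks: the first is a path that does not exist once the daemon's chroot prefix is prepended, the second is a permission walk in which every parent directory must grant search (x) to the daemon's user before the script's own x bit even matters. The following is an added diagnostic example, not code from br_ds's post or from Access Server itself. It emulates that POSIX walk over a constructed in-memory model of the listing in the post; the mode of /run/openvpn_as itself is not shown in the listing and is assumed here to be 0700 owned by openvpn_as, and the chroot root is assumed to be /run/openvpn_as, which is inferred from the doubled prefix in the first error message. It checks only classic owner/group/other bits (no ACLs or capabilities) and says nothing about whether Access Server honours client-connect at all.

```python
"""Emulate the POSIX permission walk that decides whether a user can reach
and execute a script: every parent directory must grant search (x) to the
user, and the final file must grant execute (x).  The filesystem below is a
constructed in-memory model, not a real stat() of any host."""
import posixpath
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Entry:
    owner: str
    group: str
    mode: int       # permission bits only, e.g. 0o700
    is_dir: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]   # primary plus supplementary group names
    is_root: bool = False


def has_exec(entry: Entry, user: User) -> bool:
    """Pick the owner, group or other class for `user` and test its x bit.
    root always passes directory search; for a plain file it needs any x bit."""
    if user.is_root:
        return entry.is_dir or bool(entry.mode & 0o111)
    if entry.owner == user.name:
        return bool(entry.mode & 0o100)
    if entry.group in user.groups:
        return bool(entry.mode & 0o010)
    return bool(entry.mode & 0o001)


def chroot_view(chroot: str, path: str) -> str:
    """Host-side path that a process confined to `chroot` sees as `path`.
    This is the doubled-prefix form of the first error in the post."""
    return posixpath.normpath(posixpath.join(chroot, path.lstrip("/")))


def first_failure(tree: Dict[str, Entry], path: str, user: User) -> Optional[str]:
    """Return 'prefix: reason' for the first path component that blocks `user`,
    or None when the whole path is reachable and the final entry is executable."""
    path = posixpath.normpath(path)
    prefixes = ["/"]
    cur = ""
    for part in [p for p in path.split("/") if p]:
        cur += "/" + part
        prefixes.append(cur)
    for prefix in prefixes:
        entry = tree.get(prefix)
        if entry is None:
            return f"{prefix}: No such file or directory"
        if not has_exec(entry, user):
            return f"{prefix}: Permission denied"
    return None


# Constructed model of the `ls -l` output in the post.  The mode of
# /run/openvpn_as itself is NOT shown there; 0o700 owned by openvpn_as is
# an assumption made for this example.
TREE: Dict[str, Entry] = {
    "/": Entry("root", "root", 0o755, True),
    "/run": Entry("root", "root", 0o755, True),
    "/run/openvpn_as": Entry("openvpn_as", "openvpn_as", 0o700, True),      # assumed
    "/run/openvpn_as/scripts": Entry("openvpn", "openvpn", 0o700, True),    # from ls -l
    "/run/openvpn_as/scripts/client_connect.sh": Entry("openvpn", "openvpn", 0o700, False),
}

OPENVPN = User("openvpn", frozenset({"openvpn"}))
OPENVPN_AS = User("openvpn_as", frozenset({"openvpn_as"}))
ROOT = User("root", frozenset({"root"}), is_root=True)

if __name__ == "__main__":
    script = "/run/openvpn_as/scripts/client_connect.sh"
    for user in (OPENVPN, OPENVPN_AS, ROOT):
        verdict = first_failure(TREE, script, user) or "reachable and executable"
        print(f"{user.name:11} {verdict}")
    # The original config pointed at /home/openvpn_as/...; inside a chroot
    # at /run/openvpn_as (assumed) that resolves to a host path that is absent.
    host_path = chroot_view("/run/openvpn_as", "/home/openvpn_as/client_connect.sh")
    print(f"{host_path} -> {first_failure(TREE, host_path, ROOT)}")
```

Under the assumed mode, the walk shows why changing the script's owner alone does not help: as openvpn the walk stops at /run/openvpn_as, and as openvpn_as it stops at scripts/, so no single user satisfies every component. On a real host, replace the constructed TREE with actual `stat` results (and check ACLs separately) before drawing conclusions.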

novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: client-connect script permissions fail in chroot

Post by novaflash » Fri Mar 09, 2018 8:48 pm

Pretty damn sure you cannot use this function on Access Server, sorry.

Try investigating post_auth instead.
https://docs.openvpn.net/configuration/ ... -examples/
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
