[Solved] Run route-up/down scripts as specific user

jogo
OpenVpn Newbie
Posts: 4
Joined: Sat Oct 13, 2018 9:58 am

[Solved] Run route-up/down scripts as specific user

Post by jogo » Sat Oct 13, 2018 10:11 am

Hi,

I've got openvpn working mostly fine on a pi running Raspbian but I've got some issues when the route-up/down scripts are run as root. I'm looking to run my route-up and down scripts as a specific user instead, is this possible?

The issue I'm having is that when the scripts run I keep getting issues with user limits, e.g:
unable to execute [process]: Resource temporarily unavailable

I've tried to increase the process limit for all users, as this looks like the issue below but it doesn't seem to have any effect. If anyone has any ideas how to increase these limits too I'm open to that option instead, although I've tried a few things.

Changing my route-up script to:

Code:

#!/bin/sh
id
ulimit -a

Will log the following:

uid=0(root) gid=0(root) groups=0(root)
time(seconds) unlimited
file(blocks) unlimited
data(kbytes) unlimited
stack(kbytes) 8192
coredump(blocks) 0
memory(kbytes) unlimited
locked memory(kbytes) 64
process 10
nofiles 1048576
vmemory(kbytes) unlimited
locks unlimited
rtprio 0

Thanks

jogo
OpenVpn Newbie
Posts: 4
Joined: Sat Oct 13, 2018 9:58 am

Re: Run route-up/down scripts as specific user

Post by jogo » Thu Nov 01, 2018 12:37 pm

Bump. Any ideas on this would be really appreciated. I'm really stumped and haven't been able to get past this issue.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Run route-up/down scripts as specific user

Post by TinCanTech » Thu Nov 01, 2018 12:39 pm


jogo
OpenVpn Newbie
Posts: 4
Joined: Sat Oct 13, 2018 9:58 am

Re: Run route-up/down scripts as specific user

Post by jogo » Sun Nov 11, 2018 10:54 am

Thanks for replying, I've included all of the info below.

OS:

Code:

Linux pi2 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l GNU/Linux

Network setup:

Code:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.15  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::8399:77d9:ca9:d3db  prefixlen 64  scopeid 0x20<link>
        inet6 fdaa:bbcc:ddee:0:b0e2:3840:385d:e90b  prefixlen 64  scopeid 0x0<global>
        ether b8:27:eb:c9:bc:78  txqueuelen 1000  (Ethernet)
        RX packets 3857  bytes 438699 (428.4 KiB)
        RX errors 0  dropped 45  overruns 0  frame 0
        TX packets 1865  bytes 434806 (424.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 96  bytes 10120 (9.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 96  bytes 10120 (9.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Client config:

Code:

client
auth-user-pass /etc/openvpn/userpass.data
management 127.0.0.1 5001
management-log-cache 50
dev tun
proto udp
#user pi
comp-lzo
fast-io
script-security 2
#mtu-disc yes
verb 4
#mute 5
cipher bf-cbc
auth sha1
tun-mtu 1500
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
log-append /var/log/vpn.log
ca /etc/openvpn/ca.crt
status-version 3
status status
daemon
route-up /etc/openvpn/route-up.sh
down-pre
down /etc/openvpn/down.sh
remote x.x.x.x [port]

Log:

Code:

Sat Nov 10 12:25:05 2018 us=502734 Current Parameter Settings:
Sat Nov 10 12:25:05 2018 us=502928   config = '/etc/openvpn/client.conf'
Sat Nov 10 12:25:05 2018 us=502971   mode = 0
Sat Nov 10 12:25:05 2018 us=503014   persist_config = DISABLED
Sat Nov 10 12:25:05 2018 us=503047   persist_mode = 1
Sat Nov 10 12:25:05 2018 us=503089   show_ciphers = DISABLED
Sat Nov 10 12:25:05 2018 us=503121   show_digests = DISABLED
Sat Nov 10 12:25:05 2018 us=503152   show_engines = DISABLED
Sat Nov 10 12:25:05 2018 us=503185   genkey = DISABLED
Sat Nov 10 12:25:05 2018 us=503218   key_pass_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=503253   show_tls_ciphers = DISABLED
Sat Nov 10 12:25:05 2018 us=503286   connect_retry_max = 0
Sat Nov 10 12:25:05 2018 us=503322 Connection profiles [0]:
Sat Nov 10 12:25:05 2018 us=503355   proto = udp
Sat Nov 10 12:25:05 2018 us=503391   local = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=503424   local_port = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=503457   remote = '[ my server name ]'
Sat Nov 10 12:25:05 2018 us=503489   remote_port = '[ portno ]'
Sat Nov 10 12:25:05 2018 us=503528   remote_float = DISABLED
Sat Nov 10 12:25:05 2018 us=503579   bind_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=503627   bind_local = DISABLED
Sat Nov 10 12:25:05 2018 us=503676   bind_ipv6_only = DISABLED
Sat Nov 10 12:25:05 2018 us=503711   connect_retry_seconds = 5
Sat Nov 10 12:25:05 2018 us=503742   connect_timeout = 120
Sat Nov 10 12:25:05 2018 us=503778   socks_proxy_server = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=503828   socks_proxy_port = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=503866   tun_mtu = 1500
Sat Nov 10 12:25:05 2018 us=503908   tun_mtu_defined = ENABLED
Sat Nov 10 12:25:05 2018 us=503951   link_mtu = 1500
Sat Nov 10 12:25:05 2018 us=503983   link_mtu_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=504015   tun_mtu_extra = 0
Sat Nov 10 12:25:05 2018 us=504047   tun_mtu_extra_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=504080   mtu_discover_type = -1
Sat Nov 10 12:25:05 2018 us=504112   fragment = 0
Sat Nov 10 12:25:05 2018 us=504144   mssfix = 1450
Sat Nov 10 12:25:05 2018 us=504183   explicit_exit_notification = 0
Sat Nov 10 12:25:05 2018 us=504216 Connection profiles END
Sat Nov 10 12:25:05 2018 us=504248   remote_random = DISABLED
Sat Nov 10 12:25:05 2018 us=504280   ipchange = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504312   dev = 'tun'
Sat Nov 10 12:25:05 2018 us=504344   dev_type = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504375   dev_node = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504407   lladdr = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504440   topology = 1
Sat Nov 10 12:25:05 2018 us=504472   ifconfig_local = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504505   ifconfig_remote_netmask = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504537   ifconfig_noexec = DISABLED
Sat Nov 10 12:25:05 2018 us=504570   ifconfig_nowarn = DISABLED
Sat Nov 10 12:25:05 2018 us=504605   ifconfig_ipv6_local = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504638   ifconfig_ipv6_netbits = 0
Sat Nov 10 12:25:05 2018 us=504676   ifconfig_ipv6_remote = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=504722   shaper = 0
Sat Nov 10 12:25:05 2018 us=504765   mtu_test = 0
Sat Nov 10 12:25:05 2018 us=504815   mlock = DISABLED
Sat Nov 10 12:25:05 2018 us=504848   keepalive_ping = 0
Sat Nov 10 12:25:05 2018 us=504893   keepalive_timeout = 0
Sat Nov 10 12:25:05 2018 us=504936   inactivity_timeout = 0
Sat Nov 10 12:25:05 2018 us=504969   ping_send_timeout = 0
Sat Nov 10 12:25:05 2018 us=505002   ping_rec_timeout = 0
Sat Nov 10 12:25:05 2018 us=505034   ping_rec_timeout_action = 0
Sat Nov 10 12:25:05 2018 us=505067   ping_timer_remote = DISABLED
Sat Nov 10 12:25:05 2018 us=505099   remap_sigusr1 = 0
Sat Nov 10 12:25:05 2018 us=505131   persist_tun = ENABLED
Sat Nov 10 12:25:05 2018 us=505163   persist_local_ip = DISABLED
Sat Nov 10 12:25:05 2018 us=505196   persist_remote_ip = DISABLED
Sat Nov 10 12:25:05 2018 us=505231   persist_key = ENABLED
Sat Nov 10 12:25:05 2018 us=505269   passtos = DISABLED
Sat Nov 10 12:25:05 2018 us=505311   resolve_retry_seconds = 1000000000
Sat Nov 10 12:25:05 2018 us=505380   resolve_in_advance = DISABLED
Sat Nov 10 12:25:05 2018 us=505413   username = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=505446   groupname = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=505480   chroot_dir = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=505516   cd_dir = '/etc/openvpn'
Sat Nov 10 12:25:05 2018 us=505550   writepid = '/run/openvpn/client.pid'
Sat Nov 10 12:25:05 2018 us=505582   up_script = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=505620   down_script = '/etc/openvpn/down.sh'
Sat Nov 10 12:25:05 2018 us=505659   down_pre = ENABLED
Sat Nov 10 12:25:05 2018 us=505691   up_restart = DISABLED
Sat Nov 10 12:25:05 2018 us=505726   up_delay = DISABLED
Sat Nov 10 12:25:05 2018 us=505770   daemon = ENABLED
Sat Nov 10 12:25:05 2018 us=505803   inetd = 0
Sat Nov 10 12:25:05 2018 us=505836   log = ENABLED
Sat Nov 10 12:25:05 2018 us=505867   suppress_timestamps = DISABLED
Sat Nov 10 12:25:05 2018 us=505899   machine_readable_output = DISABLED
Sat Nov 10 12:25:05 2018 us=505932   nice = 0
Sat Nov 10 12:25:05 2018 us=505964   verbosity = 4
Sat Nov 10 12:25:05 2018 us=505996   mute = 0
Sat Nov 10 12:25:05 2018 us=506027   gremlin = 0
Sat Nov 10 12:25:05 2018 us=506060   status_file = 'status'
Sat Nov 10 12:25:05 2018 us=506092   status_file_version = 3
Sat Nov 10 12:25:05 2018 us=506128   status_file_update_freq = 10
Sat Nov 10 12:25:05 2018 us=506161   occ = ENABLED
Sat Nov 10 12:25:05 2018 us=506193   rcvbuf = 0
Sat Nov 10 12:25:05 2018 us=506225   sndbuf = 0
Sat Nov 10 12:25:05 2018 us=506267   mark = 0
Sat Nov 10 12:25:05 2018 us=506320   sockflags = 0
Sat Nov 10 12:25:05 2018 us=506369   fast_io = ENABLED
Sat Nov 10 12:25:05 2018 us=506419   comp.alg = 2
Sat Nov 10 12:25:05 2018 us=506463   comp.flags = 1
Sat Nov 10 12:25:05 2018 us=506495   route_script = '/etc/openvpn/route-up.sh'
Sat Nov 10 12:25:05 2018 us=506528   route_default_gateway = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=506575   route_default_metric = 0
Sat Nov 10 12:25:05 2018 us=506625   route_noexec = DISABLED
Sat Nov 10 12:25:05 2018 us=506662   route_delay = 0
Sat Nov 10 12:25:05 2018 us=506707   route_delay_window = 30
Sat Nov 10 12:25:05 2018 us=506743   route_delay_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=506776   route_nopull = DISABLED
Sat Nov 10 12:25:05 2018 us=506808   route_gateway_via_dhcp = DISABLED
Sat Nov 10 12:25:05 2018 us=506841   allow_pull_fqdn = DISABLED
Sat Nov 10 12:25:05 2018 us=506874   management_addr = '127.0.0.1'
Sat Nov 10 12:25:05 2018 us=506907   management_port = '5001'
Sat Nov 10 12:25:05 2018 us=506941   management_user_pass = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=506985   management_log_history_cache = 50
Sat Nov 10 12:25:05 2018 us=507018   management_echo_buffer_size = 100
Sat Nov 10 12:25:05 2018 us=507050   management_write_peer_info_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=507083   management_client_user = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=507116   management_client_group = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=507149   management_flags = 0
Sat Nov 10 12:25:05 2018 us=507182   shared_secret_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=507215   key_direction = 0
Sat Nov 10 12:25:05 2018 us=507247   ciphername = 'bf-cbc'
Sat Nov 10 12:25:05 2018 us=507280   ncp_enabled = ENABLED
Sat Nov 10 12:25:05 2018 us=507314   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Sat Nov 10 12:25:05 2018 us=507346   authname = 'sha1'
Sat Nov 10 12:25:05 2018 us=507378   prng_hash = 'SHA1'
Sat Nov 10 12:25:05 2018 us=507414   prng_nonce_secret_len = 16
Sat Nov 10 12:25:05 2018 us=507448   keysize = 0
Sat Nov 10 12:25:05 2018 us=507487   engine = DISABLED
Sat Nov 10 12:25:05 2018 us=507528   replay = ENABLED
Sat Nov 10 12:25:05 2018 us=507570   mute_replay_warnings = DISABLED
Sat Nov 10 12:25:05 2018 us=507620   replay_window = 64
Sat Nov 10 12:25:05 2018 us=507652   replay_time = 15
Sat Nov 10 12:25:05 2018 us=507699   packet_id_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=507744   use_iv = ENABLED
Sat Nov 10 12:25:05 2018 us=507777   test_crypto = DISABLED
Sat Nov 10 12:25:05 2018 us=507810   tls_server = DISABLED
Sat Nov 10 12:25:05 2018 us=507871   tls_client = ENABLED
Sat Nov 10 12:25:05 2018 us=507904   key_method = 2
Sat Nov 10 12:25:05 2018 us=507936   ca_file = '/etc/openvpn/ca.crt'
Sat Nov 10 12:25:05 2018 us=507969   ca_path = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508001   dh_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508035   cert_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508077   extra_certs_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508120   priv_key_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508156   pkcs12_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508190   cipher_list = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508223   tls_verify = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508254   tls_export_cert = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508292   verify_x509_type = 0
Sat Nov 10 12:25:05 2018 us=508327   verify_x509_name = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508359   crl_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=508392   ns_cert_type = 0
Sat Nov 10 12:25:05 2018 us=508481   remote_cert_ku[i] = 160
Sat Nov 10 12:25:05 2018 us=508524   remote_cert_ku[i] = 136
Sat Nov 10 12:25:05 2018 us=508557   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508592   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508634   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508669   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508712   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508744   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508776   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508809   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508840   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508872   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508904   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508936   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=508968   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=509000   remote_cert_ku[i] = 0
Sat Nov 10 12:25:05 2018 us=509038   remote_cert_eku = 'TLS Web Server Authentication'
Sat Nov 10 12:25:05 2018 us=509072   ssl_flags = 0
Sat Nov 10 12:25:05 2018 us=509104   tls_timeout = 2
Sat Nov 10 12:25:05 2018 us=509136   renegotiate_bytes = -1
Sat Nov 10 12:25:05 2018 us=509187   renegotiate_packets = 0
Sat Nov 10 12:25:05 2018 us=509244   renegotiate_seconds = 3600
Sat Nov 10 12:25:05 2018 us=509291   handshake_window = 60
Sat Nov 10 12:25:05 2018 us=509334   transition_window = 3600
Sat Nov 10 12:25:05 2018 us=509366   single_session = DISABLED
Sat Nov 10 12:25:05 2018 us=509399   push_peer_info = DISABLED
Sat Nov 10 12:25:05 2018 us=509450   tls_exit = DISABLED
Sat Nov 10 12:25:05 2018 us=509488   tls_auth_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=509530   tls_crypt_file = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=509576   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509609   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509642   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509674   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509708   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509740   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509773   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509817   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509850   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509882   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509914   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509947   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=509979   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=510012   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=510045   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=510079   pkcs11_protected_authentication = DISABLED
Sat Nov 10 12:25:05 2018 us=510114   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510147   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510212   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510246   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510285   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510331   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510382   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510425   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510462   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510496   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510529   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510561   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510594   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510626   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510659   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510693   pkcs11_private_mode = 00000000
Sat Nov 10 12:25:05 2018 us=510726   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510759   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510809   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510850   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510884   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510916   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510949   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=510983   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511019   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511051   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511084   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511120   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511160   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511193   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511228   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511274   pkcs11_cert_private = DISABLED
Sat Nov 10 12:25:05 2018 us=511311   pkcs11_pin_cache_period = -1
Sat Nov 10 12:25:05 2018 us=511343   pkcs11_id = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=511375   pkcs11_id_management = DISABLED
Sat Nov 10 12:25:05 2018 us=511436   server_network = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511482   server_netmask = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511543   server_network_ipv6 = ::
Sat Nov 10 12:25:05 2018 us=511578   server_netbits_ipv6 = 0
Sat Nov 10 12:25:05 2018 us=511614   server_bridge_ip = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511656   server_bridge_netmask = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511693   server_bridge_pool_start = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511728   server_bridge_pool_end = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511768   ifconfig_pool_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=511824   ifconfig_pool_start = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511885   ifconfig_pool_end = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511941   ifconfig_pool_netmask = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=511975   ifconfig_pool_persist_filename = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=512008   ifconfig_pool_persist_refresh_freq = 600
Sat Nov 10 12:25:05 2018 us=512045   ifconfig_ipv6_pool_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=512098   ifconfig_ipv6_pool_base = ::
Sat Nov 10 12:25:05 2018 us=512134   ifconfig_ipv6_pool_netbits = 0
Sat Nov 10 12:25:05 2018 us=512179   n_bcast_buf = 256
Sat Nov 10 12:25:05 2018 us=512220   tcp_queue_limit = 64
Sat Nov 10 12:25:05 2018 us=512253   real_hash_size = 256
Sat Nov 10 12:25:05 2018 us=512286   virtual_hash_size = 256
Sat Nov 10 12:25:05 2018 us=512320   client_connect_script = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=512353   learn_address_script = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=512394   client_disconnect_script = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=512431   client_config_dir = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=512464   ccd_exclusive = DISABLED
Sat Nov 10 12:25:05 2018 us=512496   tmp_dir = '/tmp'
Sat Nov 10 12:25:05 2018 us=512529   push_ifconfig_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=512600   push_ifconfig_local = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=512637   push_ifconfig_remote_netmask = 0.0.0.0
Sat Nov 10 12:25:05 2018 us=512673   push_ifconfig_ipv6_defined = DISABLED
Sat Nov 10 12:25:05 2018 us=512713   push_ifconfig_ipv6_local = ::/0
Sat Nov 10 12:25:05 2018 us=512748   push_ifconfig_ipv6_remote = ::
Sat Nov 10 12:25:05 2018 us=512781   enable_c2c = DISABLED
Sat Nov 10 12:25:05 2018 us=512816   duplicate_cn = DISABLED
Sat Nov 10 12:25:05 2018 us=512849   cf_max = 0
Sat Nov 10 12:25:05 2018 us=512882   cf_per = 0
Sat Nov 10 12:25:05 2018 us=512929   max_clients = 1024
Sat Nov 10 12:25:05 2018 us=512974   max_routes_per_client = 256
Sat Nov 10 12:25:05 2018 us=513023   auth_user_pass_verify_script = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=513061   auth_user_pass_verify_script_via_file = DISABLED
Sat Nov 10 12:25:05 2018 us=513095   auth_token_generate = DISABLED
Sat Nov 10 12:25:05 2018 us=513129   auth_token_lifetime = 0
Sat Nov 10 12:25:05 2018 us=513161   port_share_host = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=513195   port_share_port = '[UNDEF]'
Sat Nov 10 12:25:05 2018 us=513228   client = ENABLED
Sat Nov 10 12:25:05 2018 us=513259   pull = ENABLED
Sat Nov 10 12:25:05 2018 us=513293   auth_user_pass_file = '/etc/openvpn/userpass.data'
Sat Nov 10 12:25:05 2018 us=513332 OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
Sat Nov 10 12:25:05 2018 us=513380 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.08
Sat Nov 10 12:25:05 2018 us=515105 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:5001
Sat Nov 10 12:25:05 2018 us=516205 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Nov 10 12:25:05 2018 us=521188 LZO compression initializing
Sat Nov 10 12:25:05 2018 us=521669 Control Channel MTU parms [ L:1622 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Sat Nov 10 12:25:05 2018 us=540933 Data Channel MTU parms [ L:1622 D:1450 EF:122 EB:406 ET:0 EL:3 ]
Sat Nov 10 12:25:05 2018 us=541128 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Nov 10 12:25:05 2018 us=541170 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Nov 10 12:25:05 2018 us=541255 TCP/UDP: Preserving recently used remote address: [AF_INET]Server_ip_address:PORTNO
Sat Nov 10 12:25:05 2018 us=541315 Socket Buffers: R=[163840->163840] S=[163840->163840]
Sat Nov 10 12:25:05 2018 us=541368 UDP link local: (not bound)
Sat Nov 10 12:25:05 2018 us=541409 UDP link remote: [AF_INET]Server_ip_address:PORTNO
Sat Nov 10 12:25:05 2018 us=556367 TLS: Initial packet from [AF_INET]Server_ip_address:PORTNO, sid=1f542161 9a190302
Sat Nov 10 12:25:05 2018 us=556671 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sat Nov 10 12:25:05 2018 us=580321 VERIFY OK: [ cert details ]
Sat Nov 10 12:25:05 2018 us=581475 Validating certificate key usage
Sat Nov 10 12:25:05 2018 us=581524 ++ Certificate has key usage  00a0, expects 00a0
Sat Nov 10 12:25:05 2018 us=581558 VERIFY KU OK
Sat Nov 10 12:25:05 2018 us=581602 Validating certificate extended key usage
Sat Nov 10 12:25:05 2018 us=581645 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sat Nov 10 12:25:05 2018 us=581680 VERIFY EKU OK
Sat Nov 10 12:25:05 2018 us=581713 VERIFY OK: [ cert details ]
Sat Nov 10 12:25:05 2018 us=790080 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Sat Nov 10 12:25:05 2018 us=790240 [790bdc3fe236222129407734e906b872] Peer Connection Initiated with [AF_INET]Server_ip_address:PORTNO
Sat Nov 10 12:25:07 2018 us=10759 SENT CONTROL [790bdc3fe236222129407734e906b872]: 'PUSH_REQUEST' (status=1)
Sat Nov 10 12:25:07 2018 us=25815 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS [ dns ],dhcp-option DNS [ dns ],ping 10,comp-lzo no,route 10.31.10.1,topology net30,ifconfig 10.31.10.6 10.31.10.5,auth-token'
Sat Nov 10 12:25:07 2018 us=26318 OPTIONS IMPORT: timers and/or timeouts modified
Sat Nov 10 12:25:07 2018 us=26396 OPTIONS IMPORT: compression parms modified
Sat Nov 10 12:25:07 2018 us=26471 OPTIONS IMPORT: --ifconfig/up options modified
Sat Nov 10 12:25:07 2018 us=26538 OPTIONS IMPORT: route options modified
Sat Nov 10 12:25:07 2018 us=26606 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sat Nov 10 12:25:07 2018 us=26717 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:406 ET:0 EL:3 ]
Sat Nov 10 12:25:07 2018 us=27603 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 10 12:25:07 2018 us=27688 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Nov 10 12:25:07 2018 us=27774 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 10 12:25:07 2018 us=28078 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sat Nov 10 12:25:07 2018 us=28157 WARNING: INSECURE cipher with block size less than 128 bit (64 bit).  This allows attacks like SWEET32.  Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Nov 10 12:25:07 2018 us=28243 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Nov 10 12:25:07 2018 us=28318 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sat Nov 10 12:25:07 2018 us=28908 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:c9:bc:78
Sat Nov 10 12:25:07 2018 us=33651 TUN/TAP device tun0 opened
Sat Nov 10 12:25:07 2018 us=33843 TUN/TAP TX queue length set to 100
Sat Nov 10 12:25:07 2018 us=33956 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Nov 10 12:25:07 2018 us=34082 /sbin/ip link set dev tun0 up mtu 1500
Sat Nov 10 12:25:07 2018 us=45386 /sbin/ip addr add dev tun0 local 10.31.10.6 peer 10.31.10.5
Sat Nov 10 12:25:07 2018 us=54072 /sbin/ip route add Server_ip_address/32 via 192.168.1.1
Sat Nov 10 12:25:07 2018 us=60447 /sbin/ip route add 0.0.0.0/1 via 10.31.10.5
Sat Nov 10 12:25:07 2018 us=66669 /sbin/ip route add 128.0.0.0/1 via 10.31.10.5
Sat Nov 10 12:25:07 2018 us=75032 /sbin/ip route add 10.31.10.1/32 via 10.31.10.5
uid=0(root) gid=0(root) groups=0(root)
time(seconds)        unlimited
file(blocks)         unlimited
data(kbytes)         unlimited
stack(kbytes)        8192
coredump(blocks)     0
memory(kbytes)       unlimited
locked memory(kbytes) 64
process              10
nofiles              1048576
vmemory(kbytes)      unlimited
locks                unlimited
rtprio               0
Sat Nov 10 12:25:09 2018 us=182330 Initialization Sequence Completed
terminate called after throwing an instance of 'boost::system::system_error'
  what():  thread: Resource temporarily unavailable

route-up.sh:

Code:

#!/bin/sh
id
ulimit -a

iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE
sudo -u pi deluged

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Run route-up/down scripts as specific user

Post by TinCanTech » Sun Nov 11, 2018 12:47 pm

jogo wrote: Sun Nov 11, 2018 10:54 am
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017

This is old, is there an upgrade available for your distro?

jogo wrote: Sun Nov 11, 2018 10:54 am
route-up.sh

OpenVPN does not search your $PATH, so all these commands need to be in full, e.g. "/sbin/iptables". (Not sure how your script is running.)

jogo wrote: Sat Oct 13, 2018 10:11 am
process 10

I presume this is by systemd; if so, you can edit the openvpn*.service file (whichever you are using).

jogo
OpenVpn Newbie
Posts: 4
Joined: Sat Oct 13, 2018 9:58 am

Re: Run route-up/down scripts as specific user

Post by jogo » Tue Nov 13, 2018 9:12 pm

Thanks so much! I managed to find/fix the process limit by editing the service file (as below in my case).

/run/systemd/generator/openvpn.service.wants/openvpn@client.service

Code:

[Service]
...
LimitNPROC=10

Fixed that script up too and checked for updates and I'm on the latest.

Thanks again, really saved me from so much frustration!
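
A hardened take on the route-up hook discussed in this thread, as an added example that is not any poster's script: it resolves each binary from a fixed list of root-owned directories (OpenVPN does not search $PATH, and a hook running as root should not trust it either), refuses to start the daemon when the inherited process limit is too low, and keeps only the iptables step running as root. The names TRUSTED_DIRS, RUN_AS, MIN_NPROC and the helper functions are assumptions, and 64 is a constructed threshold.

```shell
#!/bin/sh
# Added example, not the thread's script. Hypothetical names: TRUSTED_DIRS,
# RUN_AS, MIN_NPROC, resolve_cmd, soft_nproc, nproc_allows, route_up.

TRUSTED_DIRS="/usr/sbin /usr/bin /sbin /bin"  # root-owned dirs; $PATH is never consulted
RUN_AS="pi"                                   # unprivileged user from the thread
MIN_NPROC=64                                  # constructed threshold; size it for the daemon

# resolve_cmd NAME: print the absolute path of NAME from TRUSTED_DIRS.
# Names containing "/" are rejected so only bare command names are resolved.
resolve_cmd() {
    case "$1" in ""|*/*) return 1 ;; esac
    for d in $TRUSTED_DIRS; do
        if [ -f "$d/$1" ] && [ -x "$d/$1" ]; then
            printf '%s\n' "$d/$1"
            return 0
        fi
    done
    return 1
}

# soft_nproc [FILE]: print the soft "Max processes" value from a
# /proc/<pid>/limits style file (default: this process). Avoids `ulimit`,
# whose option letter for this limit differs between dash and bash.
soft_nproc() {
    while read -r a b soft _rest; do
        if [ "$a $b" = "Max processes" ]; then
            printf '%s\n' "$soft"
            return 0
        fi
    done < "${1:-/proc/self/limits}"
    return 1
}

# nproc_allows LIMIT NEEDED: succeed if LIMIT ("unlimited" or a number)
# is at least NEEDED. Anything unparseable fails closed.
nproc_allows() {
    case "$1" in
        unlimited) return 0 ;;
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ]
}

route_up() {
    iptables_bin=$(resolve_cmd iptables) || { echo "route-up: iptables not found" >&2; return 1; }
    sudo_bin=$(resolve_cmd sudo) || { echo "route-up: sudo not found" >&2; return 1; }
    daemon_bin=$(resolve_cmd deluged) || { echo "route-up: deluged not found" >&2; return 1; }

    # The limit is inherited from the openvpn service and follows the daemon
    # across sudo; "process 10" in the thread is too low for a threaded daemon.
    limit=$(soft_nproc) || limit=""
    if ! nproc_allows "$limit" "$MIN_NPROC"; then
        echo "route-up: process limit '$limit' below $MIN_NPROC; raise LimitNPROC= in the unit" >&2
        return 1
    fi

    # Root-only step. -C tests for the rule first so reconnects do not stack copies.
    tun="${dev:-tun0}"   # OpenVPN exports the device name as $dev
    "$iptables_bin" -t nat -C POSTROUTING -o "$tun" -j MASQUERADE 2>/dev/null ||
        "$iptables_bin" -t nat -I POSTROUTING -o "$tun" -j MASQUERADE || return 1

    # Everything else runs as the unprivileged user.
    "$sudo_bin" -u "$RUN_AS" -- "$daemon_bin"
}

# OpenVPN sets script_type for every hook it runs; do nothing otherwise.
if [ "${script_type:-}" = "route-up" ]; then
    route_up
fi
```

The hook file itself should be owned by root and not writable by the user it drops to, since OpenVPN executes it with root privileges under script-security 2.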
