Setting OpenVPN user “nobody” privilege to delete routes

OpenVPNuser2934
OpenVpn Newbie
Posts: 1
Joined: Fri Jan 22, 2016 10:25 am

Setting OpenVPN user “nobody” privilege to delete routes

Post by OpenVPNuser2934 » Fri Jan 22, 2016 10:28 am

I have set up an OpenVPN server and client successfully. However, it all works great when I run it as root, but I would like to run them with the reduced privileges of user "nobody" and group "nogroup". These are the options in the config files:

Server.conf

;It's a good idea to reduce the OpenVPN
;daemon's privileges after initialization.
;You can uncomment this out on
;non-Windows systems.
;user nobody
;group nogroup
However, when I enable them, I get the following errors in the connection log:

Thu Jan 21 10:22:52 2016 TUN/TAP device tun0 opened
Thu Jan 21 10:22:52 2016 TUN/TAP TX queue length set to 100
Thu Jan 21 10:22:52 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu Jan 21 10:22:52 2016 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 21 10:22:52 2016 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Jan 21 10:22:52 2016 /sbin/ip route add 192.168.1.98/32 via 192.168.1.254
Thu Jan 21 10:22:52 2016 ERROR: Linux route add command failed: external program exited with error status: 2
Thu Jan 21 10:22:52 2016 /sbin/ip route add 0.0.0.0/1 via 10.8.0.5
Thu Jan 21 10:22:52 2016 /sbin/ip route add 128.0.0.0/1 via 10.8.0.5
Thu Jan 21 10:22:52 2016 /sbin/ip route add 10.8.0.1/32 via 10.8.0.5
Thu Jan 21 10:22:52 2016 GID set to nogroup
Thu Jan 21 10:22:52 2016 UID set to nobody
Thu Jan 21 10:22:52 2016 Initialization Sequence Completed
I know this is because the user "nobody" does not have privileges to delete routes. When I close the connection, I get this:

Thu Jan 21 10:23:00 2016 event_wait : Interrupted system call (code=4)
Thu Jan 21 10:23:00 2016 /sbin/ip route del 10.8.0.1/32
Thu Jan 21 10:23:00 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Jan 21 10:23:00 2016 /sbin/ip route del 192.168.1.98/32
Thu Jan 21 10:23:00 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Jan 21 10:23:00 2016 /sbin/ip route del 0.0.0.0/1
Thu Jan 21 10:23:00 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Jan 21 10:23:00 2016 /sbin/ip route del 128.0.0.0/1
Thu Jan 21 10:23:00 2016 ERROR: Linux route delete command failed: external program exited with error status: 2
Thu Jan 21 10:23:00 2016 Closing TUN/TAP interface
Thu Jan 21 10:23:00 2016 /sbin/ip addr del dev tun0 local 10.8.0.6 peer 10.8.0.5
Thu Jan 21 10:23:00 2016 Linux ip addr del failed: external program exited with error status: 2
Thu Jan 21 10:23:00 2016 SIGINT[hard,] received, process exiting
So the question is, how do I give the required permissions to the user "nobody" and group "nogroup" to delete the routes?

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Setting OpenVPN user “nobody” privilege to delete routes

Post by Traffic » Fri Jan 22, 2016 2:40 pm

OpenVPN provides a plugin called openvpn-plugin-down-root.so, which you should find somewhere in your installation. I have not used it, so I am not sure how to configure it. Basically, it restores root privileges when the server is taken down in order to delete the TAP device and routes.
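Since the reply leaves the configuration open, here is an added example (not from the thread, and not code shipped by the OpenVPN project) of how the plugin is normally wired up: the plugin keeps a root-privileged helper alive and runs the named script at shutdown, so a `--down`-style script can remove the routes and tunnel address that the now-unprivileged daemon cannot. The plugin path, the script path /etc/openvpn/down-root.sh and the point-to-point (peer) addressing are assumptions; the route_*, dev and ifconfig_* variables are the ones OpenVPN exports to down scripts.

```shell
#!/bin/sh
# Added example, not from the thread: a down script that openvpn-plugin-down-root.so
# runs with root privileges, so routes OpenVPN added as root can still be removed
# after the daemon itself has dropped to nobody/nogroup. Assumed client config
# (plugin path varies by distribution; /etc/openvpn/down-root.sh is this file):
#   user nobody
#   group nogroup
#   plugin /usr/lib/openvpn/openvpn-plugin-down-root.so "/etc/openvpn/down-root.sh"
# OpenVPN exports routes as route_network_N/route_netmask_N/route_gateway_N and the tunnel as dev/ifconfig_local/ifconfig_remote.

# Dotted netmask to prefix length (255.255.255.0 -> 24); rejects non-contiguous masks.
mask_to_prefix() {
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    bits=0; partial=0
    for octet in "$@"; do
        [ "$partial" -eq 1 ] && [ "$octet" != 0 ] && return 1
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); partial=1 ;;
            252) bits=$((bits + 6)); partial=1 ;;
            248) bits=$((bits + 5)); partial=1 ;;
            240) bits=$((bits + 4)); partial=1 ;;
            224) bits=$((bits + 3)); partial=1 ;;
            192) bits=$((bits + 2)); partial=1 ;;
            128) bits=$((bits + 1)); partial=1 ;;
            0)   partial=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$bits"
}

# Print the ip(8) commands that undo what OpenVPN added, one per line; kept apart from execution so the plan can be checked without root.
plan_teardown() {
    n=1
    while eval "[ -n \"\${route_network_$n}\" ]"; do
        eval "net=\${route_network_$n}; mask=\${route_netmask_$n}; gw=\${route_gateway_$n}"
        prefix=$(mask_to_prefix "$mask") || return 1
        echo "ip route del $net/$prefix via $gw"
        n=$((n + 1))
    done
    [ -n "$dev" ] && echo "ip addr del dev $dev local $ifconfig_local peer $ifconfig_remote"
    return 0
}

# Execute only when OpenVPN invokes the down hook (it sets script_type=down).
if [ "$script_type" = "down" ]; then
    plan_teardown | while read -r cmd; do $cmd || echo "down-root: '$cmd' failed" >&2; done
fi
```

To check the plan without root, set the route_* and dev/ifconfig_* variables in a shell, source the file and call plan_teardown before pointing the plugin at it.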
