OpenVPN Support Forum

I installed OpenVPN on the latest OpenWrt 21.02.1

The client config and server conf files both have these lines at the top:
I installed the OpenVPN for Android app on my Android phone. When entering the client config file... am I supposed to comment out or delete the first two lines since there is no user called: nobody and no group called nogroup in my Android. At least I didn't see anything in /etc/group and /etc/passwd in Android OS.

I see in the OpenVPN manual that the --user option lets you:
"Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session."

I can connect from the Android client to OpenVPN server by commenting out those two lines but is there a way to obtain the benefit of running as user "nobody" and group "nogroup", or some such unpriviledged user, when connecting to OpenVPN server on OpenWrt from an Android phone? From a Terminal to my phones Android OS if I do ls -l I can see user and group of all files is: u0_a252 so should I make a user an group of u0_a252 on the server running OpenVPN and then use that as the user and group inyou are dropping root privileges on the client with --user and/or --group the client and server config files? My phone is not rooted so I guess running as user u0_a252 will be the same thing as running OpenVPN unpriviledged?

Lastly do I NEED to define a user AND a group or is one or the other enough? The OpenVPN manual is a bit ambiguous on this point because it also states: "[if] you are dropping root privileges on the client with --user and/or --group.."

Cheers,

Flex

I believe the Android app ignores those options..

Thanks @TinCanTech.
I am using the OpenVPN for Android app. If it ignores the "user" and "group" options then is the OpenVPN connection from my phone is being run as an unpriviledged user or as root user then? My phone is not rooted.

When I open Termux in the phone and try commands like ps, top, htop, pstree I am unable to see what user is running the openvpn for android app process. Maybe that is because my phone is not rooted.
On the OpenVPN server side I run this command and get that result: So OpenVPN server is running as the root user anyway. But I am interested to know if the OpenVPN connection from my phone is being run as an unpriviledged user or as root user.

Cheers,

Flex

You read your client log, right ?

My client is the OpenVPN for Android App. In the app I can view the OpenVPN log and change the verbosity level.. with the verbosity level set to the max I still don't see any mention of a user or a UID.

On the server side in OpenWrt I run this command: In OpenWrt that command gives a real time read out of logging information as clients connect to the server and do things. But it also doesn't mention anything about what user is initiating the OpenVPN connection.

I found a way which I think gives me the information:

I installed ADB in Manjaro using these instructions then used these commands to see that user u0_a253 was running the OpenVPN for Android App.
So when connecting to OpenVPN Server from the OpenVPN for Android App the connecting user in this case is called: u0_a253. I was glad to satisfy myself that it is not being run as the root user.

I don't know how else to view a client side log when the client is the OpenVPN for Android App, running on an Android phone, that might confirm the user that is in control of the connection. If you know this then please let me know?

Cheers,

Flex

I may be confusing the app you are using with this one: https://github.com/schwabe/ics-openvpn

That version clearly states which options are being ignored.

Yes that is the app that I am using and I know it ignores those options...

Now because you suggested it to me I am curious about how to use the client side log to identify the user that IS connecting to the server. But I don't see any mention of a username in the client side log when I look at it, even when turned up to maximum verbosity, in the app. Maybe that type of information is not actually available in a client side log after all?

Any further advice much appreciated.

Cheers.

Openvpn 'username' is only a variable set for openvpn.

It is not like the actual user name on the client in anyway.

That is unless, you go specifically out-of-your-way to do so.

Alright, I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff.

I just got a bit obsessed with confirming that it is not the "Root" user so I could see for myself that the client side connection is indeed running as an unprivileged user. I guess I already answered this by using the ADB tools I mentioned above. If you cannot double confirm that the user is: u0_a253 using a client side log than OK I can let this go!

Flex

flexmcmurphy wrote: ↑

Mon Jan 10, 2022 11:42 pm

I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff

I know what you mean .. Openvpn is fairly smart ginger!

Imagine if OpenVPN were as insidious as Windblows!?

If you know what I mean that why did you suggest I look in the client side logs when the UID of the connecting process doesn't appear to be recorded there and you didn't confirm if you were able or not able to see that information yourself in your own set up and come back to me and acknowledge your findings either way... as a beginner with OpenVPN that's the kind of support I was hoping for.

But thank you for your time.

flexmcmurphy wrote: ↑

Thu Jan 13, 2022 12:03 am

as a beginner with OpenVPN that's the kind of support I was hoping for

TinCanTech wrote: ↑

Tue Jan 11, 2022 12:32 am

I meant if it is possible to see the UID of the client side process that is connecting to the OpenVPN server. I'm talking about unix/linux stuff

This stuff is not shared by openvpn-ce server and client.

In order to share the sort of information which you are concerned, literally does take Windblows and Anti-T-h-rust..

The development of Openvpn is an open process, which you are very welcome to take a part in.h

Well that's the answer you should have given me back on Sat Jan 08, 2022 3:16 pm so instead of suggesting I search the client log.
Thank you kindly.

You should have read the manual and the howto by now ...