how to get ifconfig-push from client-connect

[burn]

I'm running openvpn-2.1.1 on fedora 13. I have a custom client-connect shell script which is supposed to generate ip addresses for clients. It works ok. But how do I pass generated ip back to daemon? The manual says "If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1.". So essentially I do

Code: Select all

echo "ifconfig-push $server_virtual_ip $client_virtual_ip" > $1

at the end of the script. This results in

/opt/scripts/openvpn/10.client-connect.sh: line 26: openvpn_cc_2d513fe0c128eba25815d8080769e959.tmp: Permission denied

I added 'cd /opt/scripts/openvpn' and chowned this dir to nobody:nobody, but still no go. What else do I do?

Code: Select all

local xx.xx.xx.xx
port 33333
proto udp
dev tun
ca /etc/ca/keys/qwerty-ca.crt
cert /etc/ca/keys/qwerty-s.crt
key /etc/ca/keys/qwerty-s.key
dh /etc/ca/keys/dh2048.pem
server 10.10.10.0 255.255.255.0
duplicate-cn
push "redirect-gateway"
comp-lzo
max-clients 100
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/10.status 120
log-append  /var/log/openvpn/10.log
verb 4
mute 10
no-replay
client-connect /opt/scripts/openvpn/10.client-connect.sh
nice -5
cd /opt/scripts/openvpn

Code: Select all

# ll /opt/scripts/ | grep openvpn
drwxr-xr-x 2 nobody nobody 4096 Nov  4 22:16 openvpn

[burn]

ended up using sudo, for the lack of a better option

[burn]

ok, that's no good either. /etc/openvpn/ gets flooded with "openvpn_cc_xxxxxxxxxxxxxxxxxx.tmp" files, which it cannot delete. Does anyone at all succesfully use 'client-connect' option?

[dazo]

If you are sure the permissions are correct on the directory, I'm guessing this is related to SELinux - especially if you are starting the daemon via the 'service' command or /etc/init.d script.

You can check the status by running the command 'getenforce', If that returns 'Enforcing', you most likely have SELinux issues. If it returns 'Permissive' or 'Disabled', it is something else.

If SELinux is set to 'Enforcing', try temporarily to switch to 'Permissive' by doing 'setenforce 0'. Verify with 'getenforce' that it is not 'Enforcing'. Try now to run OpenVPN and see how it behaves. If it now works, you know for sure it is SELinux which denies this access. I suggest that you do not consider running in 'Permissive' or disable SELinux as a solution. Rather try to let SELinux allow OpenVPN to write these files. So do a 'setenforce 1' now, to move back to 'Enforcing'.

I'd suggest you to use /var/lib/openvpn for this stuff. Give the --user and --group you define in the config also the ownership of this directory. Then the tricky part. OpenVPN runs in a SELinux domain called openvpn_t. This domain should have read/write access to files with a SELinux type called openvpn_tmp_t. This should be used by OpenVPN for such stuff. To check if this is the right solution, do this:

Code: Select all

   [root@host: ~] mkdir -m 770 -p /var/lib/openvpn
   [root@host: ~] chown openvpn:openvpn /var/lib/openvpn
   [root@host: ~] chcon -t openvpn_tmp_t /var/lib/openvpn

Now modify your config file to use /var/lib/openvpn for these temp files and see how it works. If this solves it, then you should write a little OpenVPN SELinux module so that the /var/lib/openvpn directory keeps the proper SELinux context, even when the filesystem is relabelled (using the 'restorecon' command).


Update: Please note that this is very Fedora/RHEL/CentOS specific. The security context of OpenVPN runs under and which SELinux types are available may differ in other distributions.

[burn]

nah, I already figured it out. I never use selinux, it just complicates anything. The thing is that openvpn init.d script for Fedora includes "--cd $work", where $work is /etc/openvpn, and that command line parameter overrides the value in the config. So what one need to do to get it to work is

Code: Select all

chmod 0775 /etc/openvpn
chown root:nobody /etc/openvpn

or whatever your openvpn user is.