No OPTIONS IMPORT on one of my two servers
Posted: Tue Sep 13, 2011 4:33 pm
by tbingen
I run two OpenVPN 2.0.9 servers, one on CentOS, the other on OpenIndiana (OpenSolaris). Both generally work fine EXCEPT that my OpenIndiana-based server does not seem to take into account the remote LAN of its (only) client that has one. I expect to see an "OPTIONS IMPORT: reading client specific options from: ccd/clientname" message when the connection is established with the client, just as it happens with my CentOS-based server. However I only get the "Peer Connection Initiated with 194.nn.nnn.228:50962" message, but no sign of taking into account the route defined in the ccd file of that client; it is almost as if that file was never read; I even changed the configuration file to give the absolute path to the ccd directory (instead of its relative path), but to no avail. The status file is coherent: where I would expect a line such as "192.168.90.0/24,clientname,194.nn.nnn.228:50962,Wed Sep 7 18:41:33 2011", I see nothing on my problematic server.
Everything else works beautifully. I am completely lost...
Thanks for any help. (If necessary, I can furnish config files, logs, snoops, anything...)
Re: No OPTIONS IMPORT on one of my two servers
Posted: Tue Sep 13, 2011 9:20 pm
by janjust
add
to the server log file, reconnect the client.
Another quick&dirty trick is to add
to the server config, then reconnect the client - if the right CCD file is not found the client is refused access. That's a sure-fire method for finding out if the CCD file is picked up.
Re: No OPTIONS IMPORT on one of my two servers
Posted: Wed Sep 14, 2011 8:16 am
by tbingen
I included the ccd-exclusive directive (which I did not know) and it made a real difference. I can now see the following in the log:
TLS Auth Error: --client-config-dir authentication failed for common name 'clientname' file='/etc/csw/openvpn/ccd/clientname'
[clientname] Peer Connection Initiated with 194.nn.nnn.230:41685
SENT CONTROL [clientname]: 'AUTH_FAILED' (status=1)
Access from the client is thus denied; but the damn' file seems to exist:
# ls -l /etc/csw/openvpn/ccd/clientname
-rw-r--r-- 1 root root 34 2011-09-12 21:41 /etc/csw/openvpn/ccd/clientname
and its contents are simply:
Many thanks for the recipe, Jan, but I am still puzzled.
Re: No OPTIONS IMPORT on one of my two servers
Posted: Wed Sep 14, 2011 8:46 am
by janjust
Most likely your openvpn server is running non-root, e.g. 'nobody'; check that this user has read+execute rights to the full network path, i.e.
/etc
/etc/csw
/etc/csw/openvpn
/etc/csw/openvpn/ccd
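The check suggested in the reply above, written out as a small POSIX shell script: it walks every directory on the way to a client-config-dir file and reports each one the daemon's unprivileged user could not search, then checks that the file itself is world-readable. This is an added example, not code from the thread or from OpenVPN; the path /etc/csw/openvpn/ccd/clientname is the one from the thread, and the function name is my own. It inspects the mode bits printed by ls -ld rather than switching user, so it gives the same answer whether it is run as root or as nobody.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenVPN): walk every directory
# component above a client-config-dir file and report those that lack the
# "other" execute (search) bit, then check that the file itself is
# world-readable. A daemon running as an unprivileged user such as nobody
# needs exactly these bits to open ccd/<commonname>.
#
# Only the mode string from `ls -ld` (positions 1-10) is inspected, so the
# script does not depend on GNU stat and behaves the same when run as root.

check_ccd_readable_by_other() {
    file=$1
    bad=0
    # work on an absolute path so every prefix can be listed directly
    case $file in /*) ;; *) file="$PWD/$file" ;; esac

    prefix=""
    rest=$(dirname "$file")
    rest=${rest#/}
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        prefix="$prefix/$comp"
        perms=$(ls -ld "$prefix" 2>/dev/null | cut -c1-10)
        # position 10 is the execute bit for "other" (x, or t when sticky)
        case $perms in
            ?????????[xt]) ;;
            *) echo "no search (x) for other on: $prefix ($perms)"; bad=1 ;;
        esac
    done

    perms=$(ls -ld "$file" 2>/dev/null | cut -c1-10)
    # position 8 is the read bit for "other"
    case $perms in
        ???????r??) ;;
        *) echo "no read (r) for other on: $file ($perms)"; bad=1 ;;
    esac
    return $bad
}

# Usage: sh check_ccd.sh /etc/csw/openvpn/ccd/clientname
# Prints one line per component that needs fixing; exits 0 when the
# daemon user can reach and read the file.
if [ $# -gt 0 ]; then
    check_ccd_readable_by_other "$1"
fi
```

In the situation from this thread the script prints a single line naming /etc/csw/openvpn, which is the directory that needs chmod a+rx; a ccd file that is itself mode 600 shows up as a separate "no read" line.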
Re: No OPTIONS IMPORT on one of my two servers
Posted: Wed Sep 14, 2011 11:45 am
by tbingen
BINGO!
Yes, the daemon runs as nobody (default), and the /etc/csw/openvpn directory only had read permission for root (package installation default!).
A little chmod a+rx on that directory did the trick.
Thanks A LOT!
P.S. This is worth advertising somewhere...