Package: openvpn
Version: 2.0-1sarge3
Severity: wishlist

In most cases I use the Downgrade privileges to drop openvpn to user nobody.
This can cause problems, because when the push options are changed on the server the clients will terminate.

-----------------------------------------------------------------------------------------------
Aug 11 03:11:34 localhost ovpn-client[18092]: Preserving previous TUN/TAP instance: tun0
Aug 11 03:11:34 localhost ovpn-client[18092]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Aug 11 03:11:34 localhost ovpn-client[18092]: /sbin/route del -net 10.8.0.0 netmask 255.255.0.0
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete command failed: shell command exited with error status: 7
Aug 11 03:11:34 localhost ovpn-client[18092]: /sbin/route del -net 10.10.0.0 netmask 255.255.0.0
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete command failed: shell command exited with error status: 7
Aug 11 03:11:34 localhost ovpn-client[18092]: Closing TUN/TAP interface
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Attempting fallback to kernel 2.2 TUN/TAP interface
Aug 11 03:11:35 localhost ovpn-client[18092]: Cannot allocate TUN/TAP dev dynamically
Aug 11 03:11:35 localhost ovpn-client[18092]: Exiting
-------------------------------------------------------------------------------------------------


/dev/net/tun is owned by root, so openvpn can't reopen the device.

Btw, I haven't restarted the server myself; the connection broke because the DSL line disconnected, so this can happen often.

It's not very serious: you can run openvpn as root, or create the user/group for this yourself. Perhaps it's even a security problem to give the user access to tun; I don't know that. In case it's not a security problem, I would really recommend this to be default.

--
Mit freundlichen Grüßen / Best regards

Christian Michallek
IT Management und Integration

DATA CONSULT SYSTEMHAUS GMBH
Bahnhofstraße 26
36037 Fulda

Tel.: 0661- 9339-481
Fax: 0661- 9337-567
eMail: [EMAIL PROTECTED]

http://www.data-consult.com
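
The failure sequence in the log above can be picked out of syslog per process. The following is an added example, not part of the original report and not OpenVPN code; the sample lines are constructed from the report's excerpt, and the second client (PID 20111) and the function name are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on the report's excerpt, plus a second,
# hypothetical client (PID 20111) that restarts without the failure.
SAMPLE_LOG = """\
Aug 11 03:11:34 localhost ovpn-client[18092]: Preserving previous TUN/TAP instance: tun0
Aug 11 03:11:34 localhost ovpn-client[18092]: NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Aug 11 03:11:34 localhost ovpn-client[18092]: ERROR: Linux route delete command failed: shell command exited with error status: 7
Aug 11 03:11:34 localhost ovpn-client[18092]: Closing TUN/TAP interface
Aug 11 03:11:35 localhost ovpn-client[18092]: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
Aug 11 03:11:35 localhost ovpn-client[18092]: Exiting
Aug 11 04:02:10 localhost ovpn-office[20111]: Preserving previous TUN/TAP instance: tun1
Aug 11 04:02:11 localhost ovpn-office[20111]: Initialization Sequence Completed
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<tag>[\w.-]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
DENIED_RE = re.compile(r"Cannot open TUN/TAP dev (\S+): Permission denied \(errno=13\)")

def find_reopen_failures(log_text):
    """Return one finding per process that was denied the TUN/TAP device
    after a pulled-options change forced it to close and reopen it."""
    state = defaultdict(lambda: {"changed_at": None, "route_del_failures": 0,
                                 "device": None, "denied_at": None, "exited": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog line in the expected layout
        s, msg = state[(m["tag"], int(m["pid"]))], m["msg"]
        denied = DENIED_RE.search(msg)
        if "Pulled options changed on restart" in msg:
            s["changed_at"] = m["ts"]
        elif s["changed_at"] is None:
            continue  # only events after the forced reopen are relevant
        elif "route delete command failed" in msg:
            s["route_del_failures"] += 1
        elif denied:
            s["device"], s["denied_at"] = denied.group(1), m["ts"]
        elif s["denied_at"] and msg == "Exiting":
            s["exited"] = True
    return [dict(tag=tag, pid=pid, **s)
            for (tag, pid), s in state.items() if s["denied_at"]]

if __name__ == "__main__":
    for finding in find_reopen_failures(SAMPLE_LOG):
        print(finding)
```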

