On 24/10/2023 07:46, Peter Davis via Openvpn-users wrote:
> Hi,
> I see the same message. Linux capabilities? Should I install any package or...?

Linux capabilities is a security feature provided by the kernel. For
OpenVPN (or any other tunneling software, in fact), certain capabilities
(such as CAP_NET_ADMIN) are required to modify network settings,
changing network routes or creating and removing virtual network
interfaces. Other capabilities give other privileges on the system.
The root user, by default, is granted all capabilities. Ordinary users
on the system do not have any capabilities enabled by default.

When starting OpenVPN via the openvpn-client@.service or
openvpn-server@.service systemd unit files, some capabilities are
granted to the user the OpenVPN process may transition to, like the
"openvpn" user. CAP_SETPCAP and CAP_NET_ADMIN are two of those. The first
one is actually used to allow the OpenVPN process to keep certain
capabilities set up as it transitions to the user provided via the --user
option. The CAP_NET_ADMIN is, not surprisingly, used to set up the
virtual network adapter (both tun and ovpn-dco) and get network routes
set up properly.

I strongly encourage everyone to start OpenVPN, especially server
configurations, via the systemd unit files provided by the OpenVPN
project. This will attempt to reduce the privileges the OpenVPN process
needs to do its job.

If you want an OpenVPN client setup running with the least privileges
possible, you could have a look at the OpenVPN 3 Linux project [0].
This project attempts to go even further by splitting up the
responsibility of the client connection (keeping the link to the server,
encrypting/decrypting traffic) and the network configuration (creating
the virtual interface, configuring VPN IP addresses, network routes and
DNS) into separate components. The client connection component runs
completely unprivileged while the network configuration component runs
as a separate process without any root privileges, just CAP_NET_ADMIN
and a few other selected ones (depending on the host configuration).
This ensures the privileged network configuration process can only do a
set of limited operations on the host, while the unprivileged client
process can only pass traffic to and from the server, do the needed
crypto operations on that traffic and send that traffic to/from the
local virtual interface.

[0] <https://community.openvpn.net/openvpn/wiki/OpenVPN3Linux>

--
kind regards,
David Sommerseth
OpenVPN Inc
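
An added example, not part of the original message and not OpenVPN project code: a small audit that decodes the capability masks the kernel reports in /proc/<pid>/status and flags anything a process holds beyond an expected set. The allow-list (just the two capabilities named above) and both status samples are assumptions constructed for illustration; the real unit files may grant more.

```python
import re

# Capability names indexed by bit number, as defined in <linux/capability.h>.
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

def decode(mask_hex):
    """Decode a hex mask from /proc/<pid>/status into capability names."""
    mask = int(mask_hex, 16)
    return {"CAP_" + (CAP_NAMES[i] if i < len(CAP_NAMES) else str(i))
            for i in range(mask.bit_length()) if mask >> i & 1}

def audit(status_text, allowed):
    """Report the capability sets of one process and anything beyond `allowed`."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.*)$", status_text, re.M))
    report = {k: decode(fields[k]) for k in ("CapPrm", "CapEff", "CapBnd", "CapAmb")}
    report["euid"] = int(fields["Uid"].split()[1])  # real, effective, saved, fs
    # Permitted capabilities can be raised into the effective set, so count both.
    report["excess"] = (report["CapPrm"] | report["CapEff"]) - allowed
    return report

# Assumption: only the two capabilities named in the message are expected.
ALLOWED = {"CAP_NET_ADMIN", "CAP_SETPCAP"}

# Constructed samples, not captured from a real host.
# DROPPED: a process that switched to an unprivileged user and kept CAP_NET_ADMIN.
DROPPED = ("Name:\topenvpn\nUid:\t975\t975\t975\t975\n"
           "CapInh:\t0000000000000000\nCapPrm:\t0000000000001000\n"
           "CapEff:\t0000000000001000\nCapBnd:\t0000000000001100\n"
           "CapAmb:\t0000000000000000\n")
# AS_ROOT: the same program started as root with every capability still set.
AS_ROOT = ("Name:\topenvpn\nUid:\t0\t0\t0\t0\n"
           "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
           "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
           "CapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    for name, text in (("dropped", DROPPED), ("root", AS_ROOT)):
        r = audit(text, ALLOWED)
        print(name, "euid", r["euid"], "excess:", sorted(r["excess"]) or "none")
```

To check a live process, pass the contents of /proc/<pid>/status for that PID to audit() instead of the samples.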