Hi,

On Thu, Oct 26, 2023 at 10:04:18AM +0200, David Sommerseth wrote:
> When starting OpenVPN via the openvpn-client@.service or
> openvpn-server@.service systemd unit files, some capabilities are granted to
> the user the OpenVPN process may transition to, like the "openvpn" user.
> CAP_SETPCAP and CAP_NET_ADMIN are two of those. The first one is actually
> used to allow the OpenVPN process to keep certain capabilities set up as it
> transitions to the user provided via the --user option. The CAP_NET_ADMIN
> is, not surprisingly, used to set up the virtual network adapter (both tun
> and ovpn-dco) and get network routes set up properly.

My guess in this thread here is that the systemd unit files used by the
original poster are not granting these two capabilities. Otherwise, I fail
to come up with a reason why OpenVPN would be able to change user, but not
retain CAP_NET_ADMIN.

(But then, as you know I'm not a big fan of Systemd's overarching "WE MUST
DO THINGS NO MATTER THE COST" tendencies, with private /home, private /tmp,
getting in the way of getting work done in big ways)

> I strongly encourage everyone to start OpenVPN, especially server
> configurations, via the systemd unit files provided by the OpenVPN project.
> This will attempt to reduce the privileges the OpenVPN process needs to do
> its job.

OpenVPN 2 does a pretty good job in doing so :-) - so, the best thing
Systemd can do here is "do not mess with OpenVPN".

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
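An added check for the guess above (not part of Gert's or David's mail, and not OpenVPN project code): a small POSIX shell script that decodes the CapEff mask from /proc/<pid>/status and reports which of CAP_SETPCAP and CAP_NET_ADMIN the OpenVPN process no longer holds after switching to its --user account. The two status excerpts and the uid in them are constructed sample data; the capability bit numbers are those of the Linux kernel.

```shell
#!/bin/sh
# Added example: check whether a running OpenVPN process still holds
# CAP_SETPCAP and CAP_NET_ADMIN after dropping to its --user account.
# Capability bit numbers as defined in <linux/capability.h>.
CAP_SETPCAP=8
CAP_NET_ADMIN=12

# has_cap HEXMASK BITNUMBER: succeed if the bit is set in the mask.
# HEXMASK is the 16-hex-digit value printed in /proc/<pid>/status.
has_cap() {
    mask=$1
    bit=$2
    val=$((0x${mask#0x}))
    [ $(( (val >> bit) & 1 )) -eq 1 ]
}

# missing_caps STATUS_TEXT: print the names of the two capabilities that
# are absent from the CapEff (effective) set; prints nothing when both
# are present.
missing_caps() {
    eff=$(printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }')
    missing=""
    has_cap "$eff" "$CAP_SETPCAP"   || missing="$missing CAP_SETPCAP"
    has_cap "$eff" "$CAP_NET_ADMIN" || missing="$missing CAP_NET_ADMIN"
    printf '%s\n' "${missing# }"
}

# check_pid PID: run the same check against a live process (needs read
# access to /proc/PID/status; not used by the offline demo below).
check_pid() {
    missing_caps "$(cat "/proc/$1/status")"
}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
# 0x1100 = bits 8 and 12: both capabilities retained after --user.
STATUS_OK='Name:   openvpn
Uid:    976     976     976     976
CapPrm: 0000000000001100
CapEff: 0000000000001100'
# 0x0100 = bit 8 only: the unit did not let CAP_NET_ADMIN through.
STATUS_BAD='Name:   openvpn
Uid:    976     976     976     976
CapPrm: 0000000000000100
CapEff: 0000000000000100'

printf 'ok process, missing:  [%s]\n' "$(missing_caps "$STATUS_OK")"
printf 'bad process, missing: [%s]\n' "$(missing_caps "$STATUS_BAD")"
```

For a live system, `check_pid "$(pidof openvpn)"` applies the same decode to the real process; an empty result means both capabilities survived the user switch.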
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users