On 15/05/2025 12:04, Stefanie Leisestreichler (Febas) wrote:
> On 5/15/25 11:49, David Sommerseth wrote:
>
>> Try to change the owner of the key file from root to openvpn.
>>
>> The openvpn-server@.service and openvpn-client@.service units have been
>> written to lock down and strip the openvpn process of as many
>> privileges as possible. Unfortunately, the list of needed privileges is
>> still fairly long.
>
> chown makes it run.
>
> What I do not understand is: as far as I know, openvpn is started with
> root rights to build the context for a running instance. If that is
> true, why can't the key be read during that phase, instead of having to
> be made available to user openvpn (at least with Arch)? Or is my
> assumption/understanding wrong?
Not when starting via systemd. In this case, when `User=openvpn` is set in the service unit file, systemd drops to that user and sets the requested capabilities before executing the binary in ExecStart=. But because OpenVPN 2.x allows a lot to happen before it normally drops privileges, a lot of additional capabilities had to be granted to it; otherwise many configurations did not work as intended.

--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
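As an added example (not code from the thread or from the OpenVPN project), a small POSIX shell check for the situation discussed above: it reads `User=` from a unit file or drop-in (root if absent, which is systemd's default) and verifies that the key file is readable by that account through its own ownership or group membership rather than through world-readable permission bits. It assumes GNU stat(1) as found on Linux; the unit and key paths are hypothetical; and it deliberately does not account for CAP_DAC_OVERRIDE, which would bypass file permissions if the unit grants it.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenVPN project.
# Checks that a private key file is readable by the account a systemd unit
# runs as (User=), without relying on world-readable permission bits.
# Assumes GNU stat(1) (Linux coreutils); paths used are hypothetical.
set -eu

# Print the account the unit runs as: the last User= line wins, and root is
# printed when no User= is present (systemd's default).
unit_user() {
    u=$(sed -n 's/^User=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${u:-root}"
}

# Return 0 if $1 is readable by account $2 via owner or group bits and is
# not world-readable; otherwise print the reason and return 1.
key_readable_by() {
    key=$1
    user=$2
    owner=$(stat -c %U "$key")
    group=$(stat -c %G "$key")
    mode=$(stat -c %a "$key")          # e.g. 600 or 4600

    o=${mode%??}; o=${o#${o%?}}        # owner permission digit
    g=${mode%?};  g=${g#${g%?}}        # group permission digit
    w=${mode#${mode%?}}                # other permission digit

    case $w in
        [4567]) echo "$key is world-readable (mode $mode)" >&2; return 1 ;;
    esac

    if [ "$owner" = "$user" ]; then
        case $o in
            [4567]) return 0 ;;
        esac
        echo "$key is owned by $user but lacks owner read (mode $mode)" >&2
        return 1
    fi

    # Not the owner: accept group read if the account is in the file's group.
    groups=$(id -Gn "$user" 2>/dev/null) || groups=""
    case " $groups " in
        *" $group "*)
            case $g in
                [4567]) return 0 ;;
            esac ;;
    esac
    echo "$key (owner $owner, group $group, mode $mode) is not readable by $user" >&2
    return 1
}

# Usage: sh check-key.sh UNIT_FILE KEY_FILE
if [ $# -eq 2 ]; then
    user=$(unit_user "$1")
    if key_readable_by "$2" "$user"; then
        echo "ok: $2 is readable by $user"
    else
        echo "suggested fix: chown $user '$2' && chmod 600 '$2'" >&2
        exit 1
    fi
fi
```

Run it against the unit file (or a drop-in under `/etc/systemd/system/openvpn-server@.service.d/`) and the key path from the OpenVPN config; a `chown openvpn server.key && chmod 600 server.key`, the fix given in the thread, makes the check pass without opening the key to other accounts.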