On 5/15/25 14:48, David Sommerseth wrote:
On 15/05/2025 12:04, Stefanie Leisestreichler (Febas) wrote:
On 5/15/25 11:49, David Sommerseth wrote:
Try to change the owner of the key file from root to openvpn.
The openvpn-server@.service and openvpn-client@.service units has been
written to lock down and strip the openvpn process from as many
privileges as possible. Unfortunately, the list of needed privileges is
still fairly long.
chown will make it running.
What I do not understand is: As far as I know, openvpn is started with
root rights to build the context for a running instance. If that is
true, why can't the key been read during that phase and has to be made
available for user openvpn (at least with arch)? Or is my assumption/
understanding wrong?
Not when starting via systemd. In this case, when the `User=openvpn` is
set in the service unit file, systemd will drop to that user and set the
requested capabilities before executing the binary in ExecStart=.
But due to OpenVPN 2.x allowing a lot to happen before it normally drops
privileges, a lot of additional capabilities was needed to grant to it -
otherwise a lot of configurations didn't work as intended.
So when I get you right user openvpn in combination with systemd has a
lot more rights than nobody ever had...
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
