Re: [Openvpn-users] no group nobody: an issue?
On 05/06/15 04:35, Douglas D Germann Sr wrote:
[...snip...]
> Thu Jun 4 22:23:45 2015 setgid('nobody') failed: Operation not permitted (errno=1)

Hi,

I'm just so puzzled by this error message. Can you please do these two commands and provide the result?

$ id nobody
$ getent group nobody

--
kind regards,
David Sommerseth

--
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] any way to get local network details to flow through to the server?
Message: 1
Date: Tue, 2 Jun 2015 23:43:39 +0200
From: Gert Doering g...@greenie.muc.de
Subject: Re: [Openvpn-users] any way to get local network details to flow through to the server?
To: Jason Haar jason_h...@trimble.com
Cc: openvpn-users@lists.sourceforge.net
Message-ID: 20150602214339.gc...@greenie.muc.de
Content-Type: text/plain; charset=us-ascii

> Hi,
>
> On Wed, Jun 03, 2015 at 08:05:21AM +1200, Jason Haar wrote:
>> In this case using the openvpn tunnel as the default gw should have solved the problem - but normal people can't figure that out - so I'd like to solve it dynamically at the server end. However, to do that, the server would need to know in advance the routing table of the client - so that it could do something like "if 10.anything is local, then disable split tunnel and push all traffic through openvpn; else do split tunnel".
>
> I'm not exactly sure what options the client sends to the server in the peer-info handshake (IV_...), but I'm afraid that routing data is not part of it...
>
> What you could *try* is a magic option I just discovered recently :-) - push "redirect-private", and then push routes for 10.0.0.0/8 (and maybe a few /25s for the really important stuff, to override whatever 10.x netmask the hotel might use).
>
> --redirect-private is the bit of --redirect-gateway that figures out the local default gateway, and installs a host route "vpn server -> this gateway", so after that, you're fairly safe to redirect about anything...
>
> (As a side note, you're screwed in any case if the hotel gateway happens to use an ip address also used by one of your servers - but to fix *that*, you'd have to go down the "use NAT on the server tun" route...)
>
> gert

Can you further explain the "use NAT on the server tun"? How would you solve the issue if the server has the same ip address as the hotel gateway? Please post examples.
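An added illustration of the routing logic behind Gert's suggestion (this is not code from the thread or from OpenVPN itself): it models the client's routing table after redirect-private plus a pushed 10.0.0.0/8 and a more specific /25, shows which 10.x destinations the hotel's connected route still wins, and flags the case where a pushed route covers the hotel gateway itself. The hotel subnet, gateway and VPN server address are constructed values.

```python
import ipaddress

# Constructed example values (not from the thread): a hotel LAN that happens to
# sit inside 10.0.0.0/8, its gateway, and the VPN server's public address.
HOTEL_LAN = ipaddress.ip_network("10.1.0.0/16")
HOTEL_GW = ipaddress.ip_address("10.1.0.1")
VPN_SERVER = ipaddress.ip_address("203.0.113.10")   # RFC 5737 documentation range


def client_routes(pushed_routes):
    """Model the client's routing table after connecting.

    redirect-private leaves the hotel default route alone and adds a /32 host
    route to the VPN server via the hotel gateway; the pushed routes go to tun0.
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), "wlan0"),          # hotel default route
        (HOTEL_LAN, "wlan0"),                                  # connected hotel LAN
        (ipaddress.ip_network(f"{VPN_SERVER}/32"), "wlan0"),   # host route to VPN server
    ]
    table += [(ipaddress.ip_network(r), "tun0") for r in pushed_routes]
    return table


def lookup(table, dst):
    """Longest-prefix match, the same selection rule the kernel applies."""
    dst = ipaddress.ip_address(dst)
    net, dev = max(((n, d) for n, d in table if dst in n),
                   key=lambda entry: entry[0].prefixlen)
    return dev


def shadowed_hosts(table, corporate_hosts):
    """Corporate hosts that still leave via the hotel LAN instead of the tunnel."""
    return [h for h in corporate_hosts if lookup(table, h) != "tun0"]


def gateway_captured(pushed_routes):
    """True when a pushed route is more specific than the hotel LAN and covers
    the hotel gateway itself, so the host route to the VPN server loses its
    usable next hop (the address collision Gert warns about)."""
    return lookup(client_routes(pushed_routes), str(HOTEL_GW)) != "wlan0"


if __name__ == "__main__":
    table = client_routes(["10.0.0.0/8", "10.1.50.0/25"])
    print(shadowed_hosts(table, ["10.1.7.7", "10.1.50.9", "10.200.1.1"]))
    print(gateway_captured(["10.0.0.0/8", "10.1.0.0/25"]))
```

The /8 alone does not reach a corporate host that happens to fall inside the hotel's /16; only a pushed route more specific than the hotel's netmask wins, which is exactly why the extra /25s are suggested.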
Re: [Openvpn-users] no group nobody: an issue?
Hi,

On Fri, Jun 05, 2015 at 11:03:58AM -0400, Douglas D Germann Sr wrote:
> OTOH, if this is screwed up, might there be some other bug that could affect operations or security of this production nas? I worry

Of course there could be bugs overall :-) - but generally speaking, if they did not mess too much with our sources, and (this is the more important bit) user nobody still works, I do not see a high risk here.

Generally, OpenVPN's track record in regard to externally exploitable bugs is very good. Worst thing so far was "you can make the server exit cleanly" - which is totally annoying, but no lever to break into a system.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025 g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] no group nobody: an issue?
On 06/05/2015 11:10 AM, Gert Doering wrote:
> Hi,
>
> On Fri, Jun 05, 2015 at 11:03:58AM -0400, Douglas D Germann Sr wrote:
>> OTOH, if this is screwed up, might there be some other bug that could affect operations or security of this production nas? I worry
>
> Of course there could be bugs overall :-) - but generally speaking, if they did not mess too much with our sources, and (this is the more important bit) user nobody still works, I do not see a high risk here.
>
> Generally, OpenVPN's track record in regard to externally exploitable bugs is very good. Worst thing so far was "you can make the server exit cleanly" - which is totally annoying, but no lever to break into a system.
>
> gert

Thanks, Gert! You ease my worries. :-

Doug.
Re: [Openvpn-users] no group nobody: an issue?
David--

On 06/05/2015 06:06 AM, David Sommerseth wrote:
> On 05/06/15 04:35, Douglas D Germann Sr wrote:
> [...snip...]
>> Thu Jun 4 22:23:45 2015 setgid('nobody') failed: Operation not permitted (errno=1)
>
> Hi,
>
> I'm just so puzzled by this error message. Can you please do these two commands and provide the result?
>
> $ id nobody
> $ getent group nobody
>
> --
> kind regards,
> David Sommerseth

mariah> id nobody
uid=99(nobody) gid=99(nobody) groups=99(nobody)
mariah> getent group nobody
-ash: getent: not found
mariah>

Synology has a very slimmed down version of linux, based I think on busybox.

Thanks for helping, David!