Copy the keys to /etc/openvpn/server / /etc/openvpn/client respectively:

clients:
    sudo mv client.conf ca.crt ca.key ta.key client/
    sudo mv client1.crt client/client.crt
    sudo mv client1.key client/client.key

server:
    sudo mv dh.pem ca.crt server.crt server.key ta.key server
Finally set up the remote IPs in the client.conf and start the servers. Remember to set script-security 2 to call scripts, as on "these" service files this isn't the default.

Without a sudo setup you'll get something like:

    Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: no tty present and no askpass program specified
    Jun 13 12:20:01 bionic-s sudo[2645]: pam_unix(sudo:auth): conversation failed
    Jun 13 12:20:01 bionic-s sudo[2645]: pam_unix(sudo:auth): auth could not identify password for [openvpn]
    Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: unable to send audit message: Operation not permitted
    Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: unable to send audit message: Operation not permitted
    Jun 13 12:20:01 bionic-s sudo[2645]: openvpn : user NOT in sudoers ; TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1

so add this to /etc/sudoers:

    openvpn ALL=(ALL) NOPASSWD:ALL

Then you'll get an error:

    Jun 13 12:22:31 bionic-s sudo[2681]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
    Jun 13 12:22:31 bionic-s openvpn[2633]: sudo: unable to send audit message
    Jun 13 12:22:31 bionic-s sudo[2681]: PAM audit_log_acct_message() failed: Operation not permitted
    Jun 13 12:22:31 bionic-s sudo[2681]: pam_unix(sudo:session): session opened for user root by (uid=0)

I "successfully" got this message on Bionic/Cosmic/Disco. Upgrading the server to the fixed version on all three servers.
With the new version the issue is fixed:

    Jun 13 12:26:19 bionic-s sudo[3330]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
    Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jun 13 12:26:19 bionic-s openvpn[3316]: uid=0(root) gid=0(root) groups=0(root)
    Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session closed for user root
    Jun 13 12:26:20 cosmic-s sudo[4156]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
    Jun 13 12:26:20 cosmic-s sudo[4156]: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jun 13 12:26:20 cosmic-s openvpn[4138]: uid=0(root) gid=0(root) groups=0(root)
    Jun 13 12:26:20 cosmic-s sudo[4156]: pam_unix(sudo:session): session closed for user root
    Jun 13 12:26:22 disco-s sudo[3913]: openvpn : TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1
    Jun 13 12:26:22 disco-s sudo[3913]: pam_unix(sudo:session): session opened for user root by (uid=0)
    Jun 13 12:26:22 disco-s openvpn[3895]: uid=0(root) gid=0(root) groups=0(root)
    Jun 13 12:26:22 disco-s sudo[3913]: pam_unix(sudo:session): session closed for user root

This confirms that sudo (if set up) now can work, as the AUDIT cap is no longer blocking it.

Setting verified

** Tags removed: verification-needed verification-needed-bionic verification-needed-cosmic verification-needed-disco

** Tags added: verification-done verification-done-bionic verification-done-cosmic verification-done-disco

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1828771

Title:
  Add CAP_AUDIT_WRITE to non-upstream services

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1828771/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
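As an added example, not part of the bug report or the openvpn package: a small POSIX sh helper that classifies journal output from a sudo-calling OpenVPN hook script into the three states seen in the verification above (no sudoers entry, sudoers present but audit write blocked, working), and checks whether a systemd unit's CapabilityBoundingSet grants CAP_AUDIT_WRITE. The sample log lines are modeled on those in the report; the unit fragments and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. Triages the journal output of an
# OpenVPN hook script calling sudo (the three states shown in the report) and
# checks whether a systemd unit's CapabilityBoundingSet grants CAP_AUDIT_WRITE.

# Classify sudo/PAM journal lines read from stdin. Prints one of:
#   no-sudoers    sudo refused the openvpn user outright
#   audit-blocked sudo ran but could not write the audit record
#   ok            session opened and closed without audit errors
#   unknown       none of the known signatures present
sudo_audit_state() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'user NOT in sudoers'; then
        echo no-sudoers
    elif printf '%s\n' "$input" | grep -Eq 'unable to send audit message|audit_log_acct_message\(\) failed'; then
        echo audit-blocked
    elif printf '%s\n' "$input" | grep -q 'session closed for user root'; then
        echo ok
    else
        echo unknown
    fi
}

# Does a unit file (text on stdin) let the service keep CAP_AUDIT_WRITE?
# Assumes a single CapabilityBoundingSet= line; a leading '~' inverts the set
# and no line at all means the bounding set is not restricted.
unit_allows_audit_write() {
    caps=$(grep '^CapabilityBoundingSet=' | head -n 1 | cut -d= -f2-)
    case "$caps" in
        '') echo yes ;;
        '~'*CAP_AUDIT_WRITE*) echo no ;;
        '~'*) echo yes ;;
        *CAP_AUDIT_WRITE*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed samples: log lines modeled on the report, unit fragments made up.
LOG_NO_SUDOERS='Jun 13 12:20:01 bionic-s openvpn[2633]: sudo: unable to send audit message: Operation not permitted
Jun 13 12:20:01 bionic-s sudo[2645]: openvpn : user NOT in sudoers ; TTY=unknown ; PWD=/etc/openvpn/server ; USER=root ; COMMAND=/etc/openvpn/scripts/test.sh add 10.8.0.6 client1'
LOG_AUDIT_BLOCKED='Jun 13 12:22:31 bionic-s openvpn[2633]: sudo: unable to send audit message
Jun 13 12:22:31 bionic-s sudo[2681]: PAM audit_log_acct_message() failed: Operation not permitted
Jun 13 12:22:31 bionic-s sudo[2681]: pam_unix(sudo:session): session opened for user root by (uid=0)'
LOG_OK='Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jun 13 12:26:19 bionic-s openvpn[3316]: uid=0(root) gid=0(root) groups=0(root)
Jun 13 12:26:19 bionic-s sudo[3330]: pam_unix(sudo:session): session closed for user root'
UNIT_OLD='[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SETGID CAP_SETUID'
UNIT_FIXED='[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SETGID CAP_SETUID CAP_AUDIT_WRITE'
```

On a live host the same functions can be fed with `journalctl -u openvpn-server@server` and `systemctl cat openvpn-server@server` respectively.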
