From: Jan J. K. <ja...@ni...> - 2010-06-21 08:01:30

Hi Alessandro,

Alessandro Baggi wrote:
> Hi list.
> I've installed OpenVPN on two OpenBSD machines, client side (OpenBSD 4.6),
> server side (OpenBSD 4.7). All works very fine but there is an issue when,
> after making a valid connection between client and server, supposing that
> the server must be reconfigured to include another network in this VPN, I
> stop the OpenVPN server, make the modification in the configuration file
> and restart the OpenVPN server. The client will try to reconnect to the
> server and gets the error on the client. So I want to reconfigure only the
> OpenVPN server and not stop the other VPN clients. I get this error on the
> OpenVPN client:
>
> Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
> Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
> Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=72289 /sbin/route delete -net 192.168.8.0 10.0.8.2 -netmask 255.255.255.0
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=79527 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=80024 /sbin/route delete -net 10.1.0.0 10.0.8.2 -netmask 255.255.0.0
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=85704 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=85979 Closing TUN/TAP interface
> Sun Jun 20 09:55:43 2010 us=94052 ROUTE default_gateway=192.168.1.1
> Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
> ifconfig: SIOCIFDESTROY: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=105830 /sbin/ifconfig tun0 create
> ifconfig: SIOCIFCREATE: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=115732 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
> Sun Jun 20 09:55:43 2010 us=116162 /sbin/ifconfig tun0 10.0.8.9 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
> ifconfig: SIOCSIFMTU: Operation not permitted
> ifconfig: SIOCSIFFLAGS: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
> Sun Jun 20 09:55:43 2010 us=122892 Exiting
>
> This behaviour is not bad, 'cause there is the privilege drop from root
> to the _openvpn user.
> At this point, to avoid putting hands on the OpenVPN client, there are
> two possible issues in my mind:
>
> 1) run the openvpn client as root (bad thing on a firewall),
> 2) configure sudo to give the _openvpn user access to route and ifconfig,
> 3) run the openvpn client as the _openvpn user and start the session again.
>
> Then, if I want to reconfigure my OpenVPN server and don't want to put my
> hands on the client OpenVPN (that is, not kill and run the openvpn client
> again; and of course, in my case, no new configuration on the client is
> needed, I think), are there other solutions beyond the three solutions
> posted by my mind?

This is normal behaviour if openvpn is run as a non-root user ... if your
server reconfiguration entails new routes then you will want to push these
routes to the clients. To set the routes on the client, root/sudo access is
required.

The thing that I don't fully understand about your setup yet is how you
currently run openvpn - if openvpn is run as user _openvpn then how are
routes set initially? Or is openvpn itself setuid root?

HTH,

JJK
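As an added example (not part of this thread, and not OpenVPN's own code): a small Python checker that scans an OpenVPN client log for exactly the failure mode quoted above, where a client that has dropped to an unprivileged user receives changed pushed options on reconnect and then cannot run the route/ifconfig helpers. An operator can run it over client logs to tell "the client needs a privileged restart" apart from other disconnects. The sample log is constructed, modelled on the lines in the quoted message; the function names and result keys are mine.

```python
import re

# Constructed sample log, modelled on the OpenBSD client log quoted in the
# thread (same timestamps, addresses and helper commands; some lines omitted).
SAMPLE_LOG = """\
Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:42 2010 us=72289 /sbin/route delete -net 192.168.8.0 10.0.8.2 -netmask 255.255.255.0
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=79527 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:42 2010 us=85979 Closing TUN/TAP interface
Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
Sun Jun 20 09:55:43 2010 us=116162 /sbin/ifconfig tun0 10.0.8.9 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: SIOCSIFMTU: Operation not permitted
ifconfig: SIOCSIFFLAGS: Operation not permitted
Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
Sun Jun 20 09:55:43 2010 us=122892 Exiting
"""

# OpenVPN prefixes its own lines with "Day Mon DD HH:MM:SS YYYY us=NNN ";
# output from the external route/ifconfig helpers carries no such prefix.
TS_RE = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4} us=\d+ ")
# Errors the OpenBSD helpers print when the calling user lacks privileges.
PRIV_RE = re.compile(r"must be root|Operation not permitted")


def analyze_client_log(text):
    """Summarise privilege failures in an OpenVPN client log.

    Returns a dict with:
      pulled_options_changed: server pushed different options on reconnect
      privilege_failures:     list of (helper command, helper error line)
      exited:                 the client gave up and exited
    """
    summary = {"pulled_options_changed": False,
               "privilege_failures": [],
               "exited": False}
    last_cmd = None  # most recent /sbin/... helper OpenVPN tried to run
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("NOTE: Pulled options changed on restart"):
            summary["pulled_options_changed"] = True
        elif line.startswith("/sbin/"):
            last_cmd = line
        elif PRIV_RE.search(line):
            # Attribute the helper's error to the command logged just before it.
            summary["privilege_failures"].append((last_cmd, line))
        elif line == "Exiting":
            summary["exited"] = True
    return summary


def diagnose(summary):
    """Classify the outcome so an operator knows which case they are in."""
    if summary["privilege_failures"] and summary["pulled_options_changed"]:
        # The client dropped privileges, then the server pushed changed
        # options; re-applying them needs root, so the client cannot recover
        # on its own and must be restarted with privileges.
        return "privilege-drop-restart"
    if summary["privilege_failures"]:
        return "privilege-error"
    return "ok"


if __name__ == "__main__":
    s = analyze_client_log(SAMPLE_LOG)
    print(diagnose(s))
    for cmd, err in s["privilege_failures"]:
        print(f"  {cmd!r} -> {err}")
```

The checker keys on the helpers' own error strings rather than on OpenVPN's "ERROR:" summary lines, because the summary only says the helper exited non-zero; the "must be root" / "Operation not permitted" text is what distinguishes a privilege problem from, say, a route that simply does not exist.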