From: Alessandro B. <ale...@gm...> - 2010-06-20 11:09:52
Hi list. I've installed OpenVPN on two OpenBSD machines, client side (OpenBSD 4.6), server side (OpenBSD 4.7). All works very fine, but there is an issue when, after making a valid connection between client and server, supposing that the server must be reconfigured to include another network in this VPN, I stop the OpenVPN server, make the modification in the configuration file and restart the OpenVPN server. The client will try to reconnect to the server and gets the error on the client. Then I want to reconfigure only the OpenVPN server without stopping the other VPN clients. I get this error on the OpenVPN client:

Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:42 2010 us=72289 /sbin/route delete -net 192.168.8.0 10.0.8.2 -netmask 255.255.255.0
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=79527 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:42 2010 us=80024 /sbin/route delete -net 10.1.0.0 10.0.8.2 -netmask 255.255.0.0
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=85704 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:42 2010 us=85979 Closing TUN/TAP interface
Sun Jun 20 09:55:43 2010 us=94052 ROUTE default_gateway=192.168.1.1
Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
Sun Jun 20 09:55:43 2010 us=105830 /sbin/ifconfig tun0 create
ifconfig: SIOCIFCREATE: Operation not permitted
Sun Jun 20 09:55:43 2010 us=115732 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Sun Jun 20 09:55:43 2010 us=116162 /sbin/ifconfig tun0 10.0.8.9 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
ifconfig: SIOCSIFMTU: Operation not permitted
ifconfig: SIOCSIFFLAGS: Operation not permitted
Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
Sun Jun 20 09:55:43 2010 us=122892 Exiting

This behaviour is not bad, 'cause there is the privilege drop from root to the _openvpn user. At this point, to avoid putting hands on the OpenVPN client, there are two possible issues in my mind:

1) run the openvpn client as root (bad thing on a firewall),
2) configure sudo to give the _openvpn user access to route and ifconfig.
3) run the openvpn client as the _openvpn user and start the session again.

Then, if I want to reconfigure my OpenVPN server and don't want to put my hand on the client openvpn, i.e. not kill and run the openvpn client again (and of course, in my case, no new configuration on the client is needed, I think), are there other solutions beyond the three solutions my mind came up with? Thanks in advance.
From: Jan J. K. <ja...@ni...> - 2010-06-21 08:01:30
Hi Alessandro,

Alessandro Baggi wrote:
> Hi list.
> I've installed OpenVPN on two OpenBSD machines, client side (OpenBSD 4.6), server side (OpenBSD 4.7). All works very fine, but there is an issue when, after making a valid connection between client and server, supposing that the server must be reconfigured to include another network in this VPN, I stop the OpenVPN server, make the modification in the configuration file and restart the OpenVPN server. The client will try to reconnect to the server and gets the error on the client. Then I want to reconfigure only the OpenVPN server without stopping the other VPN clients. I get this error on the OpenVPN client:
>
> Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
> Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
> Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=72289 /sbin/route delete -net 192.168.8.0 10.0.8.2 -netmask 255.255.255.0
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=79527 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=80024 /sbin/route delete -net 10.1.0.0 10.0.8.2 -netmask 255.255.0.0
> route: must be root to alter routing table
> Sun Jun 20 09:55:42 2010 us=85704 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
> Sun Jun 20 09:55:42 2010 us=85979 Closing TUN/TAP interface
> Sun Jun 20 09:55:43 2010 us=94052 ROUTE default_gateway=192.168.1.1
> Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
> ifconfig: SIOCIFDESTROY: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=105830 /sbin/ifconfig tun0 create
> ifconfig: SIOCIFCREATE: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=115732 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
> Sun Jun 20 09:55:43 2010 us=116162 /sbin/ifconfig tun0 10.0.8.9 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
> ifconfig: SIOCSIFMTU: Operation not permitted
> ifconfig: SIOCSIFFLAGS: Operation not permitted
> Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
> Sun Jun 20 09:55:43 2010 us=122892 Exiting
>
> This behaviour is not bad, 'cause there is the privilege drop from root to the _openvpn user.
> At this point, to avoid putting hands on the OpenVPN client, there are two possible issues in my mind:
>
> 1) run the openvpn client as root (bad thing on a firewall),
> 2) configure sudo to give the _openvpn user access to route and ifconfig.
> 3) run the openvpn client as the _openvpn user and start the session again.
>
> Then, if I want to reconfigure my OpenVPN server and don't want to put my hand on the client openvpn, i.e. not kill and run the openvpn client again (and of course, in my case, no new configuration on the client is needed, I think), are there other solutions beyond the three solutions my mind came up with?
>

This is normal behaviour if openvpn is run as a non-root user ...

If your server reconfiguration entails new routes then you will want to push these routes to the clients. To set the routes on the client, root/sudo access is required.

The thing that I don't fully understand about your setup yet is how you currently run openvpn - if openvpn is run as user _openvpn then how are routes set initially? Or is openvpn itself setuid root?

HTH,

JJK
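As an added example (not code from the thread or from the OpenVPN project): a small Python monitor that recognises, in the client log Alessandro quoted, the sequence JJK describes: new pushed options on reconnect, route/ifconfig refused after the privilege drop, and the client exiting. The log text in the block is the thread's own output, trimmed to the lines the check reads; the function and constant names are assumptions of this example.

```python
import re

# Client log lines quoted in the thread above, trimmed to the ones this check reads.
SAMPLE_LOG = """\
Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
route: must be root to alter routing table
Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
ifconfig: SIOCIFDESTROY: Operation not permitted
Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
Sun Jun 20 09:55:43 2010 us=122892 Exiting
"""

# OpenVPN log prefix: "Sun Jun 20 09:55:42 2010 us=66517 <message>"
TS_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) us=\d+ (.*)$")
# What route(8)/ifconfig(8) print once openvpn has already dropped root.
PRIV_DENIED = ("must be root", "Operation not permitted")

def analyse(log_text):
    """Walk the log once and collect the three facts that define this failure:
    changed pushed options, privilege refusals, and the client giving up."""
    result = {"pulled_changed": False, "priv_failures": [], "exited": False, "last_ts": None}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        msg = m.group(2) if m else line  # route/ifconfig stderr carries no timestamp
        if m:
            result["last_ts"] = m.group(1)
        if "Pulled options changed on restart" in msg:
            result["pulled_changed"] = True
        elif any(p in msg for p in PRIV_DENIED):
            result["priv_failures"].append(msg)
        elif msg == "Exiting":
            result["exited"] = True
    return result

def needs_privileged_restart(r):
    """True only for the full sequence; a reconnect with unchanged pushed options never trips it."""
    return r["pulled_changed"] and bool(r["priv_failures"]) and r["exited"]

def report(log_text):
    """Operator message for the event, or None when the log shows no such event."""
    r = analyse(log_text)
    if not needs_privileged_restart(r):
        return None
    return "%s: %d route/ifconfig calls refused after the privilege drop; the client must be restarted to apply the new pushed options" % (r["last_ts"], len(r["priv_failures"]))
```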
From: Alessandro B. <ale...@gm...> - 2010-06-21 14:30:54
Jan Just Keijser wrote:
> Hi Alessandro,
>
> Alessandro Baggi wrote:
>> Hi list.
>> I've installed OpenVPN on two OpenBSD machines, client side (OpenBSD 4.6), server side (OpenBSD 4.7). All works very fine, but there is an issue when, after making a valid connection between client and server, supposing that the server must be reconfigured to include another network in this VPN, I stop the OpenVPN server, make the modification in the configuration file and restart the OpenVPN server. The client will try to reconnect to the server and gets the error on the client. Then I want to reconfigure only the OpenVPN server without stopping the other VPN clients. I get this error on the OpenVPN client:
>>
>> Sun Jun 20 09:55:42 2010 us=66517 Preserving previous TUN/TAP instance: tun0
>> Sun Jun 20 09:55:42 2010 us=66783 NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
>> Sun Jun 20 09:55:42 2010 us=66957 /sbin/route delete -net 10.0.8.1 10.0.8.2 -netmask 255.255.255.255
>> route: must be root to alter routing table
>> Sun Jun 20 09:55:42 2010 us=71741 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
>> Sun Jun 20 09:55:42 2010 us=72289 /sbin/route delete -net 192.168.8.0 10.0.8.2 -netmask 255.255.255.0
>> route: must be root to alter routing table
>> Sun Jun 20 09:55:42 2010 us=79527 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
>> Sun Jun 20 09:55:42 2010 us=80024 /sbin/route delete -net 10.1.0.0 10.0.8.2 -netmask 255.255.0.0
>> route: must be root to alter routing table
>> Sun Jun 20 09:55:42 2010 us=85704 ERROR: OpenBSD/NetBSD route delete command failed: external program exited with error status: 1
>> Sun Jun 20 09:55:42 2010 us=85979 Closing TUN/TAP interface
>> Sun Jun 20 09:55:43 2010 us=94052 ROUTE default_gateway=192.168.1.1
>> Sun Jun 20 09:55:43 2010 us=94447 /sbin/ifconfig tun0 destroy
>> ifconfig: SIOCIFDESTROY: Operation not permitted
>> Sun Jun 20 09:55:43 2010 us=105830 /sbin/ifconfig tun0 create
>> ifconfig: SIOCIFCREATE: Operation not permitted
>> Sun Jun 20 09:55:43 2010 us=115732 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
>> Sun Jun 20 09:55:43 2010 us=116162 /sbin/ifconfig tun0 10.0.8.9 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
>> ifconfig: SIOCSIFMTU: Operation not permitted
>> ifconfig: SIOCSIFFLAGS: Operation not permitted
>> Sun Jun 20 09:55:43 2010 us=122563 OpenBSD ifconfig failed: external program exited with error status: 1
>> Sun Jun 20 09:55:43 2010 us=122892 Exiting
>>
>> This behaviour is not bad, 'cause there is the privilege drop from root to the _openvpn user.
>> At this point, to avoid putting hands on the OpenVPN client, there are two possible issues in my mind:
>>
>> 1) run the openvpn client as root (bad thing on a firewall),
>> 2) configure sudo to give the _openvpn user access to route and ifconfig.
>> 3) run the openvpn client as the _openvpn user and start the session again.
>>
>> Then, if I want to reconfigure my OpenVPN server and don't want to put my hand on the client openvpn, i.e. not kill and run the openvpn client again (and of course, in my case, no new configuration on the client is needed, I think), are there other solutions beyond the three solutions my mind came up with?
>>
> This is normal behaviour if openvpn is run as a non-root user ...
>
> If your server reconfiguration entails new routes then you will want to push these routes to the clients. To set the routes on the client, root/sudo access is required.
>
> The thing that I don't fully understand about your setup yet is how you currently run openvpn - if openvpn is run as user _openvpn then how are routes set initially? Or is openvpn itself setuid root?
>
> HTH,
>
> JJK
>

Hi JJK, mine is a normal configuration, on a firewall, but for security reasons I do not want to keep running with root privileges. If I set the _openvpn user, openvpn, at start, creates the tun device, connects to the server, adds the routing directives and after that drops privileges. My question is only about not having to put my hand in other times in a large VPN when I must include another network segment with a client. Running openvpn with root privileges is not an option, and neither is the sudo option; only root can modify a routing option or an ifconfig statement. Then my only issue is to rerun openvpn when I add another client. Thanks for the reply.