173

I'm trying to set up an OpenVPN Access Server in AWS using the Marketplace AMI, but I'm struggling to connect to it.

The access server is up and running. I've also added a user with Auto-Login and generated the relevant client config and certificates.

I then copied said files down to my machine and tried to connect using openvpn client.ovpn but got the following output and error:

Wed Nov 26 12:41:10 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Wed Nov 26 12:41:10 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Nov 26 12:41:10 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:10 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:10 2014 Socket Buffers: R=[212992->200000] S=[212992->200000]
Wed Nov 26 12:41:10 2014 UDPv4 link local: [undef]
Wed Nov 26 12:41:10 2014 UDPv4 link remote: [AF_INET]<REMOVED_IP>:1194
Wed Nov 26 12:41:10 2014 TLS: Initial packet from [AF_INET]<REMOVED_IP>:1194, sid=2a06a918 c4ecc6df
Wed Nov 26 12:41:11 2014 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Nov 26 12:41:11 2014 VERIFY OK: nsCertType=SERVER
Wed Nov 26 12:41:11 2014 VERIFY OK: depth=0, CN=OpenVPN Server
Wed Nov 26 12:41:11 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 26 12:41:11 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:11 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 26 12:41:11 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:11 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov 26 12:41:11 2014 [OpenVPN Server] Peer Connection Initiated with [AF_INET]54.173.232.46:1194
Wed Nov 26 12:41:14 2014 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Wed Nov 26 12:41:14 2014 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 172.16.224.129,route 172.16.1.0 255.255.255.0,route 172.16.224.0 255.255.255.0,block-ipv6,ifconfig 172.16.224.131 255.255.255.128'
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.2)
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: LZO parms modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: route options modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: route-related options modified
Wed Nov 26 12:41:14 2014 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=c4:85:08:c9:14:f4
Wed Nov 26 12:41:14 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed Nov 26 12:41:14 2014 Exiting due to fatal error

Any idea what the problem is? I assume it's failing to create the tunnel due to the ERROR line?

I'm running server version 2.0.10 and this client version:

OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <[email protected]>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no
1
  • 6
    // , Why these errors? This seems like a pretty stupid way to detect that you don't have sudo privileges. Commented Feb 14, 2017 at 6:24

4 Answers

309

Looks like this is a simple matter of sudo.

sudo openvpn client.ovpn worked a treat.

5
  • 15
    ** insert hair pulling comment here ** wow this took me a while. Thanks for the reminder. Might also need the --config option depending on the distro. Commented Jul 18, 2016 at 21:01
  • 5
    // , Can you say anything about why this is the case? Commented Feb 14, 2017 at 6:25
  • 2
    But how to run connection from 'Network connection manager' which has no sudo option Commented Jul 9, 2020 at 11:21
  • sudo put me on the right track, but on my Ubuntu 22.04 setup I also needed to mv config.ovpn /etc/openvpn/client/, otherwise I got Options error: In [CMD-LINE]:1: Error opening configuration file: config.ovpn. Maybe it helps someone. Commented Aug 10, 2022 at 9:11
  • Ok so this is weird because I have a setuid script owned by user root, group root, that fails with the above error - but if I use sudo while the script is already running as root it works! Commented May 10, 2023 at 23:03
7

Creating the TUN or TAP adaptor requires privileges that you possibly don't have - hence the command works with sudo, but not without.

On my system, if the openvpn command is run like this:

sudo openvpn --config file.ovpn

then a device tun0 is created. Almost always, creating devices requires privileges.

2

Using Linux Mint, and connecting via the Network Manager UI (which does not prompt for a sudo pwd) -- I assumed it wasn't necessary. Turns out, this was the problem for me! Connecting via sudo from a terminal worked perfectly.

-2

You could always run chmod u+s on the openvpn binary as root (setting uid 0).

sudo chmod u+s $(which openvpn)

This will allow a local user to execute the process as the root user. At this point your network manager/nm-applet stuff will also allow connection establishment.

5
  • Adding the SUID bit to an application can be a major security violation. Commented Oct 2, 2020 at 11:43
  • I don't fully disagree with you, yet having sudo without password protection is better? Yes, one can tweak sudoers to only allow for passwordless use of a specific program etc. However, it all depends on the type of exposure the machine is facing, right? Normally some applications need the SUID bit set to achieve a good experience, which is why I suggest it under this circumstance. This will also enable the use of NetworkManager etc. Commented Oct 4, 2020 at 20:03
  • sudo should always have password protection and it can be limited in the sudoers file to be a particular application per user. Commented Oct 20, 2020 at 20:39
  • Do you think it depends on circumstances or not? Do you think that some guy's desktop requires the same level of protection as a public service? Or do you think that a box that does not see exposure can be assumed to be pretty damn safe even if a program has suid 0? Many programs require this and come with systems by default as suid 0, you know. It all depends on the use of the system, same with sudo, even though I rate sudo more critical as scripts can abuse it. Commented Nov 22, 2020 at 16:12
  • 1
    This is Server Fault, for Professional System Administrators in a business environment. What you are suggesting is bad business and security practice. In a business environment you never assume that any particular system is safe because it can be used as a vector to attack the rest of your network. If you want to do this in a home user situation, then you need to go back over to the Super User stack superuser.com Commented Nov 24, 2020 at 21:25
