
I've just configured OpenVPN on my server and it had been working fine until I changed it to work in chroot mode.

This is the main configuration file vpn.example.com.conf:

    local w.x.y.z
    port 1194
    proto udp
    proto-force udp
    dev tun
    ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2
    ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
    cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
    key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
    dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    server-ipv6 wwww:xxxx:yyyy:zzzz::/64
    ifconfig-pool-persist ipp.txt
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS w.x.y.z"
    push "dhcp-option DNS z.w.x.y"
    push "dhcp-option DNS 8.8.8.8"
    push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
    push "route-ipv6 wwww::/3"
    push "redirect-gateway def1"
    tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
    tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    tls-version-min 1.2
    auth SHA512
    crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
    cipher AES-256-GCM
    compress lz4
    user nobody
    group nogroup
    verify-client-cert require
    remote-cert-tls client
    username-as-common-name
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
    script-security 2
    client-connect /etc/openvpn/scripts/connect_.sh
    client-disconnect /etc/openvpn/scripts/disconnect.sh
    management /run/openvpn/openvpn.sock unix pw-management-file
    keepalive 10 120
    persist-key
    persist-tun
    status /var/log/openvpn/status.log
    log-append /var/log/openvpn/openvpn.log
    verb 3
    explicit-exit-notify 1
    max-clients 5

To configure chroot I just:

  1. Created the openvpn user by running useradd openvpn -d /etc/openvpn.

  2. Ran chown -R openvpn:openvpn /etc/openvpn.

  3. Changed all paths in the config file into relative ones.

  4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip to /etc/sudoers.

  5. Added the following directives: chroot /etc/openvpn, iproute unpriv-ip, user openvpn, group openvpn.

  6. cat unpriv-ip

    #!/bin/sh
    /usr/bin/sudo /sbin/ip $*

  7. Also edited the rsyslog config to create an extra socket inside the openvpn chroot directory.

Lastly, I simplified the connect_.sh script to:

    #!/bin/bash
    /bin/echo 'a'
    exit 0

When I run openvpn --config vpn.example.com.conf and try to connect, I see WARNING: Failed running command (--client-connect): could not execute external program, but if I run su - openvpn I can successfully run the ./scripts/connect_.sh script.

The following is the output when running openvpn from command line and before any client tries to connect:

    cd /etc/openvpn/
    root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com\[easy-rsa3+chroot\].conf --verb 3
    Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
    Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
    Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
    Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
    Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
    Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
    Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
    Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
    Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
    Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
    Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
    Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
    Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
    Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
    Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
    Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
    Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
    Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
    Fri Dec 8 18:45:01 2017 GID set to openvpn
    Fri Dec 8 18:45:01 2017 UID set to openvpn
    Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
    Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
    Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
    Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
    Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
    Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
    Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
    Fri Dec 8 18:45:01 2017 Initialization Sequence Completed

That's the output when a client tries to connect:

    Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, [email protected]
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, [email protected]
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
    Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
    Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
    Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
    Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
    Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
    Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
    Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting
  • Check out the script-security configuration option. Commented Dec 8, 2017 at 17:21
  • As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway. Commented Dec 8, 2017 at 18:04
  • Can you include the full log entry in your question? Commented Dec 8, 2017 at 18:33
  • Just did it. :) Commented Dec 8, 2017 at 19:00

2 Answers


As my script was using bash, I needed to move bash and all its dependencies into the chroot:

    cp -v /bin/bash /etc/openvpn/bin

So run ldd /bin/bash and move all dependencies into the chroot directory:

    linux-vdso.so.1 =>  (0x00007fff1fbe5000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)
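As an added example (not part of this answer or of OpenVPN itself), a POSIX shell helper that automates the ldd step above for the chroot described in the question: it parses ldd output, then copies the interpreter and each library it lists into the chroot under the same path, so the chroot holds only what the client-connect script needs to execute and nothing more. The function names (ldd_paths, copy_into_chroot, populate_chroot) are this example's own, and the sample listing is constructed from the one shown above.

```shell
#!/bin/sh
# Added example: copy a binary and its ldd-listed shared libraries into a chroot.
# Helper names are this example's own, not from OpenVPN or the answer above.

# Read ldd output on stdin, print one absolute library path per line.
# Handles "name => /path (addr)" and bare "/path (addr)" lines; the virtual
# linux-vdso entry and "=> not found" lines have no file and are skipped.
ldd_paths() {
    awk '
        /=>/       { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\// { print $1 }
    '
}

# Read absolute paths on stdin and copy each one into the chroot ($1),
# recreating its parent directory so the dynamic loader finds it unchanged.
copy_into_chroot() {
    chroot_dir=$1
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "skip: $path not found" >&2
            continue
        fi
        mkdir -p "$chroot_dir$(dirname "$path")"
        cp -p "$path" "$chroot_dir$path"
    done
}

# Copy the binary ($2) plus everything ldd reports for it into the chroot ($1),
# e.g. populate_chroot /etc/openvpn /bin/bash for the setup in the question.
populate_chroot() {
    { printf '%s\n' "$2"; ldd "$2" | ldd_paths; } | copy_into_chroot "$1"
}

# Constructed sample: the ldd /bin/bash listing from the answer above.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff1fbe5000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)'

# Show which files the sample listing would pull into the chroot (four paths).
printf '%s\n' "$SAMPLE_LDD" | ldd_paths
```

Re-run populate_chroot after any upgrade of the interpreter or libc on the host, since the copies inside the chroot do not follow package updates.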

In my case, the problem was simple: I didn't have the shebang in my script:

    #~/bin/bash
  • You mean #!/bin/bash or better #!/usr/bin/env bash. Commented Apr 6, 2022 at 20:20
