I am a big fan of OpenVPN. I’ve been using it since 2008. It’s been extremely reliable and stable.
Out of the box, at least on FreeBSD, it runs as nobody:nobody (not really, but that’s how most people configure it). I can’t point to am immediate security issue with this situation. However, I’d prefer it to run as something else. How, about running it as openvpn:openvpn?
NOTE: In the original version of this post, I used vipw. That choice just came back to bite me today. I now suggest using pw instead.
Let’s start by adding the user openpvn.
pw user add -n openvpn -c "openvpn daemon" -d /nonexistent -s /usr/sbin/nologin pw lock openvpn
This command gives you:
- -n : the account name
- -c : the value in the comment field
- -d : the home directory
- -s : the login shell
By not supplying the -m option, the home directory will not be created. This avoids the problem I encountered, and mentioned above, when using vipw.
After running that command, you should see this, but probably with a different UID/GID value.
# grep openvpn /etc/passwd /etc/group /etc/passwd:openvpn:*:1002:1002:openvpn daemon:/nonexistent:/usr/sbin/nologin /etc/group:openvpn:*:1002:
If you run vipw, you would see this:
The *LOCKED* and a shell of /usr/sbin/nologin should secure this user. They cannot log in.
I changed the permissions on /usr/local/etc/openvpn:
chown -R openvpn:openvpn /usr/local/etc/openvpn
Now I change the entries in /usr/local/etc/openvpn/openvpn.conf so OpenVPN uses the newly created UID/GID values:
user openvpn group openvpn
Now it’s time to restart OpenVPN:
service openvpn restart
After the restart, check /var/log/messages for any issues. I found one:
Nov 26 15:12:43 nyi openvpn: WARNING: file '/usr/local/etc/openvpn/keys/client.key' is group or others accessible
-rw-r--r-- 1 openvpn openvpn 3243 Jan 3 2013 /usr/local/etc/openvpn/keys/client.key
# chmod go= /usr/local/etc/openvpn/keys/client.key # ls -l /usr/local/etc/openvpn/keys/client.key -rw------- 1 openvpn openvpn 3243 Jan 3 2013 /usr/local/etc/openvpn/keys/client.key
What you should see
If everything has been done correctly, you should see this in /var/log/messages
Nov 26 15:15:37 nyi openvpn: GID set to openvpn Nov 26 15:15:37 nyi openvpn: UID set to openvpn
Here, you can see that openvpn is running as the openvpn user:
# ps auwx | grep openvpn openvpn 77542 0.0 0.4 11304 3636 ?? Ss 3:15PM 0:00.52 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid root 77848 0.0 0.2 9676 1552 0 S+ 3:16PM 0:00.00 grep openvpn
Hope this helps.