running OpenVPN as something other than nobody:nobody

I am a big fan of OpenVPN. I’ve been using it since 2008. It’s been extremely reliable and stable.

Out of the box, at least on FreeBSD, it runs as nobody:nobody (not really, but that’s how most people configure it). I can’t point to an immediate security issue with this situation. However, I’d prefer it to run as something else. How about running it as openvpn:openvpn?

NOTE: In the original version of this post, I used vipw. That choice just came back to bite me today. I now suggest using pw instead.

UID

Let’s start by adding the user openvpn.

pw user add -n openvpn -c "openvpn daemon" -d /nonexistent -s /usr/sbin/nologin
pw lock openvpn

This command gives you:

  • -n : the account name
  • -c : the value in the comment field
  • -d : the home directory
  • -s : the login shell

By not supplying the -m option, the home directory will not be created. This avoids the problem I encountered, and mentioned above, when using vipw.

After running that command, you should see this, but probably with a different UID/GID value.

# grep openvpn /etc/passwd /etc/group
/etc/passwd:openvpn:*:1002:1002:openvpn daemon:/nonexistent:/usr/sbin/nologin
/etc/group:openvpn:*:1002:

If you run vipw, you would see this:

openvpn:*LOCKED**:1002:1002::0:0:openvpn daemon:/nonexistent:/usr/sbin/nologin

The *LOCKED* and a shell of /usr/sbin/nologin should secure this user. They cannot log in.

chown

I changed the permissions on /usr/local/etc/openvpn:

chown -R openvpn:openvpn /usr/local/etc/openvpn

configuration

Now I change the entries in /usr/local/etc/openvpn/openvpn.conf so OpenVPN uses the newly created UID/GID values:

user  openvpn
group openvpn

Restart

Now it’s time to restart OpenVPN:

service openvpn restart

Other files

After the restart, check /var/log/messages for any issues. I found one:

Nov 26 15:12:43 nyi openvpn[76942]: WARNING: file '/usr/local/etc/openvpn/keys/client.key' is group or others accessible

Before:

-rw-r--r--  1 openvpn  openvpn  3243 Jan  3  2013 /usr/local/etc/openvpn/keys/client.key

After:

# chmod go= /usr/local/etc/openvpn/keys/client.key
# ls -l /usr/local/etc/openvpn/keys/client.key
-rw-------  1 openvpn  openvpn  3243 Jan  3  2013 /usr/local/etc/openvpn/keys/client.key
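
The same check can be run across every key file before a restart, instead of waiting for the warning to show up in /var/log/messages. The script below is an added example, not part of the original post; the function names, the OPENVPN_KEYDIR variable and the check-keys.sh file name are assumptions made for illustration, and it treats any file named *.key as a private key.

```shell
#!/bin/sh
# Added example (not from the original post): find private keys that would
# trigger OpenVPN's "group or others accessible" warning and tighten them.
# Assumption: private keys are the files named *.key under the given directory.

# Print every *.key file under DIR that has any group or other permission bit.
# Uses only POSIX "-perm -mode" tests so it works with both BSD and GNU find.
list_exposed_keys() {
    find "$1" -type f -name '*.key' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Apply the post's fix (chmod go=) to each exposed key and report it.
fix_exposed_keys() {
    list_exposed_keys "$1" | while IFS= read -r key; do
        chmod go= "$key" && printf 'tightened: %s\n' "$key"
    done
}

# Runs only when OPENVPN_KEYDIR (a hypothetical variable name) is set, e.g.
#   OPENVPN_KEYDIR=/usr/local/etc/openvpn/keys sh check-keys.sh
if [ -n "${OPENVPN_KEYDIR:-}" ]; then
    echo "Keys readable by group or others before the fix:"
    list_exposed_keys "$OPENVPN_KEYDIR"
    fix_exposed_keys "$OPENVPN_KEYDIR"
fi
```

Certificates (*.crt) are left alone because they are public; only the private key needs to be restricted to its owner.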

What you should see

If everything has been done correctly, you should see this in /var/log/messages:

Nov 26 15:15:37 nyi openvpn[77542]: GID set to openvpn
Nov 26 15:15:37 nyi openvpn[77542]: UID set to openvpn

Here, you can see that openvpn is running as the openvpn user:

# ps auwx | grep openvpn
openvpn 77542  0.0  0.4  11304   3636 ??  Ss    3:15PM     0:00.52 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid
root    77848  0.0  0.2   9676   1552  0  S+    3:16PM     0:00.00 grep openvpn

Hope this helps.
