You've observed a problem that has been addressed in the upcoming 2.0-beta12 release.

Currently, when --up-delay, --pull, or --client options are used, the opening of the TUN/TAP interface is delayed till after all initialization steps have been completed, including the application of --user/--group/--chroot settings. So the end result is that the TUN/TAP open occurs in the post-chroot context rather than the pre-TUN/TAP context.

Beta12 will fix this by delaying --user/--group/--chroot until after the TUN/TAP open.

James

On Sun, 3 Oct 2004, Doug Lytle wrote:

> Ok,
>
> Still trying to figure out what is the cause of not being able to chroot
> via OpenVPN or user as user/group nobody/nogroup. This is what I've found.
>
> If I try just to do the chroot, via openvpn's --chroot /etc/openvpn, I
> get the following:
>
> <<snip>>
> Sun Oct 3 10:18:09 2004 us=243817 Current Parameter Settings:
> Sun Oct 3 10:18:09 2004 us=244153 config = '/etc/openvpn/server.conf'
> Sun Oct 3 10:18:10 2004 us=707213 [OpenVPN.Server] Peer Connection Initiated with 12.27.xxx.xxx:50xx
> Sun Oct 3 10:18:11 2004 us=232530 SENT CONTROL [OpenVPN.Server]: 'PUSH_REQUEST' (status=1)
> Sun Oct 3 10:18:11 2004 us=391300 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 192.168.100.0 255.255.255.0
> Sun Oct 3 10:18:11 2004 us=391663 OPTIONS IMPORT: --ifconfig/up options modified
> Sun Oct 3 10:18:11 2004 us=391700 OPTIONS IMPORT: route options modified
> Sun Oct 3 10:18:11 2004 us=391729 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> Sun Oct 3 10:18:11 2004 us=392605 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
> Sun Oct 3 10:18:11 2004 us=392650 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
> Sun Oct 3 10:18:11 2004 us=393427 Cannot allocate TUN/TAP dev dynamically
> Sun Oct 3 10:18:11 2004 us=393461 Exiting
> <<snip>>
>
> Notice that the connection is initiated, TLS is verified, routes are
> pushed, chroot is confirmed. THEN TUN/TAP is accessed. At this point,
> the device is not found.
>
> Now, if I #remark out the chroot option and enable the user/group
> option, I get:
>
> <<snip>>
> Sun Oct 3 10:27:48 2004 us=619303 Current Parameter Settings:
> Sun Oct 3 10:27:48 2004 us=619666 config = '/etc/openvpn/server.conf'
> Sun Oct 3 10:27:48 2004 us=626201 GID set to nogroup
> Sun Oct 3 10:27:48 2004 us=626411 UID set to nobody
> Sun Oct 3 10:27:49 2004 us=864472 [OpenVPN.Server] Peer Connection Initiated with 12.27.8.106:5015
> Sun Oct 3 10:27:51 2004 us=78150 SENT CONTROL [OpenVPN.Server]: 'PUSH_REQUEST' (status=1)
> Sun Oct 3 10:27:51 2004 us=157676 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route 192.168.100.0 255.255.255.0
> Sun Oct 3 10:27:51 2004 us=158030 OPTIONS IMPORT: --ifconfig/up options modified
> Sun Oct 3 10:27:51 2004 us=158093 OPTIONS IMPORT: route options modified
> Sun Oct 3 10:27:51 2004 us=158125 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
> Sun Oct 3 10:27:51 2004 us=159250 Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
> Sun Oct 3 10:27:51 2004 us=159327 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
> Sun Oct 3 10:28:02 2004 us=37338 Cannot allocate TUN/TAP dev dynamically
> Sun Oct 3 10:28:02 2004 us=37461 Exiting
> <<snip>>
>
> Now, I'm getting the downgrade, the initial connect, the routes are
> being set. And then I get a permission denied on the TUN/TAP adapter.
>
> It would appear, at least under Mandrake 10 and 10.1, that the
> permissions or chroot is happening too early.
>
> Anybody?
>
> Doug
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
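The ordering James describes (open the TUN/TAP device while still privileged, then apply --chroot and --user/--group) is easy to get wrong in any daemon that drops privileges, so here is an added example of the fixed sequence. It is not OpenVPN's code; the function names (open_device, attach_tun, fd_still_usable, drop_privileges, bring_up_tun), the chroot directory /var/empty and the uid/gid 65534 are assumptions for illustration. It is Linux-only, and the TUN part of main() needs root; the helpers also show the two failure modes from Doug's logs, ENOENT (errno=2) when the node is missing inside the jail and EACCES (errno=13) once the process is no longer root.

```c
/* Added example, not OpenVPN's code: open the device first, drop privileges
 * second. Names, /var/empty and uid/gid 65534 are assumptions. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <net/if.h>

/* Same values as <linux/if_tun.h>; repeated so this builds without kernel
 * headers installed. */
#ifndef TUNSETIFF
#define TUNSETIFF _IOW('T', 202, int)
#endif
#ifndef IFF_TUN
#define IFF_TUN   0x0001
#endif
#ifndef IFF_NO_PI
#define IFF_NO_PI 0x1000
#endif

/* Open a device node. Returns the fd, or -errno. Called after chroot the path
 * no longer exists in the jail (ENOENT, errno=2); called after setuid to an
 * unprivileged user the node is not writable (EACCES, errno=13). */
int open_device(const char *path)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);   /* CLOEXEC: no leak into --up scripts */
    return fd < 0 ? -errno : fd;
}

/* Bind a tun interface to an fd already opened on /dev/net/tun. ifname may
 * request a name ("tun0") and receives the name the kernel assigned. */
int attach_tun(int fd, char *ifname, size_t len)
{
    struct ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
    if (ifname && ifname[0])
        snprintf(ifr.ifr_name, IFNAMSIZ, "%s", ifname);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0)
        return -errno;
    if (ifname)
        snprintf(ifname, len, "%s", ifr.ifr_name);
    return 0;
}

/* A descriptor obtained before chroot/setuid stays valid afterwards; this is
 * what makes "open first, drop later" work. */
int fd_still_usable(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Drop privileges in an order that cannot be undone half-way: chroot (needs
 * root) and chdir into it, clear supplementary groups, setgid, then setuid,
 * and finally confirm root cannot be regained. Returns 0 or -errno. */
int drop_privileges(const char *chroot_dir, uid_t uid, gid_t gid)
{
    if (chroot_dir && (chroot(chroot_dir) < 0 || chdir("/") < 0))
        return -errno;
    if (setgroups(0, NULL) < 0)
        return -errno;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -errno;
    if (uid != 0 && setuid(0) == 0)
        return -EPERM;                          /* the drop did not stick */
    return 0;
}

/* The fixed sequence from the reply: configure the device while still root,
 * then apply --chroot/--user/--group. Returns the tun fd or -errno. */
int bring_up_tun(char *ifname, size_t len, const char *chroot_dir, uid_t uid, gid_t gid)
{
    int fd = open_device("/dev/net/tun");
    if (fd < 0)
        return fd;
    int rc = attach_tun(fd, ifname, len);
    if (rc == 0)
        rc = drop_privileges(chroot_dir, uid, gid);
    if (rc < 0) {
        close(fd);
        return rc;
    }
    return fd;
}

int main(void)
{
    char ifname[IFNAMSIZ] = "";
    /* Assumed: /var/empty exists and 65534/65534 is nobody/nogroup. */
    int fd = bring_up_tun(ifname, sizeof ifname, "/var/empty", 65534, 65534);
    if (fd < 0) {
        fprintf(stderr, "bring_up_tun: %s\n", strerror(-fd));
        return 1;
    }
    printf("%s is up on fd %d; still usable after drop: %d\n",
           ifname, fd, fd_still_usable(fd));
    /* A second open now fails the way the logs in the thread show. */
    int again = open_device("/dev/net/tun");
    printf("reopen after chroot+setuid: %s (errno=%d)\n",
           again < 0 ? strerror(-again) : "succeeded", again < 0 ? -again : 0);
    return 0;
}
```

Run as root, the device comes up and the second open fails with "No such file or directory" inside the empty jail; the first fd keeps working because the kernel checks permissions at open time, not per read/write. The final setuid(0) probe in drop_privileges is the cheap check that the drop actually took effect.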