
Re: [Openvpn-users] openvpn server


  • Subject: Re: [Openvpn-users] openvpn server
  • From: Jean-Pierre Schwickerath <lists@xxxxxxxxxxxx>
  • Date: Tue, 19 Oct 2004 12:45:02 +0200


> Hello,
> 
> 
> I put my VPN server on a Debian machine; this server should run
> 24h/day. The server should not run under root, so I created a user
> account. The problem I get is when I run the openvpn server from my
> user account, I get many errors:
> permission denied...
> For example: the server uses ifconfig to assign an IP address to the
> TUN/TAP device and you need root rights to do that.

You can't do this as a normal user. Imagine your machine if everyone
could manipulate the dns-entries, the ip address and the routing
tables... 

What you could do is use sudo and allow it to run just the specified
commands. 


> What is the best way (the most secure way) to set up the openvpn server?


Look at apache httpd and bind, they all run as root to bind to low ports
and then drop their privileges, just as openvpn does. 
You shouldn't worry too much about openvpn starting as root and then
dropping its privileges to a username / group which is not used by
anything else. 
You should put more attention in securing your certificates, your CA and
the services that will be accessed through the vpn.


Jean-Pierre
-- 
Powered by Linux From Scratch - http://schwicky.net/
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141

Nothing is impossible... Everything is relative!
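
The start-as-root-then-drop pattern described in the reply above, as an added C example; it is not part of the original message and is not OpenVPN's, Apache's or BIND's source code. The helper name `drop_privileges` and the use of the `nobody` account are assumptions for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes setgroups() under strict -std modes */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop from root to uid/gid. Returns 0 on success, -1 on any
 * failure; on failure the caller must exit instead of continuing as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() != 0)       { errno = EPERM;  return -1; } /* not root   */

    /* Order matters: supplementary groups, then gid, then uid. Once the
     * uid is gone the process may no longer change its groups. */
    if (setgroups(0, NULL) != 0) return -1;  /* shed root's extra groups     */
    if (setgid(gid) != 0)        return -1;  /* real, effective, saved gid   */
    if (setuid(uid) != 0)        return -1;  /* real, effective, saved uid   */

    /* Verify the drop cannot be undone: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* Assumption: "nobody" stands in for a dedicated, otherwise unused account. */
    struct passwd *pw = getpwnam("nobody");
    if (pw == NULL) { fprintf(stderr, "account not found\n"); return 1; }

    /* Privileged setup (configure the TUN/TAP device, bind a low port)
     * belongs here, before the drop. */

    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;                            /* never continue as root */
    }
    printf("now running as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as an ordinary user, the program refuses with an error, which matches the "permission denied" behaviour in the question: only root can perform the setup step and the drop.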
