On Tue, Aug 21, 2007 at 05:05:20PM +0200, Pierre Berthier wrote:
> Yes I have created a /etc/openvpn/sbin and /etc/openvpn/bin. I copied
> busybox there and made a link named ifconfig. Previously I tried to
> copy the system's ifconfig in sbin and the libraries it was linked
> against (as given by ldd) into /etc/openvpn/lib.

Well, "man openvpn" says on "--chroot":

"... In many cases, the dir parameter can point to an empty
directory, however complications can result when scripts or restarts
are executed after the chroot operation."

and it says on "--user":

"By setting user to nobody or somebody similarly unprivileged, the
hostile party would be limited in what damage they could cause. Of
course once you take away privileges, you cannot return them to an
OpenVPN session. This means, for example, that if you want to reset
an OpenVPN daemon with a SIGUSR1 signal (for example in response to
a DHCP reset), you should make use of one or more of the --persist
options to ensure that OpenVPN doesn't need to execute any
privileged operations in order to restart (such as re-reading key
files or running ifconfig on the TUN device)."

It seems that you get different addresses on your client when you are
connecting - so "--persist-tun" will not help in this case, as you need
to reconfigure the interface, which is done by ifconfig. But user nobody
does not have the proper privileges for this operation.
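
The restart pitfall quoted from the man page above, as an added example that is not part of the original mail: a shell lint that flags a config using user or chroot without persist-key/persist-tun, or with script hooks that run after privileges are dropped. The function names, the hook list and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag OpenVPN config files that drop privileges (user/chroot)
# but may still need privileged operations on a SIGUSR1 restart.

# has_directive FILE NAME: true if NAME is set on a non-comment line.
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# lint_ovpn_privdrop FILE: print one finding per line, nothing if clean.
lint_ovpn_privdrop() {
    conf=$1
    # Without user or chroot the daemon keeps its privileges: nothing to check.
    has_directive "$conf" user || has_directive "$conf" chroot || return 0
    # Without these, a restart re-reads key files or re-runs ifconfig
    # after the privileges needed for that are gone.
    has_directive "$conf" persist-key || echo "missing persist-key"
    has_directive "$conf" persist-tun || echo "missing persist-tun"
    # Script hooks that run after startup, i.e. unprivileged and inside the
    # chroot (this list is an assumption for the example, not exhaustive).
    for hook in down client-connect client-disconnect learn-address; do
        if has_directive "$conf" "$hook"; then
            echo "script after privilege drop: $hook"
        fi
    done
    return 0
}

# Constructed sample config (not taken from the thread).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
dev tun
user nobody
chroot /etc/openvpn
persist-key
# persist-tun
down /etc/openvpn/down.sh
EOF
lint_ovpn_privdrop "$demo_conf"
rm -f "$demo_conf"
```

A clean result only means the persist options are present; it cannot tell whether the tunnel address changes between connections, which still requires reconfiguring the interface.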