
Re: [Openvpn-users] restore tunnel after switching over network interfaces

  • Subject: Re: [Openvpn-users] restore tunnel after switching over network interfaces
  • From: Klaus Thielking-Riechert <klaus.thielking-riechert@xxxxxxxxxx>
  • Date: Tue, 21 Aug 2007 17:20:25 +0200

On Tue, Aug 21, 2007 at 05:05:20PM +0200, Pierre Berthier wrote:
> Yes I have created a /etc/openvpn/sbin and /etc/openvpn/bin.  I copied
> busybox there and made a link named ifconfig.  Previously I tried to
> copy the system's ifconfig in sbin and the libraries it was linked
> against (as given by ldd) into /etc/openvpn/lib.

Well, "man openvpn" says on "--chroot":

    "... In many cases, the dir parameter can point to an empty
    directory, however complications can result when scripts or restarts
    are executed after the chroot operation."

and it says on "--user":

    "By setting user to nobody or somebody similarly unprivileged, the
    hostile party would be limited in what damage they could cause. Of
    course once you take away privileges, you cannot return them to an
    OpenVPN session. This means, for example, that if you want to reset
    an OpenVPN daemon with a SIGUSR1 signal (for example in response to
    a DHCP reset), you should make use of one or more of the --persist
    options to ensure that OpenVPN doesn't need to execute any
    privileged operations in order to restart (such as re-reading key
    files or running ifconfig on the TUN device)."

It seems that you get different addresses on your client when you are
connecting - so "--persist-tun" will not help in this case, as you need
to reconfigure the interface, which is done by ifconfig. But user nobody
does not have the proper privileges for this operation.

Best regards,


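A static check for the situation the reply describes, as an added example that is not part of the original message or of OpenVPN: it reads a config and reports which restart-time operations would still be attempted after `user`/`chroot` have taken effect. The function names, finding codes and the sample config are assumptions made for illustration.

```python
# Added example (not from the thread): lint an OpenVPN config for operations
# that a SIGUSR1 restart would attempt after privileges have been dropped.
PRIV_DROP = {"user", "group", "chroot"}
KEY_OPTS = {"key", "secret", "tls-auth", "pkcs12"}
SCRIPT_OPTS = {"up", "down", "route-up", "ipchange"}

# Constructed sample client config, for illustration only.
SAMPLE = """\
client
dev tun
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
user nobody
chroot /etc/openvpn
persist-tun
up /bin/up.sh
"""

def parse_directives(text):
    """Map each directive name to its arguments, skipping '#' and ';' comments."""
    found = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0][0] not in "#;":
            found.setdefault(parts[0].lstrip("-"), parts[1:])
    return found

def check_restart_safety(text):
    """Return (code, message) findings; empty when no privilege drop is configured."""
    d = parse_directives(text)
    if not PRIV_DROP & d.keys():
        return []
    findings = []
    if "persist-tun" not in d:
        findings.append(("persist-tun", "restart reopens the TUN device and reruns ifconfig"))
    if "persist-key" not in d and KEY_OPTS & d.keys():
        findings.append(("persist-key", "restart re-reads key files it may no longer reach"))
    if "chroot" in d:
        for name in sorted(SCRIPT_OPTS & d.keys()):
            root = " ".join(d["chroot"])
            findings.append(("script-in-chroot", f"'{name}' script and its tools must exist under {root}"))
    if "persist-tun" in d and {"client", "pull"} & d.keys():
        findings.append(("address-may-change", "a new pushed address still needs ifconfig, as the reply notes"))
    return findings

if __name__ == "__main__":
    for code, message in check_restart_safety(SAMPLE):
        print(f"{code}: {message}")
```

The last finding cannot be resolved by a config option alone: it marks the case from the reply where the server may hand out a different address on reconnect.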