Re: [Openvpn-users] invalidate username/password setting via management interface


  • Subject: Re: [Openvpn-users] invalidate username/password setting via management interface
  • From: "Alon Bar-Lev" <alon.barlev@xxxxxxxxx>
  • Date: Mon, 14 Jan 2008 14:59:43 +0200

On 1/14/08, Wilhelm Meier <wilhelm.meier@xxxxxxxx> wrote:
> The distinction must be made upon user-identities, not system
> identities.

You can use my branch for unprivileged mode of OpenVPN.
svn checkout http://svn.openvpn.net/projects/openvpn/contrib/alon/BETA21-unpriv

This adds --user and --group to --mktun so that you can set the ownership
of the tun device.

Then write a simple script, such as /usr/local/sbin/myip:
#!/bin/sh
# Run ip through sudo; "$@" passes each argument through unchanged.
sudo /sbin/ip "$@"

Add the following to sudoers, replacing @@X@@ with correct settings:
@@USER@@ ALL=(ALL)  NOPASSWD: /sbin/ip
or:
%@@GROUP@@ ALL=(ALL)  NOPASSWD: /sbin/ip

Add the following to your openvpn configuration:
iproute /usr/local/sbin/myip
dev @@TUN_WITH_CORRECT_OWNERSHIP@@

And that's it! You can run the OpenVPN daemon as the logged-in user,
and kill the process when the user logs out.

Best Regards,
Alon Bar-Lev.
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
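
Added example (not part of the original message or of OpenVPN's code): the NOPASSWD rule in the message lets the named user or group run any ip command as root, so a least-privilege variant of the wrapper can allow-list the calls. It assumes sudoers names this root-owned script instead of /sbin/ip, and that OpenVPN only issues the link/addr/route forms listed in the comments; the function names and the device prefix are hypothetical, so check them against your own OpenVPN log.

```shell
#!/bin/sh
# Added example, not from the original post: an allow-listing wrapper for ip.
# Assumptions: this file is root-owned and not writable by others, and the
# sudoers entry names this file instead of /sbin/ip, so the check runs as root.

ALLOWED_DEV_PREFIX="tun"   # assumption: devices pre-created with --mktun

# Accept only names such as tun0 .. tun99.
dev_allowed() {
    case "$1" in
        "$ALLOWED_DEV_PREFIX"[0-9] | "$ALLOWED_DEV_PREFIX"[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only for the argument forms OpenVPN is assumed to issue:
#   link set dev <tun> ...   addr add|del dev <tun> ...   route add|del ...
# Any other object, verb, or leading option is refused.
ip_args_allowed() {
    obj=$1
    verb=$2
    case "$obj" in
        link)
            [ "$verb" = "set" ] && [ "$3" = "dev" ] || return 1
            dev_allowed "$4" ;;
        addr)
            { [ "$verb" = "add" ] || [ "$verb" = "del" ]; } || return 1
            [ "$3" = "dev" ] || return 1
            dev_allowed "$4" ;;
        route)
            # Routes are limited by verb only; destinations are not checked.
            [ "$verb" = "add" ] || [ "$verb" = "del" ] ;;
        *)
            return 1 ;;
    esac
}

run_ip() {
    if ip_args_allowed "$@"; then
        exec /sbin/ip "$@"
    fi
    echo "myip: refused: ip $*" >&2
    return 1
}

# With no arguments there is nothing to validate or run.
if [ "$#" -gt 0 ]; then
    run_ip "$@"
fi
```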