OpenVPN WARNING: Failed running command (--client-connect): could not execute external programOpenVPN ipv6 working fine until i load ip6table rulesProblems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?openvpn multiple instances route issue?pfsense peer-to-peer OpenVPN not connectingConfiguring OpenVPN server (Debian 8) and client (Windows 10)tls error : tls handshake failedOpenVPN and multicast routingOpenVPN Client Local LAN AccessOpenVPN using TAP with a dummy interfaceHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?

How did NASA Langley end up with the first 737?

My players want to grind XP but we're using milestone advancement

Apt - strange requests to d16r8ew072anqo.cloudfront.net:80

Why does this if-statement combining assignment and an equality check return true?

Why did Theresa May offer a vote on a second Brexit referendum?

Make 24 using exactly three 3s

My employer faked my resume to acquire projects

Best material to absorb as much light as possible

Website returning plaintext password

What is the function of the corrugations on a section of the Space Shuttle's external tank?

Can I summon an otherworldly creature with the Gate spell without knowing its true name?

Is it legal to meet with potential future employers in the UK, whilst visiting from the USA

How can I select seats on Amtrak train?

Where have Brexit voters gone?

Do photons bend spacetime or not?

Is it legal to have an abortion in another state or abroad?

I know that there is a preselected candidate for a position to be filled at my department. What should I do?

A steel cutting sword?

The roles understanding in the agile development / Is the PO always right?

The art of clickbait captions

Count Even Digits In Number

Could a 19.25mm revolver actually exist?

Does a transgender male convert require a Hatafas Dam Bris?

Defining the standard model of PA so that a space alien could understand



OpenVPN WARNING: Failed running command (--client-connect): could not execute external program


OpenVPN ipv6 working fine until i load ip6table rulesProblems setting up a VPN: can connect but can't ping anyoneOpenVPN connection from within 2nd subnet in office?openvpn multiple instances route issue?pfsense peer-to-peer OpenVPN not connectingConfiguring OpenVPN server (Debian 8) and client (Windows 10)tls error : tls handshake failedOpenVPN and multicast routingOpenVPN Client Local LAN AccessOpenVPN using TAP with a dummy interfaceHow to configure iptables for a dial-up VPN with OpenVPN and two interfaces?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








1















I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.



This is the main configuration file vpn.example.com.conf:



local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun

ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2

ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key

dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64

ifconfig-pool-persist ipp.txt


push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"

push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"

push "redirect-gateway def1"


tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

tls-version-min 1.2

auth SHA512

crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem

cipher AES-256-GCM

compress lz4

user nobody
group nogroup

verify-client-cert require

remote-cert-tls client

username-as-common-name

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2

client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

management /run/openvpn/openvpn.sock unix pw-management-file

keepalive 10 120

persist-key

persist-tun

status /var/log/openvpn/status.log


log-append /var/log/openvpn/openvpn.log

verb 3

explicit-exit-notify 1

max-clients 5


To configure chroot i just:

1. Created openvpn user by running useradd openvpn -d /etc/openvpn.

2. chown -R openvpn:openvpn /etc/openvpn.

3. Changed all paths in the config file into relatives ones.

4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip to /etc/sudoers

5. Added the following directives chroot /etc/openvpn, iproute unpriv-ip, user openvpn, group openvpn.

6. cat unpriv-ip



#!/bin/sh
/usr/bin/sudo /sbin/ip $*


7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.



Lastly simplified connect_.sh script to:



#!/bin/bash
/bin/echo 'a'
exit 0


When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program but if u run su - openvpn i can successfully run ./scripts/connect_.sh script



The following is the output when running openvpn from command line and before any client tries to connect: 



cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed


That's the output when a client tries to connect: 



Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting





linux vpn openvpn







share|improve this question
























  • Check out the script-security configuration option.

    – kostix
    Dec 8 '17 at 17:21











  • As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

    – user846226
    Dec 8 '17 at 18:04












  • Can you include the full log entry in your question?

    – Zoredache
    Dec 8 '17 at 18:33











  • Just did it. :)

    – user846226
    Dec 8 '17 at 19:00

















1















I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.



This is the main configuration file vpn.example.com.conf:



local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun

ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2

ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key

dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64

ifconfig-pool-persist ipp.txt


push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"

push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"

push "redirect-gateway def1"


tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

tls-version-min 1.2

auth SHA512

crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem

cipher AES-256-GCM

compress lz4

user nobody
group nogroup

verify-client-cert require

remote-cert-tls client

username-as-common-name

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2

client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

management /run/openvpn/openvpn.sock unix pw-management-file

keepalive 10 120

persist-key

persist-tun

status /var/log/openvpn/status.log


log-append /var/log/openvpn/openvpn.log

verb 3

explicit-exit-notify 1

max-clients 5


To configure chroot i just:

1. Created openvpn user by running useradd openvpn -d /etc/openvpn.

2. chown -R openvpn:openvpn /etc/openvpn.

3. Changed all paths in the config file into relatives ones.

4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip to /etc/sudoers

5. Added the following directives chroot /etc/openvpn, iproute unpriv-ip, user openvpn, group openvpn.

6. cat unpriv-ip



#!/bin/sh
/usr/bin/sudo /sbin/ip $*


7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.



Lastly simplified connect_.sh script to:



#!/bin/bash
/bin/echo 'a'
exit 0


When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program but if u run su - openvpn i can successfully run ./scripts/connect_.sh script



The following is the output when running openvpn from command line and before any client tries to connect: 



cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed


That's the output when a client tries to connect: 



Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting





linux vpn openvpn







share|improve this question
























  • Check out the script-security configuration option.

    – kostix
    Dec 8 '17 at 17:21











  • As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

    – user846226
    Dec 8 '17 at 18:04












  • Can you include the full log entry in your question?

    – Zoredache
    Dec 8 '17 at 18:33











  • Just did it. :)

    – user846226
    Dec 8 '17 at 19:00













1












1








1








I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.



This is the main configuration file vpn.example.com.conf:



local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun

ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2

ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key

dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64

ifconfig-pool-persist ipp.txt


push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"

push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"

push "redirect-gateway def1"


tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

tls-version-min 1.2

auth SHA512

crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem

cipher AES-256-GCM

compress lz4

user nobody
group nogroup

verify-client-cert require

remote-cert-tls client

username-as-common-name

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2

client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

management /run/openvpn/openvpn.sock unix pw-management-file

keepalive 10 120

persist-key

persist-tun

status /var/log/openvpn/status.log


log-append /var/log/openvpn/openvpn.log

verb 3

explicit-exit-notify 1

max-clients 5


To configure chroot i just:

1. Created openvpn user by running useradd openvpn -d /etc/openvpn.

2. chown -R openvpn:openvpn /etc/openvpn.

3. Changed all paths in the config file into relatives ones.

4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip to /etc/sudoers

5. Added the following directives chroot /etc/openvpn, iproute unpriv-ip, user openvpn, group openvpn.

6. cat unpriv-ip



#!/bin/sh
/usr/bin/sudo /sbin/ip $*


7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.



Lastly simplified connect_.sh script to:



#!/bin/bash
/bin/echo 'a'
exit 0


When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program but if u run su - openvpn i can successfully run ./scripts/connect_.sh script



The following is the output when running openvpn from command line and before any client tries to connect: 



cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed


That's the output when a client tries to connect: 



Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting





linux vpn openvpn







share|improve this question
















I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.



This is the main configuration file vpn.example.com.conf:



local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun

ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2

ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key

dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem

topology subnet

server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64

ifconfig-pool-persist ipp.txt


push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"

push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"

push "redirect-gateway def1"


tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key

tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

tls-version-min 1.2

auth SHA512

crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem

cipher AES-256-GCM

compress lz4

user nobody
group nogroup

verify-client-cert require

remote-cert-tls client

username-as-common-name

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2

client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh

management /run/openvpn/openvpn.sock unix pw-management-file

keepalive 10 120

persist-key

persist-tun

status /var/log/openvpn/status.log


log-append /var/log/openvpn/openvpn.log

verb 3

explicit-exit-notify 1

max-clients 5


To configure chroot i just:

1. Created openvpn user by running useradd openvpn -d /etc/openvpn.

2. chown -R openvpn:openvpn /etc/openvpn.

3. Changed all paths in the config file into relatives ones.

4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip to /etc/sudoers

5. Added the following directives chroot /etc/openvpn, iproute unpriv-ip, user openvpn, group openvpn.

6. cat unpriv-ip



#!/bin/sh
/usr/bin/sudo /sbin/ip $*


7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.



Lastly simplified connect_.sh script to:



#!/bin/bash
/bin/echo 'a'
exit 0


When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program but if u run su - openvpn i can successfully run ./scripts/connect_.sh script



The following is the output when running openvpn from command line and before any client tries to connect: 



cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed


That's the output when a client tries to connect: 



Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting





linux vpn openvpn




linux vpn openvpn






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 8 '17 at 18:56







user846226

















asked Dec 8 '17 at 16:44









user846226user846226

2172522




2172522












  • Check out the script-security configuration option.

    – kostix
    Dec 8 '17 at 17:21











  • As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

    – user846226
    Dec 8 '17 at 18:04












  • Can you include the full log entry in your question?

    – Zoredache
    Dec 8 '17 at 18:33











  • Just did it. :)

    – user846226
    Dec 8 '17 at 19:00

















  • Check out the script-security configuration option.

    – kostix
    Dec 8 '17 at 17:21











  • As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

    – user846226
    Dec 8 '17 at 18:04












  • Can you include the full log entry in your question?

    – Zoredache
    Dec 8 '17 at 18:33











  • Just did it. :)

    – user846226
    Dec 8 '17 at 19:00
















Check out the script-security configuration option.

– kostix
Dec 8 '17 at 17:21





Check out the script-security configuration option.

– kostix
Dec 8 '17 at 17:21













As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

– user846226
Dec 8 '17 at 18:04






As you can see, script-security is set to 2 and the script just execs echo command. Thanks anyway.

– user846226
Dec 8 '17 at 18:04














Can you include the full log entry in your question?

– Zoredache
Dec 8 '17 at 18:33





Can you include the full log entry in your question?

– Zoredache
Dec 8 '17 at 18:33













Just did it. :)

– user846226
Dec 8 '17 at 19:00





Just did it. :)

– user846226
Dec 8 '17 at 19:00










1 Answer
1






active

oldest

votes


















1














As my script was using bash i needed to move bash and all dependencies into chroot: 



cp -v /bin/bash /etc/openvpn/bin


So run ldd /bin/bash and move all dependencies into chroot directory: 



linux-vdso.so.1 => (0x00007fff1fbe5000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
/lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)





share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "2"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f887243%2fopenvpn-warning-failed-running-command-client-connect-could-not-execute-ex%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    As my script was using bash i needed to move bash and all dependencies into chroot: 



    cp -v /bin/bash /etc/openvpn/bin


    So run ldd /bin/bash and move all dependencies into chroot directory: 



    linux-vdso.so.1 => (0x00007fff1fbe5000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)





    share|improve this answer



























      1














      As my script was using bash i needed to move bash and all dependencies into chroot: 



      cp -v /bin/bash /etc/openvpn/bin


      So run ldd /bin/bash and move all dependencies into chroot directory: 



      linux-vdso.so.1 => (0x00007fff1fbe5000)
      libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
      libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
      libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
      /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)





      share|improve this answer

























        1












        1








        1







        As my script was using bash i needed to move bash and all dependencies into chroot: 



        cp -v /bin/bash /etc/openvpn/bin


        So run ldd /bin/bash and move all dependencies into chroot directory: 



        linux-vdso.so.1 => (0x00007fff1fbe5000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
        /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)





        share|improve this answer













        As my script was using bash i needed to move bash and all dependencies into chroot: 



        cp -v /bin/bash /etc/openvpn/bin


        So run ldd /bin/bash and move all dependencies into chroot directory: 



        linux-vdso.so.1 => (0x00007fff1fbe5000)
        libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
        /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)






        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Dec 9 '17 at 13:25









        user846226user846226

        2172522




        2172522



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Server Fault!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f887243%2fopenvpn-warning-failed-running-command-client-connect-could-not-execute-ex%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Wikipedia:Vital articles Мазмуну Biography - Өмүр баян Philosophy and psychology - Философия жана психология Religion - Дин Social sciences - Коомдук илимдер Language and literature - Тил жана адабият Science - Илим Technology - Технология Arts and recreation - Искусство жана эс алуу History and geography - Тарых жана география Навигация менюсу

            Image
            centralized watchlist Wikipedia:Vital articles Wikipedia дан Jump to navigation Jump to search This is a list of basic subjects for which Wikipedia should have a corresponding high-quality article, and ideally a featured article. It also serves as a centralized watchlist and tracks the status of some of Wikipedia's most essential articles. Ideally this page should list approximately 1,000 of the most vital Wikipedia articles. Мазмуну 1 Biography - Өмүр баян 1.1 Actors, dancers and models - Актёрлор, бийчилер жана моделдер 1.2 Artists and architects - Сүрөтчүлөр жана архитекторлор 1.3 Authors, playwrights and poets - Жазуучулар, драматургдар жана акындар 1.4 Composers and musicians - Композиторлор жана музыканттар 1.5 Explorers and travelers - Изилдөөчүлөр менен саякатчылар 1.6 Film directors and screenwriters - Режиссёрлор жана сценаристтер 1.7 Inventors, scientists and mathematicians - Ойлоп табуучулар, окумуштуулар жана математиктер
            Read more

            Bruxelas-Capital Índice Historia | Composición | Situación lingüística | Clima | Cidades irmandadas | Notas | Véxase tamén | Menú de navegacióneO uso das linguas en Bruxelas e a situación do neerlandés"Rexión de Bruxelas Capital"o orixinalSitio da rexiónPáxina de Bruselas no sitio da Oficina de Promoción Turística de Valonia e BruxelasMapa Interactivo da Rexión de Bruxelas-CapitaleeWorldCat332144929079854441105155190212ID28008674080552-90000 0001 0666 3698n94104302ID540940339365017018237

            Image
            AnderlechtCidade de BruxelasIxellesEtterbeekEvereGanshorenJetteKoekelbergAuderghemSchaerbeekBerchem-Sainte-AgatheSaint-GillesMolenbeek-Saint-JeanSaint-Josse-ten-NoodeWoluwe-Saint-LambertWoluwe-Saint-PierreUccleForestWatermaal-Bosvoorde Comunidade Francesa de Bélxica Comunidade Flamenga de Bélxica Comunidade Xermanófona de Bélxica Bruxelas-CapitalRexións de Bélxica francésneerlandésRexiónsBélxicacomunidade francesacomunidade flamengafrancófonaflamengaUnión EuropeaMagrebMarrocosTurquíaAméricaÁfricaRepública Democrática do CongoEuropa central18 de xuño1989FlandresRexión Valoaflamengaséculo XIXClasificación climática de Köppen Bruxelas-Capital Na Galipedia, a Wikipedia en galego. Saltar ata a navegación Saltar á procura Para outras páxinas con títulos homónimos véxase: Bruxelas . Région de Bruxelles-Capitale Brussels Hoofdstedelijk Gewest Bandeira Estado Bélxica Capital Cidade de Bruxelas  • Poboación n/d Lingua oficial As dúas Superficie  • Total 1
            Read more

            What should I write in an apology letter, since I have decided not to join a company after accepting an offer letterShould I keep looking after accepting a job offer?What should I do when I've been verbally told I would get an offer letter, but still haven't gotten one after 4 weeks?Do I accept an offer from a company that I am not likely to join?New job hasn't confirmed starting date and I want to give current employer as much notice as possibleHow should I address my manager in my resignation letter?HR delayed background verification, now jobless as resignedNo email communication after accepting a formal written offer. How should I phrase the call?What should I do if after receiving a verbal offer letter I am informed that my written job offer is put on hold due to some internal issues?Should I inform the current employer that I am about to resign within 1-2 weeks since I have signed the offer letter and waiting for visa?What company will do, if I send their offer letter to another company

            Image
            When is the original BFGS algorithm still better than the Limited-Memory version? How well known and how commonly used was Huffman coding in 1979? Inverse-quotes-quine Can the US president have someone sent to jail? Employer wants to use my work email account after I quit, is this legal under German law? Is this a GDPR waiver? Do French speakers not use the subjunctive informally? Low-gravity Bronze Age fortifications Does ultrasonic bath cleaning damage laboratory volumetric glassware calibration? Why do some games show lights shine through walls? Unusual mail headers, evidence of an attempted attack. Have I been pwned? Smooth Julia set for quadratic polynomials Require advice on power conservation for backpacking trip Dimensions of list used in test C-152 carb heat on before landing in hot weather? Is my Rep in Stack-Exchange Form? What happens when your group is victim of a surprise attack but you can't be surprised? How come I was asked by a CBP
            Read more