OpenVPN WARNING: Failed running command (--client-connect): could not execute external program
I've just configured OpenVPN on my server and it has been working fine until I changed it to work in chroot mode.

This is the main configuration file `vpn.example.com.conf`:
```
local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2
ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"
push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"
push "redirect-gateway def1"
tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512
crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM
compress lz4
user nobody
group nogroup
verify-client-cert require
remote-cert-tls client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2
client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
management /run/openvpn/openvpn.sock unix pw-management-file
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
max-clients 5
```
To configure chroot I just:

1. Created the openvpn user by running `useradd openvpn -d /etc/openvpn`.
2. Ran `chown -R openvpn:openvpn /etc/openvpn`.
3. Changed all paths in the config file into relative ones.
4. Added `openvpn ALL=(ALL) NOPASSWD: /sbin/ip` to `/etc/sudoers`.
5. Added the following directives: `chroot /etc/openvpn`, `iproute unpriv-ip`, `user openvpn`, `group openvpn`.
6. `cat unpriv-ip`:

```sh
#!/bin/sh
# Wrapper named by "iproute unpriv-ip": OpenVPN calls it instead of /sbin/ip
# once it has dropped privileges. "$@" passes each argument through intact;
# $* would re-split arguments containing whitespace.
/usr/bin/sudo /sbin/ip "$@"
```

7. Also edited the rsyslog config to create an extra socket inside the openvpn chroot directory.

Lastly, I simplified the `connect_.sh` script to:

```sh
#!/bin/bash
/bin/echo 'a'
exit 0
```
When I run `openvpn --config vpn.example.com.conf` and try to connect I see `WARNING: Failed running command (--client-connect): could not execute external program`, but if I run `su - openvpn` I can successfully run the `./scripts/connect_.sh` script.

The following is the output when running openvpn from the command line, before any client tries to connect:
```
cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed
```
This is the output when a client tries to connect:
```
Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting
```
linux vpn openvpn
Check out the script-security configuration option.
– kostix, Dec 8 '17 at 17:21

As you can see, script-security is set to 2 and the script just execs the echo command. Thanks anyway.
– user846226, Dec 8 '17 at 18:04

Can you include the full log entry in your question?
– Zoredache, Dec 8 '17 at 18:33

Just did it. :)
– user846226, Dec 8 '17 at 19:00
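The warning quoted in the question is the one OpenVPN logs when the exec of the --client-connect program itself fails, before the script gets a chance to run. Once the daemon has logged `chroot to '/etc/openvpn' and cd to '/' succeeded`, every path it hands to the kernel is resolved under that new root: the script path from the config, the interpreter on the script's `#!` line, and any absolute command the script invokes. Running the script by hand as the openvpn user from outside the chroot does not exercise any of that. The check below is an added example, not code from the question or from OpenVPN; the function name `chroot_script_check` and the directory layout it is run against are assumptions made for this illustration. It walks a candidate script the way the chrooted daemon would and reports each path that would not resolve.

```shell
#!/bin/sh
# Added diagnostic (not part of the original question or of OpenVPN):
# checks whether a --client-connect script could be exec'd by an OpenVPN
# process that has done chroot(ROOT) and changed to an unprivileged user.
# Paths in the config, the #! interpreter and absolute program paths used
# inside the script are all resolved against ROOT, not the host root.
#
# Usage: chroot_script_check ROOT SCRIPT_PATH_AS_WRITTEN_IN_CONFIG
# Prints one line per problem and returns the number of problems (0 = ok).

chroot_script_check() {
    root=${1%/}        # strip a trailing slash so "$root$path" concatenates cleanly
    script=$2
    problems=0

    # OpenVPN logs "chroot to '<root>' and cd to '/'", so a relative path in the
    # config resolves against "/" inside the chroot, i.e. against ROOT.
    case $script in
        /*) inside="$root$script" ;;
        *)  inside="$root/$script" ;;
    esac

    if [ ! -f "$inside" ]; then
        echo "missing: $script is not present under $root (looked for $inside)"
        return 1
    fi
    if [ ! -x "$inside" ]; then
        echo "not executable: $inside"
        problems=$((problems + 1))
    fi

    # The kernel resolves the interpreter named on the #! line inside the chroot too.
    shebang=$(head -n 1 "$inside")
    case $shebang in
        '#!'*)
            interp=${shebang#"#!"}
            interp=${interp%% *}      # drop interpreter arguments such as "-e"
            if [ ! -x "$root$interp" ]; then
                echo "missing interpreter: $interp is not present under $root"
                problems=$((problems + 1))
            fi
            ;;
        *)
            echo "no #! line: $inside cannot be exec'd directly"
            problems=$((problems + 1))
            ;;
    esac

    # Absolute program paths the script itself invokes (e.g. /bin/echo) must
    # also exist under ROOT. Only commands that start a line are inspected.
    for prog in $(grep -o '^/[A-Za-z0-9_./-]*' "$inside" | sort -u); do
        if [ ! -x "$root$prog" ]; then
            echo "missing program: $prog is not present under $root"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}

# When invoked as a script with two arguments, run the check once, e.g.
#   sh chroot_script_check.sh /etc/openvpn /etc/openvpn/scripts/connect_.sh
#   sh chroot_script_check.sh /etc/openvpn /scripts/connect_.sh
if [ "$#" -eq 2 ]; then
    chroot_script_check "$1" "$2"
fi
```

Run it once with the path exactly as it appears in the config and once with the path the script would have relative to the chroot root; the two answers differ whenever an absolute host path has been left in the config. The check deliberately stops at the file level: a dynamically linked interpreter such as `/bin/bash` also needs its shared libraries (see `ldd`) under the chroot, and whatever is copied in becomes part of what a compromised daemon can execute, so keep the chroot contents to the minimum the script actually needs.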
add a comment |
I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.
This is the main configuration file vpn.example.com.conf
:
local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2
ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"
push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"
push "redirect-gateway def1"
tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512
crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM
compress lz4
user nobody
group nogroup
verify-client-cert require
remote-cert-tls client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2
client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
management /run/openvpn/openvpn.sock unix pw-management-file
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
max-clients 5
To configure chroot i just:
1. Created openvpn user by running useradd openvpn -d /etc/openvpn
.
2. chown -R openvpn:openvpn /etc/openvpn.
3. Changed all paths in the config file into relatives ones.
4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip
to /etc/sudoers
5. Added the following directives chroot /etc/openvpn
, iproute unpriv-ip
, user openvpn
, group openvpn
.
6. cat unpriv-ip
#!/bin/sh
/usr/bin/sudo /sbin/ip $*
7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.
Lastly simplified connect_.sh script to:
#!/bin/bash
/bin/echo 'a'
exit 0
When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program
but if u run su - openvpn
i can successfully run ./scripts/connect_.sh script
The following is the output when running openvpn from command line and before any client tries to connect:
cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed
That's the output when a client tries to connect:
Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting
linux vpn openvpn
I've just configured OpenVPN on my server and it has been working fine till i changed it to work in chroot mode.
This is the main configuration file vpn.example.com.conf
:
local w.x.y.z
port 1194
proto udp
proto-force udp
dev tun
ifconfig-ipv6 wwww:xxxx:yyyy:zzzz::1 wwww:xxxx:yyyy:zzzz::2
ca /etc/openvpn/easy-rsa3/easyrsa3/pki/ca.crt
cert /etc/openvpn/easy-rsa3/easyrsa3/pki/issued/vpn.example.com.crt
key /etc/openvpn/easy-rsa3/easyrsa3/pki/private/vpn.example.com.key
dh /etc/openvpn/easy-rsa3/easyrsa3/pki/dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
server-ipv6 wwww:xxxx:yyyy:zzzz::/64
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS w.x.y.z"
push "dhcp-option DNS z.w.x.y"
push "dhcp-option DNS 8.8.8.8"
push "route-ipv6 wwww:xxxx:yyyy:zzzz::2/64"
push "route-ipv6 wwww::/3"
push "redirect-gateway def1"
tls-crypt /etc/openvpn/easy-rsa3/easyrsa3/ta.key
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
tls-version-min 1.2
auth SHA512
crl-verify /etc/openvpn/easy-rsa3/easyrsa3/pki/crl.pem
cipher AES-256-GCM
compress lz4
user nobody
group nogroup
verify-client-cert require
remote-cert-tls client
username-as-common-name
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
script-security 2
client-connect /etc/openvpn/scripts/connect_.sh
client-disconnect /etc/openvpn/scripts/disconnect.sh
management /run/openvpn/openvpn.sock unix pw-management-file
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn/status.log
log-append /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
max-clients 5
To configure chroot i just:
1. Created openvpn user by running useradd openvpn -d /etc/openvpn
.
2. chown -R openvpn:openvpn /etc/openvpn.
3. Changed all paths in the config file into relatives ones.
4. Added openvpn ALL=(ALL) NOPASSWD: /sbin/ip
to /etc/sudoers
5. Added the following directives chroot /etc/openvpn
, iproute unpriv-ip
, user openvpn
, group openvpn
.
6. cat unpriv-ip
#!/bin/sh
/usr/bin/sudo /sbin/ip $*
7. Also edited rsyslog config to create an extra socket into openvpn chroot directory.
Lastly simplified connect_.sh script to:
#!/bin/bash
/bin/echo 'a'
exit 0
When i run openvpn --config vpn.example.com.conf and try to connect i see WARNING: Failed running command (--client-connect): could not execute external program
but if u run su - openvpn
i can successfully run ./scripts/connect_.sh script
The following is the output when running openvpn from command line and before any client tries to connect:
cd /etc/openvpn/
root@we:/etc/openvpn# /usr/sbin/openvpn --config conf.d/vpn.example.com[easy-rsa3+chroot].conf --verb 3
Fri Dec 8 19:45:01 2017 OpenVPN 2.4.0 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 22 2017
Fri Dec 8 19:45:01 2017 library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Fri Dec 8 19:45:01 2017 MANAGEMENT: unix domain socket listening on /run/openvpn/openvpn.sock
Fri Dec 8 19:45:01 2017 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 8 19:45:01 2017 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Fri Dec 8 19:45:01 2017 Diffie-Hellman initialized with 4096 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Fri Dec 8 19:45:01 2017 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Fri Dec 8 19:45:01 2017 TUN/TAP device tun0 opened
Fri Dec 8 19:45:01 2017 TUN/TAP TX queue length set to 100
Fri Dec 8 19:45:01 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=1
Fri Dec 8 19:45:01 2017 unpriv-ip link set dev tun0 up mtu 1500
Fri Dec 8 19:45:01 2017 unpriv-ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Fri Dec 8 19:45:01 2017 unpriv-ip -6 addr add wwww:xxxx:yyyy:zzzz::1/64 dev tun0
Fri Dec 8 19:45:01 2017 Could not determine IPv4/IPv6 protocol. Using AF_INET
Fri Dec 8 19:45:01 2017 Socket Buffers: R=[8388608->8388608] S=[212992->212992]
Fri Dec 8 19:45:01 2017 UDPv4 link local (bound): [AF_INET]w.x.y.z:1194
Fri Dec 8 19:45:01 2017 UDPv4 link remote: [AF_UNSPEC]
Fri Dec 8 18:45:01 2017 chroot to '/etc/openvpn' and cd to '/' succeeded
Fri Dec 8 18:45:01 2017 GID set to openvpn
Fri Dec 8 18:45:01 2017 UID set to openvpn
Fri Dec 8 18:45:01 2017 MULTI: multi_init called, r=256 v=256
Fri Dec 8 18:45:01 2017 IFCONFIG POOL IPv6: (IPv4) size=252, size_ipv6=65536, netbits=64, base_ipv6=wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=1
Fri Dec 8 18:45:01 2017 ifconfig_pool_read(), in='client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000', TODO: IPv6
Fri Dec 8 18:45:01 2017 succeeded -> ifconfig_pool_set()
Fri Dec 8 18:45:01 2017 IFCONFIG POOL LIST
Fri Dec 8 18:45:01 2017 client1,10.8.0.2,wwww:xxxx:yyyy:zzzz::1000
Fri Dec 8 18:45:01 2017 Initialization Sequence Completed
This is the output when a client tries to connect:
Fri Dec 8 18:47:44 2017 66.666.66.66:64191 TLS: Initial packet from [AF_INET]66.666.66.66:64191, sid=1c8b367d eb08e85e
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has key usage 0080, expects 0080
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY KU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Validating certificate extended key usage
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 ++ Certificate has EKU (str) TLS Web Client Authentication, expects TLS Web Client Authentication
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY EKU OK
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 VERIFY OK: depth=1, C=FF, ST=ZZZ, L=SomeCity, O=Some Text, OU=String, CN=String CA, emailAddress=user@example.com
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_VER=2.4.4
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PLAT=mac
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_PROTO=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_NCP=2
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZ4v2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_LZO=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUB=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_COMP_STUBv2=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_TCPNL=1
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_4920_3.7.4a__build_4920)"
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 TLS: Username/Password authentication succeeded for username 'client' [CN SET]
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 4096 bit RSA
Fri Dec 8 18:47:47 2017 66.666.66.66:64191 [client1] Peer Connection Initiated with [AF_INET]66.666.66.66:64191
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=wwww:xxxx:y:zzzz::1000
Fri Dec 8 18:47:47 2017 client1/66.666.66.66:64191 WARNING: Failed running command (--client-connect): could not execute external program
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 PUSH: Received control message: 'PUSH_REQUEST'
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 Delayed exit in 5 seconds
Fri Dec 8 18:47:48 2017 client1/66.666.66.66:64191 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Fri Dec 8 18:47:53 2017 client1/66.666.66.66:64191 SIGTERM[soft,delayed-exit] received, client-instance exiting
linux vpn openvpn
asked Dec 8 '17 at 16:44 by user846226
edited Dec 8 '17 at 18:56
Check out the script-security configuration option.
– kostix Dec 8 '17 at 17:21
As you can see, script-security is set to 2 and the script just execs the echo command. Thanks anyway.
– user846226 Dec 8 '17 at 18:04
Can you include the full log entry in your question?
– Zoredache Dec 8 '17 at 18:33
Just did it. :)
– user846226 Dec 8 '17 at 19:00
1 Answer
As my script was using bash, I needed to move bash and all of its dependencies into the chroot:
cp -v /bin/bash /etc/openvpn/bin
So run ldd /bin/bash and move all dependencies into the chroot directory:
linux-vdso.so.1 => (0x00007fff1fbe5000)
libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
/lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)
answered Dec 9 '17 at 13:25
user846226
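The answer's manual copy-and-ldd procedure as one script, an added example that is not code from the original post: it parses the ldd output and stages the interpreter plus its libraries under the chroot at their original paths, so the `--client-connect` script's shebang resolves after OpenVPN has chrooted and dropped to the openvpn user. The chroot directory (/etc/openvpn) and interpreter (/bin/bash) are taken from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Stages a script interpreter
# and the libraries `ldd` resolves for it inside an OpenVPN chroot, keeping the
# original paths so the dynamic loader finds them after the chroot. The chroot
# directory (/etc/openvpn) and interpreter (/bin/bash) are assumed from the post.

# Constructed sample: the ldd output quoted in the answer, used to show parsing.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff1fbe5000)
    libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007f86fcbbc000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f86fc9b8000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f86fc5f1000)
    /lib64/ld-linux-x86-64.so.2 (0x000055a1be46b000)'

# Read ldd output on stdin and print one absolute library path per line.
# "name => /path (addr)" and "/path (addr)" yield a path; the kernel-provided
# vdso ("linux-vdso.so.1 => (addr)") has no file on disk and is skipped.
parse_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                 { print $1 }'
}

# Copy one file into the chroot at the same path, creating parent directories.
# Returns non-zero if the source does not exist or the copy fails.
copy_into_chroot() {
    src=$1; root=$2
    [ -f "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$root$(dirname "$src")" && cp -p "$src" "$root$src"
}

# Copy a binary plus every library ldd resolves for it into the chroot.
install_with_deps() {
    bin=$1; root=$2
    copy_into_chroot "$bin" "$root" || return 1
    ldd "$bin" | parse_ldd | while read -r lib; do
        copy_into_chroot "$lib" "$root" || exit 1   # fails the whole pipeline
    done
}

# Show what the parser extracts from the sample; the real run is commented out.
printf '%s\n' "$SAMPLE_LDD" | parse_ldd
# install_with_deps /bin/bash /etc/openvpn
```

Everything staged this way is executable by the unprivileged openvpn user after the UID/GID drop, so stage only what the client-connect script actually needs and re-run the copy after package upgrades so the libraries inside the chroot stay patched.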