[ale] OpenVPN Question

Jerry Yu jjj863 at gmail.com
Tue Nov 14 08:09:43 EST 2006


for both client and server. In my client.conf from OpenVPN 2.0.2,
-------cut--------cut-----------------x--------------------------cut-------
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
-------cut--------cut-----------------x--------------------------cut-------


On 11/13/06, John Mills <johnmills at speakeasy.net> wrote:
>
> Jerry -
>
> Thanks for your comments. They raised a question for me.
>
> Further suggestions welcome.
>
> - Mills
>
> On Fri, 3 Nov 2006, Jerry Yu wrote:
>
> > OpenVPN runs as a least-privileged user such as 'nobody', so, I'd think you
> > need to let this 'nobody' read. Other than that, as restrictive as you can be.
> > The certificate is guarded by a passphrase, so use a long winding one.
>
> Q) Are you referring to the client here, and if so, what should I do to
> set openvpn's USER to 'nobody'?
>
> > set up sudo, so you can start/stop openvpn at will as a regular user. Add a
> > command line alias "alias off='sudo /etc/init.d/openvpn stop'", so you can
> > save a few keystrokes.
>
> I made a 'sudo' script. 'openvpn' wanted to be started just above the
> directory holding my certificates, and - in my case - that's the directory
> with the *.ovpn configuration directory. I unpacked the files from our IT
> dept. into '~/.openvpn' and my script 'cd's there to run. There's
> probably a cleaner way to do this. Effectively my startup is:
> # cd $HOME/.openvpn; openvpn --config <configfile>
>
> > If you do want GUI on linux, there's a lot on sourceforge. In particular,
> > OpenVPNmanager sounds like what you requested.
> > http://sourceforge.net/search/?type_of_search=soft&words=openvpn+gui
>
> Good thought. I used the GUI once to get an idea of the sequence, then
> 'winged it' with my sudo script.
>
> > On 11/3/06, John Mills <johnmills at speakeasy.net> wrote:
>
> > > 1. I have file set with certificate, etc., for the connection. Where is it
> > > appropriate to save this, and with what permissions?
>
> > > 2. As a client I would like to open and close the tunnel manually (by
> > > screen widget for example). How can I achieve this?
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>
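The "cd into the config directory and start openvpn under sudo" wrapper from this thread, with the two checks that belong next to 'user nobody' / 'group nobody', as an added example that is neither poster's script; VPN_DIR, the *.key file naming and the persist-key/persist-tun requirement for restarts are assumptions about a typical client layout, not something the thread states:

```shell
#!/bin/sh
# Added example, not code from the thread: wraps "cd ~/.openvpn; openvpn
# --config <file>" with checks for the privilege-drop directives and for
# key-file permissions. VPN_DIR and the *.key naming are assumptions.

VPN_DIR="${VPN_DIR:-$HOME/.openvpn}"

# Return 0 if the config drops privileges (user/group) and also keeps the key
# and tun device across restarts. Once running as 'nobody' the daemon cannot
# re-read a root-only key or reopen the tun device, so without
# persist-key/persist-tun a ping-restart leaves it dead instead of reconnecting.
check_privdrop() {
    cfg="$1"
    for d in user group persist-key persist-tun; do
        grep -Eq "^[[:space:]]*$d([[:space:]]|\$)" "$cfg" || {
            echo "$cfg: missing '$d' directive" >&2
            return 1
        }
    done
    return 0
}

# Return 0 if no *.key file in the directory is readable by group or others.
# openvpn loads the key while still root, before downgrading to 'nobody', so
# the private key can stay 0600; only the config and certificates need wider
# read access.
check_key_perms() {
    dir="$1"
    rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
            echo "$f: readable by group/others; fix with: chmod 600 $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Run both checks, then start from inside the config directory so relative
# ca/cert/key paths in the config resolve, as the thread's startup does.
start_vpn() {
    cfg="$1"
    check_privdrop "$VPN_DIR/$cfg" && check_key_perms "$VPN_DIR" || return 1
    cd "$VPN_DIR" && exec sudo openvpn --config "$cfg"
}

if [ -n "$1" ]; then start_vpn "$1"; fi
```

Invoke it as `vpn-start.sh client.conf` from a regular account; the sudo prompt is the only privileged step and the checks run before it.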