3

OpenVPN connects on CLI, not on GUI [2.1.4]

asked 2018-03-06 08:58:10 +0200

J24

updated 2018-03-07 09:42:52 +0200

I realize VPN with settings GUI is still in beta. This is to report my experience with it.

I set up an OpenVPN server on my VPS following this guide. Using the .ovpn file generated following the guide I can connect in the terminal

devel-su openvpn --config client1.ovpn

Using the browser I can confirm that a VPN connection is successfully working.

Next I set up a connection using the same .ovpn file in the settings GUI import feature. When trying to enable the connection, it says "connecting" for two seconds, then without any error message the status goes back to "unused".

EDIT1: Thanks for the hints on logs! This is the error I get:

openvpn[11958]: setgid('nobody') failed: Operation not permitted (errno=1)
openvpn[11958]: Exiting due to fatal error
openvpn[11958]: Closing TUN/TAP interface

Should I use some other group in Step 12/Linux section of the referred guide?


Comments

Are you using certificates? I suggest making sure the full path is in the ovpn file, and not just a ./ or similar. If you are using username/password only, that may be an issue.

Nieldk ( 2018-03-06 09:03:08 +0200 )

The certs and keys are embedded on the ovpn file as per step 10 on the guide.

J24 ( 2018-03-06 09:15:21 +0200 )

Hi.

I usually check the logs this way:

devel-su journalctl -l -f | grep openvpn

If you don't see any messages while trying, restart journald with:

devel-su systemctl restart systemd-journald

And try again. (This has happened to me while trying this answer. :D)

Regards.

Pasko ( 2018-03-06 10:44:58 +0200 )

Using the journalctl command above, I get the following:

neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

I didn't follow the guide, but the behaviour is similar for me: works on the command-line, but doesn't using the UI.

Éibhear ( 2018-03-06 12:40:37 +0200 )
1

Hi @Éibhear

Instead, try this sequence (I suppose you're logging in remotely via ssh?)

nemo@sailfish > devel-su
root@sailfish > systemctl restart systemd-journald
root@sailfish > journalctl -l -f | grep openvpn

And then try to start the VPN from the GUI... keep in mind that once the VPN connection is established you may lose access via ssh :-)

Regards.

Pasko ( 2018-03-06 16:17:56 +0200 )

1 Answer

0

answered 2018-03-07 10:09:26 +0200

J24

updated 2018-03-07 10:15:21 +0200

With the help of logs I got it working. I had to comment the user and group directives in the ovpn file:

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

Leaving either of them uncommented gives the setuid/setgid error (see EDIT1 on the question).

This still raises two concerns:

  1. Is it now using the intended privileges or is not downgrading them a security issue?
  2. If the privileges are correct, the above settings should probably be ignored, so that they won't cause problems to users.

Comments

1

Thanks. It helped me too.

fcdk1982 ( 2018-03-07 23:46:29 +0200 )

Hi.

Glad you figured it out! :)

Regards.

Pasko ( 2018-03-09 12:14:21 +0200 )
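
For the first concern raised in the answer above, one way to see what the running client actually holds is to compare the active user/group directives in the .ovpn file with the effective IDs in /proc/<pid>/status. This is an added example, not part of the original thread; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: did the OpenVPN process give up root after start-up?

# Active (uncommented) user/group directives of an .ovpn file, comma-joined.
# Lines beginning with '#' or ';' are comments and do not match.
ovpn_drop_directives() {
    awk '$1 == "user" || $1 == "group" { out = out sep $1 "=" $2; sep = "," }
         END { print out }' "$1"
}

# One column of one line of a /proc/<pid>/status file.
# "Uid:"/"Gid:" rows are: real, effective, saved, filesystem (columns 2-5).
proc_field() {      # $1 = status file, $2 = key, $3 = column
    awk -v k="$2" -v c="$3" '$1 == k { print $c }' "$1"
}

# $1 = .ovpn file, $2 = /proc/<pid>/status file (or a saved copy of it)
audit_openvpn() {
    euid=$(proc_field "$2" Uid: 3)
    egid=$(proc_field "$2" Gid: 3)
    caps=$(proc_field "$2" CapEff: 2)
    conf=$(ovpn_drop_directives "$1")
    if [ -z "$euid" ] || [ -z "$egid" ]; then
        echo "verdict=unknown"; return 2      # status unreadable or gone
    elif [ "$euid" != 0 ] && [ "$egid" != 0 ]; then verdict=dropped
    elif [ "$euid" = 0 ] && [ "$egid" = 0 ]; then verdict=root
    else verdict=partial                       # only one of user/group dropped
    fi
    echo "verdict=$verdict euid=$euid egid=$egid capeff=$caps configured=${conf:-none}"
}

# Constructed sample input (not taken from a real device).
demo=$(mktemp -d)
printf '%s\n' 'client' '# Downgrade privileges after initialization' \
    ';user nobody' ';group nobody' > "$demo/commented.ovpn"
printf '%s\n' 'client' 'user nobody' 'group nobody' > "$demo/active.ovpn"
printf 'Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n' \
    > "$demo/root.status"
printf 'Uid:\t99\t99\t99\t99\nGid:\t99\t99\t99\t99\nCapEff:\t0000000000000000\n' \
    > "$demo/dropped.status"

audit_openvpn "$demo/commented.ovpn" "$demo/root.status"
audit_openvpn "$demo/active.ovpn" "$demo/dropped.status"
```

On the device, run audit_openvpn against the imported configuration and /proc/<pid>/status of the openvpn process while the connection is up. CapEff is printed because a process can have UID 0 and still hold a reduced capability set.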