# [SOLVED] Openvpn client-connect causes auth failure

## Kresp

I want Openvpn to send an email every time somebody connects.

However, if I set client-connect option in openvpn.conf on the server, it causes auth failure:

```
[server] Peer Connection Initiated with [AF_INET]10.18.0.1:25250
SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
AUTH: Received control message: AUTH_FAILED
SIGTERM[soft,auth-failure] received, process exiting
```

This is if I run openvpn manually with sudo.

When starting it as OpenRC service, it stays inactive indefinitely.

Config option goes like this:

```
client-connect /etc/openvpn/notify.sh
```

I checked permissions, and tested with different paths, including /tmp , 777 permissions, and by using /bin/true as the program to run.

Script just contains exit 0 .

Without this option everything works flawlessly.

OpenVPN is 2.4.3.

Last edited by Kresp on Thu Sep 28, 2017 4:34 am; edited 1 time in total

----------

## Maxxx

Try to add this line:

```
script-security 3 system
```

in your openvpn.conf

----------

## Kresp

 *Maxxx wrote:*   

> Try to add this line:
> 
> ```
> script-security 3 system
> ```
> ...


"Method" was removed after version 2.3.

script-security 3 and script-security 2 work well with client-connect /bin/true but return auth failure with client-connect /path/to/script.sh even with valid permissions for the file.

Getting there.

Will check it out further later. It probably needs to be client-connect /bin/sh /path/to/script.sh or something like that.

----------

## Kresp

Shebang was missing in my script. It all works now.

However, there's another problem:

My script will contain an e-mail address/password, but OpenVPN does not run as root, but as nobody.

I obviously don't want to give o+r permission.

Is chowning the file to nobody:nobody bad practice? Like this:

```
$ ls -lah /etc/openvpn/
total 88K
drwxr-xr-x  2 root   root   4.0K Sep 28 09:17 .
drwxr-xr-x 60 root   root   4.0K Sep 24 11:29 ..
-rwxr-xr-x  1 root   root    943 Sep  5 20:44 down.sh
-rwx------  1 nobody nobody   55 Sep 28 09:16 notify.sh
-rw-r--r--  1 root   root    881 Sep 28 09:17 openvpn.conf
-rwxr-xr-x  1 root   root   2.8K Sep  5 20:44 up.sh
```

----------

## Hu

In general, nobody should be able to read sensitive passwords.

As I interpret the ebuild, the VPN server should be running as the dedicated openvpn user, not as the generic nobody user.  Are you seeing different results?  If so, was that the default or did you change it?

----------

## Kresp

Well, I have

```
user nobody
group nobody
```

in my server config - that's what developers recommend:

https://community.openvpn.net/openvpn/wiki/HOWTO#usergroupnon-Windowsonly

https://community.openvpn.net/openvpn/wiki/HOWTO#Editingtheserverconfigurationfile

----------

## Hu

That recommendation was popular a decade ago.  Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server.  The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account.  You should use a dedicated faceless account.  Gentoo creates for you the openvpn faceless user for this purpose.  You should use that, not nobody.
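The points raised in this thread (a client-connect script needs a shebang and must exit 0 or the client gets AUTH_FAILED, and the mail credentials should not be readable by "other" once OpenVPN has dropped to a dedicated user) can be combined into one script. The following is an added example, not Kresp's notify.sh; it assumes OpenVPN runs as the openvpn user/group, that a separate credential file /etc/openvpn/notify.cred (root:openvpn, mode 0640) defines SMTP_HOST, SMTP_FROM, SMTP_USER, SMTP_PASS and NOTIFY_TO, and that curl is installed for SMTP delivery.

```shell
#!/bin/sh
# Added example, not Kresp's notify.sh. Assumed layout: OpenVPN runs as the
# dedicated "openvpn" user/group, this script is root-owned 0755, and the mail
# credentials sit in a separate file owned root:openvpn with mode 0640, so the
# service user can read them and no other account can.
CRED_FILE="${CRED_FILE:-/etc/openvpn/notify.cred}"

# 0 if the file exists and "other" has no permission bits, 1 otherwise.
# Parses ls -l so it runs under any POSIX sh (no GNU stat needed).
cred_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c8-10)" in
        ---) return 0 ;;
        *)   return 1 ;;
    esac
}

# Builds an RFC 822 style message from the variables OpenVPN exports to
# client-connect scripts (common_name, trusted_ip, trusted_port,
# ifconfig_pool_remote_ip, time_unix), using "?" for any that are unset.
build_message() {
    printf 'To: %s\nSubject: OpenVPN client connected\n\nCN: %s\nfrom: %s:%s\nassigned VPN IP: %s\nunix time: %s\n' \
        "${NOTIFY_TO:-root}" "${common_name:-?}" "${trusted_ip:-?}" \
        "${trusted_port:-?}" "${ifconfig_pool_remote_ip:-?}" "${time_unix:-?}"
}

# Delivers stdin over SMTP with curl (assumed installed); the credential file
# is expected to define SMTP_HOST, SMTP_FROM, SMTP_USER, SMTP_PASS, NOTIFY_TO.
send_mail() {
    curl --silent --show-error --url "smtp://${SMTP_HOST}" \
         --mail-from "${SMTP_FROM}" --mail-rcpt "${NOTIFY_TO}" \
         --user "${SMTP_USER}:${SMTP_PASS}" -T -
}

notify() {
    if ! cred_file_is_private "$CRED_FILE"; then
        echo "notify.sh: $CRED_FILE missing or readable by others, not sending" >&2
        return 1
    fi
    . "$CRED_FILE"
    build_message | send_mail
}

# OpenVPN sets script_type=client-connect when it runs this script. A non-zero
# exit makes it reject the client (the AUTH_FAILED from the first post), so a
# failed notification is logged but never blocks the connection.
if [ "${script_type:-}" = "client-connect" ]; then
    notify || true
    exit 0
fi
```

With script-security 2 in openvpn.conf and the script installed root-owned and executable, OpenVPN invokes it after dropping privileges, so the credential file's group read bit is what lets the openvpn user reach the password while the missing "other" bits keep it from everyone else.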

----------

## Kresp

 *Hu wrote:*   

> That recommendation was popular a decade ago.  Recent security practice recognizes that running all the servers as the same faceless user means that a problem in any server exposes every server.  The developers are right to recommend that you drop privileges, but wrong to recommend that you drop to a widely used faceless account.  You should use a dedicated faceless account.  Gentoo creates for you the openvpn faceless user for this purpose.  You should use that, not nobody.


Ah, OK... That actually makes sense.

I'll switch to default openvpn user then.

----------

