OpenVPN can't write logfile to home folder

[RDPUser]

I'm using OpenVPN as a service. When in the config file

Code: Select all

log /var/log/vpn.log

everything works fine, but thats not where I want the log
When using

Code: Select all

log /home/pi/vpn.log

openvpn logs to syslog and tells

Code: Select all

 Warning: Error redirecting stdout/stderr to --log file: /home/pi/vpn.log: Permission denied (errno=13)

Whats going on here? I thought as service it is running as root and can write everywhere.

On an older PI this configuration works perfect writing the log to home folder

Update: As workaround: OpenVPN only creates the LOG at the desired location when the folder written to is own by root.

[epoch1970]

IIRC by default openvpn runs as user nobody.
You could change the owner of the process to "pi", but the best is to let openvpn write where it is allowed to under the default uid, and link that folder into your home dir. Everybody (e.g. "pi") has complete access to nobody's files.

[DougieLawson]

IIRC by default openvpn runs as user nobody.
You could change the owner of the process to "pi", but the best is to let openvpn write where it is allowed to under the default uid, and link that folder into your home dir. Everybody (e.g. "pi") has complete access to nobody's files.

On my system it's running with uid=openvpn gid=openvpn.
I've got it logging to /var/log/openvpn/openvpn.log and /var/log/openvpn/openvpn-status.log which are both owned by root.root.

[RDPUser]

I'm confused because

Code: Select all

 $ ps -aux | grep openvpn
root      8475  0.0  0.4   8424  4244 ?        Ss   16:55   0:06 /usr/sbin/openvpn --daemon ovpn-vpnverbindung --status /run/openvpn/vpnverbindung.status 10 --cd /etc/openvpn --config /etc/openvpn/vpnverbindung.conf --writepid /run/openvpn/vpnverbindung.pid
pi       25204  0.0  0.0   4776   548 pts/1    S+   20:58   0:00 grep --color=auto openvpn

shows its running as root.

Code: Select all

 ls -l /var/log/vpn.log
-rw------- 1 root root 1210 Jan  7 16:55 /var/log/vpn.log

I can't cat /var/log/vpn.log, must do it with sudo

[DougieLawson]

I'm using a systemd service file to get openvpn running.

With an openvpn configuration at /etc/openvpn/raspberry.conf then sudo systemctl enable openvpn@raspberry gets it enabled at boot time.

[taylorkh]

Do you have a User=root line in the [Service] stanza of your .service file? I was setting up a service to connect to ProtonVPN. It did not work until I added that line. I think it had more to do with finding the ProtonVPN configuration files than "who" was running the process. Might be worth trying.

Ken

[DougieLawson]

No. I'm using the openvpn@.service file that is part of the package.

My config file has

Code: Select all

user openvpn
group openvpn

[taylorkh]

Are you (your account where you wish to write the log files) a member of the openvpn group or have you granted the openvpn user access to the desired location? That might do the trick. If you sudo su openvpn you can then try creating a file in the desired location as if you were that user.

Ken

[RDPUser]

Trying to figure it out more.
There is no user openvpn on both systems. Folling "working" means that I can write log to /home/pi
I've compared groups of nobody, pi and root. There are no differences. On both the official openvpn via sudo apt install openvpn is installed.

Working:

Code: Select all

openvpn --version
OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

Code: Select all

cat /lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

Not working

Code: Select all

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

Code: Select all

cat /lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

With executing

Code: Select all

sudo openvpn --config /etc/openvpn/vpn.conf

it writes the log file to desired folder. After killing that instance and starting the service again, old log-file still exists, but isn't written into.
Googling for this error mainly shows issues about SELinux, but Raspian hasn't SELinux as far as I know. Am I wrong?

[RDPUser]

Can somebody help me?

[taylorkh]

Does openvpn do the vpn tasks which you need it to do? If it does, and going back to your earlier post... is using sudo to read the log in /var/log an insurmountable obstacle? Just wondering?

Ken

[RDPUser]

Yeah VPN is doing its task except writing log to the wrong place. I want the log at a secure/encrypted location thats why I need to change the location.

[taylorkh]

secure/encrypted location

I wonder if that is the issue? If /home/pi/ is encrypted that would seem to imply that user pi would have to unlock his/her encrypted storage at some point. Depending on how/when this is done, it might still be locked when root is trying to write the log file. At least that sounds like a possible cause.

Ken

[RDPUser]

Hallo Ken,

thanks for considering, however that is not the issue. /home/pi is untouched. The encrypted location lies somewhere lese. However as long as openvpn can't write to /home/pi the chances are very low that it can write to its intented location. BTW OpenVPN couldn't write to that location neither. The problem existed from begining without any encryption.

[taylorkh]

By the username Pi I suspect you are using Raspbian(?) Are you using openvpn as a service for incoming connections or to connect to a vpn server out on the Internet (provided by a commercial vpn provider)? I have used openvpn in the second way but not in the first - and not on Raspbian. Ubuntu Mate and CentOS do not seem to write any vpn log files when operating as a vpn client - the second case.

That said, assuming you are using openvpn as a server - for incoming connections - I would be willing to try and setup a similar configuration on my test Pi provided you can give me step by step directions to replicate what you have. In doing so you may find something which is causing your issue. I often find that when describing an issue in detail on a Linux forum. Sort of solve my own problem

Ken

[RDPUser]

By the username Pi I suspect you are using Raspbian(?) Are you using openvpn as a service for incoming connections or to connect to a vpn server out on the Internet (provided by a commercial vpn provider)? I have used openvpn in the second way but not in the first - and not on Raspbian. Ubuntu Mate and CentOS do not seem to write any vpn log files when operating as a vpn client - the second case.

That said, assuming you are using openvpn as a server - for incoming connections - I would be willing to try and setup a similar configuration on my test Pi provided you can give me step by step directions to replicate what you have. In doing so you may find something which is causing your issue. I often find that when describing an issue in detail on a Linux forum. Sort of solve my own problem

Ken

Wow, thank you very much for helping me by setting up a similiar configuration.

I take the PI to connect to my own VPN server. However thats not important. Actually OpenVPN has not connect to everywhere. Even creating a nonworking configuration will lead to output which is not redirected to the path where it should. The log file is written by the directive "log /home/pi/vpn.log"

I just did the steps again with a fresh raspbian and same problem. So I describe step by step.

1. Download Raspbian from https://www.raspberrypi.org/downloads/raspbian/ Take

Raspbian Stretch with desktop
Image with desktop based on Debian Stretch
Version: November 2018
Release date: 2018-11-13
Kernel version: 4.14
Release notes: Link

2. Flash it with Etcher to SD-Card
3. Create a file "ssh" on boot partition
4. Boot the Raspi with this card and connect via SSH
5. Setup OpenVPN with

Code: Select all

sudo apt install openvpn
cd /etc/openvpn
sudo nano vpn.conf
within vpn.conf write and save (without the dashes '-----')
-----
log /home/pi/vpn.log
remote bla.la
key nokey.txt
-----
sudo systemctl daemon-reload #otherwise new configuration file is not recoginized. OpenVPN will tell you a sucessfull start but actually it starts up with no configuration at all. Changes thereafter within the file only need sudo /etc/init.d/openvpn restart
sudo /etc/init.d/openvpn restart #to restart it and initialize with the just created config

Now try sudo cat /home/pi/vpn.log That file wont exist
Execute cat /var/log/syslog and you'll see

Code: Select all

Jan 17 18:42:09 raspberrypi systemd[1]: Stopping OpenVPN service...
Jan 17 18:42:09 raspberrypi systemd[1]: Starting OpenVPN service...
Jan 17 18:42:09 raspberrypi systemd[1]: Starting OpenVPN connection to vpn...
Jan 17 18:42:09 raspberrypi ovpn-vpn[2006]: Warning: Error redirecting stdout/stderr to --log file: /home/pi/vpn.log: Permission denied (errno=13)
Jan 17 18:42:09 raspberrypi ovpn-vpn[2006]: disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jan 17 18:42:09 raspberrypi ovpn-vpn[2006]: Options error: You must define TUN/TAP device (--dev)
Jan 17 18:42:09 raspberrypi ovpn-vpn[2006]: Use --help for more information.

Important is that line

Code: Select all

Jan 17 18:42:09 raspberrypi ovpn-vpn[2006]: Warning: Error redirecting stdout/stderr to --log file: /home/pi/vpn.log: Permission denied (errno=13)

[RDPUser]

If it helps you to have a configuration where openvpn is running instead of exiting to see which user openvpn is running, please execute
cd /etc/openvpn
sudo openvpn --genkey --secret nokey.txt

And take this config

Code: Select all

log /home/pi/vpn.log
remote bla.la.nonexistent8
secret nokey.txt
dev tun
proto udp

Remember sudo /etc/init.d/openvpn restart (be careful not to take reload parameter, that won't help)

[taylorkh]

I have a newly imaged and updated Raspberian stretch installation which I built yesterday. I have done nothing but set the locale and let it run the updates. I will try setting up your configuration and let you know what I find.

Ken

[taylorkh]

I configured my system as you described. I can confirm your findings. If I omit the log /home/pi/vpn.log entry in /etc/openvpn/vpn.conf I find the log file in /var/log as I would expect. I did observe that the permissions on /var/log/vpn/log were 600. This makes me think that the log path may be hard coded into the openvpn program along with instructions to lock down the log file from 644.

I had company come over and did not get to dig any further this evening. I will look some more in the morning.

Ken

[RDPUser]

Thanks for your fast analyze.

This makes me think that the log path may be hard coded into the openvpn program along with instructions to lock down the log file from 644.

Just a hint. On other Raspberry OpenVPN also installed via apt get and same version, OpenVPN can write to home directory.

[taylorkh]

Good morning RDPUser,

As I posted last evening I was able to reproduce your issue exactly. Then I got distracted by some other things. I am back at it this morning and here are the results of my experimentation. I tried different locations and names for the vpn log as described below. Some worked and some did not work.

---------- worked OK ------------

log /var/log/vpn.log

log /var/log/myvpn.log

mkdir /var/log/george
log /var/log/george/vpn.log

log /root/vpn.log

log /etc/vpn.log

made my own directory off root...

pi@raspberrypi:~ $ sudo mkdir /mylogs
pi@raspberrypi:~ $ ls -ld /mylogs/
drwxr-xr-x 2 root root 4096 Jan 18 08:15 /mylogs/
log /mylogs/vpn.log

---------- did not work ------------

log /tmp/vpn.log (no error but no log created)

chmod 777 on /home/pi and try to write log there

adduser ken (did not create home/ken, assign shell etc.)
mkdir /home/ken
chown ken /home/ken
log /home/ken/vpn.log

----------------------------------------

From this I would tend to conclude that the openvpn program is coded not to allow the log files to be written to the /home directory tree. I am not sure about /tmp - I think that may be a special animal. However...

As I can make my own directory (off /) and put the log there... Might that provide a way forward? If you create an encrypted partition, mount it with a key file using /etc/crypttab and /etc/fstab and write the files there? or if YOU want to have sole access to the encrypted data - unlock and mount the encrypted partiton manually and start openvpn manually?

Ken

p.s. Let me know if you need help with crypttab. I have that in place on my servers and it works well. I also have a systemctl service/unit file and script in beta which will look for a specific USB flash drive by UUID at boot, if it is present it will be mounted and the key file on the flash drive used to unlock the hard drives. If the flash drive is not present the machine will continue to boot with the drives locked. If crypttab cannot find the necessary key file system hangs and never boots.

[RDPUser]

Hallo Ken,

thanks for this detailled report.

You brought me to a working solution.
I just create another symlink under /var/tmp/openvpn to the already encrypted directory where the openvpn files are and hope it works. Can't test it next week when I'm physically present at remote site.

From this I would tend to conclude that the openvpn program is coded not to allow the log files to be written to the /home directory tree. I am not sure about /tmp - I think that may be a special animal. However...

Thats very strange, it is exact the same openvpn binary.

On both systems

which openvpn
/usr/sbin/openvpn

md5sum /usr/sbin/openvpn
f2e5cf5fba33186e739031d2fed42429 /usr/sbin/openvpn

Update: You gave me the important hint: If binary are identical, it could be the service file, but on both, they are identical

Code: Select all

 cat /lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

What me wondered was the Option "ProtectSystem"
According to https://gist.github.com/ageis/f5595e59b ... 25a323db04

ProtectSystem

Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used, ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. Defaults to off.

So only /usr and /boot directory should not be writable by this option.
Then I added a line in cat /lib/systemd/system/openvpn@.service under [Service]
But even after adding

Code: Select all

ReadWritePaths=/home/pi

no log is still written to that folder. Its very very strange.

PS: Have no experience with crypttab So you need a monitor and a keyboard to enter key or is it also possible to connect via ssh und then enter password. For me the second shouldn't be possible because ssh key, password and user should also be encrypted when it is uses as full encrypted system.

PPS: If you've read it works, then sorry, it was my mistake. I was in the wrong ssh tab with the system where it worked anyway.

[taylorkh]

Glad to help.

Raspbian is rather strange from what I have seen. I am using Ubuntu Mate 18.04 on my Pi's. I have not tried the openvpn log issue on Ubuntu yet. At the moment I am attempting to move a working image from a 16 GB card to a 64 GB card so I can add my music collection to it. It will be a jukebox in my workshop. So far, no go.

As to crypttab...

As I am using it, I boot the server from a USB flash drive - allows me to use all 4 SATA ports for data drives. On the boot drive in /root/ I have the key file called my_key in this example. The /etc/crypttab entry would be:

# <target name> <source device> <key file> <options>
secret1a /dev/disk/by-uuid/51747c03-03f3-4fda-8bdd-c44b08f0e247 /root/my_key luks

and in /etc/fstab

/dev/mapper/secret1a /data/data22.1a ext4 defaults,nofail 0 1

This will unlock the partition on the drive and mount it at /data/data22.1a upon boot.

My naming scheme is 22 is from the server name, 1a is the first of a pair of drives. I manually sync the data on 1a to 1b. The main reason for encrypting the drives is in the event that a LARGE (4 6 or 8 TB) drive goes bad in warranty I do not want to throw it away. Nor do I want to return it to the manufactured with my data on it. If it is broken I obviously cannot wipe it with any degree of confidence. And, by having the OS on a flash drive... if a black helicopter shows up I can power down the servers, pull and destroy the flash drive and the data is quite securely encrypted I have returned a defective encrypted drive. I have not seen a black helicopter. That said...

The process to create an encrypted partition, file system, loopback file etc. is done with the program cryptsetup. There is a lot of good documentation on-line about using cryptsetup and LUKS (Linux Unified Key Setup.) As to the key file.. You can generate a key file or just use any small binary file which you have handy. A picture, .mp3, program shared library it does not matter. And if you remember what the file is (before you rename it to my_key or some other key sounding file) you might be able to find another copy of it gets lost

Ken

[taylorkh]

p.s. The cruypttab process I described works on my headless servers. No intervention is required. If you are considering whole disk encryption for the operating system... that can be done but from my experience it requires a pass phrase to be entered to boot the machine, On the other hand I have set up an encrypted swap space which does not require interaction. It gets re-encrypted each time the machine boots and thus anything on it is lost.

If you want to protect the logs in the event that someone makes off with the Pi then you would have to unlock the resource and take the key with you. If you want to keep out snoopers while the machine is running... having the log owned by root with 600 permissions is probably just as good as writing them to an encrypted resource.

Ken

[RDPUser]

Hallo Ken,

thanks for all your support. I had another idea, because you wrote just creating a directory under / works, so I tried just writing into a directory that owns root and bingo. Now I have unter /home/pi/logs a directory owned by root (chown) and logs are written. Very strange, but it works. On the other PI, it was from an older image, folder owner is still PI.