Hello Ken,
thanks for this detailed report.
You brought me to a working solution.
I'll just create another symlink under /var/tmp/openvpn to the already encrypted directory where the openvpn files are and hope it works. I can't test it until next week, when I'm physically present at the remote site.
From this I would tend to conclude that the openvpn program is coded not to allow the log files to be written to the /home directory tree. I am not sure about /tmp - I think that may be a special animal. However...
That's very strange, it is exactly the same openvpn binary.
On both systems
which openvpn
/usr/sbin/openvpn
md5sum /usr/sbin/openvpn
f2e5cf5fba33186e739031d2fed42429 /usr/sbin/openvpn
Update: You gave me the important hint: if the binaries are identical, it could be the service file, but on both they are identical.
cat /lib/systemd/system/openvpn@.service
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
What puzzled me was the option "ProtectSystem".
According to
https://gist.github.com/ageis/f5595e59b ... 25a323db04
ProtectSystem
Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used, ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. Defaults to off.
So only the /usr and /boot directories should be made non-writable by this option.
Then I added a line to /lib/systemd/system/openvpn@.service under [Service]
But even after adding
still no log is written to that folder. It's very, very strange.
PS: I have no experience with crypttab. So do you need a monitor and a keyboard to enter the key, or is it also possible to connect via ssh and then enter the password? For me the second shouldn't be possible, because the ssh key, password and user should also be encrypted when it is used as a fully encrypted system.
PPS: If you read that it works, then sorry, that was my mistake. I was in the wrong ssh tab, on the system where it worked anyway.
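The unit file quoted in this post carries two sandboxing directives that decide where a log written by the service actually ends up: ProtectSystem= (the read-only mounts described in the quoted documentation) and PrivateTmp= (a per-service /tmp and /var/tmp that the host's shell does not see, which is why /tmp behaves like a "special animal" and why anything placed under /var/tmp/openvpn from a host shell is invisible to the service). The script below is an added example, not code from the poster, Ken, OpenVPN or systemd: it parses a [Service] section and predicts the outcome of a file write under those directives (plus ProtectHome=, ReadWritePaths=, ReadOnlyPaths= and InaccessiblePaths=), and builds a systemd-run command to check the prediction on a real host. The SAMPLE_UNIT is a constructed cut-down copy of the unit posted above; the verdict names, the function names and the simplifying rule that ReadWritePaths= only overrides read-only protections (not InaccessiblePaths=, PrivateTmp= or ProtectHome=tmpfs) are assumptions of this model. It deliberately ignores Unix permissions, the user/group the daemon drops to and --chroot, so "allowed" only means the unit's sandbox is not what blocks the write.

```python
"""Predict whether a systemd-sandboxed service can create a file at a path.

Added example for the thread above; models only the directives listed in
the lead-in, not file permissions, privilege dropping or --chroot.
"""
import posixpath
import shlex

# Constructed sample: the [Service] directives from the unit posted in the thread.
SAMPLE_UNIT = """\
[Unit]
Description=OpenVPN connection to %i
[Service]
PrivateTmp=true
ProtectSystem=yes
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --config /etc/openvpn/%i.conf
[Install]
WantedBy=multi-user.target
"""

LIST_KEYS = ("ReadWritePaths", "ReadOnlyPaths", "InaccessiblePaths")
API_FS = ("/dev", "/proc", "/sys")        # left writable even by ProtectSystem=strict
BOOT_DIRS = ("/usr", "/boot", "/efi")     # /efi is covered by newer systemd releases
HOME_DIRS = ("/home", "/root", "/run/user")
TMP_DIRS = ("/tmp", "/var/tmp")           # both are private under PrivateTmp=


def parse_service(unit_text):
    """Return the [Service] section as a dict. Path-list keys accumulate over
    repeated assignments and are reset by an empty assignment, as in systemd."""
    props, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            # '-' marks an optional path and '+' a path relative to RootDirectory=
            new = [p.lstrip("-+") for p in value.split()]
            props[key] = [] if value == "" else props.get(key, []) + new
        else:
            props[key] = value
    return props


def _under(path, prefix):
    """True if path equals prefix or lies somewhere below it."""
    prefix = posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def _on(value):
    return str(value).lower() in ("1", "yes", "true", "on")


def predict_write(props, path):
    """Verdict for creating a file at path: 'inaccessible', 'read-only',
    'private-tmp' (the write succeeds, but into a per-service mount the host
    does not see) or 'allowed' (nothing in the unit's sandbox blocks it)."""
    path = posixpath.normpath(path)
    if any(_under(path, p) for p in props.get("InaccessiblePaths", [])):
        return "inaccessible"
    if _on(props.get("PrivateTmp", "no")) and any(_under(path, t) for t in TMP_DIRS):
        return "private-tmp"
    home = props.get("ProtectHome", "no")
    in_home = any(_under(path, h) for h in HOME_DIRS)
    if in_home and _on(home):
        return "inaccessible"
    if in_home and home == "tmpfs":
        return "private-tmp"  # empty tmpfs over /home: same symptom as PrivateTmp=
    # Model assumption: ReadWritePaths= only punches holes in read-only mounts.
    if any(_under(path, p) for p in props.get("ReadWritePaths", [])):
        return "allowed"
    if any(_under(path, p) for p in props.get("ReadOnlyPaths", [])):
        return "read-only"
    if in_home and home == "read-only":
        return "read-only"
    system = props.get("ProtectSystem", "no")
    if system == "strict":
        return "allowed" if any(_under(path, a) for a in API_FS) else "read-only"
    if system == "full" and _under(path, "/etc"):
        return "read-only"
    if (_on(system) or system == "full") and any(_under(path, d) for d in BOOT_DIRS):
        return "read-only"
    return "allowed"


def probe_command(props, path):
    """systemd-run command (run as root) that re-creates the unit's sandbox
    directives and tries the write, so the prediction can be checked live."""
    flags = []
    for key in ("ProtectSystem", "ProtectHome", "PrivateTmp") + LIST_KEYS:
        value = props.get(key)
        if not value:
            continue
        if isinstance(value, list):
            value = " ".join(value)
        flags.append("-p " + shlex.quote(f"{key}={value}"))
    inner = f"touch {shlex.quote(path)} && ls -l {shlex.quote(path)}"
    return " ".join(["systemd-run", "--wait", "--pipe", *flags, "/bin/sh", "-c", shlex.quote(inner)])


if __name__ == "__main__":
    unit = parse_service(SAMPLE_UNIT)
    for target in ("/var/tmp/openvpn/client.log", "/usr/local/client.log",
                   "/home/user/openvpn.log", "/etc/openvpn/client.log"):
        print(f"{target}: {predict_write(unit, target)}")
    print(probe_command(unit, "/var/tmp/openvpn/client.log"))
```

For the posted unit, the model reports "private-tmp" for anything under /var/tmp, "read-only" for /usr and /boot, and "allowed" for /home and /etc; a failure to write under /home therefore has to come from something the unit file does not show (the user/group the daemon drops to, directory permissions, or the encrypted home not being mounted when the service starts). After running the probe command, look for the file from a normal shell on the host: under PrivateTmp= the touch and ls inside the sandbox succeed while the host's /var/tmp stays empty.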