
I'm trying to set up an OpenVPN Access Server in AWS using the Marketplace AMI, but I'm struggling to connect to it.

The access server is up and running. I've also added a user with Auto-Login and generated the relevant client config and certificates.

I then copied said files down to my machine and tried to connect using openvpn client.ovpn, but got the following output and error:

Wed Nov 26 12:41:10 2014 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Wed Nov 26 12:41:10 2014 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Nov 26 12:41:10 2014 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:10 2014 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:10 2014 Socket Buffers: R=[212992->200000] S=[212992->200000]
Wed Nov 26 12:41:10 2014 UDPv4 link local: [undef]
Wed Nov 26 12:41:10 2014 UDPv4 link remote: [AF_INET]<REMOVED_IP>:1194
Wed Nov 26 12:41:10 2014 TLS: Initial packet from [AF_INET]<REMOVED_IP>:1194, sid=2a06a918 c4ecc6df
Wed Nov 26 12:41:11 2014 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Nov 26 12:41:11 2014 VERIFY OK: nsCertType=SERVER
Wed Nov 26 12:41:11 2014 VERIFY OK: depth=0, CN=OpenVPN Server
Wed Nov 26 12:41:11 2014 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 26 12:41:11 2014 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:11 2014 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Nov 26 12:41:11 2014 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Nov 26 12:41:11 2014 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Nov 26 12:41:11 2014 [OpenVPN Server] Peer Connection Initiated with [AF_INET]54.173.232.46:1194
Wed Nov 26 12:41:14 2014 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Wed Nov 26 12:41:14 2014 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,comp-lzo yes,redirect-private def1,redirect-private bypass-dhcp,redirect-private autolocal,redirect-private bypass-dns,route-gateway 172.16.224.129,route 172.16.1.0 255.255.255.0,route 172.16.224.0 255.255.255.0,block-ipv6,ifconfig 172.16.224.131 255.255.255.128'
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.2)
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: timers and/or timeouts modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: explicit notify parm(s) modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: LZO parms modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: --ifconfig/up options modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: route options modified
Wed Nov 26 12:41:14 2014 OPTIONS IMPORT: route-related options modified
Wed Nov 26 12:41:14 2014 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=wlan0 HWADDR=c4:85:08:c9:14:f4
Wed Nov 26 12:41:14 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed Nov 26 12:41:14 2014 Exiting due to fatal error

Any idea what the problem is? I assume it's failing to create the tunnel due to the ERROR line?

I'm running server version 2.0.10, and the client version is:

OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_eurephia=yes enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_ifconfig_path=/sbin/ifconfig with_iproute_path=/sbin/ip with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_route_path=/sbin/route with_sysroot=no
Nakilon
Stephen Melrose

4 Answers


Looks like this is a simple matter of sudo.

sudo openvpn client.ovpn worked a treat.

Stephen Melrose

Creating the TUN or TAP adaptor requires privileges that you possibly don't have - hence the command works with sudo, but not without.

On my system, if the openvpn command is run like this:

sudo openvpn --config file.ovpn

then a device tun0 is created. Almost always, creating devices requires privileges.

user417751

Using Linux Mint, and connecting via the Network Manager UI (which does not prompt for a sudo pwd) -- I assumed it wasn't necessary. Turns out, this was the problem for me! Connecting via sudo from a terminal worked perfectly.

Josh M.

You could always run chmod u+s on the openvpn binary as root (setting uid 0).

sudo chmod u+s $(which openvpn)

This will allow a local user to execute the process as the root user. At this point your network manager/nm-applet stuff will also allow connection establishment.

  • Adding the SUID bit to an application can be a major security violation. – Rowan Hawkins Oct 02 '20 at 11:43
  • I don't fully disagree with you, yet having sudo without password protection is better? Yes, one can tweak sudoers to only allow passwordless use of a specific program, etc. However, it all depends on the type of exposure the machine is facing, right? Normally some applications need the SUID bit set to achieve a good experience, which is why I suggest it under this circumstance. This will also enable the use of NetworkManager, etc. – Rahmi Acar Oct 04 '20 at 20:03
  • sudo should always have password protection and it can be limited in the sudoers file to be a particular application per user. – Rowan Hawkins Oct 20 '20 at 20:39
  • Do you think it depends on circumstances or not? Do you think that some guy's desktop requires the same level of protection as a public service? Or do you think that a box that does not see exposure can be assumed to be pretty damn safe even if a program has suid 0? Many programs require this and come with systems by default as suid 0, you know. It all depends on the use of the system, same with sudo, even though I rate sudo more critical as scripts can abuse it. – Rahmi Acar Nov 22 '20 at 16:12
  • This is Server Fault, for Professional System Administrators in a business environment. What you are suggesting is bad business and security practice. In a business environment you never assume that any particular system is `safe` because it can be used as a vector to attack the rest of your network. If you want to do this in a home user situation, then you need to go back over to the Super User stack https://superuser.com/ – Rowan Hawkins Nov 24 '20 at 21:25
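The diagnosis in the accepted answers (TUNSETIFF fails without the privilege to create a tun device) and the set-uid versus scoped-sudoers debate in the last answer's comments, turned into a small POSIX shell helper. This is an added example, not code from the question or any answer; the sample log lines are copied from the question's output, while the binary path /usr/sbin/openvpn and the sudoers line format are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper (not from the question or any answer): is the client
# dying on the TUNSETIFF EPERM line, does the process hold CAP_NET_ADMIN, and is
# openvpn set-uid (the last answer's shortcut) vs. a scoped sudoers rule instead?

# Constructed sample: four lines taken from the question's client output.
SAMPLE_LOG='Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.3.2)
Wed Nov 26 12:41:14 2014 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.2)
Wed Nov 26 12:41:14 2014 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
Wed Nov 26 12:41:14 2014 Exiting due to fatal error'

# Read a client log on stdin; print tun-privilege, other-fatal or clean.
classify_ovpn_log() {
  log=$(cat)
  if printf '%s\n' "$log" | grep -q 'Cannot ioctl TUNSETIFF.*Operation not permitted'; then
    echo tun-privilege
  elif printf '%s\n' "$log" | grep -q 'Exiting due to fatal error'; then
    echo other-fatal
  else
    echo clean
  fi
}

# Pushed options the client did not understand: version skew (2.0.10 vs 2.3.2), not the fatal cause.
count_unknown_push_opts() {
  grep -c 'Unrecognized option or missing parameter' || true
}

# Does a CapEff hex mask (format of /proc/<pid>/status) include CAP_NET_ADMIN (bit 12)?
# TUNSETIFF needs it; an unprivileged user's effective set is all zeros, hence the EPERM.
has_net_admin_cap() {
  low16=$(printf '%s' "${1:-0}" | tail -c 4)      # lowest 16 bits of the mask
  [ $(( 0x$low16 & 0x1000 )) -ne 0 ] && echo yes || echo no
}

# A set-uid openvpn lets any local user run it as root; test -u is POSIX.
setuid_state() {
  [ -u "$1" ] && echo setuid || echo plain
}

# Least-privilege alternative: one user, one command, one config, password still
# required. The binary path and the config path are assumptions.
sudoers_line() {
  printf '%s ALL=(root) /usr/sbin/openvpn --config %s\n' "$1" "$2"
}

printf '%s\n' "$SAMPLE_LOG" | classify_ovpn_log              # tun-privilege
printf '%s\n' "$SAMPLE_LOG" | count_unknown_push_opts        # 2
has_net_admin_cap "$(awk '/^CapEff/ {print $2}' /proc/self/status 2>/dev/null || echo 0)"
setuid_state "$(command -v openvpn || echo /usr/sbin/openvpn)"
```

Run it once as the normal user and once under sudo: the capability check flips from no to yes, while setuid_state should stay plain on a correctly configured host.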