StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

Updated the wiki: https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client #842

Open rainkinz opened 7 years ago

rainkinz commented 7 years ago

Hi,

I added the following to this entry in the wiki:

https://github.com/jlund/streisand/wiki/Setting-an-OpenWrt-Based-Router-as-OpenVPN-Client

I hope that's ok. It is what worked for me. Please feel free to remove if it's wrong or not wanted.


13) Connecting clients behind the client router

Say you're a road warrior and have setup an OpenVPN connection to the server running Streisand. You might want to connect to clients running on the OpenWrt LAN. To do this on the server running Streisand:

client-config-dir /etc/openvpn/ccd
route 192.168.10.0 255.255.255.0
# and in /etc/openvpn/ccd/<client CN> (not in the server config):
iroute 192.168.10.0 255.255.255.0

Where 192.168.10.0 is your LAN network. So you will need to adjust appropriately.

alimakki commented 7 years ago

@rainkinz, thank you for this!

cpu commented 7 years ago

@rainkinz I really appreciate you figuring this process out & writing it down. That said, I'm hesitant to see the wiki used for this purpose. I just went and looked at the wiki for the first time and had to delete three pages that had no information.

I think there needs to be a clear delineation between docs we intend to support as a project and community docs that are external. For supported docs I'd prefer to see a .md file added to the docs/ folder as a pull request. This means that the text can be reviewed before it is added and there is central change control and history. For community docs I'd rather see them posted on a blog or somewhere external to the repo & referenced with a link from here.

@alimakki @jlund Do you think this content is something you're interested in officially supporting & maintaining? If so then I propose we ask that this be submitted via a PR and we turn off the Wiki on this repo. If it isn't something that we want to maintain officially I propose we move it outside of the repo and add a link. My own vote is that we don't have the resources to keep this tested & up to date and it should probably be an external guide. I'm happy to go either way based on group consensus.

EDIT: Oops! I'm just realizing this was likely a pre-existing page and @rainkinz was just adding to it. I still think now is the right time to decide on the future of the page/project wiki.

nopdotcom commented 7 years ago

+1. Another thought is making a streisand-doc-contrib repository. When somebody wants to contribute new_platform, request a PR for streisand-doc-contrib/$new_platform/index.md and any images. More than one person wants to document LEDE? OK, make them both their $new_platform-$username, and let other people fight about how to merge.

The downside of a contrib repository is that it’s not necessarily in sync with the main one. But it’s contributed docs: ones we don’t think are important enough to force through the normal release process.

(I’m using the term “we” to mean “project managers”, although it feels sort of odd to write “we” and purposefully not include myself.)

rainkinz commented 7 years ago

Any of those options sound good to me. Would it be terrible to have a doc/contrib/$new_platform/index.md directory in the main project?

cpu commented 7 years ago

@rainkinz Thanks for being open to the discussion!

Another thought is making a streisand-doc-contrib repository. When somebody wants to contribute new_platform, request a PR for streisand-doc-contrib/$new_platform/index.md and any images. More than one person wants to document LEDE? OK, make them both their $new_platform-$username, and let other people fight about how to merge.

@nopdotcom I like that idea. @jlund @alimakki What do you think?

Any of those options sound good to me. Would it be terrible to have a doc/contrib/$new_platform/index.md directory in the main project?

@rainkinz That sounds OK to me but I would prefer the separate repository approach because it means we could more easily elevate folks like yourself that frequently contribute good docs updates to an access level that allows you to review & merge docs PRs. If we put the contrib docs in the main repository it would mean a smaller set of individuals can merge since there's no way to scope the access to just subfolders of the project.

rainkinz commented 7 years ago

@cpu that all sounds good to me.

cpu commented 7 years ago

@jlund @alimakki @nickolasclarke Thoughts?

nickolasclarke commented 7 years ago

@cpu my only hesitation is that that will mean we have 3 repos for streisand related stuff. Perhaps we could use streisand-discussions to house that code and keep things more concise? I'm not highly opinionated either way though. I think having a way to bring in more regular contributors is great.

cpu commented 7 years ago

Perhaps we could use streisand-discussions to house that code and keep things more concise?

I think the title of the repository would make that a little bit confusing.

nickolasclarke commented 7 years ago

@cpu yeah, I thought that as well. It's pretty new and not widely used yet, names can be changed.

damko commented 6 years ago

I tried to use the directive

client-config-dir /etc/openvpn/ccd

but it doesn't work for me.

When the client tries to connect syslog says:

Could not access file '/etc/openvpn/ccd/scheme.angle' Permission denied (errno=13)

The file is there. I tried with the silliest rights with no difference. I even moved the folder to /tmp. It feels like there's a jail or something in the way. Any tip?

cpu commented 6 years ago

@rainkinz Do you have any advice for @damko? Have you seen the problem they report with the client-config-dir permissions error?

rainkinz commented 6 years ago

@damko What is the output of:

ls -l /etc/openvpn/ccd

I don't know what that scheme.angle file would be? There should only be *.ovpn files in there I think.

alimakki commented 6 years ago

@rainkinz We previously used to have a list of vpn client names for OpenVPN, since then we've rolled out multiple client generations for various VPNs we have. As such, we generate client names from the BIP-0039 wordlist. scheme.angle is one such randomly generated client name.

rainkinz commented 6 years ago

Ah, I see. Anyway, I'm sure you've looked at this, but what is the output of:

ls -l /etc/openvpn/ccd

and what user is the openvpn running as? Usually something like nobody, so make sure that user can see the files in that directory. e.g.

sudo su - nobody
ls -l /etc/openvpn/ccd
ls -l /etc/openvpn/ccd/scheme.angle

or similar. If they aren't readable by the nobody user then I think that is your problem. You will need to make them readable for the user that ultimately runs the openvpn daemon.

damko commented 6 years ago

@rainkinz "I don't know what that scheme.angle file would be?" It comes from

openssl x509 -in /etc/openvpn/scheme.angle/client.crt -noout -subject

subject= /C=US/ST=California/L=Beverly Hills/O=ACME CORPORATION/OU=Anvil Department/CN=scheme.angle

Basically the client will present itself to the server by using the CN present in its own certificate (written in the .ovpn file) and then openvpn will look in ccd/ for a file named in the same way.


The only way I've found so far to make the client-config-dir work is to run openvpn as user and group root.

If I try to run it as nobody:nogroup I can't overcome the permission problem, because the issue is in the filesystem, not in openvpn:

root@streisand:~# user="nobody"
root@streisand:~# dir="/test"
root@streisand:~# mkdir /test
root@streisand:~# touch /test/delme
root@streisand:~# chown nobody:nogroup -R /test
root@streisand:~# su -m $user -c "test -r $dir" || echo "$dir is not readable"
root@streisand:~# su -m $user -c "ls $dir"
delme

So far, so good. Now

root@streisand:~# ls -l /etc/openvpn/
...
drwxrwxrwx   2 nobody nogroup 4096 Dec  6 02:02 ccd/
...
root@streisand:~# dir="/etc/openvpn/ccd"
root@streisand:~# su -m $user -c "test -r $dir" || echo "$dir is not readable"
/etc/openvpn/ccd is not readable
root@streisand:~# su -m $user -c "ls $dir"
ls: cannot access '/etc/openvpn/ccd': Permission denied

And

root@streisand:~# dir="/etc/openvpn"
root@streisand:~# su -m $user -c "test -r $dir" || echo "$dir is not readable"
root@streisand:~# su -m $user -c "ls -l $dir"
ls: cannot access '/etc/openvpn/ccd': Permission denied
ls: cannot access '/etc/openvpn/serial.old': Permission denied
ls: cannot access '/etc/openvpn/scheme.angle': Permission denied
ls: cannot access '/etc/openvpn/bottom.tunnel': Permission denied
ls: cannot access '/etc/openvpn/garlic.wealth': Permission denied
ls: cannot access '/etc/openvpn/index.txt.attr': Permission denied
ls: cannot access '/etc/openvpn/oven.emerge': Permission denied
ls: cannot access '/etc/openvpn/sugar.benefit': Permission denied
ls: cannot access '/etc/openvpn/fresh.pretty': Permission denied
ls: cannot access '/etc/openvpn/ta.key': Permission denied
ls: cannot access '/etc/openvpn/01.pem': Permission denied
ls: cannot access '/etc/openvpn/alcohol.village': Permission denied
ls: cannot access '/etc/openvpn/income.strategy': Permission denied
ls: cannot access '/etc/openvpn/return.ten': Permission denied
ls: cannot access '/etc/openvpn/server-udp.conf': Permission denied
ls: cannot access '/etc/openvpn/openvpn_server_common_name': Permission denied
ls: cannot access '/etc/openvpn/ca.key': Permission denied
ls: cannot access '/etc/openvpn/server.key': Permission denied
ls: cannot access '/etc/openvpn/index.txt': Permission denied
ls: cannot access '/etc/openvpn/server.csr': Permission denied
ls: cannot access '/etc/openvpn/index.txt.old': Permission denied
ls: cannot access '/etc/openvpn/fiction.elite': Permission denied
ls: cannot access '/etc/openvpn/ca.crt': Permission denied
ls: cannot access '/etc/openvpn/grant.bargain': Permission denied
ls: cannot access '/etc/openvpn/rigid.advice': Permission denied
ls: cannot access '/etc/openvpn/noise.black': Permission denied
ls: cannot access '/etc/openvpn/book.piece': Permission denied
ls: cannot access '/etc/openvpn/shiver.remember': Permission denied
ls: cannot access '/etc/openvpn/server.crt': Permission denied
ls: cannot access '/etc/openvpn/solid.shock': Permission denied
ls: cannot access '/etc/openvpn/until.chalk': Permission denied
ls: cannot access '/etc/openvpn/ca.srl': Permission denied
ls: cannot access '/etc/openvpn/server.conf': Permission denied
ls: cannot access '/etc/openvpn/mushroom.dismiss': Permission denied
ls: cannot access '/etc/openvpn/trash': Permission denied
ls: cannot access '/etc/openvpn/serial': Permission denied
ls: cannot access '/etc/openvpn/update-resolv-conf': Permission denied
ls: cannot access '/etc/openvpn/delay.exact': Permission denied
ls: cannot access '/etc/openvpn/openssl.cnf': Permission denied
ls: cannot access '/etc/openvpn/pd': Permission denied
total 0
-????????? ? ? ? ?            ? 01.pem
d????????? ? ? ? ?            ? alcohol.village
d????????? ? ? ? ?            ? book.piece
d????????? ? ? ? ?            ? bottom.tunnel
-????????? ? ? ? ?            ? ca.crt
-????????? ? ? ? ?            ? ca.key
-????????? ? ? ? ?            ? ca.srl
d????????? ? ? ? ?            ? ccd
d????????? ? ? ? ?            ? delay.exact
d????????? ? ? ? ?            ? fiction.elite
d????????? ? ? ? ?            ? fresh.pretty
d????????? ? ? ? ?            ? garlic.wealth
d????????? ? ? ? ?            ? grant.bargain
d????????? ? ? ? ?            ? income.strategy
-????????? ? ? ? ?            ? index.txt
-????????? ? ? ? ?            ? index.txt.attr
-????????? ? ? ? ?            ? index.txt.old
d????????? ? ? ? ?            ? mushroom.dismiss
d????????? ? ? ? ?            ? noise.black
-????????? ? ? ? ?            ? openssl.cnf
-????????? ? ? ? ?            ? openvpn_server_common_name
d????????? ? ? ? ?            ? oven.emerge
d????????? ? ? ? ?            ? pd
d????????? ? ? ? ?            ? return.ten
d????????? ? ? ? ?            ? rigid.advice
d????????? ? ? ? ?            ? scheme.angle
-????????? ? ? ? ?            ? serial
-????????? ? ? ? ?            ? serial.old
-????????? ? ? ? ?            ? server.conf
-????????? ? ? ? ?            ? server.crt
-????????? ? ? ? ?            ? server.csr
-????????? ? ? ? ?            ? server.key
-????????? ? ? ? ?            ? server-udp.conf
d????????? ? ? ? ?            ? shiver.remember
d????????? ? ? ? ?            ? solid.shock
d????????? ? ? ? ?            ? sugar.benefit
-????????? ? ? ? ?            ? ta.key
d????????? ? ? ? ?            ? trash
d????????? ? ? ? ?            ? until.chalk
-????????? ? ? ? ?            ? update-resolv-conf
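
The session above shows the classic symptom of a directory that carries read but not search (x) permission for the daemon's user: `test -r /etc/openvpn` passes and `ls` can list the names, yet nothing below it can be stat'ed or opened, so every ccd lookup fails once OpenVPN has dropped to nobody. The following diagnostic is an added example, not code from this thread or from Streisand; it walks a path and names the first component a given user cannot pass, and assumes GNU coreutils stat(1) and id(1) and an absolute path.

```shell
#!/bin/sh
# Added diagnostic: walk every component of an absolute path and report the
# first one USER cannot pass. Directories need the search (x) bit; the final
# entry needs read (r). A directory with r but no x can still be listed, so
# `test -r` passes while every entry below it is inaccessible.
# Assumes GNU coreutils stat(1) and id(1); no su needed, runs as any user.
set -f   # no globbing while the path is split on '/'

# in_group USER GROUP -> exit 0 if USER is a member of GROUP
in_group() {
    case " $(id -Gn "$1" 2>/dev/null) " in *" $2 "*) return 0;; esac
    return 1
}

# perm_ok USER FILE BIT (BIT: 4=r, 2=w, 1=x) -> exit 0 if USER has BIT on FILE
perm_ok() {
    user=$1 file=$2 bit=$3
    [ "$user" = root ] && return 0            # root bypasses mode bits (DAC)
    set -- $(stat -c '%U %G %a' "$file" 2>/dev/null)
    [ $# -eq 3 ] || return 1                  # missing, or not even stat'able by us
    owner=$1 group=$2 mode=000$3
    mode=${mode#${mode%???}}                  # keep the rwx digits, drop suid/sgid/sticky
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}                      # owner triplet
    elif in_group "$user" "$group"; then
        digit=${mode#?}; digit=${digit%?}     # group triplet
    else
        digit=${mode#??}                      # other triplet (nobody on root-owned /etc/openvpn)
    fi
    [ $((digit & bit)) -ne 0 ]
}

# first_blocker USER ABSPATH -> prints the first component USER cannot pass,
# prints nothing if USER can reach and read ABSPATH. Always exits 0.
first_blocker() {
    user=$1 target=${2%/}
    oldifs=$IFS; IFS=/; set -- $target; IFS=$oldifs
    cur=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ "$cur" = "$target" ]; then need=4; else need=1; fi   # leaf: r, dirs: x
        if ! perm_ok "$user" "$cur" "$need"; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
    return 0
}
```

For the case in this thread, `first_blocker nobody /etc/openvpn/ccd/scheme.angle` run as root prints the first directory nobody cannot traverse; giving that directory the x bit for the daemon's user (rather than running the daemon as root or handing the whole of /etc/openvpn to nobody) is the minimal fix.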

mk2soldier commented 6 years ago

I'm incurring in the same problem described by @damko. I'm trying to offer the clients a static IP based on the CN by using the client-config-dir directive in /etc/openvpn/server-udp.conf. I've tried chowning the ccd directory to the nobody:nogroup user/group as well as chmodding the ccd directory to 777 but to no avail :( Any ideas?

damko commented 6 years ago

@mk2soldier if I remember correctly I was able neither to diagnose nor to fix the issue, and I started with a fresh install on a new VM.

Torxed commented 6 years ago

# ls -ld / /etc /etc/openvpn /etc/openvpn/server/ccd /etc/openvpn/server/ccd/host.name
drwxr-xr-x 19 root   root   4096 Jan  5 18:47 /
drwxr-xr-x 71 root   root   4096 Apr 30 17:30 /etc
drwxr-xr-x  4 root   root   4096 Mar  6  2017 /etc/openvpn
drwxrwxrwx  2 root   root   4096 May 28 20:38 /etc/openvpn/server/ccd
-rwxrwxrwx  1 nobody nobody   77 May 28 20:38 /etc/openvpn/server/ccd/host.name

The shitty chmod is on purpose to avoid permission errors while searching for the error. This exact same setup worked half a year to a year ago. It was time to re-issue some certs, so I updated the server and pushed out new certs just to end up with:

Could not access file '/etc/openvpn/server/ccd/host.name' Permission denied (errno=13)

This appears to be a common OpenVPN issue? If so, has anyone reported this to the OpenVPN community?

Randall475 commented 4 years ago

I know this is more than a year later but I found a solution or workaround and want to make it available for anyone else who's stumbling aimlessly from place to place around the internets like I did.

I'm using OpenWRT, and was also getting

daemon.warn openvpn(server)[22591]: client/xxx.xxx.xxx.xxx:xxx Could not access file '/etc/openvpn/ccd/client': Permission denied (errno=13)

This was still occurring after I had granted nobody and nogroup ownership of both /etc/openvpn/ccd and the one file I had in the ccd folder and set permissions to 755.

I then changed user and group ownership of /etc/openvpn (chown nobody /etc/openvpn; chgrp nogroup /etc/openvpn) and now it works fine. I just tried first with 755 on /etc/openvpn and then with just 700 and both work fine:

daemon.notice openvpn(server)[24075]: client/xxx.xxx.xxx.xxx:xxx OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/client

cedroid09 commented 3 years ago

Hello,

I know this issue has been open for some time, but I would like to add that @Randall475's proposed solution works. The only thing I would like to know is why it requires that the ccd is set to nobody instead of user openvpn.

It doesn't even work when you specify to the system that user openvpn should be used to start the daemon.

user openvpn
group openvpn
daemon openvpn