kylemanna / docker-openvpn

🔒 OpenVPN server in a Docker container complete with an EasyRSA PKI CA
https://hub.docker.com/r/kylemanna/openvpn/
MIT License

Directory permission issue. #594

Open kabaret10 opened 3 years ago

kabaret10 commented 3 years ago

Hello there, I've done chmod 600 on the whole volume directory and now in the logs I have 2 errors about access to the ccd directory. What directory permission will resolve this issue and would be safe?

drw------- 5 root 65533 4096 Aug 5 15:06 openvpn-volume

Fri Aug  7 12:03:02 2020 OTPuser_2/192.168.1.63:57597 Could not access file '/etc/openvpn/ccd/OTPuser_2': Permission denied (errno=13)
Fri Aug  7 12:03:02 2020 OTPuser_2/192.168.1.63:57597 Could not access file '/etc/openvpn/ccd/DEFAULT': Permission denied (errno=13)

By the way, is using OVPN version 2.3 in 2020 still safe with this config I've made? I'm using a Raspberry Pi and have no choice :-).

server 192.168.255.0 255.255.255.0
verb 3
key /etc/openvpn/pki/private/VPN.SERVERNAME.COM.key
ca /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/issued/VPN.SERVERNAME.COM.crt
dh /etc/openvpn/pki/dh.pem
tls-auth /etc/openvpn/pki/ta.key
key-direction 0
keepalive 10 60
persist-key
persist-tun

proto udp
# Rely on Docker to do port mapping, internally always 1194
port 1194
dev tun0
status /tmp/openvpn-status.log
user nobody
group nogroup
### Route Configurations Below
route 192.168.254.0 255.255.255.0
### Push Configurations Below
push block-outside-dns
push dhcp-option DNS 8.8.8.8
push dhcp-option DNS 8.8.4.4
# Enable OTP+PAM for user authentication
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
### Extra Configurations Below
cipher AES-256-CBC
auth SHA512

namelivia commented 2 years ago

I created some files under ccd and I'm having the same issue when mounting the volume. It's weird because apparently the folders and files have the same permissions and owners as pki, for example, but if I figure out what's happening I'll post the result here.

namelivia commented 2 years ago

Ok, so generating the file and mounting the volume, the resulting ccd file had the following permissions:

-rwx------    1 1000     1000            43 Dec 14 20:09 my_client

but entering the container and regenerating the file from inside bash on the container using:

echo "ifconfig-push 192.168.254.1 192.168.254.2" | tee /etc/openvpn/ccd/my_client

generated the file with the following owner and permissions:

-rw-r--r--    1 root     root          42 Dec 14 20:37 my_client

And this last one worked.
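The two comments above point at the same root cause: the server starts as root but drops to `user nobody` / `group nogroup` (see the config), and ccd files are opened per client after that drop, so a 0700 file or a 0700 volume directory owned by root or uid 1000 is unreadable to it. The following added audit script (not part of the thread or the docker-openvpn project; it assumes GNU `stat` and the nobody/nogroup names from the config) reproduces the failing and working layouts from the thread in a temporary directory and reports which entries the dropped-privilege server could not read.

```shell
#!/bin/sh
# Added example: audit an OpenVPN ccd directory for entries the server cannot
# read after dropping privileges. Works without root by evaluating mode bits
# the way the kernel does (owner class, else group class, else other).
set -u

# Print "<perm bits as decimal> <owner> <group>" for a path (GNU stat).
path_info() {
    set -- $(stat -c '%a %U %G' "$1")
    echo "$(( 0$1 & 0777 )) $2 $3"
}

# can_access PATH BIT [USER] [GROUP]: succeed if USER (default nobody, group
# nogroup) has BIT on PATH; BIT is 4 for read, 1 for directory search.
can_access() {
    p=$1 bit=$2 u=${3:-nobody} g=${4:-nogroup}
    set -- $(path_info "$p")
    mode=$1 owner=$2 group=$3
    if [ "$owner" = "$u" ]; then shift_by=6
    elif [ "$group" = "$g" ]; then shift_by=3
    else shift_by=0
    fi
    [ $(( (mode >> shift_by) & bit )) -ne 0 ]
}

# check_ccd DIR [USER] [GROUP]: report every entry the dropped-privilege
# server could not open; return 1 if there was at least one problem.
check_ccd() {
    dir=$1 u=${2:-nobody} g=${3:-nogroup} rc=0
    can_access "$dir" 1 "$u" "$g" || { echo "no search bit for $u on $dir"; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not expand
        can_access "$f" 4 "$u" "$g" || { echo "not readable by $u: $f"; rc=1; }
    done
    return $rc
}

# Constructed demo tree mirroring the thread: the 0700 client file that
# failed next to a 0644 file like the one that worked. Files belong to
# whoever runs this, so "nobody" falls into the "other" class, exactly as
# it does for the root-owned and uid-1000 files in the reports above.
demo_ccd() {
    tmp=$(mktemp -d); mkdir "$tmp/ccd"
    echo 'ifconfig-push 192.168.254.1 192.168.254.2' > "$tmp/ccd/my_client"
    chmod 700 "$tmp/ccd/my_client"
    echo 'ifconfig-push 192.168.254.3 192.168.254.4' > "$tmp/ccd/DEFAULT"
    chmod 644 "$tmp/ccd/DEFAULT"
    echo "$tmp/ccd"
}
```

Run `check_ccd /path/to/openvpn-volume/ccd` against a real volume; the fix the thread arrives at (0644, owner root) is one way to satisfy it, and `chmod o+rx` on the volume directory itself clears the `drw-------` case from the first report.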