#1 2016-11-21 23:57:14

greyseal96
Member
Registered: 2014-03-20
Posts: 31

[Solved] Question about securing OpenVPN client with user/group nobody

Hi all,

This is more of a quick advice/opinion question.  I'm setting up OpenVPN to run and I don't need it to run upon startup.  I'll only need to run it from time to time to connect to a remote network.  Consequently, I'm thinking that I don't need to set things up to run with the systemd service unit, correct?

Next, I'm wondering how necessary it is to have the OpenVPN client downgrade its permissions after startup.  I've been reading the Arch wiki OpenVPN page and the OpenVPN HOW TO page and I'm wondering if it is worth it, from a security standpoint, to have OpenVPN switch to user/group nobody after startup when running as a client?  I've got an OpenVPN server set up which I run unattended and I've got it secured to drop to nobody and run in a chroot jail but I did all that because the server is running unattended. 

I'm wondering if it's worth the extra hassle of the extra steps mentioned in the Arch wiki OpenVPN page where it talks about various ways to get around the permission downgrade.  If I'm just going to be running OpenVPN manually every now and then for a few hours at a time how much of a security risk is it to run OpenVPN with sudo?  I like being secure but I'm wondering how much effort is reasonable with this.  I'm not an expert in this area so I'm hoping somebody can help to enlighten me or point me to something to read to get some more information/perspective.

Last edited by greyseal96 (2016-12-09 09:15:21)


#2 2016-11-22 05:51:08

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: [Solved] Question about securing OpenVPN client with user/group nobody

It is always recommended to run a process with the lowest required privileges.

Security is all about finding the perfect balance between usability and inconvenience. But it varies from user to user. So, it is up to you to decide how much inconvenience you are willing to tolerate.


#3 2016-11-22 10:33:53

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: [Solved] Question about securing OpenVPN client with user/group nobody

You could set up everything and use systemctl to start/stop the openvpn service when you need it (you can start services without having them enabled) and have it drop privileges.

It also depends on which network manager you use; NetworkManager has an OpenVPN plugin which will run as a less privileged user, but this might require some extra setup to enable all protections (I don't remember exactly but I think it is to enable chroot).


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#4 2016-11-24 12:34:19

greyseal96
Member
Registered: 2014-03-20
Posts: 31

Re: [Solved] Question about securing OpenVPN client with user/group nobody

Thanks for responding x33a and R00KIE.  I kind of suspected that the answer would be that it's a personal decision.  As kind of a follow-up to that, from what I've read, OpenVPN seems like it's pretty secure running under the elevated privileges and that dropping to user/group nobody is just kind of "icing on the cake".  Is that an accurate summary? 

To R00KIE's point about using systemctl and NetworkManager...  I've already tried NetworkManager and it worked OK but since I was only using it for VPN connectivity, it seemed like kind of a heavy-handed solution just for that.  The plain vanilla Arch networking setup with netctl, dhcpcd, etc. was sufficient for this particular box prior to that so I've just decided to work directly with OpenVPN on this particular machine.  Not a slam against NM; I use it on other boxes and it works just fine on those.  It was just a little much in this situation.

As far as systemctl goes, I've thought about using that.  I see on the wiki that there are instructions for how to get that set up with the privilege drop but my concern with that is being able to handle routes and other options that get pushed out by the OpenVPN server after connection.  Because the privileges drop after it's daemonized, I wouldn't be able to pick up things that get pushed out by the server after connection.  It's probably a minor quibble but I just want to see how much effort is involved in working around that.  I may end up going the systemctl route in the end.  We'll see.

Thanks again for your responses/help.

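An added example, not part of any post in this thread and not code from OpenVPN or the Arch wiki: a small Python check of a client config for the privilege-drop settings discussed above (`user`, `group`, `chroot`), plus `persist-tun` and `persist-key`, which OpenVPN needs in order to restart once it is no longer root. The sample config, the hostname and the function names are constructed for illustration, and quoted arguments are not handled.

```python
import re

# Constructed sample client config (not from the thread); the hostname is a placeholder.
SAMPLE_CONFIG = """\
client
remote vpn.example.org 1194   # placeholder server
; group nobody
user nobody
persist-key
<ca>
user-looking text inside an inline block is not a directive
</ca>
"""

def parse_directives(text):
    """Return {directive: [args]}, skipping comments and inline <tag>...</tag> blocks."""
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:                      # inside <ca>...</ca> etc.: key/cert data
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline_tag = m.group(1)
            continue
        # '#' or ';' starts a comment at line start or after whitespace
        line = re.split(r"\s[#;]", " " + line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name] = args
    return directives

def audit_privilege_drop(text):
    """List findings about privilege dropping in an OpenVPN client config."""
    d, findings = parse_directives(text), []
    for opt in ("user", "group"):
        if opt not in d:
            findings.append(f"'{opt}' not set: OpenVPN keeps root's {opt} ID after startup")
    if "user" in d or "group" in d:
        for opt in ("persist-tun", "persist-key"):
            if opt not in d:
                findings.append(f"'{opt}' not set: a restart without root cannot redo this step")
    if "chroot" not in d:
        findings.append("'chroot' not set (optional): process still sees the whole filesystem")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_privilege_drop(SAMPLE_CONFIG)))
```
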
