File and process permissions
For OpenVPN to function, the user running the OpenVPN process needs the necessary privileges and access to the system, networking, and filesystem. This includes the ability to write log files, modify network adapter settings and the system routing tables, and execute scripts or programs.
Privilege de-escalation
As stated earlier, to make many of the network and routing changes, OpenVPN will need some initial privileges in excess of a typical user. Once these changes have been made, there is usually no need to retain these administrative rights. Using the --user and --group configuration parameters, the administrator can tell OpenVPN which unprivileged user to operate as once the initialization process has completed.
There are caveats to dropping to an unprivileged user, however. First, all files that the OpenVPN process needs to use during normal operation must be readable and/or writable by the unprivileged user. This includes --client-config...
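The caveat above, as an added example that is not part of the original text: a POSIX shell check that reads an OpenVPN configuration file and reports files the post-drop user and group could not read or write. The directive list in CHECKS, the function names and the reliance on `stat -c` are assumptions of this example; parent-directory permissions are not checked.

```shell
#!/bin/sh
# Added example, not from the original text. Assumes GNU/BusyBox `stat -c` and
# absolute, unquoted paths; ACLs and supplementary groups are not evaluated.

# directive:access pairs to check (this example's assumed list; adjust it).
CHECKS="crl-verify:r status:w ifconfig-pool-persist:w"

# mode_allows UID GID PATH r|w
# Returns 0 if the owner/group/other mode bits grant the access, 1 if not,
# 2 if PATH cannot be stat'ed.
mode_allows() {
    ma_uid=$1; ma_gid=$2; ma_want=$4
    set -- $(stat -c '%u %g %a' "$3" 2>/dev/null)   # -> fuid fgid mode
    [ $# -eq 3 ] || return 2
    [ "$ma_uid" -eq 0 ] && return 0                  # root bypasses mode bits
    ma_perm=$((0$3))                                 # %a is octal, e.g. 640
    if   [ "$ma_uid" -eq "$1" ]; then ma_bits=$(( (ma_perm >> 6) & 7 ))
    elif [ "$ma_gid" -eq "$2" ]; then ma_bits=$(( (ma_perm >> 3) & 7 ))
    else                              ma_bits=$((  ma_perm       & 7 ))
    fi
    case $ma_want in
        r) [ $((ma_bits & 4)) -ne 0 ] ;;
        w) [ $((ma_bits & 2)) -ne 0 ] ;;
        *) return 2 ;;
    esac
}

# audit_config CONF UID GID
# Prints one line per checked file that UID/GID could not use after the
# privilege drop; returns 0 only if nothing was reported.
audit_config() {
    ac_uid=$2; ac_gid=$3; ac_bad=0
    while read -r ac_key ac_path ac_rest; do
        for ac_c in $CHECKS; do
            [ "$ac_key" = "${ac_c%%:*}" ] || continue
            mode_allows "$ac_uid" "$ac_gid" "$ac_path" "${ac_c##*:}" && continue
            echo "$ac_key $ac_path: needs '${ac_c##*:}' for uid=$ac_uid gid=$ac_gid"
            ac_bad=1
        done
    done < "$1"
    return $ac_bad
}

# Stand-alone use: sh audit.sh server.conf "$(id -u nobody)" "$(id -g nobody)"
if [ $# -eq 3 ]; then audit_config "$@"; fi
```

A missing file is reported the same way as an inaccessible one, since either would fail once the process no longer runs with its initial privileges.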