Through my research I came across several scripts and howtos on chrooting, or running openvpn as nobody.  They all had issues for me on Arch.  Below is a very simple way to run openvpn as a normal non-root user.  I have found that this is the most secure method of configuring an openvpn client.

Create a script in /usr/local/sbin/unpriv-ip and chmod 755 it.

#!/bin/sh
# Pass openvpn's arguments through to ip unchanged, one word per argument.
sudo /sbin/ip "$@"

Add yourself, or %group to sudoers at the bottom of the file, allowing you or your users to execute /sbin/ip elevated without a password.

you ALL=(ALL)   NOPASSWD: /sbin/ip

Change your openvpn config file to use dev tunX and add a line for iproute

dev tunX
iproute /usr/local/sbin/unpriv-ip

Create a tunnel adapter and grant yourself access.

sudo openvpn --mktun --dev tunX --user you --group users

Persist this by creating a service called /etc/systemd/system/tunnel.service

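[Unit]
Description=Tunnel Script
[Service]
# The script creates the device and exits, so run it as a one-shot unit.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/tun.sh
[Install]
WantedBy=multi-user.target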

Create the script /usr/bin/tun.sh

#!/bin/sh
openvpn --mktun --dev tunX --user you --group users

$ sudo chmod 755 /usr/bin/tun.sh
$ sudo systemctl enable tunnel.service

Run the script as root, and then run openvpn as your normal user.

[you@host ~]$ openvpn conf.ovpn
.....
.....
Wed Mar 15 23:42:47 2017 Initialization Sequence Completed

$ telnet ipcfg.me
Connected to ipcfg.me.
Escape character is '^]'.
Your IPv4 is X.X.X.X
Your Host is notyou.net

Reboot and enjoy the silence.
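
A preflight check for the steps above, added here as an example and not part of the original post. The function names, the sample config and the optional sysfs-root argument are assumptions; the ownership check relies on Linux exposing a tun device's owner UID in /sys/class/net/<dev>/owner.

```shell
#!/bin/sh
# Added example: preflight checks for the non-root OpenVPN client setup.

# Read an OpenVPN config on stdin; print one line per problem, return 1 if any.
check_ovpn_conf() {
    awk '
        { sub(/\r$/, "") }               # tolerate CRLF line endings
        $1 == "dev"     { dev = $2 }     # commented-out lines never match,
        $1 == "iproute" { iproute = $2 } # since $1 would start with # or ;
        END {
            bad = 0
            # The pre-created persistent device needs a fixed name (tun0);
            # a bare "tun" asks OpenVPN to allocate a device dynamically.
            if (dev !~ /^tun[0-9]+$/) {
                print "dev: want a numbered tun device, got \"" dev "\""; bad = 1
            }
            # Without iproute OpenVPN calls ip directly, without sudo.
            if (iproute !~ /^\//) {
                print "iproute: want an absolute path, got \"" iproute "\""; bad = 1
            }
            exit bad
        }'
}

# Return 0 if tun device $1 exists and is owned by the current user.
# $2 overrides the sysfs root (an assumption added here so it can be tested).
check_tun_owner() {
    attr="${2:-/sys/class/net}/$1/owner"
    [ -r "$attr" ] || { echo "$1: no such tun device"; return 1; }
    [ "$(cat "$attr")" = "$(id -u)" ] || { echo "$1: not owned by $(id -un)"; return 1; }
}

# Constructed sample config; the remote host is a placeholder.
sample_conf() {
    printf '%s\n' 'client' 'remote vpn.example.net 1194' \
        '  dev tun0' 'iproute /usr/local/sbin/unpriv-ip'
}

# Live use: sh preflight.sh conf.ovpn tun0
if [ "$#" -eq 2 ]; then
    check_ovpn_conf < "$1" && check_tun_owner "$2" &&
        sudo -n -l /sbin/ip >/dev/null && echo "preflight ok"
fi
```

Run it as the user who will start openvpn; the final `sudo -n -l /sbin/ip` step fails if the NOPASSWD rule is missing.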

