how to start openvpn without sudo


Павлов Григорий

Dec 19, 2011, 4:37:47 AM
to tunnelbli...@googlegroups.com
Hello, I'm trying to develop my own OpenVPN GUI for Mac OS, and I need to start openvpn without "sudo". It's possible, I know it; Tunnelblick and Viscosity do it successfully.

That's what I did:

sudo chown -R root /users/h69/openvpn
sudo chgrp -R wheel /users/h69/openvpn
sudo chmod -R go-w /users/h69/openvpn

ls -l /users/h69/openvpn
-rwxr-xr-x 1 root wheel

When I try to connect:
Cannot allocate TUN/TAP dev dynamically

OK, Google talks about setuid root. That's what I did:
sudo chmod 4755 /users/h69/openvpn

ls -l /users/h69/openvpn
-rwsr-xr-x 1 root wheel

When I try to connect:

TUN/TAP device /dev/tun0 opened
Fri Dec 16 11:34:54 2011 /sbin/ifconfig tun0 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Fri Dec 16 11:34:54 2011 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
Fri Dec 16 11:34:54 2011 /sbin/ifconfig tun0 10.12.0.10 10.12.0.9 mtu 1500 netmask 255.255.255.255 up
Fri Dec 16 11:34:56 2011 /sbin/route add -net 95.211.138.146 192.168.0.1 255.255.255.255
route: must be root to alter routing table
Fri Dec 16 11:34:56 2011 ERROR: OS X route add command failed: external program exited with error status: 77
Fri Dec 16 11:34:56 2011 /sbin/route add -net 0.0.0.0 10.12.0.9 128.0.0.0
route: must be root to alter routing table
Fri Dec 16 11:34:56 2011 ERROR: OS X route add command failed: external program exited with error status: 77
Fri Dec 16 11:34:56 2011 /sbin/route add -net 128.0.0.0 10.12.0.9 128.0.0.0
route: must be root to alter routing table
Fri Dec 16 11:34:56 2011 ERROR: OS X route add command failed: external program exited with error status: 77
Fri Dec 16 11:34:56 2011 /sbin/route add -net 10.12.0.1 10.12.0.9 255.255.255.255
route: must be root to alter routing table
Fri Dec 16 11:34:56 2011 ERROR: OS X route add command failed: external program exited with error status: 77
Fri Dec 16 11:34:56 2011 Initialization Sequence Completed

That's how I'm starting openvpn:
./openvpn --config /users/h69/config/faceless.ovpn --cert /users/h69/config/keys/client9196.crt --ca /users/h69/config/keys/ca.crt --key /users/h69/config/keys/client9196.key --tls-auth /users/h69/config/keys/ta.key

When I start openvpn with "sudo", I have no errors.
What can I do?

jkbull...gmail.com

Dec 19, 2011, 6:43:17 AM
to tunnelbli...@googlegroups.com
You are on the right track setting openvpn to suid, but more needs to be done as root: your GUI must load and unload a special device driver (a .kext on OS X) that handles traffic destined for the VPN.

Tunnelblick uses the drivers from http://tuntaposx.sourceforge.net.

Your GUI should load the kext (tun or tap, depending on how your OpenVPN configuration is set up) only when the user wants to connect to the VPN, and should unload the kext when the VPN is disconnected. That way your software will interact properly with other software such as Tunnelblick. (Note that some VPN software which uses tun/tap drivers does not behave nicely and leaves its tun/tap driver loaded -- which will interfere with your GUI (or Tunnelblick, Viscosity, etc.). Cisco's VPN software is an example of such badly-behaved software.)

Instead of making OpenVPN suid root, Tunnelblick has a small "helper" program, "openvpnstart", which is suid root. It performs the load/unload of the kexts and starts OpenVPN. Because it starts OpenVPN as root, OpenVPN itself runs as root. You probably want to do something similar with a small "helper" program.

You may download and use the Tunnelblick source code under the terms of the GNU General Public License version 2 as published by the Free Software Foundation. See Checkout for details about downloading the Tunnelblick source code. 

Good luck with your GUI!

Павлов Григорий

Dec 19, 2011, 9:24:04 AM
to tunnelbli...@googlegroups.com
Thank you for your answer! Yes, I understand about loading/unloading kexts, and I do it. I created a script:
#!/bin/sh
kextutil -b /users/h69/tun.kext

and set this script to suid:

sudo chown root /users/h69/load_tun.sh
sudo chgrp wheel /users/h69/load_tun.sh
sudo chmod go-w /users/h69/load_tun.sh
sudo chmod 4755 /users/h69/load_tun.sh

ls -l ./load_tun_s.sh
-rwsr-xr-x@ 1 root  wheel

but after starting this script I get the message:
You must be running as root to load kexts or send personalities into the kernel.

so I was forced to correct the script:
#!/bin/sh
sudo kextutil -b /users/h69/tun.kext

How does Tunnelblick load kexts and start openvpn without "sudo", without asking for a password? Or did I do something wrong?

jkbull...gmail.com

Dec 19, 2011, 9:41:54 AM
to tunnelbli...@googlegroups.com
Setting something to suid root is not the same as using sudo. When you use sudo, you must enter an admin password and run a program one time as root.

If you set a program to suid root, when executed (even by a regular user), the program can become root without asking for a password. That's the purpose of suid.

To set a program suid root requires an admin password:

sudo chown 0:0 sample-suid-program
sudo chmod 4555 sample-suid-program

The first command makes the program's owner root:wheel. The second command sets the suid bit and sets the permissions for such a file -- it can be executed and read by everyone.

Note that the program should not be writable by anyone (except perhaps root) because there would be a security problem if an ordinary user could modify it and then execute the modified version as root.

Павлов Григорий

Dec 19, 2011, 10:53:38 AM
to tunnelbli...@googlegroups.com
I did it for my script:

sudo chown 0:0 /users/h69/load_tun.sh
sudo chmod 4555 /users/h69/load_tun.sh

but
kextutil -b /users/h69/tun.kext
still tells me:
You must be running as root to load kexts or send personalities into the kernel. 

How can I solve this problem? How does Tunnelblick do it? You ask for a password on the first start of Tunnelblick and then you can live without it. That's what I need.
And thanks again for your detailed answer. Still hoping for your help.

jkbull...gmail.com

Dec 19, 2011, 11:04:16 AM
to tunnelbli...@googlegroups.com
Maybe a script cannot use suid -- only an executable program can use it. That could be why you are getting the error.

As I said earlier, Tunnelblick solves this problem by using a subprogram called openvpnstart. It is not a script, it is a compiled program.

When Tunnelblick starts, it checks to see if openvpnstart is owned by root:wheel with the suid bit set. If not, it asks for an admin password and uses that to run a small helper program (installer) as root to change openvpnstart appropriately.

It's much more involved than that; "installer" handles all sorts of other situations that require root access, and Tunnelblick checks openvpnstart for more than just ownership by root and having the suid bit set.

Павлов Григорий

Dec 20, 2011, 9:34:16 AM
to tunnelbli...@googlegroups.com
Hello again, I found a solution:
setuid(0);
setgid(0);

I had to do it in my program that starts ovpn. Now ovpn starts.
Thank you very very very much for the idea to create an executable program, not a script!
I think my problems do not end here, but that's a move forward.
Happy new year!
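A complete version of the compiled helper the thread converges on, as an added example (not Tunnelblick's openvpnstart and not the poster's program; every path in it is an assumption). It shows the two things the setuid(0)/setgid(0) snippet above leaves implicit: the helper must confirm the suid bit is actually in effect before it changes ids, and because everything it runs executes as root, it accepts only a fixed verb and a bare config name and builds the command line itself from absolute paths:

```c
/* Added example, not Tunnelblick's openvpnstart: a minimal compiled suid
 * helper of the kind the thread ends up with. The kernel ignores the suid bit
 * on scripts, so the helper must be a compiled binary installed as root:wheel
 * mode 4555. It then starts with euid 0 but the caller's real uid; setgid(0)
 * and setuid(0) make real, effective and saved ids root, which is what tools
 * like kextutil check. All paths below are assumed, not the project's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define KEXT_PATH   "/Library/Application Support/MyVPN/tun.kext"          /* assumed */
#define OPENVPN_BIN "/Library/Application Support/MyVPN/openvpn"           /* assumed */
#define CONFIG_DIR  "/Library/Application Support/MyVPN/Configurations/"   /* assumed */

enum action { ACT_INVALID = -1, ACT_LOAD_KEXT, ACT_UNLOAD_KEXT, ACT_START_OPENVPN };

/* The only verbs accepted; anything else is rejected before privilege is used. */
enum action parse_action(const char *verb)
{
    if (verb == NULL) return ACT_INVALID;
    if (strcmp(verb, "load") == 0)   return ACT_LOAD_KEXT;
    if (strcmp(verb, "unload") == 0) return ACT_UNLOAD_KEXT;
    if (strcmp(verb, "start") == 0)  return ACT_START_OPENVPN;
    return ACT_INVALID;
}

/* A config name becomes a path under CONFIG_DIR, so it must be a bare name:
 * no slashes, no leading dot (rules out ".."), conservative characters only. */
int config_name_is_safe(const char *name)
{
    size_t i, n;
    if (name == NULL || (n = strlen(name)) == 0 || n > 64 || name[0] == '.') return 0;
    for (i = 0; i < n; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Command lines are built from absolute paths only; the caller never supplies
 * a program name, an option or a path, just a verb and a config name. */
static const char *g_argv[8];
static char g_path[512];

int build_argv(enum action a, const char *config)
{
    memset(g_argv, 0, sizeof g_argv);
    switch (a) {
    case ACT_LOAD_KEXT:
        g_argv[0] = "/usr/bin/kextutil"; g_argv[1] = KEXT_PATH; return 2;
    case ACT_UNLOAD_KEXT:
        g_argv[0] = "/sbin/kextunload";  g_argv[1] = KEXT_PATH; return 2;
    case ACT_START_OPENVPN:
        if (!config_name_is_safe(config)) return -1;
        snprintf(g_path, sizeof g_path, "%s%s.ovpn", CONFIG_DIR, config);
        g_argv[0] = OPENVPN_BIN; g_argv[1] = "--config"; g_argv[2] = g_path; return 3;
    default:
        return -1;
    }
}

const char *built_arg(int i) { return (i >= 0 && i < 8) ? g_argv[i] : NULL; }

/* Only meaningful once installed suid root: geteuid() is 0 while getuid() is
 * still the user. Raise the gid before the uid. */
int become_root(void)
{
    if (geteuid() != 0) return -1;   /* suid bit not in effect: fail before doing anything */
    if (setgid(0) != 0) return -1;
    if (setuid(0) != 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };
    enum action a = parse_action(argc > 1 ? argv[1] : NULL);
    if (build_argv(a, argc > 2 ? argv[2] : NULL) < 0) {
        fprintf(stderr, "usage: helper load | unload | start <config-name>\n");
        return 2;
    }
    if (become_root() != 0) {
        fprintf(stderr, "helper is not installed suid root (chown 0:0; chmod 4555)\n");
        return 1;
    }
    /* Replace the helper with the fixed command under a minimal environment. */
    execve(g_argv[0], (char *const *)g_argv, clean_env);
    perror(g_argv[0]);
    return 1;
}
```

The GUI would call it as "helper load", "helper start faceless" and "helper unload"; the certificate, key and tls-auth paths from the command line earlier in the thread belong inside the .ovpn file in CONFIG_DIR, so the unprivileged caller never passes a path to code running as root.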