user tunnel purpose

Hello,

Can you please describe the purpose of running openvpn as user ‘tunnel’ per the “…VPN-Firewall#How_to_use_VPN-Firewall” guide, as in, what does this accomplish and how so?

I understand this should be tested but I’d like to know this ownership modification to /etc/openvpn is expected to work with any VPN.

Thank you.

This was written a long time ago.

Since OpenVPN will be run under user tunnel, that user requires read access to the folder /etc/openvpn.

sudo chown -R tunnel:tunnel /etc/openvpn
  • On reflection sudo chown -R tunnel:tunnel /etc/openvpn might not be needed but is still a good idea. It would be enough if that folder was world-readable. But we probably don’t want that.
  • The folder owned by user tunnel means that OpenVPN could also write to that folder. That seems not needed and therefore shouldn’t be allowed.

Still set owner to user/group tunnel.

sudo chown -R tunnel:tunnel /etc/openvpn

Remove write and execute permission for owner and group.

sudo chmod ug-wx /etc/openvpn

Remove read/write/execute permission for others

sudo chmod o-rwx /etc/openvpn

sudo chown -R tunnel:tunnel /var/run/openvpn

This is more useful (openvpn running as user tunnel writes there) but even then chmod would be useful to prevent others from reading files inside that folder.

vpn-firewall/usr/lib/tmpfiles.d/50_openvpn-unpriv.conf at master · adrelanos/vpn-firewall · GitHub could use an update/review/hardening. Patches welcome.

The VPN service/server doesn’t matter, since the only software to use, and the only one ever tested, is OpenVPN.
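The ownership and permission steps from the reply above, collected into one script as an added example (this is not code from the thread or from the vpn-firewall project). It takes the directory, user and group as arguments so it can be tried on a copy first; the defaults /etc/openvpn and tunnel:tunnel come from the thread, everything else is an assumption. One deliberate difference from a plain chmod ug-wx on the directory: the script keeps the execute bit on directories, because a directory without x cannot be entered even by its owner, so the tunnel user would lose access to the very files it needs to read. Files get r-- for owner and group and nothing for others, exactly as the reply intends.

```shell
#!/bin/sh
# Added example: lock down an OpenVPN config directory for an unprivileged
# service user. Not code from the vpn-firewall project; /etc/openvpn and the
# user/group "tunnel" mirror the thread, everything else is an assumption.

# harden_openvpn_dir DIR OWNER GROUP
#   - hand the tree to OWNER:GROUP so the service user can read it
#   - directories: r-x for owner and group (x is needed to traverse), nothing for others
#   - files: r-- for owner and group, nothing for others (no write bit anywhere,
#     so a compromised openvpn process cannot rewrite its own config or keys)
harden_openvpn_dir() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod u=rx,g=rx,o= {} + || return 1
    find "$dir" -type f -exec chmod u=r,g=r,o= {} + || return 1
}

# check_openvpn_dir DIR
#   returns 0 when nothing under DIR is writable by anyone or accessible
#   to "others"; otherwise lists the offenders on stderr and returns 1.
#   -perm /MODE matches entries with ANY of the given bits set (GNU find).
check_openvpn_dir() {
    dir=$1
    bad=$( { find "$dir" -perm /0222; find "$dir" -perm /0007; } )
    if [ -n "$bad" ]; then
        printf 'insecure permissions under %s:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# Usage (as root, because chown to a foreign user needs it):
#   sh harden-openvpn.sh /etc/openvpn tunnel tunnel
# The checker alone works on any directory you can read.
if [ $# -eq 3 ]; then
    harden_openvpn_dir "$1" "$2" "$3" && check_openvpn_dir "$1"
fi
```

The run directory mentioned further down is the opposite case: openvpn running as tunnel has to write there, so it needs write for the owner (0750 tunnel:tunnel, for instance) while still denying others, which is the kind of declaration a tmpfiles.d entry carries.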

You may use my attached public key if you please, and may I have yours?
(Not a huge deal but I try to practice using pgp.)

“* The folder owned by user tunnel means that OpenVPN could also write
to that folder. That seems not needed and therefore shouldn’t be
allowed.”

You mean that OpenVPN could write to that tunnel-owned folder because
it isn’t owned by root like everything else in /etc? My /etc/openvpn is
owned by root by default so it must function fine by default, no? Why
should OpenVPN write to that folder if it’s not allowed by default?

And perhaps a dumb question, if we don’t want write/execute for owner
and group nor read/write/execute for others, then must I
password-protect user tunnel even though I don’t need to login as
tunnel? Otherwise another user could login as tunnel and read files
seemingly.

Thank you very much.

(Attachment pubkey.asc is missing)

Here is my public key since my attachment was rejected. Thank you again.

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1

lQdGBF4+pV8BEAC11kS+78lclPrBXaxeWzTJRzQJYIrOMpnn9rdGWpq/uWq4VG6+
akBrKJRUNkhL5zjs1C4nrrU6g34KDI01cTNF4DZohuXDup4jCXaWli+z5XBRI4Ex
wkmyhy4NNQMNhMPTd6ssCDGTWARphV36NoKwtIj7qhW6NRxUIOXd0tAU8x9rPNCE
60jzdNkr3BM4P32qG//yLIK5uxlzhODW3tz1FAFDUUA+pfKhZIYTWgknUatBvXZh
rrjRLu9yqZyijeOUmBQJRslWMiO9ZB+WCpvDVaUe0aYOcommllk8OsRwrBUYdjXX
0s7UxwOSprsMOHAj7cQA1HWjCJtl2p/nA3IpsO56u/ponNMrBvgRlc0Am2uD0HXU
BFTAPcG22ZssPHm/22gy3KGLWR+iIHQ12dVtUnCVJ9z8gb7QtpUN3ZvwJxuo+/zc
80rzMU1qjWUQljIaL9mP/Kg+kH8Zj//8Wr8WcHwgKdkgDMe7n4tGMxIDIOorqgyZ
t6w/3wrDSQcxn7nbF2C8nDakMnJksLySOgm97frSsuxdWUvqwtq+gjnaYrgzf54D
xfom0npE3dET7HuTVVjhm+cGQaKZ9bCeRG0cS+FSVys5QwcAUCjCVEfmgBhXP1Do
z2MkqYbz25JxVOVLNHmlw2jbsxGby+Ss2gFSUlJKQuRV4vmj+o/u61gHBwARAQAB
/gcDAg84A8EKyTcjYDABVTumRyyZkfahLjsNyNZPFbWTRmqpKMaowDhk4Q2zmCwM
FLJe3Hii2UzlD+kXwXzc3CR26bwJtrxQRJ9dKJag31iUrHy/RcJ0GaH1vZUkS6kH
YyuY07Uj7xMkiNFqF6do3yhc3FUB/Dsv6dVebbzwtpYALxsqRXJr03M0xD/kjo5p
0Oy5/i0vWOF4A+SyZv5qpPKzZ7/IwlWoVvhZVst7+sKXn7wURayRlgtu5GVn+s35
nfi86O9J4tLEhF/FHIX+7LxlPnAvBy9hWankyNoej5qfGYD4iAi4z6CdUSw/FWfp
GTbLH++F3GaylrIjwxwyC2jqlIP5YJ5V7GCzO5dzXUWDU/93A/IkiZYrgq+KJQcr
2jPWoOK/JKMsDG7oYj2l/I0vbPbtvyt5WYe7QjovZ3alnZdu5LWD0pGeUI4tKQ+t
NllKI1Fl1QLobU7n8zcNd/GfbESb3rHK6HtuXQ2Dapz1NI/YKiGM7CKQ6i88dKvi
wygtPo1DghCRz/7hgDOJQbevvJco9J6zlJtNxoY/oODGhRxFntAiTA5liysFWG05
U5QNdRL76z4IhUfcaade5xL/G4gQpX/d1ZII82N6QXtJbkm2SKEB6Ihu5bpKORGM
kQOXBmnMQL2LdamVy+uwmuvVGpR36WYXkqgJia5QsGH25g1t3maPyMwyQkhJLp7D
2FkX7GB2oUgU3GC+izf//2fG0ueQx0TKyh1BweiOyDw/wdMcxUXsTJOoWIctvYqC
K54ePNAwa3FqiXHfifQgtHx/8Hobb9LCDttEZxTK8xQQhSIwHh1x3DWgr6bF9u6X
kHs0S8tvIj+Of33W6rvZl7K+W1iMDdoR8y2S6RXSVvTevWcvjRJr8hiLGiFIjAWe
TcLzB3r6GqUJKDgwoW2apCdtZ3zNkSx32sIy7T2QL7befvwdTIwTNdKDTFQk42QT
PHD8xl2czRta3BYcIBTWLJXN/9V7IjB8MM2eAoYTpH3rjTZ9vg+C4uAuTeOSTsaD
du8R0rsaF/jCmmPP1atU0Q7xDgkOnlQi9cHlMpz89009/xHhppAvT5A9v6h3xun1
TUMB4m+8U4Pd3vUaWWh7iLHxICpx3YrZGbIFqcpFy3/mjrSyXPaOsuNPkLNWtzHV
MTNQZ83fNt/Hcz2yItLorbQeatOPxYC14iwjdpZRsJBE5q+hX/2/eEdI9DSp0e6N
JdqHWlfv/AMiPlmLaNGUkx5eCObsq1zw597z+Do8sLaTOyPqebOT9UUGzTbrBTLY
81Nhp3zLRCqY79dE0mwuJukv96438OzIC+kvfEH7vfxfKf5SMUR0qyu+GyxFr85y
eaOT6zs/N9z2+xaed4FLhz+t4EIOkTvg/WDoSdEB2XtQNW4gynyd71a3FFAZ7oa6
kNEs/hH3w5R6CUTEox1RAzVV/R5FB9QNW3JndtmMaJYIDJHEUif382waR/Csnz51
sFauL+edhm4GSUC0x9qlts5dHPj5hifJYrcxk5S1qlbwyin7uMytnpUJtbPRVBRh
QL46s1bBi039oW9rBYvylf/6Hbj4WXQTSbuNA6rcAf0bTApqhKquIhTKyIEsqA6O
HJJVymB2AimsW2C8/yX092KJ+s1yV83llLBcOL6idiBmIdd6XFKwZL44EsOQ7ofA
GeghiwoayWBNDvufmOTEmGSyR/ABt2CoVrpJ9AE68u6i03LO9O2YoMxCqR82IvCl
XhgxLCfemJvN45+8LA+nTNmUxeDQKYKTgVXXCbgFcbYHiUrBY//BtLa0HXRiY29t
IDx0YmNvbUBjb3VudGVybWFpbC5jb20+iQI4BBMBCAAiBQJePqVfAhsDBgsJCAcD
AgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCp+MTqIjahenqfD/9FnrjeDFC7LKIpbVdq
WLvHjdqhbfr6sYZstYQdsKKHGgj5enMMc38Y1gU31w7wTL4pjiTX9Q1mXJk37+MO
Z7/BXLBrH/0E3M3zPweERGccJBu9COe61CEY4vJozfvNCd8oDOYMaojkPcqmRyQA
mye4AHSXSXdjNH8cIK4DfuIG/yfHc+GlbVi+8zhJrQuVmpSPsySW1YR+7X46pl35
5bgMKmfEjIeNbf51Gu5FdDUEY50R+DriKCYyuNA7obe383hVYoPwRVnNtgRJmuR8
kuW6ZzSsL009zdXizj6GHk8u2QkWCg6Jo55e64NFdLZnzoQ8fXNKd50A91oDq1ES
p1BNfNBcLH4NsUNrV36SoMZQaqp8TYWG8U6ksyrCHsRN+UyrGsGVyYSbhb6paN62
sBZAHTfIcbhSi0TSR8ZsZe3GEYCPfwjGVfVUkeVMTkN4yMuh9mILFii+bE7cnQqP
KzMeIp5XbE9jOzvgNyOFIJaY8jNDsM/l/jZObjRRDiN4ITu0Qz39ybXiKrD2t8cQ
vw+tcPsMoTXZDmnZ2l7ggxbjrBp+8fQzfWQ6dZHAo3l6NG/XsVng1d7eI3uCEBYO
FOAMxrvflqe8rjApLQ4ruQjD0vUnT8RwQpkGPlROO3qJtc4blTXt6Gs+JI0veXhq
5ylheqq5OjG65G3VNouR7lXd3J0HRgRePqVfARAAsiRCfDc6hoJg7EtazaYsqwDR
iiTU+VOpAujrCHN2hcyUTORaTmFEoZofUuokYDSYu8wCWdOQ2oits+oC2jDRyH95
BBlzAeBmK5KgoJ0Q8LHIfFEeCLWtUnQfLMBEidvMqsCZrLzM1CEaePEix+DfEQDU
ZQdwi9xg6LdOcw5xk7XNjqj8YW1nAGC4OTO1G8YZzPTFd4JpbCoCZ77fFdJecwjv
J0+S7aMqaSjuJCokDxTooh+lX5TpkKbcVjJ1UM494Re67CkkGpPEfGZyUCgMWRjR
iyb5E7H/Rs5AR+wq9f997FexradnQBF1a/BiDgEMQ4EvGK8H3UHJuQXgNRn0iLeE
L1zJOomwmQODtp9gOheOL4nE5Mj4irijhe1pcuJ+csLo1hSN6OqKDtbiCoicBl74
nRK2dlpWo7kspc8skRRsfz4AZKYE+u/dggbBHgbPWY268KOqQZZ7/KflSngx+RLI
Ap/K9s38cNSLyFtZ/YGaLVW+MooDFcrZU18yudf67Khgi3RH+kSTTtrGZovL5sPy
BEh/VAq/9dc0pGD6QLq1L8lrehCo7y8pprA2NyDmeICfQzp6s6manFCL3BM+teUa
vdieYAWfyTTjlFSnEQOvu1vTAbYBrzfeIcVyzxE110IF1cPiG4HZMNwmpdPVxQ4F
lWJAR3W/FZKpcnIEQRcAEQEAAf4HAwIPOAPBCsk3I2Ac1THnf+7kPCxdifpIw0XR
SHqmwnd1/BYy30ugwtnGfq5EQR2DNiuLGplglEd4sEiJDGEAi9ZM9WMREhyqPxDa
TKe5p77v8XRSLHEu8l1upYP5svVCjQuULAdVruyfUgvsbUb87UI7cb38jvxRFOEb
Yq83b4E2fOaSSBK6G8dUzQxQF+TX5aJ2YTbyjmIjxeBEi6l3hNwukJZLbPuycrrr
tuj+ESRgL5UAElNhmRoxvAwoBtfflvGqsfczm45ojwUxpcQwsZq1VmgD8G2vNJfq
gdMwaY4MdXBFr18B4hHur1l1SgA5OKjB4y766okdvhLbMcXm4WPKMbwboT/Skz5g
86r/acs7GDqQzNXvSx+ROTNj7oObFuXqHdNDpXp05yJIvu7HjKdmfF/12DGy8mkj
PkSJ2ornpc6g9F0BysGjJ+qF86x18HT085k7FREuwIbH33F5CvQMFzmEj54ttpmt
bMpMz2BDhWpUP/XqX44g6cYEJiqPDXmVQ9rfgVjRnQ2kEAfHCYZeJ8f7ZwUoHKES
FmN7tX8pgjHFY6NE+Cxb1Ztr8tJ4M9/R02/mqxufEoX9uNNGPuOW3zcjn9ic3Eht
HuClEO2dX0ga7C1NM1YfyYM3kVM5Fa3eBtflfWrMLSQBc7fESoIP22TARNkU80XD
yZ7MdG7xsdm/6oRJFPINRFLU25p/I0AcPgjSeMWYL7I7IGcFGMuagk6eFBSmz+IB
s8jZcSv/QAIHWqniI5cIAZox34r3kVP8zvRnpIShx++5CyK0EfaZbvwLQMpNpXDQ
CVTZymuMIQ/nBNkIhxNcsi5JZymnKUW4wKKkf/1zOefYnap7owAXmcsTYHokQaaF
6936KGGkk0yJQn5ElYaQEnsFY/2yb93WnjuqYu7F/6w6VFTtzViEdMNL6B/tlM60
5IyGfHkjueme1VVTCOdmKjKdkPHNi2soWH8y8fTDZ5EC04WXdViu+jSE26f0egPD
LuiXEOW/EDqYsnZpSR798bi2Ni5ekTLlrSZOt5HufGBpugCdTtf/T2j8n2T8VSL+
c5ItUsJqPAIaFxjG3ZtHeuueJv/8KV3PoV/gtXcaZx6VrLyYmNLnGpvN3sTJknW3
RS7FDBfDb2KBrl3SCEgrsdGd5ifFhc0CVjDdNMPNqHPHAP67sbImtI6R8gSpRknk
lV31aQ9D59Dcr+WQkxMYauzdg8QK12r13j2khdubVcAnA4P8chkll24B0tPdL/wJ
P7sb+iZ1wc8dkisbPDOkMBNQ0scs/CNjq2fHmD0apb89sck+vFmdX/wl7Vu/fvN9
6riBJW5xEUVOfs/oTI+b/ShFc0/v6x27k3aaooClHWks7DlDfeoImcuUg43VugOO
x9noXsboomsLUJ5zzwqIt52g9ANqBPnETjl1+pTiZ/DgCck2If6Hz1fxsYSvZOAs
Uhw3VOxDk/2EtoyER8LpAKDhUBoaj3qMr5m7xXmo387yvjgN9X0gT+BOOjNaj4pj
AMU5KhZy62H3Fn/Whgk8wTujizkUOWTkSGo1TrRzqzM8zEBdtU8a0+8eeO3SkE3a
5PeqjNsf853rjBMqLU03WNube9dYtkZy6wCDfqvoMiTmbNxK2hNHbG4T0RhbXVXf
G2VrMXWD3/v9IKB27YvLG2zHpKZN1yK/qtrEB1ahGT15dq/IvE8AUlzpyLnWRkjf
oJa7eJLuVuCLQNXE3xSyHySLdehdoOBqU1PMstW/B205hwxkemLK9Xc+urQz2ZNV
o+jGb3gWgadqRyHYiQIfBBgBCAAJBQJePqVfAhsMAAoJEKn4xOoiNqF6IdoQAJ+U
g9QASjkaKWrynL0DDD7pWxsUhgkspaFtWaEzJaFFtydJRryJu4iUKe3WpaMNu734
5cNBWbpUtTA62c6jx12h2jXBlFS0lPmAvLNmR96xWp+8LxnqFuvvUIR1ywdlzVsX
/lCr/r3l3n9afgOx2QjgwedsxkJWMPsu4gPO0q9eLaC0NpoyWNZ5+T3XMlF3qPCt
icbH4BpjcshMZ35xRAbYKrV2sGgP7n2Feg3FRwjdKjKvTDkQAu/iA6ngVHLKWMhx
507GlZtfefxaXAG6OE650LmP0ghNfJ/G8MG7nstIebzAMw0NlrYUtz/IemrIP3kC
4xnB8GW9KK2WmbjH2NGy8RD/FfBdXvnsYVviwr2kM/RcUBhbeyI5Q2GJ5nQFqpAB
wcyLFG7JaxAugQw02FXD1rIikLxxka7fZ61HsUK2yVV2Uo0Ap36O7GpHOx5J0dAV
weS2mYq9F273Gj1fGEXeOTG1bSA4g5tSIXiBrqfBOqrWgfSjUlCualzKymY364U7
pPOigJppvl0CU7+ORRfghud3iyLkI5hEtXCLZIPJxz4JGIe+/cP+mZxcFALE2kGl
Z6VEEfBTbJoE5Y9BFzZGCWkwGQRMmptOEM8JQVRACOo3B7xvBppkUaqg/wL+MO08
Pa4YvsGg2DIKRWRlLxrY3dZHakdgyFvpbqsMJtR0
=pQQG
-----END PGP PRIVATE KEY BLOCK-----

This is a public forum. And my time is very limited. Therefore I am not suited as OpenPGP training partner.

Yes.

Ok.

This is only if you follow the instructions.

No. No password set is different from empty password. In essence: no password set = no login possible.
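A way to verify the distinction made in the reply above, added here as an example (not from the thread or the vpn-firewall project): in /etc/shadow a locked password field (`!`, `!!` or `*`) means no password is set and password login is impossible, whereas an empty field means login with an empty password. The functions take lines in shadow and passwd format as arguments; the sample entries are constructed, and the account name tunnel with a /usr/sbin/nologin shell is an assumption about how the service user would be created.

```shell
#!/bin/sh
# Added example (not from the thread or vpn-firewall): classify a service
# account's login state from its /etc/shadow and /etc/passwd entries.

# shadow_password_state SHADOW_LINE
#   prints one of: locked | empty | set
#   Field 2 of /etc/shadow is the password hash:
#     "!" "!!" "*"  -> locked: no password set, password login impossible
#     "!<hash>"     -> a hash exists but the account was locked (passwd -l)
#     ""            -> empty password: login succeeds with just Enter
#     anything else -> a real hash, login with that password
shadow_password_state() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '!'|'!!'|'*')  echo locked ;;
        '')            echo empty ;;
        '!'*)          echo locked ;;
        *)             echo set ;;
    esac
}

# passwd_shell_allows_login PASSWD_LINE
#   returns 0 when the login shell (field 7) is a real shell,
#   1 when it is a nologin binary or /bin/false
passwd_shell_allows_login() {
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# account_can_login SHADOW_LINE PASSWD_LINE
#   prints "yes" only when a usable (or empty) password exists AND the
#   shell permits an interactive login; "no" otherwise
account_can_login() {
    state=$(shadow_password_state "$1")
    if [ "$state" = locked ]; then echo no; return; fi
    if passwd_shell_allows_login "$2"; then echo yes; else echo no; fi
}

# Constructed sample entries (not real system data):
SHADOW_LOCKED='tunnel:!:18000:0:99999:7:::'
SHADOW_EMPTY='tunnel::18000:0:99999:7:::'
PASSWD_NOLOGIN='tunnel:x:999:999:OpenVPN unprivileged user:/nonexistent:/usr/sbin/nologin'
PASSWD_SHELL='tunnel:x:999:999:OpenVPN unprivileged user:/home/tunnel:/bin/bash'

# On a live system you would feed the real entries instead, e.g.:
#   account_can_login "$(sudo getent shadow tunnel)" "$(getent passwd tunnel)"
```

A system account created with no password therefore needs no password set to keep others out of it; `passwd -S tunnel` shows the same information as L (locked), NP (no password) or P (usable password), and a nologin shell is a second, independent barrier.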

Thank you very much, you were helpful. I was not requesting pgp
training, only that we encrypt messages, but again it’s no biggie.

Dude you posted the key that keeps the messages encrypted…

It’s called private because it is meant to stay that way. I hope you didn’t use it in anything important.


Re: key

Aha, I knew I would do something stupid. Well fortunately it’s no
biggie and I can change the key.