On Tue, Sep 9, 2025, at 5:31 AM, Jan Just Keijser wrote:
> Hi Dan,
>
> On 08/09/2025 23:28, Dan Langille wrote:
>> On Mon, Sep 8, 2025, at 4:38 PM, Gert Doering wrote:
>>> Hi,
>>>
>>> On Mon, Sep 08, 2025 at 04:24:48PM -0400, Dan Langille wrote:
>>>> I'm using openvpn-2.6.14 on FreeBSD 14.2
>>>>
>>>> I've noticed these log entries:
>>>>
>>>> Sep 8 18:32:02 gw01 openvpn[63572]: pro06.int.example.org/10.0.0.10:64601
>>>> OPTIONS IMPORT: reading client specific options from:
>>>> /usr/local/etc/openvpn/ccd/pro06.int.example.org
>>>> Sep 8 18:32:02 gw01 foo[38754]: pro06.int.example.org connected with IP
>>>> 10.0.0.10
>>>> Sep 8 18:32:02 gw01 openvpn[63572]: pro06.int.example.org/10.0.0.10:64601
>>>> OPTIONS IMPORT: reading client specific options from:
>>>> /tmp/openvpn_cc_7e069917a782727053dbfb713ff7e3d6.tmp
>>>>
>>>> Why would the second entry be running as user foo?
>>> Ignore my previous mail, I was assuming "this is an openvpn log prefix",
>>> but that's on the other side of "name[pid]:".
>>>
>>> So this is from a different process than openvpn (pid=63572). No idea
>>> what is running there - do a "ps axwu |grep 38754" to find out...
>> The processes appear to be short-lived. I think I know why:
>>
>> client-connect /usr/local/sbin/serverlocal-events.sh
>> client-disconnect /usr/local/sbin/serverlocal-events.sh
>>
>>
>> # ls -l /usr/local/sbin/serverlocal-events.sh
>> -rwxr-xr-x 1 root wheel 395 Sep 5 19:22
>> /usr/local/sbin/serverlocal-events.sh
>>
>> # cat /usr/local/sbin/serverlocal-events.sh
>> #!/bin/sh
>>
>> # Taken from https://forums.openvpn.net/viewtopic.php?t=43899
>>
>> # Executed on the server side for client connect and disconnect events.
>>
>> # Log client connect or disconnect event with IP address
>>
>> case "$script_type" in
>>   client-connect)
>>     logger "$common_name connected with IP $trusted_ip"
>>     ;;
>>
>>   client-disconnect)
>>     logger "$common_name disconnected with IP $trusted_ip"
>> esac
>>
>> That's the script which produces the foo entry. I see no reason for it to
>> run as foo.
>>
>
> Does your openvpn configuration file itself contain an entry similar to
>
> user foo
> group foo
>
> ? When the client-connect script is run, OpenVPN has switched to whatever
> user you specify there.
>

It has neither of those directives.

[*11:19* gw01 *dvl* *~*] % sudo grep -i user /usr/local/etc/openvpn/openvpn.conf
[*11:19* gw01 *dvl* *~*] % sudo grep -i group /usr/local/etc/openvpn/openvpn.conf
[*11:19* gw01 *dvl* *~*] %

--
Dan Langille
[email protected]

_______________________________________________
Openvpn-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-users
