run OpenVPN with a different user than root

Started by manzano, February 16, 2021, 11:06:29 AM

Hi, I would like to know if it's possible to run the OpenVPN service with a user I created and not as root. So far I used the console to stop the OpenVPN service to then try to restart it using a different user, however that didn't work and caused the problem that clients could no longer connect to the VPN server.
If you have any ideas or experience how I can pull that off, your help is much appreciated since I'm overall new to OPNsense.

Thanks a lot

Manzano

OpenVPN needs to create interfaces, assign IP addresses and routes - all of which need root privileges. What are you hoping to achieve?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Sorry my question was wrong.

I want to send the OpenVPN logs in OPNsense to a SIEM using a universal forwarder. Unfortunately the access of the OpenVPN log requires root so I have to run the Splunk Forwarder also as root to be able to read the logs. My end goal is to have a user Splunk which runs the Forwarder and has access to the log but is not root. So I need a solution for the Splunk user to read the log without being root while at the same time not changing the access right on the file if possible.

Thanks in advance



Add these lines to your OpenVPN server config:

--user splunk
--persist-key

You can do this (for now) from VPN, OpenVPN, Servers, edit, but you'll have to go command line at some point.

(lots of) details are here: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

Bart...
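
As an added example that is not part of the original posts: a POSIX sh check of a server config for the privilege-drop options named above. The function names and the sample config are constructed, and the persist-tun and group checks go beyond what the post lists.

```shell
#!/bin/sh
# Added example (not from the thread): lint an OpenVPN server config for the
# privilege-drop options discussed above. Function names are hypothetical.

# Print the first argument of directive $2 in config file $1 ("yes" for a bare
# flag). Comments are stripped and a leading "--" is accepted.
ovpn_get() {
    awk -v key="$2" '
        { sub(/[#;].*/, ""); sub(/^[ \t]*(--)?/, "") }
        $1 == key { print ($2 == "" ? "yes" : $2); exit }
    ' "$1"
}

# Report problems with the privilege drop in config $1; returns their count.
check_privdrop() {
    pd_conf=$1
    pd_problems=0
    pd_user=$(ovpn_get "$pd_conf" user)
    if [ -z "$pd_user" ]; then
        echo "FAIL: no 'user' directive, the daemon keeps root after startup"
        pd_problems=$((pd_problems + 1))
    elif ! id "$pd_user" >/dev/null 2>&1; then
        echo "FAIL: user '$pd_user' does not exist on this host"
        pd_problems=$((pd_problems + 1))
    fi
    # Without these, a SIGUSR1 or ping-restart after the drop cannot re-read
    # root-only key files or reopen the tun device. Exact names only, so a
    # misspelling such as "persist-keys" is reported as missing.
    for pd_opt in persist-key persist-tun; do
        if [ -z "$(ovpn_get "$pd_conf" "$pd_opt")" ]; then
            echo "FAIL: '$pd_opt' is missing"
            pd_problems=$((pd_problems + 1))
        fi
    done
    [ -n "$(ovpn_get "$pd_conf" group)" ] ||
        echo "WARN: no 'group' directive, the process keeps its startup group"
    return "$pd_problems"
}

# Usage: sh check_privdrop.sh /path/to/server.conf
if [ "$#" -gt 0 ]; then
    check_privdrop "$1"
else
    # Constructed sample: user set, persist-key misspelled, no group.
    pd_tmp=$(mktemp) && printf '%s\n' 'user nobody' 'persist-keys' 'persist-tun' >"$pd_tmp"
    check_privdrop "$pd_tmp" || true
    rm -f "$pd_tmp"
fi
```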

Thanks for the help!

I have no problem with working over the console.
After I added the lines to the server.conf and restarted the service I could no longer connect clients. Only after removing the two lines was I able to connect again. Any tips on that?

Thanks in advance

Manzano

Does the daemon listen on the port you've specified? Check netstat -lun | grep vpn for evidence.

Increase the logging output for the log with verb options to see where the problems are.

Bart...