Openvpn Chroot Config


#1

Hi,

When using an openvpn chroot jail, is it better to have the CA, CERT, KEY, DH and TLS_AUTH files inside the chroot? I’m able to establish a connection when these files aren’t present inside the chroot, but I was just wondering if there was some reason (stability/reliability) for these files to be available inside the chroot.
Can anyone confirm that the CLIENT_CONFIG_DIR, the IFCONFIG_POOL_PERSIST, the CRL_VERIFY (ca.crl) and the AUTH_USER_PASS_VERIFY script have to be available inside the chroot, as do the script “dependencies”? At least, that’s what I understood from the openvpn manual.
The log files are always created in a path outside the chroot, even though the same path exists inside the chroot.
Regarding the AUTH_USER_PASS_VERIFY, is it better to mount --bind the script dependencies inside the chroot or to just copy them to the appropriate dir inside the chroot?
Regarding the TMP_DIR option, I did a mount --bind of /dev/shm (as suggested in the openvpn manual) inside the chroot, but in OpenWrt /dev/shm is a link to /tmp/shm. Should I mount --bind /tmp/shm instead of /dev/shm, or is it the same? Which is better, mount --bind /dev/shm or /tmp/shm?
How can I make /dev/urandom available inside the chroot? Does the kernel have a getrandom() or getentropy() syscall?

Thank you for your help.


#2

Can anyone help with this?!


#3

Chroot disallows the openvpn server from accessing any file outside of the chroot, so all dependencies and everything else have to be inside the chroot directory.

Either bind-mount /tmp/shm or just mount tmpfs there. It does not matter. The idea is not to write logs on flash, as that would damage it and effectively send your router to silicon heaven.

Mounting dependencies into the chroot is possible, but you would have to mount the whole bin and lib there; that defeats the purpose of chroot and increases the possibility of an attacker escaping from the chroot. A better solution would be to selectively choose binaries and libraries and hardlink them into the chroot. Note that it has to be a hard link, because soft links are expanded relative to the chroot. This also means that the chroot has to be on the same FS as /bin, /lib, /usr and others.


#4

Thank you for your help. I ended up creating the same dir tree inside the chroot as was in the openvpn config, and copied the dependencies I wanted inside the chroot. So everything works even if I disable chroot. Instead of a hardlink I copied the needed dependencies inside the chroot. For example I created a lib and bin dir inside the chroot and copied sh, awk, busybox, libgcc_s.so.1, etc. inside. Space isn’t a problem so I thought it would be better than creating a hardlink. I had /dev/shm bind-mounted, but I’m going to change it to /tmp/shm, as you suggest. Logs are written outside the chroot in a dir inside /srv where my ssd disk is mounted. TMP_DIR is where the user/pass file is stored for verification using the AUTH_USER_PASS_VERIFY script. That’s why TMP_DIR was /dev/shm, so that file never touched the disk, but as /dev/shm is a link to /tmp/shm, and as you suggested, it’s better to just use /tmp/shm. As to /dev/urandom, do you know if the kernel has a getrandom() or getentropy() syscall? Do you know if it’s better to have the CA, CERT, KEY, DH and TLS_AUTH files inside the chroot? I know CLIENT_CONFIG_DIR, the IFCONFIG_POOL_PERSIST, the CRL_VERIFY (ca.crl) and the AUTH_USER_PASS_VERIFY script have to be available inside the chroot, but I can’t find information anywhere regarding CA, CERT, KEY, DH and TLS_AUTH. Do I put these outside the chroot for more security, or inside for stability/reliability? Sorry to bother you with this and thank you for your help!
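As an added example, not code from anyone in this thread, the following shell script does the hardlink-or-copy staging discussed in #3 and audits a server config for the question raised in #1 and #4: which referenced paths must exist inside the jail. It relies on OpenVPN applying its chroot after initialization, so ca, cert, key, dh and tls-auth are read from the outside paths at startup and only need to be inside the jail when the daemon re-reads them on a SIGUSR1 or ping-restart, which persist-key prevents; the absolute config paths, the directive list and the demo tree are the example's own assumptions.

```shell
#!/bin/sh
# Stage a file into an OpenVPN chroot jail and audit a server config for
# paths the daemon opens after chroot(). Constructed example, not thread code.
# Assumes the config uses absolute paths (no --cd) and one directive per line.

# Mirror $src inside $jail at the same path. Hardlink when the jail is on the
# same filesystem (no extra flash use); fall back to a copy across devices.
stage_into_chroot() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    ln -f "$src" "$jail$src" 2>/dev/null || cp -p "$src" "$jail$src"
}

# Value of the first directive named $2 in config $1 (empty if absent).
conf_value() { awk -v d="$2" '$1==d{print $2; exit}' "$1"; }

# Report paths missing from the jail; return 1 if any, 2 without a chroot line.
# ca/cert/key/dh/tls-auth are read before chroot(); without persist-key they
# are re-read on SIGUSR1 or ping-restart, so then they must be in the jail too.
check_config_paths() {
    cfg=$1; rc=0
    jail=$(conf_value "$cfg" chroot)
    [ -n "$jail" ] || { echo "no chroot directive in $cfg" >&2; return 2; }
    set -- client-config-dir ifconfig-pool-persist crl-verify auth-user-pass-verify tmp-dir
    if ! grep -q '^persist-key' "$cfg"; then set -- "$@" ca cert key dh tls-auth; fi
    for d in "$@"; do
        p=$(conf_value "$cfg" "$d")
        if [ -n "$p" ] && [ ! -e "$jail$p" ]; then
            echo "missing in jail: $d $p"; rc=1
        fi
    done
    return $rc
}

# Constructed demo tree: a fake root with a jail and a minimal server config.
ROOT=$(mktemp -d); JAIL=$ROOT/var/openvpn-jail
mkdir -p "$ROOT/etc/openvpn/ccd" "$JAIL"
printf '#!/bin/sh\nexit 0\n' > "$ROOT/etc/openvpn/verify.sh"
cat > "$ROOT/server.conf" <<EOF
chroot $JAIL
persist-key
client-config-dir $ROOT/etc/openvpn/ccd
auth-user-pass-verify $ROOT/etc/openvpn/verify.sh via-file
crl-verify $ROOT/etc/openvpn/ca.crl
EOF
stage_into_chroot "$JAIL" "$ROOT/etc/openvpn/verify.sh"
mkdir -p "$JAIL$ROOT/etc/openvpn/ccd"
if check_config_paths "$ROOT/server.conf"; then echo "jail complete"; else echo "jail incomplete"; fi
```

The demo reports the CRL as missing because crl-verify is re-read on every client connect; dropping persist-key from the config makes the checker demand the key material inside the jail as well.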