Hi,
When using an openvpn chroot jail, is it better to have the CA, CERT, KEY, DH and TLS_AUTH files inside the chroot? I’m able to establish a connection when these files aren’t present inside the chroot, but I was just wondering if there was some reason (stability/reliability) for these files to be available inside the chroot.
Can anyone confirm that the CLIENT_CONFIG_DIR, the IFCONFIG_POOL_PERSIST, the CRL_VERIFY (ca.crl) and the AUTH_USER_PASS_VERIFY script have to be available inside the chroot, as do the script “dependencies”? At least, that’s what I understood from the openvpn manual.
The log files are always created in a path outside the chroot, even though the same path exists inside the chroot.
Regarding the AUTH_USER_PASS_VERIFY, is it better to mount --bind the script dependencies inside the chroot or to just copy them to the appropriate dir inside the chroot?
Regarding the TMP_DIR option, I did a mount --bind of /dev/shm (as suggested in the openvpn manual) inside the chroot, but in openwrt, /dev/shm is a link to /tmp/shm, should I mount --bind /tmp/shm instead of /dev/shm or is it the same? Which is better, mount --bind /dev/shm or /tmp/shm?
How can I make /dev/urandom available inside the chroot? Does the kernel have a getrandom() or getentropy() syscall?
Thank you for your help.
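The checklist from the question (client-config-dir, ifconfig-pool-persist, crl-verify, the auth-user-pass-verify script and its interpreter, tmp-dir, plus a /dev/urandom node) as a small audit script. This is an added example, not code from the post or from the OpenVPN project; it assumes those options are opened after chroot() and that relative paths then resolve against the chroot root, and it only checks that each path is present (a bind mount and a copy both satisfy it). The server.conf and half-populated chroot it builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the post or the OpenVPN project): audit a chroot for
# the paths OpenVPN opens *after* chroot(), assuming relative paths resolve
# against the chroot root and the script interpreter must exist there too.

# audit_chroot <server.conf> <chroot-dir>: prints one "missing: ..." line per
# problem; returns 0 when the chroot is complete, 1 otherwise.
audit_chroot() {
    conf=$1; root=$2; missing=0
    for opt in client-config-dir ifconfig-pool-persist crl-verify \
               auth-user-pass-verify tmp-dir; do
        # first argument only (2nd word of auth-user-pass-verify is via-env/via-file)
        path=$(awk -v o="$opt" '$1 == o { print $2; exit }' "$conf")
        [ -n "$path" ] || continue
        case "$path" in /*) ;; *) path="/$path" ;; esac
        if [ ! -e "$root$path" ]; then
            echo "missing: $opt -> $root$path"; missing=$((missing + 1))
        elif [ "$opt" = auth-user-pass-verify ]; then
            # the script's interpreter (from its #! line) is a dependency too
            interp=$(sed -n '1s/^#! *\([^ ]*\).*/\1/p' "$root$path")
            [ -z "$interp" ] || [ -x "$root$interp" ] || {
                echo "missing: interpreter $interp for $path"; missing=$((missing + 1)); }
        fi
    done
    [ -c "$root/dev/urandom" ] || { echo "missing: /dev/urandom under $root"; missing=$((missing + 1)); }
    [ "$missing" -eq 0 ]
}

# make_sample: constructed config and half-populated chroot in a temp dir (sample data).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/chroot/ccd" "$d/chroot/tmp" "$d/chroot/scripts"
    printf '#!/bin/sh\nexit 0\n' > "$d/chroot/scripts/auth.sh"
    cat > "$d/server.conf" <<'EOF'
ca /etc/openvpn/ca.crt
chroot /var/lib/openvpn/chroot
client-config-dir /ccd
ifconfig-pool-persist /ipp.txt
crl-verify /ca.crl
auth-user-pass-verify /scripts/auth.sh via-env
tmp-dir /tmp
EOF
    echo "$d"
}

# run the audit on the constructed sample
s=$(make_sample)
audit_chroot "$s/server.conf" "$s/chroot" || echo "chroot incomplete"
```

On the sample it reports ipp.txt, ca.crl, the script's /bin/sh interpreter and /dev/urandom as missing, while the ccd directory, tmp-dir and the script itself pass.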