I am using tls_crypt => true, and connections to the server fail with the following log message:
Read error on key file ('/etc/openvpn/server/winterthur/keys/ta.key')
The problem is that the winterthur/easy-rsa/keys directory (which keys is a symlink to) is created with root:root ownership and read/write permissions for the owner user only.
OpenVPN seems to read the ta.key after privilege drop, so it would be necessary to
- make the keys directory group-owned by the group used for OpenVPN with at least x permission for the group
- make the ta.key file owned by that group as well with 640 permission
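As an added example (not part of this report), a small POSIX shell check for the two conditions above: every directory on the resolved path of ta.key must be traversable by OpenVPN's unprivileged group, and the key itself must be group-owned by that group with mode 640. It assumes GNU coreutils (`stat -c`, `readlink -f`) and takes the group as a numeric gid; the key path is the one from the log message.

```shell
#!/bin/sh
# Added example, not from the original report. Checks that OpenVPN's unprivileged
# group can reach and read ta.key after the privilege drop: every directory on the
# symlink-resolved path must be traversable (x) by that group, and the key itself
# must be group-owned by it with mode 640.
# Assumes GNU coreutils (stat -c, readlink -f). The group is passed as a numeric
# gid, e.g. "$(getent group nogroup | cut -d: -f3)" (the group name is an assumption).
#
# Usage: check_key_access /etc/openvpn/server/winterthur/keys/ta.key "$gid"
# Prints one line per problem; returns 0 when the key is readable, 1 otherwise.

# digit MODE POS: octal digit POS of MODE (1 = owner, 2 = group, 3 = other),
# ignoring a leading setuid/setgid/sticky digit.
digit() {
    printf '%s' "$1" | tail -c 3 | cut -c"$2"
}

check_key_access() {
    key=$(readlink -f "$1")   # follows the keys -> easy-rsa/keys symlink
    gid=$2
    rc=0

    dir=$(dirname "$key")
    while [ "$dir" != "/" ]; do
        mode=$(stat -c %a "$dir")
        dgid=$(stat -c %g "$dir")
        # Traversal needs x for others, or x for the group when the group matches.
        if [ $(( $(digit "$mode" 3) & 1 )) -eq 0 ] &&
           { [ "$dgid" != "$gid" ] || [ $(( $(digit "$mode" 2) & 1 )) -eq 0 ]; }; then
            echo "not traversable by gid $gid: $dir (mode $mode, gid $dgid)"
            rc=1
        fi
        dir=$(dirname "$dir")
    done

    fmode=$(printf '%s' "$(stat -c %a "$key")" | tail -c 3)
    fgid=$(stat -c %g "$key")
    if [ "$fgid" != "$gid" ]; then
        echo "wrong group on $key: gid $fgid (expected $gid)"
        rc=1
    fi
    if [ "$fmode" != "640" ]; then
        echo "wrong mode on $key: $fmode (expected 640)"
        rc=1
    fi
    return $rc
}
```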