After enabling CRL checking on my OpenVPN server, I ran into an annoying permission issue. When I tried connecting from the Android app, the connection would simply time out. Before enabling CRLs this had never happened, so I realized there must be something wrong with them.
So I looked into the OpenVPN log (/var/log/openvpn.log) and noticed the following entry:
CRL: cannot read: /etc/openvpn/easy-rsa/keys/crl.pem: Permission denied (errno=13)
The weird thing was that both the crl.pem file and the whole /etc/openvpn folder were owned by root and were perfectly readable with nano crl.pem from the CLI. So from a filesystem point of view, everything looked OK.
Then I remembered these two lines from server.conf:
user nobody
group nogroup
This is the user and group that the OpenVPN daemon runs as after startup, whereas I had been checking the permissions as root. So yes, when logged in as root everything looked fine, but once OpenVPN started, the permission error appeared because the user nobody had no permissions on the CRL file.
sudo chown -R nobody:nogroup /etc/openvpn
sudo chmod -R 700 /etc/openvpn
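To see why the same file reads fine as root but fails for the daemon account, here is an added Python check (not code from the original post) that applies the Unix owner/group/other rules for a given uid and group set along every component of the path, which is what the kernel does when OpenVPN opens the CRL after dropping to nobody. The temporary directory tree and the uid 65534 standing in for nobody are constructed for the demo; the real CRL path is the one from the log above.

```python
import os
import stat
import tempfile

def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """Unix DAC rule: owner class if uid matches, else group class if a gid matches, else other."""
    if uid == 0:
        return True  # root bypasses read/search checks (CAP_DAC_READ_SEARCH)
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def can_read_as(path, uid, gids):
    """Could a process running as uid/gids open `path` for reading?
    Each ancestor directory needs search (x); the file itself needs read (r)."""
    gids = set(gids)
    path = os.path.abspath(path)
    cur = os.sep
    for comp in path.split(os.sep)[1:-1]:
        cur = os.path.join(cur, comp)
        st = os.stat(cur)
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, f"no search (x) permission on directory {cur}"
    st = os.stat(path)
    if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, (f"no read (r) permission on {path}: mode "
                       f"{oct(stat.S_IMODE(st.st_mode))}, owner uid {st.st_uid}")
    return True, "readable"

def demo():
    """Constructed sample: a throwaway tree shaped like /etc/openvpn/easy-rsa/keys/crl.pem,
    crl.pem mode 600 and owned by whoever runs this (root on a real server)."""
    base = tempfile.mkdtemp()
    keys = os.path.join(base, "easy-rsa", "keys")
    os.makedirs(keys)
    for d in (base, os.path.join(base, "easy-rsa"), keys):
        os.chmod(d, 0o755)  # directories are searchable by everyone, as /etc normally is
    crl = os.path.join(keys, "crl.pem")
    open(crl, "w").write("constructed placeholder, not a real CRL\n")
    os.chmod(crl, 0o600)
    me = os.getuid()
    foreign = 65534 if me != 65534 else 65533  # stands in for 'nobody' without needing root
    return {"owner": can_read_as(crl, me, {os.getgid()}),
            "root": can_read_as(crl, 0, {0}),
            "nobody": can_read_as(crl, foreign, {foreign})}

if __name__ == "__main__":
    for who, (ok, why) in demo().items():
        print(f"{who:>7}: {'OK' if ok else 'DENIED'} ({why})")
```

Run with the daemon's real uid/gids against the server key as well as the CRL: after the recursive chown above, everything under /etc/openvpn, not only crl.pem, is readable by nobody, which is worth confirming is what you intend.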