
Chapter 6. Configure OpenVPN

6.1. The OpenVPN server
6.1.1. eurephia and SQLite3
6.2. The OpenVPN clients
In Chapter 4, Initial configuration, we did the initial configuration of eurephia. The firewall integration was covered in Chapter 5, Firewall integration. But OpenVPN will not make use of the eurephia plug-in yet. This chapter will explain how to make OpenVPN use eurephia for the authentication.

eurephia supports only TAP devices

Beware that eurephia v1.0 will only support TAP mode at the moment. This is due to eurephia expecting each client connection to have a MAC address. This limitation is planned to be removed in a later version of eurephia.

Presumptions

This chapter presumes the OpenVPN configuration file to be /etc/openvpn/openvpn.conf.

6.1. The OpenVPN server

The OpenVPN server side must have the plug-in interface enabled at compile time. If you compiled OpenVPN yourself or installed it via a supported distribution, this should already be enabled by default. In the OpenVPN configuration file, you will then need to add a plugin option. With the default location of the eurephia plug-in files, it should be something like this:
plugin /usr/lib/eurephia/eurephia-auth.so "{eurephia arguments}"

Important

Please note that all the eurephia arguments must be enclosed in double quotes ("). If this is not done, the eurephia plug-in will only receive the first part of the arguments and not all of them.
The arguments the eurephia plug-in takes are:
  • --log-destination or -l
    This defines how eurephia will do its logging. It can take a filename to log to a file. If the string is openvpn: it will pass the log data over to OpenVPN, which will combine the OpenVPN and eurephia logs. You can also log via syslog, by indicating syslog:. The last possible special value is none: which will disable logging completely.
    With syslog: you can also define which syslog facility the logging will go to. The default is to log to the user facility. Other supported facilities are authpriv, daemon and local0 to local7. To send log data to the daemon facility, the --log-destination argument needs to be
    --log-destination syslog:daemon
  • --log-level or -L
    This defines how verbose the eurephia logging will be. The required argument to this option must be a numeric value, where 0 gives as little logging as possible (only informative messages) and a high value like 50 gives really verbose logging. In general, a log level below 4 should be more than enough under normal circumstances.

    Debug logging

    To make logging above the log-level of 10 work, eurephia must have been compiled with debugging enabled.
  • --database-interface or -i
    This argument must have a full path to the eurephia database driver module. This defines which database interface eurephia will use.

Note

The only required argument is --database-interface. The other options are optional.
After these general arguments, a double dash (--) must follow before the arguments which the database driver requires.

6.1.1. eurephia and SQLite3

The SQLite3 driver only needs one argument, the filename of the database. A complete example for the default values of eurephia with SQLite3 would then be something like this:
plugin /usr/lib/eurephia/eurephia-auth.so "-L 2 -i /usr/lib/eurephia/edb-sqlite.so -- /etc/openvpn/eurephiadb"

SQLite3 creates temporary files

When SQLite3 does database updates, it will create temporary journal files (e.g. /etc/openvpn/eurephiadb.jnl) during the write operation. The user which OpenVPN is configured to run as therefore needs write access to this directory, to be allowed to create and write to the journal file. If SQLite3 is not able to create the temporary files, it will give an error about problems connecting to the database.
If you are using the --chroot feature, SQLite3 will create this journal file inside the chroot jail. For example, if you use --chroot /var/openvpn in your OpenVPN config and /etc/openvpn/eurephiadb for the database, SQLite3 will create the journal file in /var/openvpn/etc/openvpn/. In this scenario the OpenVPN user only needs write access to the chrooted directory. The database file itself must stay outside of the chroot, as the access to this database file is established before OpenVPN enters the chroot jail.