# Log rotation

## woodson2 (Jul 8, 2009)

I'm running OpenVPN on FreeBSD 7.2.

I currently have the following entry in /etc/newsyslog.conf for rotating my openvpn.log file:

```
/var/log/openvpn.log    root:wheel      600  5     *    $W5D23 JC /var/run/openvpn.pid
```
The log rotates, but it can't restart openvpn... this is what I see in the openvpn log:

```
Fri Jun 26 23:00:02 2009 us=800261 Note: cannot open openvpn-status.log for WRITE
Fri Jun 26 23:00:02 2009 us=800286 Note: cannot open ipp.txt for READ/WRITE
Fri Jun 26 23:00:02 2009 us=809848 Cannot open /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem for DH parameters: error:0200100D:system library:fopen:Permission denied: error:2006D002:BIO routines:BIO_new_file:system lib
Fri Jun 26 23:00:02 2009 us=809866 Exiting
```

Note: root has rw access to all the files that are complaining.


----------



## anomie (Jul 9, 2009)

Just curious: what user does the openvpn daemon run as?


----------



## DutchDaemon (Jul 9, 2009)

OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).

```
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nobody
```
On the server side, there are these options:

```
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
```
Nothing about accessibility/permissions of log/pid files, but a `/usr/local/etc/rc.d/openvpn restart` works (maybe there's a momentary root escalation in there to handle those problems?).


----------



## woodson2 (Jul 9, 2009)

DutchDaemon said:

> OpenVPN starts as root, and then drops its privileges to nobody:nobody (in the default setup).
> 
> ```
> # Downgrade privileges after initialization (non-Windows only)
> ...

I have both of these options enabled on the server... I guess I could keep root privileges, but of course this is not recommended... hmm.


----------



## SirDice (Jul 10, 2009)

Create a directory /var/log/openvpn and make sure the openvpn user has write access to it. Have openvpn log in that directory.


----------
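Putting DutchDaemon's point about the privilege drop together with SirDice's suggestion, the resulting setup looks like the script below. This is an added example written for this page, not something posted in the thread or shipped with OpenVPN. The daemon user nobody:nobody, the directory /var/log/openvpn, the pid file path and the openvpn.conf location are assumptions; the user and group must match the `user`/`group` directives in your own openvpn.conf.

```shell
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Assumptions: the daemon drops to nobody:nobody as in the default openvpn.conf,
# the log moves to /var/log/openvpn/openvpn.log, and the pid file stays at
# /var/run/openvpn.pid. Override via the environment if your setup differs.
set -eu

OVPN_USER="${OVPN_USER:-nobody}"      # must match "user ..." in openvpn.conf
OVPN_GROUP="${OVPN_GROUP:-nobody}"    # must match "group ..." in openvpn.conf
LOGDIR="${LOGDIR:-/var/log/openvpn}"
LOGFILE="$LOGDIR/openvpn.log"
PIDFILE="${PIDFILE:-/var/run/openvpn.pid}"

# Render one newsyslog.conf(5) line. The owner:group field is the security-
# relevant part: with flag C newsyslog creates the fresh log with that owner,
# so it must be the daemon's post-downgrade user. A root:wheel 600 file (the
# original entry) cannot be reopened by nobody after the SIGHUP newsyslog sends.
newsyslog_entry() {
    logfile=$1; owner=$2; mode=$3; count=$4; when=$5; flags=$6; pidfile=$7
    printf '%s\t%s\t%s\t%s\t*\t%s\t%s\t%s\n' \
        "$logfile" "$owner" "$mode" "$count" "$when" "$flags" "$pidfile"
}

# Return 0 if DIR is a directory owned by USER with the owner-write bit set,
# i.e. USER can create and reopen files in it without root. ls -ld is parsed
# rather than stat(1) because stat's flags differ between FreeBSD and Linux.
logdir_writable_by() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner
    mode=$1; owner=$3
    [ "$owner" = "$user" ] || return 1
    case $mode in
        ??w*) return 0 ;;            # third character is the owner-write bit
        *)    return 1 ;;
    esac
}

# openvpn.conf directives that go with the directory (assumed file names).
# The status file moves too: the first post shows it is also reopened after the
# privilege drop ("cannot open openvpn-status.log for WRITE").
openvpn_directives() {
    printf 'log-append %s/openvpn.log\nstatus %s/openvpn-status.log\n' "$1" "$1"
}

# Apply on the host (needs root). Only runs when invoked as: sh setup.sh apply
apply() {
    mkdir -p "$LOGDIR"
    chown "$OVPN_USER:$OVPN_GROUP" "$LOGDIR"
    chmod 750 "$LOGDIR"              # daemon user rw, its group read, others nothing
    logdir_writable_by "$LOGDIR" "$OVPN_USER" || {
        echo "$LOGDIR is not writable by $OVPN_USER" >&2; exit 1; }
    echo "# add to /usr/local/etc/openvpn/openvpn.conf (assumed location):"
    openvpn_directives "$LOGDIR"
    echo "# add to /etc/newsyslog.conf, replacing the /var/log/openvpn.log line:"
    newsyslog_entry "$LOGFILE" "$OVPN_USER:$OVPN_GROUP" 640 5 '$W5D23' JC "$PIDFILE"
}

if [ "${1:-}" = apply ]; then
    apply
fi
```

Run `sh setup.sh apply` as root on the server; without the argument the script only defines the functions. The `logdir_writable_by` check is the part worth keeping: the original newsyslog entry has the rotated file created as root:wheel with mode 600, and once OpenVPN has dropped to nobody it cannot open such a file, which is consistent with the "cannot open ... for WRITE" lines in the first post. The dh1024.pem permission error in that same log is a separate matter of what the downgraded user can read and is not addressed by moving the log.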

