I followed the OpenWrt instructions and installed OpenVPN on the latest OpenWrt 21.02.1
The client config and server conf files both have these lines at the top:
user nobody
group nogroup
dev tun
..
..
I installed the OpenVPN for Android app on my Android phone. When entering the client config file... am I supposed to comment out or delete the first two lines since there is no user called: nobody and no group called nogroup in my Android. At least I didn't see anything in /etc/group and /etc/passwd.
OK I actually got it to work by commenting out those lines but what am I missing out on by commenting them out? Is there a way to obtain the benefit of running as user "nobody" and group "nogroup" when connecting to OpenVPN server on OpenWrt from an Android phone?
I am using the OpenVPN for Android app on a Pixel4a that is not rooted. On the link you provided to the OpenVPN manual it states:
--user user Change the user ID of the OpenVPN process to user after initialization, dropping privileges in the process. This option is useful to protect the system in the event that some hostile party was able to gain control of an OpenVPN session.
When I open Termux in the phone and try commands like ps, top, htop, pstree I am unable to see what user is running the OpenVPN for Android app process. Maybe that is because my phone is not rooted.
On the OpenVPN server side I run this command and get that result:
root@OPENWRT:~# ps | grep openvpn
10831 root 1228 S grep openvpn
31966 root 5256 S /usr/sbin/openvpn --syslog openvpn(server) --status /var/run/openv
This just tells me that OpenVPN server is being run as the root user.
I wonder is there a way for me to check if the OpenVPN connection from my phone is being run as an unpriviledged user or as root user.
Do you have many users on your phone to begin with that doesn’t have “admin” privileges?
But it doesn’t really matter because the VPN tunnel doesn’t care about what happens in the client and server. And the client and server doesn’t care what happens in the tunnel.
It is three separate systems where the client and server send data to each other. The VPN service only manages the scrambling of the data between the client and server.
It feels that it is more of a phone support question than OpenVPN or OpenWRT question.
That app ignores the OpenVPN --user and --group options and it runs as an unpriviledged user which can be confirmed by installing Android Debug Bridge (ADB) on a computer to which the phone is attached via USB cable. Then run commands such as these: