I am using a Linux OS with Grsecurity, on which I have OpenVPN installed as a client, which connects to a server on the Internet. This OS has two functions: one is to connect to the OpenVPN server and the other is to share its VPN connection to a private network, to which it is also attached. I want the security high, obviously, so that any kind of malice possibly coming from the server gets stopped dead on the OS by Grsecurity.
I added the functionality for sysctl option "socket_client_gid" and for sysctl option "socket_server_gid" on the kernel, but I have yet to make use of them. I would like a clarification on one issue. In this OpenVPN client I have configured the program to start up with admin rights using sudo and then to drop its rights to a user with no privileges immediately after running the startup scripts, which initially need privileges to set up routing, etc. Again, the user who starts the OpenVPN script routine is not root, but uses sudo for the privilege, and, as far as I am aware, just before the connection takes place, the program drops rights to a "nobody" user, who has no privilege, and it then establishes a connection.
Is there a way to use one of these sysctl options to further restrict the possibility of this user from running a server program or from connecting to another host, other than this one connection needed for the OpenVPN server? Which user should have this restriction if possible? I would like to button this down as tight as it can get. Thanks.
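Added example, not from the original post: a sysctl.d fragment that applies grsecurity's `socket_server`/`socket_client` restrictions to one dedicated group (name `vpn-nosock` is an assumption) rather than to `nobody`'s group, so other processes running as `nobody` are unaffected, plus a checker that reads the live `kernel.grsecurity.*` values. It assumes OpenVPN is told to drop into that group with its `group` option; whether OpenVPN's tunnel socket is already connected at the moment of the privilege drop decides whether the client restriction also blocks its reconnects, so verify a reconnect after applying.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes grsecurity's
# kernel.grsecurity.socket_{server,client}{,_gid} sysctls and a
# hypothetical dedicated group "vpn-nosock" that only the post-drop
# OpenVPN process is a member of.

RESTRICTED_GROUP="vpn-nosock"   # hypothetical group name

# Emit the sysctl.d fragment for a numeric GID: members of that group may
# neither bind server sockets nor open client connections.
grsec_socket_fragment() {
    gid="$1"
    printf '%s\n' \
        "kernel.grsecurity.socket_server = 1" \
        "kernel.grsecurity.socket_server_gid = $gid" \
        "kernel.grsecurity.socket_client = 1" \
        "kernel.grsecurity.socket_client_gid = $gid"
}

# Given sysctl output ("name = value" per line, e.g. from
# `sysctl kernel.grsecurity`) and a GID, print "ok" when both restrictions
# are enabled and bound to that GID; otherwise name the first one missing.
grsec_socket_check() {
    out="$1"
    gid="$2"
    for key in socket_server socket_client; do
        enabled=$(printf '%s\n' "$out" | awk -v k="kernel.grsecurity.$key" '$1==k {print $3}')
        bound=$(printf '%s\n' "$out" | awk -v k="kernel.grsecurity.${key}_gid" '$1==k {print $3}')
        [ "$enabled" = "1" ] && [ "$bound" = "$gid" ] || { echo "missing $key"; return 1; }
    done
    echo ok
}

# Root-only apply path: create the group, write the fragment, load it, and
# re-read the live values. Not called at top level; run it by hand as root.
grsec_socket_apply() {
    groupadd -f "$RESTRICTED_GROUP"
    gid=$(getent group "$RESTRICTED_GROUP" | cut -d: -f3)
    grsec_socket_fragment "$gid" > /etc/sysctl.d/60-grsec-sockets.conf
    sysctl -p /etc/sysctl.d/60-grsec-sockets.conf
    grsec_socket_check "$(sysctl kernel.grsecurity 2>/dev/null)" "$gid"
}
```

Once `grsec_lock` is set the values can no longer be changed at runtime, so run the checker before locking.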