Could you please attach your configuration file? I tried this with PSKs, and it works for me as well:
-rw------- 1 martin martin 636 2008-05-14 12:00 key
(not accessible to nobody/nogroup)
----- vpn-tick-psk.conf -----
remote tick.local
dev tun
ifconfig 10.99.0.1 10.99.0.2
user nobody
group nogroup
secret /home/martin/key
--------------------------------------
$ sudo openvpn --config vpn-tick-psk.conf
[...]
Wed May 14 12:02:21 2008 /usr/sbin/openvpn-vulnkey -q /home/martin/key
Wed May 14 12:02:21 2008 TUN/TAP device tun0 opened
Wed May 14 12:02:21 2008 ifconfig tun0 10.99.0.1 pointopoint 10.99.0.2 mtu 1500
Wed May 14 12:02:21 2008 GID set to nogroup
Wed May 14 12:02:21 2008 UID set to nobody
[...]
So for this configuration, the key is checked before dropping privileges.