30

Ok, so I've been searching the web for solutions to this problem with no answers seeming to work for me. Hopefully someone can help me. I'm only trying to configure the OpenVPN Client.

I'm running CrunchBang Linux 3.2.0-4-amd64 Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux and I just switched over to using systemd. The changeover went smoothly enough, but now I can't get my OpenVPN client to come up using systemd. I've tried following these configuration tutorials, but nothing works.

I can bring up the tunnel from the command line with openvpn /etc/openvpn/vpn.conf, so I know the config file is good; it was working with sysvinit just fine, so I'm not surprised. I then attempt to just check the status with systemctl status openvpn@vpn.service, resulting in:

$ sudo systemctl status openvpn@vpn.service
  openvpn@vpn.service
Loaded: error (Reason: No such file or directory)
Active: inactive (dead)

I realized that I need to do some setup for services. I want to be prompted for a password so I followed this guide to create an openvpn@.service in /etc/systemd/system/. But restarting the OpenVPN service still doesn't prompt for a password.

$ sudo service openvpn restart
[ ok ] Restarting openvpn (via systemctl): openvpn.service.

The Fedora tutorials go through the steps of creating symbolic links, but don't create any of the .service files in the walk-throughs.

What piece am I missing? Do I need to create an openvpn@vpn.service? If so, where exactly do I place it? I feel like it shouldn't be this difficult, but I can't seem to find any solution that works for me. I'm happy to provide any more information that's needed.

Solution

-rw-r--r--  1 root root   319 Aug  7 10:42 openvpn@.service

[Unit]
Description=OpenVPN connection to %i
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

Symlink:

lrwxrwxrwx  1 root root   36 Aug  7 10:47 openvpn@vpn.service -> /lib/systemd/system/openvpn@.service

Prompt For Password

Everything is working now, except for being prompted for a password to connect. I've attempted this solution. I tweaked the file from above just a bit, and added an Expect script like in the example. Working like a charm! My files are below.

Modified lines from the above /lib/systemd/system/openvpn@.service:

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp

Expect script /lib/systemd/system/openvpn_pw.exp. Make sure to do the following:

  • chmod +x on the script.
  • Have telnet installed.

Code of the expect script:

#!/usr/bin/expect
set pass [exec /bin/systemd-ask-password "Please insert Private Key password: "]

spawn telnet 127.0.0.1 5559
expect "Enter Private Key Password:"
send "password 'Private Key' $pass\r"
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
send "exit\r"
expect eof

It should be noted that the above solution logs the password you enter in plaintext in /var/log/syslog and /var/log/daemon.log.

tshepang
  • 65,642
RoraΖ
  • 443
  • What does the openvpn@.service file look like? – Cristian Ciupitu Aug 07 '14 at 14:11
  • Updated the post with the current error – RoraΖ Aug 07 '14 at 15:10
  • Look in /var/log/{syslog,daemon.log} and journalctl -b -m to find why OpenVPN exited. One of those places should contain the real error messages. (Or even journalctl -b -m _EXE=/usr/sbin/openvpn should give just OpenVPN messages). – derobert Aug 07 '14 at 15:10
  • Yep, I was getting there. We're hitting the password problem. I'll try this solution for it: https://bbs.archlinux.org/viewtopic.php?id=150440 Thanks for all your help! – RoraΖ Aug 07 '14 at 15:14
  • just for the record: copying the systemd script under /etc/systemd/system makes the changes permanent. If you change the script directly under /lib/systemd/system, this is going to be overwritten at some point by a package update. – Lethargos Apr 19 '21 at 11:14

8 Answers

14

I think the Debian OpenVPN setup with systemd is currently a tad bit broken. To get it to work on my machines I had to:

  1. Create /etc/systemd/system/openvpn@.service.d (the directory), and place in it a new file with this:

    [Unit]
    Requires=networking.service
    After=networking.service

    I called my file local-after-ifup.conf. It needs to end with .conf. (This is the bit that's currently a tad bit broken.)

  2. Create a file in /etc/tmpfiles.d (I called mine local-openvpn.conf) with the contents:

    # Type Path         Mode UID  GID  Age Argument
    d      /run/openvpn 0755 root root  -  -

    This is Debian bug 741938 (fixed in 2.3.3-1).

  3. Create a symlink into multi-user.target.wants (the easiest way is systemctl enable openvpn@CONF_NAME.service). E.g., if you have /etc/openvpn/foo.conf, you'd use openvpn@foo.service.

  4. If you also have the SysV init script showing up in systemd, disable it. This is Debian bug 700888 (fixed in 2.3.3-1).

NOTE: 2.3.3-1 or later is not yet in testing, though it is in unstable.

derobert
  • 109,670
  • systemctl enable still fails saying no such file or directory. I don't see any sysv init scripts in /lib/systemd, unless it's systemd-initctl? – RoraΖ Aug 07 '14 at 14:28
  • @raz The SysV script would be /etc/init.d/openvpn; systemd by default runs those just like sysv init would. That's the openvpn.service you have; you need to disable it (systemctl disable). Does the file /lib/systemd/system/openvpn@.service exist on your system? – derobert Aug 07 '14 at 14:31
  • @raz If you have that file, you can try a manual ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@vpn.service – derobert Aug 07 '14 at 14:32
  • I don't have that file but I'm sure I could create it. I disabled the /etc/init.d/openvpn script. – RoraΖ Aug 07 '14 at 14:36
  • @raz I'm not sure if Crunchbang has a backport of a newer OpenVPN package with it, but if not, you can grab that script from http://sources.debian.net/src/openvpn/2.3.3-1/debian/openvpn%40.service – derobert Aug 07 '14 at 14:40
  • @raz Also, I noticed I'd forgotten a step, please see the new number two. Beware that OpenVPN before 2.3.2-8 wasn't compiled with systemd support, so e.g., asking for passwords may not work. – derobert Aug 07 '14 at 14:44
  • I did see the update! I've done everything, updated the post with what I've got file wise. I have a different error now! – RoraΖ Aug 07 '14 at 15:06
  • And yes it is still broken 2 years later. – Luciano Andress Martini Nov 30 '16 at 16:14
  • Thanks a lot for that explanation. Encountered recently in Debian 9.0 Stretch, fresh install, with its stock OpenVPN 2.4.0. As I found myself facing this issue, I'd actually been trying to wrap my mind around the Systemd "unit scripts" for some time (to hook something I'd normally put in rc.sysinit or rc.local). Apart from solving my OpenVPN vs. Systemd issue, your instructions have explained a lot, pointed me to further reading and taught me how to configure systemd on my own. I suspect that the maintainer keeps the bug in, to elucidate admins on what Systemd has to offer in Debian. – frr Aug 16 '17 at 14:40
  • I actually have some fond past experience with OpenVPN. I previously compiled my own from source, and had my own approach on how to hook up multiple instances of the OpenVPN service into SysV init (using a mother script that would launch children). I know exactly what this (slightly broken) setup in Debian is aiming to achieve, and it is my goal exactly. Now my ages old multi-instance OpenVPN config plays well with the standard Debianese setup of OpenVPN. Kudos, have an upvote :-) – frr Aug 16 '17 at 14:45
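A small POSIX shell helper, added here as an example (it is not derobert's or Debian's code), that writes the two workaround files from steps 1 and 2 under a chosen root directory and preflights an instance before you run systemctl enable. The root-directory parameter and the function names are my own assumptions; passing a scratch directory as the root lets you dry-run it without touching /etc.

```shell
#!/bin/sh
# Added example: derive the openvpn@ instance name from a config path,
# write the drop-in and tmpfiles.d snippets from the answer under ROOT,
# and preflight the instance. ROOT is an assumption of this example:
# use "/" (as root) for the live system, or a scratch directory to dry-run.

# /etc/openvpn/vpn.conf -> openvpn@vpn.service; reject names that would
# need systemd escaping, since the answer's steps assume a plain name.
unit_for_conf() {
  name=$(basename "$1" .conf)
  case "$name" in
    ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
  esac
  printf 'openvpn@%s.service\n' "$name"
}

# Step 1 (drop-in, must end in .conf) and step 2 (tmpfiles.d entry).
install_workarounds() {
  root=$1
  dropin="$root/etc/systemd/system/openvpn@.service.d"
  mkdir -p "$dropin" "$root/etc/tmpfiles.d" || return 1
  printf '[Unit]\nRequires=networking.service\nAfter=networking.service\n' \
    > "$dropin/local-after-ifup.conf"
  printf '# Type Path         Mode UID  GID  Age Argument\n' \
    > "$root/etc/tmpfiles.d/local-openvpn.conf"
  printf 'd      /run/openvpn 0755 root root  -  -\n' \
    >> "$root/etc/tmpfiles.d/local-openvpn.conf"
}

# Preflight: the config exists, a template unit exists, every drop-in ends
# in .conf (otherwise systemd silently ignores it), and the tmpfiles entry
# for /run/openvpn is present. Prints the unit name on success.
check_instance() {
  root=$1
  unit=$(unit_for_conf "$2") || { echo "bad config name: $2" >&2; return 1; }
  name=${unit#openvpn@}; name=${name%.service}
  [ -f "$root/etc/openvpn/$name.conf" ] || { echo "missing $name.conf" >&2; return 1; }
  [ -f "$root/lib/systemd/system/openvpn@.service" ] ||
    [ -f "$root/etc/systemd/system/openvpn@.service" ] ||
    { echo "no openvpn@.service template" >&2; return 1; }
  for f in "$root"/etc/systemd/system/openvpn@.service.d/*; do
    [ -e "$f" ] || continue
    case "$f" in *.conf) ;; *) echo "ignored drop-in: $f" >&2; return 1 ;; esac
  done
  grep -qs '^d[[:space:]]*/run/openvpn' "$root"/etc/tmpfiles.d/*.conf ||
    { echo "no tmpfiles.d entry for /run/openvpn" >&2; return 1; }
  echo "$unit"
}
```

After a successful preflight against the live system, run systemd-tmpfiles --create and systemctl daemon-reload before systemctl enable on the printed unit name.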
12

This type of unit file is an Instantiated Service - more details are available here

The following is the unit file for openvpn on CentOS 7:

[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=syslog.target network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target

and it resides as /usr/lib/systemd/system/openvpn@.service. The %i in the file is replaced with the string after the @ in the unit name.

As the config file is at /etc/openvpn/myopenvpn.conf then the service is started with:

systemctl start openvpn@myopenvpn.service

garethTheRed
  • 33,957
8

You need to create the service file by enabling openvpn@<configuration>.service.

For example, if the configuration file is /etc/openvpn/client.conf, the service name is openvpn@client.service.

From the Arch Wiki

Karel
  • 1,468
8

  1. Place all openvpn *.conf files into /etc/openvpn/.
  2. Edit /etc/default/openvpn. Uncomment this:

    AUTOSTART="all"
    
  3. Run systemctl daemon-reload.

  4. Run service openvpn start.

Joost
  • 163
  • 4
  • I think they used this as a solution, because now it is even worse in Debian 9: openvpn does not restart if an error occurs, which is very stupid... Does someone know a solution or workaround? I am writing a script to verify if openvpn is still running! – Luciano Andress Martini Nov 23 '17 at 18:10
  • This was perfect. it would start and stop even though I called it the obvious client.conf, now with this my single config just runs. Thanks! – Mitchell Currie Feb 06 '19 at 04:14
  • /etc/default/openvpn is still there but Debian 10 and its derivatives do not appear to use it - /usr/lib/systemd/system/openvpn.service is now a oneshot service that just runs /bin/true (for backwards compatibility?). The answers stating systemctl enable openvpn@conffile.service work. – bain Jan 03 '21 at 21:02
1

The proper solution would be to make use of systemd's systemd-ask-password/"Password Agents", which provide a systemd built-in way to funnel passwords/passphrases to services.

You'll need OpenVPN 2.3.0 or newer to do this.

Elias Probst
  • 1,053
1

The openvpn@.service has evolved greatly between Debian 8 and 9. The original package for Jessie, for example, fails to systemctl reload openvpn@. To fix these, the Stretch version introduces 10 new directives in the systemd file, including PIDFile= to make reload work again.

For Stretch users, I'd suggest going for the backport, and if not possible to do that, at least get the systemd-file from https://packages.debian.org/jessie-backports/openvpn and extract debian/openvpn@.service into /etc/systemd/system/openvpn@.service and enjoy better functionality and security.

0

On a fresh Jessie_8.0.0 installation I did:

  1. copy the old /etc/openvpn/cluster.conf (plus *.key and *.crt) files from wheezy
  2. uncommented AUTOSTART="all" in /etc/default/openvpn - I think this had no effect
  3. /lib/systemd/system-generators/openvpn-generator cluster
  4. systemctl restart openvpn@cluster.service

Now the tunnel is up - I will see what happens after a reboot, but I can't reboot at the moment.

Kevdog777
  • 3,224
Peter
  • 1
0

I had better luck using openvpn's --auth-user-pass option to reference a config file instead of using the expect script, i.e.:

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --auth-user-pass /etc/openvpn/credentials.txt

where /etc/openvpn/credentials.txt is a text file that has my username on line 1 and my password on line 2.

Obviously if you can't store your credentials in plain text this is not a good solution, but it works for my purposes.
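A check for the plaintext credentials file this answer relies on, added as an example (not the answer's own code): it confirms the file is readable only by its owner, is owned by the expected user (root by default, since the unit above runs openvpn as root), and holds the two non-empty lines --auth-user-pass expects. The function name and the optional owner argument are my own assumptions.

```shell
#!/bin/sh
# Added example: sanity-check an --auth-user-pass credentials file before
# referencing it from ExecStart. Arguments: path, and optionally the user
# expected to own it (assumed to be root, which the unit above runs as).
check_auth_file() {
  f=$1; owner=${2:-root}
  [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
  # ls -l is portable where stat(1) flags are not; field 1 is the mode
  # string, field 3 the owner name. A trailing '.' (SELinux label) is
  # harmless; a trailing '+' means an ACL may widen access, so it fails.
  set -- $(ls -ld "$f")
  mode=${1%.}; have_owner=$3
  case "$mode" in
    ?rw-------|?r--------) ;;
    *) echo "$f: mode $mode exposes credentials to group/other" >&2; return 1 ;;
  esac
  [ "$have_owner" = "$owner" ] ||
    { echo "$f: owned by $have_owner, expected $owner" >&2; return 1; }
  # --auth-user-pass reads the username from line 1 and the password from
  # line 2; awk's NR also counts a last line without a trailing newline.
  lines=$(awk 'END { print NR }' "$f")
  [ "$lines" -eq 2 ] || { echo "$f: expected 2 lines, got $lines" >&2; return 1; }
  [ -n "$(sed -n 1p "$f")" ] && [ -n "$(sed -n 2p "$f")" ] ||
    { echo "$f: empty username or password line" >&2; return 1; }
  return 0
}
```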