Ok, so I’ve been searching the web for solutions to this problem with no answers seeming to work for me. Hopefully someone can help me. I’m only trying to configure the OpenVPN Client.
I’m running CrunchBang Linux 3.2.0-4-amd64 Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux and I just switched over to using systemd. The changeover went smoothly enough, but now I can’t get my OpenVPN client to come up using systemd. I’ve tried following these configuration tutorials, but nothing works.
- http://fedoraproject.org/wiki/Openvpn
- http://d.stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
- And looked at a bunch of other different guides.
I can bring up the tunnel from the command line with openvpn /etc/openvpn/vpn.conf, so I know the config file is good; it was working with sysvinit just fine, so I’m not surprised. I then attempt to just do a status with systemctl status openvpn@vpn.service, resulting in:
$ sudo systemctl status openvpn@vpn.service
openvpn@vpn.service
   Loaded: error (Reason: No such file or directory)
   Active: inactive (dead)
I realized that I need to do some setup for services. I want to be prompted for a password so I followed this guide to create an [email protected] in /etc/systemd/system/. But restarting the OpenVPN service still doesn’t prompt for a password.
$ sudo service openvpn restart
[ ok ] Restarting openvpn (via systemctl): openvpn.service.
The Fedora tutorials go through the steps of creating symbolic links, but don’t create any of the .service files in the walk-throughs.
What piece am I missing? Do I need to create an [email protected]? If so, where exactly do I place it? I feel like it shouldn’t be this difficult, but I can’t seem to find any solution that works for me. I’m happy to provide any more information that’s needed.
Solution
-rw-r--r-- 1 root root 319 Aug 7 10:42 openvpn@.service

[Unit]
Description=OpenVPN connection to %i
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target
Symlink:
lrwxrwxrwx 1 root root 36 Aug 7 10:47 openvpn@vpn.service -> /lib/systemd/system/openvpn@.service
Prompt For Password
Everything is working now, except for being prompted for a password to connect. I’ve attempted this solution. I tweaked the file from above just a bit, and added an Expect script like in the example. Working like a charm! My files are below.
Modified lines from the above /lib/systemd/system/openvpn@.service:

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp
Expect script /lib/systemd/system/openvpn_pw.exp. Make sure to do the following:
- chmod +x on the script.
- Have telnet installed.
Code of the expect script:
#!/usr/bin/expect
# Ask for the passphrase through systemd's password agent (shows up on the console during boot)
set pass [exec /bin/systemd-ask-password "Please insert Private Key password: "]
# Connect to the OpenVPN management interface opened by --management localhost 5559
spawn telnet 127.0.0.1 5559
expect "Enter Private Key Password:"
# Management protocol command: password '<type>' <secret>, terminated by CR
send "password 'Private Key' $pass\r"
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
send "exit\r"
expect eof
It should be noted that the above solution does log the password you enter in plaintext in the following logs: /var/log/syslog and /var/log/daemon.log.
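Because the expect/telnet session runs as an ExecStartPost step, everything it types is echoed into the journal and from there into syslog, which is the leak the note above describes. The following is an added example (not part of the original post) that scans a syslog-style file for management-interface "password" commands and reports them with the secret masked, so an administrator can confirm whether a host has leaked a passphrase this way. The log lines are constructed for the example; the host name, PIDs and secrets are made up.

```shell
#!/bin/sh
# Added example: detect OpenVPN management-interface password commands that
# ended up in a syslog-style log file, and show them with the secret redacted.

# count_leaked_passwords FILE -> prints how many lines carry a plaintext
# management "password '<type>' <secret>" command
count_leaked_passwords() {
  grep -c -E "password '[^']+' [^ ]+" "$1"
}

# redact_leaked_passwords FILE -> prints each offending line with the secret
# replaced by [REDACTED], safe to paste into a ticket
redact_leaked_passwords() {
  sed -n -E "s/(password '[^']+' )[^ ]+/\1[REDACTED]/p" "$1"
}

# make_sample_log FILE -> writes a constructed log (not real data) that mimics
# what an expect/telnet ExecStartPost step writes through the journal
make_sample_log() {
  cat > "$1" <<'EOF'
Aug  7 10:50:01 host ovpn-vpn[1234]: OpenVPN 2.3.x starting
Aug  7 10:50:01 host expect[1240]: spawn telnet 127.0.0.1 5559
Aug  7 10:50:01 host expect[1240]: >PASSWORD:Need 'Private Key' password
Aug  7 10:50:02 host expect[1240]: password 'Private Key' hunter2
Aug  7 10:50:02 host expect[1240]: SUCCESS: 'Private Key' password entered, but not yet verified
Aug  7 10:50:10 host ovpn-vpn[1234]: Initialization Sequence Completed
Aug  7 11:02:17 host expect[1301]: password 'Auth' s3cr3t
EOF
}

# Usage on a real system would be: redact_leaked_passwords /var/log/syslog
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  make_sample_log "$tmp"
  echo "leaked password lines: $(count_leaked_passwords "$tmp")"
  redact_leaked_passwords "$tmp"
  rm -f "$tmp"
fi
```

Run the script with `demo` as its argument to see it operate on the constructed log; point `redact_leaked_passwords` at /var/log/syslog or /var/log/daemon.log to check a real host. If it finds hits, the passphrase should be rotated, since log files are usually world-readable or shipped to a central collector.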
Answers:
Method 1
I think the Debian OpenVPN setup with systemd is currently a tad bit broken. To get it to work on my machines I had to:
- Create the directory /etc/systemd/system/[email protected] and place in it a new file with this:
  [Unit]
  Requires=networking.service
  After=networking.service
  I called my file local-after-ifup.conf. It needs to end with .conf. (This is the bit that’s currently a tad bit broken.)
- Create a file in /etc/tmpfiles.d (I called mine local-openvpn.conf) with the contents:
  # Type Path Mode UID GID Age Argument
  d /run/openvpn 0755 root root - -
  This is Debian bug 741938 (fixed in 2.3.3-1).
- Create a symlink into multi-user.target.wants (easiest way is systemctl enable [email protected]_NAME.service). E.g., if you have /etc/openvpn/foo.conf, you’d use [email protected].
- If you also have the SysV init script showing up in systemd, disable it. This is Debian bug 700888 (fixed in 2.3.3-1).
NOTE: 2.3.3-1 or later is not yet in testing, though it is in unstable.
Method 2
This type of unit file is an Instantiated Service – more details are available here
The following is the unit file for openvpn on CentOS 7:
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=syslog.target network.target

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

[Install]
WantedBy=multi-user.target
and it resides as /usr/lib/systemd/system/[email protected]. The %i in the file is replaced with the string after the @ in the unit name.
As the config file is at /etc/openvpn/myopenvpn.conf then the service is started with:
systemctl start openvpn@myopenvpn.service
Method 3
- Place all openvpn *.conf files into /etc/openvpn/.
- Edit /etc/default/openvpn. Uncomment this: AUTOSTART="all"
- Run systemctl daemon-reload.
- Run service openvpn start.
Method 4
You need to create the service file by enabling [email protected]<configuration>.service.
For example, if the configuration file is /etc/openvpn/client.conf, the service name is [email protected].
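Method 2 and Method 4 both rest on the same rule: the text after the @ in the unit name becomes the %i specifier, and the template's ExecStart turns that into /etc/openvpn/%i.conf, so the instance name must match the config file's basename exactly. The script below is an added example, not code from any answer or from the openvpn package; it derives the unit name from a config path and expands %i, %I and %% in a template line the way systemd does. The function and variable names are my own. It covers one subtlety beyond the answers: %I is the unescaped instance name, in which a "-" becomes "/", so a config called my-vpn.conf gives a Description reading "On my/vpn" while the %i-based config path stays /etc/openvpn/my-vpn.conf (\xNN escapes are left to systemd-escape and not handled here).

```shell
#!/bin/sh
# Added example: map an OpenVPN config file to its instantiated unit name and
# expand systemd's %i / %I / %% specifiers in a template line.

# unit_for_config /etc/openvpn/client.conf -> openvpn@client.service
unit_for_config() {
  case "$1" in
    *.conf) ;;
    *) echo "unit_for_config: $1 is not a .conf file" >&2; return 1 ;;
  esac
  name=$(basename "$1" .conf)
  # characters outside this set would have to go through systemd-escape first
  case "$name" in
    *[!A-Za-z0-9_.:-]*) echo "unit_for_config: '$name' needs systemd-escape" >&2; return 1 ;;
  esac
  echo "openvpn@${name}.service"
}

# instance_of openvpn@client.service -> client  (the %i value)
instance_of() {
  u=${1#*@}
  echo "${u%.service}"
}

# expand_specifiers LINE INSTANCE -> LINE with %i, %I and %% replaced,
# single left-to-right pass like systemd; other specifiers are left as-is
expand_specifiers() {
  printf '%s\n' "$1" | awk -v inst="$2" '
    BEGIN { uninst = inst; gsub(/-/, "/", uninst) }   # %I: "-" unescapes to "/"
    {
      out = ""
      n = length($0)
      for (k = 1; k <= n; k++) {
        c = substr($0, k, 1)
        if (c == "%" && k < n) {
          s = substr($0, k + 1, 1); k++
          if (s == "i")      out = out inst
          else if (s == "I") out = out uninst
          else if (s == "%") out = out "%"
          else               out = out "%" s
        } else out = out c
      }
      print out
    }'
}

# Demo: show what the CentOS template lines above become for my-vpn.conf
if [ "${1:-}" = "demo" ]; then
  unit=$(unit_for_config /etc/openvpn/my-vpn.conf)
  inst=$(instance_of "$unit")
  echo "unit: $unit  (instance: $inst)"
  expand_specifiers 'Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I' "$inst"
  expand_specifiers 'ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf' "$inst"
fi
```

Running it with `demo` prints the unit name and the two expanded lines; the ExecStart line is the one to compare against `ls /etc/openvpn` when a unit reports "No such file or directory" as in the question.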
Method 5
The proper solution would be to make use of systemd’s systemd-ask-password / "Password Agents", which provides a systemd built-in way to funnel passwords/passphrases to services.
You’ll need OpenVPN 2.3.0 or newer to do this.
Method 6
The [email protected] has evolved greatly between Debian 8 and 9. The original package for Jessie, for example, fails to systemctl reload [email protected]. To fix these, the Stretch version introduces 10 new directives in the systemd file, including PIDFile= to make reload work again.
For Stretch users, I’d suggest going for the backport, and if not possible to do that, at least get the systemd-file from https://packages.debian.org/jessie-backports/openvpn and extract debian/[email protected] into /etc/systemd/system/[email protected] and enjoy better functionality and security.
Method 7
On a fresh Jessie_8.0.0 installation I did:
- copy the old /etc/openvpn/cluster.conf (plus *.key and *.crt) files from wheezy
- uncommented AUTOSTART="all" in /etc/default/openvpn – I think this had no effect
- /lib/systemd/system-generators/openvpn-generator cluster
- systemctl restart [email protected]
Now the tunnel is up – I will see what will happen after a reboot, but I can’t reboot in this moment
Method 8
I had better luck using openvpn’s --auth-user-pass option to reference a credentials file instead of using the expect script, i.e.:
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --auth-user-pass /etc/openvpn/credentials.txt
where /etc/openvpn/credentials.txt is a text file that has my username on line 1 and my password is on line 2.
Obviously if you can’t store your credentials in plain text this is not a good solution, but it works for my purposes.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.