Server Config
local mydomain.com
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN subdomain.mydomain.com"
push "dhcp-option DNS 192.168.157.149"
push "block-outside-dns"
push "route 192.168.157.149 255.255.255.0"
push "route 0.0.0.0 192.0.0.0 net_gateway"
push "route 64.0.0.0 192.0.0.0 net_gateway"
push "route 128.0.0.0 192.0.0.0 net_gateway"
push "route 192.0.0.0 192.0.0.0 net_gateway"
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DOMAIN subdomain.mydomain.com"
push "dhcp-option DNS 192.168.157.149"
push "block-outside-dns"
push "route 192.168.157.149 255.255.255.0"
push "route 0.0.0.0 192.0.0.0 net_gateway"
push "route 64.0.0.0 192.0.0.0 net_gateway"
push "route 128.0.0.0 192.0.0.0 net_gateway"
push "route 192.0.0.0 192.0.0.0 net_gateway"
push "route 10.0.0.0 255.255.255.0"
push "route 10.1.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify
I wanted to enable use of same client with different usernames. So I edited the config and added the below lines in the server.conf file
Server Config Additions
script-security 2 # must be at least 2
auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate
auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
username-as-common-name # without this openvpn will use cn in the certificate as username
duplicate-cn # you may need this if everyone is using same certificate
With this (above) additions in the config, openvpn server refuses to start.
To debug, I commented the above lines and uncommented one by one. So now I can pin point that the line
Code: Select all
auth-user-pass-verify /home/forge/scripts/checkUser.sh via-file
There was no clue on why it is failing in the
Code: Select all
systemctl status
Code: Select all
journalctl -xe
Code: Select all
checkUser.sh
Code: Select all
status-server.log
Though ```sudo systemctl start openvpn-server``` fails, running openvpn directly works: ```sudo openvpn --config /etc/openvpn/server/server.conf```!!!
This is how ```/lib/systemd/system/openvpn-server@.service``` looks:
Code: Select all
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure
[Install]
WantedBy=multi-user.target