This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
-
maxburn
- OpenVPN Power User
- Posts: 65
- Joined: Mon Dec 12, 2016 6:07 pm
Post
by maxburn » Sat Nov 11, 2017 1:34 am
Edit: I misstated the issue originally. Present state is VPN clients will not connect after a reboot. I have to SSH into the server and
Code:
sudo systemctl stop openvpn@server
sudo systemctl start openvpn@server
It's like it isn't starting the right config file at first????
Somehow I messed up when installing the service and have two entries. Mostly I followed the DigitalOcean guide but I used some config files from work, which worked fine for me until I messed up and got duplicate services; I don't remember what I did.
Code:
$ sudo systemctl list-unit-files | grep vpn
openvpn.service disabled
openvpn@.service enabled
Before, when I had both services enabled, I was starting with two vtun# connections, which broke all sorts of things, including remote SSH.
I think somehow the errors I get when removing the one I don't want are involved. It's like it starts the one I don't want first anyway.
Code:
$ sudo systemctl disable openvpn
Synchronizing state of openvpn.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install disable openvpn
insserv: warning: current start runlevel(s) (empty) of script `openvpn' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `openvpn' overrides LSB defaults (0 1 6).
insserv: warning: current start runlevel(s) (empty) of script `openvpn' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `openvpn' overrides LSB defaults (0 1 6).
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Sat Nov 11, 2017 12:24 pm
There is a new README.systemd (which is not in the release version yet):
distro/systemd/README.systemd wrote:

OpenVPN and systemd
===================

As of OpenVPN v2.4, upstream is shipping systemd unit files to provide a
fine grained control of each OpenVPN configuration as well as trying to
restrict the capabilities the OpenVPN process have on a system.

Configuration profile types
---------------------------

These new unit files separates between client and server profiles. The
configuration files are kept in separate directories, to provide clarity
of the profile they run under.

Typically the client profile cannot bind to any ports below port 1024
and the client configuration is always started with --nobind.

The server profile is allowed to bind to any ports. In addition it enables
a client status file, usually found in the /run/openvpn-server directory.
The status format is set to version 2 by default. These settings may be
overridden by adding --status and/or --status-version in the OpenVPN
configuration file.

Neither of these profiles makes use of PID files, but OpenVPN reports back to
systemd its PID once it has initialized.

For configuration using a peer-to-peer mode (not using --mode server on one
of the sides) it is recommended to use the client profile.

Configuration files
-------------------

These new unit files expects client configuration files to be made available
in /etc/openvpn/client. Similar for the server configurations, it is expected
to be found in /etc/openvpn/server. The configuration files must have a .conf
file extension.

Managing VPN tunnels
--------------------

Use the normal systemctl tool to start, stop VPN tunnels, as well as enable
and disable tunnels at boot time. The syntax is:

 - client configurations:
   # systemctl $OPER openvpn-client@$CONFIGNAME

 - server configurations:
   # systemctl $OPER openvpn-server@$CONFIGNAME

Similarly, to view the OpenVPN journal log use a similar syntax:

   # journalctl -u openvpn-client@$CONFIGNAME
or
   # journalctl -u openvpn-server@$CONFIGNAME

* Examples

  Say your server configuration is /etc/openvpn/server/tun0.conf, you
  start this VPN service like this:

    # systemctl start openvpn-server@tun0

  A client configuration file in /etc/openvpn/client/corpvpn.conf is
  started like this:

    # systemctl start openvpn-client@corpvpn

  To view the server configuration's journal only listing entries from
  yesterday and until today:

    # journalctl --since yesterday -u openvpn-server@tun0
-
maxburn
- OpenVPN Power User
- Posts: 65
- Joined: Mon Dec 12, 2016 6:07 pm
Post
by maxburn » Sat Nov 11, 2017 3:18 pm
Yes, based on the extra service name I believe I messed up along the lines of "systemctl enable openvpn" and didn't put in the @configname. What I really don't get is with it disabled openvpn does not work after a reboot. Walking through this:
Code:
$ sudo systemctl list-unit-files | grep vpn
[sudo] password for scottjal:
openvpn.service disabled
openvpn@.service disabled
Enable, start and check the one I want:
Code:
$ sudo systemctl enable openvpn@server
Created symlink from /etc/systemd/system/multi-user.target.wants/openvpn@server.service to /lib/systemd/system/openvpn@.service.
$ sudo systemctl start openvpn@server
$ sudo systemctl status openvpn@server
● openvpn@server.service - OpenVPN connection to server
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2017-11-11 10:02:42 EST; 7s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 6834 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exi
Main PID: 6836 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─6836 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: TCPv4_SERVER link remote: [undef]
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: MULTI: multi_init called, r=256 v=256
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: ifconfig_pool_read(), in='client4,10.8.0.4', TODO: IPv6
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: succeeded -> ifconfig_pool_set()
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: IFCONFIG POOL LIST
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: client4,10.8.0.4
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: MULTI: TCP INIT maxclients=1024 maxevents=1028
Nov 11 10:02:42 ubuntuserver ovpn-server[6836]: Initialization Sequence Completed
Nov 11 10:02:42 ubuntuserver systemd[1]: Started OpenVPN connection to server.
At this point I can verify that the VPN works externally through my phone. Other services like SSH, samba shares work etc. BUT if I reboot the server all those things break, SSH won't connect, samba shares won't mount, the VPN will not connect, it's a mess. If I then stop openvpn@server I can SSH again.
Why would this work if I manually start it but not after a reboot with an enabled service?
-
maxburn
- OpenVPN Power User
- Posts: 65
- Joined: Mon Dec 12, 2016 6:07 pm
Post
by maxburn » Sat Nov 11, 2017 3:52 pm
Hope this post gets approved, I think I have it fixed but I would like confirmation this is a good fix.
So if it works when I start it but not the service starting it during boot I was operating on the theory that openvpn was starting too soon, before the network interface was up. (I had this happen with PiHole.) Some searching around found this:
https://unix.stackexchange.com/question ... et-written
I didn't follow that exactly though. Looking in /lib/systemd/system I can see my service openvpn@.service and in that file it has the quoted [unit] section. I simply added these two lines:
Code:
Requires=networking.service
After=networking.service
So now everything appears to be OK after reboot?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Sat Nov 11, 2017 4:24 pm
maxburn wrote: ↑Sat Nov 11, 2017 3:52 pm
Looking in /lib/systemd/system I can see my service openvpn@.service and in that file it has the quoted [unit] section. I simply added these two lines:
I think the preferred way is to put your customisation into a unit file which is located in /etc/systemd/system .. so that future updates do not overwrite your changes.
-
maxburn
- OpenVPN Power User
- Posts: 65
- Joined: Mon Dec 12, 2016 6:07 pm
Post
by maxburn » Sat Nov 11, 2017 5:12 pm
Right, did that following the linked guide. Still seems to work after reboot.
I guess the real question is why isn't this already in the stock config? I'm a complete novice and I've already run into this twice.
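
The customisation discussed in this thread, written as a drop-in under /etc/systemd/system so that package updates to /lib/systemd/system/openvpn@.service do not overwrite it. This is an added example, not part of the original posts; the ROOT prefix argument, the override.conf file name and both function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. A directory named <unit>.d under /etc/systemd/system holds
# drop-in files that systemd merges into the packaged unit; for a template
# unit such as openvpn@.service the drop-in applies to every instance.

# write_openvpn_dropin [ROOT]
# ROOT is a hypothetical prefix so the function can be tried in a scratch
# directory. With no argument it writes to the real /etc (needs root), after
# which "systemctl daemon-reload" makes systemd pick up the change.
write_openvpn_dropin() {
    root=${1:-}
    dir="$root/etc/systemd/system/openvpn@.service.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF' || return 1
[Unit]
Requires=networking.service
After=networking.service
EOF
    printf '%s\n' "$dir/override.conf"
}

# unit_has_dep FILE KEY UNIT
# Return 0 if the [Unit] section of FILE has a KEY= line listing UNIT.
unit_has_dep() {
    awk -v key="$2" -v unit="$3" '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), deps, /[ \t]+/)
            for (i = 1; i <= n; i++) if (deps[i] == unit) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Demonstration in a scratch directory, so nothing on the host is changed.
scratch=$(mktemp -d)
conf=$(write_openvpn_dropin "$scratch")
unit_has_dep "$conf" After networking.service &&
    echo "ordering override written to $conf"
rm -rf "$scratch"
```
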