How to get OpenVPN Systemd working on a self-compiled OpenVPN

Post by houmie75 » Sat Aug 01, 2020 4:02 pm

Hello,

I have compiled OpenVPN 2.4.9 successfully with systemd enabled.

/usr/local/sbin/openvpn --version
OpenVPN 2.4.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 1 2020
library versions: OpenSSL 1.1.1g 21 Apr 2020
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=no enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=no enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

But even after compilation and installation there are no service files to be found under /lib/systemd/system/.
Hence I copied them over from source code like this:

Code:

cp /usr/local/lib/systemd/system/openvpn-server\@.service /lib/systemd/system/

And even then it is not quite in the right shape to be able to get started. So I did some minor modifications:

Code:

[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/local/sbin/openvpn --status /var/log/openvpn/status.log --status-version 2 --suppress-timestamps --config /etc/openvpn/server/server.conf --cd /etc/openvpn/server/
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process
RestartSec=5s
Restart=on-failure

[Install]
WantedBy=multi-user.target

But as soon as I start the service it says active (exited) and I can't find any process either: ps aux | grep openvpn
But if I run it like this on the command line it works:

Code:

/usr/local/sbin/openvpn --status /var/log/openvpn/status.log --status-version 2 --suppress-timestamps --config /etc/openvpn/server/server.conf --cd /etc/openvpn/server/

So how come it doesn't work as a service?
1) I have changed the type from notify to simple and to forking, without any luck.
2) Even though I have set the status log to be recorded here: --status /var/log/openvpn/status.log, nothing gets generated when starting through systemctl.
But when I start it through the command line, despite --status /var/log/openvpn/status.log, it still gets directed to /var/log/openvpn/openvpn-status.log? Why?

Many Thanks,
Houman

Post by TinCanTech » Sat Aug 01, 2020 5:42 pm

Do you realise the next question yet?

Post by houmie75 » Sun Aug 02, 2020 7:08 am

Great news. I actually overcomplicated it. It is much simpler than I thought. There is no need to copy the files around or to change them.

Code:

systemctl start openvpn-server@server.service
systemctl enable openvpn-server@server.service

This creates this symlink:
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service → /usr/local/lib/systemd/system/openvpn-server@.service.
And everything just works after that.

I think I also solved the issue with the --status flag, and why it was ignored.

TinCanTech You probably need to see the server.conf :lol:
So that flag is overridden by the config by the look of it.

Code:

port 1194
proto udp4
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
user nobody
group nogroup
push "redirect-gateway def1 bypass-dhcp"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
duplicate-cn
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so ovpn-0

Thanks,

Post by TinCanTech » Sun Aug 02, 2020 11:22 am

houmie75 wrote (Sun Aug 02, 2020 7:08 am):
You probably need to see the server.conf :lol:
So that flag is overridden by the config by the look of it.

Exactly, whichever directive is parsed last wins.

With the exception of --suppress-timestamps, which, once used, cannot be undone.
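
The parse order discussed in this thread, as an added example (not part of the original posts and not OpenVPN's own code): a simplified Python model that walks the ExecStart arguments in order, reads the config file at the point where --config appears, and lets the last occurrence of a directive win. The function names, the CUMULATIVE set and the trimmed server.conf sample are assumptions made for illustration.

```python
import shlex

# Constructed sample: ExecStart from the thread plus a trimmed copy of its server.conf.
EXEC_START = ("/usr/local/sbin/openvpn --status /var/log/openvpn/status.log "
              "--status-version 2 --suppress-timestamps "
              "--config /etc/openvpn/server/server.conf --cd /etc/openvpn/server/")
SERVER_CONF = """\
push "dhcp-option DNS 1.0.0.1"
push "dhcp-option DNS 1.1.1.1"
status /var/log/openvpn/openvpn-status.log
"""

# Assumption for this model: these directives accumulate; everything else is replaced.
CUMULATIVE = {"push", "plugin"}

def config_options(text):
    """Yield (directive, args) per config line, skipping blanks and # or ; comments."""
    for line in text.splitlines():
        parts = [] if line.lstrip().startswith(";") else shlex.split(line, comments=True)
        if parts:
            yield parts[0], parts[1:]

def cli_options(argv):
    """Group argv into (directive, args); a token starting with -- opens an option."""
    opts = []
    for tok in argv:
        if tok.startswith("--"):
            opts.append((tok[2:], []))
        elif opts:
            opts[-1][1].append(tok)
    return opts

def effective_options(exec_start, configs):
    """Return (effective, history); configs maps a config path to that file's text."""
    effective, history = {}, {}
    def apply(name, args, origin):
        history.setdefault(name, []).append((origin, args))
        if name in CUMULATIVE:
            effective.setdefault(name, []).append(args)
        else:
            # Last occurrence wins. A bare flag such as suppress-timestamps has no
            # "off" form, so once it has been applied nothing later can clear it.
            effective[name] = args
    for name, args in cli_options(shlex.split(exec_start)[1:]):
        if name == "config":  # the file is read at the point --config appears
            for cname, cargs in config_options(configs[args[0]]):
                apply(cname, cargs, args[0])
        else:
            apply(name, args, "command line")
    return effective, history
```

The history mapping records every origin that set a directive, which makes it easy to see which file or argument supplied the value that ended up in effect, for example where the status and log files are really being written.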
