This forum is for all inquiries relating to the installation of OpenVPN from source and with binaries.
Moderators: TinCanTech
-
etrader
- OpenVpn Newbie
- Posts: 8
- Joined: Sun Jun 05, 2011 3:19 am
by etrader » Sun Jun 05, 2011 3:21 am
I just installed OpenVPN according to the instructions given at
http://directspace.net/eportal/knowledg ... icle&id=10
But when I try to start openvpn, it fails with this error
Code:
~]# service openvpn start
Starting openvpn: /etc/init.d/openvpn: line 169: script_security---script-security 2: command not found
/etc/init.d/openvpn: line 169: script_security---script-security 2: command not found
-
martian111
- OpenVpn Newbie
- Posts: 2
- Joined: Sun Jun 05, 2011 11:08 am
by martian111 » Sun Jun 05, 2011 11:10 am
Hi,
I just ran into this problem when installing the newest version of OpenVPN using RPMForge:
openvpn x86_64 2.2.0-2.el5.rf rpmforge 469 k
The issue is a typo in the /etc/init.d/openvpn file. The following patch fixed this issue for me:
Code:
[root@server openvpn]# diff -u /etc/init.d/openvpn.orig /etc/init.d/openvpn
--- /etc/init.d/openvpn.orig 2011-05-23 15:01:04.000000000 -0600
+++ /etc/init.d/openvpn 2011-06-05 05:04:15.000000000 -0600
@@ -166,7 +166,7 @@
# Handle backward compatibility, see Red Hat Bugzilla ID #458594
script_security=''
if [ -z "$( grep '^[[:space:]]*script-security[[:space:]]' $c )" ]; then
- script_security-"--script-security 2"
+ script_security="--script-security 2"
fi
$openvpn --daemon --writepid $piddir/$bn.pid --config $c --cd $work $script_security
if [ $? = 0 ]; then
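Review bot: With `script_security="--script-security 2"` now assigned correctly, every config that has no script-security line of its own is started at level 2, which permits user-defined scripts; the comment above the block only cites the Bugzilla ID, so state that there and note that a script-security line in the config suppresses this default. Also, `$c` is unquoted in the grep and in `--config $c`, so a config path containing spaces is word-split; quote it as "$c". `$script_security` on the launch line should stay unquoted, since it has to expand to two arguments.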
I'm not sure yet where to post a bug on this... but it's a simple fix at this point...
Hope this helps...
Martin
-
by etrader » Sun Jun 05, 2011 2:52 pm
I edited /etc/init.d/openvpn file by changing the line to
Code:
script_security="--script-security 2"
The error is gone, but still when starting openvpn, it fails.
-
maikcat
- Forum Team
- Posts: 4200
- Joined: Wed Jan 12, 2011 9:23 am
- Location: Athens,Greece
by maikcat » Mon Jun 06, 2011 9:47 am
hi there,
please post openvpn server log if you want someone to help you..
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)
Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)
"objects in mirror are losing"
-
by etrader » Mon Jun 06, 2011 10:24 pm
Sorry for my failure. Where can I find the openvpn server log?
-
by maikcat » Tue Jun 07, 2011 6:38 am
add a log statement inside the server config, e.g.
log /etc/openvpn/server.log
and restart the server
Michael.
-
by etrader » Wed Jun 08, 2011 6:16 am
Thanks Michael. This is what was written into the server log after trying to start openvpn (which is FAILED in ssh)
Code:
Wed Jun 8 10:12:05 2011 OpenVPN 2.2.0 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on May 23 2011
Wed Jun 8 10:12:05 2011 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Wed Jun 8 10:12:05 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Wed Jun 8 10:12:05 2011 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
Wed Jun 8 10:12:05 2011 Exiting
-
by maikcat » Wed Jun 08, 2011 6:58 am
hi there,
>Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
your dh1024.pem file is missing or it is located elsewhere...
when you generated certs, you issued the build-dh command
this command creates the above file.
it would help a lot if you posted the server config file though.
Michael.
-
by etrader » Wed Jun 08, 2011 8:01 am
Actually I did not create certs manually, as I followed the procedure instructed at
http://directspace.net/eportal/knowledg ... icle&id=10
The openvpn.conf is
Code:
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon
log /etc/openvpn/server.log
-
by maikcat » Wed Jun 08, 2011 8:11 am
hi there,
anyway the dh1024.pem file is missing...
i suggest you read the docs and build keys by yourself.
Michael.
-
by etrader » Wed Jun 08, 2011 7:02 pm
Thanks Michael. I created it according to the OpenVPN How-To, and now the openvpn is successfully starting on the server. But I cannot connect to it by OpenVPN GUI from my Windows machine. The icon remains yellow without any error message.
I do not know whether it is still a problem associated with the server, or bad configuration of OpenVPN GUI. How can I verify (test) that OpenVPN on the server is working correctly?
Thank you in advance.
-
by maikcat » Thu Jun 09, 2011 7:28 am
hi there,
for a start you should post your configs here...
and server logs.
Michael.
-
by etrader » Thu Jun 09, 2011 6:04 pm
Thanks for your kind attention. The server config is
Code:
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert etrader.crt
key etrader.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon
log /etc/openvpn/server.log
The config file in C:\Program Files\OpenVPN\config
Code:
remote 69.163.33.111
tls-client
dev tap
ca ca.crt
cert etrader.crt
key etrader.key
ping 10
verb 1
mute 10
comp-lzo
-
by maikcat » Fri Jun 10, 2011 9:14 am
hi there,
remove this
>push "route 10.8.0.0 255.255.255.0"
also change this
>push "redirect-gateway"
to this
push "redirect-gateway def1"
also to your client config
change this
>dev tap
to this
dev tun
ps: i noticed that you are using the SAME certificate for both server/client...
can you post exactly how you built your keys?
Michael
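A pre-flight check for the two problems diagnosed in this thread (the missing dh1024.pem, and the tun/tap mismatch and shared certificate names between the server and client configs), added here as an example and not part of any forum post. The function names, the temporary sample configs and the 192.0.2.10 address are constructed; it assumes unquoted, single-argument directives, and an identical cert/key file name on both sides is treated as a hint of key reuse, not proof.

```sh
#!/bin/sh
# Added example: pre-flight checks for an OpenVPN server/client config pair.
# Function names and sample data are constructed for illustration.

# Print the first argument of directive $2 in config file $1 (empty if absent).
directive() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Report ca/cert/key/dh entries whose file does not exist. Relative paths are
# resolved against $2, the directory the init script passes to --cd.
missing_files() {
    for d in ca cert key dh; do
        f=$(directive "$1" "$d")
        [ -n "$f" ] || continue
        case $f in /*) p=$f ;; *) p=$2/$f ;; esac
        [ -f "$p" ] || echo "$d $f"
    done
}

# Report a tun/tap mismatch and cert/key file names used on both sides.
pair_problems() {
    sdev=$(directive "$1" dev); cdev=$(directive "$2" dev)
    # Compare the device type only, so "tun0" and "tun" count as equal.
    if [ "${sdev%%[0-9]*}" != "${cdev%%[0-9]*}" ]; then
        echo "dev-mismatch $sdev $cdev"
    fi
    for d in cert key; do
        s=$(directive "$1" "$d"); c=$(directive "$2" "$d")
        if [ -n "$s" ] && [ "${s##*/}" = "${c##*/}" ]; then
            echo "shared-$d ${s##*/}"
        fi
    done
}

# Constructed sample: the configs from the thread, reduced to the relevant lines.
demo() {
    t=$(mktemp -d)
    printf '%s\n' 'dev tun' 'ca ca.crt' 'cert etrader.crt' \
        'key etrader.key' 'dh dh1024.pem' > "$t/server.conf"
    printf '%s\n' 'remote 192.0.2.10' 'dev tap' 'ca ca.crt' \
        'cert etrader.crt' 'key etrader.key' > "$t/client.conf"
    touch "$t/ca.crt" "$t/etrader.crt" "$t/etrader.key"  # dh1024.pem left out
    missing_files "$t/server.conf" "$t"
    pair_problems "$t/server.conf" "$t/client.conf"
    rm -rf "$t"
}
demo
```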
-
by etrader » Fri Jun 10, 2011 4:36 pm
Thanks for your patience. It seems I have done something wrong. I copied the crt and key files from the server to my local Windows machine. Should I create a cert on my local machine? I just created a static key file.
-
by maikcat » Mon Jun 13, 2011 8:21 am
hi there,
to create your keys follow the above sequence..
first edit vars file
source it
then do the following
build-ca
build-key-server server <--builds a key named server for use on your openvpn server
build-dh
build-key user01 <--build a key named user for use on your client
to generate static.key file cd into keys dir and type
openvpn --genkey --secret ta.key
replace the names into your configs and try again to connect...
ps: there is a detailed howto in the doc section of the openvpn.net site
Michael.