Hello.
I am using an external program to start openvpn (as opposed to typing service openvpn start at console, i.e. my setup does not use init files to start). The script works fine and starts openvpn when executed from the console, but when called from another program (both the other program and openvpn running as root) there are many errors displayed about not being able to write to the stats file, cannot find the ta.key file, etc.
I'm sure this is a permissions problem and openvpn is being very protective although I have both included level 2 for script usage both in the script and the .conf file.
Are there some general scripting rules that must be followed when calling it to start from another script? Please remember, I am not trying to run a script AFTER start, but use the script to actually start openvpn.
Thank you.
errors with external script calling start openvpn
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 15
- Joined: Wed Nov 13, 2013 1:21 am
-
- OpenVpn Newbie
- Posts: 15
- Joined: Wed Nov 13, 2013 1:21 am
Re: errors with external script calling start openvpn
Thank you for replying and I'm glad to see someone has a crystal ball!
I have placed, below here, my server and client configuration.
To wrap up, I am using on the server a program called knockd, which is a listening daemon -- it listens for a special series of tcp "knocks" then runs a command.
The script it calls works perfectly when I run it by hand on the server, said command being:
server openvpn start
The start script contains the following and is located in the /usr/sbin directory where the file for openvpn resides. It is owned by root:
#!/bin/bash
service openvpn start
exit 0
The knockd configuration file which does all the work contains:
[options]
UseSyslog
[startvpn]
sequence = 5000,6000,7000 <------------- a series of knocks on these ports
seq_timeout = 50
command = /usr/sbin/start.sh
tcpflags = syn
It too is owned by root.
The syslog shows:
Nov 21 08:16:01 myipaddress knockd: starting up, listening on eth0
Nov 21 08:16:20 myipaddress knockd: serveripaddress: startvpn: Stage 1
Here are the server and client config files:
Server configuration
local myipaddress
port 443
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 192.168.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
max-clients 100
persist-tun
status openvpn-status.log
verb 3
Client configuration:
client
dev tun
remote server IP address
nobind
user nobody
group nogroup
chroot /someplace/safe
persist-key
persist-tun
ca ca.crt
cert client5.crt
key client5.key
tls-remote server
comp-lzo
verb 3
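Added example, not part of the original posts: the server config above names every file (ca.crt, openvpn-status.log, ipp.txt, ...) by relative path, and OpenVPN resolves those against the working directory of whatever process launched it unless the config or command line pins a directory with `cd`. The sketch below lists such directives so the dependency on the caller's working directory is visible; the directive list is a subset chosen for illustration, and the `tls-auth ta.key 0` line in the sample is an assumption, since the posts mention a ta.key but do not show the directive.

```shell
#!/bin/sh
# Added example: report OpenVPN config directives whose file argument is a
# relative path, i.e. resolved against the launching process's working dir.

# Directives taking a file name as first argument (illustrative subset).
FILE_DIRECTIVES='ca cert key dh tls-auth crl-verify status ifconfig-pool-persist log log-append'

# relative_paths CONFIG -> prints "directive path" for each relative file argument
relative_paths() {
    awk -v list="$FILE_DIRECTIVES" '
        BEGIN { n = split(list, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /^[ \t]*[#;]/ { next }              # skip comment lines
        NF >= 2 && ($1 in want) {
            p = $2
            gsub(/^"|"$/, "", p)            # strip simple quoting
            if (p !~ /^\//) print $1, p     # not absolute => depends on cwd
        }
    ' "$1"
}

# has_cd CONFIG -> succeeds if the config pins its directory with "cd /abs/path"
has_cd() {
    grep -Eq '^[[:space:]]*cd[[:space:]]+/' "$1"
}

# Constructed sample: file-bearing lines from the posted server config,
# plus an assumed tls-auth line (not shown in the posts).
make_sample() {
    cat > "$1" <<'EOF'
port 443
proto tcp
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
ifconfig-pool-persist ipp.txt
status openvpn-status.log
verb 3
EOF
}

if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && make_sample "$f"
    relative_paths "$f"
    has_cd "$f" || echo "no 'cd' directive: paths depend on the caller's cwd"
    rm -f "$f"
fi
```

Run with `--demo` to see the report for the constructed sample, or call `relative_paths /path/to/server.conf` on a real config.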
-
- OpenVpn Newbie
- Posts: 15
- Joined: Wed Nov 13, 2013 1:21 am
Re: errors with external script calling start openvpn
Thank you for the suggestion. I did try that and then thought, wait a minute, the openvpn is not even on when I use knockd. The purpose of knockd is to turn it on. Also, I'm not connecting with the client anyway so why would the settings in the client have bearing on how the server starts up?
Nevertheless I changed the settings in the client and no joy. I had thought of this before, too, and also turned off the nobody and nogroup in the server as well, no joy.
I do have a ta key, just didn't mention it in the post.
Thank you.
-
- OpenVpn Newbie
- Posts: 15
- Joined: Wed Nov 13, 2013 1:21 am
Re: errors with external script calling start openvpn
Pardon me, but what's the relevance of knowing if a client has a ta key in this situation?
The openvpn server is not running on the server -- the whole purpose of this exercise is to turn it on. It doesn't even get that far. So why would examining the client, which is remote to the server, be in any way related to solving this issue, which is about running a program on the server, not the client machine?
It is possible to turn on an openvpn server without first firing up clients, I believe.
-
- OpenVpn Newbie
- Posts: 15
- Joined: Wed Nov 13, 2013 1:21 am
Re: errors with external script calling start openvpn
Despite many posts about openvpn interacting with scripts and other triggers outside the purview of openvpn, I guess that overall attitude explains why there are so many unanswered posts on this forum. That despite this forum title of Scripting and Customizations.
I think people are taking their questions elsewhere, which is what I shall do, too.