I am setting up a site-to-site VPN, so I've set up a service on a Debian box which starts on boot. But after some time (~1h) my tunnel disappears. So after digging around in the logs I found that it complains about auth from stdin, but my config has a password in it.
OpenVPN version:
OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Nov 12 2015
May 18 12:38:39 vpn-hostname ovpn-client[3185]: ERROR: could not read Auth username from stdin
May 18 12:38:39 vpn-hostname ovpn-client[3185]: Exiting due to fatal error
May 18 12:38:39 vpn-hostname ovpn-client[3185]: /sbin/ip addr del dev tun0 192.168.61.3/24
May 18 12:38:39 vpn-hostname systemd[1]: openvpn@client.service: main process exited, code=exited, status=1/FAILURE
May 18 12:38:39 vpn-hostname systemd[1]: Unit openvpn@client.service entered failed state.
My configuration, exported from pfSense (public domain redacted). pfsense-auth is a file with user/password; it works the first time and should be OK. I can restart the openvpn service and it works again for about 1h.
Client
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
auth-user-pass pfsense-auth
auth-nocache
remote my-redacted-vpn.com 1194 udp
lport 0
verify-x509-name "my-redacted-vpn.com" name
pkcs12 pfSense-udp-1194-scaleway1.my-redacted-vpn.com.p12
tls-auth pfSense-udp-1194-scaleway1.my-redacted-vpn.com-tls.key 1
ns-cert-type server
That makes sense, but it doesn't seem to work. I've added the config option "auth-retry nointeract", which should reread the username/password from the given file. But my connection seems to keep dropping on reauth. I tried rebooting the server, which didn't help either. Maybe the option order is incorrect?
Updated configuration:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
auth-user-pass pfsense-auth
auth-retry nointeract
auth-nocache
remote vpn.my-redacted-domain.com 1194 udp
lport 0
verify-x509-name "vpn.my-redacted-domain.com" name
pkcs12 pfSense-udp-1194-scaleway1.my-redacted-domain.com.p12
tls-auth pfSense-udp-1194-scaleway1.my-redacted-domain.com-tls.key 1
ns-cert-type server
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: UDPv4 link local (bound): [undef]
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: UDPv4 link remote: [AF_INET]1.2.3.4:1194
May 19 14:10:19 scw-f1e4c6 ovpn-client[3165]: [my-redacted-domain.com] Peer Connection Initiated with [AF_INET]1.2.3.4:1194
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: TUN/TAP device tun0 opened
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: /sbin/ip link set dev tun0 up mtu 1500
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: /sbin/ip addr add dev tun0 192.168.61.3/24 broadcast 192.168.61.255
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: Initialization Sequence Completed
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: ERROR: could not read Auth username from stdin
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: Exiting due to fatal error
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: /sbin/ip addr del dev tun0 192.168.61.3/24
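The updated configuration and the journal excerpt above show the pattern that matters here: auth-user-pass pointing at a file together with auth-nocache, and the failure landing roughly one hour after "Initialization Sequence Completed". The OpenVPN manual documents auth-nocache as making the client forget the username/password right after use and ask for them again on stdin whenever it needs them, and the default TLS renegotiation interval (reneg-sec) is 3600 seconds. The script below, an added example that is not code from the question or from the OpenVPN project, lints a client config for that combination and measures the time from initialisation to the stdin error in the log; the function names (parse_config, lint_auth_options, seconds_to_stdin_error, matches_renegotiation) and the embedded sample config and log lines are my own construction, copied from the post.

```python
import re
from datetime import datetime

# Constructed sample input: the updated client config posted in the question.
SAMPLE_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
auth-user-pass pfsense-auth
auth-retry nointeract
auth-nocache
remote vpn.my-redacted-domain.com 1194 udp
lport 0
verify-x509-name "vpn.my-redacted-domain.com" name
pkcs12 pfSense-udp-1194-scaleway1.my-redacted-domain.com.p12
tls-auth pfSense-udp-1194-scaleway1.my-redacted-domain.com-tls.key 1
ns-cert-type server
"""

# Constructed sample input: the journal lines from the question that matter here.
SAMPLE_LOG = """\
May 19 14:10:21 scw-f1e4c6 ovpn-client[3165]: Initialization Sequence Completed
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: ERROR: could not read Auth username from stdin
May 19 15:11:49 scw-f1e4c6 ovpn-client[3165]: Exiting due to fatal error
"""

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default --reneg-sec (TLS renegotiation interval)
SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_config(text):
    """Parse an OpenVPN config into {option: [args]}; '#' and ';' start comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def lint_auth_options(opts):
    """Return a list of findings about credential handling (empty = nothing flagged)."""
    findings = []
    aup = opts.get("auth-user-pass")
    if aup is None:
        return findings
    if not aup:
        findings.append("auth-user-pass has no file argument: credentials come from stdin")
    elif "auth-nocache" in opts:
        reneg = int(opts["reneg-sec"][0]) if opts.get("reneg-sec") else DEFAULT_RENEG_SEC
        findings.append(
            f"auth-nocache forgets the credentials read from '{aup[0]}' after use, "
            f"so at TLS renegotiation (every {reneg}s) OpenVPN asks stdin again; "
            f"a systemd service has no terminal, so the session dies"
        )
    return findings


def _ts(line):
    """Extract the syslog timestamp (no year; fine for deltas within one day)."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def seconds_to_stdin_error(log):
    """Seconds from 'Initialization Sequence Completed' to the stdin auth error, or None."""
    started = None
    for line in log.splitlines():
        if "Initialization Sequence Completed" in line:
            started = _ts(line)
        elif "could not read Auth username from stdin" in line and started:
            return int((_ts(line) - started).total_seconds())
    return None


def matches_renegotiation(delta, reneg_sec=DEFAULT_RENEG_SEC, slack=300):
    """True if the failure landed within `slack` seconds after a reneg-sec boundary."""
    return delta is not None and reneg_sec <= delta <= reneg_sec + slack


if __name__ == "__main__":
    for finding in lint_auth_options(parse_config(SAMPLE_CONFIG)):
        print("finding:", finding)
    delta = seconds_to_stdin_error(SAMPLE_LOG)
    print(f"init -> stdin error: {delta}s, renegotiation-shaped: {matches_renegotiation(delta)}")
```

The sample log gives 3688 seconds between initialisation and the error, which is the 3600-second renegotiation plus handshake time, so the failure is periodic rather than a network drop. The trade-off to keep in mind is that auth-nocache exists to keep the password out of the process's memory; an unattended client that must survive renegotiation without a terminal cannot have both that property and a credentials file it reads only once.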
I am using the standard openvpn installation on CentOS 7 with the systemd-provided openvpn service, so I'm not sure about privileges. Will try an absolute path. The link you provided seems to be an Ubuntu/Debian repository; I could try building the latest version from source if that's not too difficult.
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.
[Unit]
Description=OpenVPN service
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn
[Install]
WantedBy=multi-user.target
Just tried passing the pkcs12 and tls-auth options using absolute paths (previously tried adding an absolute path to auth-user-pass), which didn't help either.
It takes an hour to debug it, so it's quite a slow process. Next I'm trying to launch openvpn --config client.conf to rule out whether it's the service or the configuration that is the problem.