openvpn[]: Options error: In [CMD-LINE]:1: Error opening configuration file
Solution 1
You might want to run
fixfiles -R openvpn restore
An ls -alZ should give you something like this (showing your files are in the correct SELinux context now):
[root@server openvpn]# ls -alZ /etc/openvpn/
drwxr-xr-x. root root system_u:object_r:openvpn_etc_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
drwxr-xr-x. root root unconfined_u:object_r:openvpn_etc_t:s0 certs
-rw-r--r--. root root unconfined_u:object_r:openvpn_etc_t:s0 dh2048.pem
drwxr-xr-x. root root unconfined_u:object_r:openvpn_etc_t:s0 easy-rsa
-rw-------. root root unconfined_u:object_r:openvpn_etc_rw_t:s0 ipp.txt
-rw-------. root root unconfined_u:object_r:openvpn_etc_t:s0 ta.key
-rw-------. openvpn openvpn unconfined_u:object_r:openvpn_etc_t:s0 server.conf
If you have a statement like
status openvpn-status.log
in your openvpn config file, you might notice the server still won't start. A peek at the /var/log/audit/audit.log will reveal
type=AVC msg=audit(1413580155.710:1265): avc: denied { write } for pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file
Changing the context of this file to rw does the trick:
chcon -t openvpn_etc_rw_t openvpn-status.log
and
[root@server openvpn]# ls -alZ openvpn-status.log
-rw-------. root root unconfined_u:object_r:openvpn_etc_t:s0 openvpn-status.log
will become
-rw-------. root root unconfined_u:object_r:openvpn_etc_rw_t:s0 openvpn-status.log
Afterwards the call
service openvpn@server start
worked flawlessly.
[root@server openvpn]# service openvpn@server status
Redirecting to /bin/systemctl status openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled)
Active: active (running) since Fri 2014-10-17 23:13:49 CEST; 9s ago
Process: 20445 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
Main PID: 20449 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
└─20449 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf
Oct 17 23:13:49 server openvpn[20445]: ROUTE_GATEWAY xx.xxx.xx.x/255.255.255.0 IFACE=eth0 HWADDR=XX:XX:XX:XX:XX:XX
Oct 17 23:13:49 server openvpn[20449]: GID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link local (bound): [undef]
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link remote: [undef]
Oct 17 23:13:49 server openvpn[20449]: MULTI: multi_init called, r=256 v=256
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Oct 17 23:13:49 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL LIST
Oct 17 23:13:49 server openvpn[20449]: Initialization Sequence Completed
PS: I'm on CentOS 7.
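A label set with chcon is overwritten the next time restorecon or fixfiles relabels the file, so the fix in Solution 1 can silently revert. The script below is an added example, not part of the original answer: it parses the AVC record quoted above and prints, without running them, the semanage fcontext and restorecon commands that record the label in local policy. The function names are hypothetical, and the /etc/openvpn directory is an assumption taken from the --cd argument in the service output, since the AVC record carries only the file's basename.

```sh
#!/bin/sh
# Added example (not from the original answer): triage an AVC denial and print,
# without running, a relabel that survives restorecon / fixfiles.

# AVC record quoted in Solution 1 above.
SAMPLE_AVC='type=AVC msg=audit(1413580155.710:1265): avc: denied { write } for pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file'

# avc_field KEY RECORD -> value of KEY=..., surrounding quotes stripped.
avc_field() {
  printf '%s\n' "$2" | awk -v k="$1" '{
    for (i = 1; i <= NF; i++)
      if (index($i, k "=") == 1) {
        v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit
      }
  }'
}

# avc_perms RECORD -> permissions listed between the braces.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> type field of user:role:type:level.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# avc_summary RECORD -> "<source type> <perms> <target type> <class> <name>"
avc_summary() {
  printf '%s %s %s %s %s\n' \
    "$(ctx_type "$(avc_field scontext "$1")")" "$(avc_perms "$1")" \
    "$(ctx_type "$(avc_field tcontext "$1")")" "$(avc_field tclass "$1")" \
    "$(avc_field name "$1")"
}

# persistent_fix DIR RECORD NEW_TYPE -> commands that record the label in policy.
# DIR is an assumption supplied by the caller: the AVC holds only the basename.
persistent_fix() {
  path="${1%/}/$(avc_field name "$2")"
  regex=$(printf '%s\n' "$path" | sed 's/[.]/\\./g')  # escape dots for the fcontext regex
  printf "semanage fcontext -a -t %s '%s'\n" "$3" "$regex"
  printf 'restorecon -v %s\n' "$path"
}

avc_summary "$SAMPLE_AVC"
persistent_fix /etc/openvpn "$SAMPLE_AVC" openvpn_etc_rw_t
```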
Solution 2
For anyone else that finds this thread, I had the problem on Fedora 26. Turns out the instructions I was following had you put the conf files in the /etc/openvpn directory, but they need to go in /etc/openvpn/server.
Solution 3
The problem is SELinux. Editing /etc/sysconfig/selinux and setting SELINUX=permissive and then rebooting fixed it for me. I remember in Fedora that there was a command that had to be run to allow the cert directory to be used properly, but I forget what that command is. Setting it to permissive fixes it completely, but a more preferred way would be to fix it so that it can use the directory properly.
xenoterracide
Former Linux System Administrator, now full time Java Software Engineer.
Updated on September 18, 2022
Comments
-
xenoterracide almost 2 years
when trying to
service openvpn start
Oct 12 14:02:01 ccushing1 openvpn[9091]: Options error: In [CMD-LINE]:1: Error opening configuration file: devnet-client-vm.conf
running
openvpn devnet-client-vm.conf
works just fine. Why does openvpn not start? How can I fix it?
-
AlexWalterbos over 6 years
THANK YOU. For others that have to go this deep: You have to copy your ca, crt and key (so two .crt files and a .key) file to the same directory
-
oucil over 4 years
This was also the solution for me on CentOS 8
-
ansi_lumen over 4 years
This should be marked as the correct answer.
-
G-Man Says 'Reinstate Monica' over 4 years
@GAD3R: Huh? It appears to me that this does provide an answer to the question; every bit as much as Jeremiah’s answer, which is similar (but not identical).