Using OpenVPN with systemd
Solution 1
I think the Debian OpenVPN setup with systemd is currently a tad bit broken. To get it to work on my machines I had to:
- Create /etc/systemd/system/openvpn@.service.d (the directory), and place in it a new file with this:
    [Unit]
    Requires=networking.service
    After=networking.service
  I called my file local-after-ifup.conf. It needs to end with .conf. (This is the bit that's currently a tad bit broken.)
- Create a file in /etc/tmpfiles.d (I called mine local-openvpn.conf) with the contents:
    # Type Path Mode UID GID Age Argument
    d /run/openvpn 0755 root root - -
  This is Debian bug 741938 (fixed in 2.3.3-1).
- Create a symlink into multi-user.target.wants (easiest way is systemctl enable openvpn@CONF_NAME.service). E.g., if you have /etc/openvpn/foo.conf, you'd use openvpn@foo.service.
- If you also have the SysV init script showing up in systemd, disable it. This is Debian bug 700888 (fixed in 2.3.3-1).
NOTE: 2.3.3-1 or later is not yet in testing, though it is in unstable.
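The steps above (drop-in, tmpfiles.d fragment, instance unit name derived from the config file) are easy to get subtly wrong by hand. The following POSIX sh script is an added example, not part of the answer or of the Debian package: it stages exactly those files under a root directory of your choosing so they can be inspected or diffed before being copied to the live system, and it maps /etc/openvpn/NAME.conf to openvpn@NAME.service while refusing names that systemd would misparse. The file names local-after-ifup.conf and local-openvpn.conf are the ones the answer uses; ROOT and the staging directory default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): stage the drop-in and the
# tmpfiles.d fragment described above under ROOT, so nothing touches the live
# system until you decide to copy the result into / (or run with ROOT=/).
set -eu

# Map /etc/openvpn/<name>.conf to the instance unit openvpn@<name>.service.
unit_for_config() {
    base=$(basename "$1")
    case "$base" in
        *.conf) ;;
        *) echo "not a .conf file: $1" >&2; return 1 ;;
    esac
    name=${base%.conf}
    # An instance name containing '/' or '@' cannot be expressed as a plain
    # openvpn@<name>.service unit, so refuse it rather than guess.
    case "$name" in
        *[/@]*) echo "unsafe instance name: $name" >&2; return 1 ;;
    esac
    printf 'openvpn@%s.service\n' "$name"
}

# Write the drop-in that orders the template unit after networking.service.
write_dropin() {
    root=$1
    dir="$root/etc/systemd/system/openvpn@.service.d"
    mkdir -p "$dir"
    cat > "$dir/local-after-ifup.conf" <<'EOF'
[Unit]
Requires=networking.service
After=networking.service
EOF
    echo "$dir/local-after-ifup.conf"
}

# Write the tmpfiles.d fragment that recreates /run/openvpn at boot.
write_tmpfiles() {
    root=$1
    dir="$root/etc/tmpfiles.d"
    mkdir -p "$dir"
    cat > "$dir/local-openvpn.conf" <<'EOF'
# Type Path Mode UID GID Age Argument
d /run/openvpn 0755 root root - -
EOF
    echo "$dir/local-openvpn.conf"
}

# Stage both files for one config and print the commands that still have to
# run on the live host once the staged tree has been copied into place.
stage() {
    root=$1
    conf=$2
    unit=$(unit_for_config "$conf") || return 1
    write_dropin "$root" >/dev/null
    write_tmpfiles "$root" >/dev/null
    printf 'systemctl daemon-reload\nsystemctl enable %s\n' "$unit"
}

# Usage: ROOT=/tmp/stage sh stage-openvpn.sh /etc/openvpn/foo.conf
if [ -n "${1-}" ]; then
    stage "${ROOT:-./openvpn-staging}" "$1"
fi
```

Diff the staged tree against / before copying it, and only then run the two printed commands; the SysV script mentioned in the last step still has to be disabled separately.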
Solution 2
This type of unit file is an Instantiated Service - more details are available here.
The following is the unit file for openvpn on CentOS 7:
[Unit]
Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
After=syslog.target network.target
[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf
[Install]
WantedBy=multi-user.target
and it resides as /usr/lib/systemd/system/openvpn@.service. The %i in the file is replaced with the string after the @ in the unit name.
As the config file is at /etc/openvpn/myopenvpn.conf, the service is started with:
    systemctl start openvpn@myopenvpn.service
Solution 3
- Place all openvpn *.conf files into /etc/openvpn/.
- Edit /etc/default/openvpn. Uncomment this:
    AUTOSTART="all"
- Run systemctl daemon-reload.
- Run service openvpn start.
Solution 4
You need to create the service file by enabling openvpn@<configuration>.service.
For example, if the configuration file is /etc/openvpn/client.conf, the service name is openvpn@client.service.
Solution 5
The openvpn@.service has evolved greatly between Debian 8 and 9. The original package for Jessie, for example, fails on systemctl reload openvpn@. To fix this, the Stretch version introduces 10 new directives in the systemd file, including PIDFile= to make reload work again.
For Stretch users, I'd suggest going for the backport, and if it is not possible to do that, at least get the systemd file from https://packages.debian.org/jessie-backports/openvpn, extract debian/openvpn@.service into /etc/systemd/system/openvpn@.service, and enjoy better functionality and security.
Comments
- RoraΖ over 1 year
Ok, so I've been searching the web for solutions to this problem with no answers seeming to work for me. Hopefully someone can help me. I'm only trying to configure the OpenVPN client.
I'm running
    CrunchBang Linux 3.2.0-4-amd64 Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux
and I just switched over to using systemd. The changeover went smoothly enough, but now I can't get my OpenVPN client to come up using systemd. I've tried following these configuration tutorials, but nothing works.
- http://fedoraproject.org/wiki/Openvpn
- http://d.stavrovski.net/blog/how-to-install-and-set-up-openvpn-in-debian-7-wheezy
- And looked at a bunch of other different guides.
I can bring up the tunnel from the command line with
    openvpn /etc/openvpn/vpn.conf
So I know the config file is good; it was working with sysvinit just fine, so I'm not surprised. I then attempt to just do a status with systemctl status openvpn@vpn.service, resulting in:
    $ sudo systemctl status openvpn@vpn.service
    openvpn@vpn.service
       Loaded: error (Reason: No such file or directory)
       Active: inactive (dead)
I realized that I need to do some setup for services. I want to be prompted for a password, so I followed this guide to create an openvpn@.service in /etc/systemd/system/. But restarting the OpenVPN service still doesn't prompt for a password.
    $ sudo service openvpn restart
    [ ok ] Restarting openvpn (via systemctl): openvpn.service.
The Fedora tutorials go through the steps of creating symbolic links, but don't create any of the .service files in the walk-throughs.
What piece am I missing? Do I need to create an openvpn@.service? If so, where exactly do I place it? I feel like it shouldn't be this difficult, but I can't seem to find any solution that works for me. I'm happy to provide any more information that's needed.
Solution
    -rw-r--r-- 1 root root 319 Aug 7 10:42 openvpn@.service

    [Unit]
    Description=OpenVPN connection to %i
    After=network.target

    [Service]
    Type=forking
    ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
    ExecReload=/bin/kill -HUP $MAINPID
    WorkingDirectory=/etc/openvpn

    [Install]
    WantedBy=multi-user.target
Symlink:
    lrwxrwxrwx 1 root root 36 Aug 7 10:47 openvpn@vpn.service -> /lib/systemd/system/openvpn@.service
Prompt For Password
Everything is working now, except for being prompted for a password to connect. I've attempted this solution. I tweaked the file from above just a bit, and added an Expect script like in the example. Working like a charm! My files are below.
Modified lines from the above /lib/systemd/system/openvpn@.service:
    ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
    ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp
Expect script /lib/systemd/system/openvpn_pw.exp. Make sure to do the following:
- chmod +x on the script.
- Have telnet installed.
Code of the expect script:
    #!/usr/bin/expect
    # Ask for the passphrase through systemd's password agent.
    set pass [exec /bin/systemd-ask-password "Please insert Private Key password: "]
    # Talk to the OpenVPN management interface opened by --management localhost 5559.
    spawn telnet 127.0.0.1 5559
    expect "Enter Private Key Password:"
    send "password 'Private Key' $pass\r"
    expect "SUCCESS: 'Private Key' password entered, but not yet verified"
    send "exit\r"
    expect eof
It should be noted that the above solution does log the password you enter in plaintext in the following logs: /var/log/syslog and /var/log/daemon.log.
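The note above says the Expect-driven hand-off leaves the private-key passphrase in plaintext in /var/log/syslog and /var/log/daemon.log. The script below is an added example, not part of the original post: a POSIX sh audit that reads syslog-style lines and reports every OpenVPN management-interface `password '<name>' <secret>` command it finds, with the secret redacted, so an admin can check whether a host has been leaking passphrases this way. The log lines, host name, PIDs and the secret hunter2 are all constructed for the example. On the prevention side, Expect's log_user 0 stops the spawned telnet session being echoed to the script's stdout (and hence to the journal), and the log files themselves should stay readable only by root and the log group.

```shell
#!/bin/sh
# Added example (not from the original post): find management-interface
# password commands that ended up in syslog-style logs, without reprinting
# the secret.
set -eu

# Constructed syslog excerpt (not real logs): what the Expect hand-off looks
# like once the service's stdout is logged by syslog.
sample_log() {
    cat <<'EOF'
Aug  7 10:50:01 host openvpn[1234]: TUN/TAP device tun0 opened
Aug  7 10:50:02 host expect[1240]: spawn telnet 127.0.0.1 5559
Aug  7 10:50:02 host expect[1240]: Enter Private Key Password:
Aug  7 10:50:02 host expect[1240]: password 'Private Key' hunter2
Aug  7 10:50:02 host expect[1240]: SUCCESS: 'Private Key' password entered, but not yet verified
Aug  7 10:50:03 host openvpn[1234]: Initialization Sequence Completed
EOF
}

# Read log lines on stdin; print each leaked "password '<name>' <secret>"
# command with its line number and the secret replaced by <redacted>.
leaked_password_lines() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"password '"*"' "*)
                # Keep everything up to and including the quoted name; drop the rest.
                redacted=$(printf '%s\n' "$line" | sed "s/\\(password '[^']*' \\).*/\\1<redacted>/")
                printf 'line %d: %s\n' "$n" "$redacted"
                ;;
        esac
    done
}

# Usage: sh audit-openvpn-log.sh --demo               (scan the constructed sample)
#        sh audit-openvpn-log.sh --stdin < /var/log/syslog
case "${1-}" in
    --demo)  sample_log | leaked_password_lines ;;
    --stdin) leaked_password_lines ;;
esac
```

Run it against /var/log/syslog and /var/log/daemon.log (and rotated copies); any hit means the passphrase should be treated as exposed to everyone who could read those files, and the Expect script should be changed so the session is no longer echoed.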
- RoraΖ almost 10 years:
    $ sudo systemctl enable openvpn@vpn.service
    [sudo] password for user:
    Failed to issue method call: No such file or directory
- Karel almost 10 years: Your configuration file is called 'vpn'?
- RoraΖ almost 10 years: Yes, /etc/openvpn/vpn.conf
- Karel almost 10 years: Does systemctl start openvpn@vpn.service not work either? That should work...
- Karel almost 10 years: The command should work, so I think there is something wrong with your config. sudo openvpn --config /etc/openvpn/vpn.conf?
- RoraΖ almost 10 years: systemctl enable still fails saying no such file or directory. I don't see any sysv init scripts in /lib/systemd, unless it's systemd-initctl?
- Karel almost 10 years: This might help: ask.fedoraproject.org/en/question/23085/…
- RoraΖ almost 10 years: Added the sudo openvpn --config line.
- derobert almost 10 years: @raz The SysV script would be /etc/init.d/openvpn; systemd by default runs those just like sysv init would. That's the openvpn.service you have; you need to disable it (systemctl disable). Does the file /lib/systemd/system/openvpn@.service exist on your system?
- derobert almost 10 years: @raz If you have that file, you can try a manual
    ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/multi-user.target.wants/openvpn@vpn.service
- RoraΖ almost 10 years: I don't have that file but I'm sure I could create it. I disabled the /etc/init.d/openvpn script.
- derobert almost 10 years: @raz I'm not sure if Crunchbang has a backport of a newer OpenVPN package with it, but if not, you can grab that script from sources.debian.net/src/openvpn/2.3.3-1/debian/…
- derobert almost 10 years: @raz Also, I noticed I'd forgotten a step, please see the new number two. Beware that OpenVPN before 2.3.2-8 wasn't compiled with systemd support, so e.g., asking for passwords may not work.
- garethTheRed almost 10 years: What about /lib/systemd/system/? I seem to have both on my system, with identical contents (and they're not symlinks!).
- RoraΖ almost 10 years: I did see the update! I've done everything, updated the post with what I've got file-wise. I have a different error now!
- RoraΖ almost 10 years: I just added that file, updated my post with everything.
- RoraΖ over 9 years: This is what the Expect script in my edited post uses.
- Elias Probst over 9 years: Sorry, missed that edit.
- Luciano Andress Martini over 7 years: And yes, it is still broken 2 years later.
- neuhaus almost 7 years: This works for me on Raspbian GNU/Linux 8 (Debian Jessie). Thanks!
- frr over 6 years: Thanks a lot for that explanation. Encountered recently in Debian 9.0 Stretch, fresh install, with its stock OpenVPN 2.4.0. As I found myself facing this issue, I'd actually been trying to wrap my mind around the Systemd "unit scripts" for some time (to hook something I'd normally put in rc.sysinit or rc.local). Apart from solving my OpenVPN vs. Systemd issue, your instructions have explained a lot, pointed me to further reading and taught me how to configure systemd on my own. I suspect that the maintainer keeps the bug in, to elucidate admins on what Systemd has to offer in Debian.
- frr over 6 years: I actually have some fond past experience with OpenVPN. I previously compiled my own from source, and had my own approach on how to hook up multiple instances of the OpenVPN service into SysV init (using a mother script that would launch children). I know exactly what this (slightly broken) setup in Debian is aiming to achieve, and it is my goal exactly. Now my ages-old multi-instance OpenVPN config plays well with the standard Debianese setup of OpenVPN. Kudos, have an upvote :-)
- Luciano Andress Martini over 6 years: I think they used this as a solution, because now it is even worse in Debian 9: the openvpn does not restart if an error occurs, which is very stupid... Does someone know some solution or workaround? I am writing a script to verify if openvpn is still running!