[SOLVED] OpenVPN on Debian 8

akashi · 07-04-2015, 12:54 AM

I need help please!

I managed to install and configure OpenVPN 2.3.4

The OpenVPN service does not load during boot because it is loaded before the network is up

Code:

Jul 04 04:47:45 osmc systemd[1]: openvpn@server.service: control process exited, code=exited status=1
Jul 04 04:47:45 osmc systemd[1]: Failed to start OpenVPN connection to server.
Jul 04 04:47:45 osmc systemd[1]: Unit openvpn@server.service entered failed state.
Jul 04 04:47:45 osmc dbus[279]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkitd.service'
Jul 04 04:47:46 osmc polkitd[394]: started daemon version 0.105 using authority implementation `local' version `0.105'
Jul 04 04:47:46 osmc dbus[279]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Jul 04 04:47:46 osmc udisks-glue[378]: Device file /dev/mmcblk0 inserted
Jul 04 04:47:46 osmc udisks-glue[378]: Device file /dev/sda inserted
Jul 04 04:47:46 osmc sudo[408]: osmc : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/hdparm -S 240 /dev/sda
Jul 04 04:47:46 osmc sudo[408]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jul 04 04:47:46 osmc udisks-glue[378]: /dev/sda:
Jul 04 04:47:46 osmc udisks-glue[378]: setting standby to 240 (20 minutes)
Jul 04 04:47:46 osmc sudo[408]: pam_unix(sudo:session): session closed for user root
Jul 04 04:47:46 osmc kernel: IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
Jul 04 04:47:46 osmc connmand[286]: eth0 {add} route fe80:: gw :: scope 0 <UNIVERSE>
Jul 04 04:47:46 osmc connmand[286]: eth0 {update} flags 102467 <UP,RUNNING,LOWER_UP>
Jul 04 04:47:46 osmc connmand[286]: eth0 {newlink} index 2 address B8:27:EB:BB:BC:85 mtu 1500
Jul 04 04:47:46 osmc connmand[286]: eth0 {newlink} index 2 operstate 6 <UP>
Jul 04 04:47:46 osmc kernel: smsc95xx 1-1.1:1.0 eth0: link up, 100Mbps, full-duplex, lpa 0xCDE1
Jul 04 04:47:46 osmc kernel: 8021q: 802.1Q VLAN Support v1.8
Jul 04 04:47:46 osmc connmand[286]: Skipping disconnect of carrier, network is connecting.
Jul 04 04:47:46 osmc minidlna[304]: Starting minidlna: minidlna.
Jul 04 04:47:46 osmc avahi-daemon[277]: Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.1.100.
Jul 04 04:47:46 osmc avahi-daemon[277]: New relevant interface eth0.IPv4 for mDNS.
Jul 04 04:47:46 osmc avahi-daemon[277]: Registering new address record for 192.168.1.100 on eth0.IPv4.

The network is managed by connman

I read online about editing the openvpn@.service and adding

Code:

[Unit]
...
Wants=network-online.target
After=network-online.target

Unfortunately this did not help.

OpenVPN error:

Code:

Sat Jul  4 05:36:21 2015 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  1 2014
Sat Jul  4 05:36:21 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Jul  4 05:36:21 2015 Control Channel Authentication: using '/usr/share/easy-rsa/keys/ta.key' as a OpenVPN static key file
Sat Jul  4 05:36:21 2015 TCP/UDP: Socket bind failed on local address [AF_INET]192.168.1.100:443: Cannot assign requested address
Sat Jul  4 05:36:21 2015 Exiting due to fatal error

If I restart the OpenVPN service once the system has booted, it works perfectly:

Code:

Sat Jul  4 05:52:49 2015 OpenVPN 2.3.4 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  1 2014
Sat Jul  4 05:52:49 2015 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08
Sat Jul  4 05:52:49 2015 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Jul  4 05:52:49 2015 Control Channel Authentication: using '/usr/share/easy-rsa/keys/ta.key' as a OpenVPN static key file
Sat Jul  4 05:52:49 2015 TUN/TAP device tun0 opened
Sat Jul  4 05:52:49 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sat Jul  4 05:52:49 2015 /sbin/ip link set dev tun0 up mtu 1500
Sat Jul  4 05:52:49 2015 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Sat Jul  4 05:52:49 2015 GID set to nogroup
Sat Jul  4 05:52:49 2015 UID set to nobody
Sat Jul  4 05:52:49 2015 Listening for incoming TCP connection on [AF_INET]192.168.1.100:443
Sat Jul  4 05:52:49 2015 TCPv4_SERVER link local (bound): [AF_INET]192.168.1.100:443
Sat Jul  4 05:52:49 2015 TCPv4_SERVER link remote: [undef]
Sat Jul  4 05:52:49 2015 Initialization Sequence Completed

Please bare in mind I am still learning the basics of Linux.

Thanks in advance.

ferrari · 07-04-2015, 07:01 AM

I'm wondering if it's because nothing else is configured to make sure network is actually up before network-online.target is reached. For those of us who use NetworkManager, there is a NetworkManager-Wait-Online.service that helps with this. (A ConMan-Wait-Online.service would be nice.) Anyway, you could check this with

Code:

systemctl list-dependencies network-online.target --reverse

FWIW, a similar discussion here:
http://unix.stackexchange.com/questi...ng-has-started

Some general workarounds...
1. What you could do is write a script called by a custom service that checks that network connectivity has been established, looping until this condition is met. That could use the ordering

Code:

Wants=network.target
Before=network.target network-online.target

so that the openvpn@server.service only starts when this service has determined that the network is active.

2. The other possible quick and dirty solution might be to introduce a delay in the execution of the command called by openvpn@server.service using the sleep command for example.

akashi · 07-04-2015, 06:16 PM

Quote:

Originally Posted by ferrari

Anyway, you could check this with

Code:

systemctl list-dependencies network-online.target --reverse

Thank you for providing multiple possible solutions. Here is my command output:

Code:

network-online.target
* |-aria2.service
* |-minidlna.service
* |-ntp.service
* |-nzbdrone.service
* |-nzbget.service
* `-rpcbind.service

The services listed above all work correctly.

Can you please provide the command to add in the unit file to introduce a delay start with the sleep command?

Thanks again.

akashi · 07-04-2015, 06:59 PM

ferrari, I was finally able to solve this annoying problem with your guidance.

I investigated the boot log with 'journalctl -b' and noticed after the eth0 was up, the NTP service was started.

I simply edit my openvpn@.service and added 'After=ntp.service' and now OpenVPN is loading on every boot.

You can also add 'After=multi-user.target' instead as it works too.

Many thanks for your help.

ferrari · 07-04-2015, 07:36 PM

Well done.

joshuambenhase · 11-07-2015, 03:18 PM

Im sorry, I am somewhat new to Linux as well and I have realized that this is my issue as well. My problem now is, I do not quite understand when you say 'edit openvpn@.service'? Where is that file? How do I edit that and add the new line so when system boots, it starts at the correct time?

joshuambenhase · 11-07-2015, 03:37 PM

Okay, I found what I was looking for but it doesn't seem to fix the issue. This is what is happening. Connected to VPN fine, reboot, can't connect, reload VPN, can connect. I thought this topic was exactly the solution and it may be but it doesnt seem to be working. I may be adding it to wrong file or wrong part of file. Help greatly appreciated. Thanks in advance!

akashi · 02-01-2016, 02:35 PM

Quote:

Originally Posted by joshuambenhase

Okay, I found what I was looking for but it doesn't seem to fix the issue. This is what is happening. Connected to VPN fine, reboot, can't connect, reload VPN, can connect. I thought this topic was exactly the solution and it may be but it doesnt seem to be working. I may be adding it to wrong file or wrong part of file. Help greatly appreciated. Thanks in advance!

I know I am responding to a very old post but I hope it helps someone:

Edit this file with your text editor, in my case I use nano

Code:

nano /lib/systemd/system/openvpn@.service

Add the text below in red:

Code:

[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
After=ntp.service

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn -$
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

Save and reboot.