
Ok, so I've been searching the web for solutions to this problem with no answers seeming to work for me. Hopefully someone can help me. I'm only trying to configure the OpenVPN Client.

I'm running CrunchBang Linux 3.2.0-4-amd64 Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux and I just switched over to using systemd. The changeover went smoothly enough, but now I can't get my OpenVPN client to come up using systemd. I've tried following these configuration tutorials, but nothing works.

I can bring up the tunnel from the command line with openvpn /etc/openvpn/vpn.conf. So I know the config file is good, it was working with sysvinit just fine so I'm not surprised. I then attempt to just do a status with systemctl status [email protected] resulting in:

    $ sudo systemctl status [email protected]
      [email protected]
      Loaded: error (Reason: No such file or directory)
      Active: inactive (dead)

I realized that I need to do some setup for services. I want to be prompted for a password so I followed this guide to create an [email protected] in /etc/systemd/system/. But restarting the OpenVPN service still doesn't prompt for a password.

    $ sudo service openvpn restart
    [ ok ] Restarting openvpn (via systemctl): openvpn.service.

In the Fedora tutorials they go through the steps of creating symbolic links, but don't create any of the .service files in the walkthroughs.

What piece am I missing? Do I need to create an [email protected]? If so, where exactly do I place it? I feel like it shouldn't be this difficult, but I can't seem to find any solution that works for me. I'm happy to provide any more information that's needed.

Thanks in advance.

Solution:

    -rw-r--r--  1 root root   319 Aug  7 10:42 [email protected]

    [Unit]
    Description=OpenVPN connection to %i
    After=network.target

    [Service]
    Type=forking
    ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
    ExecReload=/bin/kill -HUP $MAINPID
    WorkingDirectory=/etc/openvpn

    [Install]
    WantedBy=multi-user.target

Symlink:

    lrwxrwxrwx  1 root root   36 Aug  7 10:47 [email protected] -> /lib/systemd/system/[email protected]

Prompt For Password

Everything is working now, except for being prompted for a password to connect. I attempted this solution. I tweaked the file from above just a bit, and added an Expect script like in the example. Working like a charm! My files are below.

Modified lines from the above /lib/systemd/system/[email protected]

    ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
    ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp

Expect script /lib/systemd/system/openvpn_pw.exp. Make sure to do the following:

  • chmod +x on the script.
  • Have telnet installed

    #!/usr/bin/expect
    set pass [exec /bin/systemd-ask-password "Please insert Private Key password: "]

    spawn telnet 127.0.0.1 5559
    expect "Enter Private Key Password:"
    send "password 'Private Key' $pass\r"
    expect "SUCCESS: 'Private Key' password entered, but not yet verified"
    send "exit\r"
    expect eof

It should be noted that the above solution does log the password you enter in plaintext in the following logs: /var/log/syslog and /var/log/daemon.log.

    
What does the [email protected] file look like? –  Cristian Ciupitu Aug 7 at 14:11
    
Updated the post with the current error –  raz Aug 7 at 15:10
    
Look in /var/log/{syslog,daemon.log} and journalctl -b -m to find why OpenVPN exited. One of those places should contain the real error messages. (Or even journalctl -b -m _EXE=/usr/sbin/openvpn should give just OpenVPN messages). –  derobert Aug 7 at 15:10
    
Yep, I was getting there. We're hitting the password problem. I'll try this solution for it: bbs.archlinux.org/viewtopic.php?id=150440 Thanks for all your help! –  raz Aug 7 at 15:14
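
An added example, not part of the original post: a Python audit of the two weak points in the question's setup, the management interface opened on a TCP port with no password file (OpenVPN's `--management IP port [pw-file]` syntax) and the passphrase ending up in syslog. The unit text is copied from the question; the log lines and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed input: the modified unit lines quoted in the question.
UNIT_TEXT = """[Service]
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp
"""
# Constructed syslog lines (host, PID and passphrase are made up).
LOG_LINES = [
    "Aug  7 15:20:01 host expect[2101]: spawn telnet 127.0.0.1 5559",
    "Aug  7 15:20:01 host expect[2101]: password 'Private Key' NOT-A-REAL-SECRET",
    "Aug  7 15:20:01 host expect[2101]: SUCCESS: 'Private Key' password entered, but not yet verified",
]
LEAK = re.compile(r"(password\s+'Private Key'\s+)\S.*$")


def audit_management(unit_text):
    """List weaknesses of every --management option found in ExecStart= lines."""
    findings = []
    for line in unit_text.splitlines():
        if not line.startswith("ExecStart="):
            continue
        argv = shlex.split(line.split("=", 1)[1])
        for i, arg in enumerate(argv):
            if arg != "--management":
                continue
            # Parameters run until the next option: IP port [pw-file],
            # or socket-name unix [pw-file].
            params = []
            for tok in argv[i + 1:]:
                if tok.startswith("--"):
                    break
                params.append(tok)
            if len(params) >= 2 and params[1] != "unix":
                findings.append("TCP listener %s:%s" % (params[0], params[1]))
            if len(params) < 3:
                findings.append("no management password file")
    return findings


def redact_leaks(lines):
    """Mask passphrases sent to the management port; return (hits, cleaned lines)."""
    hits, cleaned = 0, []
    for line in lines:
        new, n = LEAK.subn(r"\1[REDACTED]", line)
        hits += n
        cleaned.append(new)
    return hits, cleaned
```

A non-zero hit count from `redact_leaks` on real logs means the key passphrase should be treated as exposed and changed, not just scrubbed from the files.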

4 Answers

Accepted answer, 2 votes:

I think the Debian OpenVPN setup with systemd is currently a tad bit broken. To get it to work on my machines I had to:

  1. Create /etc/systemd/system/[email protected] (the directory), and place in it a new file with this:

    [Unit]
    Requires=networking.service
    After=networking.service

     I called my file local-after-ifup.conf. It needs to end with .conf. (This is the bit that's currently a tad bit broken.)

  2. Create a file in /etc/tmpfiles.d (I called mine local-openvpn.conf) with the contents:

    # Type Path         Mode UID  GID  Age Argument
    d      /run/openvpn 0755 root root  -  -

     This is Debian bug 741938 (fixed in 2.3.3-1).

  3. Create a symlink into multi-user.target.wants (the easiest way is systemctl enable openvpn@CONF_NAME.service). E.g., if you have /etc/openvpn/foo.conf, you'd use [email protected].

  4. If you also have the SysV init script showing up in systemd, disable it. This is Debian bug 700888 (fixed in 2.3.3-1).

NOTE: 2.3.3-1 or later is not yet in testing, though it is in unstable.

    
systemctl enable still fails saying no such file or directory. I don't see any sysv init scripts in /lib/systemd, unless it's systemd-initctl? –  raz Aug 7 at 14:28
    
@raz The SysV script would be /etc/init.d/openvpn; systemd by default runs those just like sysv init would. That's the openvpn.service you have; you need to disable it (systemctl disable). Does the file /lib/systemd/system/[email protected] exist on your system? –  derobert Aug 7 at 14:31
    
@raz If you have that file, you can try a manual ln -s /lib/systemd/system/[email protected] /etc/systemd/system/multi-user.target.wants/[email protected] –  derobert Aug 7 at 14:32
    
I don't have that file but I'm sure I could create it. I disabled the /etc/init.d/openvpn script. –  raz Aug 7 at 14:36
    
@raz I'm not sure if Crunchbang has a backport of a newer OpenVPN package with it, but if not, you can grab that script from sources.debian.net/src/openvpn/2.3.3-1/debian/… –  derobert Aug 7 at 14:40

This type of unit file is an Instantiated Service - more details are available here

The following is the unit file for openvpn on CentOS 7:

    [Unit]
    Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
    After=syslog.target network.target

    [Service]
    PrivateTmp=true
    Type=forking
    PIDFile=/var/run/openvpn/%i.pid
    ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

    [Install]
    WantedBy=multi-user.target

and it resides as /usr/lib/systemd/system/openvpn@service. The %i in the file is replaced with the string after the @ in the unit name.

As the config file is at /etc/openvpn/myopenvpn.conf then the service is started with:

    systemctl start [email protected]
    
I only have /usr/lib/systemd/user/ Nothing else at the /usr/lib/systemd level. –  raz Aug 7 at 14:38
    
What about /lib/systemd/system/ ? I seem to have both on my system, with identical contents (and they're not symlinks!). –  garethTheRed Aug 7 at 14:46
    
I just added that file, updated my post with everything. –  raz Aug 7 at 15:09

You need to create the service file by enabling openvpn@<configuration>.service.

For example, if the configuration file is /etc/openvpn/client.conf, the service name is [email protected].

From the Arch Wiki

    
$ sudo systemctl enable [email protected] [sudo] password for user: Failed to issue method call: No such file or directory –  raz Aug 7 at 14:06
    
Your configuration file is called 'vpn'? –  Karlo Aug 7 at 14:07
    
Yes, /etc/openvpn/vpn.conf –  raz Aug 7 at 14:08
    
Does systemctl start [email protected] not work either? That should work... –  Karlo Aug 7 at 14:16
    
$ sudo systemctl start [email protected] Failed to issue method call: Unit [email protected] failed to load: No such file or directory. See system logs and 'systemctl status [email protected]' for details. –  raz Aug 7 at 14:18

The proper solution would be to make use of systemd's systemd-ask-password/"Password Agents", which provides a systemd builtin way to funnel passwords/passphrases to services.

You'll need OpenVPN 2.3.0 or newer to do this.

    
This is what the Expect script in my edited post uses. –  raz Sep 15 at 18:43
    
Sorry, missed that edit. –  Elias Probst Sep 15 at 18:59
