
#1 2017-03-30 09:17:56

noxpo
Member
Registered: 2014-10-18
Posts: 11

[SOLVED] OpenVPN client doesn't start via systemd

Hi *,

Since a week or so ago systemd can't start my OpenVPN client anymore. systemctl status gives me:

Mär 30 10:44:35 gbi openvpn[1922]: WARNING: cannot stat file '/root/<client key file>': No such file or directory (errno=2)
Mär 30 10:44:35 gbi openvpn[1922]: Options error: --key fails with '/root/<client key file>': No such file or directory
Mär 30 10:44:35 gbi openvpn[1922]: WARNING: cannot stat file '/root/<tls auth key file>': No such file or directory (errno=2)
Mär 30 10:44:35 gbi openvpn[1922]: Options error: --tls-auth fails with '/root/<tls auth key file>': No such file or directory
Mär 30 10:44:35 gbi openvpn[1922]: Options error: Please correct these errors.
Mär 30 10:44:35 gbi openvpn[1922]: Use --help for more information.

This is the unit file /usr/lib/systemd/system/openvpn-client@.service, it has never been changed/overridden:

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true

[Install]
WantedBy=multi-user.target

Strangely, manually starting openvpn with the ExecStart command from the unit file (as root and substituting the %i obviously) works perfectly. Any ideas?

Edit: the key file paths come from my OpenVPN client config file, so OpenVPN does use the correct config when started via systemd.
Edit: added [SOLVED] to subject

Last edited by noxpo (2017-03-30 20:14:48)


#2 2017-03-30 17:35:22

QuackDonkey
Member
Registered: 2017-01-27
Posts: 24

Re: [SOLVED] OpenVPN client doesn't start via systemd

Maybe try removing

ProtectHome=true

line from service file.


#3 2017-03-30 18:18:28

rdeckard
Wiki Maintainer
Registered: 2015-01-28
Posts: 137

Re: [SOLVED] OpenVPN client doesn't start via systemd

Can you connect running openvpn from the command line (outside of the systemd unit)?


#4 2017-03-30 20:13:02

noxpo
Member
Registered: 2014-10-18
Posts: 11

Re: [SOLVED] OpenVPN client doesn't start via systemd

@QuackDonkey: You're right, /root is a home directory too m)
Moved the key files elsewhere and now it works again, thx.

@rdeckard: Yes, everything works fine from the command line. And now I know that this is because no ProtectHome=true keeps OpenVPN from reading the key files then.


#5 2017-03-30 20:15:25

aiBo
Member
Registered: 2010-11-10
Posts: 50

Re: [SOLVED] OpenVPN client doesn't start via systemd

QuackDonkey wrote:

Maybe try removing

ProtectHome=true

line from service file.

This, as the manpage of systemd.exec says:

man systemd.exec wrote:

ProtectHome=
           Takes a boolean argument or "read-only". If true, the directories /home, /root and /run/user
           are made inaccessible and empty for processes invoked by this unit. If set to "read-only", the
           three directories are made read-only instead.

So this directive being set to true is what is currently blocking the access to /root.

But, instead of changing the unit I would move the keys to /etc/openvpn. You can still protect them by giving only root read access using file permissions.

edit: too slow q.q

Last edited by aiBo (2017-03-30 20:16:08)
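
An added example, not part of the thread and not code from OpenVPN or systemd: a small Python check that lists the file options in a client config which point under the directories ProtectHome=true hides, the failure diagnosed above. The option list, the function name hidden_paths and the sample config are assumptions made for illustration.

```python
import posixpath
import shlex

# Directories hidden by ProtectHome=true, per the systemd.exec text quoted above.
PROTECTED = ("/home", "/root", "/run/user")

# OpenVPN options whose first argument is a file path (assumed subset, not exhaustive).
FILE_OPTIONS = {"ca", "cert", "key", "tls-auth", "tls-crypt", "pkcs12",
                "auth-user-pass", "crl-verify", "dh", "secret"}

# Constructed sample config; paths and host name are made up for illustration.
SAMPLE_CONF = """\
client
remote vpn.example.org 1194
ca ca.crt
cert /etc/openvpn/client/client.crt
key /root/client.key
tls-auth "/root/ta.key" 1
; key /home/old/client.key
auth-user-pass ../../../run/user/0/creds
"""


def hidden_paths(config_text, workdir="/etc/openvpn/client"):
    """Return (line_no, option, resolved_path) for files the unit cannot see."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;<":      # comments and inline <key> tags
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:                    # unbalanced quote: not a clean option line
            continue
        option = words[0].lstrip("-") if words else ""
        if option not in FILE_OPTIONS or len(words) < 2:
            continue
        # Relative paths resolve against WorkingDirectory= from the unit file.
        path = posixpath.normpath(posixpath.join(workdir, words[1]))
        if any(path == d or path.startswith(d + "/") for d in PROTECTED):
            findings.append((line_no, option, path))
    return findings


if __name__ == "__main__":
    for line_no, option, path in hidden_paths(SAMPLE_CONF):
        print(f"line {line_no}: {option} -> {path} is hidden by ProtectHome=true")
```

An empty result means no listed option points into /home, /root or /run/user; file permissions on the new location still need checking separately.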

