
#1 2017-04-20 11:30:01

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,394

[SOLVED] openvpn+systemd not working, systemd does not follow symlinks

# systemctl start openvpn-server@server-bridge
Job for openvpn-server@server-bridge.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server-bridge.service" and "journalctl -xe" for details.

# systemctl status openvpn-server@server-bridge.service                                                                                       
● openvpn-server@server-bridge.service - OpenVPN service for server/bridge
   Loaded: loaded (/usr/lib/systemd/system/openvpn-server@.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2017-04-20 13:10:53 CEST; 22s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 10011 ExecStart=/usr/bin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf (code=exi
 Main PID: 10011 (code=exited, status=1/FAILURE)

apr 20 13:10:53 Gozer systemd[1]: Starting OpenVPN service for server/bridge...
apr 20 13:10:53 Gozer systemd[1]: openvpn-server@server-bridge.service: Main process exited, code=exited, status=1/FAILURE
apr 20 13:10:53 Gozer systemd[1]: Failed to start OpenVPN service for server/bridge.
apr 20 13:10:53 Gozer systemd[1]: openvpn-server@server-bridge.service: Unit entered failed state.
apr 20 13:10:53 Gozer systemd[1]: openvpn-server@server-bridge.service: Failed with result 'exit-code'.

#LC_ALL=C journalctl -xe|grep -i20 openvpn #Just the relevant info follows:
-- Unit openvpn-server@server-bridge.service has begun starting up.
Apr 20 13:10:53 Gozer systemd[1]: openvpn-server@server-bridge.service: Main process exited, code=exited, status=1/FAILURE
Apr 20 13:10:53 Gozer systemd[1]: Failed to start OpenVPN service for server/bridge.
-- Subject: Unit openvpn-server@server-bridge.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvpn-server@server-bridge.service has failed.
-- 
-- The result is failed.

#No overrides:
# find /etc/systemd -iname "*openvpn*" 
/etc/systemd/system/multi-user.target.wants/openvpn-server@server-bridge.service

The service file:

# cat /usr/lib/systemd/system/openvpn-server\@.service 
[Unit]
Description=OpenVPN service for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/bin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true

[Install]
WantedBy=multi-user.target

But I can start it manually:

1# rm  /var/log/openvpn-server-bridge.log
1# /usr/bin/openvpn --config server-bridge.conf --status /tmp/status.log --status-version 2  --suppress-timestamps --log /var/log/openvpn-server-bridge.log

2# cat /var/log/openvpn-server-bridge.log
OpenVPN 2.4.1 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2017
[..]
Initialization Sequence Completed

The issue is that when started via systemd, it is unable to find some files, see:

#> systemctl start openvpn-server@server-bridge
Job for openvpn-server@server-bridge.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server-bridge.service" and "journalctl -xe" for details.

#> cat /var/log/openvpn-server-bridge.log
Options error: --dh fails with '/etc/openvpn/keys/dh2048.pem': No such file or directory
Options error: --ca fails with '/etc/openvpn/keys/ca.crt': No such file or directory
Options error: --cert fails with '/etc/openvpn/keys/Gozer.crt': No such file or directory
WARNING: cannot stat file '/etc/openvpn/keys/Gozer.key': No such file or directory (errno=2)
Options error: --key fails with '/etc/openvpn/keys/Gozer.key': No such file or directory
WARNING: cannot stat file '/etc/openvpn/keys/ta.key': No such file or directory (errno=2)
Options error: --tls-auth fails with '/etc/openvpn/keys/ta.key': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

Still, they are there, but they are symlinks:

# ls -la /etc/openvpn/keys/dh2048.pem
-rw-r--r-- 1 root root 424 dic  3  2014 /etc/openvpn/keys/dh2048.pem
# ls -la /etc/openvpn/|grep keys
lrwxrwxrwx   1 root root       19 dic  3  2014 keys -> /root/.openvpn/keys
# ls -la /root/.openvpn/keys/dh2048.pem
-rw-r--r-- 1 root root 424 dic  3  2014 /root/.openvpn/keys/dh2048.pem

Any idea what's going on?

--EDIT--
And indeed, I replaced the ExecStart line in /usr/lib/systemd/system/openvpn-server@.service and restarted the service, see:

# grep ExecStart /usr/lib/systemd/system/openvpn-server\@.service
ExecStart=/usr/bin/find -L /etc/openvpn
# systemctl daemon-reload
# systemctl start openvpn-server@server-bridge
apr 20 13:40:00 Gozer systemd[1]: Starting OpenVPN service for server/bridge...
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/bridge.stop.sh
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/ipp-bridge.txt
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/ipp-bridge.txt
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/server-bridge.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/openvpn.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/nickinickilaptop.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/rocky.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/slimer.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/travelmate.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/openvpn-status.log
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/ipp.txt
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/server.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/mamma.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/openvpn-status-bridge.log
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/server/netbook.conf
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/bridge.start.sh
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/client
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/down
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/openvpn-status.log
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/ipp.txt
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/up
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/openvpn-status-bridge.log
apr 20 13:40:00 Gozer find[5242]: /etc/openvpn/keys
apr 20 13:40:00 Gozer systemd[1]: Started OpenVPN service for server/bridge.

Via systemd, find does not follow symlinks, but it does via an interactive terminal:

# /usr/bin/find -L /etc/openvpn|grep keys
/etc/openvpn/keys
/etc/openvpn/keys/serial.old
/etc/openvpn/keys/index.txt
/etc/openvpn/keys/CertificatoDiRiserva4.csr
/etc/openvpn/keys/06.pem
/etc/openvpn/keys/CertificatoDiRiserva7.crt
/etc/openvpn/keys/dh2048.pem
/etc/openvpn/keys/slimer.crt
/etc/openvpn/keys/VirtualboxProva.key
/etc/openvpn/keys/travelmate.key
/etc/openvpn/keys/CertificatoDiRiserva2.csr
/etc/openvpn/keys/0A.pem
/etc/openvpn/keys/travelmate.crt
/etc/openvpn/keys/nickinickilaptop.crt
/etc/openvpn/keys/04.pem
/etc/openvpn/keys/ca.key
/etc/openvpn/keys/0E.pem
/etc/openvpn/keys/CertificatoDiRiserva7.csr
/etc/openvpn/keys/VirtualboxProva.csr
/etc/openvpn/keys/CertificatoDiRiserva6.csr
/etc/openvpn/keys/0F.pem
/etc/openvpn/keys/CertificatoDiRiserva8.csr
/etc/openvpn/keys/CertificatoDiRiserva4.crt
/etc/openvpn/keys/01.pem
/etc/openvpn/keys/CertificatoDiRiserva2.key
/etc/openvpn/keys/02.pem
/etc/openvpn/keys/VirtualboxProva.crt
/etc/openvpn/keys/08.pem
/etc/openvpn/keys/0C.pem
/etc/openvpn/keys/CertificatoDiRiserva4.key
/etc/openvpn/keys/rocky.crt
/etc/openvpn/keys/CertificatoDiRiserva1.key
/etc/openvpn/keys/travelmate.csr
/etc/openvpn/keys/CertificatoDiRiserva1.crt
/etc/openvpn/keys/CertificatoDiRiserva3.csr
/etc/openvpn/keys/slimer.key
/etc/openvpn/keys/0D.pem
/etc/openvpn/keys/netbook.crt
/etc/openvpn/keys/index.txt.attr
/etc/openvpn/keys/0B.pem
/etc/openvpn/keys/CertificatoDiRiserva5.csr
/etc/openvpn/keys/CertificatoDiRiserva5.key
/etc/openvpn/keys/CertificatoDiRiserva2.crt
/etc/openvpn/keys/netbook.csr
/etc/openvpn/keys/03.pem
/etc/openvpn/keys/CertificatoDiRiserva7.key
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/CertificatoDiRiserva9.key
/etc/openvpn/keys/netbook.key
/etc/openvpn/keys/Gozer.crt
/etc/openvpn/keys/nickinickilaptop.key
/etc/openvpn/keys/rocky.key
/etc/openvpn/keys/CertificatoDiRiserva9.csr
/etc/openvpn/keys/index.txt.old
/etc/openvpn/keys/05.pem
/etc/openvpn/keys/Gozer.key
/etc/openvpn/keys/mamma.key
/etc/openvpn/keys/CertificatoDiRiserva3.crt
/etc/openvpn/keys/nickinickilaptop.csr
/etc/openvpn/keys/rocky.csr
/etc/openvpn/keys/CertificatoDiRiserva9.crt
/etc/openvpn/keys/slimer.csr
/etc/openvpn/keys/10.pem
/etc/openvpn/keys/CertificatoDiRiserva8.key
/etc/openvpn/keys/CertificatoDiRiserva6.crt
/etc/openvpn/keys/index.txt.attr.old
/etc/openvpn/keys/CertificatoDiRiserva3.key
/etc/openvpn/keys/CertificatoDiRiserva5.crt
/etc/openvpn/keys/09.pem
/etc/openvpn/keys/CertificatoDiRiserva1.csr
/etc/openvpn/keys/CertificatoDiRiserva6.key
/etc/openvpn/keys/CertificatoDiRiserva8.crt
/etc/openvpn/keys/mamma.csr
/etc/openvpn/keys/07.pem
/etc/openvpn/keys/Gozer.csr
/etc/openvpn/keys/11.pem
/etc/openvpn/keys/mamma.crt
/etc/openvpn/keys/serial
/etc/openvpn/keys/ta.key

It worked fine in the past, and it does not seem that systemd has been upgraded.

???

--EDIT--
I have to add that my /root is symlinked to /home/root, if that matters.

--EDIT--
Upstream? just opened:
https://github.com/systemd/systemd/issues/5767

Last edited by kokoko3k (2017-04-21 07:17:25)


Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !


#2 2017-04-20 22:34:13

loqs
Member
Registered: 2014-03-06
Posts: 17,369

Re: [SOLVED] openvpn+systemd not working, systemd does not follow symlinks

ProtectHome=true
man 5 systemd.exec wrote:

       ProtectHome=
           Takes a boolean argument or "read-only". If true, the directories
           /home, /root and /run/user are made inaccessible and empty for
           processes invoked by this unit. If set to "read-only", the three
           directories are made read-only instead. It is recommended to enable
           this setting for all long-running services (in particular
           network-facing ones), to ensure they cannot get access to private
           user data, unless the services actually require access to the
           user's private data. This setting is implied if DynamicUser= is
           set. For this setting the same restrictions regarding mount
           propagation and privileges apply as for ReadOnlyPaths= and related
           calls, see above.

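The failure above comes down to one question an admin can ask before enabling any sandboxing directive: does every file the daemon opens still exist once the unit's mount namespace is set up? The following script is an added example, not code from the thread or from the openvpn/systemd projects. It parses an OpenVPN server config for the directives that take a file argument (the list is a common subset and an assumption), resolves each path exactly as the kernel would (relative paths from WorkingDirectory=, symlinks in every component), and reports those that land under /home, /root or /run/user, which ProtectHome=true or tmpfs make empty and ProtectHome=read-only leaves visible. The demo() function builds a throw-away directory tree that mirrors the thread's /etc/openvpn/keys -> /root/.openvpn/keys symlink and substitutes that tree's own root/ for the real /root so it runs unprivileged; that tree and its file names are constructed, not the poster's host.

```python
"""Pre-flight check: will ProtectHome= hide files an OpenVPN unit opens?

Added example, not code from the thread or from the openvpn/systemd projects.
It does what the kernel does when openvpn opens its --ca/--cert/--key/... files
inside the unit's mount namespace: resolve every path (relative ones from
WorkingDirectory=) through all symlinks, then report those that land under a
directory ProtectHome= makes empty. A hit is the "No such file or directory"
the thread shows for /etc/openvpn/keys -> /root/.openvpn/keys.
"""
import os
import re
import tempfile
from typing import Iterable, Optional

# OpenVPN directives whose first argument is a file path (common subset; assumption).
FILE_DIRECTIVES = frozenset({
    "ca", "cert", "key", "dh", "tls-auth", "tls-crypt", "tls-crypt-v2",
    "crl-verify", "pkcs12", "secret", "auth-user-pass", "extra-certs",
})

# The three directories ProtectHome= acts on, per man 5 systemd.exec.
PROTECTHOME_DIRS = ("/home", "/root", "/run/user")


def hidden_prefixes(protect_home: str, protected=PROTECTHOME_DIRS) -> tuple:
    """Which protected directories are EMPTY for the service.

    true/yes and tmpfs hide their contents; read-only keeps them visible
    (only writes fail); false/no does nothing."""
    v = protect_home.strip().lower()
    if v in ("1", "yes", "true", "on", "tmpfs"):
        return tuple(protected)
    if v in ("read-only", "0", "no", "false", "off"):
        return ()
    raise ValueError(f"unknown ProtectHome= value: {protect_home!r}")


def _uncomment(line: str) -> str:
    return re.split(r"[#;]", line, maxsplit=1)[0].strip()


def referenced_files(conf_text: str, workdir: str) -> list:
    """(directive, absolute path) for each file-taking directive in the config."""
    refs = []
    for raw in conf_text.splitlines():
        parts = _uncomment(raw).split()
        if len(parts) >= 2 and parts[0] in FILE_DIRECTIVES:
            arg = parts[1]
            # openvpn opens relative paths from its cwd; the unit sets that via WorkingDirectory=
            refs.append((parts[0], arg if os.path.isabs(arg) else os.path.join(workdir, arg)))
    return refs


def under_any(path: str, prefixes: Iterable[str]) -> bool:
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in prefixes)


def masked_files(conf_path: str, protect_home: str = "true",
                 workdir: Optional[str] = None, protected=PROTECTHOME_DIRS) -> list:
    """(directive, configured path, resolved path) for every file the unit cannot see."""
    workdir = workdir or os.path.dirname(os.path.abspath(conf_path))
    hidden = hidden_prefixes(protect_home, protected)
    with open(conf_path) as f:
        refs = referenced_files(f.read(), workdir)
    hits = []
    for directive, path in refs:
        real = os.path.realpath(path)  # follows symlinks in every component, like the kernel
        if under_any(real, hidden):
            hits.append((directive, path, real))
    return hits


def build_demo_tree(base: str):
    """Constructed layout (not the thread's real host) mirroring its symlink:
    BASE/root/.openvpn/keys/{ca.crt,Gozer.key}       stands in for /root/.openvpn/keys
    BASE/etc/openvpn/keys -> BASE/root/.openvpn/keys   the symlink from the thread
    BASE/etc/openvpn/server/dh2048.pem               a real file beside the config
    Returns (config path, WorkingDirectory, directories to treat as /root)."""
    base = os.path.realpath(base)
    root_keys = os.path.join(base, "root", ".openvpn", "keys")
    server = os.path.join(base, "etc", "openvpn", "server")
    os.makedirs(root_keys)
    os.makedirs(server)
    for p in (os.path.join(root_keys, "ca.crt"), os.path.join(root_keys, "Gozer.key"),
              os.path.join(server, "dh2048.pem")):
        open(p, "w").close()  # empty placeholder files; content is irrelevant here
    link = os.path.join(base, "etc", "openvpn", "keys")
    os.symlink(root_keys, link)
    conf = os.path.join(server, "server-bridge.conf")
    with open(conf, "w") as f:
        f.write(f"ca {link}/ca.crt\n"
                f"key {link}/Gozer.key   # reached only through the symlink\n"
                "dh dh2048.pem           ; relative, resolved from WorkingDirectory=\n"
                "port 1194\n")
    return conf, server, (os.path.join(base, "root"),)


def demo() -> dict:
    """Run the check for each ProtectHome= value; returns {value: [hidden directives]}."""
    with tempfile.TemporaryDirectory() as base:
        conf, workdir, fake_root = build_demo_tree(base)
        return {v: [d for d, _, _ in masked_files(conf, v, workdir, fake_root)]
                for v in ("true", "read-only", "tmpfs")}


if __name__ == "__main__":
    for value, hidden in demo().items():
        print(f"ProtectHome={value}: " + (", ".join(hidden) + " hidden" if hidden else "all files visible"))
```

Against a real host, call masked_files("/etc/openvpn/server/server-bridge.conf", "true", "/etc/openvpn/server") with the defaults; the two remedies follow from the man page text quoted above: either keep ProtectHome=true as shipped and move the key material out of /root into a real directory under /etc/openvpn (replacing the symlink), or weaken the unit with a drop-in from `systemctl edit openvpn-server@.service` containing `[Service]` and `ProtectHome=read-only`, which makes /root visible but unwritable to the daemon. To reproduce the empty /root without editing ExecStart=, the same sandbox property can be applied to a one-off command on a systemd host as root: `systemd-run -p ProtectHome=yes -t ls -la /etc/openvpn/keys/`.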

#3 2017-04-21 07:17:09

kokoko3k
Member
Registered: 2008-11-14
Posts: 2,394

Re: [SOLVED] openvpn+systemd not working, systemd does not follow symlinks

Great, thank you for spotting it!





Powered by FluxBB