You are not logged in.

#1 2021-01-04 10:09:32

monotiz
Member
Registered: 2007-10-20
Posts: 136

[SOLVED] OpenVPN fail to start as service with systemd

Hi,
I'm trying to configure an OpenVPN server, following the arch wiki page.

I successfully manually start the server with

openvpn /etc/openvpn/server/my-config.conf

Unfortunatly I got error when I start the systemd service:

# systemctl start openvpn-server@my-config.service
Job for openvpn-server@my-config.service failed because the control process exited with error code.
See "systemctl status openvpn-server@my-config.service" and "journalctl -xe" for details.

This is the details:

# journalctl -xe
...
gen 04 12:01:42 my-config openvpn[108559]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
gen 04 12:01:42 my-config openvpn[108559]: Options error: --ca fails with '/etc/openvpn/server/ca.crt': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: --cert fails with '/etc/openvpn/server/my-config.crt': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: --key fails with '/etc/openvpn/server/my-config.key': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: Please correct these errors.
gen 04 12:01:42 my-config openvpn[108559]: Use --help for more information.
gen 04 12:01:42 my-config systemd[1]: openvpn-server@my-config.service: Main process exited, code=exited, status=1/FAILURE
...

The file permissions:

# ls -l /etc/openvpn/server/
-rw-r--r-- 1 root root 10955  4 gen 11.57 my-config.conf
-rw------- 1 root root  4270  4 gen 09.59 my-config.crt
-rw------- 1 root root  1704  4 gen 09.47 my-config.key
-r-------- 1 root root   847  4 gen 09.44 ca.crt
-rw------- 1 root root   636  4 gen 09.47 ta.key

If I give a chmod 664 for that files, everythings works fine... but I don't want to give a 644 permission...

What's wrong with it?
Thank you.

Last edited by monotiz (2021-01-05 09:26:14)

Offline

#2 2021-01-04 12:02:26

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,067
Website

Re: [SOLVED] OpenVPN fail to start as service with systemd

In the update to OpenVPN 2.5.0-3, the service was changed by the maintainers to run as a non-privileged user.

pacman wrote:

:: OpenVPN now uses a netlink interface for network configuration. The systemd
   units start the process with a dedicated unprivileged user 'openvpn', with
   extra capabilities(7). The configuration should no longer drop privileges,
   so remove 'user' and 'group' directives.
   Scripts that require elevated privileges may need a workaround.

I.e.

chown -R openvpn.network /etc/openvpn/client /etc/openvpn/server

Offline

#3 2021-01-05 09:27:41

monotiz
Member
Registered: 2007-10-20
Posts: 136

Re: [SOLVED] OpenVPN fail to start as service with systemd

Thank you. I solved with your post. For the others, here my new permissions:

# ls -l /etc/openvpn/server/
-r-------- 1 openvpn network 10957  5 gen 11.10 xxx.conf
-r-------- 1 openvpn network  4270  4 gen 09.59 xxx.crt
-r-------- 1 openvpn network  1704  4 gen 09.47 xxx.key
-r-------- 1 openvpn network   847  4 gen 09.44 ca.crt
-r-------- 1 openvpn network    62  5 gen 11.10 ipp.txt
-rw------- 1 openvpn network   741  5 gen 11.09 openvpn-status.log
-r-------- 1 openvpn network   636  4 gen 09.47 ta.key

Offline

Board footer

Powered by FluxBB