Hi,
I'm trying to configure an OpenVPN server, following the Arch wiki page.
I can successfully start the server manually with
openvpn /etc/openvpn/server/my-config.conf
Unfortunately I get an error when I start the systemd service:
# systemctl start openvpn-server@my-config.service
Job for openvpn-server@my-config.service failed because the control process exited with error code.
See "systemctl status openvpn-server@my-config.service" and "journalctl -xe" for details.
These are the details:
# journalctl -xe
...
gen 04 12:01:42 my-config openvpn[108559]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
gen 04 12:01:42 my-config openvpn[108559]: Options error: --ca fails with '/etc/openvpn/server/ca.crt': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: --cert fails with '/etc/openvpn/server/my-config.crt': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: --key fails with '/etc/openvpn/server/my-config.key': Permission denied (errno=13)
gen 04 12:01:42 my-config openvpn[108559]: Options error: Please correct these errors.
gen 04 12:01:42 my-config openvpn[108559]: Use --help for more information.
gen 04 12:01:42 my-config systemd[1]: openvpn-server@my-config.service: Main process exited, code=exited, status=1/FAILURE
...
The file permissions:
# ls -l /etc/openvpn/server/
-rw-r--r-- 1 root root 10955 4 gen 11.57 my-config.conf
-rw------- 1 root root 4270 4 gen 09.59 my-config.crt
-rw------- 1 root root 1704 4 gen 09.47 my-config.key
-r-------- 1 root root 847 4 gen 09.44 ca.crt
-rw------- 1 root root 636 4 gen 09.47 ta.key
If I give a chmod 644 to those files, everything works fine... but I don't want to give 644 permissions...
What's wrong with it?
Thank you.
Last edited by monotiz (2021-01-05 09:26:14)
In the update to OpenVPN 2.5.0-3, the service was changed by the maintainers to run as a non-privileged user.
:: OpenVPN now uses a netlink interface for network configuration. The systemd
units start the process with a dedicated unprivileged user 'openvpn', with
extra capabilities(7). The configuration should no longer drop privileges,
so remove 'user' and 'group' directives.
Scripts that require elevated privileges may need a workaround.
I.e.
chown -R openvpn.network /etc/openvpn/client /etc/openvpn/server
Thank you. I solved it with your post. For the others, here are my new permissions:
# ls -l /etc/openvpn/server/
-r-------- 1 openvpn network 10957 5 gen 11.10 xxx.conf
-r-------- 1 openvpn network 4270 4 gen 09.59 xxx.crt
-r-------- 1 openvpn network 1704 4 gen 09.47 xxx.key
-r-------- 1 openvpn network 847 4 gen 09.44 ca.crt
-r-------- 1 openvpn network 62 5 gen 11.10 ipp.txt
-rw------- 1 openvpn network 741 5 gen 11.09 openvpn-status.log
-r-------- 1 openvpn network 636 4 gen 09.47 ta.key
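As an added check, not part of the thread, the small POSIX shell audit below classifies each file in the config directory into the two states seen here: unreadable by the unprivileged service user (the "Permission denied" in the journal above) or world-readable (the chmod 644 workaround the original poster wanted to avoid). It assumes the unit runs as openvpn:network, as the reply above describes, and uses GNU stat's -c format as found on Arch.

```shell
#!/bin/sh
# Added example (not from the thread): audit /etc/openvpn/server for the
# unprivileged-service-user change described above. Assumes openvpn:network.
SVC_USER=openvpn
SVC_GROUP=network

# check_entry OWNER GROUP OCTAL_MODE NAME
# returns 0 = readable by the service user and not world-readable,
#         1 = not readable by the service user (the "Permission denied" case),
#         2 = world-readable (the service starts, but every local user can read it)
check_entry() {
  owner=$1 group=$2 mode=$3 name=$4
  mode=${mode#"${mode%???}"}   # keep only the last three octal digits (u g o)
  o=${mode#??}                 # "other" digit
  ug=${mode%?}
  g=${ug#?}                    # group digit
  u=${ug%?}                    # owner digit
  if [ $(( o & 4 )) -ne 0 ]; then
    echo "WORLD-READABLE  $name ($owner:$group $mode)"
    return 2
  fi
  if [ "$owner" = "$SVC_USER" ] && [ $(( u & 4 )) -ne 0 ]; then
    echo "OK              $name"
    return 0
  fi
  if [ "$group" = "$SVC_GROUP" ] && [ $(( g & 4 )) -ne 0 ]; then
    echo "OK (via group)  $name"
    return 0
  fi
  echo "UNREADABLE      $name ($owner:$group $mode) by $SVC_USER"
  return 1
}

# audit_dir DIR: run check_entry over every regular file in DIR (GNU stat).
# Exit status is non-zero if any file is unreadable or world-readable.
audit_dir() {
  dir=$1 rc=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    set -- $(stat -c '%U %G %a' "$f")
    check_entry "$1" "$2" "$3" "$f" || rc=1
  done
  return $rc
}

if [ -n "${1:-}" ]; then audit_dir "$1"; fi
```

Run as `sh audit.sh /etc/openvpn/server`; the directory itself also needs search (x) permission for the openvpn user, which the per-file check does not cover.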
Thanks for this. Solved the issue I was having on my raspberry too.