socialdefect
Posts: 110
Joined: Mon Jun 25, 2012 9:02 pm
Location: Tilburg, the Netherlands
Contact: Website

Cannot get openVPN client config to start @ boot

Tue Aug 20, 2019 10:07 pm

Hi, I'm building a wifi AP that routes all traffic over VPN. It all works just fine, VPN client config works, it gets the login info from a text file and connects without any problems. I can start it using: service openvpn@myvpn start from the cli. But when I try to use update-rc.d to add it to my runlevels update-rc.d cannot find the config. Same for systemctl but service can find it.. I tried copying the openvpn startup script in /etc/init.d and edited it to start openvpn with my profile but this results in openvpn asking for login info and does not take the login info from file as I configured. Same thing when I start it using cron with exactly the same command that works like a charm when I execute it manually... Any ideas????
== If it's not broke... I'm not done fixing it! ==

epoch1970
Posts: 5022
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Cannot get openVPN client config to start @ boot

Wed Aug 21, 2019 7:18 am

Did you edit /etc/defaults/openvpn?
"S'il n'y a pas de solution, c'est qu'il n'y a pas de problème." Les Shadoks, J. Rouxel

DougieLawson
Posts: 38882
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Cannot get openVPN client config to start @ boot

Wed Aug 21, 2019 7:21 am

There's some arcane incantations needed for openvpn with systemd.

With a /etc/openvpn/foobar.conf

sudo systemctl enable openvpn@foobar gets it running.

It's a bit quirky that you have to enable the config name like that.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All non-medical doctors are on my foes list.

socialdefect
Posts: 110
Joined: Mon Jun 25, 2012 9:02 pm
Location: Tilburg, the Netherlands
Contact: Website

Re: Cannot get openVPN client config to start @ boot

Fri Aug 23, 2019 2:27 pm

Thanks. Now systemd recognizes the profile but I still get access errors. When I start: "openvpn --config ./etc/openvpn/nl.conf" on the commandline it all works fine but when I use systemctl, update-rc.d or service I get an error that openvpn cannot read the certificates and login info. All files are owned by root and are chmodded 644. Tried chmodding 777 to rule out permission issues but without success..

DougieLawson
Posts: 38882
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Cannot get openVPN client config to start @ boot

Fri Aug 23, 2019 2:49 pm

What do you get from
sudo systemctl enable openvpn@nl
sudo systemctl start openvpn@nl
sudo systemctl status openvpn
sudo systemctl status openvpn@nl
?

Should be something like

Code:

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2019-08-22 10:16:10 UTC; 1 day 4h ago
 Main PID: 549 (code=exited, status=0/SUCCESS)
   Memory: 0B
   CGroup: /system.slice/openvpn.service

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
● openvpn@apollo.service - OpenVPN connection to apollo
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-22 10:16:13 UTC; 1 day 4h ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
 Main PID: 570 (openvpn)
   Status: "Initialization Sequence Completed"
   Memory: 1.1M
   CGroup: /system.slice/system-openvpn.slice/openvpn@apollo.service
           └─570 /usr/sbin/openvpn --daemon ovpn-apollo --status /run/openvpn/apollo.status 10 --cd /etc/openvpn --config /etc/openvpn/apollo.conf --writepid /run/openvpn/apollo.pid

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get openVPN client config to start @ boot

Thu Dec 19, 2019 10:55 pm

DougieLawson wrote:
Wed Aug 21, 2019 7:21 am
There's some arcane incantations needed for openvpn with systemd.

With a /etc/openvpn/foobar.conf

sudo systemctl enable openvpn@foobar gets it running.

It's a bit quirky that you have to enable the config name like that.

Hi Dougie,
I come from a different thread concerning almost the same issue about connecting OpenVPN as a client on Raspbian...

The command above in your reply needs some kind of transfer of the password associated with the OVPN file referenced, right?
How is that accomplished? I am having trouble as it is to get the connection going (using my command as shown below) even in a terminal on Raspbian Buster because the login dialog does not show.
I have tested both with a terminal started inside the GUI (via VNC) and from an SSH terminal from my Windows laptop using PuTTY, but no connection is established and eventually the openvpn process dies (probably after not getting any password).
Here is my command to try to just open a connection to the VPN server:

Code:

sudo openvpn --config /etc/openvpn/client/BosseB_local95.ovpn --daemon

If I try the command shown in your post, will it ask for the password like if I use my own command without the --daemon argument?
And how can I shut it down when I am done with the connection?
Should it look like this for me?

Code:

sudo systemctl enable openvpn@BosseB_local95

I have copied my ovpn file over to /etc/openvpn/ from the /etc/openvpn/client subdir so it now exists in both.

NOTE:
I want to be able to connect VPN when needed only, so I need to both be able to start and stop the connection...
Bo Berglund
Sweden

DougieLawson
Posts: 38882
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Cannot get openVPN client config to start @ boot

Fri Dec 20, 2019 3:19 am

There's no password on any of my certificates or private keys.

openssl rsa -in /etc/openvpn/mypasswordprotected.key -out /etc/openvpn/mykeywithoutapassword.key

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get openVPN client config to start @ boot

Fri Dec 20, 2019 9:03 am

DougieLawson wrote:
Fri Dec 20, 2019 3:19 am
There's no password on any of my certificates or private keys.

openssl rsa -in /etc/openvpn/mypasswordprotected.key -out /etc/openvpn/mykeywithoutapassword.key

I tried the removal but got:

Code:

pi@rpi4-gui:/etc/openvpn $ sudo ssl -in BosseB_RPi_local95.ovpn -out BosseB_RPi_local95_NP.ovpn
sudo: ssl: command not found
pi@rpi4-gui:/etc/openvpn $ which ssl
pi@rpi4-gui:/etc/openvpn $

Should there not be a flag for the password removal operation too?
Like -removepwd or similar.
I have no clue as to why ssl is not installed, does it not come with openvpn?
Do I have to execute the above statement on the OpenVPN server where the ovpn file was created in the first place?
Well, tried that and ssl is not available there either.
Bo Berglund
Sweden

epoch1970
Posts: 5022
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Cannot get openVPN client config to start @ boot

Fri Dec 20, 2019 11:34 am

Try with openssl, and not ssl?
If not installed (?) it is surely available.
You can run the command on any machine where openssl is available and the key file present.
Of course once done you need to copy the key file to the server and restart it.

There is an awkward option in ovpn where you can get it to read the password from a text file, and use that to unlock the key. That should work as well, but removing the password from the server key makes much more sense.

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get openVPN client config to start @ boot

Fri Dec 20, 2019 2:21 pm

Yeah, openssl is what is installed but....

Code:

pi@rpi4-gui:/etc/openvpn $ sudo openssl -in BosseB_RPi_local95.ovpn -out BosseB_RPi_local95-NP.ovpn
Invalid command '-in'; type "help" for a list.
pi@rpi4-gui:/etc/openvpn $ openssl help
Standard commands
asn1parse         ca                ciphers           cms
crl               crl2pkcs7         dgst              dhparam
dsa               dsaparam          ec                ecparam
enc               engine            errstr            gendsa
genpkey           genrsa            help              list
nseq              ocsp              passwd            pkcs12
pkcs7             pkcs8             pkey              pkeyparam
pkeyutl           prime             rand              rehash
req               rsa               rsautl            s_client
s_server          s_time            sess_id           smime
speed             spkac             srp               storeutl
ts                verify            version           x509

Message Digest commands (see the `dgst' command for more details)
blake2b512        blake2s256        gost              md4
md5               rmd160            sha1              sha224
sha256            sha3-224          sha3-256          sha3-384
sha3-512          sha384            sha512            sha512-224
sha512-256        shake128          shake256          sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64
bf                bf-cbc            bf-cfb            bf-ecb
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb
cast5-ofb         des               des-cbc           des-cfb
des-ecb           des-ede           des-ede-cbc       des-ede-cfb
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb
des-ede3-ofb      des-ofb           des3              desx
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc
rc2-cfb           rc2-ecb           rc2-ofb           rc4
rc4-40            seed              seed-cbc          seed-cfb
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb
sm4-ctr           sm4-ecb           sm4-ofb
Seems like I am out of luck here.
Is the only way out then to go to the VPN server and generate a new certificate and ovpn file without entering a password anywhere in the easy-rsa processing?
It seems like it will be a security breach since then anyone getting hold of the ovpn file can connect.
Bo Berglund
Sweden

epoch1970
Posts: 5022
Joined: Thu May 05, 2016 9:33 am
Location: Paris, France

Re: Cannot get openVPN client config to start @ boot

Fri Dec 20, 2019 2:36 pm

Man, read or if not copy-paste what DougieLawson gave you.. “openssl rsa -in ...”

Bosse_B
Posts: 966
Joined: Thu Jan 30, 2014 9:53 am

Re: Cannot get openVPN client config to start @ boot

Sat Dec 21, 2019 12:03 am

epoch1970 wrote:
Fri Dec 20, 2019 2:36 pm
Man, read or if not copy-paste what DougieLawson gave you.. “openssl rsa -in ...”

I am blushing in humiliation!!! :o :shock:

You are absolutely correct in that I did not see the rsa word in the command!
Command executes OK when correctly written and produces a new ovpn file.

However, I made another error in believing it would change the ovpn file to a passwordless ovpn file.
Instead the command seems to create a file with only a modified RSA key.
So the result is an ovpn file that is not an ovpn file at all....

Next I edited the original ovpn file and replaced the old RSA key block with the new RSA key block.
Then I tried to use it with openvpn:

Code:

pi@rpi4-gui:/etc/openvpn $ sudo openvpn --config /etc/openvpn/BosseB_RPi_local95_NP.ovpn
Sat Dec 21 00:50:31 2019 OpenVPN 2.4.7 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Sat Dec 21 00:50:31 2019 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Sat Dec 21 00:50:31 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]209.xx.xx.36:1195
Sat Dec 21 00:50:31 2019 UDP link local: (not bound)
Sat Dec 21 00:50:31 2019 UDP link remote: [AF_INET]209.xx.xx.36:1195
Sat Dec 21 00:50:32 2019 [AGIVPN] Peer Connection Initiated with [AF_INET]209.xx.xx.36:1195
Sat Dec 21 00:50:33 2019 TUN/TAP device tun0 opened
Sat Dec 21 00:50:33 2019 /sbin/ip link set dev tun0 up mtu 1500
Sat Dec 21 00:50:33 2019 /sbin/ip addr add dev tun0 10.8.1.5/24 broadcast 10.8.1.255
Sat Dec 21 00:50:33 2019 Initialization Sequence Completed
--- here terminal blocks inside openvpn until I use Ctrl-C ----
^C
Sat Dec 21 00:51:48 2019 event_wait : Interrupted system call (code=4)
Sat Dec 21 00:51:48 2019 /sbin/ip addr del dev tun0 10.8.1.5/24
Sat Dec 21 00:51:48 2019 SIGINT[hard,] received, process exiting
pi@rpi4-gui:/etc/openvpn $

While it was blocking I opened another terminal via PuTTY to the Rpi and tested pinging computers in the remote location and it worked just fine!
So now I have an ovpn file that does not require me to enter a password! :D
Next (for tomorrow) is to integrate this in my openvpn scripts so I can easily open and close the connection.
Bo Berglund
Sweden
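
The thread ends with a profile whose inline key block is no longer passphrase-protected, so file permissions are the only thing guarding it. The shell audit below is an added example, not code from any poster in the thread: it reports whether a profile's inline <key> block is encrypted and flags a plaintext key that is readable beyond the file owner. The function names and the sample profile are constructed for illustration.

```shell
#!/bin/sh
# Audit an OpenVPN profile: plaintext inline <key> plus loose file mode = exposed key.

# Print "encrypted", "plaintext" or "none" for the inline <key> block of profile $1.
inline_key_state() {
    awk '
        /^<key>/   { inkey = 1; seen = 1; next }
        /^<\/key>/ { inkey = 0 }
        inkey && /BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        END { if (!seen) print "none"; else if (enc) print "encrypted"; else print "plaintext" }
    ' "$1"
}

# Print the octal permission bits of $1 (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if the profile is acceptable, 1 if a plaintext key is exposed.
audit_profile() {
    state=$(inline_key_state "$1")
    mode=$(file_mode "$1")
    echo "$1: inline key $state, mode $mode"
    [ "$state" = "plaintext" ] || return 0
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        0|*00) return 0 ;;
        *)     echo "  -> plaintext key readable beyond owner; run: chmod 600 $1"
               return 1 ;;
    esac
}

# Constructed sample profile; the key body is a placeholder, not key material.
make_sample() {
    cat > "$1" <<'EOF'
client
remote vpn.example.net 1195 udp
<key>
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
</key>
EOF
}

# Demo: the same profile is flagged at mode 644 and accepted at mode 600.
tmp=$(mktemp) && make_sample "$tmp" && chmod 644 "$tmp"
audit_profile "$tmp" || true
chmod 600 "$tmp" && audit_profile "$tmp"
rm -f "$tmp"
```

The check only reads PEM headers, so it says nothing about a key kept in a separate file referenced from the profile.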
