openvpn startup script isn't working in ubuntu 18.04

Bug #1771650 reported by Fanar Webb on 2018-05-16
This bug affects 1 person
Affects: Release Notes for Ubuntu (importance: Undecided, assigned to: Unassigned)
Affects: openvpn (Ubuntu) (importance: Medium, assigned to: Unassigned)

Bug Description

It's very simple.

1- Install Ubuntu 18.04.
2- Install OpenVPN using apt.
3- Put your configuration at path /etc/openvpn, for example: /etc/openvpn/myconfig.conf.
4- Start the openvpn service! It won't start automatically.

Note: my config has a security weakness, but it is still valid and works perfectly if I start it manually. For example: openvpn /etc/openvpn/myconfig.conf - it works!

Thank you

David Ing (divirtual) wrote :

I have a problem that may be related, but I haven't been able to get OpenVPN working. https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1772066

How do you start OpenVPN manually?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed

Sebastien Bacher (seb128) wrote :

The description suggests the command-line openvpn is used, not the network-manager plugin.

affects: network-manager-openvpn (Ubuntu) → openvpn (Ubuntu)

Simon Déziel (sdeziel) wrote :

@Fanar, could you please attach the openvpn logs of the failed service start? You can collect them with:

  journalctl -u openvpn@myconfig > /tmp/openvpn-myconfig.log

Thanks

Changed in openvpn (Ubuntu):
status: Confirmed → Incomplete

Fanar Webb (fanarweb) wrote :

No results :

cat /tmp/openvpn-myconfig.log
-- Logs begin at Thu 2018-05-24 11:33:12 +03, end at Fri 2018-05-25 17:37:44 +03. --

Fanar Webb (fanarweb) wrote :

I can still connect if I run openvpn from the command line, but the init script won't start the service. I also tried making changes to /etc/default/openvpn, with no luck.

Simon Déziel (sdeziel) wrote :

What do you get from "systemctl -a | grep openvpn"?

systemctl -a | grep openvpn
  openvpn.service    loaded active exited OpenVPN service


Simon Déziel (sdeziel) wrote :

Can you try to enable and start it with:

 sudo systemctl enable openvpn@myconfig
 sudo systemctl start openvpn@myconfig

Then collect the logs as mentioned before, please?

Fanar Webb (fanarweb) wrote :

OK, it worked this time, and it is still working even after restarting the service

/etc/init.d/openvpn restart

ifconfig tun0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 10.122.11.10 netmask 255.255.255.255 destination 10.0.11.9
        inet6 fe80::82bc:c88a:6a62:bc0c prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 15 bytes 1304 (1.3 KB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

We shouldn't need to enable every profile by itself, should we? We used to just add a .conf file with its requirements at /etc/openvpn (or even under a subfolder there) and it would work normally.

Thank you for taking care of this anyway.

Fanar Webb (fanarweb) wrote :

I can see that there is a new file under:

/<email address hidden>

We never needed such a file before to run the ovpn service.

Andreas Hasenack (ahasenack) wrote :

See this upstream change: https://github.com/OpenVPN/openvpn/commit/28bd79ac980488dbfce2e8136287e38c6f35a043

I believe all you had to do was place the config file in /etc/openvpn/server or /etc/openvpn/client, then the systemd units would pick it up automatically.

Could you please verify that? If that fixes your use case, then we might want to add an entry to the 18.04 release notes.

Simon Déziel (sdeziel) wrote :

The package shipped in Bionic does create the directories /etc/openvpn/server and /etc/openvpn/client but it only ships a systemd unit that looks for configuration files from /etc/openvpn directly.

Andreas Hasenack (ahasenack) wrote :

This needs further investigation, because the package does ship service files for server and client:

# dpkg -L openvpn|grep service
/lib/systemd/system/openvpn-client@.service
/lib/systemd/system/openvpn-server@.service
/lib/systemd/system/openvpn.service
/lib/systemd/system/openvpn@.service

We might be using them incorrectly.

Changed in openvpn (Ubuntu):
status: Incomplete → Triaged
importance: Undecided → Medium

Andreas Hasenack (ahasenack) wrote :

Assuming you have a config file called /etc/openvpn/server/myconfig, can you try:

systemctl start openvpn-server@myconfig

That should trigger the openvpn-server@ service file, which will replace %i in the Exec line below with what's after @ in the systemctl start command:
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

So it should work?
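
The location-to-unit mapping discussed in the comments above, as an added example that is not part of the bug thread or the openvpn package: it reports which template instance would start each config file and marks files that none of the three units reads. The function names and the OPENVPN_DIR variable are hypothetical, and the directory-to-unit mapping is assumed from the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or the openvpn package).
# Assumption, taken from the comments above: openvpn@NAME reads
# /etc/openvpn/NAME.conf, openvpn-server@NAME reads server/NAME.conf and
# openvpn-client@NAME reads client/NAME.conf.

# unit_for_config ROOT FILE: print the template instance for FILE, or fail
# when FILE is not a .conf directly inside one of those three directories.
unit_for_config() {
    root=${1%/}
    name=$(basename "$2" .conf)
    case "$2" in
        "$root"/server/*/*|"$root"/client/*/*) return 1 ;;
        "$root"/server/*.conf) echo "openvpn-server@$name" ;;
        "$root"/client/*.conf) echo "openvpn-client@$name" ;;
        "$root"/*/*)           return 1 ;;  # any other subfolder
        "$root"/*.conf)        echo "openvpn@$name" ;;
        *)                     return 1 ;;
    esac
}

# list_units ROOT: one "FILE<TAB>UNIT" line per config; UNIT is "-" when no
# unit matches, i.e. nothing will start a tunnel from that location at boot.
list_units() {
    for f in "${1%/}"/*.conf "${1%/}"/*/*.conf; do
        [ -f "$f" ] || continue            # an unmatched glob stays literal
        unit=$(unit_for_config "$1" "$f") || unit=-
        printf '%s\t%s\n' "$f" "$unit"
    done
}

# Report boot-time state for the real directory (prints nothing if absent).
list_units "${OPENVPN_DIR:-/etc/openvpn}" |
while IFS="$(printf '\t')" read -r file unit; do
    state=unchecked
    if [ "$unit" != - ] && command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled "$unit" 2>/dev/null) || :
        [ -n "$state" ] || state=unknown
    fi
    printf '%-40s %-28s %s\n' "$file" "$unit" "$state"
done
```

A config whose unit shows anything other than "enabled" will not bring the tunnel up at boot, so traffic expected to use the VPN leaves over the default route until someone starts it by hand.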

Simon Déziel (sdeziel) wrote :

@ahasenack, thanks, I was indeed wrong with the -client/-server@ units. It's weird they don't show up in "systemctl -a | grep openvpn" though. The openvpn.postinst only seems to enable openvpn.service.

Andreas Hasenack (ahasenack) wrote :

The client/server @ units need a config file, otherwise they cannot be activated. I'm not sure what the main openvpn.service one is for now, though.

Ah, it does nothing apparently:
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn

Andreas Hasenack (ahasenack) wrote :

@Fanar does comment #15 solve your case? If yes, I can add a release notes task to this bug and update https://wiki.ubuntu.com/BionicBeaver/ReleaseNotes mentioning this change

Fanar Webb (fanarweb) wrote :

To fix the problem I had to do this:

1- copy my config file to /etc/openvpn directory (not under /etc/openvpn/server)
2- systemctl enable <email address hidden>
3- systemctl enable openvpn@server2 (to be sure).
4- systemctl start openvpn-server@server2

Then I rebooted; all works now and starts on boot.

Thank you all, but I think some fix should be released; this is not how things used to work.

affects: openvpn → ubuntu-release-notes