openvpn-install: FIX - Error opening configuration file: server.conf

Recurring problem on fresh CentOS 7 installations:

service openvpn@server status -l
Redirecting to /bin/systemctl status -l openvpn@server.service
● openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-09-12 20:04:37 EDT; 17s ago
  Process: 11239 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
 Main PID: 11239 (code=exited, status=1/FAILURE)

Sep 12 20:04:37 server.masked.com systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
Sep 12 20:04:37 server.masked.com openvpn[11239]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Sep 12 20:04:37 server.masked.com openvpn[11239]: Use --help for more information.
Sep 12 20:04:37 server.masked.com systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
Sep 12 20:04:37 server.masked.com systemd[1]: Failed to start OpenVPN Robust And Highly Flexible Tunneling Application On server.
Sep 12 20:04:37 server.masked.com systemd[1]: Unit openvpn@server.service entered failed state.
Sep 12 20:04:37 server.masked.com systemd[1]: openvpn@server.service failed.

FIX:

sed -i 's#/etc/openvpn/ --config#/etc/openvpn/server/ --config#g' /usr/lib/systemd/system/openvpn@.service
systemctl daemon-reload
service openvpn@server restart

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (4 by maintainers)

Most upvoted comments

fixfiles -R openvpn restore

also did fix this issue on Rocky Linux 9. Thanks @Sispheor

On my side the error was due to SELinux (CentOS 8). I used this to fix it:

fixfiles -R openvpn restore

Tried that. The first time it didn’t work and I got sudo: fixfiles: command not found. I did apt-get install policycoreutils, after which I retyped sudo fixfiles -R openvpn restore and got this error: /sbin/fixfiles: line 204: rpm: command not found openvpn not found

As you can see, the syslog is pumping the above reported error non-stop, which cannot possibly be good, but the service seems to be reporting that it is running.

openvpn-server@server.service (which is the right service) is not the same as openvpn@server.service (which is the one where you are seeing errors).

Use the script in a clean system and don’t mess with the services, it will work.

On my side the error was due to SELinux (CentOS 8). I used this to fix it:

fixfiles -R openvpn restore

You should start the service after installation in the script

I do, see line 365.

I always used openvpn@server in the past, I do not know why it has 2 service files?

Because the maintainers/developers decided to use a new service unit which is more flexible. The old service you were using will probably be discontinued in the future.

I’m from the upstream OpenVPN core team. Please read the documentation for the systemd implementation, available here: https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd

The separation between client and server profiles was done for 2 reasons: a) to not collide with the brokenness various Linux distros ship, which has not been coordinated with the upstream OpenVPN project, and b) to allow different security hardening and behavior (like automatic service restart) in server and client roles.

The openvpn.service and openvpn@.service methods are not supported by upstream OpenVPN and are considered a broken legacy approach, which is why upstream OpenVPN ships openvpn-client@.service and openvpn-server@.service to provide a standardized way to manage OpenVPN configurations across all distributions.

I can see why it’s happening:

The openvpn package owns the /lib/systemd/system/openvpn@.service systemd service file, which has these lines:

WorkingDirectory=/etc/openvpn
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid

So, when the template unit is instantiated as e.g. “openvpn@server.service”, it will look for the config in --config /etc/openvpn/server.conf, which obviously does not exist. Even the openvpn package itself does not provide it, nor imply that location. I checked dpkg-query --listfiles openvpn:

/etc/openvpn
/etc/openvpn/client
/etc/openvpn/server
/etc/openvpn/update-resolv-conf

— that’s all for /etc/openvpn, and it does look like the server config is supposed to go under the /etc/openvpn/server/ directory.

Moreover, the openvpn-server@.service template uses a different syntax for ExecStart:

WorkingDirectory=/etc/openvpn/server
ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

Note the different working directory and the non-absolute config path being used here.

I think what we found here is the issue with openvpn packaging and systemd integration, and it should be reported to the OpenVPN repository instead.

You don’t need to do that. The service should be managed like this:

systemctl status openvpn-server@server.service
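
As an added example (not part of the thread, and not code from openvpn-install or OpenVPN), the shell functions below resolve which file each of the unit templates quoted above would open for an instance, using the rule the comments describe: a relative --config is looked up under --cd or, failing that, WorkingDirectory. The function names, the ROOT prefix and the sample tree are constructed for illustration; only the %i specifier is expanded and instance names are assumed to be plain words.

```sh
#!/bin/sh
# Added example: report which config file an OpenVPN systemd template unit
# will try to open for a given instance. Only %i is expanded (assumption).

# resolve_config UNIT_FILE INSTANCE -> prints the path openvpn would open
resolve_config() {
    local unit="$1" inst="$2" exec_line workdir cd_dir config base
    exec_line=$(sed -n '/^ExecStart=/{p;q;}' "$unit")
    workdir=$(sed -n 's/^WorkingDirectory=//p' "$unit" | head -n 1)
    # Pull the argument that follows --cd and --config out of ExecStart.
    cd_dir=$(printf '%s\n' "$exec_line" | sed -n 's/.* --cd  *\([^ ]*\).*/\1/p')
    config=$(printf '%s\n' "$exec_line" | sed -n 's/.* --config  *\([^ ]*\).*/\1/p')
    [ -n "$config" ] || return 1
    config=$(printf '%s\n' "$config" | sed "s|%i|$inst|g")  # %i = instance name
    case $config in
        /*) printf '%s\n' "$config" ;;          # absolute: directories irrelevant
        *)  base="${cd_dir:-${workdir:-/}}"     # --cd wins over WorkingDirectory
            printf '%s/%s\n' "${base%/}" "$config" ;;
    esac
}

# check_unit ROOT UNIT_FILE INSTANCE -> "ok <path>" or "missing <path>"
# ROOT is a filesystem prefix ("" on a live host) so the check runs offline.
check_unit() {
    local root="$1" path
    path=$(resolve_config "$2" "$3") || { echo "unparsed $2"; return 2; }
    if [ -r "$root$path" ]; then echo "ok $path"; else echo "missing $path"; return 1; fi
}

# Constructed sample tree: the two ExecStart styles quoted in the thread,
# with the config stored under etc/openvpn/server/ as the comments describe.
make_sample() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/etc/openvpn/server" "$root/units"
    : > "$root/etc/openvpn/server/server.conf"
    printf '%s\n' '[Service]' \
        'ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf' \
        > "$root/units/openvpn@.service"
    printf '%s\n' '[Service]' 'WorkingDirectory=/etc/openvpn/server' \
        'ExecStart=/usr/sbin/openvpn --suppress-timestamps --config %i.conf' \
        > "$root/units/openvpn-server@.service"
    echo "$root"
}

root=$(make_sample)
check_unit "$root" "$root/units/openvpn@.service" server || true  # legacy unit
check_unit "$root" "$root/units/openvpn-server@.service" server   # upstream unit
rm -rf "$root"
```

On a live host, pass an empty ROOT and the unit file path shown on the Loaded: line of systemctl status; drop-in overrides of ExecStart are not taken into account.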