OpenVPN server.service fails to start

Followed the setup guide for a hardened VPN server here (https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/) but I get this failure when trying to start the services:

sudo systemctl status openvpn*
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: failed (Result: resources) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 812 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.sta

Dec 25 10:17:48 piholevpn1 systemd[1]: Starting OpenVPN connection to server...
Dec 25 10:17:49 piholevpn1 systemd[1]: openvpn@server.service: PID 857 read from file /run/openv
Dec 25 10:17:49 piholevpn1 systemd[1]: Failed to start OpenVPN connection to server.
Dec 25 10:17:49 piholevpn1 systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 25 10:17:49 piholevpn1 systemd[1]: openvpn@server.service: Failed with result 'resources'.

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
  Process: 950 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 950 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/openvpn.service

Dec 25 10:17:49 piholevpn1 systemd[1]: Starting OpenVPN service...
Dec 25 10:17:49 piholevpn1 systemd[1]: Started OpenVPN service.

Here’s the content of /etc/openvpn/server.conf

dev tun
persist-key
persist-tun
topology subnet
port 1194
proto udp
keepalive 10 120

# Location of certificate authority's cert.
ca /etc/openvpn/server/ca.crt

# Location of VPN server's TLS cert.
cert /etc/openvpn/server/server.crt

# Location of server's TLS key
key /etc/openvpn/server/server.key

# Location of DH parameter file.
dh /etc/openvpn/server/dhp4096.pem

# The VPN's address block starts here.
server 10.89.0.0 255.255.255.0

explicit-exit-notify 1

# Drop root privileges and switch to the `ovpn` user after startup.
user ovpn

# OpenVPN process is exclusive member of ovpn group.
group ovpn

# Cryptography options. We force these onto clients by
# setting them here and not in client.ovpn. See
# `openvpn --show-tls`, `openvpn --show-ciphers` and
# `openvpn --show-digests` for all supported options.
tls-crypt /etc/openvpn/server/ta.key
auth SHA512    # This needs to be in client.ovpn too though.
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC

# Logging options.
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log /var/log/openvpn.log
verb 3

Any ideas what my problem is?

7 Replies

What version of OpenVPN are you running?

@benjaminherrin Additionally, what operating system did you deploy onto the Linode?

Debian GNU/Linux 9.11 (stretch)

OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.08

You've specified your cipher suites in a format that is their official name.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

However, OpenSSL doesn't understand this format. Don't ask me why they chose to format things differently.

The OpenSSL-understood equivalents would be this:

DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
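
As an added example (not code from this thread, the Linode guide or the OpenVPN project), here is a small Python pre-start check that parses a server.conf, rewrites IANA-style tls-cipher names into the OpenSSL form described in the reply above, and reports any ca/cert/key/dh/tls-crypt file that does not exist; the sample config and the fake filesystem passed to `lint()` are constructed for the demonstration.

```python
"""Pre-start lint for an OpenVPN server.conf (constructed example)."""
import os
import re

# Directives whose argument is a file OpenVPN must be able to open at startup.
FILE_DIRECTIVES = ("ca", "cert", "key", "dh", "tls-crypt", "tls-auth")

# Constructed sample mirroring the cipher and file directives from the thread.
SAMPLE_CONF = """\
ca /etc/openvpn/server/ca.crt
dh /etc/openvpn/server/dhp4096.pem   # comment after a directive
tls-crypt /etc/openvpn/server/ta.key
auth SHA512
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
"""

def parse_conf(text):
    """Return (directive, args) pairs, dropping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries

def iana_to_openssl(name):
    """Translate TLS-DHE-RSA-WITH-AES-256-CBC-SHA256 into DHE-RSA-AES256-SHA256.
    Only the AES GCM/CBC suites used in the thread are covered; others pass through."""
    m = re.fullmatch(r"TLS-(.+)-WITH-AES-(128|256)-(GCM|CBC)-(SHA\d*)", name)
    if not m:
        return name
    kx, bits, mode, mac = m.groups()
    # OpenSSL keeps 'GCM' in the suite name but omits 'CBC'.
    return f"{kx}-AES{bits}-GCM-{mac}" if mode == "GCM" else f"{kx}-AES{bits}-{mac}"

def lint(text, exists=os.path.exists):
    """Return findings; `exists` is injectable so the check runs against a fake filesystem."""
    findings = []
    for directive, args in parse_conf(text):
        if not args:
            continue
        if directive in FILE_DIRECTIVES and not exists(args[0]):
            findings.append(f"{directive}: missing file {args[0]}")
        if directive == "tls-cipher":
            fixed = ":".join(iana_to_openssl(c) for c in args[0].split(":"))
            if fixed != args[0]:
                findings.append(f"tls-cipher: OpenSSL form would be {fixed}")
    return findings
```

Run `lint(open("/etc/openvpn/server.conf").read())` on the real host to compare the reported names against the output of `openvpn --show-tls` before restarting the unit.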

The server conf text is exactly what is given in Linode’s guide that I linked to above. I did try that change but got the same error. 🤔

Okay, let me dig into it for a bit and get back to you. :)

Actually idk why I’m making more work for myself, I’m just going to deploy a one click Debian server with OpenVPN preinstalled. 😂 thanks for your help @hyperlumic and I hope you have a great holiday!
