OpenVPN server.service fails to start
Followed the setup guide for a hardened VPN server here (https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/) but I get this failure when trying to start the services:
    sudo systemctl status openvpn*
    ● [email protected] - OpenVPN connection to server
       Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
       Active: failed (Result: resources) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
         Docs: man:openvpn(8)
               https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
               https://community.openvpn.net/openvpn/wiki/HOWTO
      Process: 812 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.sta

    Dec 25 10:17:48 piholevpn1 systemd: Starting OpenVPN connection to server...
    Dec 25 10:17:49 piholevpn1 systemd: [email protected]: PID 857 read from file /run/openv
    Dec 25 10:17:49 piholevpn1 systemd: Failed to start OpenVPN connection to server.
    Dec 25 10:17:49 piholevpn1 systemd: [email protected]: Unit entered failed state.
    Dec 25 10:17:49 piholevpn1 systemd: [email protected]: Failed with result 'resources'.

    ● openvpn.service - OpenVPN service
       Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
       Active: active (exited) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
      Process: 950 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
     Main PID: 950 (code=exited, status=0/SUCCESS)
        Tasks: 0 (limit: 4915)
       CGroup: /system.slice/openvpn.service

    Dec 25 10:17:49 piholevpn1 systemd: Starting OpenVPN service...
    Dec 25 10:17:49 piholevpn1 systemd: Started OpenVPN service.
    lines 1-24/24 (END)
Here’s the content of /etc/openvpn/server.conf
    dev tun
    persist-key
    persist-tun
    topology subnet
    port 1194
    proto udp
    keepalive 10 120

    # Location of certificate authority's cert.
    ca /etc/openvpn/server/ca.crt

    # Location of VPN server's TLS cert.
    cert /etc/openvpn/server/server.crt

    # Location of server's TLS key
    key /etc/openvpn/server/server.key

    # Location of DH parameter file.
    dh /etc/openvpn/server/dhp4096.pem

    # The VPN's address block starts here.
    server 10.89.0.0 255.255.255.0

    explicit-exit-notify 1

    # Drop root privileges and switch to the `ovpn` user after startup.
    user ovpn

    # OpenVPN process is exclusive member of ovpn group.
    group ovpn

    # Cryptography options. We force these onto clients by
    # setting them here and not in client.ovpn. See
    # `openvpn --show-tls`, `openvpn --show-ciphers` and
    # `openvpn --show-digests` for all supported options.
    tls-crypt /etc/openvpn/server/ta.key
    auth SHA512    # This needs to be in client.ovpn too though.
    tls-version-min 1.2
    tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    ncp-ciphers AES-256-GCM:AES-256-CBC

    # Logging options.
    ifconfig-pool-persist ipp.txt
    status openvpn-status.log
    log /var/log/openvpn.log
    verb 3
Any ideas what my problem is?
Debian GNU/Linux 9.11 (stretch)
OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.08
You've specified your cipher suites in a format that is their official name.
However, OpenSSL doesn't understand this format. Don't ask me why they chose to format things differently.
The OpenSSL-understood equivalents would be this:
The server conf text is exactly what is given in Linode’s guide that I linked to above. I did try that change but got the same error. 🤔
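
A pre-start check for a config like the one posted above, added here as an example and not part of the thread or of Linode's guide: it parses the file-referencing directives (ca, cert, key, dh, tls-crypt) and reports paths that cannot be stat'ed and secret files readable by group or other. The function names, the `root` parameter and the sample excerpt are constructed for illustration, absolute paths are assumed, and the check does not by itself diagnose the 'resources' failure.

```python
import errno
import os
import stat
import sys

# Directives from the posted server.conf that name a file on disk.
FILE_DIRECTIVES = {"ca", "cert", "key", "dh", "tls-crypt"}
# Of those, the ones that hold secret key material.
SECRET_DIRECTIVES = {"key", "tls-crypt"}

# Constructed excerpt of the config shown in the question.
SAMPLE_CONF = """\
# Location of certificate authority's cert.
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key
dh /etc/openvpn/server/dhp4096.pem
tls-crypt /etc/openvpn/server/ta.key
auth SHA512    # This needs to be in client.ovpn too though.
"""

def parse_directives(conf_text):
    """Yield (directive, args) for each non-comment line of the config."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop whole-line and trailing comments
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        yield name, args

def check_config(conf_text, root="/"):
    """Return (directive, path, problem) findings; root lets tests use a temp tree."""
    findings = []
    for name, args in parse_directives(conf_text):
        if name not in FILE_DIRECTIVES or not args:
            continue
        path = os.path.join(root, args[0].lstrip("/"))
        try:
            mode = os.stat(path).st_mode
        except OSError as exc:                 # e.g. ENOENT, EACCES
            findings.append((name, args[0], errno.errorcode.get(exc.errno, "EUNKNOWN")))
            continue
        if name in SECRET_DIRECTIVES and stat.S_IMODE(mode) & 0o077:
            findings.append((name, args[0], "readable by group/other"))
    return findings

if __name__ == "__main__":
    with open(sys.argv[1]) as fh:              # e.g. /etc/openvpn/server.conf
        for finding in check_config(fh.read()):
            print(*finding, sep=": ")
```

Run it as root with the config path as the only argument, since the key files should not be readable by an ordinary user.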