OpenVPN server.service fails to start

Followed the setup guide for a hardened VPN server here (https://www.linode.com/docs/networking/vpn/set-up-a-hardened-openvpn-server/) but I get this failure when trying to start the services:

sudo systemctl status openvpn*● [email protected] - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/[email protected]; disabled; vendor preset: enabled)
   Active: failed (Result: resources) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 812 ExecStart=/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.sta

Dec 25 10:17:48 piholevpn1 systemd[1]: Starting OpenVPN connection to server...
Dec 25 10:17:49 piholevpn1 systemd[1]: [email protected]: PID 857 read from file /run/openv
Dec 25 10:17:49 piholevpn1 systemd[1]: Failed to start OpenVPN connection to server.
Dec 25 10:17:49 piholevpn1 systemd[1]: [email protected]: Unit entered failed state.
Dec 25 10:17:49 piholevpn1 systemd[1]: [email protected]: Failed with result 'resources'.

● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Wed 2019-12-25 10:17:49 EST; 1h 56min ago
  Process: 950 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 950 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/openvpn.service

Dec 25 10:17:49 piholevpn1 systemd[1]: Starting OpenVPN service...
Dec 25 10:17:49 piholevpn1 systemd[1]: Started OpenVPN service.
lines 1-24/24 (END)

Here’s the content of /etc/openvpn/server.conf

dev tun
persist-key
persist-tun
topology subnet
port 1194
proto udp
keepalive 10 120

# Location of certificate authority's cert.
ca /etc/openvpn/server/ca.crt

# Location of VPN server's TLS cert.
cert /etc/openvpn/server/server.crt

# Location of server's TLS key
key /etc/openvpn/server/server.key

# Location of DH parameter file.
dh /etc/openvpn/server/dhp4096.pem

# The VPN's address block starts here.
server 10.89.0.0 255.255.255.0

explicit-exit-notify 1

# Drop root privileges and switch to the `ovpn` user after startup.
user ovpn

# OpenVPN process is exclusive member of ovpn group.
group ovpn

# Cryptography options. We force these onto clients by
# setting them here and not in client.ovpn. See
# `openvpn --show-tls`, `openvpn --show-ciphers` and
#`openvpn --show-digests` for all supported options.
tls-crypt /etc/openvpn/server/ta.key
auth SHA512    # This needs to be in client.ovpn too though.
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
ncp-ciphers AES-256-GCM:AES-256-CBC

# Logging options.
ifconfig-pool-persist ipp.txt
status openvpn-status.log
log /var/log/openvpn.log
verb 3

Any ideas what my problem is?

7 Replies

What version of OpenVPN are you running?

@benjaminherrin Additionally, what operating system did you deploy onto the Linode?

Debian GNU/Linux 9.11 (stretch)

OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019
library versions: OpenSSL 1.0.2t 10 Sep 2019, LZO 2.08

You've specified your cipher suites in a format that is their official name.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

However, OpenSSL doesn't understand this format. Don't ask me why they chose to format things differently.

The OpenSSL-understood equivalents would be this:

DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256

The server conf text is exactly what is given in Linode’s guide that I liked to above. I did try that change but got the same error. 🤔

Okay, let me dig into it for a bit and get back to you. :)

Actually idk why I’m making more work for myself, I’m just going to deploy a one click Debian server with OpenVPN preinstalled. 😂 thanks for your help @hyperlumic and I hope you have a great holiday!

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct