Hi forum!
Unfortunately I cannot find why this is happening; I had it working in my previous setup, but probably I'm overlooking a smallie somewhere. Here are the details of my setup:
Proxmox: 6.2-4
LXC Container: Debian 10.4
Unprivileged Container: No (checkbox removed during creation)
Container config: /etc/pve/nodes/proxmox/lxc/100.conf
Added 2 lines at the end of the conf-file:
```
arch: amd64
cores: 2
hostname: OpenVPN
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=26:52:40:FF:1C:7F,ip=192.168.1.100/24,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=2G
swap: 2048
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
```
OpenVPN Client: auto-login (The client does not require login details)
Copied working `server2server.ovpn` file to `/etc/openvpn/server.server.conf`
OpenVPN Service status:
```
* openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-05-22 16:36:57 UTC; 51s ago
  Process: 585 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 585 (code=exited, status=0/SUCCESS)

May 22 16:36:57 OpenVPN systemd[1]: Starting OpenVPN service...
May 22 16:36:57 OpenVPN systemd[1]: Started OpenVPN service.
```
So the service does not load, but manual starting works:
root@OpenVPN:~# `openvpn --config /etc/openvpn/server2server.conf`
With this manual command, the tunnel gets established without problem:
```
root@OpenVPN:~# openvpn --config /etc/openvpn/server2server.conf
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]217.160.xx.yyy:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]217.160.xx.yyy:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:443
Socket Buffers: R=[131072->131072] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]217.160.xx.yyy:443 [nonblock]
TCP connection established with [AF_INET]217.160.xx.yyy:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]217.160.xx.yyy:443
TLS: Initial packet from [AF_INET]217.160.xx.yyy:443, sid=95f7491a 37beea56
VERIFY OK: depth=1, CN=OpenVPN CA
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, CN=OpenVPN Server
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
[OpenVPN Server] Peer Connection Initiated with [AF_INET]217.160.xx.yyy:443
SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,socket-flags TCP_NODELAY,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.10.10.1,dhcp-option DNS 212.227.123.16,dhcp-option DNS 212.227.123.17,register-dns,block-ipv6,ifconfig 10.10.10.10 255.255.255.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.7)
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
OPTIONS IMPORT: compression parms modified
OPTIONS IMPORT: --socket-flags option modified
Socket flags: TCP_NODELAY=1 succeeded
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1627
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=26:52:40:ff:1c:7f
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.10.10.10/24 broadcast 10.10.10.255
ROUTE remote_host is NOT LOCAL
/sbin/ip route add 217.160.xx.yyy/32 via 192.168.1.1
/sbin/ip route add 0.0.0.0/1 via 10.10.10.1
/sbin/ip route add 128.0.0.0/1 via 10.10.10.1
Initialization Sequence Completed
```
What am I overlooking to get this to start automatically at boot by systemd?