OpenVPN client - Can start manually in container but start as service fails

Woodworker_Life

Hi forum!

Unfortunately I cannot find why this is happening; I had it working in my previous setup, but probably I'm overlooking a smallie somewhere. Here are the details of my setup:

Proxmox: 6.2-4
LXC Container: Debian 10.4
Unprivileged Container: No (checkbox removed during creation)

Container config: /etc/pve/nodes/proxmox/lxc/100.conf
Added 2 lines at the end of the conf-file:
Code:
arch: amd64
cores: 2
hostname: OpenVPN
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=26:52:40:FF:1C:7F,ip=192.168.1.100/24,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=2G
swap: 2048
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
OpenVPN Client: auto-login (The client does not require login details)

Copied working `server2server.ovpn` file to `/etc/openvpn/server2server.conf`

OpenVPN Service status:
Code:
* openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-05-22 16:36:57 UTC; 51s ago
  Process: 585 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 585 (code=exited, status=0/SUCCESS)

May 22 16:36:57 OpenVPN systemd[1]: Starting OpenVPN service...
May 22 16:36:57 OpenVPN systemd[1]: Started OpenVPN service.
So the service does not load, but manual starting works:

root@OpenVPN:~# openvpn --config /etc/openvpn/server2server.conf

With this manual command, the tunnel gets established without problem:

root@OpenVPN:~# openvpn --config /etc/openvpn/server2server.conf
OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]217.160.xx.yyy:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:1194
Socket Buffers: R=[212992->212992] S=[212992->212992]
UDP link local: (not bound)
UDP link remote: [AF_INET]217.160.xx.yyy:1194
Server poll timeout, restarting
SIGUSR1[soft,server_poll] received, process restarting
WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]217.160.xx.yyy:443
Socket Buffers: R=[131072->131072] S=[16384->16384]
Attempting to establish TCP connection with [AF_INET]217.160.xx.yyy:443 [nonblock]
TCP connection established with [AF_INET]217.160.xx.yyy:443
TCP_CLIENT link local: (not bound)
TCP_CLIENT link remote: [AF_INET]217.160.xx.yyy:443
TLS: Initial packet from [AF_INET]217.160.xx.yyy:443, sid=95f7491a 37beea56
VERIFY OK: depth=1, CN=OpenVPN CA
VERIFY OK: nsCertType=SERVER
VERIFY OK: depth=0, CN=OpenVPN Server
Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
[OpenVPN Server] Peer Connection Initiated with [AF_INET]217.160.xx.yyy:443
SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,socket-flags TCP_NODELAY,compress stub-v2,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 10.10.10.1,dhcp-option DNS 212.227.123.16,dhcp-option DNS 212.227.123.17,register-dns,block-ipv6,ifconfig 10.10.10.10 255.255.255.0,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM'
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:4: dhcp-pre-release (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:5: dhcp-renew (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:6: dhcp-release (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:18: register-dns (2.4.7)
Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:19: block-ipv6 (2.4.7)
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
OPTIONS IMPORT: timers and/or timeouts modified
OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
OPTIONS IMPORT: compression parms modified
OPTIONS IMPORT: --socket-flags option modified
Socket flags: TCP_NODELAY=1 succeeded
OPTIONS IMPORT: --ifconfig/up options modified
OPTIONS IMPORT: route options modified
OPTIONS IMPORT: route-related options modified
OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
OPTIONS IMPORT: peer-id set
OPTIONS IMPORT: adjusting link_mtu to 1627
OPTIONS IMPORT: data channel crypto options modified
Data Channel: using negotiated cipher 'AES-256-GCM'
Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=eth0 HWADDR=26:52:40:ff:1c:7f
TUN/TAP device tun0 opened
TUN/TAP TX queue length set to 100
/sbin/ip link set dev tun0 up mtu 1500
/sbin/ip addr add dev tun0 10.10.10.10/24 broadcast 10.10.10.255
ROUTE remote_host is NOT LOCAL
/sbin/ip route add 217.160.xx.yyy/32 via 192.168.1.1
/sbin/ip route add 0.0.0.0/1 via 10.10.10.1
/sbin/ip route add 128.0.0.0/1 via 10.10.10.1
Initialization Sequence Completed


What am I overlooking to get this to start automatically at boot by systemd?

Woodworker_Life

Solved it.

First I did the following 3 steps with the setup above:
1) I set up the openvpn service manually: `systemctl enable openvpn@server2server.service` (after I had copied the server2server.ovpn file to /etc/openvpn/server2server.conf)
2) Reloading the daemon: `systemctl daemon-reload`
3) Starting the service: `service openvpn@server2server start`

This still resulted in the error message:
openvpn@server2server.service: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied

It seems we need to enable nesting so we can run other container runtimes underneath it; I added 1 line to /etc/pve/nodes/proxmox/lxc/100.conf:
Code:
arch: amd64
cores: 2
hostname: OpenVPN
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=26:52:40:FF:1C:7F,ip=192.168.1.100/24,ip6=dhcp,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=2G
swap: 2048
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
features: nesting=1
Now I was able to start the service, and it also persists after an lxc-reboot:
`service openvpn@server2server start`
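The two posts above hinge on three things: the plain `openvpn.service` unit is only an umbrella (its ExecStart is `/bin/true`, which is why it shows `active (exited)` and starts no tunnel), the real work is done by the `openvpn@<name>` template that looks for `/etc/openvpn/<name>.conf`, and that template carries systemd sandboxing directives which need a private mount namespace, so inside a container without nesting it dies with `Failed at step NAMESPACE`. The following diagnostic script is an added example, not code from the thread or from the Proxmox or OpenVPN projects. It assumes a GNU or BusyBox `stat`, and the unit text it checks in the demo is constructed here, modelled on the Debian `openvpn@.service` layout rather than copied from it.

```shell
#!/bin/sh
# Added diagnostic helper for OpenVPN-in-LXC setups like the one in this thread.
# Not from the thread, Proxmox or OpenVPN; the unit text in demo() is constructed.

# Map an OpenVPN config path to the systemd instance the openvpn@ template runs:
#   /etc/openvpn/server2server.conf -> openvpn@server2server
unit_for_config() {
    printf 'openvpn@%s\n' "$(basename "$1" .conf)"
}

# Verify the node the lxc.hook.autodev line is supposed to create: a character
# device with major 10, minor 200. stat prints major:minor in hex, so "a:c8".
check_tun_node() {
    dev=${1:-/dev/net/tun}
    [ -c "$dev" ] || return 1
    [ "$(stat -c '%t:%T' "$dev" 2>/dev/null)" = "a:c8" ]
}

# List the [Service] directives in a unit file that make systemd build a private
# mount namespace for the process. When the container may not create mount
# namespaces, the unit fails "at step NAMESPACE ... Permission denied".
# Output: the distinct directive names on one line, sorted, space separated.
namespace_directives() {
    grep -E '^(ProtectSystem|ProtectHome|PrivateTmp|PrivateDevices|ProtectKernelTunables|ProtectControlGroups|ReadWritePaths|ReadOnlyPaths|InaccessiblePaths|TemporaryFileSystem|BindPaths|BindReadOnlyPaths)=' "$1" \
        | cut -d= -f1 | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# Alternative to "features: nesting=1": leave the container alone and relax only
# the directives found above with a drop-in, so the unit no longer asks for a
# private mount namespace. Boolean directives are switched off, path lists are
# emptied. Prints the drop-in body; install it with
#   mkdir -p /etc/systemd/system/openvpn@.service.d
#   drop_in_body $(namespace_directives /lib/systemd/system/openvpn@.service) \
#       > /etc/systemd/system/openvpn@.service.d/lxc.conf
#   systemctl daemon-reload
drop_in_body() {
    printf '[Service]\n'
    for d in "$@"; do
        case "$d" in
            Protect*|Private*) printf '%s=false\n' "$d" ;;
            *)                 printf '%s=\n' "$d" ;;
        esac
    done
}

# Demo on constructed input: needs neither systemd nor root.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[Unit]
Description=OpenVPN connection to %i

[Service]
Type=notify
PrivateTmp=true
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --cd /etc/openvpn --config /etc/openvpn/%i.conf
ProtectSystem=true
ProtectHome=true
EOF
    echo "unit to enable:       $(unit_for_config /etc/openvpn/server2server.conf)"
    found=$(namespace_directives "$tmp")
    echo "namespace directives: ${found:-none}"
    echo "drop-in to relax them:"
    drop_in_body $found
    if check_tun_node; then
        echo "/dev/net/tun:         ok (char 10:200)"
    else
        echo "/dev/net/tun:         missing or wrong major:minor"
    fi
    rm -f "$tmp"
}

demo
```

Both fixes trade something away: `features: nesting=1` on a privileged container exposes the host's procfs and sysfs contents to the guest, while the drop-in removes the filesystem hardening (`ProtectSystem`, `ProtectHome`, `PrivateTmp`) that systemd applies to the OpenVPN process. Running `namespace_directives` against the real unit first tells you exactly which directives are in play before choosing.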
 
