angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

[Bug]: openvpn-install fails to install on Arch Linux Arm #1025

Closed daniel071 closed 1 year ago

daniel071 commented 2 years ago

Make sure you check these beforehand!

Server OS

Arch Linux Arm

OpenVPN version

OpenVPN 2.5.7 [git:makepkg/a0f9a3e9404c8321+] armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 2 2022

Client

Linux arch linux arm 5.15.56-3-rpi-ARCH #1 SMP Fri Aug 12 04:20:40 MDT 2022 armv7l GNU/Linux

What is the bug?

Similar to https://github.com/angristan/openvpn-install/issues/420 and https://github.com/angristan/openvpn-install/issues/363. I've tried on multiple machines and I end up with the same error. On my previous install of Arch Linux Arm it worked without issues. I've tried copying the easyrsa binaries to the openvpn-install script location, however it still fails to generate keys and certs.

Relevant log output

--2022-08-19 07:33:43--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
The certificate has expired

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
./openvpn-install.sh: line 731: ./easyrsa: No such file or directory
./openvpn-install.sh: line 732: ./easyrsa: No such file or directory
./openvpn-install.sh: line 739: ./easyrsa: No such file or directory
./openvpn-install.sh: line 740: ./easyrsa: No such file or directory
2022-08-19 07:33:43 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
cp: cannot stat 'pki/ca.crt': No such file or directory
cp: cannot stat 'pki/private/ca.key': No such file or directory
cp: cannot stat 'pki/issued/server_mFlb9YE2ASgfQNe5.crt': No such file or directory
cp: cannot stat 'pki/private/server_mFlb9YE2ASgfQNe5.key': No such file or directory
cp: cannot stat '/etc/openvpn/easy-rsa/pki/crl.pem': No such file or directory
chmod: cannot access '/etc/openvpn/crl.pem': No such file or directory
* Applying /usr/lib/sysctl.d/10-arch.conf ...
fs.inotify.max_user_instances = 1024
fs.inotify.max_user_watches = 524288
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
kernel.core_pipe_limit = 16
fs.suid_dumpable = 2
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
sysctl: setting key "net.ipv4.conf.all.rp_filter": Invalid argument
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service -> /etc/systemd/system/openvpn-server@.service.
Job for openvpn-server@server.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server.service" and "journalctl -xeu openvpn-server@server.service" for details.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service -> /etc/systemd/system/iptables-openvpn.service.

$ sudo systemctl status openvpn-server@server.service
* openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/etc/systemd/system/openvpn-server@.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2022-08-19 07:41:25 UTC; 3s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 2380 ExecStart=/usr/bin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf (code=exited, status=1/FAILURE)
   Main PID: 2380 (code=exited, status=1/FAILURE)
        CPU: 132ms

Aug 19 07:41:25 alarmpi systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Aug 19 07:41:25 alarmpi systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
Aug 19 07:41:25 alarmpi systemd[1]: Failed to start OpenVPN service for server.
Aug 19 07:41:30 alarmpi systemd[1]: openvpn-server@server.service: Scheduled restart job, restart counter is at 82.
Aug 19 07:41:30 alarmpi systemd[1]: Stopped OpenVPN service for server.
Aug 19 07:41:30 alarmpi systemd[1]: Starting OpenVPN service for server...
Aug 19 07:41:31 alarmpi openvpn[2397]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 19 07:41:31 alarmpi openvpn[2397]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --cert fails with 'server_mFlb9YE2ASgfQNe5.crt': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: WARNING: cannot stat file 'server_mFlb9YE2ASgfQNe5.key': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --key fails with 'server_mFlb9YE2ASgfQNe5.key': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --crl-verify fails with 'crl.pem': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: Please correct these errors.
Aug 19 07:41:31 alarmpi openvpn[2397]: Use --help for more information.
Aug 19 07:41:31 alarmpi systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Aug 19 07:41:31 alarmpi systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
Aug 19 07:41:31 alarmpi systemd[1]: Failed to start OpenVPN service for server.
Aug 19 07:41:36 alarmpi systemd[1]: openvpn-server@server.service: Scheduled restart job, restart counter is at 83.
Aug 19 07:41:36 alarmpi systemd[1]: Stopped OpenVPN service for server.
Aug 19 07:41:36 alarmpi systemd[1]: Starting OpenVPN service for server...
Aug 19 07:41:38 alarmpi openvpn[2408]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 19 07:41:38 alarmpi openvpn[2408]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 19 07:41:38 alarmpi openvpn[2408]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Aug 19 07:41:38 alarmpi openvpn[2408]: Options error: --cert fails with 'server_mFlb9YE2ASgfQNe5.crt': No such file or directory (errno=2)
luntik2012 commented 2 years ago

similar on archlinux, 4553dd9c2181bc086975fd5c8e4bc56ba332a3e7:

Aug 25 10:31:12 pc systemd[1]: Starting OpenVPN service for server...
░░ Subject: A start job for unit openvpn-server@server.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit openvpn-server@server.service has begun execution.
░░ 
░░ The job identifier is 4587.
Aug 25 10:31:12 pc openvpn[2337]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 25 10:31:12 pc openvpn[2337]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 25 10:31:12 pc openvpn[2337]: Options error: --ca fails with 'ca.crt': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --cert fails with 'server_XUP4y8fvCc3kylnb.crt': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --key fails with 'server_XUP4y8fvCc3kylnb.key': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: Please correct these errors.
Aug 25 10:31:12 pc openvpn[2337]: Use --help for more information.
Aug 25 10:31:12 pc systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Rijul-A commented 1 year ago

I had the same issue. The client device could not connect to the server with this error: "SIGUSR1[soft,connection-reset] received, process restarting", because the server hadn't properly started. I fixed it using these commands, run as root.

# the CA file is ca.crt (the name server.conf and the log above use), not ca.cert
chown openvpn:network /etc/openvpn/ca.crt
chown openvpn:network /etc/openvpn/server_*
chown -R openvpn:network /var/log/openvpn
angristan commented 1 year ago

The "The certificate has expired" error looks like a CA issue on your system :)

angristan commented 1 year ago

As for @Rijul-A's errors, see https://github.com/angristan/openvpn-install/issues/788

daniel071 commented 1 year ago

I have finally figured out how to solve my issues.

I had to change /etc/iptables/add-openvpn-rules.sh and /etc/iptables/rm-openvpn-rules.sh from

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 3333 -j ACCEPT

to

#!/bin/sh
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o end0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i end0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o end0 -j ACCEPT
iptables -D INPUT -i end0 -p udp --dport 3333 -j ACCEPT

And I had to change the owner and group of /etc/openvpn to openvpn:network so that the files would load correctly.

Then run systemctl restart iptables-openvpn and systemctl restart openvpn-server@server.
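A pre-flight check for the two failure modes in this thread (a stale interface name in the iptables rule scripts, and server files the openvpn service user cannot read), added here as an example; it is not part of openvpn-install or of any commenter's fix. It assumes openvpn-install's Arch layout (/etc/openvpn/server.conf, /etc/iptables/add-openvpn-rules.sh, service user openvpn:network), GNU grep for the interface detection, and the standard ls -ld field order; check_rules_nic, check_readable, conf_files and default_nic are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of openvpn-install. check_rules_nic flags -i/-o
# interface names in a rule script that differ from the default-route NIC
# (eth0 vs end0 in this thread); check_readable flags files the service user
# cannot read, judged from owner/group/mode only (supplementary groups and
# directory traversal are ignored). Paths below assume the Arch layout.

# Usage: check_rules_nic SCRIPT NIC  -> returns 1 and reports stale names
check_rules_nic() {
    bad=$(grep -oE -- '-[io] [A-Za-z0-9_.:-]+' "$1" | awk '{print $2}' |
          grep -v '^tun' | grep -vx "$2" | sort -u)
    [ -z "$bad" ] && return 0
    printf 'stale interface in %s: %s (default route uses %s)\n' \
        "$1" "$(printf '%s' "$bad" | tr '\n' ' ')" "$2"
    return 1
}

# Usage: check_readable DIR USER GROUP FILE...  (relative FILEs resolve under DIR)
check_readable() {
    dir=$1 user=$2 group=$3 rc=0
    shift 3
    for f in "$@"; do
        case $f in /*) path=$f ;; *) path=$dir/$f ;; esac
        if [ ! -e "$path" ]; then printf 'missing: %s\n' "$path"; rc=1; continue; fi
        set -- $(ls -ld "$path")            # perms links owner group ...
        perms=$1 owner=$3 grp=$4
        if   [ "$owner" = "$user" ]; then pos=2   # owner read bit
        elif [ "$grp" = "$group" ];  then pos=5   # group read bit
        else                              pos=8   # world read bit
        fi
        if [ "$(printf '%s' "$perms" | cut -c$pos)" != r ]; then
            printf 'unreadable by %s:%s: %s (%s %s:%s)\n' \
                "$user" "$group" "$path" "$perms" "$owner" "$grp"
            rc=1
        fi
    done
    return $rc
}

# Files a server.conf makes the daemon open at startup (the ones in the log above).
conf_files() { awk '$1 ~ /^(ca|cert|key|crl-verify|status)$/ {print $2}' "$1"; }

# Default-route interface, detected the same way openvpn-install detects it (GNU grep).
default_nic() { ip -4 route ls | grep default | grep -Po '(?<=dev )(\S+)' | head -1; }

# Against a live host: sh check.sh run
if [ "${1:-}" = run ]; then
    check_rules_nic /etc/iptables/add-openvpn-rules.sh "$(default_nic)"
    check_readable /etc/openvpn openvpn network $(conf_files /etc/openvpn/server.conf)
fi
```

Run it before restarting iptables-openvpn and openvpn-server@server; a non-zero exit with its report points at which of the two fixes from this thread still applies.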