angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

[Bug]: Cannot pre-load keyfile (tls-crypt.key) #1057

Open luntik2012 opened 2 years ago

luntik2012 commented 2 years ago

Make sure you check these beforehand!

Server OS

archlinux

OpenVPN version

2.5.8

Client

No response

What is the bug?

openvpn-server@.service failure

Relevant log output

```
Nov 04 12:27:07 myserver systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Nov 04 12:27:07 myserver systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
Nov 04 12:27:07 myserver systemd[1]: Failed to start OpenVPN service for server.
```

```sh
$ pwd
/etc/openvpn
$ sudo -H -u openvpn /usr/bin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf
Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Cannot pre-load keyfile (tls-crypt.key)
Exiting due to fatal error
```

llamich commented 2 years ago

I have the same problem since last month...

purum-pum-pum commented 1 year ago

I have the same problem too. Ubuntu 22.04

I have built openvpn from /master to get DCO support. It works fine when started as a process (sudo openvpn --config), but I can't start it as a service.

My configuration for building: configure --enable-dco --disable-lz4 --disable-lzo --enable-systemd

andreagobetti commented 1 year ago

I'm facing the same problem, fresh install on Debian 11.6, installed using the default configuration:

```
systemd[1]: Starting OpenVPN connection to server...
ovpn-server[17044]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
ovpn-server[17044]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
ovpn-server[17044]: Cannot pre-load keyfile (tls-crypt.key)
ovpn-server[17044]: Exiting due to fatal error
systemd[1]: openvpn@server.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: openvpn@server.service: Failed with result 'exit-code'
```

seinmon commented 1 year ago

Have you tried changing the address of tls-crypt.key (in /etc/openvpn/server.conf) to /etc/openvpn/tls-crypt.key?

hartmanshk commented 1 year ago

I have the same issue here on Debian 11.6. tls-crypt.key is missing in /etc/openvpn/

TheZuna commented 1 year ago

Debian GNU/Linux 11 (bullseye) same error

1s0n commented 1 year ago

You can fix this by moving /etc/openvpn/tls-crypt.key to /etc/openvpn/server/tls-crypt.key, and the rest of the files ending in .key, .pem, and .crt in /etc/openvpn into the /etc/openvpn/server folder.

I'll try to make a fix for it.

TinCanTech commented 1 year ago

If the TLS-Crypt key is missing or in the wrong place then the error is:

Options error: --tls-crypt fails with 'tls-crypt.key': No such file or directory (errno=2)

To understand what the error Cannot pre-load keyfile (tls-crypt.key) means, it would be useful to see the key-file in question.

I have just tested the script on Debian-11 and it works correctly.
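
One way to inspect the key file without pasting the secret into a public issue, as an added example that is not part of the thread or of the openvpn-install project: the function below checks that the file exists, is readable by the current user, and has the static key layout that `openvpn --genkey` writes. The function name `check_static_key` and its messages and return codes are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): structural check of an OpenVPN static
# key file such as tls-crypt.key. It reports on the file's shape and never
# prints key material. check_static_key is an illustrative name.
check_static_key() {
    key=$1
    begin='-----BEGIN OpenVPN Static key V1-----'
    end='-----END OpenVPN Static key V1-----'

    if [ ! -e "$key" ]; then
        echo "missing: $key (cwd: $(pwd))"
        return 2
    fi
    if [ ! -r "$key" ]; then
        echo "not readable by user $(id -un): $key"
        return 3
    fi
    # Normalise CRLF line endings before matching the markers.
    body=$(tr -d '\r' < "$key")
    if ! printf '%s\n' "$body" | grep -qxF -e "$begin" ||
       ! printf '%s\n' "$body" | grep -qxF -e "$end"; then
        echo "BEGIN/END 'OpenVPN Static key V1' markers not found: $key"
        return 4
    fi
    # Collect only the hex payload between the two markers.
    hex=$(printf '%s\n' "$body" |
        sed -n '/^-----BEGIN/,/^-----END/p' | grep -v '^-----' | tr -d ' \t\n')
    case $hex in
        *[!0-9a-fA-F]*)
            echo "non-hex characters in key body: $key"
            return 5 ;;
    esac
    # A key written by openvpn --genkey holds 2048 bits = 512 hex characters.
    if [ "${#hex}" -ne 512 ]; then
        echo "expected 512 hex characters, found ${#hex}: $key"
        return 5
    fi
    echo "ok: $key has the static key layout and is readable by $(id -un)"
}
```

Run it as the account the service uses and from the directory the service starts in, because a relative `tls-crypt.key` path in server.conf resolves against the working directory.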

peter2233finn commented 1 year ago

I had the same problem here. A workaround is to copy the key files from /etc/openvpn to /etc/openvpn/easy-rsa/pki/

cp /etc/openvpn/*.key /etc/openvpn/easy-rsa/pki/

viplike commented 2 months ago

For those who use Ubuntu 22.10 on DigitalOcean: in my case the reason was the use of new repositories that are not supported / not found for some reason (404). The solution is:

```sh
# remove current openvpn, enter the command and select option #3
./openvpn-install.sh

# replace all instances of http://mirrors.digitalocean.com/ubuntu with http://old-releases.ubuntu.com/ubuntu
# in the next file
sudo nano /etc/apt/sources.list

# update packages
sudo apt-get update

# optional, but I usually also do it
sudo apt-get upgrade

# reinstall openvpn
./openvpn-install.sh
```

SaranKumar2727 commented 2 months ago

Did any of the above approaches work? B/c I have tried everything but the error still pops up... (Ubuntu 22.04.5)