angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

openvpn-server@server.service failed because the control process exited with error code. #1214

Open haggar11 opened 5 months ago

haggar11 commented 5 months ago

Hello

Running the latest version of the script on Debian (debian-12.5.0-amd64). Script run with all default settings except for the port; the port is free on the system. Unable to start OpenVPN: Job for openvpn-server@server.service failed because the control process exited with error code.

"journalctl -xe" showing:

```
Mar 25 20:48:41 MN openvpn[184094]: Options error: In [CMD-LINE]:1: Error opening configuration file: server.conf
Mar 25 20:48:41 MN openvpn[184094]: Use --help for more information.
Mar 25 20:48:41 MN systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit openvpn-server@server.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Mar 25 20:48:41 MN systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit openvpn-server@server.service has entered the 'failed' state with result 'exit-code'.
Mar 25 20:48:41 MN systemd[1]: Failed to start OpenVPN service for server.
░░ Subject: A start job for unit openvpn-server@server.service has failed
```

In other places it is showing "error opening configuration file". Nothing has been done manually; all of it was done by the script.

Any help?

Regards

Hassan

roda37 commented 4 months ago

Getting the same issue here, failing with:

```
Options error: --cert fails with 'redacted.crt': Permission denied (errno=13)
Options error: --key fails with 'redacted.key': Permission denied (errno=13)
Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
Options error: Please correct these errors.
```

There is a simple solution to this problem:

```
sudo chown -R openvpn:network /etc/openvpn/*
```

If it doesn't work, do this:

```
sudo chown -R openvpn:network /etc/openvpn/client /etc/openvpn/server /var/log/openvpn
```

arthuradriaens-code commented 4 months ago

I have the same issue on arch with only the default options

dreamhunt commented 3 months ago

Same here on Arch Linux. I tried everything, even downgrading OpenVPN, with no success. `sudo chown -R openvpn:network /etc/openvpn/*` and `sudo chown -R openvpn:network /etc/openvpn/client /etc/openvpn/server /var/log/openvpn` don't help.

mozo78 commented 3 months ago

The problem is here on a clean Arch installation. I can't find a way to fix it. I installed Linux Mint and it's working fine. Very strange...

mozo78 commented 3 months ago

When I start it like this:

```
/usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server/server.conf --writepid /run/openvpn/server.pid
```

I'm getting the following error:

```
/usr/sbin/openvpn --status /run/openvpn/server.status 10 --cd /etc/openvpn --config /etc/openvpn/server.conf --writepid /run/openvpn/server.pid
2024-05-01 14:29:06 Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
2024-05-01 14:29:06 Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
2024-05-01 14:29:06 Cannot pre-load keyfile (tls-crypt.key)
2024-05-01 14:29:06 Exiting due to fatal error
```

I tried different solutions from the web for the "Cannot pre-load keyfile (tls-crypt.key)" error but nothing helps.

If I start it with `openvpn /etc/openvpn/server.conf` the error is still the same.

mozo78 commented 3 months ago

Just installed Manjaro - still the same error.

antonpetrovmain commented 3 months ago

I had a similar issue with the tls-crypt.key file and have modified the /etc/openvpn/server.conf file to use absolute paths to some of the files:

```
tls-crypt /etc/openvpn/tls-crypt.key
crl-verify /etc/openvpn/crl.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server_e9LLheSv4mJSsRCx.crt
key /etc/openvpn/server_e9LLheSv4mJSsRCx.key
```

mozo78 commented 3 months ago

> I had a similar issue with the tls-crypt.key file and have modified the /etc/openvpn/server.conf file to use absolute paths to some of the files:
>
> ```
> tls-crypt /etc/openvpn/tls-crypt.key
> crl-verify /etc/openvpn/crl.pem
> ca /etc/openvpn/ca.crt
> cert /etc/openvpn/server_e9LLheSv4mJSsRCx.crt
> key /etc/openvpn/server_e9LLheSv4mJSsRCx.key
> ```

Thank you, but it doesn't work for me:

```
Job for openvpn-server@server.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server.service" and "journalctl -xeu openvpn-server@server.service" for details.
```

antonpetrovmain commented 3 months ago

Can you show me the latest error from:

journalctl -exu openvpn-server@server.service -n 50

antonpetrovmain commented 3 months ago

Here is my attempt for a workaround on Arch:

```
$ curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
$ chmod +x ./openvpn-install.sh
```

First remove any previous installation with the 3rd option. Then run the script again to install it:

$ sudo ./openvpn-install.sh

The only thing I am changing from the defaults is the custom port on which to have the vpn server listening.

I get this error, same as you do:

```
Job for openvpn-server@server.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server.service" and "journalctl -xeu openvpn-server@server.service" for details.
```

Then, I inspect the error:

```
[anton@archlinux ~]$ journalctl -u openvpn-server@server.service -n 15
May 28 19:39:32 archlinux systemd[1]: Failed to start OpenVPN service for server.
May 28 19:39:37 archlinux systemd[1]: openvpn-server@server.service: Scheduled restart job, restart counter is at 17.
May 28 19:39:37 archlinux systemd[1]: Starting OpenVPN service for server...
May 28 19:39:37 archlinux openvpn[23871]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
May 28 19:39:37 archlinux openvpn[23871]: Note: Treating option '--ncp-ciphers' as '--data-ciphers' (renamed in OpenVPN 2.5).
May 28 19:39:37 archlinux openvpn[23871]: Note: Kernel support for ovpn-dco missing, disabling data channel offload.
May 28 19:39:37 archlinux openvpn[23871]: Options error: --ca fails with 'ca.crt': Permission denied (errno=13)
May 28 19:39:37 archlinux openvpn[23871]: Options error: --cert fails with 'server_8asdf4cQb6LqDSmH.crt': Permission denied (errno=13)
May 28 19:39:37 archlinux openvpn[23871]: Options error: --key fails with 'server_8asdf4cQb6LqDSmH.key': Permission denied (errno=13)
May 28 19:39:37 archlinux openvpn[23871]: Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
May 28 19:39:37 archlinux openvpn[23871]: Options error: Please correct these errors.
May 28 19:39:37 archlinux openvpn[23871]: Use --help for more information.
May 28 19:39:37 archlinux systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
May 28 19:39:37 archlinux systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
May 28 19:39:37 archlinux systemd[1]: Failed to start OpenVPN service for server.
```

So now I fix the permission denied errors with:

```
$ sudo chown -R openvpn:network /etc/openvpn/ /var/log/openvpn/
```

I restart the server and observe journalctl again:

```
$ sudo systemctl restart openvpn-server@server
```

```
[anton@archlinux ~]$ journalctl -u openvpn-server@server.service -n 15
May 28 19:42:27 archlinux openvpn[24109]: net_iface_up: set tun0 up
May 28 19:42:27 archlinux openvpn[24109]: net_addr_v4_add: 10.8.0.1/24 dev tun0
May 28 19:42:27 archlinux openvpn[24109]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 28 19:42:27 archlinux openvpn[24109]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 28 19:42:27 archlinux openvpn[24109]: UDPv4 link local (bound): [AF_INET][undef]:98765
May 28 19:42:27 archlinux openvpn[24109]: UDPv4 link remote: [AF_UNSPEC]
May 28 19:42:27 archlinux openvpn[24109]: capng_change_id('nobody','nobody') failed retaining capabilities: -9: Operation not permitted (errno=1)
May 28 19:42:27 archlinux openvpn[24109]: Unable to retain capabilities
May 28 19:42:27 archlinux openvpn[24109]: GID set to nobody
May 28 19:42:27 archlinux openvpn[24109]: setgroups('nobody') failed: Operation not permitted (errno=1)
May 28 19:42:27 archlinux openvpn[24109]: Exiting due to fatal error
May 28 19:42:27 archlinux openvpn[24109]: Closing TUN/TAP interface
May 28 19:42:27 archlinux openvpn[24109]: net_addr_v4_del: 10.8.0.1 dev tun0
May 28 19:42:27 archlinux systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
May 28 19:42:27 archlinux systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
```

Now, to fix the capabilities errors, I run:

```
$ sudo setcap 'cap_net_admin=eip cap_net_bind_service=eip cap_net_raw=eip cap_setgid=eip cap_setuid=eip cap_setpcap=eip cap_sys_chroot=eip cap_dac_override=eip cap_audit_write=eip' /usr/bin/openvpn
$ sudo systemctl restart openvpn-server@server
```

And now when I run journalctl, all looks good:

```
[anton@archlinux ~]$ journalctl -u openvpn-server@server.service -n 15
May 28 19:44:01 archlinux openvpn[24307]: TUN/TAP device tun0 opened
May 28 19:44:01 archlinux openvpn[24307]: net_iface_mtu_set: mtu 1500 for tun0
May 28 19:44:01 archlinux openvpn[24307]: net_iface_up: set tun0 up
May 28 19:44:01 archlinux openvpn[24307]: net_addr_v4_add: 10.8.0.1/24 dev tun0
May 28 19:44:01 archlinux openvpn[24307]: Could not determine IPv4/IPv6 protocol. Using AF_INET
May 28 19:44:01 archlinux openvpn[24307]: Socket Buffers: R=[212992->212992] S=[212992->212992]
May 28 19:44:01 archlinux openvpn[24307]: UDPv4 link local (bound): [AF_INET][undef]:98765
May 28 19:44:01 archlinux openvpn[24307]: UDPv4 link remote: [AF_UNSPEC]
May 28 19:44:01 archlinux openvpn[24307]: UID set to nobody
May 28 19:44:01 archlinux openvpn[24307]: GID set to nobody
May 28 19:44:01 archlinux openvpn[24307]: Capabilities retained: CAP_NET_ADMIN
May 28 19:44:01 archlinux openvpn[24307]: MULTI: multi_init called, r=256 v=256
May 28 19:44:01 archlinux openvpn[24307]: IFCONFIG POOL IPv4: base=10.8.0.2 size=253
May 28 19:44:01 archlinux openvpn[24307]: IFCONFIG POOL LIST
May 28 19:44:01 archlinux openvpn[24307]: Initialization Sequence Completed
```

Now I can finally connect to the openvpn server successfully :)

Hope this can help you as well.

mozo78 commented 3 months ago

> Can you show me the latest error from:
>
> journalctl -exu openvpn-server@server.service -n 50

Here it is: https://pastebin.com/RM46pZUD

> Hope this can help you as well.

Yes, it's working! Thank you very much!!!

antonpetrovmain commented 3 months ago

I now compared a bit more carefully all capabilities that the service is using and I see I might have missed one in my previous comment: CAP_IPC_LOCK

```
[anton@archlinux ~]$ grep -i capabilit /etc/systemd/system/openvpn-server\@.service
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
```

So I will set capabilities like that so the CAP_IPC_LOCK is also included:

```
[anton@archlinux ~]$ sudo setcap 'cap_ipc_lock=eip cap_net_admin=eip cap_net_bind_service=eip cap_net_raw=eip cap_setgid=eip cap_setuid=eip cap_setpcap=eip cap_sys_chroot=eip cap_dac_override=eip cap_audit_write=eip' /usr/bin/openvpn
```
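The two checks the workaround above arrives at by hand (which config-referenced files the service account cannot read, and which capability from the unit's AmbientCapabilities= line the setcap string left out) can be scripted. This is an added helper, not code from openvpn-install or from the commenters; it assumes the unit's --cd directory, the openvpn:network account and the unit path are passed in as shown in the usage note. Because file capabilities on /usr/bin/openvpn apply to every process that executes the binary, not only the service, the capability diff is meant to keep that set to exactly what the unit lists.

```bash
#!/usr/bin/env bash
# Added helper (not part of openvpn-install): find server.conf files the
# service account cannot read (errno=13) and capabilities the unit lists
# that a setcap string or getcap output lacks (CAP_IPC_LOCK in the thread).
set -eu
# Print the absolute path of every file the config references. Relative
# names resolve against the unit's --cd directory (passed as $2, assumed).
config_files() {   # $1 config path  $2 cd dir
    local key val
    while read -r key val _; do
        case "$key" in
            ca|cert|key|dh|tls-auth|tls-crypt|crl-verify|status)
                case "$val" in
                    /*) printf '%s\n' "$val" ;;
                    ?*) printf '%s/%s\n' "$2" "$val" ;;
                esac ;;
        esac
    done < "$1"
}
# Succeed if account $4:$5 can read a file owned by $1:$2 with octal mode
# $3, judged by the read bits only (no ACLs, no CAP_DAC_OVERRIDE).
can_read() {
    local bits=${3: -3} digit
    if [ "$1" = "$4" ]; then digit=${bits:0:1}
    elif [ "$2" = "$5" ]; then digit=${bits:1:1}
    else digit=${bits:2:1}; fi
    [ $(( digit & 4 )) -ne 0 ]
}
# Report config files the service account cannot read (or that are missing).
unreadable_files() {   # $1 config  $2 cd dir  $3 user  $4 group
    local f
    config_files "$1" "$2" | while read -r f; do
        [ -e "$f" ] || { printf '%s (missing)\n' "$f"; continue; }
        can_read $(stat -c '%U %G %a' "$f") "$3" "$4" || printf '%s\n' "$f"
    done
}
# Print each capability in the unit's list ($1, space separated) that the
# setcap string or getcap output ($2, names in any case, ',' or ' ' separated)
# does not mention.
missing_caps() {
    local c have
    have=" $(printf '%s' "$2" | tr 'a-z=,' 'A-Z  ') "
    for c in $1; do
        case "$have" in *" $c "*) ;; *) printf '%s\n' "$c" ;; esac
    done
}
```

Usage on the Arch host from this thread would be `unreadable_files /etc/openvpn/server/server.conf /etc/openvpn/server openvpn network` and `missing_caps "$(sed -n 's/^AmbientCapabilities=//p' /etc/systemd/system/openvpn-server@.service)" "$(getcap /usr/bin/openvpn)"`; an empty output from both means the file-permission and capability causes seen above are ruled out.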

mozo78 commented 3 months ago

Thank you for your splendid work :)

tanvira1993 commented 3 weeks ago

=========== solution ===========

If you face this error, run the script again and remove OpenVPN. Then edit the .sh script, replace "--secret" with "secret" and save. Run the script again; it will work.

Note: make sure the user is root.