Open zilexa opened 6 years ago
Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:9] Unknown lvalue 'requires' in section 'Unit'
Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:10] Unknown lvalue 'after' in section 'Unit'
This makes me wonder if the [Unit] section contains requires=xxx instead of Requires=xxx, and the same for After. Could you post your openvpn@.service file?
File /lib/systemd/system/openvpn@.service:
[Unit]
Description=OpenVPN connection to %i
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@$
PIDFile=/run/openvpn@%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID$
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
And /etc/systemd/system/openvpn@.service.d/netns.conf:
[Unit]
Requires=netns@%i.service
After=netns@%i.service
[Service]
# Needed to call setns() as ip netns does
CapabilityBoundingSet=CAP_SYS_ADMIN
I believe the system cannot find netns@.service so I copied it to the default location for .service files:
cp /etc/systemd/system/netns@.service /lib/systemd/system/netns@.service
Now at least the first errors are gone "unknown lvalue ... in section..." so it seems we are getting closer.
root@Raspberry:~# systemctl start openvpn@ns-vpn
A dependency job for openvpn@ns-vpn.service failed. See 'journalctl -xe' for details.
root@Raspberry:~# systemctl status openvpn@ns-vpn
● openvpn@ns-vpn.service - OpenVPN connection to ns-vpn
Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
Drop-In: /etc/systemd/system/openvpn@.service.d
└─netns.conf
Active: inactive (dead)
Jan 19 22:47:40 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:47:40 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 22:56:33 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:56:33 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 23:02:57 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 23:02:57 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:38:10 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 20 09:38:10 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:40:16 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 20 09:40:16 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
When I check journalctl, it says:
Jan 20 09:40:16 Raspberry systemd[1]: Starting network namespace ns/vpn...
-- Subject: Unit netns@ns-vpn.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit netns@ns-vpn.service has begun starting up.
Jan 20 09:40:16 Raspberry ip[3769]: Cannot create namespace file "/var/run/netns/ns/vpn": No such file or directory
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Main process exited, code=exited, status=1/FAILURE
Jan 20 09:40:16 Raspberry systemd[1]: Failed to start network namespace ns/vpn.
-- Subject: Unit netns@ns-vpn.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit netns@ns-vpn.service has failed.
--
-- The result is failed.
Jan 20 09:40:16 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
-- Subject: Unit openvpn@ns-vpn.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit openvpn@ns-vpn.service has failed.
--
-- The result is dependency.
Jan 20 09:40:16 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Unit entered failed state.
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Failed with result 'exit-code'.
Note the /var/run/netns directory exists but it is empty...
(I accidentally closed the issue)
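The journal above shows the instance name ns-vpn reaching ip as ns/vpn, which is consistent with systemd's unescaped instance specifier %I, where "-" in a unit name decodes to "/". The sketch below is an added example, not part of the thread or of the blog's code; the function names unit_unescape and instance_ok_for_netns are made up here, and it reimplements the decoding so it runs without systemd.

```shell
#!/bin/sh
# Added example: how systemd decodes a template instance name for %I.
# On a systemd host, `systemd-escape --unescape NAME` does the same decoding.

# Decode an instance name: "-" becomes "/", "\xNN" becomes the byte 0xNN.
unit_unescape() {
    rest=$1
    out=
    while [ -n "$rest" ]; do
        case $rest in
            '\x'[0-9a-fA-F][0-9a-fA-F]*)
                hex=${rest#??}               # drop the leading \x
                hex=${hex%"${hex#??}"}       # keep the two hex digits
                out=$out$(printf "\\$(printf '%03o' "0x$hex")")
                rest=${rest#????}
                ;;
            -*)
                out=$out/
                rest=${rest#?}
                ;;
            *)
                out=$out${rest%"${rest#?}"}  # copy one character unchanged
                rest=${rest#?}
                ;;
        esac
    done
    printf '%s\n' "$out"
}

# The journal shows ip trying to create /var/run/netns/<name>, so a "/" in
# the decoded name points into a subdirectory that does not exist.
instance_ok_for_netns() {
    case $(unit_unescape "$1") in
        ''|*/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Constructed instance names: the one from the failing unit, one without a
# dash, and one with the dash written as an escaped literal.
for inst in ns-vpn nsvpn 'ns\x2dvpn'; do
    if instance_ok_for_netns "$inst"; then
        verdict='ok as a namespace name'
    else
        verdict='decodes to a path with "/"'
    fi
    printf '%-12s -> %-8s %s\n' "$inst" "$(unit_unescape "$inst")" "$verdict"
done
```

An instance name without a dash, or with the dash escaped as \x2d, avoids the slash.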
I wonder if this is because combining drop-in files with overriding the entire unit isn't supported or doesn't work too well. You shouldn't ever have to put .service files in /lib/systemd/system by hand, that's kinda bad.
What if you delete the drop-in config file netns.conf and leave openvpn@.service in /etc/systemd/system, but have it look like this instead:
[Unit]
Description=OpenVPN connection to %i
Requires=netns@%i.service
After=netns@%i.service
[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
PIDFile=/run/openvpn@%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_SYS_ADMIN
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
Ha thanks! That helped! I also had to change ExecStart to /usr/sbin/openvpn (sbin instead of bin) because /openvpn did not exist in 'bin' folder.
But it seems the up script failed :( see the 2nd last line below. Not sure if we can fix that one..
root@Raspberry:/# journalctl -xe
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit openvpn@nsvpn.service has finished starting up.
--
-- The start-up result is done.
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: TCP/UDP: Preserving recently used remote address: [AF_INET]196.196.244.12:1194
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: UDP link local: (not bound)
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: UDP link remote: [AF_INET]196.196.244.12:1194
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: TLS: Initial packet from [AF_INET]196.196.244.12:1194, sid=a54ce442 516c5f45
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emai
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Validating certificate key usage
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: ++ Certificate has key usage 00a0, expects 00a0
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY KU OK
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Validating certificate extended key usage
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY EKU OK
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emai
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: route options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: route-related options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: peer-id set
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: data channel crypto options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 18:35:20 Raspberry kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 20 18:35:20 Raspberry kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:e3:cb:07
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: TUN/TAP device tun0 opened
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: TUN/TAP TX queue length set to 100
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Initialization Sequence Completed
/usr/local/bin/vpn-ns exists, right? Could you post your openvpn config file?
I triple checked, /usr/local/bin/vpn-ns definitely exists, it contains the exact copy of your blog.
openvpn config file (it is the nordvpn.ovpn file, modified according to the blog and renamed to nsvpn.conf):
root@Raspberry:/etc/openvpn# cat nsvpn.conf
# _ _ ___ ______ _ _
# | \ | | ___ _ __ __| \ \ / / _ \| \ | |
# | \| |/ _ \| '__/ _` |\ \ / /| |_) | \| |
# | |\ | (_) | | | (_| | \ V / | __/| |\ |
# |_| \_|\___/|_| \__,_| \_/ |_| |_| \_|
#
client
dev tun
proto udp
remote 196.196.244.12 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
explicit-exit-notify 3
remote-cert-tls server
#mute 10000
auth-user-pass
comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
# script should run `ip`, not openvpn
route-noexec
ifconfig-noexec
up "/usr/local/bin/vpn-ns"
route-up "/usr/local/bin/vpn-ns"
script-security 2
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
If I run
$ ip link set dev enx503f560224e5 down
as my (non-root) user, I get exit code 2, so I wonder if it's a permissions issue. Like in particular, if one of the Capabilities is missing from the service file.
Try changing the CapabilityBoundingSet line in /etc/systemd/system/openvpn@.service to just
CapabilityBoundingSet=
This will reset the list of allowed capabilities from the ones configured in /lib/systemd/system/openvpn@.service. You'll have to do a systemctl daemon-reload when you change systemd units btw.
You mean I should create /etc/systemd/system/openvpn@.service? Because until now, I have put openvpn@.service in /lib/systemd/system/.
If I simply copy that version to /etc/systemd/system/ and only change CapabilityBoundingSet= and leave the old version as is, I get the same behavior. But I am not sure if systemctl will actually look at the newly created file /etc/systemd/system/openvpn@.service.
I did do:
root@Raspberry:/# nano /etc/systemd/system/openvpn@.service
root@Raspberry:/# systemctl stop openvpn@nsvpn
root@Raspberry:/# systemctl disable openvpn@nsvpn
root@Raspberry:/# systemctl disable openvpn@.service
Removed /etc/systemd/system/multi-user.target.wants/openvpn@ns-vpn.service.
root@Raspberry:/# systemctl daemon-reload
root@Raspberry:/# systemctl start openvpn@nsvpn
Enter Auth Username: myusername
Enter Auth Password: *********
root@Raspberry:/# systemctl status openvpn@nsvpn
● openvpn@nsvpn.service - OpenVPN connection to nsvpn
Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
Active: active (running) since Sat 2018-01-20 20:15:50 GMT; 6s ago
Process: 5335 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/nsvpn.conf --daemon openvpn@nsvpn --writepid /run/openvpn@nsvpn.pid --status-version 2 (code=exited, stat
Main PID: 5338 (openvpn)
CGroup: /system.slice/system-openvpn.slice/openvpn@nsvpn.service
└─5338 /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/nsvpn.conf --daemon openvpn@nsvpn --writepid /run/openvpn@nsvpn.pid --status-version 2
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: OPTIONS IMPORT: data channel crypto options modified
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:e3:cb:07
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: TUN/TAP device tun0 opened
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: TUN/TAP TX queue length set to 100
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Initialization Sequence Completed
Only the operating system should be managing .service files in /lib/systemd/system/. If it works it works I guess, but I wouldn't do that
and it does look at it: https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Unit%20File%20Load%20Path
I'm not sure what to try next tho. Might be a good idea to get the environmental variables openvpn is passing to vpn-ns and then run vpn-ns in a shell with those environmental variables to see how it behaves (hopefully it will produce a helpful error message). That's how I originally wrote the script at least -- I just set up and route-up to run some script that ran env >/tmp/env or something instead.
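One way to carry out the capture-and-replay approach described above, as an added example that is not code from the thread or the blog. The function names capture_hook_env and replay_hook and the dump directory /tmp/vpn-ns-debug are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: capture the environment OpenVPN gives a hook, then replay it.

# Step 1: temporarily point "up" and "route-up" at a script whose body is
#   capture_hook_env /tmp/vpn-ns-debug "$@"
# OpenVPN exports script_type (up, route-up, ...) to the hook, so each hook
# type gets its own dump of environment and arguments.
capture_hook_env() {
    dumpdir=$1
    shift
    mkdir -p "$dumpdir" || return 1
    env > "$dumpdir/${script_type:-unknown}.env"
    printf '%s\n' "$@" > "$dumpdir/${script_type:-unknown}.args"
}

# Step 2: run the real hook by hand with exactly the captured environment.
# env -i starts from an empty environment, so a variable the service never
# set (PATH, script_type) is missing here too, and the hook's stderr and
# exit status are visible in the terminal.
# Limitation: values that contain newlines are not handled.
replay_hook() {
    envfile=$1
    shift
    env -i /bin/sh -c '
        envfile=$1
        shift
        while IFS= read -r line; do
            case $line in
                [A-Za-z_]*=*) export "$line" ;;
            esac
        done < "$envfile"
        exec "$@"
    ' replay "$envfile" "$@"
}

# Typical use once a dump exists (arguments as logged by OpenVPN):
#   replay_hook /tmp/vpn-ns-debug/route-up.env /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
#   echo "exit status: $?"
```

Running the hook through `sh -x` in the replay shows which command returns the non-zero status.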
I believe I made a mistake interpreting your blog.
I added CAP_SYS_ADMIN to the only openvpn@.service file I could find on my system (which was in /lib/systemd/system). Then I created the file /etc/systemd/system/openvpn@.service.d/netns.conf (note there was no openvpn@.service file in /etc/systemd/system on my machine) and copied the contents from your blog (also containing CAP_SYS_ADMIN).
I actually tested all of the above on DietPi, which is also Debian Stretch based but not as "clean" Debian Stretch as OSMC is so I am going to start over on a clean OSMC system now and I want to make sure I make no mistakes understanding the steps from your blog.
As you explained I should not manually change files in /lib/... BUT: re-reading your blog I believe I should not change any openvpn@.service file at all, I should only create the drop-in unit in /etc/systemd/system/openvpn@.service.d/netns.conf and see if that works, right?
I am going to do that now and follow the other steps on an untouched OSMC device.
If I end up with the same result I will do more trial and error to get the up script working.
So that went really smooth (and makes more sense). Also on OSMC, openvpn is located in usr/bin just like in your blog (on DietPi it was usr/sbin). I only created the drop-in unit and followed the other steps.
I still get the same error: Failed running command (--route-up): external program exited with error status: 2. I will try the method you described to get a more useful error message.
also the netns script you provide says
echo "$0: unknown \$script_type: '$script_type'" >&2
exit 2;
And I am getting errorcode 2 so the issue must be with the case above this part.
my output now:
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY EKU OK
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emailAddress=cert@nordvpn.com
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route-related options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: peer-id set
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: data channel crypto options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=wlan0 HWADDR=cc:b8:a8:11:64:48
Jan 21 01:49:47 Vero connmand[388]: tun0 {create} index 4 type 65534 <NONE>
Jan 21 01:49:47 Vero connmand[388]: tun0 {update} flags 4240 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 address 00:00:00:00:00:00 mtu 1500
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP device tun0 opened
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP TX queue length set to 100
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 21 01:49:47 Vero connmand[388]: tun0 {dellink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: (null) {remove} index 4
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: Initialization Sequence Completed
Jan 21 01:49:55 Vero sudo[4963]: osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/systemctl status openvpn@nsnordvpn
Jan 21 01:49:55 Vero sudo[4963]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
Jan 21 01:50:35 Vero sudo[4963]: pam_unix(sudo:session): session closed for user root
Jan 21 01:50:52 Vero sudo[5038]: osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/journalctl -xe
Jan 21 01:50:52 Vero sudo[5038]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
The issue with the script is probably due to no $PATH.
I want to try to replace variables in the net-ns script and replace them for the absolute values. $1 --> should this be the IP address range or just 24 or eth0? $ns --> should this be (in my example) net-ns@nsvpn.service? $tun_mtu --> should this be mtu0?
I never got this working, gave up a week later in January, but I would like to try again. Just wonder if more people have tried using your nsdo on Debian Stretch?
Hi! I never spent much time figuring this out even though I believe it isn't that difficult with your blog article. So tonight I tried again and it all made much more sense. I successfully built nsdo and performed the steps in your blog. I use a RPi3 running DietPi (based on Debian Stretch).
Unfortunately the openvpn@.service file is giving me troubles. This is what happens when I run systemctl start openvpn@ns-vpn (my vpn conf file is /etc/openvpn/ns-vpn.conf). Should I also edit the openvpn.service file? I did not touch that one. I hope you can help me figure out how to modify openvpn@.service. I have no clue how to troubleshoot this. I believe this is the only issue and nsdo should do the trick once openvpn is running.