openvpn3-autoload: Error: The following options are missing to establish a connection: --client #160

Closed
pohlandt opened this issue Nov 29, 2022 · 6 comments

Comments

@pohlandt

pohlandt commented Nov 29, 2022

I was following the instructions here in order to be able to script an openvpn session start / disconnect.

  1. create a protected (chmod) directory, put the x.ovpn configuration file there as well as a x.autoload file. The x.ovpn works fine by itself (openvpn3 session-start --config x.ovpn). The autoload file looks like the one from the openvpn.net page (I just changed the credentials).
  2. start the session by invoking openvpn3-autoload --directory path/to/file/pair

Unfortunately the session is not started, the output I get is
Error: The following options are missing to establish a connection: --client

Syslog looks like this:

dbus-daemon[646]: [system] Activating service name='net.openvpn.v3.configuration' requested by ':1.96' (uid=0 pid=6714 comm="/usr/bin/python3 /usr/sbin/openvpn3-autoload --dir" label="unconfined") (using servicehelper)
net.openvpn.v3.configuration[646]: OpenVPN3/Linux v19_beta (openvpn3-service-configmgr)
net.openvpn.v3.configuration[646]: OpenVPN core v3.7.1 linux x86_64 64-bit
net.openvpn.v3.configuration[646]: Copyright (C) 2012-2022 OpenVPN Inc. All rights reserved.
openvpn3-service-logger[1113]: Attached: {tag:136705894692312556}  [:1.97/net.openvpn.v3.configuration]
dbus-daemon[646]: [system] Successfully activated service 'net.openvpn.v3.configuration'
openvpn3-service-logger[1113]: {tag:136705894692312556} Parsed persistent configuration 'x.ovpn', owner: root

openvpn3 version gives

OpenVPN3/Linux v19_beta (openvpn3)
OpenVPN core v3.7.1 linux x86_64 64-bit

openvpn3-admin version --services gives

OpenVPN 3 D-Bus services:

  - Client backend starter service
     openvpn3-service-backendstart: v19_beta

  - Configuration Service
     openvpn3-service-configmgr:    v19_beta

  - Log Service
     openvpn3-service-logger:       v19_beta

  - Network Configuration Service
     openvpn3-service-netcfg:       v19_beta

  - Session Manager Service
     openvpn3-service-sessionmgr:   v19_beta

Am I missing something? Any help very much appreciated.

@dsommers
Member

The real error is this line: Error: The following options are missing to establish a connection: --client.

That means that your x.ovpn does not contain client on a single line.

@pohlandt
Author

pohlandt commented Nov 29, 2022

Thank you! That was indeed what was missing.

Interesting that the client statement is not needed when using openvpn3 session-start. Is that intentional? If not, might be an improvement to remove the need for that statement (since apparently config files are often provided like that).

@dsommers
Member

dsommers commented Dec 3, 2022

This is partially by design.

OpenVPN 3 Linux today (unfortunately) only supports client mode. And to avoid surprises by users trying the openvpn2 command line interface with a server configuration file, the --remote and --client requirement was added. The openvpn2 command will also only be client mode, also in the future. The openvpn2, openvpn3-autoload and the helper tool used by the openvpn3-session@.service systemd unit file (you should migrate to that one!) are all written in Python, so they all share the same configuration parser. (OpenVPN 3 Linux ships with an openvpn3 Python 3 module).

The openvpn3 command line utility is written in C++ and will sometime in the future also support server mode. And the configuration manager which stores configuration files and will be targeting both client and server modes therefore cannot have the same validity checks as the client-only tools.
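
A pre-flight check for the requirement described above, as an added example (not part of the thread and not code from OpenVPN 3 Linux or its `openvpn3` Python module): it reports which of `client` and `remote` a profile lacks before the file is handed to `openvpn3-autoload`. The parsing is a simplified assumption, the function names are hypothetical, and the sample profile and its host name are constructed.

```python
import re
import sys

# Options the thread says the Python-based client tools insist on.
REQUIRED = ("client", "remote")
_BLOCK_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

def directives(profile_text):
    """Return the option names used in an OpenVPN profile.

    Comment lines (# or ;) and the contents of inline blocks such as
    <ca>...</ca> are skipped, so a commented-out ';client' or a word
    inside a certificate block is not mistaken for the directive.
    """
    seen, in_block = set(), None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = _BLOCK_OPEN.match(line)
        if m:
            in_block = m.group(1)
            seen.add(in_block)
            continue
        # Tolerate a leading "--", as options are written on a command line.
        seen.add(line.split()[0].lstrip("-"))
    return seen

def missing_required(profile_text):
    """List the required options absent from the profile, in REQUIRED order."""
    found = directives(profile_text)
    return [opt for opt in REQUIRED if opt not in found]

# Constructed sample: has 'remote' but no live 'client' line.
SAMPLE_BROKEN = """\
;client
dev tun
remote vpn.example.com 1194
<ca>
client placeholder text inside an inline block
</ca>
"""
SAMPLE_FIXED = "client\n" + SAMPLE_BROKEN

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        gaps = missing_required(fh.read())
    if gaps:
        sys.exit("missing options: " + ", ".join("--" + g for g in gaps))
```

Run as a script with the profile path as its only argument, it exits non-zero and names the missing options, so it can gate a scripted session start.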

@pohlandt
Author

pohlandt commented Dec 3, 2022

Thank you for this in-depth answer. If it's not too much to ask, could you explain what the advantage of migrating from autoload to a systemd unit would be?

@dsommers
Member

dsommers commented Dec 5, 2022

There is a big difference in how these two approaches work. openvpn3-autoload was written at the time when the Configuration Manager lacked persistent storage support, which is why it requires the additional .autoload file where certain settings can be set. But it has a lot of flaws; it does not integrate well with either the config manager or the session manager - so if you run it twice, the configuration will be imported twice and even started twice. To clean up, you need to manually delete configuration profiles and stop sessions, one-by-one. In addition, it will start all configured autoload profiles at once, if more than one has been configured.

The systemd approach integrates with both the configuration and session manager. Configuration files must be imported as a persistent configuration (to work during boot), but you don't need any .autoload file - all additional configuration settings set in that file are now set using openvpn3 config-manage and openvpn3 config-acl. It also integrates with the session manager - on a per-configuration profile basis. This means that VPN sessions are started and managed per configuration. On top of that, sessions stopped using openvpn3 session-manage will be reflected via the related openvpn3-session@.service instantly.

Due to the deficiencies in openvpn3-autoload, it is being deprecated for distributions using systemd. And we will look into more ways to further improve the systemd integration.

@pohlandt
Author

pohlandt commented Dec 12, 2022

I see, will certainly consider switching once my setup gets more complex. Thank you very much for answering in such detail.

In case you're in touch with the maintainer of https://openvpn.net/blog/openvpn-3-linux-and-auth-user-pass/ it would probably be very useful to include this information there. I guess most uninformed people like me will end up using autoload by following the advice currently found on that page.
