[Bug]: openvpn-install fails to install on Arch Linux Arm #1025

Closed
4 tasks done
daniel071 opened this issue Aug 19, 2022 · 5 comments
@daniel071

Make sure you check these beforehand!

Server OS

Arch Linux Arm

OpenVPN version

OpenVPN 2.5.7 [git:makepkg/a0f9a3e9404c8321+] armv7l-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jun 2 2022

Client

Linux arch linux arm 5.15.56-3-rpi-ARCH #1 SMP Fri Aug 12 04:20:40 MDT 2022 armv7l GNU/Linux

What is the bug?

Similar to #420 and #363.
I've tried on multiple machines and I end up with the same error. On my previous install of Arch Linux Arm it worked without issues. I've tried copying the easyrsa binaries to the openvpn-install script location, however it still fails to generate keys and certs.

Relevant log output

--2022-08-19 07:33:43--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.7/EasyRSA-3.0.7.tgz
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving github.com (github.com)... 20.248.137.48
Connecting to github.com (github.com)|20.248.137.48|:443... connected.
The certificate has expired

gzip: stdin: unexpected end of file
tar: Child returned status 1
tar: Error is not recoverable: exiting now
./openvpn-install.sh: line 731: ./easyrsa: No such file or directory
./openvpn-install.sh: line 732: ./easyrsa: No such file or directory
./openvpn-install.sh: line 739: ./easyrsa: No such file or directory
./openvpn-install.sh: line 740: ./easyrsa: No such file or directory
2022-08-19 07:33:43 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
cp: cannot stat 'pki/ca.crt': No such file or directory
cp: cannot stat 'pki/private/ca.key': No such file or directory
cp: cannot stat 'pki/issued/server_mFlb9YE2ASgfQNe5.crt': No such file or directory
cp: cannot stat 'pki/private/server_mFlb9YE2ASgfQNe5.key': No such file or directory
cp: cannot stat '/etc/openvpn/easy-rsa/pki/crl.pem': No such file or directory
chmod: cannot access '/etc/openvpn/crl.pem': No such file or directory
* Applying /usr/lib/sysctl.d/10-arch.conf ...
fs.inotify.max_user_instances = 1024
fs.inotify.max_user_watches = 524288
* Applying /usr/lib/sysctl.d/50-coredump.conf ...
kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
kernel.core_pipe_limit = 16
fs.suid_dumpable = 2
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 2
sysctl: setting key "net.ipv4.conf.all.rp_filter": Invalid argument
net.ipv4.conf.default.accept_source_route = 0
sysctl: setting key "net.ipv4.conf.all.accept_source_route": Invalid argument
net.ipv4.conf.default.promote_secondaries = 1
sysctl: setting key "net.ipv4.conf.all.promote_secondaries": Invalid argument
net.ipv4.ping_group_range = 0 2147483647
net.core.default_qdisc = fq_codel
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /etc/sysctl.d/99-openvpn.conf ...
net.ipv4.ip_forward = 1
Created symlink /etc/systemd/system/multi-user.target.wants/openvpn-server@server.service -> /etc/systemd/system/openvpn-server@.service.
Job for openvpn-server@server.service failed because the control process exited with error code.
See "systemctl status openvpn-server@server.service" and "journalctl -xeu openvpn-server@server.service" for details.
Created symlink /etc/systemd/system/multi-user.target.wants/iptables-openvpn.service -> /etc/systemd/system/iptables-openvpn.service.



$ sudo systemctl status openvpn-server@server.service
* openvpn-server@server.service - OpenVPN service for server
     Loaded: loaded (/etc/systemd/system/openvpn-server@.service; enabled; preset: disabled)
     Active: activating (auto-restart) (Result: exit-code) since Fri 2022-08-19 07:41:25 UTC; 3s ago
       Docs: man:openvpn(8)
             https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
             https://community.openvpn.net/openvpn/wiki/HOWTO
    Process: 2380 ExecStart=/usr/bin/openvpn --status /run/openvpn-server/status-server.log --status-version 2 --suppress-timestamps --config server.conf (code=exited, status=1/FAILURE)
   Main PID: 2380 (code=exited, status=1/FAILURE)
        CPU: 132ms

Aug 19 07:41:25 alarmpi systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Aug 19 07:41:25 alarmpi systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
Aug 19 07:41:25 alarmpi systemd[1]: Failed to start OpenVPN service for server.
Aug 19 07:41:30 alarmpi systemd[1]: openvpn-server@server.service: Scheduled restart job, restart counter is at 82.
Aug 19 07:41:30 alarmpi systemd[1]: Stopped OpenVPN service for server.
Aug 19 07:41:30 alarmpi systemd[1]: Starting OpenVPN service for server...
Aug 19 07:41:31 alarmpi openvpn[2397]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 19 07:41:31 alarmpi openvpn[2397]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --cert fails with 'server_mFlb9YE2ASgfQNe5.crt': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: WARNING: cannot stat file 'server_mFlb9YE2ASgfQNe5.key': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --key fails with 'server_mFlb9YE2ASgfQNe5.key': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --crl-verify fails with 'crl.pem': No such file or directory (errno=2)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
Aug 19 07:41:31 alarmpi openvpn[2397]: Options error: Please correct these errors.
Aug 19 07:41:31 alarmpi openvpn[2397]: Use --help for more information.
Aug 19 07:41:31 alarmpi systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE
Aug 19 07:41:31 alarmpi systemd[1]: openvpn-server@server.service: Failed with result 'exit-code'.
Aug 19 07:41:31 alarmpi systemd[1]: Failed to start OpenVPN service for server.
Aug 19 07:41:36 alarmpi systemd[1]: openvpn-server@server.service: Scheduled restart job, restart counter is at 83.
Aug 19 07:41:36 alarmpi systemd[1]: Stopped OpenVPN service for server.
Aug 19 07:41:36 alarmpi systemd[1]: Starting OpenVPN service for server...
Aug 19 07:41:38 alarmpi openvpn[2408]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 19 07:41:38 alarmpi openvpn[2408]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 19 07:41:38 alarmpi openvpn[2408]: Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Aug 19 07:41:38 alarmpi openvpn[2408]: Options error: --cert fails with 'server_mFlb9YE2ASgfQNe5.crt': No such file or directory (errno=2)
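The log above shows the chain of failures: wget aborted with "The certificate has expired" (a wrong system clock or a stale CA bundle on the server; check date and the ca-certificates package before retrying), so tar got an empty or truncated stream, ./easyrsa never existed, and the installer kept going and shipped a unit with no ca.crt, server cert, key or crl.pem. The script below is an added example, not code from openvpn-install or EasyRSA: a fetch step that refuses to continue unless the archive is non-empty, matches a pinned SHA-256, is a complete gzip stream, and actually yields an executable easyrsa. The expected checksum is assumed to be a value you pin from a release you trust; the demo computes it from a constructed fixture rather than a real release.

```bash
#!/usr/bin/env bash
# Added example, not part of openvpn-install or EasyRSA: verify the EasyRSA
# archive before anything runs from it. Assumption: EXPECTED_SHA256 is pinned
# by the operator; the fixture below is constructed, not a real release.

set -u

# Portable SHA-256 (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DESTDIR
# Exit status 0 only if every check passes and DESTDIR/easyrsa exists afterwards.
verify_and_extract() {
    archive=$1 expected=$2 dest=$3

    # 1. A failed TLS handshake leaves no file or an empty one.
    if [ ! -s "$archive" ]; then
        echo "refusing: $archive is empty or missing" >&2; return 1
    fi
    # 2. Pinned checksum: catches a truncated, swapped or tampered download.
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "refusing: sha256 mismatch for $archive" >&2; return 1
    fi
    # 3. gzip integrity before tar runs (the "unexpected end of file" above).
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "refusing: $archive is not a complete gzip stream" >&2; return 1
    fi
    # 4. Extract and confirm the tool the installer calls is really there.
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest" --strip-components=1 || return 1
    if [ ! -x "$dest/easyrsa" ]; then
        echo "refusing: no executable easyrsa in $dest after extraction" >&2; return 1
    fi
    return 0
}

# make_fixture -> prints a temp dir holding good.tgz (a constructed stand-in
# for EasyRSA-3.0.7.tgz with a stub easyrsa) and truncated.tgz (its first
# 40 bytes, simulating the download that wget aborted).
make_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/EasyRSA-3.0.7"
    printf '#!/bin/sh\necho "stub easyrsa, not the real tool"\n' > "$work/EasyRSA-3.0.7/easyrsa"
    chmod +x "$work/EasyRSA-3.0.7/easyrsa"
    tar -czf "$work/good.tgz" -C "$work" EasyRSA-3.0.7
    head -c 40 "$work/good.tgz" > "$work/truncated.tgz"
    printf '%s\n' "$work"
}

# Stand-alone demo: bash this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    w=$(make_fixture)
    good=$(sha256_of "$w/good.tgz")
    verify_and_extract "$w/good.tgz" "$good" "$w/ok" && echo "good archive: extracted $w/ok/easyrsa"
    verify_and_extract "$w/truncated.tgz" "$good" "$w/bad" || echo "truncated archive: refused"
    rm -rf "$w"
fi
```

The order of checks matters: the checksum runs before gzip -t, so a truncated file is rejected even when the local gzip would happily decode the prefix it has, and extraction only happens after both pass, so a failing step never leaves a half-populated easy-rsa directory for the next ./easyrsa call to stumble over.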
@luntik2012

luntik2012 commented Aug 25, 2022

similar on archlinux, 4553dd9:

Aug 25 10:31:12 pc systemd[1]: Starting OpenVPN service for server...
░░ Subject: A start job for unit openvpn-server@server.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit openvpn-server@server.service has begun execution.
░░ 
░░ The job identifier is 4587.
Aug 25 10:31:12 pc openvpn[2337]: Consider setting groups/curves preference with tls-groups instead of forcing a specific curve with ecdh-curve.
Aug 25 10:31:12 pc openvpn[2337]: Note: Treating option '--ncp-ciphers' as  '--data-ciphers' (renamed in OpenVPN 2.5).
Aug 25 10:31:12 pc openvpn[2337]: Options error: --ca fails with 'ca.crt': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --cert fails with 'server_XUP4y8fvCc3kylnb.crt': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --key fails with 'server_XUP4y8fvCc3kylnb.key': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: --status fails with '/var/log/openvpn/status.log': Permission denied (errno=13)
Aug 25 10:31:12 pc openvpn[2337]: Options error: Please correct these errors.
Aug 25 10:31:12 pc openvpn[2337]: Use --help for more information.
Aug 25 10:31:12 pc systemd[1]: openvpn-server@server.service: Main process exited, code=exited, status=1/FAILURE

@Rijul-A

Rijul-A commented Nov 1, 2022

I had the same issue. The client device could not connect to the server with this error SIGUSR1[soft,connection-reset] received, process restarting because the server hadn't properly started. I fixed it using these commands, run as root.

# The installer writes the CA certificate to /etc/openvpn/ca.crt (the unit's
# error above names 'ca.crt'), so that is the file to chown, not ca.cert.
chown openvpn:network /etc/openvpn/ca.crt
chown openvpn:network /etc/openvpn/server_*
chown -R openvpn:network /var/log/openvpn

@angristan
Owner

The "The certificate has expired" error looks like a CA issue on your system :)

angristan closed this as not planned (won't fix, can't repro, duplicate, stale) on Jan 22, 2023
@angristan
Owner

As for @Rijul-A's errors, see #788

@daniel071
Author

I have finally figured out how to solve my issues.

I had to change /etc/iptables/add-openvpn-rules.sh and /etc/iptables/rm-openvpn-rules.sh

#!/bin/sh
# Before: every -i/-o names eth0 (the -D form shown is rm-openvpn-rules.sh;
# add-openvpn-rules.sh carries the same interface names)
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o eth0 -j ACCEPT
iptables -D INPUT -i eth0 -p udp --dport 3333 -j ACCEPT

TO

#!/bin/sh
# After: same rules with the uplink interface renamed to end0
iptables -t nat -D POSTROUTING -s 10.8.0.0/24 -o end0 -j MASQUERADE
iptables -D INPUT -i tun0 -j ACCEPT
iptables -D FORWARD -i end0 -o tun0 -j ACCEPT
iptables -D FORWARD -i tun0 -o end0 -j ACCEPT
iptables -D INPUT -i end0 -p udp --dport 3333 -j ACCEPT

And had to change the owner and group of /etc/openvpn to openvpn:network so that files would load correctly.

Then run systemctl restart iptables-openvpn
And run systemctl restart openvpn-server@server
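The fix above has two independent parts: the rule scripts named an interface (eth0) that was not the board's uplink (end0), and the key material was not readable by the openvpn:network user the unit runs as. The script below is an added example, not code from openvpn-install: it reads the uplink interface from the routing table instead of hardcoding it, renders the add/remove rule sets in the same shape as the helper scripts in this thread, and flags a script that still references a stale interface. The subnet, port and protocol are the placeholders from this thread (10.8.0.0/24, 3333, udp); the route lines in the tests are constructed, not captured from the reporter's board; and the add form is assumed to use -A (the real installer may insert with -I, which changes rule order but not the interface fix).

```bash
#!/usr/bin/env bash
# Added example, not part of openvpn-install: pick the uplink interface from
# the routing table, render add-/rm-openvpn-rules.sh bodies, and detect a
# stale interface name. Assumptions: -A for the add form; placeholders for
# subnet/port/proto; the demo falls back to "end0" when no default route exists.

set -u

# default_nic ROUTE_LINE -> the "dev" field of one `ip -4 route show default` line.
default_nic() {
    printf '%s\n' "$1" | awk '
        /^default/ { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# live_default_nic -> same, read from the running kernel (needs iproute2).
live_default_nic() {
    default_nic "$(ip -4 route show default 2>/dev/null | head -n 1)"
}

# nic_exists NAME -> 0 if the kernel has an interface with that name.
nic_exists() { [ -d "/sys/class/net/$1" ]; }

# render_rules ACTION NIC SUBNET PORT PROTO -> body of the add (A) or rm (D) script.
render_rules() {
    action=$1 nic=$2 subnet=$3 port=$4 proto=$5
    case "$action" in
        A|D) ;;
        *) echo "render_rules: ACTION must be A or D" >&2; return 1 ;;
    esac
    printf '#!/bin/sh\n'
    printf 'iptables -t nat -%s POSTROUTING -s %s -o %s -j MASQUERADE\n' "$action" "$subnet" "$nic"
    printf 'iptables -%s INPUT -i tun0 -j ACCEPT\n' "$action"
    printf 'iptables -%s FORWARD -i %s -o tun0 -j ACCEPT\n' "$action" "$nic"
    printf 'iptables -%s FORWARD -i tun0 -o %s -j ACCEPT\n' "$action" "$nic"
    printf 'iptables -%s INPUT -i %s -p %s --dport %s -j ACCEPT\n' "$action" "$nic" "$proto" "$port"
}

# stale_nic_in SCRIPT EXPECTED_NIC -> 0 if any -i/-o in SCRIPT names an
# interface other than EXPECTED_NIC (tun* is the VPN side and is ignored).
stale_nic_in() {
    grep -oE -- '-[io] [A-Za-z0-9_.:-]+' "$1" | awk '{ print $2 }' \
        | grep -v '^tun' | grep -vqx "$2"
}

# Stand-alone demo: bash this_file.sh demo   (prints rules, touches no firewall)
if [ "${1:-}" = "demo" ]; then
    nic=$(live_default_nic)
    if [ -n "$nic" ] && nic_exists "$nic"; then
        echo "uplink interface: $nic"
    else
        nic=end0; echo "no default route found; using placeholder $nic"
    fi
    render_rules A "$nic" 10.8.0.0/24 3333 udp
fi
```

Run stale_nic_in against /etc/iptables/add-openvpn-rules.sh and rm-openvpn-rules.sh with the output of live_default_nic before restarting iptables-openvpn; a non-zero exit means the scripts still agree on the interface. For the ownership half of the fix, confirm the service user can read the material before restarting the unit, for example with sudo -u openvpn test -r /etc/openvpn/ca.crt, which fails the same way the unit would.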
