Hello,
I am setting up VPN-Firewall on the HOST machine. Installation goes without any problems; however, openvpn does not start as it is supposed to. Operating system: Debian 8. I am attaching the necessary logs and information.
The netfilter status does not seem to complain.
user@host:~$ sudo service netfilter-persistent status
● netfilter-persistent.service - netfilter persistent configuration
Loaded: loaded (/lib/systemd/system/netfilter-persistent.service; enabled)
Drop-In: /lib/systemd/system/netfilter-persistent.service.d
└─20_vpn-firewall.conf
Active: active (exited) since 2018-03-09 14:56:44 CET; 2min 6s ago
Main PID: 1557 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/netfilter-persistent.service
mar 09 14:56:44 host netfilter-persistent[1557]: run-parts: executing /usr/share/netfilter-per...art
mar 09 14:56:44 host netfilter-persistent[1557]: OK: IPv6 suppot not avalaible on system
mar 09 14:56:44 host netfilter-persistent[1557]: OK: The firewall should not show any messages,
mar 09 14:56:44 host netfilter-persistent[1557]: OK: besides output beginning with prefix OK:...
mar 09 14:56:44 host netfilter-persistent[1557]: OK: FORWARDING: false
mar 09 14:56:44 host netfilter-persistent[1557]: OK: VPN firewall loaded.
mar 09 14:56:44 host systemd[1]: Started netfilter persistent configuration.
Hint: Some lines were ellipsized, use -l to show in full.
However, the openvpn service already has some problems.
user@host:~$ sudo service openvpn@openvpn status
● openvpn@openvpn.service - OpenVPN connection to openvpn
Loaded: loaded (/lib/systemd/system/openvpn@openvpn.service; enabled)
Drop-In: /lib/systemd/system/openvpn@openvpn.service.d
└─50-unpriv.conf
Active: failed (Result: exit-code) since Fri 2018-03-09 14:58:06 CET; 10s ago
Process: 1791 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf (code=exited, status=0/SUCCESS)
Main PID: 1792 (code=exited, status=1/FAILURE)
mar 09 14:58:05 host ovpn-openvpn[1792]: OPTIONS IMPORT: explicit notify parm(s) modified
mar 09 14:58:05 host ovpn-openvpn[1792]: OPTIONS IMPORT: --ifconfig/up options modified
mar 09 14:58:05 host ovpn-openvpn[1792]: OPTIONS IMPORT: route options modified
mar 09 14:58:05 host ovpn-openvpn[1792]: OPTIONS IMPORT: route-related options modified
mar 09 14:58:05 host ovpn-openvpn[1792]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option optio...ied
mar 09 14:58:05 host ovpn-openvpn[1792]: ROUTE_GATEWAY 10.64.64.64
mar 09 14:58:05 host ovpn-openvpn[1792]: ERROR: Cannot ioctl TUNSETIFF tun0: Operation not per...=1)
mar 09 14:58:05 host ovpn-openvpn[1792]: Exiting due to fatal error
mar 09 14:58:06 host systemd[1]: openvpn@openvpn.service: main process exited, code=exited, s...LURE
mar 09 14:58:06 host systemd[1]: Unit openvpn@openvpn.service entered failed state.
The OpenVPN .conf file (dev is set to tun0):
user@host:/etc/openvpn$ cat openvpn.conf
client
dev tun0
proto udp
remote <ip> <port>
auth-user-pass /etc/openvpn/auth.txt
resolv-retry infinite
nobind
persist-tun
persist-key
persist-remote-ip
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA
ns-cert-type server
verify-x509-name de name-prefix
key-direction 1
comp-lzo
verb 3
;ca ca.crt
<ca>
###KEY HERE###
</ca>
<tls-auth>
###KEY HERE###
</tls-auth>
#############################
## VPN-Firewall specific settings ##
#############################
client
dev tun0
persist-tun
persist-key
script-security 2
up "/etc/openvpn/update-resolv-conf script_type=up dev=tun0"
down "/etc/openvpn/update-resolv-conf script_type=down dev=tun0"
user tunnel
iproute /usr/bin/ip-unpriv
Upon checking the dmesg output right after reboot, I can grab some specific errors. Well, the error seems self-explanatory; however, I have no clue how to fix it in the vpn-firewall script.
[ 29.929328] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:13] Failed to parse protect system value, ignoring: strict
[ 29.929412] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:15] Unknown lvalue 'ProtectControlGroups' in section 'Service'
[ 29.929418] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:16] Unknown lvalue 'RestrictRealtime' in section 'Service'
[ 29.929424] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:17] Unknown lvalue 'ProtectKernelModules' in section 'Service'
[ 29.929434] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:20] Unknown lvalue 'ReadWritePaths' in section 'Service'
[ 29.929440] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:21] Unknown lvalue 'ProtectKernelTunables' in section 'Service'
[ 29.929451] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:26] Unknown lvalue 'MemoryDenyWriteExecute' in section 'Service'
[ 29.929457] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:27] Unknown lvalue 'AmbientCapabilities' in section 'Service'
Ownership and permissions on the necessary files.
user@host:ls -al /run/resolvconf
drwxrwxr-x 3 root tunnel 100 mar 9 10:24 .
drwxr-xr-x 26 root root 900 mar 9 10:22 ..
-rw-r--r-- 1 root root 0 mar 9 10:24 enable-updates
drwxrwxr-x 2 root tunnel 40 mar 9 10:22 interface
-rw-r--r-- 1 root root 151 mar 9 10:22 resolv.conf
user@host:sudo chown --recursive root:tunnel /run/resolvconf #This sets ownership only temporarily; after reboot it reverts
user@host:ls -al /run/resolvconf
drwxrwxr-x 3 root tunnel 100 mar 9 10:24 .
drwxr-xr-x 26 root root 900 mar 9 10:22 ..
-rw-r--r-- 1 root tunnel 0 mar 9 10:24 enable-updates
drwxrwxr-x 2 root tunnel 40 mar 9 10:22 interface
-rw-r--r-- 1 root tunnel 151 mar 9 10:22 resolv.conf
user@host:sudo chmod --recursive 775 /run/resolvconf
user@host:ls -al /run/resolvconf
drwxrwxr-x 3 root tunnel 100 mar 9 10:24 .
drwxr-xr-x 26 root root 900 mar 9 10:22 ..
-rwxrwxr-x 1 root tunnel 0 mar 9 10:24 enable-updates
drwxrwxr-x 2 root tunnel 40 mar 9 10:22 interface
-rwxrwxr-x 1 root tunnel 151 mar 9 10:22 resolv.conf
user@host: ls -la /etc/openvpn
drwxr-xr-x 2 tunnel tunnel 4096 mar 8 14:56 .
drwxr-xr-x 129 root root 12288 mar 8 16:45 ..
-rwxr-xr-x 1 tunnel tunnel 29 mar 8 14:59 auth.txt
-rwxr-xr-x 1 tunnel tunnel 3090 mar 9 10:38 openvpn.conf
-rwxr-xr-x 1 tunnel tunnel 1301 jun 26 2017 update-resolv-conf
I have been hitting my head against a wall here for a few days already. The last time I set up VPN-Firewall, installation went without any problems.
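The dmesg lines in the post show systemd rejecting every hardening directive in 50-unpriv.conf, including the AmbientCapabilities line that hands capabilities to a service running as an unprivileged user. The script below is an added example (not part of the original post and not VPN-Firewall's own code): it pulls the rejected directives out of log lines like those above, compares each with the minimum systemd version that understands it (versions as I recall them from systemd's NEWS file, an assumption to verify against your release), and flags the case where the CAP_NET_ADMIN grant is the one being dropped, which is the situation in which an openvpn started with "user tunnel" can no longer create tun0 and TUNSETIFF fails with EPERM. The log sample is constructed from the post's dmesg output; the fallback systemd version 215 for Debian 8 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or from VPN-Firewall.
# 1) extract the directives systemd rejected from dmesg/journal lines,
# 2) show the minimum systemd version each one needs,
# 3) flag whether the AmbientCapabilities grant is among the rejected lines.
set -u

# Constructed sample: the dmesg lines quoted in the post, drop-in path kept as shown.
SAMPLE_LOG=$(cat <<'EOF'
[   29.929328] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:13] Failed to parse protect system value, ignoring: strict
[   29.929412] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:15] Unknown lvalue 'ProtectControlGroups' in section 'Service'
[   29.929418] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:16] Unknown lvalue 'RestrictRealtime' in section 'Service'
[   29.929424] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:17] Unknown lvalue 'ProtectKernelModules' in section 'Service'
[   29.929434] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:20] Unknown lvalue 'ReadWritePaths' in section 'Service'
[   29.929440] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:21] Unknown lvalue 'ProtectKernelTunables' in section 'Service'
[   29.929451] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:26] Unknown lvalue 'MemoryDenyWriteExecute' in section 'Service'
[   29.929457] systemd[1]: [/lib/systemd/system/openvpn@openvpn.service.d/50-unpriv.conf:27] Unknown lvalue 'AmbientCapabilities' in section 'Service'
EOF
)

# Minimum systemd version that accepts each directive or value, as I recall it
# from systemd's NEWS file (assumption: confirm against the NEWS of your release).
min_version() {
    case "$1" in
        AmbientCapabilities) echo 229 ;;
        RestrictRealtime|MemoryDenyWriteExecute|ReadWritePaths) echo 231 ;;
        ProtectKernelTunables|ProtectKernelModules|ProtectControlGroups|ProtectSystem=strict) echo 232 ;;
        *) echo unknown ;;
    esac
}

# Read log lines on stdin; print one rejected directive per line, sorted and unique.
# "Unknown lvalue 'X' in section 'Service'" -> X
# "Failed to parse protect system value, ignoring: strict" -> ProtectSystem=strict
rejected_directives() {
    sed -n \
        -e "s/.*Unknown lvalue '\([A-Za-z]*\)' in section 'Service'.*/\1/p" \
        -e "s/.*Failed to parse protect system value, ignoring: \([a-z]*\).*/ProtectSystem=\1/p" \
    | sort -u
}

# Read rejected directives on stdin; print the version each one needs next to
# the version actually running ($1).
report() {
    ver=$1
    while IFS= read -r d; do
        printf '%-24s needs systemd >= %s, have %s\n' "$d" "$(min_version "$d")" "$ver"
    done
}

# Return 0 when the log shows AmbientCapabilities being rejected: the drop-in's
# capability grant never reaches the openvpn process, so a process started as
# "user tunnel" has no CAP_NET_ADMIN and TUNSETIFF on tun0 returns EPERM.
net_admin_grant_ignored() {
    rejected_directives | grep -qx AmbientCapabilities
}

# Stand-alone run: use the real systemd version when systemctl exists, else
# fall back to 215 (Debian 8's systemd, an assumption).
have=$(systemctl --version 2>/dev/null | sed -n '1s/^systemd \([0-9]*\).*/\1/p')
printf '%s\n' "$SAMPLE_LOG" | rejected_directives | report "${have:-215}"
if printf '%s\n' "$SAMPLE_LOG" | net_admin_grant_ignored; then
    echo 'AmbientCapabilities ignored: openvpn running as "user tunnel" gets no CAP_NET_ADMIN, which matches the TUNSETIFF EPERM above'
fi
```

On a live host, feed the script real data instead of the sample with `journalctl -b -u openvpn@openvpn | rejected_directives` or `dmesg | rejected_directives`; any directive it lists is one whose protection this systemd silently does not apply, so the unit is running with weaker confinement than the drop-in suggests, not just failing to start.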