Can't start VPN with "service openvpn"

Hello. I can’t start OpenVPN on Whonix WS 14 by means of “sudo service openvpn start”; I put the configs in /etc/openvpn. If I try to start it with “sudo openvpn myconfigvpn.conf”, it all works. But I need it at autostart. On the old Whonix 13 I just put the configs there and ran service openvpn start, and it all worked. How can I fix it?

That’s probably not Whonix-specific, but you may need to edit /etc/default/openvpn and set one of the AUTOSTART variables. Perhaps AUTOSTART="all" for simplest setup.

You may also need to run sudo systemctl daemon-reload after that, and then your openvpn service will probably start next time you run sudo service openvpn start.

1 Like

It doesn’t help…

The OpenVPN service is working, but it can’t connect to my VPN.

sudo service openvpn status
openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2018-09-16 00:46:01 UTC; 5min ago
Process: 686 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 686 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/openvpn.service

Sep 16 00:46:01 host systemd[1]: Starting OpenVPN service…
Sep 16 00:46:01 host systemd[1]: Started OpenVPN service.

Which virtualizer? VirtualBox, KVM or Qubes?

Which instructions did you follow?

Not Whonix specific indeed. Free Support for Whonix ™ applies.


/lib/systemd/system/openvpn.service by default does nothing.

# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.

[Unit]
Description=OpenVPN service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

See also /lib/systemd/system/openvpn@.service.


Generally, make sure to read first:


Then either

might apply.

After control according to this instruction, the last result:
> openvpn@openvpn.service - OpenVPN connection to openvpn

Loaded: loaded (/lib/systemd/system/openvpn@openvpn.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/openvpn@openvpn.service.d
└─50_unpriv.conf
Active: failed (Result: exit-code) since Mon 2018-09-17 03:04:31 UTC; 9s ago
Docs: man:openvpn(8)
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
https://community.openvpn.net/openvpn/wiki/HOWTO
Process: 2535 ExecStopPost=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=0/SUCCESS)
Process: 2531 ExecStart=/usr/sbin/openvpn --daemon ovpn-openvpn --status /run/openvpn/openvpn.status 10 --cd /etc/openvpn --config /etc/openvpn/openvpn.conf --writepid /run/op
Process: 2521 ExecStartPre=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel (code=exited, status=0/SUCCESS)
Process: 2508 ExecStartPre=/usr/bin/sudo --non-interactive /usr/sbin/openvpn --rmtun --dev tun0 (code=exited, status=0/SUCCESS)
Main PID: 2533 (code=exited, status=1/FAILURE)

Sep 17 03:04:30 host ovpn-openvpn[2533]: PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.6.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 40
Sep 17 03:04:30 host ovpn-openvpn[2533]: OPTIONS IMPORT: --socket-flags option modified
Sep 17 03:04:30 host ovpn-openvpn[2533]: Socket flags: TCP_NODELAY=1 succeeded
Sep 17 03:04:31 host systemd[1]: openvpn@openvpn.service: Main process exited, code=exited, status=1/FAILURE
Sep 17 03:04:31 host sudo[2535]: tunnel : TTY=unknown ; PWD=/etc/openvpn ; USER=root ; COMMAND=/usr/sbin/openvpn --rmtun --dev tun0
Sep 17 03:04:31 host sudo[2535]: pam_unix(sudo:session): session opened for user root by (uid=0)
Sep 17 03:04:31 host sudo[2535]: Mon Sep 17 03:04:31 2018 TUN/TAP device tun0 opened
Sep 17 03:04:31 host sudo[2535]: Mon Sep 17 03:04:31 2018 Persist state set to: OFF
Sep 17 03:04:31 host systemd[1]: openvpn@openvpn.service: Unit entered failed state.
Sep 17 03:04:31 host systemd[1]: openvpn@openvpn.service: Failed with result ‘exit-code’.

Also, after “install resolvconf” there was another problem: in “sudo cat /etc/resolv.conf” I see only this text:

#Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#DO NOT EDIT THIS FILE BY HAND – YOUR CHANGES WILL BE OVERWRITTEN

If I change this text and add nameserver 10.152.152.10 or my VPN DNS server, after reboot this text is overwritten.

If I write nothing, then the VPN can’t connect to the VPN server, and the internet doesn’t work in Firefox, but it works in Tor, but the VPN service shows “active” status.

Also debug mode:

user@host:/etc/openvpn$ sudo /usr/sbin/openvpn --rmtun --dev tun0
Mon Sep 17 03:13:41 2018 TUN/TAP device tun0 opened
Mon Sep 17 03:13:41 2018 Persist state set to: OFF
user@host:/etc/openvpn$ sudo /usr/sbin/openvpn --mktun --dev tun0 --dev-type tun --user tunnel --group tunnel
Mon Sep 17 03:13:48 2018 TUN/TAP device tun0 opened
Mon Sep 17 03:13:48 2018 Persist state set to: ON

and
sudo -u tunnel openvpn /etc/openvpn/openvpn.conf

The last lines:

Mon Sep 17 03:14:39 2018 ROUTE6: default_gateway=UNDEF
Mon Sep 17 03:14:39 2018 ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1)
Mon Sep 17 03:14:39 2018 Exiting due to fatal error

But in my config “tun0”, “tun” I tried too.

I don’t know what to do… Help me please :frowning:

Follow the full instructions, not just a single chapter from there.

Does the firewall need to be configured too? On the old Whonix 13 I just copied openvpn.conf and started it, and it was OK…

I need the VPN only for a white IP; for security, Tor is okay.

Also, I use VirtualBox and Whonix 14.

Last situation:
In the end I managed to start the VPN, but there are problems. 1) resolvconf is rewritten every time; this started after “install resolvconf” as in the manual. Therefore there is no Internet at startup every time, and the VPN can’t connect. When I write nameserver 10.152.152.10 there by hand, the VPN begins to work and resolvconf rewrites the nameserver to the VPN DNS.

But all this isn’t important, because what I ended up with doesn’t suit me. I just needed the VPN and Tor to work together, not a full connection through the VPN. For example: in Firefox I open sites under the VPN’s white IP; in Tor Browser and apps I use Tor SOCKS.

But if I do it according to the instructions, it turns out that if the firewall is enabled, Tor doesn’t work, and if it is switched off, the VPN doesn’t…

HELP ME PLEASE… I have already been trying to set this up for a whole week. :sob:

In old Whonix I just copied the VPN files to /etc/openvpn/ and it all worked…
But in Whonix 14 it doesn’t work :( I need to do it on Whonix Workstation 14 in VirtualBox.

I need to use the VPN only for a static white IP; I don’t need a full VPN tunnel on the Workstation. I can’t find a solution. The only working solution is if I just start it in the console: openvpn /etc/openvpn/openvpn.conf, and it works as I want: in Firefox I see the white IP, in Tor Browser the Tor IP. But I just want it to connect on startup, like on old Whonix with sudo service openvpn start.

Thanks.

Connecting to Tor before a VPN

What?

What you gave me removes Tor SOCKS altogether. I do not NEED that. I need to USE Tor SOCKS; I need the VPN to USE for Firefox; I do not want to turn off stream isolation.

Please read the full post.

Impossible. You cannot use user -> Tor -> VPN -> destination plus have stream isolation at the same time. Incompatible. If you want stream isolation, stay away from user -> Tor -> VPN -> destination.

But I managed to do so on the previous Whonix 13. Once again, I need the scheme W GW + W WS + VPN on WS, but I do not need the VPN for everything. I only need it for use in Firefox. Also, as I said, if I start the VPN manually from the console with the config file, the scheme works. I just cannot understand how to make the VPN autostart with the OpenVPN service.

Try to figure out how to do that on Debian stretch as per Self Support First Policy for Whonix.

I am trying, but I get many errors; OpenVPN doesn’t work as a service out of the box in Whonix.

@benev

You likely made a mistake when you configured your VPN. I followed the instructions as written in the wiki and my VPN client auto starts and connects. The information you need can be found in:

https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN

You’re saying you want to use the VPN with Firefox (in Whonix Workstation) and not Tor Browser?

If so:

No other browsers should be used other than Tor Browser.

https://whonix.org/wiki/Tor_Browser#Anonymity_vs_Pseudonymity

Also, do not use Tor and clearnet at the same time.

https://whonix.org/wiki/DoNot#Use_Clearnet_and_Tor_at_the_Same_Time

1 Like

Maybe I’m not explaining correctly, I’m not English-speaking… But I need something different, not exactly what is written in this guide. I need to run the VPN simply by default, without the configuration of the VPN firewall. I do not need to make a complete tunnel in the WS; I only need an interlayer which will work only in applications not configured for Tor SOCKS, such as FF. I need exactly this for my own purposes. What is written in the guide makes everything work through the VPN, including Tor Browser, and removes the stream isolation. However, all I need is to get a white IP in FF for web surfing on several sites. In the previous version, Whonix 13, it worked by simply putting the configuration files in /etc/openvpn, and it automatically started the VPN at system startup through the OpenVPN service. Now I cannot get what I need; I have to start it from the console by entering the commands cd /etc/openvpn, sudo openvpn myvpn.conf.

Help me to solve this problem, based on my conditions, please.

Everything about this sentence still means to me either or both of these:

  1. You don’t have AUTOSTART configured right in /etc/default/openvpn. The AUTOSTART variable defines which VPN profiles will get automatically started when you start the OpenVPN daemon.
  2. Something perhaps to do with ‘relative’ paths in your /etc/openvpn/myvpn.conf, e.g. paths to certs and keys, that only work if you are cd’d into /etc/openvpn, which maybe breaks your startup even if your AUTOSTART is correct. You could try putting ‘absolute’ paths to your ca, cert, key, dhparams etc. in your config to see if that helps.

Perhaps if you paste your /etc/default/openvpn and your /etc/openvpn/myvpn.conf it will be clearer for us to help. Be sure not to paste any private keys (sometimes these are embedded in the myvpn.conf file, depending on your configuration) and perhaps mask any explicit settings, e.g. your server’s IP etc.

2 Likes

etc/default/openvpn

# This is the configuration file for /etc/init.d/openvpn

#
# Start only these VPNs automatically via init script.
# Allowed values are "all", "none" or space separated list of
# names of the VPNs. If empty, "all" is assumed.
# The VPN name refers to the VPN configutation file name.
# i.e. "home" would be /etc/openvpn/home.conf
#
# If you're running systemd, changing this variable will
# require running "systemctl daemon-reload" followed by
# a restart of the openvpn service (if you removed entries
# you may have to stop those manually)
#
AUTOSTART="all"
#AUTOSTART="none"
#AUTOSTART="home office"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
#
#STATUSREFRESH=10
#STATUSREFRESH=0
# Optional arguments to openvpn's command line
OPTARGS=""
#
# If you need openvpn running after sendsigs, i.e.
# to let umountnfs work over the vpn, set OMIT_SENDSIGS
# to 1 and include umountnfs as Required-Stop: in openvpn's
# init.d script (remember to run insserv after that)
#
OMIT_SENDSIGS=0

/etc/openvpn/myvpn.conf

client
dev tun
proto tcp

remote vpnsite.com 443

cipher AES-256-CBC
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
remote-cert-tls server
ping 10
ping-restart 60
sndbuf 524288
rcvbuf 524288


auth-user-pass my_userpass.txt
ca my_ca.crt
crl-verify my_crl.pem


tun-ipv6
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf



tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA

The same VPN config worked in Whonix 13 by default.

auth-user-pass my_userpass.txt
ca my_ca.crt
crl-verify my_crl.pem

Try making these (and also presumably your ‘cert’ and ‘key’ parameters that you omitted) be absolute paths, instead of relative paths. In other words, add the prefix /etc/openvpn/ to each of those values.

Same as you have for the up and down parameters (they are absolute paths).

The issue may be that when the openvpn daemon tries to autostart the service, it can’t find those files as it’s not operating within the context of the /etc/openvpn folder. That would also explain why it works fine if you start it manually whilst cd’d into /etc/openvpn.

2 Likes
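Added example, not part of any post in this thread: a shell sketch of the two checks suggested above. It lists the openvpn@NAME.service instances (the unit form shown earlier as openvpn@openvpn.service) that an AUTOSTART value selects, and flags file directives with relative paths. The sample files, the function names and the directive list beyond those in the posted config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian OpenVPN autostart setup.

# Print the openvpn@NAME.service units that AUTOSTART in defaults file $1
# selects, given the *.conf files in directory $2. Empty or unset means "all".
autostart_units() {
    autostart=$(sed -n 's/^[[:space:]]*AUTOSTART="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    case ${autostart:-all} in
        none) ;;
        all)  for f in "$2"/*.conf; do
                  if [ -e "$f" ]; then echo "openvpn@$(basename "$f" .conf).service"; fi
              done ;;
        *)    for n in $autostart; do echo "openvpn@$n.service"; done ;;
    esac
}

# Print "directive value" for each file-taking directive in config $1 whose
# argument is a relative path. Comments and inline <ca>...</ca> blocks are skipped.
relative_paths() {
    awk '
        /^[ \t]*[#;]/ { next }            # comment line
        /^[ \t]*<\//  { blk = 0; next }   # end of an inline block
        /^[ \t]*</    { blk = 1; next }   # start of an inline block
        blk           { next }            # PEM data inside the block
        $1 ~ /^(ca|cert|key|dh|pkcs12|tls-auth|tls-crypt|crl-verify|auth-user-pass|up|down)$/ && NF >= 2 {
            v = $2; sub(/^"/, "", v)      # tolerate a quoted argument
            if (v !~ /^\// && v != "[inline]") print $1, v
        }
    ' "$1"
}

# Constructed sample mirroring the files posted in the thread (illustrative only).
make_sample() {
    mkdir -p "$1/openvpn"
    printf '%s\n' '#AUTOSTART="none"' 'AUTOSTART="all"' > "$1/default"
    printf '%s\n' 'client' 'dev tun' 'auth-user-pass my_userpass.txt' \
        'ca my_ca.crt' 'crl-verify my_crl.pem' \
        'up /etc/openvpn/update-resolv-conf' > "$1/openvpn/myvpn.conf"
}

tmp=$(mktemp -d)
make_sample "$tmp"
autostart_units "$tmp/default" "$tmp/openvpn"   # units to inspect with systemctl status
relative_paths "$tmp/openvpn/myvpn.conf"        # directives to rewrite as absolute paths
rm -rf "$tmp"
```

On a real system the arguments would be /etc/default/openvpn, /etc/openvpn and the profile's .conf file; the status of each printed unit, rather than of openvpn.service (whose ExecStart is /bin/true), shows whether that profile started.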

Hello. I tried:

  1. Reinstall fresh Whonix 14
  2. Make dist-upgrade
  3. Upload files of my VPN to /etc/openvpn
  4. Edit etc/default/openvpn to autostart
  5. Edit my_vpn.conf with /etc/openvpn/userpass… as you said.
  6. Reboot

VPN doesn’t work.

service openvpn status

openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Fri 2018-09-28 15:23:02 UTC; 8s ago
Process: 2229 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 2229 (code=exited, status=0/SUCCESS)

Sep 28 15:23:02 host systemd[1]: Starting OpenVPN service…
Sep 28 15:23:02 host systemd[1]: Started OpenVPN service.

So the service is working, but the VPN can’t connect.

I also tried renaming my_vpn.conf to openvpn.conf and giving chmod 755 to all VPN files; that doesn’t help either.

And again, it works if I start it by hand from the console: sudo openvpn --config /etc/openvpn/openvpn.conf

Help me pleeeasee…