Openvpn Fedora 16 x64

[kidboy]

Hi, i install openvpn on Fedora 16 x86_64 and when i try start the service ( systemctl start openvpn.service ) i recive a error: Failed to issue method call: Unit openvpn.service failed to load: No such file or directory. See system logs and 'systemctl status openvpn.service' for details.

I can see a /lib/systemd/system/openvpn\@.service. What i have to do for openvpn work as a server daemon in Fedora 16 ?

[beaker_]

systemctl restart openvpn@ServerOrClientConfFileName.service

Where /etc/openvpn/ServerOrClientFileName.conf

[Proxin]

Hi,
Sorry to bump an old thread, but I'm having this same issue and 'systemctl restart openvpn@server.service' did not work...

When I tried this, I got an error:

Code:

Job failed. See system logs and 'systemctl status' for details.

And when I use 'systemctl status openvpn@server.service':

Code:

openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
	  Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled)
	  Active: failed since Sun, 06 May 2012 21:19:25 -0700; 2min 5s ago
	 Process: 2693 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/openvpn@.service/server

My server configuration file is /etc/openvpn/server.conf.

What can I do to get this to work?

[beaker_]

At a terminal:

Code:

su
cd /etc/openvpn
openvpn --config server.conf

Any hints?

[Proxin]

Thanks for the reply beaker,
I figured out, it was my mistake- I had the wrong name for a few certs and keys, so it had no other option than to throw an error about not being able to find them.

However, I'm now experiencing another error upon trying to connect a client:

Code:

read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

I've looked around and Googled for solutions but haven't been able to remedy this.
Will post my server.conf when I get home. Is there a recommended solution in the meantime?

[beaker_]

Client and Server config probably don't agree. Look at hardening, you'll see a paragraph wrt using tls-auth (ta.key).

At worst, someone between your server and client has substitute their tls key for your own.

---------- Post added at 09:57 PM ---------- Previous post was at 09:56 PM ----------

http://openvpn.net/index.php/open-so....html#security

[Proxin]

Quote:

Originally Posted by beaker_

Client and Server config probably don't agree. Look at hardening, you'll see a paragraph wrt using tls-auth (ta.key).

At worst, someone between your server and client has substitute their tls key for your own.

Very informing page. I followed the guide on setting up ta.key but still have the same issue.
Here is my server.conf:
http://pastebin.com/pfYNinwN

Here's a different part of the error...

Code:

Local Options hash (VER=V4): '14168604''
Expected Remote Options hash (VER=V4): '504e775e'
TLS: Initial packet from <my client's ip address>, sid blablabla
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

Sorry to keep bugging with this... I wish I could just not have these issues :/

[beaker_]

From here I guess they weren't signed by the same or trusted certificate authority.

I'm assuming you used the easy-rsa script and that your procedure looked pretty much like http://openvpn.net/index.php/open-so...howto.html#pki .

From here you server.conf looks stock enough to fly with little-no troubleshooting so here's a winbloz client conf. I've deleted detail to be vague. .\\VPN_Name\\ is relative so I have a directory named VPN_Name under config. I also use a different cipher so don't dwell over it.

Code:

dev tun
proto udp
remote SomeNameIDontKnow 1194
resolv-retry 90
nobind
persist-key
persist-tun
ca .\\VPN_Name\\ca.crt
cert .\\VPN_Name\\RemoteClientName.crt
key .\\VPN_Name\\RemoteClientName .key
ns-cert-type server
tls-auth .\\VPN_Name\\ta.key 1
tls-client
cipher AES-256-CBC
comp-lzo
verb 3

I suspect you've beat on it enough that you've lost track for which key's were generated when and with who. Probably best to revisit the easy-rsa script, verify that vars is to your liking. And then do a:
source ./vars
./clean-all

Rebuild your CA, dh parameters, cert and keys. Rebuild your ta.key wouldn't hurt but shouldn't be necessary.

[Proxin]

Quote:

Originally Posted by beaker_

From here I guess they weren't signed by the same or trusted certificate authority.

I'm assuming you used the easy-rsa script and that your procedure looked pretty much like http://openvpn.net/index.php/open-so...howto.html#pki .

From here you server.conf looks stock enough to fly with little-no troubleshooting so here's a winbloz client conf. I've deleted detail to be vague. .\\VPN_Name\\ is relative so I have a directory named VPN_Name under config. I also use a different cipher so don't dwell over it.

Code:

dev tun
proto udp
remote SomeNameIDontKnow 1194
resolv-retry 90
nobind
persist-key
persist-tun
ca .\\VPN_Name\\ca.crt
cert .\\VPN_Name\\RemoteClientName.crt
key .\\VPN_Name\\RemoteClientName .key
ns-cert-type server
tls-auth .\\VPN_Name\\ta.key 1
tls-client
cipher AES-256-CBC
comp-lzo
verb 3

I suspect you've beat on it enough that you've lost track for which key's were generated when and with who. Probably best to revisit the easy-rsa script, verify that vars is to your liking. And then do a:
source ./vars
./clean-all

Rebuild your CA, dh parameters, cert and keys. Rebuild your ta.key wouldn't hurt but shouldn't be necessary.

What you said about me messing with it so much that I lost track- that was quite correct
I did what you said and rebuilt all of the keys etc. and now it's working great.
Thanks for the help beaker_. Finally got this working