Well, that's a problem - I have no idea where the log file can be.
---------- Post added at 01:16 PM CST ---------- Previous post was at 01:02 PM CST ----------
I got some more info:
SELinux recently reported a couple of errors:
=========
Summary:
SELinux is preventing /usr/sbin/openvpn "read" access to
/etc/openvpn/adsecurity.conf.
Detailed Description:
SELinux denied access requested by openvpn. /etc/openvpn/adsecurity.conf may be
a mislabeled. /etc/openvpn/adsecurity.conf default SELinux type is openvpn_etc_t,
but its current type is fusefs_t. Changing this file back to the default type,
may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/openvpn/adsecurity.conf', if this file is a
directory, you can recursively restore using restorecon -R
'/etc/openvpn/adsecurity.conf'.
Fix Command:
/sbin/restorecon '/etc/openvpn/adsecurity.conf'
Additional Information:
Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /etc/openvpn/adsecurity.conf [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          AIRAHQ
Source RPM Packages           openvpn-2.1-0.37.rc20.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     AIRAHQ.localdomain
Platform                      Linux AIRAHQ.localdomain
                              2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
                              21:25:57 EST 2009 i686 i686
Alert Count                   2
First Seen                    Mon 18 Jan 2010 09:58:14 AM CET
Last Seen                     Mon 18 Jan 2010 12:47:54 PM CET
Local ID                      5cbd7f9a-61b8-4c0b-a3cb-cece1a524ba1
Line Numbers
Raw Audit Messages
node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file
node=AIRAHQ type=SYSCALL msg=audit(1263815274.218:32427): arch=40000003 syscall=5 success=no exit=-13 a0=bfc88f3f a1=0 a2=1b6 a3=80afc47 items=0 ppid=10226 pid=10235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)
=================================
I restored the file context as advised, but then another error appeared:
=================================
Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 18 13:11:53 localhost nm-openvpn[10407]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/adsecurity.key' is group or others accessible
Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Jan 18 13:11:53 localhost nm-openvpn[10407]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Jan 18 13:11:53 localhost nm-openvpn[10407]: LZO compression initialized
Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link local: [undef]
Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link remote: 85.17.167.201:443
Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
Jan 18 13:12:34 localhost NetworkManager: <info> VPN connection 'advpn' (IP Config Get) timeout exceeded.
Jan 18 13:12:34 localhost nm-openvpn[10407]: SIGTERM[hard,] received, process exiting
Jan 18 13:12:34 localhost NetworkManager: <info> Policy set 'System eth0' (eth0) as default for routing and DNS.
==============================
Seems like there is some permission problem?
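
The following is an added example, not part of the original post: a small Python triage script that reads the raw AVC record and the nm-openvpn warnings quoted above and lists which files need relabeling and which have overly open permissions. The function names and the `expected_type` parameter are assumptions made for illustration; the default `openvpn_etc_t` is the type the sealert report gives for this file.

```python
import re

# Sample lines copied from the logs quoted in the post above.
SAMPLE = [
    'node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file',
    "Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/adsecurity.key' is group or others accessible",
    "Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible",
    "Jan 18 13:11:53 localhost nm-openvpn[10407]: LZO compression initialized",
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into its security-relevant fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": selinux_type(fields.get("scontext")),
        "target_type": selinux_type(fields.get("tcontext")),
    }

def triage(lines, expected_type="openvpn_etc_t"):
    """List (action, object, reason) tuples for label and permission problems."""
    findings = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["target_type"] != expected_type:
            # Mislabeled target: restorecon resets it to the policy default.
            findings.append(("relabel", avc["name"], f'{avc["target_type"]} -> {expected_type}'))
        perm = PERM_RE.search(line)
        if perm:
            # Key material readable beyond its owner: tighten the file mode.
            findings.append(("chmod", perm.group(1), "group or others accessible"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```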