Fedora Linux Support Community & Resources Center
  #1  
Old 18th January 2010, 10:30 AM
litikiti Offline
Registered User
 
Join Date: Jan 2010
Posts: 3
OpenVPN service is dead

Hello all!

I'm trying to set up OpenVPN on my PC running Fedora 12.
I have all the settings, key files, etc.
BUT - it requires authentication.
So, when I start it manually - it runs normally:

[root@AIRAHQ openvpn]# openvpn adsecurity.conf
Mon Jan 18 10:21:46 2010 OpenVPN 2.1_rc20 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 25 2009
Enter Auth Username:adsecurity
Enter Auth Password:
Mon Jan 18 10:22:02 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Jan 18 10:22:02 2010 WARNING: file 'adsecurity.key' is group or others accessible
Mon Jan 18 10:22:02 2010 WARNING: file 'ta.key' is group or others accessible
Mon Jan 18 10:22:02 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Mon Jan 18 10:22:02 2010 LZO compression initialized
Mon Jan 18 10:22:02 2010 UDPv4 link local: [undef]
Mon Jan 18 10:22:02 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:443
Mon Jan 18 10:22:02 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 18 10:22:04 2010 [vpvault] Peer Connection Initiated with xxx.xxx.xxx.xxx:443
Mon Jan 18 10:22:07 2010 TUN/TAP device tun0 opened
Mon Jan 18 10:22:07 2010 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 18 10:22:07 2010 /sbin/ip addr add dev tun0 local 10.189.0.6 peer 10.189.0.5
Mon Jan 18 10:22:09 2010 Initialization Sequence Completed
==============================

Since it's initialized perfectly, I have no problem and my connection is working.
Now I want to have it running automatically at system start up, without asking any password.

I configured this VPN connection in Network Connections, entered all the data, certificates, user name and password and tried to start up the connection from the network icon in the tray.
And it doesn't connect - after some time the message "Connection failed because the connection attempt timed out" appears.

In the Services screen the OpenVPN service appears as "dead" and there is no way to start it.

Any ideas how to deal with that problem?

Thanks
  #2  
Old 18th January 2010, 11:00 AM
glennzo Online
Un-Retired Administrator
 
Join Date: Mar 2004
Location: Salem, Mass USA
Age: 57
Posts: 14,768
If you type
Code:
su -c 'service openvpn restart'
do you get errors?

To have it start at boot type
Code:
su -c 'chkconfig --level 35 openvpn on'
Make sure that command worked by typing
Code:
chkconfig --list openvpn
You should see 3:on and 5:on. 0, 1, 2, 4, and 6 will show off.

Check the status of openvpn with
Code:
service openvpn status
Is this what you're looking for?
__________________
Glenn
The Bassinator © ®

Laptop: Just a couple of old single core units
Desktop: BioStar MCP6PB M2+ / AMD Phenom 9750 Quad Core / 4GB / Kingston HyperX 3K SSD 240GB SATA 3.0 / 1TB SATA / EVGA GeForce 8400 GS 1GB
  #3  
Old 18th January 2010, 11:50 AM
litikiti Offline
Registered User
 
Join Date: Jan 2010
Posts: 3
Yes, I get errors restarting the service

# su -c 'service openvpn restart'
Shutting down openvpn: [ OK ]
Starting openvpn: [FAILED]

===========
and the next one:
==============

chkconfig --list openvpn
openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
  #4  
Old 18th January 2010, 11:56 AM
glennzo Online
Un-Retired Administrator
 
Join Date: Mar 2004
Location: Salem, Mass USA
Age: 57
Posts: 14,768
Got log files anywhere for that service? If so, do su -c 'tail -f /path/to/logfile' and you will see the file change as you try to restart openvpn. Might be of some help.
  #5  
Old 18th January 2010, 12:16 PM
litikiti Offline
Registered User
 
Join Date: Jan 2010
Posts: 3
Well, that's a problem - I have no idea where the log file can be.

---------- Post added at 01:16 PM CST ---------- Previous post was at 01:02 PM CST ----------

I got some more info:

SELinux recently reported a couple of errors:
=========

Summary:

SELinux is preventing /usr/sbin/openvpn "read" access to
/etc/openvpn/adsecurity.conf.

Detailed Description:

SELinux denied access requested by openvpn. /etc/openvpn/adsecurity.conf may be
a mislabeled. /etc/openvpn/adsecurity.conf default SELinux type is openvpn_etc_t,
but its current type is fusefs_t. Changing this file back to the default type,
may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/openvpn/adsecurity.conf', if this file is a
directory, you can recursively restore using restorecon -R
'/etc/openvpn/adsecurity.conf'.

Fix Command:

/sbin/restorecon '/etc/openvpn/adsecurity.conf'

Additional Information:

Source Context                unconfined_u:system_r:openvpn_t:s0
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /etc/openvpn/adsecurity.conf [ file ]
Source                        openvpn
Source Path                   /usr/sbin/openvpn
Port                          <Unknown>
Host                          AIRAHQ
Source RPM Packages           openvpn-2.1-0.37.rc20.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     AIRAHQ.localdomain
Platform                      Linux AIRAHQ.localdomain
                              2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
                              21:25:57 EST 2009 i686 i686
Alert Count                   2
First Seen                    Mon 18 Jan 2010 09:58:14 AM CET
Last Seen                     Mon 18 Jan 2010 12:47:54 PM CET
Local ID                      5cbd7f9a-61b8-4c0b-a3cb-cece1a524ba1
Line Numbers

Raw Audit Messages

node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

node=AIRAHQ type=SYSCALL msg=audit(1263815274.218:32427): arch=40000003 syscall=5 success=no exit=-13 a0=bfc88f3f a1=0 a2=1b6 a3=80afc47 items=0 ppid=10226 pid=10235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

=================================

I restored the file context as advised, but then another error appeared:

=================================

Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 18 13:11:53 localhost nm-openvpn[10407]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/adsecurity.key' is group or others accessible
Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
Jan 18 13:11:53 localhost nm-openvpn[10407]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Jan 18 13:11:53 localhost nm-openvpn[10407]: LZO compression initialized
Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link local: [undef]
Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link remote: 85.17.167.201:443
Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
Jan 18 13:12:34 localhost NetworkManager: <info> VPN connection 'advpn' (IP Config Get) timeout exceeded.
Jan 18 13:12:34 localhost nm-openvpn[10407]: SIGTERM[hard,] received, process exiting
Jan 18 13:12:34 localhost NetworkManager: <info> Policy set 'System eth0' (eth0) as default for routing and DNS.

==============================

Seems like there is some permission problem?
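The AVC record in the post above can be triaged mechanically: if the target's type differs from the policy default, the denial is a labeling problem rather than a policy gap. The following is an added example, not part of the original thread; the function names are hypothetical, and the expected type `openvpn_etc_t` is taken from the sealert report.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): triage an SELinux AVC denial.

# Raw AVC record copied from the post above.
AVC_LINE='node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file'

# avc_field LINE KEY : value of the first KEY=... token, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed -n 1p | tr -d '"'
}

# avc_perms LINE : the permission list between "{" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# context_type CONTEXT : the type, third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# triage LINE EXPECTED_TYPE : say whether the denial is a labeling problem
# (target type differs from the policy default) or a genuine policy denial.
triage() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    obj=$(avc_field "$1" name)
    if [ "$tgt" != "$2" ]; then
        echo "mislabel: $obj is $tgt, default is $2 ($src denied: $(avc_perms "$1"))"
    else
        echo "policy: $src may not $(avc_perms "$1") $obj although it is labeled $tgt"
    fi
}

# openvpn_etc_t is the default type named in the sealert report.
triage "$AVC_LINE" openvpn_etc_t
```

On a live system, `ls -Z` shows a file's current label and `matchpathcon` prints the default the policy expects for a path.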
  #6  
Old 18th January 2010, 01:10 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,400
I see three problems:

You've configured it in nm applet but are trying to start it in services even though they are two different things.

The selinux errors are telling us it won't permit the service to start anyway because the cert & keys aren't in the proper location (fusefs_t, mounted device??). Unless you've mounted that device there but then you'll have to permit it.

You haven't pasted your .conf so we're assuming the user name & password are in the cert & key (build-key-pass vs build-key) and not from a plugin or script. Which may also be part of the fusefs_t thing. And you should put a log & verb ref in your .conf so you have a log.

Oh, and it should have been openvpn --config CONFIG.FILE.NAME to start it from the command line.
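The warnings in the logs earlier in the thread (key files accessible to group or others, cached passwords, no server certificate verification) and the advice above to add log and verb settings can be checked in one pass. This is an added example, not part of the original thread; the function names are hypothetical and the sample config and key files are constructed, since the poster's .conf was never shown.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag the conditions the OpenVPN
# warnings above point at. Paths and file contents are constructed.

# has_directive FILE NAME... : true if any NAME starts a non-comment line.
has_directive() {
    conf=$1; shift
    for name in "$@"; do
        grep -Eq "^[[:space:]]*${name}([[:space:]]|\$)" "$conf" && return 0
    done
    return 1
}

# audit_conf FILE : print one finding per line; no output means clean.
audit_conf() {
    has_directive "$1" log log-append ||
        echo "no-log: nothing is written when the service fails to start"
    has_directive "$1" verb ||
        echo "no-verb: log verbosity not set"
    has_directive "$1" auth-nocache ||
        echo "no-auth-nocache: credentials may stay cached in memory"
    has_directive "$1" remote-cert-tls ns-cert-type tls-remote tls-verify ||
        echo "no-server-verify: server certificate is not checked"
}

# loose_keys DIR : list *.key files with any group/other permission bit set
# (GNU find syntax), i.e. the files OpenVPN warns about.
loose_keys() {
    find "$1" -maxdepth 1 -type f -name '*.key' -perm /077 | sort
}

# demo : build a throwaway directory shaped like the poster's setup and audit it.
demo() {
    dir=$(mktemp -d)
    printf 'client\ndev tun\nproto udp\ntls-auth ta.key 1\nkey adsecurity.key\n' > "$dir/adsecurity.conf"
    : > "$dir/adsecurity.key"; chmod 644 "$dir/adsecurity.key"
    : > "$dir/ta.key";         chmod 600 "$dir/ta.key"
    audit_conf "$dir/adsecurity.conf"
    loose_keys "$dir" | sed "s|^$dir/|loose-key: |"
    rm -rf "$dir"
}

demo
```

A key file flagged by `loose_keys` stops triggering the warning once it is set to mode 600 and owned by the account that starts OpenVPN.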