20

when trying to service openvpn start

Oct 12 14:02:01 ccushing1 openvpn[9091]: Options error: In [CMD-LINE]:1: Error opening configuration file: devnet-client-vm.conf

Running openvpn devnet-client-vm.conf works just fine. Why does openvpn not start? How can I fix it?

xenoterracide

7 Answers

17

You might want to run

fixfiles -R openvpn restore

An ls -alZ should give you something like this (showing your files are in the correct selinux context now):

[root@server openvpn]# ls -alZ /etc/openvpn/
drwxr-xr-x. root    root    system_u:object_r:openvpn_etc_t:s0 .
drwxr-xr-x. root    root    system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root    root    unconfined_u:object_r:openvpn_etc_t:s0 certs
-rw-r--r--. root    root    unconfined_u:object_r:openvpn_etc_t:s0 dh2048.pem
drwxr-xr-x. root    root    unconfined_u:object_r:openvpn_etc_t:s0 easy-rsa
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_rw_t:s0 ipp.txt
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_t:s0 ta.key
-rw-------. openvpn openvpn unconfined_u:object_r:openvpn_etc_t:s0 server.conf

If you have a statement like

status openvpn-status.log

in your openvpn config file, you might notice the server still won't start. A peek at the /var/log/audit/audit.log will reveal

type=AVC msg=audit(1413580155.710:1265): avc:  denied  { write } for  pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

Changing the context of this file to rw does the trick:

chcon -t openvpn_etc_rw_t openvpn-status.log

and

[root@server openvpn]# ls -alZ openvpn-status.log
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_t:s0 openvpn-status.log

will become

-rw-------. root    root    unconfined_u:object_r:openvpn_etc_rw_t:s0 openvpn-status.log

Afterwards the call

service openvpn@server start

worked flawlessly.

[root@server openvpn]# service openvpn@server status
Redirecting to /bin/systemctl status  openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled)
   Active: active (running) since Fri 2014-10-17 23:13:49 CEST; 9s ago
  Process: 20445 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 20449 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─20449 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

Oct 17 23:13:49 server openvpn[20445]: ROUTE_GATEWAY xx.xxx.xx.x/255.255.255.0 IFACE=eth0 HWADDR=XX:XX:XX:XX:XX:XX
Oct 17 23:13:49 server openvpn[20449]: GID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link local (bound): [undef]
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link remote: [undef]
Oct 17 23:13:49 server openvpn[20449]: MULTI: multi_init called, r=256 v=256
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Oct 17 23:13:49 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL LIST
Oct 17 23:13:49 server openvpn[20449]: Initialization Sequence Completed

PS: I'm on CentOS 7.

massimo2001
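
Added example, not part of the answer above: a small shell triage of the AVC record quoted there, which extracts the denied permission and the source and target types and prints (without running) the `semanage fcontext` and `restorecon` commands that record the `openvpn_etc_rw_t` label in the file-context database. A label set only with `chcon` is not recorded there, so a later `restorecon` or `fixfiles restore` resets it to the policy default. The function names are hypothetical, and the `/etc/openvpn` directory is an assumption taken from the `--cd /etc/openvpn/` in the status output, since the AVC record carries only the file name.

```shell
#!/usr/bin/env bash
# Added example: triage an SELinux AVC denial for the openvpn domain.
# SAMPLE is the audit.log record quoted in the answer above.
SAMPLE='type=AVC msg=audit(1413580155.710:1265): avc:  denied  { write } for  pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value or KEY="value".
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the denied permissions listed between { and }.
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ *\(.*[^ ]\) *}.*/\1/p'
}

# se_type CONTEXT: print the type, the third field of user:role:type:level.
se_type() { printf '%s\n' "$1" | cut -d: -f3; }

# suggest_type LINE: print the label the answer switched to when openvpn_t is
# denied write on a file typed openvpn_etc_t; return 1 for any other denial.
suggest_type() {
  case "$1" in *"type=AVC"*denied*) ;; *) return 1 ;; esac
  src=$(se_type "$(avc_field "$1" scontext)")
  tgt=$(se_type "$(avc_field "$1" tcontext)")
  case " $(avc_perms "$1") " in *" write "*) ;; *) return 1 ;; esac
  [ "$src" = openvpn_t ] && [ "$tgt" = openvpn_etc_t ] || return 1
  echo openvpn_etc_rw_t
}

# persistent_fix LINE DIR: print (do not run) commands that record the label
# in the file-context database, so a later relabel keeps it. DIR is an
# assumption supplied by the caller: the AVC record carries only the name.
persistent_fix() {
  new=$(suggest_type "$1") || return 1
  file="$2/$(avc_field "$1" name)"
  # Escape dots: semanage fcontext takes a regular expression.
  re=$(printf '%s' "$file" | sed 's/\./\\./g')
  printf "semanage fcontext -a -t %s '%s'\n" "$new" "$re"
  printf 'restorecon -v %s\n' "$file"
}

persistent_fix "$SAMPLE" /etc/openvpn
```
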
7

For anyone else that finds this thread, I had the problem on Fedora 26. Turns out the instructions I was following had you put the conf files in /etc/openvpn directory, but they need to go in /etc/openvpn/server.

Jeremiah
1

The problem is SELinux; editing /etc/sysconfig/selinux and setting SELINUX=permissive and then rebooting fixed it for me. I remember in Fedora that there was a command that had to be run to allow the cert directory to be used properly, but I forget what that command is. Setting to permissive fixes it completely, but a more preferred way would be to fix it so that it can use the directory properly.

xenoterracide
0

For the cert directory and the SELinux issue, it seems that's quite old, first reported here: https://bugzilla.redhat.com/show_bug.cgi?id=555785 And it seems it's an upstream bug, at least when you use NetworkManager to control your openvpn connection. But the upstream bug is still "unconfirmed" -.- https://bugzilla.gnome.org/show_bug.cgi?id=670198

Maybe SELinux re-labeling problem while attempting to run OpenVPN helps somehow with the SELinux bits.

Or if you want to use per-user certificates, and not systemwide ones: https://superuser.com/questions/339391/making-selinux-play-nice-with-openvpn-in-networkmanager

doktor5000
0

I resolved the above error by moving the conf file(s) to the client directory, e.g.,

/etc/openvpn/client/openvpn.conf
  • 1
    @GAD3R: Huh?  It appears to me that this *does* provide an answer to the question; every bit as much as [Jeremiah’s answer](https://unix.stackexchange.com/q/411183/80216#578089), which is similar (but not identical). – G-Man Says 'Reinstate Monica' Apr 05 '20 at 20:48
0

I had this error that is mentioned in the header since I had mistyped the name of the ovpn file, typing opvn instead. Better always use the tab trick to complete writing the name of a file.

sudo openvpn MY_FILE.ovpn

Side-note: This works, but in my case, it did not help me, my DBMS still could not reach the databases of an external network. Instead, I had to go to Linux "Network Settings", click on the "+" to create a new VPN connection, and choose to import from file and select MY_FILE.ovpn.

questionto42
0

Same problem for me also. The issue was I was not in the vpn.ovpn file directory.

1) Check your directory (sudo openvpn vpn.ovpn)
2) If not solved, do this -> sudo killall openvpn
3) Again try to connect (sudo openvpn [file.name])
4) Redownload the file if possible. Sometimes ovpn files also may have issues.
