FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Jan 2010
    Posts
    3

    OpenVPN service is dead

    Hello all!

    I'm trying to set up OpenVPN on my PC running Fedora 12.
    I have all the settings, key files, etc.
    BUT - it requires authentication.
    So, when I start it manually - it runs normally:

    [root@AIRAHQ openvpn]# openvpn adsecurity.conf
    Mon Jan 18 10:21:46 2010 OpenVPN 2.1_rc20 i686-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 25 2009
    Enter Auth Username:adsecurity
    Enter Auth Password:
    Mon Jan 18 10:22:02 2010 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mon Jan 18 10:22:02 2010 WARNING: file 'adsecurity.key' is group or others accessible
    Mon Jan 18 10:22:02 2010 WARNING: file 'ta.key' is group or others accessible
    Mon Jan 18 10:22:02 2010 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
    Mon Jan 18 10:22:02 2010 LZO compression initialized
    Mon Jan 18 10:22:02 2010 UDPv4 link local: [undef]
    Mon Jan 18 10:22:02 2010 UDPv4 link remote: xxx.xxx.xxx.xxx:443
    Mon Jan 18 10:22:02 2010 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Mon Jan 18 10:22:04 2010 [vpvault] Peer Connection Initiated with xxx.xxx.xxx.xxx:443
    Mon Jan 18 10:22:07 2010 TUN/TAP device tun0 opened
    Mon Jan 18 10:22:07 2010 /sbin/ip link set dev tun0 up mtu 1500
    Mon Jan 18 10:22:07 2010 /sbin/ip addr add dev tun0 local 10.189.0.6 peer 10.189.0.5
    Mon Jan 18 10:22:09 2010 Initialization Sequence Completed
    ==============================

    Since it's initialized perfectly, I have no problem and my connection is working.
    Now I want to have it running automatically at system start up, without asking any password.

    I configured this VPN connection in Network Connections, entered all the data, certificates, user name and password and tried to start up the connection from the network icon in tray.
    And it doesn't connect - after some time the message "Connection failed because the connection attempt timed out" appears.

    In Services screen OpenVPN service appears as "dead" and there is no way to start it.

    Any ideas how to deal with that problem?

    Thanks

  2. #2
    Join Date
    Mar 2004
    Location
    In your closet
    Posts
    15,642
    If you type
    Code:
    su -c 'service openvpn restart'
    do you get errors?

    To have it start at boot type
    Code:
    su -c 'chkconfig --level 35 openvpn on'
    Make sure that command worked by typing
    Code:
    chkconfig --list openvpn
    You should see 3:on and 5:on. 0,1,2,4,and 6 will show off.

    Check the status of openvpn with
    Code:
    service openvpn status
    Is this what you're looking for?
    Glenn
    The Bassinator
    © ®

  3. #3
    Join Date
    Jan 2010
    Posts
    3

    Yes, I get errors restarting the service

    # su -c 'service openvpn restart'
    Shutting down openvpn: [ OK ]
    Starting openvpn: [FAILED]

    ===========
    and the next one:
    ==============

    chkconfig --list openvpn
    openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off

  4. #4
    Join Date
    Mar 2004
    Location
    In your closet
    Posts
    15,642
    Got log files anywhere for that service? If so, do su -c 'tail -f /path/to/logfile' and you will see the file change as you try to restart openvpn. Might be of some help.
    Glenn
    The Bassinator
    © ®

  5. #5
    Join Date
    Jan 2010
    Posts
    3
    Well, that's a problem - I have no idea where the log file can be.

    ---------- Post added at 01:16 PM CST ---------- Previous post was at 01:02 PM CST ----------

    I got some more info:

    SELinux recently reported a couple of errors:
    =========

    Summary:

    SELinux is preventing /usr/sbin/openvpn "read" access to
    /etc/openvpn/adsecurity.conf.

    Detailed Description:

    SELinux denied access requested by openvpn. /etc/openvpn/adsecurity.conf may be
    a mislabeled. /etc/openvpn/adsecurity.conf default SELinux type is openvpn_etc_t,
    but its current type is fusefs_t. Changing this file back to the default type,
    may fix your problem.

    File contexts can be assigned to a file in the following ways.

    * Files created in a directory receive the file context of the parent
    directory by default.
    * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
    * Users can change the file context on a file using tools such as chcon, or
    restorecon.

    This file could have been mislabeled either by user error, or if an normally
    confined application was run under the wrong domain.

    However, this might also indicate a bug in SELinux because the file should not
    have been labeled with this type.

    If you believe this is a bug, please file a bug report against this package.

    Allowing Access:

    You can restore the default system context to this file by executing the
    restorecon command. restorecon '/etc/openvpn/adsecurity.conf', if this file is a
    directory, you can recursively restore using restorecon -R
    '/etc/openvpn/adsecurity.conf'.

    Fix Command:

    /sbin/restorecon '/etc/openvpn/adsecurity.conf'

    Additional Information:

    Source Context unconfined_u:system_r:openvpn_t:s0
    Target Context system_u:object_r:fusefs_t:s0
    Target Objects /etc/openvpn/adsecurity.conf [ file ]
    Source openvpn
    Source Path /usr/sbin/openvpn
    Port <Unknown>
    Host AIRAHQ
    Source RPM Packages openvpn-2.1-0.37.rc20.fc12
    Target RPM Packages
    Policy RPM selinux-policy-3.6.32-41.fc12
    Selinux Enabled True
    Policy Type targeted
    MLS Enabled True
    Enforcing Mode Enforcing
    Plugin Name restorecon
    Host Name AIRAHQ.localdomain
    Platform Linux AIRAHQ.localdomain
    2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7
    21:25:57 EST 2009 i686 i686
    Alert Count 2
    First Seen Mon 18 Jan 2010 09:58:14 AM CET
    Last Seen Mon 18 Jan 2010 12:47:54 PM CET
    Local ID 5cbd7f9a-61b8-4c0b-a3cb-cece1a524ba1
    Line Numbers

    Raw Audit Messages

    node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=file

    node=AIRAHQ type=SYSCALL msg=audit(1263815274.218:32427): arch=40000003 syscall=5 success=no exit=-13 a0=bfc88f3f a1=0 a2=1b6 a3=80afc47 items=0 ppid=10226 pid=10235 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="openvpn" exe="/usr/sbin/openvpn" subj=unconfined_u:system_r:openvpn_t:s0 key=(null)

    =================================

    I restored the file context as advised, but then another error appeared:

    =================================

    Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Jan 18 13:11:53 localhost nm-openvpn[10407]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/adsecurity.key' is group or others accessible
    Jan 18 13:11:53 localhost nm-openvpn[10407]: WARNING: file '/etc/openvpn/ta.key' is group or others accessible
    Jan 18 13:11:53 localhost nm-openvpn[10407]: Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
    Jan 18 13:11:53 localhost nm-openvpn[10407]: LZO compression initialized
    Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link local: [undef]
    Jan 18 13:11:53 localhost nm-openvpn[10407]: UDPv4 link remote: 85.17.167.201:443
    Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
    Jan 18 13:12:05 localhost setroubleshoot: SELinux is preventing /usr/bin/python "read" access on /proc//cmdline. For complete SELinux messages. run sealert -l 2439b377-99cf-4c68-975d-075a8fffb7e8
    Jan 18 13:12:34 localhost NetworkManager: <info> VPN connection 'advpn' (IP Config Get) timeout exceeded.
    Jan 18 13:12:34 localhost nm-openvpn[10407]: SIGTERM[hard,] received, process exiting
    Jan 18 13:12:34 localhost NetworkManager: <info> Policy set 'System eth0' (eth0) as default for routing and DNS.

    ==============================

    Seems like there is some permission problem?

  6. #6
    Join Date
    Nov 2008
    Location
    Canada
    Posts
    2,719
    I see three problems:

    You've configured it in nm applet but are trying to start it in services even though they are two different things.

    The selinux errors are telling us it won't permit the service to start anyway because the cert & keys aren't in the proper location (fusefs_t, mounted device??). Unless you've mounted that device there but then you'll have to permit it.

    You haven't pasted your .conf so we're assuming the user name & password are in the cert & key (build-key-pass vs build-key) and not from a plugin or script. Which may also be part of the fusefs_t thing. And you should put a log & verb ref in your .conf so you have a log.

    Oh, and it should have been openvpn --config CONFIG.FILE.NAME to start it from the command line.
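
Added example (not part of any post in this thread): a small Python triage of the raw AVC record from post #5, extracting the source domain and target type and flagging the fusefs_t versus openvpn_etc_t mismatch that the sealert text and post #6 point to. The EXPECTED_TYPES map, OTHER_LINE and the function names are assumptions made for this illustration.

```python
import re

# Raw AVC record copied from post #5 of the thread.
AVC_LINE = (
    'node=AIRAHQ type=AVC msg=audit(1263815274.218:32427): avc: denied { read } '
    'for pid=10235 comm="openvpn" name="adsecurity.conf" dev=sda1 ino=6273 '
    'scontext=unconfined_u:system_r:openvpn_t:s0 '
    'tcontext=system_u:object_r:fusefs_t:s0 tclass=file'
)
# Constructed non-AVC line, to show that other audit record types are skipped.
OTHER_LINE = 'node=AIRAHQ type=SYSCALL msg=audit(1263815274.218:32427): syscall=5 success=no'

# Assumption for this example: file types each domain is expected to read for
# its configuration. openvpn_etc_t is the default type named in the sealert text.
EXPECTED_TYPES = {"openvpn_t": {"openvpn_etc_t"}}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":", 3)  # the MLS level may itself contain ':'
    return parts[2] if len(parts) >= 3 else None


def triage(line):
    """Summarise one AVC denial, or return None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    source = context_type(fields.get("scontext", ""))
    target = context_type(fields.get("tcontext", ""))
    if source is None or target is None:
        return None
    expected = EXPECTED_TYPES.get(source, set())
    return {
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "perms": m.group("perms").split(),
        "source_type": source,
        "target_type": target,
        "expected_types": sorted(expected),
        # True when the domain has a known expected type and the target is not it.
        "label_mismatch": bool(expected) and target not in expected,
    }


if __name__ == "__main__":
    print(triage(AVC_LINE))
```

A label_mismatch of True corresponds to the case the sealert text describes, where restoring the default context is the suggested fix.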
