OpenVPN Systemd – Using OpenVPN with Systemd on Debian


Ok, so I've been searching the web for solutions to this problem with no answers seeming to work for me. Hopefully someone can help me. I'm only trying to configure the OpenVPN Client.

I'm running CrunchBang Linux 3.2.0-4-amd64 Debian 3.2.60-1+deb7u1 x86_64 GNU/Linux and I just switched over to using systemd. The changeover went smoothly enough, but now I can't get my OpenVPN client to come up using systemd. I've tried following these configuration tutorials, but nothing works.

I can bring up the tunnel from the command line with openvpn /etc/openvpn/vpn.conf. So I know the config file is good, it was working with sysvinit just fine so I'm not surprised. I then attempt to just do a status with systemctl status openvpn@vpn.service resulting in:

$ sudo systemctl status openvpn@vpn.service
  openvpn@vpn.service
Loaded: error (Reason: No such file or directory)
Active: inactive (dead)

I realized that I need to do some setup for services. I want to be prompted for a password so I followed this guide to create an openvpn@.service in /etc/systemd/system/. But restarting the OpenVPN service still doesn't prompt for a password.

$ sudo service openvpn restart
[ ok ] Restarting openvpn (via systemctl): openvpn.service.

The Fedora tutorials go through the steps of creating symbolic links, but don't create any of the .service files in the walk-throughs.

What piece am I missing? Do I need to create an openvpn@vpn.service? If so, where exactly do I place it? I feel like it shouldn't be this difficult, but I can't seem to find any solution that works for me. I'm happy to provide any more information that's needed.

Solution

-rw-r--r--  1 root root   319 Aug  7 10:42 openvpn@.service

[Unit]
Description=OpenVPN connection to %i
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn

[Install]
WantedBy=multi-user.target

Symlink:

lrwxrwxrwx  1 root root   36 Aug  7 10:47 openvpn@vpn.service -> /lib/systemd/system/openvpn@.service

Prompt For Password

Everything is working now, except for being prompted for a password to connect. I've attempted this solution. I tweaked the file from above just a bit, and added an Expect script like in the example. Working like a charm! My files are below.

Modified lines from the above /lib/systemd/system/openvpn@.service

ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --management localhost 5559 --management-query-passwords --management-forget-disconnect --config /etc/openvpn/%i.conf
ExecStartPost=/usr/bin/expect /lib/systemd/system/openvpn_pw.exp

Expect script /lib/systemd/system/openvpn_pw.exp. Make sure to do the following:

  • chmod +x on the script.
  • Have telnet installed

Code of the expect script:

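#!/usr/bin/expect
# Ask for the key passphrase through systemd's password agent.
set pass [exec /bin/systemd-ask-password "Please insert Private Key password: "]

# Connect to the management interface opened by --management localhost 5559.
spawn telnet 127.0.0.1 5559
expect "Enter Private Key Password:"
# Answer the pending 'Private Key' password query.
send "password 'Private Key' $pass\r"
expect "SUCCESS: 'Private Key' password entered, but not yet verified"
# Leave the management session.
send "exit\r"
expect eof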

It should be noted that the above solution does log the password you entered, in plaintext, in the following logs: /var/log/syslog and /var/log/daemon.log.
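
As an added example (not part of the original post), this Python client answers the same management-interface query on port 5559 over a plain socket and never writes the passphrase to its output. The query string, the double-quote escaping rule and the function names are assumptions based on OpenVPN's management-interface notes, not taken from the page.

```python
#!/usr/bin/env python3
# Added example: answer OpenVPN's management password query without echoing the secret.
import socket
import subprocess
import sys

MGMT_ADDR = ("127.0.0.1", 5559)  # matches "--management localhost 5559" on the page
NEED = b">PASSWORD:Need 'Private Key' password"  # assumed query line from the management notes


def quote(value):
    """Double-quote a value, escaping backslash and double quote for the management parser."""
    if "\n" in value or "\r" in value:
        raise ValueError("passphrase must not contain line breaks")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def submit_passphrase(sock, passphrase, timeout=30.0):
    """Wait for the Private Key query, answer it, and return the reply line."""
    sock.settimeout(timeout)
    reader = sock.makefile("rb")
    for line in reader:
        if line.startswith(NEED):
            break
    else:
        raise ConnectionError("connection closed before the password query")
    sock.sendall(f'password "Private Key" {quote(passphrase)}\n'.encode())
    for line in reader:
        text = line.decode(errors="replace").strip()
        if text.startswith(("SUCCESS:", "ERROR:")):
            return text
    raise ConnectionError("no reply to the password command")


def main():
    # systemd-ask-password writes the answer to stdout; capture it, never print it.
    passphrase = subprocess.run(
        ["/bin/systemd-ask-password", "Please insert Private Key password: "],
        check=True, capture_output=True, text=True,
    ).stdout.rstrip("\n")
    with socket.create_connection(MGMT_ADDR) as sock:
        reply = submit_passphrase(sock, passphrase)
    print(reply)  # status line only; the passphrase itself is never written out
    return 0 if reply.startswith("SUCCESS:") else 1


if __name__ == "__main__":
    sys.exit(main())
```

It could be called from ExecStartPost in place of the Expect script, which also removes the need for telnet.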

Best Answer

I think the Debian OpenVPN setup with systemd is currently a tad bit broken. To get it to work on my machines I had to:

  1. Create /etc/systemd/system/openvpn@.service.d (the directory), and place in it a new file with this:

    [Unit]
    Requires=networking.service
    After=networking.service

     I called my file local-after-ifup.conf. It needs to end with .conf. (This is the bit that's currently a tad bit broken.)

  2. Create a file in /etc/tmpfiles.d (I called mine local-openvpn.conf) with the contents:

    # Type Path         Mode UID  GID  Age Argument
    d      /run/openvpn 0755 root root  -  -

     This is Debian bug 741938 (fixed in 2.3.3-1).

  3. Create a symlink into multi-user.target.wants (easiest way is systemctl enable openvpn@CONF_NAME.service). E.g., if you have /etc/openvpn/foo.conf, you'd use openvpn@foo.service.

  4. If you also have the SysV init script showing up in systemd, disable it. This is Debian bug 700888 (fixed in 2.3.3-1).

NOTE: 2.3.3-1 or later is not yet in testing, though it is in unstable.