Ubuntu – How to Start 2FA-Using OpenVPN with Systemd

openvpnsystemdUbuntu

I have openvpn config that users 2 factor authentication.

If I start it manually, by running:

/usr/sbin/openvpn --writepid /run/whatever --cd /etc/openvpn/ --config /etc/openvpn/work.conf

it asks for username, then password (provided by software on my phone), and then password for private key. And then it works.

But if/when I try to start it via normal service call:

=# service openvpn start work

nothing is printed, openvpn doesn't work, and journalctl shows:

=# systemctl status openvpn
● openvpn.service - OpenVPN service
   Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
   Active: active (exited) since czw 2015-05-28 10:24:22 CEST; 17min ago
  Process: 30395 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 30395 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/openvpn.service

maj 28 10:24:22 krowka systemd[1]: Starting OpenVPN service...
maj 28 10:41:40 krowka systemd[1]: Started OpenVPN service.

Is there anything I could do to make it work "normally", via "service" call, or any other mean, other than manually building /usr/sbin/openvpn invocation?

Best Answer

I try to start it via normal service call:
# service openvpn start work

No, that's not normal. That's a quirk of System 5 rc toolsets that invokes a System 5 rc script with two arguments. The rc script takes the non-standard second argument as the basename of the OpenVPN configuration to use.

This is Ubuntu Linux. You aren't using System 5 rc. You aren't using its rc script. You are using systemd. You are using systemd service units, which OpenVPN has in fact had for many years now. systemd service units aren't scripts and don't have script arguments.

What they have are template parameters, and OpenVPN was in fact one of the earlier adopters of the template units mechanism when it came along, having had templatized units since at least 2011. (Templatized upstart jobs for OpenVPN have been floating around since at least 2012.)

You're looking at /lib/systemd/system/openvpn.service. What you should be looking at is /lib/systemd/system/openvpn@.service. Instantiate that on the configuration name:

  • systemctl preset openvpn@work.service
  • systemctl disable openvpn@work.service
  • systemctl start openvpn@work.service
  • systemctl stop openvpn@work.service
  • systemctl status openvpn@work.service

Or just let Debian/Ubuntu do the heavy lifting. There's a unit generator in /lib/systemd/system-generators/openvpn-generator that automatically instantiates this template against every *.conf file in /etc/openvpn at bootstrap or when systemctl daemon-reload is run.

Further reading

Related Question