Hi all, I have 4 machines (actually VPSes) that have a full mesh of VPNs between them. I'm using a slightly-modified version of the 'client' example config. Since it appears TLS, and the use of certificates, requires named client and server peers, I'm using a PSK (one for the whole set).
This, when it works, seems to work fine. The trouble occurs when trying to (re)start the services with systemd. Using 'systemctl restart openvpn-client@host1', for example, will sometimes hang, and eventually return when I run the corresponding command on host1 - but that one then hangs, till I run it on the first one again ... and so on indefinitely. I can usually make it work if I stop both, then start both. But arranging timing like that is difficult, if one machine needs to reboot - whether the VPN between them will come back is unpredictable, to say the least. On the other hand, the VPNs I have with a more conventional cert-based, client-server setup cope with reboots at either end just fine. Any suggestions on why this happens - what state the peers go into, for example - and how to avoid it would be gratefully received.

------------------------------------------------
Here's a sanitised example from host4, for connecting to host1. Many values are chosen to enable them to be templated in automatically from ansible:
------------------------------------------------
local x.x.x.83
remote x.x.x.12
# port numbers chosen to reference the remote end
lport 1191
rport 1194
proto udp
# tun device references remote end
dev tun1
# same key everywhere
secret /etc/openvpn/secret.key
# address last octets chosen to indicate the peers involved
ifconfig 10.111.111.41 10.111.111.14
route 192.168.127.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/lib/openvpn/host1.status
log-append /var/log/openvpn/host1.log
verb 4
explicit-exit-notify
------------------------------------------------

And here's the override file for the systemd openvpn-client@.service unit. Some of these are standard on some of the servers - they're a mix of Debian 9 (stretch) and buster (10):

------------------------------------------------
[Service]
ExecStart=
ExecStart=/usr/sbin/openvpn --config %i.conf
KillMode=process
RestartSec=5s
Restart=on-failure
------------------------------------------------

Stretch unit:

------------------------------------------------
[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
------------------------------------------------

Buster unit:

------------------------------------------------
[Unit]
Description=OpenVPN tunnel for %I
After=network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
Type=notify
PrivateTmp=true
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config %i.conf
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
ProtectSystem=true
ProtectHome=true
KillMode=process

[Install]
WantedBy=multi-user.target
------------------------------------------------

Thanks in advance :-)
Richard
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
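A point-to-point static-key link only comes up when the two generated configs are exact mirror images of each other (local/remote and lport/rport swapped, the ifconfig pair reversed, the same proto, secret, cipher and keepalive on both ends), and with four hosts templated from ansible a single transposed value is easy to miss. The script below is an added example, not code from Richard's post or from the OpenVPN project: it parses two OpenVPN configs, checks that they describe the same link from opposite ends, and checks each against the naming convention the post describes (dev tunN and lport reference the remote host, ifconfig last octets are self-then-peer). Both sample configs are constructed; the host4 side follows the post, the host1 side is the assumed mirror image, and the 192.0.2.x addresses stand in for the sanitised x.x.x.* values.

```python
"""Consistency check for the two ends of an OpenVPN static-key (p2p) link.

Added example, not code from the original post. It assumes the naming
convention described there: dev tunN references the remote host and the
ifconfig last octets are <self><peer> / <peer><self>. Sample configs are
constructed; 192.0.2.x stands in for the sanitised x.x.x.* addresses.
"""

# Constructed: the host4 -> host1 side, following the post.
HOST4_TO_HOST1 = """\
local 192.0.2.83
remote 192.0.2.12
# port numbers chosen to reference the remote end
lport 1191
rport 1194
proto udp
# tun device references remote end
dev tun1
secret /etc/openvpn/secret.key
ifconfig 10.111.111.41 10.111.111.14
route 192.168.127.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
explicit-exit-notify
"""

# Constructed: the assumed host1 -> host4 mirror image.
HOST1_TO_HOST4 = """\
local 192.0.2.12
remote 192.0.2.83
lport 1194
rport 1191
proto udp
dev tun4
secret /etc/openvpn/secret.key
ifconfig 10.111.111.14 10.111.111.41
route 192.168.4.0 255.255.255.0
keepalive 10 120
cipher AES-256-CBC
persist-key
persist-tun
explicit-exit-notify
"""

SAME_BOTH_ENDS = ("proto", "secret", "cipher", "keepalive")  # must be identical
FLAGS_BOTH_ENDS = ("persist-key", "persist-tun")             # bare flags on both ends
SWAPPED = (("local", "remote"), ("lport", "rport"))           # (mine, theirs) pairs


def parse_config(text):
    """Parse OpenVPN config text into {option: [args]}; bare flags map to []."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts


def check_link(a, b):
    """Return mismatches between config dicts a and b (empty list = consistent)."""
    problems = []
    for mine, theirs in SWAPPED:
        if a.get(mine) != b.get(theirs):
            problems.append(f"{mine}={a.get(mine)} on A but {theirs}={b.get(theirs)} on B")
        if a.get(theirs) != b.get(mine):
            problems.append(f"{theirs}={a.get(theirs)} on A but {mine}={b.get(mine)} on B")
    # ifconfig takes <local> <remote>; B's pair must be A's pair reversed.
    ia, ib = a.get("ifconfig", []), b.get("ifconfig", [])
    if len(ia) != 2 or ia != ib[::-1]:
        problems.append(f"ifconfig not mirrored: {ia} vs {ib}")
    for key in SAME_BOTH_ENDS:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    for flag in FLAGS_BOTH_ENDS:
        if (flag in a) != (flag in b):
            problems.append(f"{flag} set on only one end")
    return problems


def check_naming(cfg, self_id, peer_id):
    """Check one config against the post's convention for host numbers self_id/peer_id."""
    problems = []
    if cfg.get("dev") != [f"tun{peer_id}"]:
        problems.append(f"dev should be tun{peer_id}, got {cfg.get('dev')}")
    ifc = cfg.get("ifconfig", ["", ""])
    want_local, want_remote = f".{self_id}{peer_id}", f".{peer_id}{self_id}"
    if len(ifc) != 2 or not ifc[0].endswith(want_local) or not ifc[1].endswith(want_remote):
        problems.append(f"ifconfig last octets should be {want_local}/{want_remote}, got {ifc}")
    return problems


def check_mesh_link(text_a, id_a, text_b, id_b):
    """Parse both ends of one link and return every problem found."""
    a, b = parse_config(text_a), parse_config(text_b)
    return check_link(a, b) + check_naming(a, id_a, id_b) + check_naming(b, id_b, id_a)


if __name__ == "__main__":
    found = check_mesh_link(HOST4_TO_HOST1, 4, HOST1_TO_HOST4, 1)
    for line in found or ["link host4<->host1 is consistent"]:
        print(line)
```

Run it over each pair of rendered templates before they are pushed out; for a four-node full mesh that is six links, so each host's config is checked against three peers. The check treats the secret path as a value that must be identical on both ends, which matches the post's one-key-for-the-whole-mesh setup; it says nothing about the key material itself, and with a single shared key the loss of any one host exposes every link, which is the trade-off that per-link keys (or the TLS/certificate setup the post set aside) would avoid.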