On Mon, 7 Jun 2021 11:46:02 +0200, David Sommerseth
<open...@sf.lists.topphemmelig.net> wrote:

Thanks for your reply and information!
I am still confused, see below

>> I have seen different ways of accomplishing this:
>> 
>> 1) Via the openvpn defaults
>> ---------------------------
>> In this case the client.ovpn file is renamed to client.conf and placed in
>> /etc/openvpn.
>> 
>> Then the defaults file is edited:
>> sudo nano /etc/default/openvpn
>> 
>> And the AUTOSTART line is set like this:
>> AUTOSTART="client"
>> 
>> Then:
>> sudo systemctl daemon-reload
>> sudo systemctl restart openvpn
>
>This is not recommended at all.  This approach is Debian's way to 
>simulate the behaviour of the pre-systemd days.  Over the years, this 
>has caused many unexpected behaviours.

How can I invalidate my use of this method so I get a clean system again?
Is it enough to comment out the AUTOSTART line and then run the commands:

sudo systemctl daemon-reload
sudo systemctl stop openvpn

>> 
>> 2) By adding a service
>> ----------------------
>> Do the same as above with the client.ovpn file
>> 
>> Then:
>> sudo systemctl enable openvpn@client.service
>> sudo service openvpn@client start
>> or
>> sudo systemctl start openvpn@client
>
>This is also NOT recommended.

OK - understood...

>
>Put client configuration files into /etc/openvpn/client ... private keys 
>may be placed in /etc/openvpn/private

I have now *moved* the client's conf file from /etc/openvpn to
/etc/openvpn/client after first doing this:

sudo systemctl stop openvpn@SSRemote002

>
>Then use: systemd start openvpn-client@CONFIG_NAME

So you mean that if the conf file is placed inside the client dir then running
this command will both start the connection and also make it a service that will
run on startup in the future?

  sudo systemd start openvpn-client@SSRemote002

Or will any conf file placed there be started on system startup?

>
>This is the only approach supported by the upstream OpenVPN project. 
>For more details: 
><https://github.com/OpenVPN/openvpn/blob/master/distro/systemd/README.systemd>
>

I tried to do what you described and this is the result:

$ systemd start openvpn-client@SSRemote002
Excess arguments.

Adding sudo in front causes the same Excess arguments response to happen... :(

>> 3) By setting up a cron job running on startup
>> ----------------------------------------------
>> In this case cron is set up to run openvpn with the client.conf file as
>> config, not necessarily located in /etc/openvpn
>
>This sounds like a kludgy workaround hack.  Don't do that.  You will 
>have much more control when systemd is used correctly.  In addition to 
>systemd's journal also fetching the logs in a way which is easier to 
>navigate in afterwards.

It was not something I seriously contemplated using but wanted to add as an
example of yet another way to start openvpn with the client's conf file to
connect to the remote location.

>
>The openvpn-server@.service unit also has "RestartSec=5s" and 
>"Restart=on-failure" set, which will automatically restart openvpn 
>servers if they die unexpectedly.  You can do a similar trick with the 
>openvpn-client@.service - also for only specific configuration files:
>
>    # systemctl edit openvpn-client@CONFIG_NAME
>
>This will fire off an editor, where you add these lines:
>
>    [Service]
>    RestartSec=1m
>    Restart=on-failure
>
>This will automatically restart this particular configuration after 1 
>minute if the openvpn process dies unexpectedly.  "1 minute" may be 
>tweaked, but also consider race conditions against your server.  Not all 
>client configs will be too happy if started too quickly afterwards.  1 
>minute is very conservative - but based on this being a common timer delay 
>on the server side, 30 seconds might be enough and work fine too.

If this is not done, what happens?
Does the connection remain down until someone manually does some rescue action?
Is there no default timeout?


-- 
Bo Berglund
Developer in Sweden



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
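
An added example, not part of the original message or of the OpenVPN project: a small inventory script for checking which of the start-up methods discussed in this thread are still configured on a host. The paths and unit names (/etc/default/openvpn, /etc/openvpn, /etc/openvpn/client, openvpn@NAME, openvpn-client@NAME) are the ones named in the thread; the function names and output labels are made up for illustration, and it assumes that a .conf file directly in /etc/openvpn is a candidate for the openvpn@NAME unit.

```shell
#!/bin/sh
# Added example (not from the thread): list which OpenVPN client start-up
# methods are configured under a root directory. Function names are made up.
# Usage on a live system:  ovpn_startup_inventory ""

# Print the value of the last uncommented AUTOSTART= line, if any.
autostart_value() {
    f="$1/etc/default/openvpn"
    [ -f "$f" ] || return 0
    sed -n 's/^[[:space:]]*AUTOSTART=//p' "$f" | tr -d '"' | tail -n 1
}

# Print the base name (without .conf) of each config directly inside a dir.
conf_names() {
    for c in "$1"/*.conf; do
        [ -f "$c" ] || continue      # unmatched glob or not a regular file
        basename "$c" .conf
    done
}

# One finding per line: "<method> <setting or unit instance>".
ovpn_startup_inventory() {
    root="$1"
    a=$(autostart_value "$root")
    if [ -n "$a" ]; then
        echo "legacy-autostart AUTOSTART=$a"
    fi
    conf_names "$root/etc/openvpn" | while read -r n; do
        echo "legacy-unit openvpn@$n"
    done
    conf_names "$root/etc/openvpn/client" | while read -r n; do
        echo "upstream-unit openvpn-client@$n"
    done
}
```

Lines labelled legacy-autostart or legacy-unit point at configuration left over from methods 1 and 2; the script only reads files and does not start, stop or enable anything.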
