openvpn[]: Options error: In [CMD-LINE]:1: Error opening configuration file


14

When trying service openvpn start

Oct 12 14:02:01 ccushing1 openvpn[9091]: Options error: In [CMD-LINE]:1: Error opening configuration file: devnet-client-vm.conf

Running openvpn devnet-client-vm.conf works fine. Why can't openvpn start? How do I fix it?


I've provided an answer, but I'd encourage answers that don't involve neutering SELinux
xenoterracide

Answers:


12

You may want to run

fixfiles -R openvpn restore

ls -alZ should then give you something like this (now showing the files in the correct SELinux context):

[root@server openvpn]# ls -alZ /etc/openvpn/
drwxr-xr-x. root    root    system_u:object_r:openvpn_etc_t:s0 .
drwxr-xr-x. root    root    system_u:object_r:etc_t:s0       ..
drwxr-xr-x. root    root    unconfined_u:object_r:openvpn_etc_t:s0 certs
-rw-r--r--. root    root    unconfined_u:object_r:openvpn_etc_t:s0 dh2048.pem
drwxr-xr-x. root    root    unconfined_u:object_r:openvpn_etc_t:s0 easy-rsa
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_rw_t:s0 ipp.txt
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_t:s0 ta.key
-rw-------. openvpn openvpn unconfined_u:object_r:openvpn_etc_t:s0 server.conf

If you have a statement like

status openvpn-status.log

in your openvpn config file, you may notice that the server still does not start. Peeking into /var/log/audit/audit.log will show

type=AVC msg=audit(1413580155.710:1265): avc:  denied  { write } for  pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file

Changing the context of this file to rw does the trick:

chcon -t openvpn_etc_rw_t openvpn-status.log

[root@server openvpn]# ls -alZ openvpn-status.log
-rw-------. root    root    unconfined_u:object_r:openvpn_etc_t:s0 openvpn-status.log

becomes

-rw-------. root    root    unconfined_u:object_r:openvpn_etc_rw_t:s0 openvpn-status.log

after which calling

service openvpn@server start

works perfectly.

[root@server openvpn]# service openvpn@server status
Redirecting to /bin/systemctl status  openvpn@server.service
openvpn@server.service - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; disabled)
   Active: active (running) since Fri 2014-10-17 23:13:49 CEST; 9s ago
  Process: 20445 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf (code=exited, status=0/SUCCESS)
 Main PID: 20449 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─20449 /usr/sbin/openvpn --daemon --writepid /var/run/openvpn/server.pid --cd /etc/openvpn/ --config server.conf

Oct 17 23:13:49 server openvpn[20445]: ROUTE_GATEWAY xx.xxx.xx.x/255.255.255.0 IFACE=eth0 HWADDR=XX:XX:XX:XX:XX:XX
Oct 17 23:13:49 server openvpn[20449]: GID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UID set to nobody
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link local (bound): [undef]
Oct 17 23:13:49 server openvpn[20449]: UDPv4 link remote: [undef]
Oct 17 23:13:49 server openvpn[20449]: MULTI: multi_init called, r=256 v=256
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Oct 17 23:13:49 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
Oct 17 23:13:49 server openvpn[20449]: IFCONFIG POOL LIST
Oct 17 23:13:49 server openvpn[20449]: Initialization Sequence Completed

PS: I'm using CentOS 7.
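
As an added example (not part of the answer above), a small shell helper that triages openvpn AVC lines from audit.log the way the answer does by hand: a denied write against a file still labelled openvpn_etc_t gets the chcon suggestion, any other openvpn denial gets a restorecon. The audit lines are constructed samples, and the printed commands assume you run them from /etc/openvpn, since the name= field in an AVC record is only a basename.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log AVC lines (not real data).
# Line 1: write denied on a file still labelled openvpn_etc_t -> needs the rw type.
# Line 2: read denied on a cert carrying a home-directory label -> mislabelled, restorecon.
# Line 3: a denial for a different daemon, which must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1413580155.710:1265): avc:  denied  { write } for  pid=19725 comm="openvpn" name="openvpn-status.log" dev="dm-1" ino=54153273 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file
type=AVC msg=audit(1413580160.001:1270): avc:  denied  { read } for  pid=19725 comm="openvpn" name="server.crt" dev="dm-1" ino=54153280 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1413580161.002:1271): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev="dm-1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file'

# suggest_fixes: reads AVC lines on stdin and prints one command per openvpn
# denial, meant to be run from /etc/openvpn (name= is only a basename).
suggest_fixes() {
    awk '
    /^type=AVC/ && /comm="openvpn"/ {
        perm = ""; name = ""; ttype = ""
        # permission set between the braces, e.g. "{ write }"
        if (match($0, /[{] [a-z_ ]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        # file name from name="..."
        if (match($0, /name="[^"]*"/)) name = substr($0, RSTART + 6, RLENGTH - 7)
        # type field (third colon-separated part) of tcontext=
        if (match($0, /tcontext=[^ ]*/)) {
            n = split(substr($0, RSTART + 9, RLENGTH - 9), ctx, ":")
            if (n >= 3) ttype = ctx[3]
        }
        # a write blocked on an openvpn_etc_t file is the status/log case from
        # the answer; anything else is a file that simply carries the wrong label
        if (perm == "write" && ttype == "openvpn_etc_t")
            print "chcon -t openvpn_etc_rw_t " name
        else
            print "restorecon -v " name
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | suggest_fixes
```

On a real box, feed it with `grep openvpn /var/log/audit/audit.log | suggest_fixes` and review the output before running anything.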


This should be marked as the correct answer.
ansi_lumen

4

For anyone else finding this thread, I had the problem on Fedora 26. The original instructions said to put your conf files in the /etc/openvpn directory, but they need to go in /etc/openvpn/server.


1
Thanks. For anyone else who needs to dig deeper: you must copy the ca, crt and key files (so two .crt files and one .key) into the same directory.
AlexWalterbos

1
This was also my solution on CentOS 8.
oucil

1

The problem was SELinux; for me, editing /etc/sysconfig/selinux, setting SELINUX=permissive and then rebooting fixed it. I recall there is a command in Fedora that must be run for it to use the cert directory properly, but I forget what that command is. Setting it to fully permissive fixes it, but the preferable approach is to fix it so that it uses the directory correctly.


0

The cert directory and SELinux problem seems to be quite old, first reported here: https://bugzilla.redhat.com/show_bug.cgi?id=555785 It appears to be an upstream bug, at least when you use NetworkManager to control your openvpn connection. But the upstream bug is still "unconfirmed" -.- https://bugzilla.gnome.org/show_bug.cgi?id=670198

Maybe having SELinux relabel at the moment you try to run OpenVPN can help to some extent.

Or, if you want to use per-user certificates instead of system-wide ones: https://superuser.com/questions/339391/making-selinux-play-nice-with-openvpn-in-networkmanager

