OpenVPN failed to start – Ubuntu / LXD issue

Recently I noticed that one of my OpenVPN servers stopped working. It was just after the update on the Ubuntu 16.04.4 LTS. What I found was that the service failed on start:

user@host:~$ sudo systemctl start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.

The status message was also not helpful:

user@host:~$ sudo systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-12-13 14:52:59 CET; 7s ago

Dec 13 14:52:59 vz15951 systemd[1]: Starting OpenVPN connection to server…
Dec 13 14:52:59 vz15951 ovpn-server[1854]: OpenVPN 2.3.18 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep 26 2017
Dec 13 14:52:59 vz15951 ovpn-server[1854]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 13 14:52:59 vz15951 ovpn-server[1854]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Dec 13 14:52:59 vz15951 ovpn-server[1854]: Exiting due to fatal error
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 13 14:52:59 vz15951 systemd[1]: Failed to start OpenVPN connection to server.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Failed with result 'exit-code'.

Anything in the logs?

Unfortunately, logs also don’t look good:

Dec 13 14:52:59 vz15951 systemd[1]: Starting OpenVPN connection to server...
Dec 13 14:52:59 vz15951 ovpn-server[1854]: OpenVPN 2.3.18 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep 26 2017
Dec 13 14:52:59 vz15951 ovpn-server[1854]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 13 14:52:59 vz15951 ovpn-server[1854]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Dec 13 14:52:59 vz15951 ovpn-server[1854]: Exiting due to fatal error
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 13 14:52:59 vz15951 systemd[1]: Failed to start OpenVPN connection to server.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Failed with result 'exit-code'.

There is no clear evidence what failed. I remember that my provider was changing something in the virtual machine configurations recently (the company was bought by the bigger one) and this led me to the simple but brilliant solution…

Service configuration update

There is a known issue with OpenVPN on LXD containers. It has the same symptoms. So I tried to adjust the service configuration file:

user@host:~$ sudo vi /lib/systemd/system/openvpn@.service

I found the line with the LimitNPROC=10 and commented it out:

#LimitNPROC=10

Once updated, I had to perform two more steps – first was the reload of systemctl daemon:

user@host:~$ sudo systemctl daemon-reload

Next, I turned the OpenVPN service on again:

user@host:~$ sudo systemctl start openvpn@server.service

No error message, this looks much better. Let’s take a look at the status:

user@host:~$ sudo systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-12-13 15:15:17 CET; 39s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 3497 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/
 Main PID: 3498 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─3498 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /

Dec 13 15:15:17 vz15951 ovpn-server[3498]: succeeded -> ifconfig_pool_set()
Dec 13 15:15:17 vz15951 ovpn-server[3498]: Initialization Sequence Completed

Wonderful. It is working now. Such a simple solution but it requires a little bit of luck to find it 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *