OpenVPN failed to start – Ubuntu / LXD issue

Recently I noticed that one of my OpenVPN servers stopped working. It happened just after an update on Ubuntu 16.04.4 LTS. What I found was that the service failed on start:

user@host:~$ sudo systemctl start openvpn@server.service
Job for openvpn@server.service failed because the control process exited with error code. See "systemctl status openvpn@server.service" and "journalctl -xe" for details.

The status message was also not helpful:

user@host:~$ sudo systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2018-12-13 14:52:59 CET; 7s ago

Dec 13 14:52:59 vz15951 systemd[1]: Starting OpenVPN connection to server…
Dec 13 14:52:59 vz15951 ovpn-server[1854]: OpenVPN 2.3.18 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep 26 2017
Dec 13 14:52:59 vz15951 ovpn-server[1854]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 13 14:52:59 vz15951 ovpn-server[1854]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Dec 13 14:52:59 vz15951 ovpn-server[1854]: Exiting due to fatal error
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 13 14:52:59 vz15951 systemd[1]: Failed to start OpenVPN connection to server.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Failed with result 'exit-code'.

Anything in the logs?

Unfortunately, logs also don’t look good:

Dec 13 14:52:59 vz15951 systemd[1]: Starting OpenVPN connection to server...
Dec 13 14:52:59 vz15951 ovpn-server[1854]: OpenVPN 2.3.18 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Sep 26 2017
Dec 13 14:52:59 vz15951 ovpn-server[1854]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Dec 13 14:52:59 vz15951 ovpn-server[1854]: daemon() failed or unsupported: Resource temporarily unavailable (errno=11)
Dec 13 14:52:59 vz15951 ovpn-server[1854]: Exiting due to fatal error
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 13 14:52:59 vz15951 systemd[1]: Failed to start OpenVPN connection to server.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Unit entered failed state.
Dec 13 14:52:59 vz15951 systemd[1]: openvpn@server.service: Failed with result 'exit-code'.

There is no clear evidence of what failed. I remember that my provider was changing something in the virtual machine configurations recently (the company was bought by a bigger one), and this led me to the simple but brilliant solution…

Service configuration update

There is a known issue with OpenVPN on LXD containers. It has the same symptoms. So I tried to adjust the service configuration file:

user@host:~$ sudo vi /lib/systemd/system/openvpn@.service

I found the line with LimitNPROC=10 and commented it out:

#LimitNPROC=10

Once updated, I had to perform two more steps – the first was a reload of the systemd daemon:

user@host:~$ sudo systemctl daemon-reload

Next, I turned the OpenVPN service on again:

user@host:~$ sudo systemctl start openvpn@server.service

No error message, this looks much better. Let’s take a look at the status:

user@host:~$ sudo systemctl status openvpn@server.service
● openvpn@server.service - OpenVPN connection to server
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-12-13 15:15:17 CET; 39s ago
     Docs: man:openvpn(8)
           https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
           https://community.openvpn.net/openvpn/wiki/HOWTO
  Process: 3497 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/
 Main PID: 3498 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
           └─3498 /usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/server.conf --writepid /

Dec 13 15:15:17 vz15951 ovpn-server[3498]: succeeded -> ifconfig_pool_set()
Dec 13 15:15:17 vz15951 ovpn-server[3498]: Initialization Sequence Completed

Wonderful. It is working now. Such a simple solution but it requires a little bit of luck to find it 🙂
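An added example, not part of the original post: it first checks that the journal shows the errno=11 signature quoted above and that the unit still has an active LimitNPROC, then makes the change as a systemd drop-in under /etc/systemd/system, which a package upgrade does not overwrite the way it can overwrite the unit in /lib/systemd/system. The helper names, the `infinity` value and the constructed demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example; helper names are hypothetical. SIGNATURE is the journal
# message quoted in the post.
SIGNATURE='daemon() failed or unsupported: Resource temporarily unavailable (errno=11)'

# Print the last uncommented LimitNPROC value in a unit file (empty if none).
active_nproc_limit() {
    sed -n 's/^[[:space:]]*LimitNPROC[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# diagnose LOGFILE UNITFILE: decide whether the post's fix applies.
diagnose() {
    if ! grep -qF -- "$SIGNATURE" "$1"; then
        echo "no-match"                  # some other startup failure
        return 0
    fi
    limit=$(active_nproc_limit "$2")
    case $limit in
        ''|infinity) echo "fork-failure-unexplained" ;;
        *)           echo "nproc-limit:$limit" ;;
    esac
}

# write_nproc_dropin UNIT VALUE [ROOT]: override the limit without touching
# the packaged unit; prints the path written. ROOT is empty on a real host.
write_nproc_dropin() {
    dir="${3:-}/etc/systemd/system/$1.d"
    mkdir -p "$dir" || return 1
    printf '[Service]\nLimitNPROC=%s\n' "$2" > "$dir/override.conf" || return 1
    echo "$dir/override.conf"
}

# demo: run both steps against constructed files in a scratch directory.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib/systemd/system"
    printf '[Service]\nType=forking\nLimitNPROC=10\n' \
        > "$root/lib/systemd/system/openvpn@.service"      # constructed unit
    printf 'Dec 13 14:52:59 vz15951 ovpn-server[1854]: %s\n' "$SIGNATURE" \
        > "$root/journal.log"                               # line from the post
    verdict=$(diagnose "$root/journal.log" "$root/lib/systemd/system/openvpn@.service")
    dropin=$(write_nproc_dropin 'openvpn@.service' infinity "$root")
    echo "$verdict $(active_nproc_limit "$dropin")"
    rm -rf "$root"
}
demo
```

On a real host, call `write_nproc_dropin openvpn@.service infinity` as root, then run `systemctl daemon-reload` and start the service as in the post. `systemctl cat openvpn@server.service` then lists the drop-in after the packaged unit.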

14 Replies to “OpenVPN failed to start – Ubuntu / LXD issue”

  1. vim is not allowing me to comment out #LimitNPROC=10, I went to the folder and tried to change it from there it wouldn't allow me either since it's protected

    can you help me change it

    1. Hello Ahmad,

      I can see possible issues here:
      1) you may not be familiar with vi editor – in such case instead of vi, use nano – it should be easier. If you have to use vi, please remember that you have to do the following things:
      – find the place you want to edit
      – enter “insert mode” by pressing “i” letter on the keyboard
      – make your change
      – exit from “insert mode” by pressing ESC on the keyboard
      – enter the command “:wq” which means “I want to write and quit”, remember that the command starts with “:”

      2) there is also a possibility that you skipped “sudo” before your vi command. This file is not editable for everyone so if you want to save it, you have to use “sudo vi [filename]”

      3) there can be other issues not mentioned above, but I need more information to help 🙂

      Dulare

  2. sudo vi /lib/system/system/openvpn@.service when I am using this command it is showing nothing, once it's showing the same as to mention above I comment the thing also, I am removing something else and I guess I remove that complete file, now what can I do?

    1. Hi there 🙂

      If the vi command shows nothing, most likely the file you tried to edit (openvpn@.service) was not there and it was created by the editor. You will have to find the proper file location in order to comment out the line mentioned in the post. On the other hand, if you removed the file completely, you can backup your VPN configuration, remove and install it again. Have you checked what is the service file? If it is really openvpn@.service?

  3. Hi Dulare,

    I’ve been stuck for several days and can’t start the VPN server. I always have this error and can’t continue. Can you help me?
    I followed this web site : https://blog.vpscheap.net/running-a-vpn-server-on-your-vps-everything-you-need-to-know/

    [root@server system]# systemctl status openvpn@server.service
    * openvpn@server.service – OpenVPN Robust And Highly Flexible Tunneling Application On server
    Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Tue 2020-04-07 14:37:32 UTC; 2min 15s ago
    Process: 930 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
    Main PID: 930 (code=exited, status=1/FAILURE)
    Status: “Pre-connection initialization successful”

    Apr 07 14:37:32 server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
    Apr 07 14:37:32 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
    Apr 07 14:37:32 server systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
    Apr 07 14:37:32 server systemd[1]: Unit openvpn@server.service entered failed state.
    Apr 07 14:37:32 server systemd[1]: openvpn@server.service failed.
    [root@server system]#
    —–
    [root@server system]# sudo vi /lib/systemd/system/openvpn@.service
    [Unit]
    Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
    After=network.target

    [Service]
    Type=notify
    PrivateTmp=true
    ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf

    [Install]
    WantedBy=multi-user.target

    ————-
    [root@server system]# sudo vi /lib/systemd/system/openvpn-server@.service
    [Unit]
    Description=OpenVPN service for %I
    After=syslog.target network-online.target
    Wants=network-online.target
    Documentation=man:openvpn(8)
    Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
    Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

    [Service]
    Type=notify
    PrivateTmp=true
    WorkingDirectory=/etc/openvpn
    ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf
    CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE
    #LimitNPROC=10
    DeviceAllow=/dev/null rw
    DeviceAllow=/dev/net/tun rw
    ProtectSystem=true
    ProtectHome=true
    KillMode=process
    RestartSec=5s
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

    —–
    [root@server ~]# sudo vim /etc/openvpn/server.conf

    port 1194
    ;proto tcp
    proto udp
    ;dev tap
    dev tun
    ca /etc/openvpn/easy-rsa/pki/ca.crt
    cert /etc/openvpn/easy-rsa/pki/issued/server.crt
    key /etc/openvpn/easy-rsa/pki/private/server.key
    dh /etc/openvpn/easy-rsa/pki/dh.pem
    topology subnet
    server 10.8.0.0 255.255.255.0
    ;ifconfig-pool-persist ipp.txt
    ;ifconfig-push
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    duplicate-cn
    keepalive 10 120
    ;tls-auth ta.key 0 # This file is secret
    tls-crypt mykey.tls
    remote-cert-eku "TLS Web Client Authentication"
    cipher AES-256-CBC
    compress lz4-v2
    push "compress lz4-v2"
    persist-key
    persist-tun
    daemon
    status /var/log/openvpn/openvpn-status.log
    ;log openvpn.log
    log-append /var/log/openvpn/openvpn.log
    verb 4
    explicit-exit-notify 1

    1. Hello Diego,

      You should do one of the things:
      1) Execute OpenVPN server manually (not as a service) with verbose information turned on and review the messages
      2) Review log files (/var/log/messages) to see what is reported

      This should lead you to the root of the problem.

      1. Hello Dulare,

        thanks for your answer. This is what I got from: (/var/log/messages)

        Apr 7 14:37:19 server systemd: Reloading.
        Apr 7 14:37:19 server systemd: Binding to IPv6 address not available since kernel does not support IPv6.
        Apr 7 14:37:19 server systemd: Binding to IPv6 address not available since kernel does not support IPv6.
        Apr 7 14:37:19 server systemd: [/usr/lib/systemd/system/vzfifo.service:19] Support for option SysVStartPriority= has been removed and it is ignored
        Apr 7 14:37:32 server systemd: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
        Apr 7 14:37:32 server systemd: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
        Apr 7 14:37:32 server systemd: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
        Apr 7 14:37:32 server systemd: Unit openvpn@server.service entered failed state.
        Apr 7 14:37:32 server systemd: openvpn@server.service failed.

        —————–

        Regarding executing the OpenVPN server manually, do you mean with this command, or do you have a different one?

        [root@server log]# openvpn --config /etc/openvpn/tun0.conf --verb 6 // verbose output
        Options error: In [CMD-LINE]:1: Error opening configuration file: /etc/openvpn/tun0.conf
        Use --help for more information.

        Thanks

        1. Hello Diego,

          The log is not really helpful, so let’s take a look at the manual start.
          Your config file is here /etc/openvpn/server.conf as far as I can tell from your previous comment. So try to execute OpenVPN the following way:

          # openvpn --config /etc/openvpn/server.conf --verb 6

          This should do the trick 🙂

          1. Hello Dulare.

            Now it seems to work, so every time I restart the server can I just start it manually?
            You say there is a way to solve the problem in “openvpn@server.service”?
            Thanks again

            ———
            [root@server ~]# openvpn –config /etc/openvpn/server.conf –verb 6
            Options error: I’m trying to parse “–config” as an --option parameter but I don’t see a leading '--'
            Use --help for more information.
            [root@server ~]# openvpn --config /etc/openvpn/server.conf --verb 6
            [root@server ~]# systemctl status openvpn@server.service
            * openvpn@server.service – OpenVPN Robust And Highly Flexible Tunneling Application On server
            Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
            Active: active (running) since Wed 2020-04-08 08:07:46 UTC; 4min 43s ago
            Main PID: 392 (openvpn)
            Status: “Initialization Sequence Completed”
            CGroup: /system.slice/system-openvpn.slice/openvpn@server.service
            `-392 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

            Apr 07 14:34:23 server systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
            Apr 07 14:34:23 server systemd[1]: Unit openvpn@server.service entered failed state.
            Apr 07 14:34:23 server systemd[1]: openvpn@server.service failed.
            Apr 07 14:37:32 server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
            Apr 07 14:37:32 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
            Apr 07 14:37:32 server systemd[1]: openvpn@server.service: main process exited, code=exited, status=1/FAILURE
            Apr 07 14:37:32 server systemd[1]: Unit openvpn@server.service entered failed state.
            Apr 07 14:37:32 server systemd[1]: openvpn@server.service failed.
            Apr 08 08:07:46 server systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunneling Application On server…
            Apr 08 08:07:46 server systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On server.
            [root@server ~]#

          2. It is good that it worked manually. Yes, you can start it manually if needed. However, it would be better to find the source of the issue, which is most likely related to the openvpn@server.service configuration file.

            You can try to edit this line in your /lib/systemd/system/openvpn@.service file:
            ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config %i.conf

            Instead of %i.conf you can enter your configuration file location, so it should look like:
            ExecStart=/usr/sbin/openvpn --status %t/openvpn-server/status-%i.log --status-version 2 --suppress-timestamps --config /etc/openvpn/server.conf

            But this is only my guess, not the solution I’m sure will work

  4. Hello Dulare.
    I installed OpenVPN in Ubuntu 18.04 (DELL laptop and using Mobile hotspot), but not working, below are the steps I followed –
    >sudo apt-get install openvpn
    > sudo openvpn --config client.opvn
    >sudo systemctl start openvpn@client.service
    >sudo systemctl status openvpn@client.service
    I got this error log from above status command –
    >ERROR: Linux route add command failed: external program exited with error status: 2
    May 29 17:06:48 ovpn-client[1309]: /sbin/ip route add 10.0.0.0/16 metric 101 via 172.27.232.1
    May 29 17:06:48 openvpn[1309]: RTNETLINK answers: File exists
    May 29 17:06:48 ovpn-client[1309]: ERROR: Linux route add command failed: external program exited with error status: 2
    May 29 17:06:48 ovpn-client[1309]: Initialization Sequence Completed
    May 29 17:49:02 ovpn-client[1309]: write UDP: Network is unreachable (code=101)
    May 29 17:49:03 ovpn-client[1309]: write UDP: Network is unreachable (code=101)
    May 29 17:49:04 ovpn-client[1309]: write UDP: Network is unreachable (code=101)

    Thanks,

    1. Hello Mahesh,

      It looks like your issue is related to the same subnet used by your VPN server and your VPN client. The server is not able to add the route to the 10.0.0.0/16 subnet since this route already exists. It looks like your VPN client is already connected to the subnet with the same parameters.

    1. Hello Krish,

      There is also a second part of this message, please use “journalctl -xe” or “systemctl status openvpn@server.service” in order to see what happened. You can also take a look at logs. There is no easy way to help you as long as we don’t know what happened. Try the above commands and let me know what you found 🙂
