Client auto connect with openvpn

This is here for my future reference more than anything. I have a Raspberry Pi (referred to as Raspberry Pi A = rpA) that dials into another Raspberry Pi (referred to as Raspberry Pi B = rpB) I have at home. Due to limits on the router rpA is connected to, I can’t set up any port forwarding – meaning there’s no easy way to connect into it. To solve this, I set up an openvpn server on rpB, that rpA dials into. I can then connect via the tunnel that’s created.

I don’t have easy physical access to rpA, so it needs to be able to come back up following a power outage etc. I’ve added various bits of automation and reporting to keep an eye on things. It reports to my web server, so if there’s a problem with the vpn, but the rest of things are working, I can see this and it will help me narrow down the issue.

Recently rpA stopped responding both via vpn and to my web server. I was able to get someone to check it had power, was connected to the router etc, so the assumption now is that it’s either a physical hardware problem, or a corrupt sd card. I did keep a backup of the sd card, but got rid of it a few months ago during some over-enthusiastic tidying up of my server.

When I first set up rpA, I had some issues getting openvpn to autostart and connect – I have come across the same issues now setting the new image up, so am documenting the solution here:

First, this assumes you’ve set up your openvpn server and then created some keys – there are plenty of instructions online that talk you through adding the keys and then creating an OVPN file – a file that contains the configuration as well as the various keys needed to connect.

I use password protected certificates to connect to the vpn. The first issue to overcome is how to supply the password on autostart. Adding the following line to the client config achieves this:

askpass /etc/openvpn/server.pass

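That file then contains the password for your certificate. Because the password sits there in plain text, the file should be readable only by root (owner root, mode 600).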
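As an added example (not part of the original post), this shell function reads a client config, finds the file named by its askpass line and reports whether anyone other than the owner can access the stored password. The function name check_askpass and its return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the askpass file referenced by an OpenVPN client config.
# Usage: check_askpass /etc/openvpn/myConfig.conf
# Returns (hypothetical convention for this example):
#   0 = password file is private to its owner
#   1 = group or others have some access to it
#   2 = no askpass file configured, or the file is missing

check_askpass() {
    conf=$1

    # First "askpass <path>" directive; commented-out lines do not match
    # because their first field starts with "#".
    pass_file=$(awk '$1 == "askpass" && NF >= 2 { print $2; exit }' "$conf")

    if [ -z "$pass_file" ]; then
        echo "no askpass file set in $conf"
        return 2
    fi
    if [ ! -f "$pass_file" ]; then
        echo "askpass file $pass_file does not exist"
        return 2
    fi

    # ls -ldL follows symlinks; the first ten characters are the file type
    # plus the owner/group/other permission triplets.
    perms=$(ls -ldL "$pass_file" | cut -c1-10)

    case $perms in
        ????------)
            echo "ok: $pass_file is $perms"
            return 0
            ;;
        *)
            echo "too permissive: $pass_file is $perms (fix with chmod 600)"
            return 1
            ;;
    esac
}
```
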

Looking in /etc/init.d/openvpn we can see it sources /etc/default/openvpn for some variables. Let’s look there. In /etc/default/openvpn there’s this line:

#AUTOSTART="all"

This needs uncommenting, and will mean that on startup openvpn will connect using each *.conf file in /etc/openvpn/.

However, when you run:

service openvpn start

/var/log/daemon.log only reads:

Aug 28 12:38:36 rpA systemd[1]: Started OpenVPN service.

Why?

Answer: Systemd.

I don’t understand why both configs are supplied – surely if being installed on a system that uses systemd, we should just install the systemd start scripts?

Never mind. What we need to do is symlink in a unit for our vpn, and enable that through systemctl:

Under systemd, openvpn controls which profiles to start through units named openvpn@<Name of Config File>.service.

First, symlink the openvpn@.service into your systemd directory using the name of your config file in /etc/openvpn/. For example, if you have /etc/openvpn/myConfig.conf you would type:

ln -s /lib/systemd/system/openvpn@.service /etc/systemd/system/openvpn@myConfig.service

We then need to enable and start the service:

systemctl enable openvpn@myConfig.service
systemctl start openvpn@myConfig.service

We should then check it’s started. Looking in /var/log/daemon.log should show us more output, plus we can check the network adapters to make sure we have the correct tunnel adapter:

ifconfig

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

That looks fine. Next try a reboot and make sure your connection is re-established!