OpenVPN systemd timeout error but works

Question

I have a file /lib/systemd/system/openvpn.service with those settings :

[Unit]
Description=OpenVPN client
After=network.target

[Service]
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --dameon --writepid /var/run/openvpn/openvpn.pid --config /etc/openvpn/pia/Mexico.ovpn
ExecStop=-/bin/kill -TERM $MAINPID
Restart=on-failure


[Install]
WantedBy=multi-user.target

And whenever I run systemctl start openvpn I get this strange error :

Job for openvpn.service failed because a timeout was exceeded. See "systemctl status openvpn.service" and "journalctl -xe" for details.

But If I do check my public IP it shows my VPN IP. But its changing every few secs which I believe it is because OpenVPN is restarting...

Running the commands on that error message says :

Jun 19 04:29:33 test systemd[1]: openvpn.service: PID file /var/run/openvpn/.pid not readable (yet?) after start: No such file or directory

Output of ls -l on /var/run/openvpn :

-rw-r--r-- 1 root root 5 Jun 19 04:32 openvpn.pid

So I don't understand what could be wrong ? OS is Ubuntu 16.04 with OpenVPN 2.4.2 compiled from source. Mexico.conf is my conf file, renamed of .ovpn to .conf.

If I change PIDFILE to : PIDFile=/var/run/openvpn/openvpn.pid it just fails to start completely

I copied this settings from a guide somewhere and it works when it's named as [email protected] but the same settings give the above error when its named as openvpn.service... Any reason in particular? This is the settings :

[Unit]
Description=OpenVPN client
After=network.target

[Service]
RuntimeDirectory=openvpn
PrivateTmp=true
KillMode=mixed
Type=forking
PIDFile=/var/run/openvpn/%i.pid
ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --cd /etc/openvpn/pia/ --config Mexico.conf
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
Restart=on-failure
RestartSec=3
ProtectSystem=yes
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw


[Install]
WantedBy=multi-user.target

I noticed that those settings work when named as [email protected] but it still give some non-fatal erros like :

ERROR: Linux route add command failed: external program exited with error status: 7

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Answer 1

The reason why your service complains is that it expects an argument which it does not receive: the position of the argument is, in the [email protected] file, wherever you see %i, in particular in the line

 PIDFile=/var/run/openvpn/%i.pid

which should also be mirrored in the ExecStart line below, where you substituted --writepid /var/run/openvpn/openvpn.pid for what should have rightfully been --writepid /run/openvpn/%i.pid.

The correct way to use a service such as [email protected] is to pass it an argument: for instance

 systemctl enable [email protected]
 systemctl start  [email protected]

In this simple case, the parameter passed (client) is just the name of the file where the process PID is stored, nothing else, so that you can call it whatever you wish. Just make sure you rename the service file to /lib/systemd/system/[email protected] as it was when you installed it, I am sure, and you are good to go.

The reason why the openvpn still works is in fact that the only thing you missed is the name of the PID file, not the openvpn configuration.

As for the other two errors, the second one is a warning, just heed it (= use the auth-nocache option in your configuration file). And the second one requires more information to diagnose, i.e. the full error message, the openvpn config file, and the routing table (ip route show) after having setup the VPN.