F21 to F23 upgrade, issue 2, OpenVPN behaviour changes

The way OpenVPN prompts for access has changed; they have started migrating it to run under systemd. The existing startup script I was using now fails.

[root@vpnserver init.d]# service openvpn start
[root@vpnserver init.d]# 
Broadcast message from root@vpnserver (Fri 2016-02-26 17:38:40 NZDT):

Password entry required for 'Enter Private Key Password:' (PID 1328).
Please enter password with the systemd-tty-ask-password-agent tool!

My first thought was there is probably a new service. So I had a quick look, found one that was disabled, tried to enable it… and that must also be in development as all packages are fully installed but this service is not yet ready to run.

[root@vpnserver init.d]# systemctl status systemd-ask-password-console.service
● systemd-ask-password-console.service - Dispatch Password Requests to Console
   Loaded: loaded (/usr/lib/systemd/system/systemd-ask-password-console.service; static; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-ask-password-console.service(8)

Feb 26 17:38:40 vpnserver systemd[1]: Stopped Dispatch Password Requests to Console.

[root@vpnserver init.d]# systemctl enable systemd-ask-password-console.service
The unit files have no [Install] section. They are not meant to be enabled
using systemctl.

Anyway, back to my old buddy Google.
Found this helpful thread on the subject at https://sourceforge.net/p/openvpn/mailman/message/34319245/

As a result of that I found two methods that work to start OpenVPN again.

Method 1, that I have decided not to use yet

The first I will probably have to use after the next upgrade, inconvenient though it is. Strangely enough the original error message stated exactly what to do.

The original command can still be used

openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/server.conf

But it no longer prompts for a password, so after it has gone daemon, on the command line use the command

systemd-tty-ask-password-agent

That will prompt for the password and pass it through to OpenVPN.

The reason I have decided not to use that method yet is there can be many outstanding prompts; well, not at the moment, but as more services under systemd start using this method there will be. There is the command "systemd-tty-ask-password-agent --query" which I assume should list them all; it doesn't at the moment, at the moment it is treated as an invalid response to the OpenVPN prompt.
Fortunately I don't start OpenVPN from systemd but have always started it manually because of the password prompt, so when using the systemd-tty-ask-password-agent to get an enter-password prompt I know there is only that one outstanding.
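One way to check what is waiting before typing a private key passphrase into the agent, as an added example that is not part of the original post. It assumes systemd's password-agent convention of request files named ask.* under /run/systemd/ask-password with an [Ask] section holding PID= and Message= keys; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: pending requests are INI files named ask.* in
# /run/systemd/ask-password, with PID= and Message= keys in an [Ask] section.
ASK_DIR=/run/systemd/ask-password

# Print "PID<TAB>COMMAND<TAB>MESSAGE" for each pending request in directory $1.
list_password_requests() {
    dir=${1:-$ASK_DIR}
    for f in "$dir"/ask.*; do
        [ -f "$f" ] || continue            # unmatched glob: nothing pending
        pid='' msg='' in_ask=0
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "[Ask]")   in_ask=1 ;;
                "["*"]")   in_ask=0 ;;
                PID=*)     if [ "$in_ask" = 1 ]; then pid=${line#PID=}; fi ;;
                Message=*) if [ "$in_ask" = 1 ]; then msg=${line#Message=}; fi ;;
            esac
        done < "$f"
        case $pid in ''|*[!0-9]*) continue ;; esac   # skip malformed files
        # Name of the requesting process, "?" if it is gone or unreadable.
        cmd=$(cat "/proc/$pid/comm" 2>/dev/null) || cmd='?'
        printf '%s\t%s\t%s\n' "$pid" "$cmd" "$msg"
    done
}

# Succeed only if exactly one request is pending and it was raised by PID $2.
only_request_is_from() {
    reqs=$(list_password_requests "$1")
    [ -n "$reqs" ] || return 1
    [ "$(printf '%s\n' "$reqs" | grep -c '')" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$reqs" | cut -f1)" = "$2" ]
}

# Usage after "openvpn ... --daemon" (an empty first argument means $ASK_DIR):
#   only_request_is_from "" "$(pgrep -o openvpn)" && systemd-tty-ask-password-agent
```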

Method 2, force emulation of the original behaviour

As this changed behaviour was identified as potentially causing issues, the parameter --askpass can be used to force the old behaviour where the passphrase is requested before the OpenVPN server switches to daemon mode.

By changing my original command

openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/server.conf

To be the command below

openvpn --cd /etc/openvpn --askpass --daemon --config /etc/openvpn/server.conf

The original behaviour is restored and the passphrase is requested by OpenVPN when a startup script is run, without having to start a separate far-too-long-to-type program to enter the password.

Summary

Thanks to Google, and the mentioned helpful post it found, my VPN server is working again. I will be using the second method, although I have left a few comments in my startup script on how to use the first method in case that is the only option after the next upgrade.

About mark

At work, been working on Tandems for around 30yrs (programming + sysadmin), plus AIX and Solaris sysadmin also thrown in during the last 20yrs; also about 5yrs on MVS (mainly operations and automation but also smp/e work). At home I have been using linux for decades. Programming background is commercially in TAL/COBOL/SCOBOL/C(Tandem); 370 assembler(MVS); C, perl and shell scripting in *nix; and Microsoft Macro Assembler(windows).