The way OpenVPN prompts for access has changed; they have started migrating it to run under systemd. The existing startup script I was using now fails.
[root@vpnserver init.d]# service openvpn start
[root@vpnserver init.d]#
Broadcast message from root@vpnserver (Fri 2016-02-26 17:38:40 NZDT):

Password entry required for 'Enter Private Key Password:' (PID 1328).
Please enter password with the systemd-tty-ask-password-agent tool!
My first thought was there is probably a new service. So I had a quick look, found one that was disabled, tried to enable it… and that must also be in development, as all packages are fully installed but this service is not yet ready to run.
[root@vpnserver init.d]# systemctl status systemd-ask-password-console.service
● systemd-ask-password-console.service - Dispatch Password Requests to Console
   Loaded: loaded (/usr/lib/systemd/system/systemd-ask-password-console.service; static; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:systemd-ask-password-console.service(8)

Feb 26 17:38:40 vpnserver systemd[1]: Stopped Dispatch Password Requests to Console.
[root@vpnserver init.d]# systemctl enable systemd-ask-password-console.service
The unit files have no [Install] section. They are not meant to be enabled using systemctl.
Anyway, back to my old buddy Google.
Found this helpful thread on the subject at https://sourceforge.net/p/openvpn/mailman/message/34319245/
As a result of that I found two methods that work to start OpenVPN again.
Method 1, that I have decided not to use yet
The first I will probably have to use after the next upgrade, inconvenient though it is. Strangely enough, the original error message stated exactly what to do.
The original command can still be used
openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/server.conf
But it no longer prompts for a password, so after it has gone daemon on the command line use the command
systemd-tty-ask-password-agent
That will prompt for the password and pass it through to OpenVPN.
The reason I have decided not to use that method yet is there can be many outstanding prompts, well not at the moment, but as more services under systemd start using this method there will be. There is the command "systemd-tty-ask-password-agent --query" which I assume should list them all; it doesn't at the moment, at the moment it is treated as an invalid response to the OpenVPN prompt.
Fortunately I don't start OpenVPN from systemd but have always started it manually because of the password prompt, so when using the systemd-tty-ask-password-agent to get an enter password prompt I know there is only that one outstanding.
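For the concern about several outstanding prompts under Method 1, here is an added example (not part of the original post or of OpenVPN/systemd) that lists what is waiting before the agent is run. It assumes pending requests are ini-style ask.* files with an [Ask] section under /run/systemd/ask-password, as systemd's password agent interface describes; the function names and the "check" argument are made up for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): check what is waiting for a
# password before running systemd-tty-ask-password-agent.
# Assumption: pending requests are ini-style "ask.*" files with an [Ask]
# section in /run/systemd/ask-password (systemd's password agent interface).
ASK_DIR=/run/systemd/ask-password
TAB="$(printf '\t')"

# Print "PID<TAB>Message" for each pending request in directory $1.
# The ( ) body runs in a subshell, so its variables stay local.
list_ask_requests() (
    dir="${1:-$ASK_DIR}"
    for f in "$dir"/ask.*; do
        [ -f "$f" ] || continue            # glob matched nothing
        pid="?"; msg=""; in_ask=0
        # the "|| [ -n ... ]" part keeps a final line that lacks a newline
        while IFS='=' read -r key val || [ -n "$key" ]; do
            case "$key" in
                "[Ask]") in_ask=1 ;;
                "["*)    in_ask=0 ;;
                PID)     if [ "$in_ask" -eq 1 ]; then pid="$val"; fi ;;
                Message) if [ "$in_ask" -eq 1 ]; then msg="$val"; fi ;;
            esac
        done < "$f"
        printf '%s\t%s\n' "$pid" "$msg"
    done
)

# Succeed only if exactly one request is pending in directory $2 and its
# message contains the expected prompt text $1 ("exit" leaves the subshell).
only_prompt_is() (
    lines="$(list_ask_requests "${2:-$ASK_DIR}")"
    [ -n "$lines" ] || exit 1              # nothing pending
    [ "$(( $(printf '%s\n' "$lines" | wc -l) ))" -eq 1 ] || exit 1
    msg=${lines#*"$TAB"}                   # drop the PID column
    case "$msg" in
        *"$1"*) exit 0 ;;
        *)      exit 1 ;;
    esac
)

# "check" mode: run the agent only when the OpenVPN prompt is the sole one;
# otherwise show what is pending and leave every prompt unanswered.
if [ "${1:-}" = "check" ]; then
    if only_prompt_is "Enter Private Key Password:"; then
        systemd-tty-ask-password-agent
    else
        echo "Not answering; pending requests (PID, message):" >&2
        list_ask_requests >&2
        exit 1
    fi
fi
```

Run it as root with the argument check after starting OpenVPN; with no argument it only defines the functions.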
Method 2, force emulation of the original behaviour
As this changed behaviour was identified as potentially causing issues, the parameter --askpass can be used to force the old behaviour where the passphrase is requested before the OpenVPN server switches to daemon mode.
By changing my original command
openvpn --cd /etc/openvpn --daemon --config /etc/openvpn/server.conf
To be the command below
openvpn --cd /etc/openvpn --askpass --daemon --config /etc/openvpn/server.conf
The original behaviour is restored and the passphrase is requested by OpenVPN when a startup script is run, without having to start a separate far-too-long-to-type program to enter the password.
Summary
Thanks to Google, and the mentioned helpful post it found, my VPN server is working again. I will be using the second method, although I have left a few comments in my startup script on how to use the first method in case that is the only option after the next upgrade.