Sunday, October 25, 2009

OpenVPN Issue on Ubuntu Jaunty 9.04

I have a bunch of Linux routers all meshed together running Ubuntu 8.04.3 with OpenVPN. I added a new Ubuntu Jaunty 9.04 router into the mix today, copied my generated private key via scp to the new box and set up a new connector back to another site. When I started the VPN using the firewall script I wrote, I was getting the following error:

/usr/sbin/openvpn-vulnkey:22: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5



In the daemon.log file under /var/log I was getting the following:

Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1545,tun-mtu 1500,proto UDPv4,ifconfig 10.5.15.1 10.5.15.2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,secret'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Local Options hash (VER=V4): 'bd07f87b'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Expected Remote Options hash (VER=V4): '47793853'
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: failed to find GID for group nobody
Oct 25 19:52:42 bunbline1 ovpn-bunbury-dunsborough[8871]: Exiting



In previous versions of Ubuntu there was a group called nobody; now in Ubuntu 9 there is just a group called nogroup with a GID of 65534. In previous versions of Ubuntu the group nobody had a GID of 1002, so I recreated it with the same GID.

groupadd -g 1002 nobody

OpenVPN failed again. This time I got the following error in the daemon.log file upon restarting it:

Oct 25 20:04:10 bunbline1 ovpn-bunbury-dunsborough[9176]: chroot to '/var/empty' failed: No such file or directory (errno=2)

In previous versions of Ubuntu, yes, you may have guessed, there was a directory called /var/empty. Make this directory with

mkdir /var/empty

Now when I start the VPN I get the following:



However, it's no longer saying failed... it is coming up as OK and data is passing through the VPN perfectly fine. However, it is not liking the key I generated on Ubuntu 8 by the looks of it... however it is accepting it. I got it working, but if anyone has more information on this, please do leave a comment.
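
A preflight check for the two failures described in this post (a group directive naming a group that does not exist, and a chroot directive naming a directory that does not exist), added here as an example and not part of the original post. The sample config, the function names and the ownership/permission check on the chroot directory are assumptions made for illustration.

```python
import grp
import os
import pwd

# Constructed sample config (not from the post); it mirrors the post's setup.
SAMPLE_CONFIG = """\
user nobody
group nobody      # Ubuntu 9.04 has 'nogroup' but no 'nobody' group
chroot /var/empty
"""

def parse_directives(text, wanted=("user", "group", "chroot")):
    """Return {directive: argument} for the privilege-drop options."""
    found = {}
    for line in text.splitlines():
        # Simplification: treat '#' and ';' as comment starts anywhere.
        line = line.split("#", 1)[0].split(";", 1)[0]
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in wanted:
            found[parts[0]] = parts[1].strip().strip("'\"")
    return found

def _exists(lookup, name):
    try:
        lookup(name)
        return True
    except KeyError:
        return False

def preflight(text, getpw=pwd.getpwnam, getgr=grp.getgrnam):
    """List the problems that would stop OpenVPN when it drops privileges."""
    d, problems = parse_directives(text), []
    if "user" in d and not _exists(getpw, d["user"]):
        problems.append(f"user '{d['user']}' does not exist")
    if "group" in d and not _exists(getgr, d["group"]):
        problems.append(f"group '{d['group']}' does not exist")
    root = d.get("chroot")
    if root and not os.path.isdir(root):
        problems.append(f"chroot '{root}' is not a directory")
    elif root:
        st = os.stat(root)
        # Assumed hardening rule: jail is root-owned, not group/world-writable.
        if st.st_uid != 0 or st.st_mode & 0o022:
            problems.append(f"chroot '{root}' is not root-owned or is writable by others")
    return problems

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONFIG):
        print("FAIL:", problem)
```

Running it against a tunnel's config before starting the daemon reports the missing group or chroot directory up front instead of leaving it to be found in daemon.log.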

4 comments:

  1. The fix for this is to change your OpenVPN config file; change the line 'group nobody' to 'group nogroup'. Then it will fire up just fine.

  2. Thanks...
    adding the group worked just fine. nogroup in the config did not.

  3. Actually adding group nogroup worked great for me in Ubuntu 10.04.

  4. Changing "group nobody" to "group nogroup" and executing the command
    "sudo openvpn --config ~/ovpndir/configfile.ovpn --script-security 2"
    worked for me.
