openvpn@.service file fails on Debian Stretch #5

Open
zilexa opened this issue Jan 19, 2018 · 17 comments
Comments

@zilexa

zilexa commented Jan 19, 2018

Hi! I never spent much time figuring this out even though I believe it isn't that difficult with your blog article.
So tonight I tried again and it all made much more sense. I successfully built nsdo and performed the steps in your blog. I use a RPi3 running DietPi (based on Debian Stretch).

Unfortunately the openvpn@.service file is giving me trouble. This is what happens when I run
systemctl start openvpn@ns-vpn
(my vpn conf file is /etc/openvpn/ns-vpn.conf).

root@Raspberry:/lib/systemd/system# systemctl start openvpn@ns-vpn
A dependency job for openvpn@ns-vpn.service failed. See 'journalctl -xe' for details.
root@Raspberry:/lib/systemd/system# systemctl status openvpn@ns-vpn
openvpn@ns-vpn.service - OpenVPN connection to ns-vpn
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/openvpn@.service.d
           └─netns.conf
   Active: inactive (dead)

Jan 19 22:45:58 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:45:58 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:9] Unknown lvalue 'requires' in section 'Unit'
Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:10] Unknown lvalue 'after' in section 'Unit'
Jan 19 22:46:24 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:9] Unknown lvalue 'requires' in section 'Unit'
Jan 19 22:46:24 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:10] Unknown lvalue 'after' in section 'Unit'
Jan 19 22:47:40 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:47:40 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 22:56:33 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:56:33 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.

should I also edit the openvpn.service file? I did not touch that one. I hope you can help me figure out how to modify openvpn@.service. I have no clue how to troubleshoot this. I believe this is the only issue and nsdo should do the trick once openvpn is running.

@ausbin
Owner

ausbin commented Jan 19, 2018

Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:9] Unknown lvalue 'requires' in section 'Unit'
Jan 19 22:46:06 Raspberry systemd[1]: [/lib/systemd/system/openvpn@.service:10] Unknown lvalue 'after' in section 'Unit'

This makes me wonder if the [Unit] section contains requires=xxx instead of Requires=xxx, and the same for After. Could you post your openvpn@.service file?

@zilexa
Author

zilexa commented Jan 20, 2018

File /lib/systemd/system/openvpn@.service:

[Unit]
Description=OpenVPN connection to %i

[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@$
PIDFile=/run/openvpn@%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID$
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

And /etc/systemd/system/openvpn@.service.d/netns.conf:

[Unit]
Requires=netns@%i.service
After=netns@%i.service

[Service]
# Needed to call setns() as ip netns does
CapabilityBoundingSet=CAP_SYS_ADMIN

@zilexa zilexa closed this as completed Jan 20, 2018
@zilexa
Author

zilexa commented Jan 20, 2018

I believe the system cannot find netns@.service so I copied it to the default location for .service files:
cp /etc/systemd/system/netns@.service /lib/systemd/system/netns@.service

Now at least the first errors are gone "unknown lvalue ... in section..." so it seems we are getting closer.

root@Raspberry:~# systemctl start openvpn@ns-vpn
A dependency job for openvpn@ns-vpn.service failed. See 'journalctl -xe' for details.
root@Raspberry:~# systemctl status openvpn@ns-vpn
● openvpn@ns-vpn.service - OpenVPN connection to ns-vpn
   Loaded: loaded (/lib/systemd/system/openvpn@.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/openvpn@.service.d
           └─netns.conf
   Active: inactive (dead)

Jan 19 22:47:40 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:47:40 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 22:56:33 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 22:56:33 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 19 23:02:57 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 19 23:02:57 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:38:10 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 20 09:38:10 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:40:16 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
Jan 20 09:40:16 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.

When I check journalctl, it says:

Jan 20 09:40:16 Raspberry systemd[1]: Starting network namespace ns/vpn...
-- Subject: Unit netns@ns-vpn.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit netns@ns-vpn.service has begun starting up.
Jan 20 09:40:16 Raspberry ip[3769]: Cannot create namespace file "/var/run/netns/ns/vpn": No such file or directory
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Main process exited, code=exited, status=1/FAILURE
Jan 20 09:40:16 Raspberry systemd[1]: Failed to start network namespace ns/vpn.
-- Subject: Unit netns@ns-vpn.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit netns@ns-vpn.service has failed.
--
-- The result is failed.
Jan 20 09:40:16 Raspberry systemd[1]: Dependency failed for OpenVPN connection to ns-vpn.
-- Subject: Unit openvpn@ns-vpn.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit openvpn@ns-vpn.service has failed.
--
-- The result is dependency.
Jan 20 09:40:16 Raspberry systemd[1]: openvpn@ns-vpn.service: Job openvpn@ns-vpn.service/start failed with result 'dependency'.
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Unit entered failed state.
Jan 20 09:40:16 Raspberry systemd[1]: netns@ns-vpn.service: Failed with result 'exit-code'.

Note the /var/run/netns directory exists but it is empty...
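The journal excerpt above names the namespace ns/vpn although the unit was started as openvpn@ns-vpn. That is systemd's instance-name unescaping at work: a template that refers to its instance through %I receives the unescaped name, and unescaping turns every - into / (and every \xNN into the byte 0xNN). Assuming, as the log suggests, that netns@.service builds the namespace name from %I, the dash in ns-vpn is what produced the path /var/run/netns/ns/vpn that ip netns could not create. The functions below are an added illustration, not code from nsdo or the blog; they reproduce the two rules in plain sh and awk so the transformation can be checked without systemd, and show the escaped spelling (what systemd-escape prints) that keeps a dash in the instance name.

```sh
#!/bin/sh
# Added example: systemd instance-name escaping, reproduced in POSIX sh + awk.
# Rules (systemd.unit(5), systemd-escape(1)):
#   escape:   "/" -> "-";  "-", "\" and any char outside [A-Za-z0-9:_.]
#             (plus a leading ".") -> \xNN, two lowercase hex digits
#   unescape: "-" -> "/";  \xNN -> the byte 0xNN
# Non-ASCII input is out of scope here (LC_ALL=C makes awk work bytewise).

# escape_instance NAME: print the escaped instance name, as systemd-escape does.
escape_instance() {
    printf '%s\n' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "/")
                out = out "-"
            else if (c ~ /[A-Za-z0-9:_]/ || (c == "." && i > 1))
                out = out c
            else
                out = out sprintf("\\x%02x", ord[c])
        }
        print out
    }'
}

# unescape_instance NAME: print what %I expands to for this instance.
unescape_instance() {
    printf '%s\n' "$1" | LC_ALL=C awk '
    function hexval(s,   j, v) {
        v = 0
        for (j = 1; j <= length(s); j++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(s, j, 1))) - 1
        return v
    }
    {
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "-") {
                out = out "/"
            } else if (c == "\\" && substr($0, i + 1, 1) == "x" &&
                       substr($0, i + 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr($0, i + 2, 2)))
                i += 3   # skip "xNN"; the loop increment skips the backslash
            } else {
                out = out c
            }
        }
        print out
    }'
}

# unit_for_instance TEMPLATE NAME: the unit name to hand to systemctl so that
# %I inside TEMPLATE expands to NAME unchanged.
unit_for_instance() {
    printf '%s@%s.service\n' "$1" "$(escape_instance "$2")"
}

# Walk-through of the failure in this thread: run with --demo.
if [ "${1-}" = "--demo" ]; then
    echo "openvpn@ns-vpn -> %I = $(unescape_instance ns-vpn)"      # ns/vpn
    echo "keep the dash  -> $(unit_for_instance openvpn ns-vpn)"    # openvpn@ns\x2dvpn.service
fi
```

The practical consequence: either pick an instance name without a dash (the thread later switches to nsvpn), or start the escaped unit, quoting the backslash for the shell, e.g. systemctl start 'openvpn@ns\x2dvpn'. A template that wants the literal instance string rather than the unescaped one can use %i instead of %I.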

@zilexa zilexa reopened this Jan 20, 2018
@zilexa
Author

zilexa commented Jan 20, 2018

(I accidentally closed the issue)

@ausbin
Owner

ausbin commented Jan 20, 2018

I wonder if this is because combining drop-in files with overriding the entire unit isn't supported or doesn't work too well. You shouldn't ever have to put .service files in /lib/systemd/system by hand, that's kinda bad

What if you delete the drop-in config file netns.conf and leave openvpn@.service in /etc/systemd/system, but have it look like this instead

[Unit]
Description=OpenVPN connection to %i
Requires=netns@%i.service
After=netns@%i.service

[Service]
PrivateTmp=true
Type=forking
ExecStart=/usr/bin/openvpn --cd /etc/openvpn --config /etc/openvpn/%i.conf --daemon openvpn@%i --writepid /run/openvpn@%i.pid --status-version 2
PIDFile=/run/openvpn@%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_SYS_ADMIN
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

@zilexa
Author

zilexa commented Jan 20, 2018

Ha thanks! That helped!
I also had to change ExecStart to /usr/sbin/openvpn (sbin instead of bin) because openvpn did not exist in the 'bin' folder.

But it seems the up script failed :( see the 2nd last line below. Not sure if we can fix that one..

root@Raspberry:/# journalctl -xe
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit openvpn@nsvpn.service has finished starting up.
--
-- The start-up result is done.
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: WARNING: --ping should normally be used with --ping-restart or --ping-exit
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: TCP/UDP: Preserving recently used remote address: [AF_INET]196.196.244.12:1194
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: UDP link local: (not bound)
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: UDP link remote: [AF_INET]196.196.244.12:1194
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: TLS: Initial packet from [AF_INET]196.196.244.12:1194, sid=a54ce442 516c5f45
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan 20 18:35:18 Raspberry openvpn@nsvpn[5000]: VERIFY OK: depth=1, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emai
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Validating certificate key usage
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: ++ Certificate has key usage  00a0, expects 00a0
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY KU OK
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Validating certificate extended key usage
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY EKU OK
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, emai
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 20 18:35:19 Raspberry openvpn@nsvpn[5000]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Socket Buffers: R=[163840->327680] S=[163840->327680]
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: route options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: route-related options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: peer-id set
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: OPTIONS IMPORT: data channel crypto options modified
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 18:35:20 Raspberry kernel: tun: Universal TUN/TAP device driver, 1.6
Jan 20 18:35:20 Raspberry kernel: tun: (C) 1999-2004 Max Krasnyansky <[email protected]>
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:e3:cb:07
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: TUN/TAP device tun0 opened
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: TUN/TAP TX queue length set to 100
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 20 18:35:20 Raspberry openvpn@nsvpn[5000]: Initialization Sequence Completed

@ausbin
Owner

ausbin commented Jan 20, 2018

/usr/local/bin/vpn-ns exists right? could you post your openvpn config file?

@zilexa
Author

zilexa commented Jan 20, 2018

I triple checked, /usr/local/bin/vpn-ns definitely exists, it contains the exact copy of your blog.
openvpn config file (it is nordvpn.ovpn file modified according to the blog and renamed it to nsvpn.conf):

root@Raspberry:/etc/openvpn# cat nsvpn.conf


#           _   _               ___     ______  _   _
#          | \ | | ___  _ __ __| \ \   / /  _ \| \ | |
#          |  \| |/ _ \| '__/ _` |\ \ / /| |_) |  \| |
#          | |\  | (_) | | | (_| | \ V / |  __/| |\  |
#          |_| \_|\___/|_|  \__,_|  \_/  |_|   |_| \_|
#


client
dev tun
proto udp
remote 196.196.244.12 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
# script should run `ip`, not openvpn
route-noexec
ifconfig-noexec
up "/usr/local/bin/vpn-ns"
route-up "/usr/local/bin/vpn-ns"
script-security 2


<ca>
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
f4f99d00e7ef3d33e1b4e911eb07a2a4
f5b21443b07fef0c6ced5a5b4302f640
6242c9e1dc49b5db1c175821252ee9b3
6c841c6fe66c176d7f10d30a71c8f5cc
573548503f1d3b35b9cbe7b2f25578ea
cd65db109064d44fb1406d8d664119ae
189bac9a05592dea47cbd8c61ed7b10d
a8cf5fcdcb1af201eaf11bd6e579cff0
d132bad23f2870dad48b47cae12a1e4d
ea8a7a2b15993509bbf81310fc2d1137
5ed89e2befc01b7f1c35551ebfbe0117
3c95ebe72b478d0c8c58fbbd3f23a329
af327e65a7431ed12baca3b2c6093c0c
fdcd928ea1eb71596e21288fa1ba48fe
7d0fb54a506302d50a9044eafa4b85ed
a115348d16dd4e686612eac3fd626bda
-----END OpenVPN Static key V1-----
</tls-auth>

@ausbin
Owner

ausbin commented Jan 20, 2018

if i run

$ ip link set dev enx503f560224e5 down

as my (non-root) user, I get exit code 2, so I wonder if it's a permissions issue. Like in particular, if one of the capabilities is missing from the service file.

Try changing the CapabilityBoundingSet line in /etc/systemd/system/openvpn@.service to just

CapabilityBoundingSet=

this will reset the list of allowed capabilities from the ones configured in /lib/systemd/system/openvpn@.service

@ausbin
Owner

ausbin commented Jan 20, 2018

you'll have to do a systemctl daemon-reload when you change systemd units btw

@zilexa
Author

zilexa commented Jan 20, 2018

You mean I should create /etc/systemd/system/openvpn@.service? Because until now, I have put openvpn@.service in /lib/systemd/system/.

If I simply copy that version to /etc/systemd/system/ and only change CapabilityBoundingSet= and leave the old version as is, I get the same behavior.

but I am not sure if systemctl will actually look at the newly created file /etc/systemd/system/openvpn@.service.

I did do:

root@Raspberry:/# nano /etc/systemd/system/openvpn@.service
root@Raspberry:/# systemctl stop openvpn@nsvpn
root@Raspberry:/# systemctl disable openvpn@nsvpn
root@Raspberry:/# systemctl disable [email protected]
Removed /etc/systemd/system/multi-user.target.wants/[email protected].
root@Raspberry:/# systemctl daemon-reload
root@Raspberry:/# systemctl start openvpn@nsvpn
Enter Auth Username: myusername
Enter Auth Password: *********
root@Raspberry:/# systemctl status openvpn@nsvpn
● openvpn@nsvpn.service - OpenVPN connection to nsvpn
   Loaded: loaded (/lib/systemd/system/openvpn@.service; disabled; vendor preset: enabled)
   Active: active (running) since Sat 2018-01-20 20:15:50 GMT; 6s ago
  Process: 5335 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/nsvpn.conf --daemon openvpn@nsvpn --writepid /run/openvpn@nsvpn.pid --status-version 2 (code=exited, stat
 Main PID: 5338 (openvpn)
   CGroup: /system.slice/system-openvpn.slice/openvpn@nsvpn.service
           └─5338 /usr/sbin/openvpn --cd /etc/openvpn --config /etc/openvpn/nsvpn.conf --daemon openvpn@nsvpn --writepid /run/openvpn@nsvpn.pid --status-version 2

Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: OPTIONS IMPORT: data channel crypto options modified
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=eth0 HWADDR=b8:27:eb:e3:cb:07
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: TUN/TAP device tun0 opened
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: TUN/TAP TX queue length set to 100
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 20 20:15:52 Raspberry openvpn@nsvpn[5338]: Initialization Sequence Completed

@ausbin
Owner

ausbin commented Jan 20, 2018

Only the operating system should be managing .service files in /lib/systemd/system/. If it works it works I guess, but I wouldn't do that

and it does look at it: https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Unit%20File%20Load%20Path

@ausbin
Owner

ausbin commented Jan 20, 2018

I'm not sure what to try next tho. Might be a good idea to get the environmental variables openvpn is passing to vpn-ns and then run vpn-ns in a shell with those environmental variables to see how it behaves (hopefully it will produce a helpful error message). that's how i originally wrote the script at least -- i just set up and route-up to run some script that ran env >/tmp/env or something instead
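One way to do what the previous comment suggests, as an added example that is neither nsdo's code nor from the blog: a wrapper installed in front of the real up/route-up command that snapshots the environment and arguments OpenVPN passes, runs the real script, records its exit status, and lets the same call be replayed from an interactive shell with the daemon's exact environment. That includes PATH, the usual reason a bare `ip` resolves at the prompt but not under the service. The wrapper path /usr/local/bin/ovpn-debug-hook and the record directory /run/ovpn-debug are assumptions. One caveat worth knowing: the unit in this thread sets PrivateTmp=true, so anything the hook writes to /tmp lands in a per-service private directory that a normal shell never sees, which is why the records go under /run.

```sh
#!/bin/sh
# ovpn-debug-hook (added example; hypothetical path /usr/local/bin/ovpn-debug-hook).
# In the OpenVPN config, put it in front of the real script:
#   up       "/usr/local/bin/ovpn-debug-hook /usr/local/bin/vpn-ns"
#   route-up "/usr/local/bin/ovpn-debug-hook /usr/local/bin/vpn-ns"
# OpenVPN appends its own arguments (dev tun_mtu link_mtu local netmask init),
# so $1 is the real script and the rest is what the real script normally gets.
#
# Records go under /run, not /tmp: the unit sets PrivateTmp=true, so the /tmp
# the service writes to is not the /tmp an interactive shell sees.
RECORD_DIR=${RECORD_DIR:-/run/ovpn-debug}

# Variables OpenVPN exports to scripts (openvpn(8), "Environmental Variables"),
# plus PATH, which decides whether a bare `ip` inside the script resolves.
OVPN_VAR_RE='^(script_type|script_context|dev|dev_type|tun_mtu|link_mtu|ifconfig_[a-z0-9_]+|route_[a-z0-9_]+|trusted_(ip|port)|untrusted_(ip|port)|foreign_option_[0-9]+|daemon(_[a-z_]+)?|config|verb|proto_[0-9]+|remote_[0-9]+|remote_port_[0-9]+|local_port_[0-9]+|common_name|time_unix|PATH)='

# shell_quote STRING: single-quote STRING so `.` and `eval` read it back intact.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# record_ovpn_env FILE [ARG...]: write a sourceable snapshot holding the hook's
# positional arguments (as ovpn_args) and every matching exported variable.
record_ovpn_env() {
    out=$1; shift
    {
        args=""
        for a in "$@"; do args="$args $(shell_quote "$a")"; done
        printf 'ovpn_args=%s\n' "$(shell_quote "$args")"
        env | grep -E "$OVPN_VAR_RE" | LC_ALL=C sort |
        while IFS='=' read -r name value; do
            printf 'export %s=%s\n' "$name" "$(shell_quote "$value")"
        done
    } > "$out"
}

# replay_hook FILE CMD: start from an empty environment, load the snapshot and
# run CMD with the recorded variables and arguments. Returns CMD's exit status.
replay_hook() {
    env -i /bin/sh -c '. "$1"; eval "set -- $ovpn_args"; exec "$0" "$@"' "$2" "$1"
}

# Hook mode: OpenVPN sets script_type for every script it runs.
if [ -n "${script_type-}" ] && [ "$#" -ge 1 ]; then
    real=$1; shift
    mkdir -p "$RECORD_DIR"
    rec="$RECORD_DIR/$script_type.env"
    record_ovpn_env "$rec" "$@"
    "$real" "$@"
    rc=$?
    printf '# %s exited with status %s\n' "$real" "$rc" >> "$rec"
    exit "$rc"
fi
```

After one connection attempt, /run/ovpn-debug/route-up.env holds the exact call; replaying it as root with `replay_hook /run/ovpn-debug/route-up.env /usr/local/bin/vpn-ns` (after sourcing the wrapper) reproduces the failure outside OpenVPN, and adding `set -x` at the top of vpn-ns then shows which `ip` invocation returns 2. If the replay succeeds from a shell but the hook still fails under the service, the difference is the sandbox (capability bounding set, PrivateTmp), not the script.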

@zilexa
Author

zilexa commented Jan 21, 2018

I believe I made a mistake interpreting your blog.
I added CAP_SYS_ADMIN to the only openvpn@.service file I could find on my system (which was in /lib/systemd/system). Then I created the file /etc/systemd/system/openvpn@.service.d/netns.conf (note there was no openvpn@.service file in /etc/systemd/system on my machine) and copied the contents from your blog (also containing CAP_SYS_ADMIN).

I actually tested all of the above on DietPi, which is also Debian Stretch based but not as "clean" Debian Stretch as OSMC is, so I am going to start over on a clean OSMC system now and I want to make sure I make no mistakes understanding the steps from your blog.

As you explained I should not manually change files in /lib/... BUT: re-reading your blog I believe I should not change any openvpn@.service file at all, I should only create the drop-in unit in /etc/systemd/system/openvpn@.service.d/netns.conf and see if that works, right?
I am going to do that now and follow the other steps on an untouched OSMC device.

If I end up with the same result I will do more trial and error to get the up script working.

@zilexa
Author

zilexa commented Jan 21, 2018

So that went really smooth (and makes more sense). Also on OSMC, openvpn is located in usr/bin just like in your blog (on DietPi it was usr/sbin). I only created the drop-in unit and followed the other steps.

I still get the same error Failed running command (--route-up): external program exited with error status: 2. I will try the method you described to get a more useful error message.

also the netns script you provide says

        echo "$0: unknown \$script_type: '$script_type'" >&2
        exit 2;

And I am getting errorcode 2 so the issue must be with the case above this part.

my output now:

Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY EKU OK
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: VERIFY OK: depth=0, C=PA, ST=PA, L=Panama, O=NordVPN, OU=NordVPN, CN=se65.nordvpn.com, name=NordVPN, [email protected]
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jan 21 01:49:46 Vero ovpn-nsnordvpn[4932]: [se65.nordvpn.com] Peer Connection Initiated with [AF_INET]196.196.244.12:1194
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: SENT CONTROL [se65.nordvpn.com]: 'PUSH_REQUEST' (status=1)
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,dhcp-option DNS 78.46.223.24,dhcp-option DNS 162.242
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: timers and/or timeouts modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Socket Buffers: R=[212992->1048576] S=[212992->1048576]
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ifconfig/up options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: route-related options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: peer-id set
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: adjusting link_mtu to 1657
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: OPTIONS IMPORT: data channel crypto options modified
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=wlan0 HWADDR=cc:b8:a8:11:64:48
Jan 21 01:49:47 Vero connmand[388]: tun0 {create} index 4 type 65534 <NONE>
Jan 21 01:49:47 Vero connmand[388]: tun0 {update} flags 4240 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 address 00:00:00:00:00:00 mtu 1500
Jan 21 01:49:47 Vero connmand[388]: tun0 {newlink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP device tun0 opened
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: TUN/TAP TX queue length set to 100
Jan 21 01:49:47 Vero ovpn-nsnordvpn[4932]: /usr/local/bin/vpn-ns tun0 1500 1585 10.8.8.116 255.255.255.0 init
Jan 21 01:49:47 Vero connmand[388]: tun0 {dellink} index 4 operstate 2 <DOWN>
Jan 21 01:49:47 Vero connmand[388]: (null) {remove} index 4
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: WARNING: Failed running command (--route-up): external program exited with error status: 2
Jan 21 01:49:48 Vero ovpn-nsnordvpn[4932]: Initialization Sequence Completed
Jan 21 01:49:55 Vero sudo[4963]:     osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/systemctl status openvpn@nsnordvpn
Jan 21 01:49:55 Vero sudo[4963]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)
Jan 21 01:50:35 Vero sudo[4963]: pam_unix(sudo:session): session closed for user root
Jan 21 01:50:52 Vero sudo[5038]:     osmc : TTY=pts/0 ; PWD=/home ; USER=root ; COMMAND=/bin/journalctl -xe
Jan 21 01:50:52 Vero sudo[5038]: pam_unix(sudo:session): session opened for user root by osmc(uid=0)

@zilexa
Author

zilexa commented Jan 22, 2018

The issue with the script is probably due to no $PATH.

I want to try to replace the variables in the net-ns script with absolute values.
$1 --> should this be the IP address range or just 24 or eth0?
$ns --> should this be (in my example) [email protected]?
$tun_mtu --> should this be mtu0?

@zilexa
Author

zilexa commented Aug 10, 2018

I never got this working, gave up a week later in January, but I would like to try again. Just wonder if more people have tried using your nsdo on Debian Stretch?
