I’m trying to use my AzireVPN connection from the command line. It is a simple openvpn call with a config file that has been created by Azire and downloaded by me. However, in this file there is a reference to /etc/openvpn/update-resolv-conf . But I do not have that file. In fact my openvpn folder only contains 2 subfolders (server and client), but no files at all. I tried to remove the 2 lines that refer to this file, but then the connection attempt fails at some point. See my config file and the error message below. Tried reinstalling OpenVPN but no difference. Still the /etc/openvpn directory is only containing server and client subfolders, nothing else.
Any ideas? Thanks.
**Config file** (sorry, cannot attach anything):
# AzireVPN.com configuration generator
# Location: switzerland
# Protocol: udp
# Port: random
# DNS-leak protection: yes
client
dev tun
proto udp
remote ch1.ovpn.azirevpn.net 1194
remote ch1.ovpn.azirevpn.net 443
resolv-retry infinite
auth-user-pass
nobind
persist-key
persist-tun
remote-cert-tls server
reneg-sec 0
keepalive 10 60
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
mute-replay-warnings
explicit-exit-notify 3
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
...
And here’s the error message from openvpn:
werner@werner-manjaro:/etc/openvpn$ openvpn --config ~/Downloads/AzireVPN-ch1.ovpn
Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.
Ok… thanks. And can I figure out which one I’m using? What is this even doing? I have no idea. Isn’t Manjaro using systemd? I just downloaded that config file from Azire… not sure they know which one to use?!
Then its basically 2 steps …
-install openresolv (this should conflict with and automatically replace systemd-resolvconf)
-install the aur package above (or create the file manually)
(the setup may be made to work with systemd-resolvd & update-systemd-resolved instead … but if we are just going by the vpn instructions/assumptions … the above will get you there)
Tried that. Doesn’t work…
Just want to mention that this wiki page explicitly warns about a conflict between openresolv and the systemd-managed resolv file (I’m just throwing these words around like I know what I’m talking about…).
This is what happens:
werner@werner-manjaro:~$ openvpn --config ~/Downloads/AzireVPN-ch1.ovpn
2021-11-14 18:30:51 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-11-14 18:30:51 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 5 2021
2021-11-14 18:30:51 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
Enter Auth Username: F9XXXXXXG6
🔐 Enter Auth Password: ********
2021-11-14 18:31:13 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-11-14 18:31:13 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-14 18:31:13 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-14 18:31:14 TCP/UDP: Preserving recently used remote address: [AF_INET]45.15.18.3:1194
2021-11-14 18:31:14 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-11-14 18:31:14 UDP link local: (not bound)
2021-11-14 18:31:14 UDP link remote: [AF_INET]45.15.18.3:1194
2021-11-14 18:31:14 TLS: Initial packet from [AF_INET]45.15.18.3:1194, sid=6b35c72a de29c0f4
2021-11-14 18:31:14 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, emailAddress=info@azirevpn.com
2021-11-14 18:31:14 VERIFY KU OK
2021-11-14 18:31:14 Validating certificate extended key usage
2021-11-14 18:31:14 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-11-14 18:31:14 VERIFY EKU OK
2021-11-14 18:31:14 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN, CN=ovpn.azirevpn.net, name=AzireVPN, emailAddress=info@azirevpn.com
2021-11-14 18:31:14 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2021-11-14 18:31:14 [ovpn.azirevpn.net] Peer Connection Initiated with [AF_INET]45.15.18.3:1194
2021-11-14 18:31:15 SENT CONTROL [ovpn.azirevpn.net]: 'PUSH_REQUEST' (status=1)
2021-11-14 18:31:15 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 100.73.33.1,dhcp-option DNS6 2a0e:1c80:a:1011::1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway 100.73.33.1,topology subnet,ping 10,ping-restart 30,ifconfig-ipv6 2a0e:1c80:a:1011::1007/64 2a0e:1c80:a:1011::1,ifconfig 100.73.33.9 255.255.255.0,peer-id 8,cipher AES-256-GCM'
2021-11-14 18:31:15 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-11-14 18:31:15 OPTIONS IMPORT: timers and/or timeouts modified
2021-11-14 18:31:15 OPTIONS IMPORT: --ifconfig/up options modified
2021-11-14 18:31:15 OPTIONS IMPORT: route options modified
2021-11-14 18:31:15 OPTIONS IMPORT: route-related options modified
2021-11-14 18:31:15 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-11-14 18:31:15 OPTIONS IMPORT: peer-id set
2021-11-14 18:31:15 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-11-14 18:31:15 OPTIONS IMPORT: data channel crypto options modified
2021-11-14 18:31:15 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-11-14 18:31:15 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-14 18:31:15 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-14 18:31:15 net_route_v4_best_gw query: dst 0.0.0.0
2021-11-14 18:31:15 net_route_v4_best_gw result: via 192.168.0.1 dev enp5s0
2021-11-14 18:31:15 ROUTE_GATEWAY 192.168.0.1/255.255.255.0 IFACE=enp5s0 HWADDR=54:04:a6:a4:5d:73
2021-11-14 18:31:15 GDG6: remote_host_ipv6=n/a
2021-11-14 18:31:15 net_route_v6_best_gw query: dst ::
2021-11-14 18:31:15 net_route_v6_best_gw result: via fe80::3a43:7dff:feca:f26 dev enp5s0
2021-11-14 18:31:15 ROUTE6_GATEWAY fe80::3a43:7dff:feca:f26 IFACE=enp5s0
2021-11-14 18:31:15 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2021-11-14 18:31:15 Exiting due to fatal error
werner@werner-manjaro:~$
Just want to say that I can get a connection via the GUI client, so Azire and my account are working. But I'd like to do the connection via script on logon.
You know, I love Linux with all my heart. But some things are (unnecessarily?) complicated as hell. Great that people like you are around to help out. I must admit I should have thought about sudo myself, since the gui client also asks for root privileges.
To be fair the guide you were using (actually it was never linked?) seems to assume you are using deprecated software … and further seems to suggest you do so … and they also probably assume you are using ubuntu, because thats the only linux of course. All of that is sorta on them, even down to the quality of documentation.
If it were using modern standards … not only would the docs reflect that and you wouldnt need to replace a package … but automation through systemd (let alone polkit) would mean you could have it autostart/etc and the sudo thing wouldnt have been an issue either.
