No /etc/openvpn/update-resolv-conf


I’m trying to use my AzireVPN connection from the command line. It is a simple openvpn call with a config file that has been created by Azire and downloaded by me. However, in this file there is a reference to /etc/openvpn/update-resolv-conf . But I do not have that file. In fact my openvpn folder only contains 2 subfolders (server and client), but no files at all. I tried to remove the 2 lines that refer to this file, but then the connection attempt fails at some point. See my config file and the error message below. Tried reinstalling OpenVPN but no difference. Still the /etc/openvpn directory is only containing server and client subfolders, nothing else.

Any ideas? Thanks.

**Config file** (sorry, cannot attach anything):
# configuration generator
# Location: switzerland
# Protocol: udp
# Port: random
# DNS-leak protection: yes

dev tun
proto udp
remote 1194
remote 443
resolv-retry infinite
remote-cert-tls server
reneg-sec 0
keepalive 10 60

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

explicit-exit-notify 3

cipher AES-256-CBC
auth SHA512
tls-version-min 1.2


And here’s the error message from openvpn:

werner@werner-manjaro:/etc/openvpn$ openvpn --config ~/Downloads/AzireVPN-ch1.ovpn 
Options error: --up script fails with '/etc/openvpn/update-resolv-conf': No such file or directory (errno=2)
Options error: Please correct this error.
Use --help for more information.

You can make it yourself, or get it from the AUR

(this also depends on whether you are using systemd-resolvconf or resolvconf … I suppose if it wants update-resolve-conf … then it must be resolvconf)

Ok… thanks. And can I figure out which one I’m using? What is this even doing? I have no idea. Isn’t Manjaro using systemd? I just downloaded that config file from Azire… not sure they know which one to use?!

I guess you could just check which is installed

pacman -Qs resolv

And yes we use systemd … but some things can be done with or without systemd … resolvconf is one of them.

werner@werner-manjaro:~$ pacman -Qs resolv
local/geoip 1.6.12-2
    Non-DNS IP-to-country resolver C library & utils
local/libmicrodns 0.2.0-1
    Minimal mDNS resolver library
local/python-geoip 1.3.2-10
    Python bindings for the GeoIP IP-to-country resolver library
local/python-resolvelib 0.5.5-1
    Resolve abstract dependencies into concrete ones
local/systemd-resolvconf 249.4-2
    systemd resolvconf replacement (for use with systemd-resolved)

Guess that means the systemd-version is installed? Puh. That wiki-page really scares the sh… out of me :wink:

Then its basically 2 steps …
-install openresolv (this should conflict with and automatically replace systemd-resolvconf)
-install the aur package above (or create the file manually)

(the setup may be made to work with systemd-resolvd & update-systemd-resolved instead … but if we are just going by the vpn instructions/assumptions … the above will get you there)

Tried that. Doesn’t work…
Just want to mention that this wiki page explicitly warns about a conflict between openresolv and the systemd-managed resolv file (I’m just throwing these words around like I know what I’m talking about…).

This is what happens:

werner@werner-manjaro:~$ openvpn --config ~/Downloads/AzireVPN-ch1.ovpn 
2021-11-14 18:30:51 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-11-14 18:30:51 OpenVPN 2.5.4 [git:makepkg/3f7a85b9aebe7be0+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
2021-11-14 18:30:51 library versions: OpenSSL 1.1.1l  24 Aug 2021, LZO 2.10
Enter Auth Username: F9XXXXXXG6
🔐 Enter Auth Password: ********                
2021-11-14 18:31:13 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-11-14 18:31:13 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-14 18:31:13 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-11-14 18:31:14 TCP/UDP: Preserving recently used remote address: [AF_INET]
2021-11-14 18:31:14 Socket Buffers: R=[212992->212992] S=[212992->212992]
2021-11-14 18:31:14 UDP link local: (not bound)
2021-11-14 18:31:14 UDP link remote: [AF_INET]
2021-11-14 18:31:14 TLS: Initial packet from [AF_INET], sid=6b35c72a de29c0f4
2021-11-14 18:31:14 VERIFY OK: depth=1, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN,, name=AzireVPN,
2021-11-14 18:31:14 VERIFY KU OK
2021-11-14 18:31:14 Validating certificate extended key usage
2021-11-14 18:31:14 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-11-14 18:31:14 VERIFY EKU OK
2021-11-14 18:31:14 VERIFY OK: depth=0, C=SE, ST=Stockholm, L=Stockholm, O=AzireVPN, OU=AzireVPN,, name=AzireVPN,
2021-11-14 18:31:14 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 4096 bit RSA, signature: RSA-SHA256
2021-11-14 18:31:14 [] Peer Connection Initiated with [AF_INET]
2021-11-14 18:31:15 SENT CONTROL []: 'PUSH_REQUEST' (status=1)
2021-11-14 18:31:15 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS,dhcp-option DNS6 2a0e:1c80:a:1011::1,redirect-gateway ipv6,route-ipv6 2000::/3,tun-ipv6,route-gateway,topology subnet,ping 10,ping-restart 30,ifconfig-ipv6 2a0e:1c80:a:1011::1007/64 2a0e:1c80:a:1011::1,ifconfig,peer-id 8,cipher AES-256-GCM'
2021-11-14 18:31:15 WARNING: You have specified redirect-gateway and redirect-private at the same time (or the same option multiple times). This is not well supported and may lead to unexpected results
2021-11-14 18:31:15 OPTIONS IMPORT: timers and/or timeouts modified
2021-11-14 18:31:15 OPTIONS IMPORT: --ifconfig/up options modified
2021-11-14 18:31:15 OPTIONS IMPORT: route options modified
2021-11-14 18:31:15 OPTIONS IMPORT: route-related options modified
2021-11-14 18:31:15 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-11-14 18:31:15 OPTIONS IMPORT: peer-id set
2021-11-14 18:31:15 OPTIONS IMPORT: adjusting link_mtu to 1624
2021-11-14 18:31:15 OPTIONS IMPORT: data channel crypto options modified
2021-11-14 18:31:15 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-11-14 18:31:15 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-14 18:31:15 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-11-14 18:31:15 net_route_v4_best_gw query: dst
2021-11-14 18:31:15 net_route_v4_best_gw result: via dev enp5s0
2021-11-14 18:31:15 ROUTE_GATEWAY IFACE=enp5s0 HWADDR=54:04:a6:a4:5d:73
2021-11-14 18:31:15 GDG6: remote_host_ipv6=n/a
2021-11-14 18:31:15 net_route_v6_best_gw query: dst ::
2021-11-14 18:31:15 net_route_v6_best_gw result: via fe80::3a43:7dff:feca:f26 dev enp5s0
2021-11-14 18:31:15 ROUTE6_GATEWAY fe80::3a43:7dff:feca:f26 IFACE=enp5s0
2021-11-14 18:31:15 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1)
2021-11-14 18:31:15 Exiting due to fatal error

Just want to say that I can get a connection via the GUI client, so Azire and my account are working. But I'd like to do the connection via script on logon.

It seems to work fine … except for one thing:

what about with sudo ? openvpn and messing with your network would require privileges…

sudo openvpn --config ~/Downloads/AzireVPN-ch1.ovpn

Holy moly. That works! Thanks so much.

You know, I love Linux with all my heart. But some things are (unnecessarily?) complicated as hell. Great that people like you are around to help out. I must admit I should have thought about sudo myself, since the gui client also asks for root privileges.

To be fair the guide you were using (actually it was never linked?) seems to assume you are using deprecated software … and further seems to suggest you do so … and they also probably assume you are using ubuntu, because thats the only linux of course. All of that is sorta on them, even down to the quality of documentation.
If it were using modern standards … not only would the docs reflect that and you wouldnt need to replace a package … but automation through systemd (let alone polkit) would mean you could have it autostart/etc and the sudo thing wouldnt have been an issue either.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.