It appears that the referenced file does not exist in the current working directory.
Is your intention to reference a file that is also in the same directory as the config (.ovpn) file? If so, based on your command line, it does not appear that these files are actually in ./ but rather in configs/.
As a better approach, I believe you may want to use the --cd option to have openvpn change working directories before opening any files.
OpenVPN per client traffic control
To have a simple solution for traffic control on a per client basis, you could do something like the following. This solution only works for a /24 VPN subnet. Tested on Ubuntu 14.04.
OpenVPN server example configuration:
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
keepalive 10 60
comp-lzo
persist-key
persist-tun
log /var/log/openvpn.log
verb 3
#user openvpn
#group nogroup
script-security 2
down-pre
up /etc/openvpn/tc.sh
down /etc/openvpn/tc.sh
client-connect /etc/openvpn/tc.sh
client-disconnect /etc/openvpn/tc.sh
Traffic control script /etc/openvpn/tc.sh:
#!/bin/bash
TC=$(which tc)
interface="$dev"
interface_speed="100mbit"
client_ip="$trusted_ip"
client_ip_vpn="$ifconfig_pool_remote_ip"
download_limit="512kbit"
upload_limit="10mbit"
handle=`echo "$client_ip_vpn" | cut -d. -f4`
function start_tc {
tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
[ "$?" -gt "0" ] && tc qdisc del dev $interface root; sleep 1
$TC qdisc add dev $interface root handle 1: htb default 30
$TC class add dev $interface parent 1: classid 1:1 htb rate $interface_speed burst 15k
$TC class add dev $interface parent 1:1 classid 1:10 htb rate $download_limit burst 15k
$TC class add dev $interface parent 1:1 classid 1:20 htb rate $upload_limit burst 15k
$TC qdisc add dev $interface parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $interface parent 1:20 handle 20: sfq perturb 10
}
function stop_tc {
tc qdisc show dev $interface | grep -q "qdisc pfifo_fast 0"
[ "$?" -gt "0" ] && tc qdisc del dev $interface root
}
function filter_add {
$TC filter add dev $interface protocol ip handle ::${handle} parent 1: prio 1 u32 match ip ${1} ${2}/32 flowid 1:${3}
}
function filter_del {
$TC filter del dev $interface protocol ip handle 800::${handle} parent 1: prio 1 u32
}
function ip_add {
filter_add "dst" $client_ip_vpn "10"
filter_add "src" $client_ip_vpn "20"
}
function ip_del {
filter_del
filter_del
}
if [ "$script_type" == "up" ]; then
start_tc
elif [ "$script_type" == "down" ]; then
stop_tc
elif [ "$script_type" == "client-connect" ]; then
ip_add
elif [ "$script_type" == "client-disconnect" ]; then
ip_del
fi
Note, this a very simple script for tc testing purposes, a more sophisticated approach for OpenVPN traffic control can be found in this answer.
Make the script executable:
chmod +x /etc/openvpn/tc.sh
Running script as root in unprivileged mode
If you run OpenVPN in unprivileged mode and the script needs to be run as root, modify the following directives in the server configuration:
user openvpn
group nogroup
up "/usr/bin/sudo /etc/openvpn/tc.sh"
down "/usr/bin/sudo /etc/openvpn/tc.sh"
client-connect "/usr/bin/sudo /etc/openvpn/tc.sh"
client-disconnect "/usr/bin/sudo /etc/openvpn/tc.sh"
Add an unprivileged user named openvpn:
useradd -s /usr/sbin/nologin -r -M -d /dev/null openvpn
Edit /etc/sudoers with command visudo, add the following line:
# User privilege specification
openvpn ALL=NOPASSWD: /etc/openvpn/tc.sh
Save and quit with Ctrl+x, y
Make the script only writable by root:
chown root:root /etc/openvpn/tc.sh
chmod 700 /etc/openvpn/tc.sh
Please note that this might open a security hole and could possibly be comparable to running OpenVPN as root. Although it looks quite safe to me, but there are always people with better eyes :)
Troubleshooting
The script should be run as root now, you can troubleshoot it by adding the following lines to the beginning of your tc.sh script:
#!/bin/bash
exec >>/tmp/ov.log 2>&1
chmod 666 /tmp/ov.log 2>/dev/null
echo
date
id
echo "PATH=$PATH"
printenv
As soon as the server is started for the first time, you can tail the logs:
tail -f /var/log/openvpn.log /tmp/ov.log
Best Answer
I was having the same issue here, 3 years later, so I'll post the answer here.
If you're able to run/test using "openvpn --config ", but systemd keeps telling you that there's an error in the first line, it's not. It's SELinux fault.
For a simple way to test this hypothesis you can set selinux in permissive mode instead of enforcing and after a reboot you'll see openvpn up and running.
After that you can fiddle around your selinux rules if you want to/if it's the real deal server or just keep as it is if you don't care about it.