openvpn from version 2.3.7 did not ask for the passphrase which is required for the key if started by init-script (openrc).

Reproducible: Always

Steps to Reproduce:
1. Update openvpn from 2.3.6 to 2.3.7
2. Use vpn-config with key which requires passphrase

Actual Results:
See openvpn starting via init-script:

 * Starting openvpn.vpn1... [ ok ]
 * WARNING: openvpn.vpn1 has started, but is inactive

openvpn[26264]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[26264]: Error: private key password verification failed
openvpn[26264]: Exiting due to fatal error

Expected Results:
Passphrase-request and working VPN-client

OpenVPN seems to need "askpass" as option, but this did not work, while stdin is not available during init-script:

openvpn[26561]: Options error: --askpass fails with 'stdin': No such file or directory
openvpn[26561]: Options error: Please correct these errors.

The patch in
https://community.openvpn.net/openvpn/ticket/248
http://thread.gmane.org/gmane.network.openvpn.devel/9918
did fix the stdin-error above, but did not allow to enter passphrase.

Already tried to start openvpn with
--daemon --askpass --config CONFIG-FILE
results in the same issue.

Maybe also related:
http://sourceforge.net/p/openvpn/mailman/message/34294347/
Apologies, this is upstream breakage (specifically, --daemon with password-protected keys and/or --auth-user-pass is broken in 2.3.7).

To fix, you want these patches from git release/2.3 branch:

commit dda40aedfb87d77afcef52376cd3e4778ba0370b
Author: Gert Doering <gert@greenie.muc.de>
    Document --daemon changes and consequences (--askpass, --auth-nocache).

commit 4d093fff305a3054d88ae2c803665cf90d512c7e
Author: James Geboski <jgeboski@gmail.com>
    Fix --askpass not allowing for password input via stdin

commit b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6
Author: Gert Doering <gert@greenie.muc.de>
    Produce a meaningful error message if --daemon gets in the way of asking for passwords.

commit 7bde2e1b19e66af22c26c90e1187a4365c9087fc
Author: Steffan Karger <steffan@karger.me>
    fix regression: query password before becoming daemon

*and* you need to run openvpn with the "--askpass" option - otherwise it won't know that it needs to ask for the pass phrase (more explanation is in the git commits).

Again, apologies for the breakage - we had to swap crypto init and daemon() to ensure we never fork after initializing openssl - because that breaks FreeBSD's cryptodev (and makes pkcs#11 more complicated), and there is no other way to fix it. "Caught between a rock and a hard place".
looks like 2.3.8 is available with all the fixes now.
please test 2.3.8, just added to the tree (should have the fix)
I upgraded from 2.3.6 to 2.3.7 and was not asked for password and got

openvpn[11087]: ERROR: could not read Auth username from stdin
openvpn[11087]: Exiting due to fatal error

Upgraded one version further to 2.3.8 -> works again

Please do not mark 2.3.7 as stable
openvpn-2.3.8 works as expected, but needs changing configfile (add askpass to config) if the key requires a passphrase. As openvpn fails if askpass is configured, but the key did not need any passphrase this could not be done "automatically" via init-script. Maybe we should add a post-message/news about this.
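The mismatch described in the comment above (key needs a passphrase but the config lacks askpass, or askpass is set for a key without one) can be detected before starting the daemon. This is an added example, not part of this thread, the Gentoo init script or OpenVPN; the function names and sample files are hypothetical, and it assumes an unquoted "key <file>" directive with relative paths resolved against the config file's directory.

```shell
#!/bin/sh
# Added example, not part of the Gentoo init script or of OpenVPN.
# Assumptions: the key is given as an unquoted "key <file>" directive, and
# relative paths are resolved against the config file's directory.

# Exit 0 if FILE is a passphrase-protected PEM private key: traditional
# OpenSSL PEM carries "Proc-Type: 4,ENCRYPTED", PKCS#8 an ENCRYPTED header.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Print ok, missing-askpass, unneeded-askpass or no-key for CONFIG.
check_askpass() {
    cfg=$1
    # First "key" directive; commented lines ("#key", "; key") do not match.
    key=$(awk '$1 == "key" { print $2; exit }' "$cfg")
    case $key in "") echo no-key; return 0 ;; /*) ;; *) key=$(dirname "$cfg")/$key ;; esac
    [ -r "$key" ] || { echo no-key; return 0; }
    if grep -Eq '^[[:space:]]*askpass([[:space:]]|$)' "$cfg"; then has=yes; else has=no; fi
    if key_is_encrypted "$key"; then want=yes; else want=no; fi
    case $want$has in
        yesno) echo missing-askpass ;;   # key needs a passphrase, config lacks askpass
        noyes) echo unneeded-askpass ;;  # askpass set, key has none (reported above to fail)
        *)     echo ok ;;
    esac
}

# Constructed sample files (PEM headers only, no real key material).
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$1/plain.key"
    printf '%s\n' 'client' 'key enc.key' > "$1/a.conf"
    printf '%s\n' 'client' 'key enc.key' 'askpass' > "$1/b.conf"
    printf '%s\n' 'client' 'key plain.key' 'askpass' > "$1/c.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for c in a b c; do echo "$c.conf: $(check_askpass "$tmp/$c.conf")"; done
rm -rf "$tmp"
```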
mh... I see my description was not precise enough:

/etc/init.d/openvpn.foobar start

2.3.6 and 2.3.8 ask for my credentials on console, meaning I type in user+pass

2.3.7 does not even try to ask for a username and silently fails, only log shows it got no username -- well, because it didn't even try and ask