danez n00b
Joined: 23 Mar 2018 Posts: 3
Posted: Fri Mar 23, 2018 10:24 am Post subject: Sshd not starting on openvpn network with systemd |
Hello,
I have had a new server for some months, and this was the first time I set up Gentoo with systemd. Most stuff worked, some stuff still doesn't work reliably (like the network interface eth0 cannot be renamed to en* on boot because it is busy), but for most things I found workarounds.
One thing that I haven't figured out yet is how to reliably start sshd after the openvpn link is up so that sshd can bind to the VPN network address. This worked fine on my old server with openrc, but with systemd there seem to be timing race conditions, as it works 3 or 4 times out of 10.
So far I have already added this systemd unit extension, but that doesn't seem to help much, as even though the network interface is up it seems not to have an IP assigned yet.
/etc/systemd/system/sshd.service.d/00openvpn.conf
Code:
[Unit]
Wants=sys-devices-virtual-net-tun0.device sys-subsystem-net-devices-tun0.device
After=sys-devices-virtual-net-tun0.device sys-subsystem-net-devices-tun0.device
Here is a snippet of my systemlog:
Code:
Mar 23 09:46:43 bifrost systemd[1]: Started Wait for Network to be Configured.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Network is Online.
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Synchronized to time server 78.46.204.247:123 (0.gentoo.pool.ntp.org).
Mar 23 09:46:43 bifrost systemd[1]: Starting OpenVPN service for gateway...
Mar 23 09:46:43 bifrost openvpn[1890]: OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 9 2018
Mar 23 09:46:43 bifrost openvpn[1890]: library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.09
Mar 23 09:46:43 bifrost systemd[1]: Started OpenVPN service for gateway.
Mar 23 09:46:43 bifrost openvpn[1890]: Diffie-Hellman initialized with 2048 bit key
Mar 23 09:46:43 bifrost openvpn[1890]: ROUTE_GATEWAY x.x.x.x/255.255.255.224 IFACE=enp3s0 HWADDR=x:x:x:x:x:x
Mar 23 09:46:43 bifrost openvpn[1890]: TUN/TAP device tun0 opened
Mar 23 09:46:43 bifrost openvpn[1890]: TUN/TAP TX queue length set to 100
Mar 23 09:46:43 bifrost openvpn[1890]: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mar 23 09:46:43 bifrost openvpn[1890]: /bin/ip link set dev tun0 up mtu 1500
Mar 23 09:46:43 bifrost systemd-udevd[1892]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Mar 23 09:46:43 bifrost systemd[1]: Found device /sys/subsystem/net/devices/tun0.
Mar 23 09:46:43 bifrost systemd[1]: Found device /sys/devices/virtual/net/tun0.
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Network configuration changed, trying to establish connection.
Mar 23 09:46:43 bifrost systemd[1]: Starting OpenSSH server daemon...
Mar 23 09:46:43 bifrost systemd-timesyncd[1689]: Synchronized to time server 62.138.205.79:123 (0.gentoo.pool.ntp.org).
Mar 23 09:46:43 bifrost systemd[1]: Started OpenSSH server daemon.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Multi-User System.
Mar 23 09:46:43 bifrost systemd[1]: Reached target Graphical Interface.
Mar 23 09:46:43 bifrost systemd[1]: Startup finished in 3.869s (kernel) + 17.921s (userspace) = 21.790s.
Mar 23 09:46:43 bifrost sshd[1896]: Bind to port 22 on 10.0.51.1 failed: Cannot assign requested address.
Mar 23 09:46:43 bifrost sshd[1896]: Cannot bind any address.
Mar 23 09:46:43 bifrost systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Mar 23 09:46:43 bifrost systemd[1]: sshd.service: Failed with result 'exit-code'.
I'm using systemd 237 if it matters.
Does anyone have an idea or a workaround? I thought about setting a timer for sshd to start 30sec after boot, but that seems really ugly.
Or maybe it is possible to create my own target "vpn-online" similar to network-online?
danez n00b
Joined: 23 Mar 2018 Posts: 3
Posted: Fri Mar 23, 2018 11:01 am Post subject: |
Okay, it seems writing stuff down sometimes also helps finding new ways. I think I solved it now, but will test further. Here is what I have done:
Created new service
/etc/systemd/system/openvpn-online.service
Code:
[Unit]
Description=Wait for Openvpn to be Configured
DefaultDependencies=no
Conflicts=shutdown.target
Requires=sys-devices-virtual-net-tun0.device
After=sys-devices-virtual-net-tun0.device

[Service]
Type=oneshot
ExecStart=/lib/systemd/systemd-networkd-wait-online --interface=tun0 --quiet
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
and changed /etc/systemd/system/sshd.service.d/00openvpn.conf to
Code:
[Unit]
Wants=openvpn-online.service
After=openvpn-online.service
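As an added example (not danez's unit and not from anyone in this thread), here is a plain POSIX shell alternative to the openvpn-online.service approach: a script that polls until the interface actually carries the address sshd is going to bind, for use as ExecStartPre= in the sshd.service drop-in. systemd-networkd-wait-online is part of systemd-networkd and reports networkd's view of the link; this script only needs iproute2, so it behaves the same whether or not networkd considers tun0 managed. The interface name and address (tun0, 10.0.51.1) are taken from the log above; the script path, the 30 second default timeout and the ExecStartPre wiring are assumptions. Keep an After= on the OpenVPN unit in the same drop-in so the poll does not start before OpenVPN has been started.

```shell
#!/bin/sh
# wait-for-vpn-addr.sh: block until an interface carries a given IPv4 address.
# Added example for this thread, not danez's unit. Needs only sh and iproute2,
# so it works whether or not systemd-networkd manages tun0.
# Assumed wiring (not from the thread), in /etc/systemd/system/sshd.service.d/:
#   [Unit]
#   After=openvpn@gateway.service
#   [Service]
#   ExecStartPre=/usr/local/bin/wait-for-vpn-addr.sh tun0 10.0.51.1 30
# A timeout fails sshd.service with an explicit error instead of hanging boot;
# sshd would not have been able to bind 10.0.51.1 anyway.

# addr_present OUTPUT ADDR
# Return 0 if ADDR is listed as an inet address in OUTPUT, the text of
# `ip -o -4 addr show dev IFACE`. Handles both the subnet form
# "inet A/24 brd ..." and the point-to-point form "inet A peer B/32 ..."
# that OpenVPN's default net30 topology produces.
addr_present() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# wait_for_addr IFACE ADDR [TIMEOUT]
# Poll once per second until ADDR is present on IFACE; give up after TIMEOUT
# seconds (default 30) so a VPN that never comes up cannot stall the boot forever.
wait_for_addr() {
    iface=$1; addr=$2; timeout=${3:-30}
    n=0
    while [ "$n" -lt "$timeout" ]; do
        # stderr is discarded: the interface may not exist yet, which is not an error here
        if addr_present "$(ip -o -4 addr show dev "$iface" 2>/dev/null)" "$addr"; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    echo "wait-for-vpn-addr: $addr not present on $iface after ${timeout}s" >&2
    return 1
}

# Script entry point: wait-for-vpn-addr.sh IFACE ADDR [TIMEOUT]
if [ "$#" -ge 2 ]; then
    wait_for_addr "$@" || exit 1
fi
```

Because the check is on the address rather than on the device unit, it also covers the case in the log above where tun0 exists and is up but `ip addr add` has not run yet. If sshd.service carries Restart=on-failure, a timeout simply causes a retry later instead of leaving the service dead.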
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Fri Mar 23, 2018 11:13 am Post subject: |
Another solution would be to start sshd independently of openvpn and NOT to set ListenAddress in sshd_config, so that sshd listens on all local addresses.
danez n00b
Joined: 23 Mar 2018 Posts: 3
Posted: Fri Mar 23, 2018 11:14 am Post subject: |
mike155 wrote: Another way would be to start sshd independently of openvpn and NOT to set ListenAddress in sshd_config, so that sshd listens on all local addresses.
But that's the point of my configuration: I only want ssh to be available in the VPN network.
szatox Advocate
Joined: 27 Aug 2013 Posts: 3493
Posted: Fri Mar 23, 2018 9:01 pm Post subject: |
Danez, you can make it listen on all addresses and deny direct access on the firewall.
Usually you set the INPUT policy to DROP and then allow the traffic you want. E.g. you can decide to accept stuff coming in via tap0 or whatever interface openvpn creates for you and drop the rest.
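An added example of the approach szatox describes, written by the editor rather than by anyone in the thread: sshd listens on all addresses (no ListenAddress, as mike155 suggested) and an nftables ruleset with an INPUT policy of drop admits port 22 only from the VPN interface. Two details a practitioner needs that the post does not spell out: the OpenVPN port itself must be accepted on the uplink, otherwise the tunnel can never be established and the box is unreachable; and the ruleset has to be loaded before sshd is reachable, so the firewall unit should be ordered Before=network-pre.target (the systemd hook intended for firewalls) rather than after sshd. Assumptions not taken from the thread: the uplink is enp3s0 (the IFACE in danez's log), the VPN interface is tun0, OpenVPN listens on udp/1194, and nftables is used rather than iptables.

```shell
#!/bin/sh
# vpn-only-ssh.sh: "sshd listens everywhere, the firewall restricts it to the VPN".
# Added example for this thread, not szatox's own rules. Assumptions: uplink
# enp3s0, VPN interface tun0, OpenVPN on udp/1194, nftables available.

# ruleset UPLINK VPNIF VPNPORT: print an nftables ruleset suitable for `nft -f -`.
ruleset() {
    uplink=$1 vpnif=$2 vpnport=$3
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, loopback, and nothing malformed.
        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # ICMP/ICMPv6 so path MTU discovery and neighbour discovery keep working.
        meta l4proto { icmp, ipv6-icmp } accept

        # The tunnel endpoint must be reachable on the uplink, otherwise nothing
        # behind the VPN ever becomes reachable.
        iifname "$uplink" udp dport $vpnport accept

        # SSH only from inside the VPN. sshd may listen on 0.0.0.0 and ::;
        # port 22 arriving on the uplink is dropped by the chain policy.
        iifname "$vpnif" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# apply UPLINK VPNIF VPNPORT: syntax-check the ruleset first, then load it
# atomically (nft replaces the whole ruleset in one transaction).
apply() {
    ruleset "$@" | nft -c -f - || return 1
    ruleset "$@" | nft -f -
}

# Usage: vpn-only-ssh.sh [print|apply]; the default only prints for review.
case "${1:-print}" in
    print) ruleset enp3s0 tun0 1194 ;;
    apply) apply enp3s0 tun0 1194 ;;
esac
```

Running `vpn-only-ssh.sh print | nft -c -f -` before boot-time use catches syntax errors without touching the live ruleset. With this in place the sshd ordering problem from the first post disappears, because sshd no longer depends on 10.0.51.1 existing at bind time; the firewall, not the socket binding, enforces that SSH is VPN-only.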