piotr-dobrogost · March 23, 2016 20:17
diff --git a/\etc\openvpn\xxx.conf b/\etc\openvpn\xxx.conf
 client
 dev tun

 proto udp
 remote x.x.x.x 1194
 remote y.y.y.y 1194

 resolv-retry infinite
 nobind

 script-security 2
 up /etc/openvpn/client.up
 plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down"

 persist-key
 persist-tun

 pkcs12 /etc/openvpn/xxx/piotr.dobrogost.xxx.vpn.p12

 cipher AES-256-CBC
 comp-lzo

 # logowanie
 mute-replay-warnings
 verb 3

diff --git a/\etc\systemd\system\[email protected]\env.conf b/\etc\systemd\system\[email protected]\env.conf
 [Service]
 Environment=OPENSSL_ENABLE_MD5_VERIFY=1
diff --git a/\usr\lib\systemd\system\[email protected] b/\usr\lib\systemd\system\[email protected]
 [Unit]
 Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
 After=network.target

 [Service]
 PrivateTmp=true
 Type=forking
 PIDFile=/var/run/openvpn/%i.pid
 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

 [Install]
 WantedBy=multi-user.target
diff --git a/commands b/commands
 # This works
 > sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --daemon --config /etc/openvpn/xxx.conf

 # `sudo journalctl`
 (...)
 Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=2, (...)
 Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=1, (...)
 Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=0, (...)
 (...)

 # This does not work
 > sudo systemctl start openvpn@xxx

 # `sudo journalctl`
 (...)
 Mar 22 21:51:47 demon openvpn[31587]: VERIFY OK: depth=2, (...)
 Mar 22 21:51:47 demon openvpn[31587]: VERIFY ERROR: depth=1, error=certificate signature failure: (...)

 (...)
diff --git a/systemctl cat openvpn@xxx b/systemctl cat openvpn@xxx
 # /usr/lib/systemd/system/[email protected]
 [Unit]
 Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
 After=network.target

 [Service]
 PrivateTmp=true
 Type=forking
 PIDFile=/var/run/openvpn/%i.pid
 Environment=OPENSSL_ENABLE_MD5_VERIFY=1
 ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

 [Install]
 WantedBy=multi-user.target

 # /etc/systemd/system/[email protected]/env.conf
 [Service]
 Environment="OPENSSL_ENABLE_MD5_VERIFY=1"
	client
	dev tun

	proto udp
	remote x.x.x.x 1194
	remote y.y.y.y 1194

	resolv-retry infinite
	nobind

	script-security 2
	up /etc/openvpn/client.up
	plugin /usr/lib64/openvpn/plugins/openvpn-plugin-down-root.so "/etc/openvpn/client.down"

	persist-key
	persist-tun

	pkcs12 /etc/openvpn/xxx/piotr.dobrogost.xxx.vpn.p12

	cipher AES-256-CBC
	comp-lzo

	# logowanie
	mute-replay-warnings
	verb 3
	[Unit]
	Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
	After=network.target

	[Service]
	PrivateTmp=true
	Type=forking
	PIDFile=/var/run/openvpn/%i.pid
	ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

	[Install]
	WantedBy=multi-user.target
	# This works
	> sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn --daemon --config /etc/openvpn/xxx.conf

	# `sudo journalctl`
	(...)
	Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=2, (...)
	Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=1, (...)
	Mar 22 21:45:08 demon openvpn[31225]: VERIFY OK: depth=0, (...)
	(...)

	# This does not work
	> sudo systemctl start openvpn@xxx

	# `sudo journalctl`
	(...)
	Mar 22 21:51:47 demon openvpn[31587]: VERIFY OK: depth=2, (...)
	Mar 22 21:51:47 demon openvpn[31587]: VERIFY ERROR: depth=1, error=certificate signature failure: (...)

	(...)
	# /usr/lib/systemd/system/[email protected]
	[Unit]
	Description=OpenVPN Robust And Highly Flexible Tunneling Application On %I
	After=network.target

	[Service]
	PrivateTmp=true
	Type=forking
	PIDFile=/var/run/openvpn/%i.pid
	Environment=OPENSSL_ENABLE_MD5_VERIFY=1
	ExecStart=/usr/sbin/openvpn --daemon --writepid /var/run/openvpn/%i.pid --cd /etc/openvpn/ --config %i.conf

	[Install]
	WantedBy=multi-user.target

	# /etc/systemd/system/[email protected]/env.conf
	[Service]
	Environment="OPENSSL_ENABLE_MD5_VERIFY=1"